000027047 - Force all tokens to be in New PIN mode without clearing PIN

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 5

Article Content

Article Number: 000027047
Applies To: ACE/Server 5.x
Authentication Manager 6.1.x
PIN minimum length 8, maximum length 8
Issue: Force all tokens to be in New PIN mode, without clearing PIN
Increasing the minimum PIN length from 4 to 5, 6, or 7 puts all users into New PIN mode, as designed.
Increasing the minimum PIN length to 8 does NOT put users into New PIN mode as expected.
Cause: This is a known Authentication Manager 5.x/6.x defect.

Note that for large Authentication Manager user populations it may be undesirable to set all tokens into New PIN mode via this solution. See solution AM 5.x 6.x - Set tokens specified in a text file into New PIN required mode to set a specified number of tokens to New PIN mode.
A TCL script that sets all assigned tokens into New PIN mode is available here (newpin.tcl).

Steps to run a TCL script:
1) Download the required RSA script from above link.
2) Copy the script to your Authentication Manager primary's ACE_HOME/utils/tcl/bin directory.
3) UNIX/LINUX only: execute the ACE_HOME/utils/admenv script to identify the environment variables required to run the tcl-sd Tcl interpreter. Set the environment variables as specified by admenv.
4) OPTIONAL, to test that you can run the Tcl interpreter: from ACE_HOME/utils/tcl/bin execute   tcl-sd test.tcl
This generates a list of the agent hosts on your system.
5) To run the newpin.tcl script:  
AM_HOME/utils/tcl/BIN>./tcl-sd newpin.tcl

Sample output of the newpin.tcl script:
Set to New PIN Mode for token UPW000004065
Set to New PIN Mode for token UPW000004066
Set to New PIN Mode for token 000102957238
Set to New PIN Mode for token 000102957239
Set to New PIN Mode for token 000102957240
Error setting New PIN Mode for 000102957241      (this is from a tokencode-only token)


Notes:
Notes and comments:

This script sets the token record for all passcode-type tokens (SID700, SID800, software tokens, etc.) into New PIN Mode. It does NOT clear any existing PINs. At their next authentication, users must authenticate with their existing PIN+Tokencode; they are then prompted to choose a new PIN.
Any 'token' starting with UPW is a token record for a STATIC RSA User Password in the SecurID database. This script also sets existing RSA user password records to "Change Required" mode. It does NOT clear any existing user passwords. User passwords are single-factor authentication and inherently less secure than passcodes. Consider reducing or eliminating the use of user passwords, and follow best practices.

Notes and Limitations:  

- Token records configured as TOKENCODE ONLY do not have a PIN status to change, are not affected by this script, and will show an error in the output similar to:
Error setting New PIN Mode for 000102957241
RSA Best Practices recommend not using tokencode-only tokens.
- When choosing a PIN for software tokens, the first digit of a PIN cannot be zero. You should inform your users of this.
- Some types of third-party Agent systems (typically using the RADIUS protocol instead of RSA's SDI protocol) have problems processing authentications that involve any Access-Challenge, including New PIN Mode. You will need to either contact the manufacturer of the third-party system for a fix, or have users authenticate to some other system that is able to process New PIN Mode.
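The newpin.tcl script itself (and the RSA Tcl API it calls) is not reproduced in this article, so the following is an added example of mine, not RSA's code, that only post-processes the script's console output. It parses the two line shapes shown in the sample output above, separates SecurID token records from UPW user-password records (which the notes say are switched to "Change Required"), and lists the serials that errored, which per the limitations above are typically tokencode-only tokens, so an administrator running this against a large population can see what still needs follow-up. The sample text is constructed from the article's sample output; the function and file names are my own.

```python
# Added example (not RSA's newpin.tcl): summarize the script's console output.
import re
import sys
from collections import Counter

# The two line shapes the article shows in the newpin.tcl sample output.
SET_RE = re.compile(r"^Set to New PIN Mode for token (\S+)")
ERR_RE = re.compile(r"^Error setting New PIN Mode for (\S+)")

# Constructed sample, modelled on the article's sample output (blank lines and
# the trailing tokencode-only annotation are kept to show they are tolerated).
SAMPLE_OUTPUT = """
Set to New PIN Mode for token UPW000004065

Set to New PIN Mode for token UPW000004066

Set to New PIN Mode for token 000102957238
Set to New PIN Mode for token 000102957239
Set to New PIN Mode for token 000102957240
Error setting New PIN Mode for 000102957241      (this is from a tokencode-only token)
"""


def classify(serial):
    """UPW-prefixed records are static user passwords; anything else is a passcode token."""
    return "user_password" if serial.startswith("UPW") else "securid_token"


def summarize(text):
    """Parse newpin.tcl output into set/errored serials plus per-class counts."""
    summary = {"set": [], "errors": [], "unparsed": [], "counts": Counter()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SET_RE.match(line)
        if m:
            serial = m.group(1)
            summary["set"].append(serial)
            summary["counts"][classify(serial)] += 1
            continue
        m = ERR_RE.match(line)
        if m:
            summary["errors"].append(m.group(1))
            continue
        # Anything unexpected is kept rather than silently dropped.
        summary["unparsed"].append(line)
    return summary


def report(summary):
    """Render a short follow-up list for the administrator."""
    lines = [
        f"SecurID tokens set to New PIN mode: {summary['counts']['securid_token']}",
        f"User password records set to Change Required: {summary['counts']['user_password']}",
        f"Records that could not be changed (check for tokencode-only): {len(summary['errors'])}",
    ]
    lines += [f"  review: {serial}" for serial in summary["errors"]]
    lines += [f"  unparsed: {text}" for text in summary["unparsed"]]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python newpin_report.py captured_newpin_output.txt
    # With no argument the constructed sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = fh.read()
    else:
        data = SAMPLE_OUTPUT
    print(report(summarize(data)))
```

Redirect the script's console output to a file when you run tcl-sd, then pass that file to this parser; the "review" lines are the serials to check against the token records, and any "unparsed" line means the output format differed from the two shapes this example expects.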

Legacy Article ID: a54276