Note that for large Authentication Manager user populations it may be undesirable to set all tokens into New PIN mode via this solution. See solution AM 5.x 6.x - Set tokens specified in a text file into New PIN required mode to set a specified number of tokens to New PIN mode.
A TCL script that sets all assigned tokens into New PIN mode is available here (newpin.tcl).
Steps to run a TCL script:
1) Download the required RSA script from the link above.
2) Copy the script to your Authentication Manager primary's ACE_HOME/utils/tcl/bin directory.
3) UNIX/LINUX only: execute the ACE_HOME/utils/admenv script to identify required environment variables for executing the tcl-sd Tcl interpreter. Set the environment variables as specified by admenv.
4) OPTIONAL, to test that you can successfully run the Tcl interpreter: from ACE_HOME/utils/tcl/bin, execute tcl-sd test.tcl
This generates a list of agent hosts on your system.
5) To run the newpin.tcl script:
Sample output of the newpin.tcl script:
Set to New PIN Mode for token UPW000004065
Set to New PIN Mode for token UPW000004066
Set to New PIN Mode for token 000102957238
Set to New PIN Mode for token 000102957239
Set to New PIN Mode for token 000102957240
Error setting New PIN Mode for 000102957241 (this is from a tokencode-only token)
Notes and comments:
This script sets the token record for all passcode-type tokens (SID700, SID800, software tokens, etc.) into New PIN Mode. It does NOT clear any existing PINs. At their next authentication, users must authenticate with their existing PIN+Tokencode. They are then prompted to choose a new PIN.
Any 'token' starting with UPW indicates a token record for a STATIC RSA User Password in the SecurID database. This script will also take existing RSA user password records and set them to "Change Required" mode. It does NOT clear any existing user passwords. User passwords are single-factor authentication and inherently less secure than using passcodes. Consider reducing or eliminating the use of user passwords, and follow best practices.
Notes and Limitations:
- Token records configured as TOKENCODE ONLY do not have a PIN status to change, are not affected by this script, and will show an error in the output similar to:
Error setting New PIN Mode for 000102957241
RSA Best Practices recommend not using tokencode-only tokens.
- When choosing a PIN for software tokens, the first digit of a PIN cannot be zero. You should inform your users of this.
- Some types of third-party Agent systems (typically those using the RADIUS protocol instead of RSA's SDI protocol) have problems processing authentications that involve any Access-Challenge, including New PIN Mode. You will need to either contact the manufacturer of the third-party system for a fix, or have users authenticate to some other system that is able to process New PIN Mode.
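Because the script reports one line per token record, an administrator will usually want to confirm afterwards how many hardware/software tokens were actually set, how many static user password (UPW) records were switched to "Change Required", and which serials failed (expected for tokencode-only tokens, which should be reviewed against the best-practice note above). The following POSIX shell functions are an added example written for this article, not part of newpin.tcl or any RSA tool; the embedded sample output is constructed from the article's own sample lines, and the function names are the author's choice.

```shell
#!/bin/sh
# Constructed sample of newpin.tcl output, mirroring the article's sample lines.
# In practice, redirect the script's real output to a file and read it from there.
SAMPLE_OUTPUT='Set to New PIN Mode for token UPW000004065
Set to New PIN Mode for token UPW000004066
Set to New PIN Mode for token 000102957238
Set to New PIN Mode for token 000102957239
Set to New PIN Mode for token 000102957240
Error setting New PIN Mode for 000102957241'

# count_set_tokens: passcode-type tokens (non-UPW serials) now in New PIN Mode.
count_set_tokens() {
  printf '%s\n' "$1" | grep '^Set to New PIN Mode for token ' | grep -v -c 'token UPW'
}

# count_set_passwords: static RSA user password records (UPW...) now in
# "Change Required" mode; these are single-factor and worth reviewing separately.
count_set_passwords() {
  printf '%s\n' "$1" | grep -c '^Set to New PIN Mode for token UPW'
}

# list_errors: serials the script could not set, one per line. The article's
# notes say these are normally tokencode-only tokens, which have no PIN status.
list_errors() {
  printf '%s\n' "$1" | sed -n 's/^Error setting New PIN Mode for \([A-Za-z0-9]*\).*/\1/p'
}

# audit_newpin_output: human-readable summary for the change record.
audit_newpin_output() {
  out=$1
  echo "Tokens set to New PIN Mode:                    $(count_set_tokens "$out")"
  echo "User password records set to Change Required:  $(count_set_passwords "$out")"
  echo "Failed serials (review for tokencode-only tokens):"
  list_errors "$out" | sed 's/^/  /'
}

audit_newpin_output "$SAMPLE_OUTPUT"
```

Against the constructed sample this reports 3 tokens set, 2 user password records set, and one failed serial (000102957241). Keeping the summary alongside the raw output gives you a record of exactly which users will be challenged for a new PIN at their next login, and a short list of tokencode-only records to follow up on.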