000027349 - How To Do PIN Management

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000027349
Applies To: Best Practices FAQ
Authentication Manager 6.1.x
Download RSA Authentication Manager 6.1 Security Best Practices Guide here
Warning: This procedure puts users whose PINs no longer meet the PIN policy setting into New PIN mode. Example: All users have a 4-character PIN. Setting the policy to 5,6,7,8 will put every user in New PIN mode.
This can adversely affect replication in a large user database.
Issue: PIN Management How To.
Best Practices Technical FAQ
How to change minimum PIN length
Resolution

Best Practices Guide for ACE/Server 5.2 and Authentication Manager 6.1.x Page 13 PIN management

PIN length changes are made in Host Mode (Windows) or SDADMIN (Solaris).
Windows instructions:
Connect to the Primary Server.  Start> Programs> RSA Security> RSA Authentication Manager Host Mode
System> System Parameters> Edit Token, PIN and Password Parameters...

PIN Options Panel
Min PIN length  [4] __
Max PIN length [8] __

For System Generated PINs only, with alphanumeric allowed. This will give alphanumeric system generated PINs.
__ User-created PINs allowed
__ User-created PINs required
_X_ Alphanumeric PINs allowed

To give a choice of System Generated or User-Defined PIN, with alphanumeric allowed
_X_ User-created PINs allowed
__ User-created PINs required
_X_ Alphanumeric PINs allowed

To require a User-Defined PIN, with alphanumeric allowed
__ User-created PINs allowed
_X_ User-created PINs required
_X_ Alphanumeric PINs allowed


Note: If you do not see the above message, it is likely that after changing from a shorter PIN to a longer PIN requirement, users are not being challenged to create a new PIN.  See details in a54276 Force all tokens to be in New PIN mode 5.2 and 6.1x on SecurCareOnline here 


UNIX Instructions:
Connect to Unix system, usually via telnet
cd to rsa_home/prog
./sdadmin

System> System Parameters> Edit Token, PIN and Password Parameters...

Make settings choice as above.

Notes: Minimum PIN length Change FAQ
Q: Will Users be required to Login with their current PIN?
A: Yes, new PIN mode can be enforced and require authentication with Existing PIN.
Q: Can I enforce that Users do not use a previous PIN?
A: No
Q: Can I enforce a certain type of PIN complexity?
A: No
Q: Can I require alphanumeric when the user changes PIN as part of this process?
A: Yes, system generated PINs must be required, and alphanumeric allowed.  This will cause system generated PINs to be alphanumeric.
Scenario: Never used system generated PINs before and now requiring system generated PINs.
Q: How is a user PIN affected by increasing the minimum PIN requirement AND requiring system generated PINs?
A: Users with PINs already equal to minimum are unaffected. (unless the force PIN script is used)
A: Users with PINs not equal to minimum will be prompted for new PIN and provided with a system generated PIN
A: If the script above is used, ALL users will be in new PIN mode regardless.
Legacy Article ID: a54294