000025596 - How to fix ACE/Server time offset for token drift with the setsyncint utility on a Windows or UNIX ACE/Server

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000025596
Applies To: RSA ACE/Server
RSA Authentication Manager
setsyncint
setsync
Issue: How to fix ACE/Server time offset for token drift with the setsyncint utility on a Windows or UNIX ACE/Server
How to use the setsyncint utility to reset the token time offset or clear Next Tokencode Mode
Many ACE/Server users going into Next Tokencode Mode
Error: "Access Denied, PASSCODE Incorrect"
Resolution: NOTE: If your ACE/Server clock is less than 9 1/2 minutes off, do not use setsyncint; use the alternative solution How to change System Clock by up to 9 1/2 minutes without disrupting authentication instead.
NOTE: In-depth coverage of the importance of time to the ACE/Server can be found in the solution Why is a consistent time reference important to the ACE/Server/SecurID authentication mechanism?
IMPORTANT: If using setsyncint on a Windows system, NEVER make any updates with it while connected over Remote Desktop (RDP). Running setsyncint inside a remote desktop session can permanently corrupt the database.
To fix an offset for an ACE/Server database that is over 9 1/2 minutes off with setsyncint (how to determine the size of the offset, and whether it is more or less than 9 1/2 minutes, is described in steps 4 to 6 below):
1.  Call RSA Customer Service and get the setsyncint build for your version of the ACE/Server and the platform on which you are running. Place it into your ace/data directory.
     NOTE: This must be run on the Primary ONLY. You will see the following message twice; this is expected, and setsyncint will still perform as specified:
                "There is no server for database  ace\data\sdserv"
2.  If the ACE/Server is running on a UNIX system, set the required environment variables by running

 /{full logical path}/ace/utils/admenv  and exporting the results to the environment.
  For example, to set the USR_ACE variable using the Bourne or Korn shell:
   USR_ACE=/{full logical path}/ace/prog
   export USR_ACE
3.  From a command prompt in the ace/data directory, run the following command:

    setsyncint  -r >outputfilename
    (setsyncint -r only reads the database, so it can be run whether the server is stopped or started.)
4.  View the output file (outputfilename) with any ASCII-capable editor; you will see rows like the ones below. (The machine on which we ran setsyncint -r is 13 minutes behind, i.e. 780 seconds.)
34568709        Sync:        840        NTC        0        LLD        9/18/00        LLT        51829
34568719        Sync:        1140        NTC        0        LLD        9/10/00        LLT        50255
34568728        Sync:        1260        NTC        0        LLD        9/10/00        LLT        41079
34568853        Sync:        780        NTC        0        LLD        9/18/00        LLT        66733
34568854        Sync:        780        NTC        0        LLD        9/18/00        LLT        67045
34568855        Sync:        780        NTC        0        LLD        9/18/00        LLT        81742

The 2nd, 4th, 6th and 8th columns are labels for the column that follows each of them:
    The first column is the token serial number.
    The second and third columns (Sync:) are the token's stored time offset, in seconds.
    The fourth and fifth columns (NTC) are the Next Tokencode Mode value: 0 means Next Tokencode Mode is off, 2 means it is on.
    The sixth and seventh columns (LLD) are the Last Login Date. (If the date 01/01/1986 is displayed, the token has never been used, so there is no real last login date.)
    The eighth and ninth columns (LLT) are the Last Login Time, given as the time of day in seconds according to GMT.
    In the example, the third column shows that most of the tokens are off by 780 or 840. When we looked at the whole database of tokens, most of them were at 780, which is also how far the ACE/Server clock was off (13 minutes).
5.  Calculate how far your ACE/Server clock is off by comparing it with a reliable time source such as the following:
    a. Call 303.499.7111 in the U.S.
    b. Go to http://tycho.usno.navy.mil/what.html
Note: If it is not known how much the system time has been changed, follow step 6. If the change is known, skip to step 7.
6. To work out the time offset from the database itself:
        a. Run Database Administration against the Master using Remote Administration, Database Administration-Host Mode, or sdadmin from ace/prog.
        b. Go to Token -> Edit Token and select a token you have in hand.
        c. Click Resynchronize Token and enter two consecutive tokencodes.
        d. From a command prompt in the ace/data directory, run setsyncint  -r >aftersyncfile
        e. Compare the offset of the token in hand in the two files (outputfilename from step 3 and aftersyncfile); the difference between the two gives you a reasonable offset value to work with. This method is not as accurate as comparing the system clock to GMT when no changes have been made to the clock, but it is the best method if the clock was altered before the resynchronization attempt.
 If the token offset was 780 before resynchronizing the token and 60 after, the time offset is +720 seconds. (Resynchronizing 2 or 3 tokens confirms that the offset is the same for more than one token.)
 If the token offset was -780 before resynchronizing the token and -60 after, the time offset is -720 seconds.
7.  Run ACE Database Administration.
8.  Go to Token -> Export Tokens. Select All unassigned tokens.
9.  Save these tokens to a file, and put the file in a safe directory (you will need to re-import this file into your database later).
10.  Stop the Master ACE/Server completely.
On UNIX systems, make sure your environment variables are set; see the solution How to set environment variables for RSA ACE/Server and RSA Authentication Manager.
    a.  On NT, go to Control Panel -> ACE/Server, and click Stop. When fully stopped, go to Control Panel -> Services, and make sure none of the ACE/Server processes are running.
    b.  On UNIX, from /{Path}/ace/prog, run aceserver stop, then sdconnect stop, then sdconnect shutdown, and then sdconnect clean to ensure a clean shutdown.
11. Create a backup of the ace/data directory on another drive/partition or another machine.
12. Run setsyncint according to your offset. If the ACE/Server time is behind (slow), the server has compensated by making the stored token offsets positive, so setsyncint must subtract. If the ACE/Server time is ahead (fast), the stored token offsets have gone negative, so setsyncint must add. In other words, the value given to -y is the negation of the offset observed in step 4 or step 6.

     a. If your ACE/Server is 13 minutes behind (tokens at +780), run setsyncint -all -y -780.
     b. If your ACE/Server is 13 minutes ahead (tokens at -780), run setsyncint -all -y 780.
     c. If any tokens had a 2 after NTC, also run setsyncint -all -n to reset Next Tokencode Mode.
13. Change the system time on the Master.
14. Run setsyncint -all -r to verify that the offset has been corrected for all the tokens. The offset values should now be much closer to zero.
15. Stop the Slave ACE/Server (if applicable).
     a. On NT, go to Control Panel -> ACE/Server, and click Stop. When fully stopped, go to Control Panel -> Services, and make sure none of the ACE/Server processes are running.
     b. On UNIX, from /{Path}/ace/prog, run aceserver stop, then sdconnect stop, then sdconnect shutdown, and then sdconnect clean to ensure a clean shutdown.
16. Start the Master ACE/Server.
     a. On NT, go to Control Panel -> ACE/Server, and click Start. When fully started, go to Control Panel -> Services and make sure all of the ACE/Server processes are running.
     b. On UNIX, from /{Path}/ace/prog, run sdconnect start, then aceserver start, then ps -ef | grep ace to make sure all of the ACE/Server processes are running.
17. From Database Administration, go to Token -> Import Tokens, and point to the file of exported tokens. Select Overwrite ALL duplicate serial # token records.
18. Verify that users are able to log in by running the Log Monitor (Report -> Log Monitor -> Activity Monitor).
19. Stop the Master ACE/Server. (If applicable, the Slave should still be down.)
20. Copy all the sdserv files and license.rec in ace/data from the Master to the Slave ACE/Server (if applicable).
21. Fix the system time on the Slave server.
22. Start the Master, and then start the Slave.
The procedure is complete; verify that your users are able to authenticate by observing the ACE/Server Activity Monitor.
Below are all of the options for setsyncint.
Usage: setsyncint [ -? | -h] [-all | -f file] [-s] [-n] [-l] [-r] [-y number]
-? or -h        Display this usage text.
-all            Reset all tokens in the database.
-f file         Reset only tokens and ranges of tokens listed in the file.
-s              Reset sync value to 0.
-n              Reset next token code mode to 0.
-l              Reset last login date time.
-r              Read and display sync values and NTC values for all tokens in the database. No update is performed, no range validation.
-y number       Adjust sync value by the given time, in seconds. This can be combined with -s; in this case, the resulting value will be set to 0 and then adjusted.
If neither -all nor -f is specified, or none of the update options (-s, -n, -l, -y) is provided, the program displays this usage text.
RSA Security recommends redirecting the output to a file by adding "> filename" at the end of the command line.
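As an added worked example (this is not code from the RSA article or from the setsyncint tool), the following Python script parses a setsyncint -r report laid out as in step 4, finds the dominant token offset, computes the step-6 before/after difference for a resynchronized token, lists tokens in Next Tokencode Mode, and derives the step-12 command lines, applying the 9 1/2 minute threshold from the notes above. The sample rows are constructed from the article's example plus two added rows (one token with NTC 2 and one never-used token); the function names, the handling of a four-digit year, and the choice to skip never-used tokens when computing the dominant offset are this example's own assumptions.

```python
"""Interpret a `setsyncint -r` report and derive the step-12 correction.
Added example, not code from the RSA article or the setsyncint tool; it assumes the
nine-field row layout of step 4 and the step-12 sign convention (positive token
offsets mean the server clock is slow)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Optional

TOLERANCE_SECONDS = 9 * 60 + 30       # article: under 9 1/2 minutes, fix the clock, not the tokens
UNUSED_TOKEN_DATE = date(1986, 1, 1)  # article: this LLD means the token has never been used

# Constructed sample: the article's step-4 rows (server 13 minutes slow) plus two added rows,
# one token in Next Tokencode Mode (NTC 2) and one never-used token.
SAMPLE_BEFORE = """\
34568709   Sync:   840    NTC   0   LLD   9/18/00      LLT   51829
34568719   Sync:   1140   NTC   0   LLD   9/10/00      LLT   50255
34568728   Sync:   1260   NTC   0   LLD   9/10/00      LLT   41079
34568853   Sync:   780    NTC   0   LLD   9/18/00      LLT   66733
34568854   Sync:   780    NTC   0   LLD   9/18/00      LLT   67045
34568855   Sync:   780    NTC   0   LLD   9/18/00      LLT   81742
34568856   Sync:   780    NTC   2   LLD   9/18/00      LLT   70001
34568857   Sync:   0      NTC   0   LLD   01/01/1986   LLT   0
"""
# Constructed sample: token 34568853 again, after a manual resync with two tokencodes (step 6).
SAMPLE_AFTER = "34568853   Sync:   60   NTC   0   LLD   9/18/00   LLT   70100\n"


@dataclass
class TokenSync:
    serial: str
    sync: int                       # stored time offset in seconds
    ntc: int                        # 0 = normal, 2 = Next Tokencode Mode
    last_login: Optional[datetime]  # None for a never-used token


def _parse_date(text: str) -> date:
    """LLD is printed as m/d/yy in the article; a four-digit year is accepted too (assumption)."""
    for fmt in ("%m/%d/%y", "%m/%d/%Y"):
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised LLD value: {text!r}")


def parse_sync_report(text: str) -> list[TokenSync]:
    """Parse rows written by `setsyncint -r > outputfilename`; reject rows off the layout."""
    tokens = []
    for line in filter(None, text.splitlines()):
        f = line.split()
        if len(f) != 9 or f[1] != "Sync:" or f[3] != "NTC" or f[5] != "LLD" or f[7] != "LLT":
            raise ValueError(f"unexpected row layout: {line!r}")
        lld = _parse_date(f[6])
        last_login = None
        if lld != UNUSED_TOKEN_DATE:  # LLT is the time of day in seconds, GMT
            midnight = datetime(lld.year, lld.month, lld.day, tzinfo=timezone.utc)
            last_login = midnight + timedelta(seconds=int(f[8]))
        tokens.append(TokenSync(f[0], int(f[2]), int(f[4]), last_login))
    return tokens


def dominant_offset(tokens: list[TokenSync]) -> int:
    """Most common Sync value across used tokens (step 4). Never-used tokens are skipped
    so their untouched 0 does not mask the real drift (this example's own choice)."""
    used = [t.sync for t in tokens if t.last_login is not None]
    if not used:
        raise ValueError("report contains no used tokens")
    return Counter(used).most_common(1)[0][0]


def offset_from_resync(before: list[TokenSync], after: list[TokenSync], serial: str) -> int:
    """Step 6: one token's Sync value before a manual resync minus its value after."""
    sync_of = lambda rows: {t.serial: t.sync for t in rows}[serial]
    return sync_of(before) - sync_of(after)


def tokens_in_ntc_mode(tokens: list[TokenSync]) -> list[str]:
    """Serial numbers with NTC 2; step 12c clears them with `setsyncint -all -n`."""
    return [t.serial for t in tokens if t.ntc == 2]


def plan_correction(offset_seconds: int, tokens: list[TokenSync]) -> list[str]:
    """Step-12 command lines, or [] when drift is under the 9 1/2 minute threshold.
    -y takes the negation of the observed offset: tokens at +780 need `-y -780`."""
    if abs(offset_seconds) < TOLERANCE_SECONDS:
        return []
    commands = [f"setsyncint -all -y {-offset_seconds}"]
    if tokens_in_ntc_mode(tokens):
        commands.append("setsyncint -all -n")
    return commands


if __name__ == "__main__":
    report = parse_sync_report(SAMPLE_BEFORE)
    offset = dominant_offset(report)
    print(f"dominant offset {offset:+d} s; NTC tokens {tokens_in_ntc_mode(report)}")
    print("commands:", plan_correction(offset, report))
```

Run it as-is to see the analysis of the constructed sample, or replace SAMPLE_BEFORE with the contents of your own outputfilename. The script only reports what setsyncint should be given; it does not run setsyncint itself, and the RDP warning above still applies when you do.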

Setsyncint

If the time is out of sync yet "close" (within +/- 9.5 minutes), then just stop and start the Auth Manager services, as setsyncint is a little dangerous. You've been warned.

setsyncint -h  for help

-r shows what the offsets are. -s zeros out the offset; -n cancels next token mode.

Combined with -all, this applies to all tokens. Example:

setsyncint -s -n -all

Example for one token. Create a file called set.txt containing one token serial number: 000027460508

To add 60 seconds to the offset for this token, type:

 setsyncint -f set.txt -y 60

You can use negative numbers with -y.

LLD = Last login date, LLT = Last login time.
Workaround: The system clock time has drifted on its own or someone has recently changed the system time.
Legacy Article ID: 6.0.2488410.2839150
