000016666 - How to synchronize RSA SecurID tokens in RSA Authentication Manager 7.1

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000016666
Applies ToRSA Authentication Manager 7.1 has a built-in RSA utility called "sync-tokens" that replaces setsync and setsyncint. The utility creates a batch job that is listed in the RSA Security Console. Like the former utility, the output is a text file.
RSA Authentication Manager 7.1
RSA SecurID Appliance 3.0
token synchronization, synchronize tokens, sync tokens
RSA Synchronize Tokens utility (rsautil sync-tokens)
IssueSynchronize RSA SecurID tokens in RSA Authentication Manager 7.1
Run a setsync or setsyncint equivalent in RSA Authentication Manager 7.1
The server time drifted, and tokens need to be resynchronized in batch.
setsyncint
ResolutionHow to synchronize RSA SecurID tokens in RSA Authentication Manager 7.1

If system clock drift is an issue, see the following solutions first:
  • solution a49766 on how to start the NTP service automatically when the Appliance 3.0 is rebooted
  • solution a44785 on how to change or set the date, time, time zone, or NTP server settings on an RSA SecurID Appliance after it has been set up
Important: The sync-tokens utility has a bug in the original version that was resolved. For RSA Authentication Manager software installations, Patch 7.1.1 411888 or later (also known as  am-7.1.1-build20080804161513) is required, and 7.1.2 (Service Pack 2) or later is recommended. For the RSA SecurID Appliance, version 3.0.0.3 or later is required, and version 3.0.2 (Service Pack 2) is recommended.

To synchronize all tokens in RSA Authentication Manager 7.1: 1.
  1. (Appliances only) Do the following:

    a. Connect to the Appliance using the console or an SSH client. (For remote access using an SSH client, verify in the RSA Operations Console that the Appliance is enabled for SSH connectivity.)

    b. Log on using the emcsrv account and the Operating System password.

    c. Switch users to root. Run:
      sudo su
    When prompted, enter the Operating System password.

    d. Switch users to rsaadmin. Run:
      su rsaadmin

    e. Set the current directory to the folder that contains the RSA utilities. Run:
    cd /usr/local/RSASecurity/RSAAuthenticationManager/utils

    f. Set the environmental variables. Run:
      . ./rsaenv
    Note: This command begins with a period, space, period, and forward slash.

  2. Set the correct time on the RSA Authentication Manager server.
  3. Synchronize the tokens:

    a. (Recommended) Create a text file where you can write output from the command, for example, c:\sync.txt. On the Appliance, a convenient location is /tmp/sync.txt.

    b. Open a command prompt, and set the current directory to RSA_HOME/utils where RSA_HOME is the RSA installation path.

    c. Run the RSA Synchronize Tokens utility using one of the following commands:

    Windows:
    rsautil sync-tokens -I


    Appliance and UNIX-based systems:
    ./ rsautil sync-tokens -I

    (Run this command as rsaadmin.)

    The -I option runs the utility in interactive mode so that the system prompts you to configure options for the sync token job.

    Note: To see all the options for this utility, run:
    rsautil sync-tokens ?

    d. Follow the prompts to synchronize tokens. Set the token offset to 0, and reset the Next Tokencode Mode.

    Note: RSA recommends running the command in list mode first so that you can see the current state of the token database and offsets. (You can include list mode as an option, or select it in interactive mode.) If the output file size is 0, check the batch job results and look for a batch job related to sync-tokens. If you run the sync-tokens utility in list mode and it does not produce any output, you might need to run identity source cleanup first.

    e. When the job completes, review the output file if you specified one, and test a token.


Command output example

The following example shows the command being run in list mode on Windows on the entire token database. Consider that the sync-tokens utility has many options and capabilities that are not all shown in this example.

------------------------------------------------------------------------
C:\Program Files\RSA Security\RSA Authentication Manager\utils>rsautil sync-tokens -I  

Authenticator Bulk Synchronization Utility am-7.1.0-build20080715085805

Copyright (C) 2008 RSA Security Inc. All rights reserved.  

Enter the absolute path for the output report file               : c:\sync.txt

Enter the base security domain name for recursive search [(none)]: none
Enter the type of token selection                [ (all) | file ]: all
Choose a token filter          [ assigned | unassigned | (both) ]: both
What action do you wish to perform?           [ (list) | modify ]: modify
Enter type of clock offset value  [ absolute | relative | (none)]: absolute
Enter clock offset value                                      [0]: 0

Do you want to reset the Next Tokencode Mode?             [ y/n ]: y
Do you want to reset the last login date and time?        [ y/n ]: n
Do you want to clear user lockout information?            [ y/n ]: y
Enter administrator user ID                                      : admin
Enter administrative password                                    : ***********  

Authenticator Bulk Synchronization Utility am-7.1.0-build20080715085805

Copyright (C) 2008 RSA Security Inc. All rights reserved.  

Started job on Wed Aug 20 10:19:51 EDT 2008 with ID = ims.e07c584ba263650a018d923bd0ac085d  

C:\Program Files\RSA Security\RSA Authentication Manager\utils>
------------------------------------------------------------------------


Output file example

The following example shows the output file c:\sync.txt.

------------------------------------------------------------------------
# Authenticator Bulk Synchronization Utility
# (c) 2005-2006 RSA Security Inc.
#
# THIS FILE COULD BE USED AS A SOURCE OF TOKEN SERIAL NUMBERS.
#
# EACH SERIAL NUMBER MUST BE 12 DIGITS IN LENGTH.
#
# SERIAL NUMBERS LESS THAN 12 DIGITS MUST BE PREFIXED WITH ZEROS
# IN ORDER TO MEET THIS LENGTH REQUIREMENT.
#   # UPDATING Token Data [Wed Aug 20 10:59:13 EDT 2008]
#
# Token            Clock   Next Tokencode  Last Login     Principal       Security
# Serial Number    Offset  Mode Status     Date/Time      Lockout Status  Domain 
  000032388427     0       false           None           <unassigned>    SystemDomain

  000032388428     0       false           None           <unassigned>    SystemDomain
  000032388429     0       false           None           <unassigned>    SystemDomain
  000032388430     0       false           None           <unassigned>    SystemDomain
  000032388431     0       false           None           <unassigned>    SystemDomain
  000032388432     0       false           None           <unassigned>    SystemDomain
  000032388433     0       false           None           <unassigned>    SystemDomain
  000027460501     -58     false           None           Unlocked        SystemDomain
  000027460502     0       false           None           <unassigned>    SystemDomain
  000027460503     0       false           None           <unassigned>    SystemDomain
  000027460504     0       false           None           <unassigned>    SystemDomain
  000027460505     0       false           None           <unassigned>    SystemDomain
  000027460506     0       false           None           <unassigned>    SystemDomain
  000027460507     0       false           None           <unassigned>    SystemDomain
  000027460508     0       false           None           <unassigned>    SystemDomain
  000027460509     0       false           None           <unassigned>    SystemDomain
  000027460510     0       false           None           <unassigned>    SystemDomain
  000032388434     0       false           None           <unassigned>    SystemDomain
  000032388435     0       false           None           <unassigned>    SystemDomain
  000032388436     0       false           None           <unassigned>    SystemDomain
  000032388437     0       false           None           <unassigned>    SystemDomain
  000032388438     0       false           None           <unassigned>    SystemDomain
  000032388439     0       false           None           <unassigned>    SystemDomain
  000032388440     0       false           None           <unassigned>    SystemDomain
  000032388441     0       false           None           <unassigned>    SystemDomain
------------------------------------------------------------------------
WorkaroundIf using Authentication Manager 8.0 8.1 , also see solution   A68058
NotesLike version 6.1, you can expand the token authentication window from a normal [+3 -3] minute tolerance to [+10 - 10] minutes from exact time when the server is first started, or restarted. Then after a user?s first authentication, it reverts to a normal +3 -3. This restart procedure may be all that is needed for small server clock changes in the range of 1 to 7 minutes.
When prompted to enter the type of clock offset value, the options are absolute, relative or none.
  • Absolute changes the offset to the defined value. For example if the current offset is 300 and an absolute value of 600 is defined, the new offset becomes 600.
  • Relative changes the current value by the defined value.  If the current offset is 300 and a relative change of 600 is defined, the new offset becomes 900.
  • None makes no changes to the value. 

When specifying absolute or relative offsets, these should be specified in SECONDS. However, the report will list the offset in MINUTES
eg -r 720 will add 720 seconds to the offset (-r -720 will substract 720 seconds)
Legacy Article IDa41725

Attachments

    Outcomes