000036636 - How to replace an existing token in RSA Authentication Manager 8.x with a specific token and not with the Next Available Token

Document created by RSA Customer Support Employee on Aug 21, 2018. Last modified by RSA Customer Support Employee on Aug 27, 2018.
Version 3

Article Content

Article Number: 000036636

Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x

Issue: This article explains how to replace a token in custom mode, as opposed to the default option of replacing with the next available token.

Resolution: User1 is currently assigned token 000xxxxxxxx1. The RSA administrator wants to replace 000xxxxxxxx1 (Token 1) with 000xxxxxxxx2 (Token 2), which is a specific token rather than any unassigned token in the pool. The steps below show how to do this.


  1. From the Security Console, select Identity > Users > Manage Existing.

    1. Using the Identity Source filter on the left, select either the internal database or an external identity source, and search for User1.
    2. When the search result is displayed, click the context arrow next to User1 and select SecurID Tokens.

  2. The page displays the token assigned to User1, which should be token 000xxxxxxxx1.
  3. Click the context arrow next to the serial number and select Edit.
  4. The token serial number is listed under Token Basics. Copy the serial number of the token.
  5. Navigate to Authentication > SecurID Tokens > Manage Existing.

    1. Use the Serial Number filter and paste the token serial number copied above into the search field, then click Search.
    2. Place a check in the box next to token 000xxxxxxxx1.
    3. Change the menu option above the Serial Number and Token Type headings to Replace SecurID Tokens and click Go.

  6. From the page of unassigned tokens, choose one by selecting the corresponding checkbox. Per the requirement stated above, it must be Token-n (in this example the token is 000xxxxxxxx2). Click Next.
  7. At this stage, User1 is assigned 000xxxxxxxx2 as a replacement for 000xxxxxxxx1.
  8. On the next page, choose one of the following options:

    • To require a new PIN be created, click the option to require the assigned user to set up a new SecurID PIN for his or her replacement token.
    • To retain the user's current PIN, do nothing.

  9. Click Save and Finish.
  10. To confirm the token is assigned:

    1. Select Identity > Users > Manage Existing and search for User1.
    2. When the search result is displayed, click the context arrow next to User1 and select SecurID Tokens. You will see that Token 1 and Token 2 are both assigned.


Token 2 will replace Token 1 after Token 2 is distributed by the RSA admin. Once it is distributed, the end user will no longer be able to use Token 1 to authenticate.

Notes: These instructions can be applied when a token that is due to expire shortly is to be replaced with another token that has an extended expiration date, as opposed to letting the Authentication Manager server randomly pick any available token from the unassigned pool.