Configure Token Settings
Token settings determine the authentication requirements for token users, and whether tokens that are replaced are automatically deleted from AM. In this procedure, you can also configure the settings for dynamic seed provisioning.
If CT-KIP runs on a web tier for dynamic seed provisioning, you must direct requests to the virtual host by changing the hostname and port number.
Procedure
In the Security Console, click Setup > System Settings.
On the Settings page, under Authentication Settings, click Tokens.
For SecurID PIN, select one of the following:
Allow PIN requirement to be set per token if you want to set PIN requirements for individual tokens. By default users must authenticate with a passcode (PIN + tokencode).
Set all tokens to not require a PIN (tokencode only) if you want users to authenticate only with a tokencode.
Note: For software tokens, setting all tokens to not require a PIN will override the PIN requirement specified in a software token profile.
For Replacement Tokens, select Automatically delete replaced tokens if you want to automatically delete a token after it is replaced with a new token.
For Only automatically assign tokens that do not expire for more than number of days, enter a number. When tokens are automatically assigned or used as replacement tokens, the system only selects unassigned tokens that have more than the configured number of days remaining.
(Optional) If you have web tiers, in the Dynamic Seed Provisioning Configuration section, do the following:
In the Fully Qualified Hostname field, enter the hostname of the virtual host that points to the dynamic seed provisioning service on the web tier.
In the Port field, enter the port number of the virtual host that clients use to communicate with the dynamic seed provisioning service.
Note: If the deployment does not have web tiers, the Fully Qualified Hostname and Port fields must use the default values - the hostname for the primary instance and the port number 7004.
When you click Save, the Current CT-KIP Service Address updates with the fully qualified hostname and port.
For Activation Code Expiration, do one of the following:
Enter the number of days that the activation code can be used after the software token is distributed.
Select Do not expire activation codes to prevent activation codes from expiring.
Click Save .
Related Concepts
Related Articles
RADIUS Settings Number of Views How to configure Certificate Extension Profile for KCA OneStep Number of Views Configuring TCP/IP information for DLP Network devices Number of Views Windows Routing and Remote Access Service - RSA Ready Implementation Guide Number of Views Configure RADIUS Settings Number of Views
Trending Articles
Passwordless Authentication in Windows MFA Agent for Active Directory – Quick Setup Guide RSA Authentication Manager 8.9 Release Notes (January 2026) RSA Authentication Manager Upgrade Process RSA Authentication Manager 8.7 SP2 Setup and Configuration Guide An example of SSO using SAML and ADFS with RSA Identity Management and Governance 6.9.x
