How to Synchronize RSA SecurID Tokens in RSA Authentication Manager 8.x Using the sync-tokens Utility
Originally Published: 2015-12-28
Article Number: 000062954

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x

Issue

Use this procedure when a large group of RSA SecurID tokens needs to be resynchronized with the Authentication Manager server — typically following a server time drift or NTP misconfiguration. The rsautil sync-tokens utility allows administrators to generate a token status report and, if needed, reset clock offset values in bulk.

Prerequisites:

  • Super Administrator access to RSA Authentication Manager
  • SSH access to the primary Authentication Manager server
  • All Authentication Manager 8.x servers must have the correct time set and be within ten seconds of each other (except for time zone differences)
  • If any server's time is incorrect by more than eight minutes, contact RSA Customer Support before proceeding
  • If Authentication Manager is running on a virtualization platform (VMware ESX or Microsoft Hyper-V), all hosts must have the correct time set via NTP — including any hosts that may be used for vMotion or Live Migration

CAUTION: Modifying the token offset for all tokens may put tokens that are currently authenticating correctly into a non-functional state. Before running a modify command, discuss your situation with RSA Customer Support.

 

Tasks
Task                                 | Tool                | Action | Key Detail
Task 1: Generate Token Status Report | rsautil sync-tokens | List   | Reviews clock offset values; no changes made
Task 2: Modify Token Clock Offsets   | rsautil sync-tokens | Modify | Resets offset to zero; requires DB backup first

 

Shared Connection Details:

  • Server: Primary Authentication Manager server
  • Login: rsaadmin (or the username selected during Quick Setup)
  • Utility Path: /opt/rsa/am/utils
  • Access Method: SSH (e.g., PuTTY)

Resolution

    Task 1: Generate a Token Status Report

    1. Launch an SSH client (for example, PuTTY) and connect to the primary Authentication Manager server.
    2. Log in as rsaadmin and enter the operating system password.

      NOTE: If a different username was selected during Quick Setup, use that username instead of rsaadmin.

    3. Navigate to the utilities directory: 
      cd /opt/rsa/am/utils
    4. Run the sync-tokens wizard using the options below to generate a token report:
      rsaadmin@am88p:/opt/rsa/am/utils> ./rsautil sync-tokens -I
      Authenticator Bulk Synchronization Utility 8.8.0.3.0 (1380648)
      Copyright (C) 1994 - 2026 EMC Corporation. All Rights Reserved.
      Enter the absolute path for the output report file               : /tmp/token_report.txt
      Enter the base security domain name for recursive search [(none)]: <press Enter to select none>
      Enter the type of token selection                [ (all) | file ]: <press Enter to select all>
      Choose a token filter          [ assigned | unassigned | (both) ]: <press Enter to select both>
      What action do you wish to perform?            [ (list) | modify ]:<press Enter to select list>
      Enter administrator user ID                                      : <enter the name of a SuperAdmin user>
      Enter administrative password                                    : <enter the password for the SuperAdmin user>
      Authenticator Bulk Synchronization Utility 8.1.1.8.0 (1380648)
      Copyright (C) 1994 - 2026 EMC Corporation. All Rights Reserved.
    5. Open and review the generated report:
      cat /tmp/token_report.txt

    Expected output:

    # Token Serial Number	Clock Offset	Next Tokencode Mode Status	Last Login Date/Time
    000xxxxxxxxx	0	false	None
    000xxxxxxxxx	0	false	None
    000xxxxxxxxx	0	false	None
    000xxxxxxxxx	0	false	None
    000xxxxxxxxx	0	false	None
    000xxxxxxxxx	0	false	None
    000xxxxxxxxx	0	false	None
    000xxxxxxxxx	0	false	None

    Verification: If the Clock Offset values are zero, no modification is needed and the procedure is complete. If Clock Offset values are large, proceed to Task 2.

     

    Task 2: Modify Token Clock Offsets

    CAUTION: Modifying token offsets affects all tokens in the deployment. Tokens that are currently authenticating correctly may be put into a non-functional state. Take a full database backup before proceeding and consult RSA Customer Support if unsure.

     

    1. Log in to the Operations Console.
    2. Navigate to Maintenance > Backup and Restore > Back Up Now and wait for the backup to complete.
    3. Return to the SSH session and run the sync-tokens wizard again:
      ./rsautil sync-tokens -I

      When prompted, enter the following:

       

      Prompt                          | Value
      Output report file path         | /tmp/sync_token.txt
      Base security domain            | Press Enter (none)
      Token selection type            | Press Enter (all)
      Token filter                    | Press Enter (both)
      Action                          | Type modify
      Clock offset value type         | Type absolute
      Clock offset value              | Press Enter (0)
      Reset Next Tokencode Mode?      | Type y
      Reset last login date and time? | Type n
      Clear user lockout information? | Type y
      Reset shutdown date?            | Type n
      Administrator user ID           | Enter a Super Admin username
      Administrative password         | Enter the Super Admin password
    4. Run the sync-tokens wizard one final time using the list action to verify the modifications were applied:
      ./rsautil sync-tokens -I

      Verification: Open the new output report and confirm all Clock Offset values are now set to 0. Affected users should be able to authenticate successfully.
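
A report check that can follow either list run (Task 1, step 5 and Task 2, step 4), as an added example that is not part of the original article or of RSA's tooling: it parses the report and counts tokens with a non-zero Clock Offset. It assumes the tab-separated layout of the sample report above (serial, offset, Next Tokencode Mode, last login; header lines start with #); the function names, the threshold argument and the sample serial numbers are constructed for illustration.

```sh
#!/bin/sh
# Added example, not RSA code. Assumed report layout (from the sample above):
# tab-separated serial, clock offset, Next Tokencode Mode, last login; '#' = header.

# summarize_offsets REPORT
# Prints one summary line. Exit status: 0 = every offset is zero (nothing to do),
# 1 = at least one non-zero offset, 2 = unreadable file or unparseable rows.
summarize_offsets() {
    [ -r "$1" ] || { echo "cannot read report: $1" >&2; return 2; }
    awk -F '\t' '
        /^[ \t\r]*#/ || /^[ \t\r]*$/ { next }          # skip header and blank lines
        { off = $2; gsub(/[ \t\r]/, "", off) }
        off !~ /^[+-]?[0-9]+$/ { bad++; next }          # offset must be an integer
        { total++; a = off + 0; if (a < 0) a = -a
          if (a != 0) nonzero++
          if (a > max) max = a }
        END { printf "total=%d nonzero=%d max_abs=%d malformed=%d\n", total, nonzero, max, bad
              if (bad > 0) exit 2
              if (nonzero > 0) exit 1 }
    ' "$1"
}

# list_drifted REPORT [THRESHOLD]
# Prints "serial<TAB>offset" for tokens whose absolute offset exceeds THRESHOLD
# (hypothetical parameter, default 0; the article does not define "large").
list_drifted() {
    awk -F '\t' -v thr="${2:-0}" '
        /^[ \t\r]*#/ || /^[ \t\r]*$/ { next }
        { off = $2; gsub(/[ \t\r]/, "", off) }
        off !~ /^[+-]?[0-9]+$/ { next }
        { a = off + 0; if (a < 0) a = -a
          if (a > thr + 0) { s = $1; gsub(/[ \t\r]/, "", s); print s "\t" (off + 0) } }
    ' "$1"
}

# Constructed sample report (serials and offsets are made up for the example).
sample_report() {
    printf '# Token Serial Number\tClock Offset\tNext Tokencode Mode Status\tLast Login Date/Time\n'
    printf '000100000001\t0\tfalse\tNone\n'
    printf '000100000002\t-540\tfalse\tNone\n'
    printf '000100000003\t480\ttrue\tNone\n'
    printf '000100000004\t0\tfalse\tNone\n'
}
```

After sourcing the file on a host with a POSIX awk, `summarize_offsets /tmp/token_report.txt` answers the Task 1 verification through its exit status, and the same call on the step 4 report should return 0.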

     

    Notes
    • NTP Configuration: It is recommended to configure NTP with both a primary hostname/IP and a secondary hostname/IP to reduce synchronization alerts and prevent future token drift.

    • Virtualization Platforms: If Authentication Manager runs on VMware ESX or Microsoft Hyper-V, all hosts — including those that may be used for vMotion or Live Migration in the future — must have the correct time set via NTP before running this procedure.

    • Single Token Resync: If only one user's token needs resynchronization (not a bulk operation), use the Security Console instead: navigate to Identity > Users > Manage Existing, locate the user, select SecurID Tokens from the context menu, click the token, and select Resynchronize Token.

    • Time Correction First: Always correct server time and configure a stable NTP source before running the sync-tokens modify action. Running the modify without fixing the underlying time issue may cause tokens to fall out of sync again.