RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager, AMBA
RSA Version/Condition: 8.x
Use the methods outlined below if:
- The Security Console is down for any reason and the super admins are unable to assign and distribute tokens.
- The super admins need to assign and distribute tokens in bulk to save time.
AMBA requires an Enterprise license for Authentication Manager. To verify your license type, login to the Security Console and navigate to Setup > Licenses > Status. The license type must be Enterprise, and the number of allowed instances under Replication must be 15.
Before starting, please review the RSA Authentication Manager 8.8 Bulk Administration Utility Guide for your product version.
- RSA Authentication Manager 8.7 Bulk Administration Utility (AMBA) Guide
- RSA Authentication Manager 8.7 SP1 Bulk Administration Utility (AMBA) Guide
- RSA Authentication Manager 8.7 SP2 Bulk Administration Utility (AMBA) Guide
- RSA Authentication Manager 8.8 Bulk Administration Utility (AMBA) Guide
- RSA Authentication Manager 8.9 Bulk Administration Utility (AMBA) Guide
I. Creating a software token profile
- Follow the documentation on how to create a new software token profile.
- For the delivery method, choose File-based Provisioning. Authentication Manager generates a software token distribution file (.sdtid), which is added to a .zip file for download. This software token distribution file contains the shared secret (“seed”) used by the SecurID algorithm, and other metadata such as expiration date, serial number, and number of digits in the tokencode.
II. Assigning tokens to users
- Logon to the command line of the RSA Primary instance.
- Navigate to the /tmp directory e.g. cd /tmp
- Use a text editor to create a . csv file (e.g., vi /tmp/rsa_assign.csv).
- Create row 1 with the following column headers: action, DefLogin, LastName, Firstname, TokSerial, ReplTokSerial, TokEnabled, IdentitySource (be sure not to use spaces in the header row).
- Add the required information to the file to assign tokens to the users.
A sample input file is shown here:
action,DefLogin,LastName,FirstName,TokSerial,ReplTokSerial,TokEnabled,IdentitySource
ATU,omurphy,Murphy,Owen,001915471532,,1,BOS-DC01
ATU,nhaddad,Haddad,Noura,001915471533,,1,EMEA-DC01
ATU,mnguyen_admin,Nguyen,Minh,001915471534,001256664514,,APJ-DC01
Where,
- Action (mandatory): is the command AMBA will run. In this case we are implementing Add Token to User (ATU).
- DefLogin (mandatory): The user's login ID.
- LastName and Firstname: User's last name and first name.
- TokSerial (mandatory): The serial number of the new token that is being assigned to the user.
- ReplTokSerial (mandatory): Populated if the new token is a replacement for a lost or damaged token that is already assigned to a user. Leave blank if there is not a token that is being replaced.
- TokEnabled (mandatory): Set if the token is delivered to a user in an enabled state. Use 1 to set the token to Enabled and set to 0 for disabled. If providing a disabled token, the end user will need to contact your helpdesk to enable it.
- IdentitySource (mandatory): List the external identity source to which the user belongs. If left blank, AMBA assumes the internal database as the identity source and system domain as the security domain.
- On the primary, change directory to /opt/rsa/am/utils (e.g., cd /opt/rsa/am/utils).
- Run the AMBA Utility to fetch the information from the /tmp/rsa_assign.csv (note that this is written in one line in the command line interface):
./rsautil AMBulkAdmin -a <Super-admin> -P <Super-admin-Password> --verbose -m 0 -i /tmp/rsa_assign.csv -o AMBAlog.log
For example,
./rsautil AMBulkAdmin -a scadmin -P support1'!' --verbose -m 0 -i /tmp/rsa_assign.csv -o AMBAlog.log
- Open the AMBAlog.log using the cat command (e.g., cat AMBAlog.log) andto confirm a successful result.
- Login to the primary's Security Console to confirm that the tokens were assigned successfully.
IV. Distributing assigned tokens to users using the SDTID format via email
- Navigate to /tmp on the primary.
- Use the Single Softtoken Deployment (SSD) action in AMBA to create a software token profile with a Delivery method of File Based (SDTID).
- Create a .csv file (e.g., rsa_distribute.csv) with the following fields (be sure not to use spaces in the header row):
action, TokSerial, TokEnabled, SoftIDParams, IdentitySource, DestinationAddress, DefLogin, DeliveryMethod, SoftTokenProfile
A sample input file is shown:
action,TokSerial,TokEnabled,SoftIDParams,IdentitySource,DestinationAddress,DefLogin,DeliveryMethod,SoftTokenProfile
SSD,001915471532,1,000,BOS-DC01,omurphy@rsalab.com,omurphy,SMTP,Desktop_Soft_Token
SSD,001915471533,1,000,EMEA-DC01,nhaddad@rsalab.com,nhaddad,SMTP,Desktop_Soft_Token
SSD,001915471534,1,000,APJ-DC01,mnguyen_admin@rsalab.com,mnguyen_admin,SMTP,Desktop_Soft_Token
Where,
- Action (mandatory): is the command AMBA will run. In this case we are implementing Add Token to User (SSD).
- TokSerial (mandatory): The serial number of the new token that is being distributed to the user.
- TokEnabled (mandatory): Set if the token is delivered to a user in an enabled state. Use 1 to set the token to Enabled and leave blank to provide a disabled token that the user enables on receipt.
- SoftIDParams (mandatory): This entry must be a 3-digit number and the first digit must be a 0. This value is required if SDTID files are used for token seed delivery, and not required when using CT-KIP. It must contain three decimal digits to control seed file generation characteristics:
- First digit must be 0. Required but ignored.
- Second digit sets the copy protection flag: 0 - Copy protection off. 1 - Copy protection on.
- Third digit - Password usage and Interpretation method:
- 0 - No password.
- 1 - Static password. See information in the AMBA Guide about SoftIDPW for more information.
- 2 - Default login.
- 3 - Default login appended to static password.
For example,
-
- 000 --- no copy protection, no password.
- 010 --- copy protection on, no password.
- 001 --- no copy protection, static password (requires an additional field called SoftIDPW that contains the password).
- 002 --- no copy protection, password is the value in DefLogin.
- 003 --- no copy protection, static password is the value from SoftIDPW followed by the value in DefLogin.
- 011, 012, 013 --- as above only with copy protection on.
- IdentitySource (mandatory): List the external identity source to which the user belongs. If left blank, AMBA assumes the internal database as the identity source and system domain as the security domain. If not defined, the utility only looks at the internal database.
- DestinationAddress (mandatory): To email address for the user for whom the token is assigned and distributed.
- DefLogin (mandatory): The user's login ID.
- DeliveryMethod (mandatory): Used for automatic email notification during CT-KIP and SDTID file provisioning.
- SoftTokenProfile (mandatory): The software token profile to be used when creating the .SDTID file for delivery.
- Change directory to /opt/rsa/am/utils (e.g. cd /opt/rsa/am/utils).
- Run the AMBA Utility to fetch the information from the /tmp/rsa_distrivute.csv (note that this is written in one line in the command line interface):
./rsautil AMBulkAdmin -a <Super-admin> -P <Super-admin-Password> --verbose -m 0 -i /tmp/rsa_distribute.csv -o AMBAlog.log -g
For example,
./rsautil AMBulkAdmin -a scadmin -P support1'!' --verbose -m 0 -i /tmp/rsa_distribute.csv -o AMBAlog.log -g
- Open the AMBAlog.log using the cat command (e.g., cat AMBAlog.log) and to confirm a successful result.
- Login to the primary's Security Console to confirm that the tokens were distributed successfully.
Related Articles
Import a Token Record File 343Number of Views How to automatically distribute a soft token to Android with AMBA via CT-KIP 508Number of Views RSA SecurID software token is distributed in a disabled state when requested with modified software token profiles via the… 535Number of Views How to manipulate imported RSA SecurID Software Token(s) on an iPhone or iPad device 783Number of Views Downloading RSA Authentication Manager license files or RSA Software token seed records 2.81KNumber of Views
Trending Articles
How to manipulate imported RSA SecurID Software Token(s) on an iPhone or iPad device RSA Authentication Manager 8.9 Setup and Configuration Guide RSA Authentication Manager 8.9 Release Notes (January 2026) RSA Authentication Manager Upgrade Process How to recreate the node secret for RADIUS Server in RSA Authentication Manager 8.x