
ErikaB6 (Customer) asked a question.
I imported the new tokens and chose "Ignore all duplicate tokens". I realize now that all the new tokens are imported as unassigned.
Does that mean that if I have assigned tokens that will expire soon, I need to replace the user's token with a new, recently imported token?
I also have tokens that will expire in 2035. Does that mean that I have a license for the tokens until 2035?
Is it safe to delete expired tokens if they are unassigned?
@ErikaB6 (Customer),
Great name! Welcome to the RSA Community!
When you import tokens to the Authentication Manager they are all marked as unassigned. If you have tokens that are set to expire soon you will need to replace the user's current token with a new one, either manually or using Authentication Manager Bulk Admin (fondly referred to as AMBA). AMBA is a utility developed from the Authentication Manager Server Admin APIs. This utility enables administrators to perform administration from the command-line.
Tokens and licenses are different things. Authentication Manager licenses, which define the number of active users allowed in your deployment and basic information such as license type and other components, never expire. You can see your license information in the Security Console under Settings > Licenses > Status. Tokens do have expiration dates, as you see with the 2035 date. See this article that explains the expiration date of 2035 for RSA SecurID software tokens that you are seeing in the RSA Authentication Manager 8.x Security Console.
It is safe to delete your expired tokens.
Tip for Authentication Manager best practices
Save the token import .xml that you received in a secure location. You can use it to reload the token seeds back to the system in case any of the tokens are accidentally deleted. This happens more often than you'd think. Keep the token .xml file because RSA only stores purchased token files for 150 days. Within that time frame we can replace a lost file. After 150 days you would need to purchase new tokens as replacements.
If you do need to reimport the token file, use the option to ignore duplicates as you did. The deleted tokens are restored to the system and can then be reassigned. When you do this any tokens in the database that are assigned are not overwritten. If you choose to overwrite existing tokens, this unassigns all tokens in the database except for those assigned to your administrators.
Hello,
If you have an assigned token that will expire soon, you should assign the new token as a replacement token, so the user will keep his PIN on the new token, identical to the current one.
Tokens which expire in 2035 are software tokens, I presume, and yes, they are valid until this date.
You have a token policy which mentions that if you have assigned tokens, you can automatically delete them. So yes, you can delete them manually if you want.
Can you please point me to the instructions to replace a token so users can keep their PIN?
Erika
@ErikaB6 (Customer)
By default the user PIN is retained when you replace the token (note step 7 in the steps to replace the currently assigned token with a specific token).
To replace a token with the next available token,
Sometimes the next available token also has an expiration date that is coming up soon. If that is the case, you can use the option to replace the token with a specific token from a newer batch. In that case,
All of this is documented in the online help through the Security Console. Search for Replace Token and you will see the additional options for replacing a token.
You must assign them as a replacement token.
Let me check and come back to you with a more detailed answer.
When your token is about to expire, if you assign a new token, you choose to assign it as a replacement token. The effect is that the user won't have to change his PIN. Once the new token is used by the user, the old one is disabled.