Configure Token Settings

Token settings determine the authentication requirements for token users, and whether tokens that are replaced are automatically deleted from Authentication Manager. In this procedure, you can also configure the settings for dynamic seed provisioning.

If CT-KIP runs on a web tier for dynamic seed provisioning, you must direct requests to the virtual host by changing the hostname and port number.


  1. In the Security Console, click Setup > System Settings.

  2. On the Settings page, under Authentication Settings, click Tokens.

  3. For SecurID PIN, select one of the following:

    • Allow PIN requirement to be set per token if you want to set PIN requirements for individual tokens. By default, users must authenticate with a passcode (PIN + tokencode).

    • Set all tokens to not require a PIN (tokencode only) if you want users to authenticate only with a tokencode.

    Note: For software tokens, setting all tokens to not require a PIN will override the PIN requirement specified in a software token profile.

  4. For Replacement Tokens, select Automatically delete replaced tokens if you want to automatically delete a token after it is replaced with a new token.

  5. For Only automatically assign tokens that do not expire for more than number of days, enter a number. When tokens are automatically assigned or used as replacement tokens, the system selects only unassigned tokens that have more than the configured number of days remaining before they expire.

  6. (Optional) If you have web tiers, in the Dynamic Seed Provisioning Configuration section, do the following:

    1. In the Fully Qualified Hostname field, enter the hostname of the virtual host that points to the dynamic seed provisioning service on the web tier.

    2. In the Port field, enter the port number of the virtual host that clients use to communicate with the dynamic seed provisioning service.

      Note: If the deployment does not have web tiers, the Fully Qualified Hostname and Port fields must use the default values: the hostname for the primary instance and the port number 7004.

      When you click Save, the Current CT-KIP Service Address updates with the fully qualified hostname and port.

    3. For Activation Code Expiration, do one of the following:

      • Enter the number of days that the activation code can be used after the software token is distributed.

      • Select Do not expire activation codes to prevent activation codes from expiring.

  7. Click Save.

Related Concepts

RSA Authentication Agents