Extending Software Token Lifetimes
An administrator who has permission to assign tokens can extend the lifetime of a distributed software token that has expired or is due to expire soon. By extending software token lifetimes, you can avoid replacing expired software tokens on user devices, such as mobile phones, tablets, and PCs. Software token provisioning only needs to occur one time on each user device. RSA Authentication Manager determines the token expiration date for the extended token, and Authentication Manager assumes full administrative control over whether an extended token is available for authentication.
For example, a token that will expire in 15 days can be extended so that it will not expire for another 2 years. An unassigned token that expires in 2 years provides a new expiration date to the distributed token that was expiring in 15 days, and the unassigned token is deleted. The original, distributed token on the user device receives an extended lifetime in Authentication Manager.
Software token lifetime extension is transparent to users. No processing steps are required on user devices, and SecurID authentication continues as usual.
Extending the software token lifetime does not prevent a software token license from expiring. If a software token license expires, the software token continues to generate tokencodes, but authentication cannot occur until a new software token license is applied in Authentication Manager.
Only software tokens that were distributed in RSA Authentication Manager 8.2 or later can be extended. The following tokens cannot be extended:
- Hardware tokens.
- Software tokens that are not distributed to users.
- Active or expired software tokens that were distributed in an Authentication Manager version earlier than version 8.2.
- Evaluation software tokens that have a serial number in the range 000000000001 to 000000000025. These tokens are provided for use with the evaluation license.
- Software tokens that are already being replaced or extended. However, a token can be extended for a second time when it is close to its expiration date.
- Software tokens that have not expired and are not yet close enough to their expiration date. By default, a token can be extended starting 15 days before its expiration date. You can change the number of days before the expiration date during which a software token can be extended. For more information, see Configure Software Token Lifetime Extension Parameters.
- SecurID Authenticate Tokencodes cannot be extended.
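The exclusion rules above can be applied as a pre-screen over a token inventory before you search in the Security Console. This is an added example, not RSA code: the Token record, its field names, the kind labels, and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

EVAL_SERIALS = range(1, 26)   # evaluation serials 000000000001 to 000000000025
MIN_VERSION = (8, 2)          # earliest release whose distributed tokens can be extended

@dataclass
class Token:                  # hypothetical inventory record, not an RSA export format
    serial: str
    kind: str                 # assumed labels: "software", "hardware", "authenticate"
    distributed_in: Optional[Tuple[int, int]]  # AM version at distribution, None if undistributed
    expires: date
    pending: bool = False     # already being replaced or extended

def extension_blockers(tok, today, window_days=15):
    """Return every listed reason that blocks extension ([] means extendable).

    window_days mirrors token_days_remaining_for_expiration (default 15).
    """
    if tok.kind == "hardware":
        return ["hardware token"]
    if tok.kind == "authenticate":
        return ["SecurID Authenticate Tokencode"]
    reasons = []
    if tok.distributed_in is None:
        reasons.append("not distributed to a user")
    elif tok.distributed_in < MIN_VERSION:
        reasons.append("distributed before Authentication Manager 8.2")
    if int(tok.serial) in EVAL_SERIALS:
        reasons.append("evaluation token")
    if tok.pending:
        reasons.append("already being replaced or extended")
    # Expired tokens have a negative remainder, so they stay eligible.
    if (tok.expires - today).days > window_days:
        reasons.append("more than %d days from expiration" % window_days)
    return reasons

TODAY = date(2024, 3, 1)      # constructed reference date
SAMPLE = [                    # constructed records
    Token("000123456789", "software", (8, 4), date(2024, 3, 16)),  # exactly 15 days left
    Token("000123456790", "software", (8, 4), date(2024, 2, 20)),  # already expired
    Token("000123456791", "software", (8, 1), date(2024, 3, 5)),
    Token("000000000007", "software", (8, 5), date(2024, 3, 5)),
    Token("000123456792", "software", (8, 6), date(2025, 3, 1), pending=True),
    Token("000200000001", "hardware", None, date(2024, 3, 5)),
]

if __name__ == "__main__":
    for tok in SAMPLE:
        print(tok.serial, extension_blockers(tok, TODAY) or "extendable")
```

The Extendable column in the Security Console search results remains the authoritative answer; a screen like this only narrows the list you search for.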
Extend Software Token Lifetimes
You can select software tokens and extend their expiration dates. This prevents tokens from expiring on user devices, such as mobile phones, tablets, and PCs, and avoids the need to provision each user device more than one time.
After you search for software tokens to extend, the search results display “Yes” in the Extendable column for software tokens that are eligible for extension. The extendable tokens must have been distributed in RSA Authentication Manager 8.2 or later, and the tokens must meet the other conditions for being extended. For example, the tokens must not already be in the process of being replaced or extended.
Before you begin
- Your administrative role must permit you to assign tokens.
- Import a token record file that contains extension token records. For instructions, see Import a Token Record File.
Procedure
1. In the Security Console, find one or more software tokens that you want to extend. Use one of the following methods:

   Navigate From: List of tokens
   Steps:
   1. Click Authentication > SecurID Tokens > Manage Existing.
   2. On the Assigned tab, use the search fields to find software tokens.
   3. From the search results, do one of the following:
      - Click one software token that you want to extend. From the context menu, click Extend SecurID Token Lifetime.
      - Or click more than one software token that you want to extend. From the Action menu, select Extend SecurID Tokens Lifetime, and click Go.

   Navigate From: User Dashboard
   Steps:
   1. In the Security Console, go to the Home page.
   2. Use Quick Search to find the user.
   3. Select the user for whom you want to extend software tokens.
   4. Under Assigned SecurID Tokens, click Edit > Extend SecurID Token Lifetime.

   Navigate From: List of users
   Steps:
   1. In the Security Console, click Identity > Users > Manage Existing.
   2. Use the search fields to find the user.
   3. From the search results, click the user for whom you want to extend software tokens. From the context menu, click SecurID Tokens.
   4. From the list of tokens assigned to the user, click the software token that you want to extend.
   5. From the context menu, click Extend SecurID Token Lifetime.

2. The Extend Token Lifetime page displays the extension tokens that RSA Authentication Manager selected to extend the lifetime of the original tokens.
   Authentication Manager chooses extension tokens that have the longest lifetime. The extension tokens are deleted after the original software token expiration date is extended.
   (Optional) To choose different extension tokens, click Select Different Tokens. You must select an extension token for each of the original tokens.
   Note: Before selecting your own extension tokens, verify the expiration dates. The original tokens could potentially receive earlier expiration dates from the extension tokens.
3. Click Save & Finish.
   The original tokens are updated with the new expiration dates.
   No processing steps are required on the user devices, and SecurID authentication continues as usual.
Configure Software Token Lifetime Extension Parameters
You can change the number of days before the expiration date during which a software token can be extended. The default value is 15 days.
Before you begin
- You must be an Operations Console administrator.
- You must know how to use the Linux operating system.
- Obtain the information required to access the appliance operating system:
  - Obtain the rsaadmin operating system password.
  - Obtain the IP address or fully qualified hostname for the hardware appliance or the virtual machine.
- Enable SSH on the appliance. For instructions, see Enable Secure Shell on the Appliance.
Procedure
1. On the primary instance, log on to the appliance with the user name rsaadmin and the operating system password.
2. Change the directory to utils. Type:
       cd /opt/rsa/am/utils
   and press ENTER.
3. Type the following command:
       ./rsautil store -a update_config auth_manager.extend_token_life.token_days_remaining_for_expiration number GLOBAL 503
   where number is the number of days before expiration. For example, 20.
4. When prompted, type the Operations Console administrator password, and press ENTER.
5. Restart all RSA Authentication Manager services. Change the directory. Type:
       cd /opt/rsa/am/server
6. Type:
       ./rsaserv restart all
7. Restart services on each replica instance. Log on to each replica instance, and repeat step 5 and step 6.