I'm very new to this environment, but not to batch operations altogether.
What I have is a list of ~1300 users with expiring tokens exported from RSA to Excel. I'm currently manually going to each user in our security console, assigning them a new token, then shipping it to them.
What I want to do is figure out how to batch-update these users with their new tokens so all I have to do is compile the list of users and new tokens (which I'm doing anyway) fire that off as a batch job. I was looking at the Bulk Administration 1.6.0 Custom Application Guide PDF I found through this site, but it's frankly a little over my head at the moment. I have looked at the samples, but not sure how to adjust them for my scenario.
For example, we need to do direct assign-to-user & transfer the PIN where, after importing, they show in the user dashboard thusly:
I see in the documentation about the SetPin parameter, but there doesn't seem to be an option to carry the Pin over to the new token.
I'm going by the Replace and Provision Tokens sample AMBA scenario on page 144 of the referenced documentation, but it's not clear to me what data is where... This seems to me to be replacing hard tokens with soft tokens, but we need to replace expiring hard tokens with fresh soft tokens.
Any guidance would be great in this. I don't currently have access to the license info to get the direct RSA support (I'm working on this), but guidance to such a resource would also be appreciated.
By default, if you assign a token as a replacement, it will inherit the PIN. The first time the new token is used with the old PIN, the new token works and the old token becomes unassigned. Of course you can make settings changes and make it work differently.
AMBA to assign a replacement token and inherit the PIN of the old token:
Optional Fields TokEnabled, SetPin, PinMode, PinType, SoftIDParams,
SoftIDPW, Filename, copyProtect, IdentitySource,
SecurityDomain, SiteFile, SiteURL1, SiteURL2, SiteURL3,
DeviceSerialNumber, DeviceserialIsCtkipCode, Nickname,
NicknameIsCtkipCode, RegenerateSeed, OTPLength,
OTPAlgorithm, OTPInterval, PinAdded, DeliveryMethod,
DestinationAddress, TemplateFile
-------------------------------------------------------------------------------
Sample input file and command below.
I have a user with current keyfob token 000159871817 and need to assign
a replacement keyfob 000123003456, and keep the PIN.
example AMBA launch (with debug log file options so you can see AMBulkAdminLog.txt details)
------------------------------------------------------------------------------------------------
./rsautil AMBulkAdmin -a admin -P support1! --verbose -m 0 -i repta.csv
repta.csv is plain text, and contains this
Action,TokSerial,ReplTokSerial,TokEnabled,PinMode
REPT,000159871817,000123003456,1,0
-------------------------------------------------------------------------------------------------
[Of course I can add as many REPT lines as I need for more replacements.]
Now, as soon as the user picks up and uses the new token 000123003456 with the old PIN from
000159871817, the new token works and the old token is unassigned.
PinMode - This parameter is used to control the new PIN mode of the newly assigned
token. If PinMode is 0 or not set at all, new PIN mode will be reset (forced to off) for
the newly assigned token. This will cause each newly assigned token to inherit the
PIN and the new PIN mode state of the token it is replacing. If PinMode is set to 1,
each newly assigned token will be placed in new PIN mode, its PIN will be cleared
and will NOT inherit the PIN of the token being replaced.
0 - Replacement token will inherit the PIN and new PIN mode state of the token it is
replacing.
1 - Clears the PIN of the newly assigned token and forces new PIN mode on
----------------------------------------------------------------------------------------
Now, that was the simplest format. Assign a replacement.
How the token gets in the user's hands is not part of that. If keyfob, you send it out.
If software, it needs to be distributed....somehow.
But....If you are going from hardware token to software token, you can combine the distribution phase in the same CSV:
NOTE-the old PIN format must work with the new software token...or else the new token cannot inherit the PIN
and it will be in new PIN mode despite any settings to inherit it.
--Keyfob style software tokens can inherit any PIN.
--Pinpad style software tokens can only inherit numeric PINs that do not begin with a zero.
So, sid800 to software....a new input csv file might be more complex
(000116033641 is a software token to replace a sid800 with)
-assign replacement
-set as Android type software token
-distribute the replacement software token via sdtid email attachment
Action,TokSerial,ReplTokSerial,TokEnabled,PinMode
REPT,000159871817,000116033641,1,0
CIF,Action,Key,KeyType,MiscVariable
SSTDT,Android,FamilyKey,1.x
CIF,Action,TokSerial,TokEnabled,DeviceSerialNumber,DeliveryMethod,DestinationAddress
SSD,000116033641,1,357741061024863,SMTP,administrator@farmco.local
(you can add more '3 part chunks' to this for multiple users/tokens to make a much larger input file, using CIF)
To launch this, I want to send it as an sdtid file attachment [ctkip download is another way to send it]
./rsautil AMBulkAdmin -a admin -P support1! --verbose -m 0 -g -i newcsv.csv
NOTE: the command above sends email with .sdtid attachment... change -g to --ctkip and it will email
a ctkip link instead.
Check the security console: it got assigned as a replacement to my sid800:
Check email, I got the attachment
Finally, here are the relevant snips from the /opt/rsa/am/utils/AMBulkAdminLog.txt
-applyTokenSettings(...) - Key: Linenumber = Value: 2
Info : -applyTokenSettings(...) - Key: Action = Value: REPT
Info : -applyTokenSettings(...) - Key: ReplTokSerial = Value: 000116033641
Info : -applyTokenSettings(...) - Key: TokEnabled = Value: 1
Info : -applyTokenSettings(...) - Key: PinMode = Value: 0
Info : -applyTokenSettings(...) - Key: TokSerial = Value: 000159871817
Info : -Entering CommandUtils.setTokenDetails. - from: replaceToken
Info : Line 2 - replaceToken -000116033641, , 0 : New pin mode reset
-Entering deploySoftToken
Info : -deploySoftToken - Key: Linenumber = Value: 2
-Entered getSoftwareTokenDeviceDTO
Info : -Leaving getSoftwareTokenDeviceDTO
Info : -Entered setSoftTokenDeviceTypeAttributes
-Entering singleSofttokenDeployment
Info : -Entering verifyParameters
Info : -verifyParameters - Key: Linenumber = Value: 6
Info : -verifyParameters - Key: Action = Value: SSD
Info : -verifyParameters - Key: DestinationAddress = Value: administrator@farmco.local
-null, 000116033641, File davise3_000116033641.sdtid created.
-Entering EmailUtils.sendSDTIDFile(. . . )
Info : -mail.smtp.auth :: true
Info : -Fetching Custom Authenticator for SMTP Setup
Info : -mail.smtp.user :: administrator@farmco.local
Info : -mail.smtp.password :: ************
Info : -Creating SMTP Session with authenticate value.
Info : -Created SMTP Mail session
Success: 2018-03-07 12:17:37 : Line 6 - singleSofttokenDeployment -Token 000116033641 successfully deployed.
Info : -Leaving singleSofttokenDeployment
Info : -Log File Closed
Info : -Exit code: 0
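The answer above shows one REPT / SSTDT / SSD chunk by hand and notes that more "3 part chunks" can be appended for more users. For a list of ~1300 users exported from Excel, writing those chunks by hand is exactly the step worth automating, so here is an added example (not from the original post, and not RSA's own tooling) that turns a list of records into that AMBA input file. It reuses the column headers, action codes and sample serials exactly as they appear in the answer; everything else is an assumption and is marked as such: the sample rows are constructed, the "CIF" prefix on every header after the first is how this script reads the "using CIF" remark (check it against the Bulk Administration guide), and the validation rules (12-digit zero-padded token serials, which Excel commonly truncates when it treats a serial as a number; no token listed twice) are defensive checks added here, not requirements stated on the page.

```python
"""Build an AMBA bulk-replacement CSV (REPT + SSTDT + SSD chunk per user).

Added example for illustration; not part of the original post or of RSA's tooling.
"""
import csv
import io
import re

# RSA token serials on this page are 12 digits with leading zeros (000159871817).
# Assumption: every serial has that shape. Excel drops leading zeros from
# numeric-looking cells, so serials are re-padded rather than rejected.
SERIAL_LEN = 12

# Constructed sample rows (not from the original post). The first row reuses the
# serials and address shown in the answer; the second uses obvious placeholders
# with the leading zeros already lost, as an Excel export often delivers them.
SAMPLE_ROWS = [
    {"old_serial": "000159871817", "new_serial": "000116033641",
     "device_serial": "357741061024863", "email": "administrator@farmco.local"},
    {"old_serial": "159871818", "new_serial": "116033642",
     "device_serial": "357741061024864", "email": "user2@example.invalid"},
]


def normalize_serial(value):
    """Return a 12-digit token serial, restoring leading zeros Excel may have dropped."""
    digits = str(value).strip()
    if not digits.isdigit() or len(digits) > SERIAL_LEN:
        raise ValueError(f"invalid token serial: {value!r}")
    return digits.zfill(SERIAL_LEN)


def validate_row(row):
    """Normalize one record and reject obviously bad data before AMBA ever sees it."""
    old = normalize_serial(row["old_serial"])
    new = normalize_serial(row["new_serial"])
    if old == new:
        raise ValueError(f"replacement serial equals the serial being replaced: {old}")
    device = str(row["device_serial"]).strip()
    if not device.isdigit():
        raise ValueError(f"device serial must be numeric: {device!r}")
    email = row["email"].strip()
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        raise ValueError(f"bad delivery address: {email!r}")
    return {"old_serial": old, "new_serial": new, "device_serial": device, "email": email}


def build_amba_csv(rows, device_type="Android", family_key="1.x",
                   delivery="SMTP", pin_mode=0):
    """Emit one REPT / SSTDT / SSD chunk per row, in the layout shown in the answer.

    pin_mode=0 keeps the behaviour described above (replacement inherits the PIN);
    pin_mode=1 clears the PIN and forces new PIN mode.

    Assumption: the first header line carries no "CIF" prefix and every later
    header does; confirm against the Bulk Administration guide before use.
    """
    seen_old, seen_new = set(), set()
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    first_chunk = True
    for raw in rows:
        r = validate_row(raw)
        # A token can be assigned to one user only, so a repeated serial is an
        # input error worth catching before the job runs, not after.
        if r["old_serial"] in seen_old:
            raise ValueError(f"token {r['old_serial']} replaced twice")
        if r["new_serial"] in seen_new:
            raise ValueError(f"replacement token {r['new_serial']} listed twice")
        seen_old.add(r["old_serial"])
        seen_new.add(r["new_serial"])

        prefix = [] if first_chunk else ["CIF"]
        first_chunk = False
        writer.writerow(prefix + ["Action", "TokSerial", "ReplTokSerial", "TokEnabled", "PinMode"])
        writer.writerow(["REPT", r["old_serial"], r["new_serial"], 1, pin_mode])
        writer.writerow(["CIF", "Action", "Key", "KeyType", "MiscVariable"])
        writer.writerow(["SSTDT", device_type, "FamilyKey", family_key])
        writer.writerow(["CIF", "Action", "TokSerial", "TokEnabled", "DeviceSerialNumber",
                         "DeliveryMethod", "DestinationAddress"])
        writer.writerow(["SSD", r["new_serial"], 1, r["device_serial"], delivery, r["email"]])
    return out.getvalue()


if __name__ == "__main__":
    # Writes the generated file to stdout; redirect it to newcsv.csv for rsautil.
    print(build_amba_csv(SAMPLE_ROWS), end="")
```

The generated file is then fed to the same command the answer uses (`./rsautil AMBulkAdmin ... -g -i newcsv.csv`). Running it first with a two-row file against a test user, and reading the resulting AMBulkAdminLog.txt as the answer does, is a cheaper way to confirm the chunk layout than discovering a header mismatch 1300 lines in.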