AnsweredAssumed Answered

Token PIN generated by RSA for passcode generation or PIN provisioned by user

Question asked by Ajitabh Ajitabh on Jun 6, 2018
Latest reply on Jun 7, 2018 by Ajitabh Ajitabh

Like • Show 0 Likes0
Comment • 2

Hi SecureID experts,

I had used RSA for secure ID token in our product that used to have flow like :

User enters first time with TokenCode -> RSA SHARES PIN for user and "Secure ID" is set --> User stores PIN and uses to generate Token every time to get passcode...

With recent RSA ver8.3 setup we found change in this initial PIN setup flow, and here User is prompted to set PIN instead of providing PIN to user. Current flow looks like this:

User enters first time with TokenCode -> RSA REQUESTS for PIN and upon confirmation of same PIN from user "Secure ID" is set --> User stores PIN and uses to generate Token every time to get passcode...

This change is impacting our existing interface software and we need more information regarding this change.

Can you please help us with following info:

1. Can we configure tokens / RSA to be like previous config where RSA provides PIN to user? If we can provision please share steps to do same.

2. When this change introduced and do we have to maintain same across all products / Lic. What are RSA Ver and RSA tool ver it should work with ?

We have RSA demo version for our development and test for Cisco leading optical transport product that supports RSA based authentication. Its field deployed config that we need to support with update across our platforms and RSA.

Regards,

Ajitabh

Piers Bowness

Jun 6, 2018 12:06 PM

Correct Answer

Hi Ajitabh,

You should be able to configure the token policy for system generated PIN. You did not mention your prior AM version.

What was changed was older versions had an option to allow the end-user to select whether they would select a PIN or allow the system to generate a PIN on their behalf. This mode has been deprecated. The token policy is configured to either allow the user to assign the PIN or to have it generated by the system and provided to the user.

1. Can we configure tokens / RSA to be like previous config where RSA provides PIN to user? If we can provision please share steps to do same.

In the Security Console select "Administration > Policies > Token Policies > Manage Existing...". Click on the "Initial Token Policy" and select "Edit". Under the "SecurID Pin Format" section, select the "Require System Generated PIN" radio button and "Save".

2. When this change introduced and do we have to maintain same across all products / Lic. What are RSA Ver and RSA tool ver it should work with ?

This was introduced starting with AM 7.x. All certified partner agents should handle the system generated (or user-specified) PIN protocol.

Some notes....

If you've altered or created different policies for different security domains, you'll need to make sure the policy associated with the user's Security Domain has the "Require System Generated PIN" setting.
When this policy setting is changed, users will be forced to get a new (system-generated) PIN next time they authenticate.

See the reply in context

No one else had this question

Outcomes

Piers Bowness

Jun 6, 2018 12:06 PM

Hi Ajitabh,

You should be able to configure the token policy for system generated PIN. You did not mention your prior AM version.

1. Can we configure tokens / RSA to be like previous config where RSA provides PIN to user? If we can provision please share steps to do same.

2. When this change introduced and do we have to maintain same across all products / Lic. What are RSA Ver and RSA tool ver it should work with ?

This was introduced starting with AM 7.x. All certified partner agents should handle the system generated (or user-specified) PIN protocol.

Some notes....

If you've altered or created different policies for different security domains, you'll need to make sure the policy associated with the user's Security Domain has the "Require System Generated PIN" setting.
When this policy setting is changed, users will be forced to get a new (system-generated) PIN next time they authenticate.

1 person found this helpful

Actions

Ajitabh Ajitabh @ Piers Bowness on Jun 7, 2018 4:42 AM

Hi Piers,

Thanks for to the point remedy!

I am able to set non-default token policy under Authentication > Policies > Token Polices which restored old config in this newly installed RSA server.

What I missed here is token based selection for such change. I have other token users with different product might be using default policy but this change will impact all. Do we have ways to group such different set of policy users based on product ?

Its not relevant now but as you asked, I was using v8.0 RSA server years back for our test.

Thanks and Regards,

Ajitabh

Actions

2 Replies

Piers Bowness Jun 6, 2018 12:06 PM
Unmark Correct
Correct Answer
Hi Ajitabh,
You should be able to configure the token policy for system generated PIN. You did not mention your prior AM version.
What was changed was older versions had an option to allow the end-user to select whether they would select a PIN or allow the system to generate a PIN on their behalf. This mode has been deprecated. The token policy is configured to either allow the user to assign the PIN or to have it generated by the system and provided to the user.

1. Can we configure tokens / RSA to be like previous config where RSA provides PIN to user? If we can provision please share steps to do same.
In the Security Console select "Administration > Policies > Token Policies > Manage Existing...". Click on the "Initial Token Policy" and select "Edit". Under the "SecurID Pin Format" section, select the "Require System Generated PIN" radio button and "Save".
2. When this change introduced and do we have to maintain same across all products / Lic. What are RSA Ver and RSA tool ver it should work with ?
This was introduced starting with AM 7.x. All certified partner agents should handle the system generated (or user-specified) PIN protocol.

Some notes....
- If you've altered or created different policies for different security domains, you'll need to make sure the policy associated with the user's Security Domain has the "Require System Generated PIN" setting.
- When this policy setting is changed, users will be forced to get a new (system-generated) PIN next time they authenticate.
1 person found this helpful
Like • Show 2 Likes2
Actions
- Ajitabh Ajitabh @ Piers Bowness on Jun 7, 2018 4:42 AM
  Mark Correct
  Correct Answer
  Hi Piers,
  Thanks for to the point remedy!
  
  I am able to set non-default token policy under Authentication > Policies > Token Polices which restored old config in this newly installed RSA server.
  What I missed here is token based selection for such change. I have other token users with different product might be using default policy but this change will impact all. Do we have ways to group such different set of policy users based on product ?
  Its not relevant now but as you asked, I was using v8.0 RSA server years back for our test.
  
  Thanks and Regards,
  Ajitabh
  Like • Show 0 Likes0
  Actions

Token PIN generated by RSA for passcode generation or PIN provisioned by user

Outcomes

Related Content

Recommended Content