How to synchronize RSA SecurID tokens in RSA Authentication Manager 8.x
Originally Published: 2015-12-28
Article Number
000062954
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
  • Due to time being off on the RSA Authentication Manager server, some tokens have become out of sync.
  • A large group of tokens needs to be resynchronized.
Tasks
  1. Correct time and set an outside NTP server to prevent time from becoming unstable.
  2. Connect to the RSA Authentication Manager primary server and run the command ./rsautil sync-tokens to generate a report showing token status.
  3. Run ./rsautil sync-tokens again to modify tokens to be in proper sync with the server.
Resolution

Before running a modify command that will affect the tokens' ability to authenticate, please discuss your issue with RSA Customer Support. While editing the token offset is a way to restore authentication to tokens that are outside the acceptable token authentication window, editing the token offset for all tokens may put tokens that are authenticating properly into a non-functional state.


Prerequisites

  1. All RSA Authentication Manager 8.x servers must have the correct time before proceeding, and be within ten seconds of each other (except for time zone differences). If any of the servers have time that is incorrect by more than eight minutes, contact RSA Customer Support for assistance before proceeding.
  2. If Authentication Manager 8.x is running on a virtualization platform such as a VMware ESX host or Microsoft Hyper-V, then all of the ESX hosts that are being used (or could potentially be used in the future with VMware's vMotion or Hyper-V's Live Migration) need to have the correct time set by NTP.
  3. It is recommended to verify that NTP server entries exist for both the primary and the secondary NTP server (by hostname or IP address) to reduce alerts.

 * * * 

Run the sync-token utility

  1. Launch an SSH client, such as PuTTY.
  2. Login to the primary Authentication Manager server as rsaadmin and enter the operating system password.

Note that during Quick Setup another user name may have been selected. Use that user name to login.

login as: rsaadmin 
Using keyboard-interactive authentication. 
Password: <enter operating system password> 
  3. Navigate to /opt/rsa/am/utils.
  4. Run the sync-tokens wizard to generate a report of all of the tokens in the deployment using the options shown below.

Note that the administrator user ID and password requested must be for an administrative user in the internal database.

rsaadmin@am88p:~> cd /opt/rsa/am/utils 
rsaadmin@am88p:/opt/rsa/am/utils> ./rsautil sync-tokens -I
Authenticator Bulk Synchronization Utility 8.8.0.3.0 (1380648)
Copyright (C) 1994 - 2026 EMC Corporation. All Rights Reserved.
Enter the absolute path for the output report file               : /tmp/token_report.txt
Enter the base security domain name for recursive search [(none)]: <press Enter to select none>
Enter the type of token selection                [ (all) | file ]: <press Enter to select all>
Choose a token filter          [ assigned | unassigned | (both) ]: <press Enter to select both>
What action do you wish to perform?            [ (list) | modify ]: <press Enter to select list>
Enter administrator user ID                                      : <enter the name of a SuperAdmin user>
Enter administrative password                                    : <enter the password for the SuperAdmin user>
Authenticator Bulk Synchronization Utility 8.1.1.8.0 (1380648)
Copyright (C) 1994 - 2026 EMC Corporation. All Rights Reserved.


Determining if an offset value needs to be modified

  1. Using cat, open /tmp/token_report.txt:
rsaadmin@am88p:/opt/rsa/am/utils> cat /tmp/token_report.txt
  2. The token_report.txt will show the token offset values under Clock Offset.
In the example below, the Clock Offset values are zero. If the Clock Offset values are large, you may need to modify this value back to zero using the utility.

# Token           Clock    Next Tokencode   Last Login
# Serial Number   Offset   Mode Status      Date/Time
000xxxxxxxxx      0        false            None
000xxxxxxxxx      0        false            None
000xxxxxxxxx      0        false            None
000xxxxxxxxx      0        false            None
000xxxxxxxxx      0        false            None
000xxxxxxxxx      0        false            None
000xxxxxxxxx      0        false            None
000xxxxxxxxx      0        false            None
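Deciding whether an offset needs to be modified is easier when the report is triaged rather than read row by row, and it also lets a later modify run be limited to the tokens that are actually outside the window instead of zeroing every token (the risk the Resolution section warns about). The following shell script is an added example, not part of the RSA article or of the sync-tokens utility: it reads a list-action report, prints the serials whose absolute Clock Offset exceeds a limit, and reports the largest offset seen. It assumes a whitespace-separated row layout matching the columns above with header lines starting with #, that Clock Offset is expressed in seconds, and a constructed window of 60 seconds; the sample report, its serials and its offsets are made up for the example.

```shell
#!/bin/sh
# Added example (not part of the RSA article): triage a sync-tokens "list"
# report so that only tokens outside the authentication window are candidates
# for a "modify" run, instead of resetting the offset of every token.
#
# Assumptions not stated on the page:
#   - data rows are whitespace-separated: serial, clock offset,
#     next tokencode mode, last login; header lines start with '#'
#   - the clock offset is in seconds
#   - LIMIT (seconds) is a constructed value; use the window from your
#     own token policy
LIMIT="${LIMIT:-60}"

# Write a constructed sample report (serials and offsets are made up) to $1.
make_sample_report() {
  cat > "$1" <<'EOF'
# Token Serial Number   Clock Offset   Next Tokencode Mode Status   Last Login Date/Time
000123456001 0 false None
000123456002 -2 false 2015-12-20T08:15:00
000123456003 95 true None
000123456004 -3600 false 2015-11-01T09:00:00
000123456005 1 false 2015-12-27T17:42:10
EOF
}

# Print the serial of every token whose absolute clock offset exceeds $2 seconds.
list_out_of_window() {
  awk -v limit="$2" '
    /^#/ || NF < 2 { next }
    { off = $2 + 0; if (off < 0) off = -off
      if (off > limit) print $1 }' "$1"
}

# Number of tokens outside the window, as a single integer on stdout.
count_out_of_window() {
  list_out_of_window "$1" "$2" | wc -l | tr -d ' '
}

# Largest absolute clock offset in the report, in seconds (0 for an empty report).
max_abs_offset() {
  awk '
    /^#/ || NF < 2 { next }
    { off = $2 + 0; if (off < 0) off = -off
      if (off > max) max = off }
    END { print max + 0 }' "$1"
}

# Stand-alone run: use $REPORT if set (e.g. /tmp/token_report.txt on the
# primary), otherwise the constructed sample above.
if [ -n "${REPORT:-}" ]; then
  report="$REPORT"; cleanup=""
else
  report=$(mktemp); make_sample_report "$report"; cleanup="$report"
fi
candidates=$(mktemp)
list_out_of_window "$report" "$LIMIT" > "$candidates"
echo "Tokens in report: $(grep -cv '^#' "$report")"
echo "Largest |clock offset|: $(max_abs_offset "$report") s"
echo "Tokens with |clock offset| > ${LIMIT}s: $(count_out_of_window "$report" "$LIMIT")"
cat "$candidates"
rm -f $cleanup "$candidates"
```

On the server, run it with REPORT=/tmp/token_report.txt and LIMIT set to the window your token policy uses, and keep the printed serial list. That list is the natural input for the utility's file token-selection option rather than the all option; the layout that option expects is not described on this page, so confirm it against the utility's own prompts before using it.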


Modifying the offset value

If modifying the offset values is necessary, take a backup of the database before continuing.  From the Operations Console select Maintenance > Backup and Restore > Back Up Now.

  1. Modify the clock offset value listed in the report by selecting the options listed below:
rsaadmin@am82p:/opt/rsa/am/utils> ./rsautil sync-tokens -I
Authenticator Bulk Synchronization Utility 8.1.1.8.0 (1380648)
Copyright (C) 1994 - 2014 EMC Corporation. All Rights Reserved.

Enter the absolute path for the output report file               : /tmp/sync_token.txt
Enter the base security domain name for recursive search [(none)]: <press Enter to select none>
Enter the type of token selection                [ (all) | file ]: <press Enter to select all>
Choose a token filter          [ assigned | unassigned | (both) ]: <press Enter to select both>
What action do you wish to perform?           [ (list) | modify ]: <type modify to select modify>
Enter type of clock offset value  [ absolute | relative | (none)]: <type absolute to select absolute>
Enter clock offset value                                      [0]: <press Enter to select 0>
Do you want to reset the Next Tokencode Mode?             [ y/n ]: y
Do you want to reset the last login date and time?        [ y/n ]: n
Do you want to clear user lockout information?            [ y/n ]: y
Do you want to reset the shutdown date?                   [ y/n ]: n
Enter administrator user ID                                      : <enter the name of a super admin user> 
Enter administrative password                                    : <enter the password for the super admin user> 
Authenticator Bulk Synchronization Utility 8.1.1.8.0 (1380648)
Copyright (C) 1994 - 2014 EMC Corporation. All Rights Reserved
  2. Run the sync-tokens wizard again, using the list action to ensure your modifications were made and are reflected in the output report file.
Notes