How to Disconnect and Reconnect an RSA Identity Router to the RSA Cloud Authentication Service
a year ago
Originally Published: 2025-03-07
Article Number
000064815
Applies To

RSA Product Set: RSA ID Plus
RSA Product/Service Type:

RSA Cloud Authentication Service

RSA Identity Router
Platform: all

Issue

When making certain configuration changes, such as modifying the IP addresses of an RSA Identity Router (IDR) or adding, removing or changing the proxy configuration for the IDR, it is necessary to disconnect the IDR from the RSA Cloud Authentication Service and then reconnect it.

Tasks

Follow the steps below to disconnect and reconnect an RSA Identity Router (IDR) to the RSA Cloud Authentication Service (CAS). The IDR's logs, which include the system and audit logs, are preserved automatically through this process. However, in case a problem occurs, an optional step is included below to back them up.

  1. If you need to configure a proxy server to handle traffic between the IDR and CAS, make sure you have the following information before proceeding:
    1. The proxy's IP address or hostname
    2. The proxy's port number
    3. If the proxy requires authentication, the Proxy Username
    4. If the proxy requires authentication, the Proxy Password
  2. Optional: To save a copy of all logs within the IDR, follow the steps in section "Generate and Download the Identity Router Log Bundle" on page Troubleshooting Identity Router Issues. Store the downloaded Zip file in a safe place in case it is needed later.
  3. If this is the only IDR, and you have applications that use HTTP Federation (HFED), then you should perform an IDR backup before proceeding.  You should already have backups configured, but we recommend also taking a manual backup at this point.  Follow instructions in section "Back Up Now for a Single Cluster" on page Backing Up User Profiles for HTTP Federation Applications.
  4. Disconnect (de-register) the IDR from the Cloud. Instructions are in section "Disconnect an Identity Router" on page Disconnect or Delete an Identity Router.  Do not delete the IDR.
  5. Connect (register) the IDR to the Cloud. Follow the instructions on page Connect the Identity Router to the Cloud Administration Console.
Resolution
Notes
  • If you have other IDRs in your deployment that are configured to take over all authentications for this IDR while this process is being followed, there will be no production outage during this task.
  • Downloading the IDR logs from an IDR saves a copy of the logs to a Zip "bundle" file. The saved bundle logs cannot later be restored to the IDR, so they need to be maintained somewhere else if they may be needed in the future. See Contents of Identity Router Log Bundle.
  • If you do not have applications that use HTTP Federation (HFED), backing up an IDR serves no purpose.  For more information, see Backing Up User Profiles for HTTP Federation Applications.