Update Identity Router Software

SecurID releases identity router software updates periodically. The updates ensure compatibility with new SecurID features and improvements. SecurID supports only the latest version and the previous version of the identity router software, and does not support rolling back updates after they are installed. See the following sections:

Update Schedules

When a new software version is released, SecurID announces the update and schedules a date and time when each cluster in your deployment will automatically install the latest update. SecurID recommends that you allow the update to occur automatically on the default rollout date. Do not perform the update immediately when SecurID makes it available unless your organization has a compelling reason to update as soon as possible. The default date and rollout schedule are published in the Release Notes.

The Identity Routers page lists the software version for each identity router in your deployment and, when a new software version is released, displays UPDATE AVAILABLE status for identity routers that do not have the latest software installed.

Identity routers automatically download and store new update packages as they become available, so download time is rarely a factor when applying an update.

You can also manage updates separately for each cluster in the following ways:

  • Schedule an automatic update to occur at a date and time you select. You can schedule all clusters to update simultaneously, or stagger the updates over a period of time. Use this as the primary method for updating the identity routers in your deployment.

  • Immediately apply the latest update to all identity routers in a cluster containing an UPDATE AVAILABLE identity router

Update Process

During an update, each identity router in the cluster installs the new software in rapid succession. Each identity router continues to authenticate users while waiting to install the update but does not perform authentication while installation is in progress. If a cluster contains only one identity router, user authentication through that cluster is disrupted when the update is installed. Individual identity routers typically take between 10 and 30 minutes to update. The cluster update process assumes updates that take longer than 40 minutes have failed or timed out.

If the first identity router does not update successfully, the cluster update is aborted, and all other identity routers continue to perform authentication using the outdated software version. If the first identity router update succeeds, but a subsequent identity router update is unsuccessful, the cluster update proceeds until all remaining identity routers have either updated, failed, or timed out. If a subsequent identity router takes more than 40 minutes to update, the status of that identity router displays UPDATE AVAILABLE and the cluster update proceeds to the next identity router.

Best Practices

Follow these best practices before updating identity routers.

  • SecurID recommends that you first deploy identity router updates to a test environment. After you have confirmed that updates are operating properly, then migrate the updates to your production environment.

  • Back up the user keychain data from the cluster you want to update.

  • Check the SecurID status page for announcements regarding maintenance downtime for the Cloud Authentication Service. Do not schedule updates during these periods.

  • Verify that all settings in the Cloud Administration Console are configured properly, and that all pending configuration changes are published.

    • Note: Unexpected results can occur if Cloud Administration Console settings are not configured properly prior to the update. Updates cannot be rolled back or reverted.

Update an Identity Router

Perform these steps to schedule an update or perform an immediate update.

Note: SecurID schedules blackout periods during which you are not permitted to schedule or perform updates.

Procedure

  1. In the Cloud Administration Console, click Platform > Clusters.

  2. Next to the cluster you want to update, click the drop-down arrow, and select Update.

  3. In the Start Time section, do one of the following:

    1. To schedule the update to occur at a predetermined date and time, select Later, and specify a date according to the recommended update schedule on RSA Link. Specify the time according to your local time zone.

      2. Note: SecurID recommends scheduling updates during off-peak hours.

    2. To apply the update immediately, select Now.

  4. Depending on your selection, click Save, or click Update Now and confirm the immediate update in the dialog box that appears.

Results

Depending on your selection, the identity routers in the cluster automatically install the latest software version either immediately, or at the specified date and time. For immediate updates, a notification appears when the update begins.

The Identity Routers page of the Cloud Administration Console displays DISTRESSED status for identity routers while they are updating.

Note: Do not reboot identity routers while an update is in progress.

After you finish

After the cluster update completes, if an identity router still displays an UPDATE AVAILABLE status, update the identity router individually from the Identity Routers page. If that update does not succeed, contact SecurID Customer Support.