Article Number
000063939
Applies To
RSA Product Set: SecurID Access
RSA Product/Service Type: Identity Router
RSA Version/Condition: all
Issue
In some circumstances, it may be necessary or advantageous to delete the VM of an RSA Identity Router (IDR), then reinstall it. This article explains how that should be done.
Some examples of situations that may necessitate deleting and reinstalling an IDR are:
- Failed upgrade. If an IDR upgrade keeps failing after repeated attempts, deleting and reinstalling the IDR with the latest IDR version is usually the most expeditious workaround. A failed upgrade most commonly happens if the IDR is running a very old IDR version that cannot be upgraded to the latest version. Only the latest version and the previous version of IDR software are supported.
- Hypervisor hardware failure. If a hypervisor server fails in such a way that the IDR's VM image is destroyed/deleted, the IDR must be reinstalled.
- Accidental deletion of a VM. The IDR VM must be reinstalled.
- Distressed IDR that cannot be recovered. This could occur due to an old IDR version that is no longer supported by the Cloud, or a corrupted IDR image in your hypervisor.
Note that this article does not apply if you want to change a VMware/Hyper-V IDR from one to two network interfaces or vice versa. It is not possible to do that as a configuration change. You would instead have to completely delete the IDR from both the Cloud Administration Console and from the IDR's hypervisor. Then, add it as a new Identity Router with the changed number of network interfaces.
Task
Be sure to follow the steps below in the order shown.
Do not delete the Identity Router's configuration/definition from the Cloud Administration Console.
- If the original IDR's VM is still available and running, take the following backups:
- If you have any IDR-based HTTP Federation applications configured, back up the cluster and make sure you are familiar with the steps to restore a backup.
- If you have other operational IDRs in the cluster, this backup is only a precaution because the data will automatically be replicated to the new IDR instance by the other IDRs in the cluster.
- If it is not an embedded identity router, then save a copy of its Network Settings page.
- You could take a screenshot (making sure you capture the entire page), print the page, or copy and paste the data from the page. Save the backup to a safe place.
- If the IDR's audit or other logs must be retained for future reference, generate and download the IDR's log bundle and save it in a safe place.
- The log bundle cannot be restored to the new instance of the IDR. The downloaded log bundle must be maintained offline.
- To find files in the downloaded log bundle, see Contents of Identity Router Log Bundle.
- Disconnect the current IDR but do not delete it from the Cloud Administration Console.
- If the IDR's VM is still available, shut down and uninstall the VM from your environment using your VMware administration client, Hyper-V Manager or Amazon EC2. If it is an embedded IDR, Remove the Embedded Identity Router from RSA Authentication Manager.
- If the old IDR's VM is left running, or it is accidentally restarted, it will interfere with the registration and operation of the new IDR instance.
- Get the Identity Router's Registration Details:
- Log in to the Cloud Administration Console with a Super Administrator account.
- Go to Platform > Identity Routers, then Edit the Identity Router that you will be reinstalling.
- On the Registration tab, click the Generate Code button.
- Copy the Registration Code and Authentication Service Domain to a location where you can access them when you deploy the new IDR instance.
- If your IDR runs in VMware, Hyper-V or AWS, then open Deploying an Identity Router. Follow steps 3 to 10 only:
- Steps 1 and 2 on that page should not be done, because we will be reusing the existing IDR's Cloud Administration Console configuration.
- At steps 4, 5, 6, 7 and 8 on that page, use the details from the old IDR's backed up Network Settings page from step a above.
- At step 9 on that page, use the saved Registration Details from step c above.
- If it is an Embedded IDR in RSA Authentication Manager, then open Deploy the Embedded Identity Router. Follow steps 2 to 9 only:
- At step 8 on that page, use the saved Registration Details from step c above.
Resolution
After completing the steps listed under Task above, the new instance of your Identity Router should be active and operational.
Notes
SecurID does not support rolling back IDR updates after they are installed.
IDR VM snapshots are supported for a short period only, e.g. as a precaution just before a hypervisor upgrade.
The instructions given in this knowledge base article will destroy all data on the IDR, including all logs and HTTP Federation user profiles. Consequently, the backups recommended in step a above are vital.