What to expect during an RSA SecurID Access Identity Router (IDR)/Cluster software update
3 years ago
Originally Published: 2016-10-07
Article Number
000056799
Applies To
RSA Product Set:  SecurID Access
RSA Product/Service Type:  Identity Router
Issue
As of the Fall 2016 SecurID Access release, on-premise Identity Router (IDR) updates are now managed by the customer as discussed in the documentation entitled Update Identity Router Software for a Cluster

This article describes what you can expect while performing an IDR Cluster software update.
Resolution
  • Each IDR in a cluster will take approximately 10 to 30 minutes to update, depending on the performance of your VMware infrastructure.
  • During an update, the IDR's Platform > Identity Routers status will change from OUT_OF_DATE to DISTRESSED.  The status will change to ACTIVE when the update is complete.  You must refresh the page to see status changes.
  • During an update you cannot select Test or View Log from the Admin Console; nor can you access the IDR Setup Console (a/k/a the setup.jsp). 
  • If you have a high availability cluster with properly configured load balancer and session replication, users may see little or no impact during a software update.  Even with high availability, however, your load balancer needs to detect a pool member being down for some period of time before removing it from rotation, so some users may still be directed to a "down" (updating) IDR during that time, and see an error message.
  • If you have a single IDR environment, then all services will be down during the update.  End-users will need to log in again after the update is complete.
Notes
If an IDR is both OUT_OF_DATE and in DEBUG logging mode, the dashboard IDR update message and IDR list page (Platform > Identity Routers) status will be inconsistent.  If you refresh, the dashboard message may appear or disappear, and the IDR list page will alternate between showing OUT_OF_DATE or DEBUG.
Don't see what you're looking for?