Critical SecureAuth Connector update for SaaS IdP customers
May 25, 2023
In our continuous efforts to improve SecureAuth Cloud Services, as well as improve the performance and reliability of the SecureAuth SaaS Platform, we will be implementing changes to our cloud infrastructure. As a part of this change, SaaS IdP customers will be required to perform the following configuration changes by the dates below to avoid possible service disruption.
Effective June 5, 2023: If you install or update your Connector, you must update outbound firewall rules on your server to allow TCP port 5671 to host name "rabbitmq.secureauth.com".
Effective September 1, 2023: Any SecureAuth Connector not updated before September 2, 2023 will experience a service disruption with authentication requests. You must have all SecureAuth Connectors updated with outbound firewall rules to allow TCP port 5671 to host name "rabbitmq.secureauth.com".
Applies to
SecureAuth IdP releases 19.07 through 22.12, cloud deployments
SecureAuth Connector installed in your on-prem data store server before June 5, 2023
What do I need to do?
Between June 5, 2023 and September 1, 2023, you must reinstall the SecureAuth Connector bundle and change the firewall rule to allow TCP port 5671 to host name "rabbitmq.secureauth.com".
Warning
Reinstalling the SecureAuth Connector requires a restart of the machine. Make sure to set up a maintenance window for this process.
Reinstall the SecureAuth Connector
Open the Identity Platform application.
On the left side of the Identity Platform page, click Data Stores.
The User Data Stores page opens.
To add a Connector, do one of the following:
When there are no connectors installed, click Add Connector.
When at least one connector is installed and you want to add another, click the Open Installer instructions link.
The Connector Installer page opens.
Click the SecureAuth Connector .msi installer link.
The installer file is downloaded and saved to your machine.
To get the configuration files package, click Generate.
This generates the configuration files package. It sends an email with the configuration passcode to the system administrator tasked with setting up the Identity Platform.
Retrieve the configuration passcode from the email.
Open Windows PowerShell with administrative privileges and go to the directory that contains the SecureAuth Connector installer. Then, run the following command:
msiexec /l*v log.txt /package SecureAuthConnectorSetup.msi
The installation process for the SecureAuth Connector opens.
Click Next and accept the terms of the license agreement.
Click Next.
By default, the installation folder is set to
C:\Program Files\SecureAuth Corporation\SecureAuth Connector\
Click Next.
The next page is to specify the location of the generated configuration files.
Browse to the downloaded location of the configuration files package (.zip file) that you generated.
Click Next.
The next page is to enter the configuration passcode.
Enter the passcode from the email and click Install.
Follow the remaining installation prompts to complete the installation and configuration of the SecureAuth Connector. The name of the machine on which the connector is installed is displayed on the Connectors tab.
On the Connectors tab, for the connector you just installed, check the message area for an active connection.
At this point, the connection does a health check to indicate whether it is active and healthy (green status) or is not active (red status).
Optionally, to install another connector on another data store server for redundancy, do the following:
Copy the SecureAuth Connector installer file and generated configuration files package (.zip) to another local data store server.
Open Windows PowerShell with administrative privileges and go to the directory that contains the SecureAuth Connector installer. Then, run the following command:
msiexec /l*v log.txt /package SecureAuthConnectorSetup.msi
Use the same passcode copied from the email.
Tip
You can copy the same bundle to as many different data store servers as you need and reuse the same passcode. However, each time you click Generate from the Connector Installer page, the bundle is the same; the only thing that is different is the passcode.
Ports to open on the Connector machine
After June 5, 2023, when you install or update your SecureAuth Connector, you must update the outbound firewall rule to allow TCP port 5671.
Source | Destination / Hostname | Ports | Notes |
---|---|---|---|
Connector | pkc-4nym6.us-east-1.aws.confluent.cloud | 9092 | Make sure this is on your firewall allow list. |
Connector installed before June 5, 2023 | Allow outbound connection | 443 | Expires September 1, 2023. Traffic from the connector to SecureAuth Cloud using this port will expire on September 1, 2023. Note: If you install or update the SecureAuth Connector after June 5, 2023, you must change the outbound firewall rule to TCP port 5671 (see the next row below). |
Connector installed after June 5, 2023 | rabbitmq.secureauth.com | 5671 | Effective June 5, 2023. Support for AMQP (Advanced Message Queuing Protocol) traffic from the connector to SecureAuth Cloud. |
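
To confirm from the Connector machine that the firewall change took effect, the following check tests the two named destinations in the table above. It is an added example, not SecureAuth code; the function name `Test-ConnectorEndpoint` is hypothetical, and it assumes port 5671 carries AMQP over TLS (5671 is the IANA-registered "amqps" port), so it also attempts a TLS handshake there.

```powershell
# Added example: verify outbound reachability for the destinations in the table.
# Assumption: port 5671 carries AMQP over TLS, so a TLS handshake with default
# certificate validation is attempted there; port 9092 gets a TCP connect only.
$targets = @(
    @{ Host = 'rabbitmq.secureauth.com';                 Port = 5671; Tls = $true  },
    @{ Host = 'pkc-4nym6.us-east-1.aws.confluent.cloud'; Port = 9092; Tls = $false }
)

function Test-ConnectorEndpoint {
    param([string]$HostName, [int]$Port, [bool]$Tls, [int]$TimeoutMs = 5000)

    $result = [ordered]@{ Host = $HostName; Port = $Port; Dns = $false; Tcp = $false; Tls = 'n/a'; Detail = '' }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Resolve first so a DNS failure is reported separately from a blocked port.
        [void][System.Net.Dns]::GetHostAddresses($HostName)
        $result.Dns = $true

        $connect = $client.ConnectAsync($HostName, $Port)
        if (-not $connect.Wait($TimeoutMs)) { throw "TCP connect timed out after $TimeoutMs ms" }
        $result.Tcp = $true

        if ($Tls) {
            # Default validation: the chain must be trusted and the name must match.
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
            try {
                $ssl.AuthenticateAsClient($HostName)
                $result.Tls = 'ok'
                $result.Detail = "Issuer: $($ssl.RemoteCertificate.Issuer)"
            } finally { $ssl.Dispose() }
        }
    } catch {
        if ($Tls -and $result.Tcp) { $result.Tls = 'failed' }
        $result.Detail = $_.Exception.GetBaseException().Message
    } finally {
        $client.Dispose()
    }
    [pscustomobject]$result
}

$report = foreach ($t in $targets) {
    Test-ConnectorEndpoint -HostName $t.Host -Port $t.Port -Tls $t.Tls
}
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Tcp -or $_.Tls -eq 'failed' }) {
    Write-Warning 'At least one Connector destination is not reachable; review the outbound firewall rules.'
}
```

A row with `Tcp` true but `Tls` failed means the port is open but the TLS session could not be validated from this host; the `Detail` column carries the underlying error.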
If you have any questions, contact SecureAuth Support.