Skip to main content

SecureAuth IdP Appliance Certificate Renewal Utility (ACRU)

Introduction

Use this guide to install, run (or update), and confirm the actions of the SecureAuth IdP Appliance Certificate Renewal Utility (ACRU).

The ACRU tool is for use on SecureAuth IdP pre-8.1 appliances to update the Operating System (OS) to support SecureAuth's new SecureAuth IdP SHA256 Cloud Web Service. ACRU updates all of the certificate information to reflect the SHA-2 hashing algorithm and updates the URLs used by the appliance to communicate with the SecureAuth cloud services.

Prerequisites

Warning

Be sure that all of the Prerequisites have been met before installing and running the ACRU.

For any questions regarding the Prerequisites as they pertain to the existing environment, please contact SecureAuth Support.

  1. If SecureAuth IdP is integrated with any VPN or Gateway (Juniper, Cisco, Citrix, F5) using a vendor-specific thick client and a native X.509 personal certificate, then upload the SecureAuth CA Public Certificates to the VPN or Gateway, and all client workstations before running the ACRU.

    If no VPNs or gateways are integrated with SecureAuth IdP, then the ACRU can be utilized immediately.

  2. If any firewalls are in place, open the following ports to enable access to the necessary IP addresses and URLs:

    TCP

    IP

    URL

    TCP 80 and 443

    208.82.207.89

    cloud.secureauth.com / us-cloud.secureauth.com

    TCP 80 and 443

    208.74.31.114

    trx.secureauth.com / us-trx.secureauth.com

    TCP 80 and 443

    146.88.110.112

    cloud.secureauth.com / us-cloud.secureauth.com

    TCP 80 and 443

    146.88.110.114

    trx.secureauth.com / us-trx.secureauth.com

    TCP 80 and 443

    162.216.42.110

    cloud.secureauth.com / us-cloud.secureauth.com

    TCP 80 and 443

    162.216.42.111

    trx.secureauth.com / us-trx.secureauth.com

    TCP 443

    See SecureAuth cloud services

    us-audit.secureauth.com

    TCP 443

    See SecureAuth cloud services

    us-audit.secureauth.com

  3. Contact Support to download the SecureAuth IdP Appliance Certificate Renewal Utility file.

    The name, size, and hash of this file is:

    • Filename: SecureAuthApplianceCertificateRenewalUtility.msi

    • Filesize: 856 KB (876,544 bytes)

    • MD5 hash: c15520a622ae207e07be3f67a9ce4535

Installing ACRU

To install ACRU, perform the following steps.

  1. Locate and double-click to open the downloaded ACRU file, SecureAuthApplianceCertificateRenewalUtility.msi.

    35456217.png
  2. Click Run to open the file.

    35456218.png
  3. Once the ACRU Installation Wizard opens, click Next.

    35456219.png
  4. Leave the fields at their default values and click Next.

    35456220.png
  5. Click Next to confirm the installation.

    35456221.png

    The installation runs.

  6. Once the installation is complete, click Close.

    35456222.png
  7. Proceed to the next section, Running ACRU.

Running ACRU

Once you have installed ACRU, perform these steps to run it.

  1. Locate the ACRU Tool in Drive-C > Program Files (x86) > SecureAuth > ApplianceCertRenewalUtility.

    35456223.png
  2. Double-click to open the SecureAuth.Tool.ApplianceCertRenewUtility.exe file.

  3. Once the ACRU Update Wizard opens, leave the configurations at their default values and click Start.

    35456224.png

    Note

    Select the Through importing a PFX file option only if explicitly instructed to do so by SecureAuth. Otherwise, leave default the Through submitting a Certificate Signing Request option.

    If a proxy is configured on the SecureAuth IdP appliance, click Proxy Settings before proceeding and perform the steps described in Proxy Settings.

  4. Wait for the ACRU Tool to update.

    35456227.png

    A Reset IIS prompt may appear; if so, click Yes to reset IIS.

    35456228.png
  5. Once the ACRU updates are complete, click Close.

    35456229.png
  6. Start your browser and click the SecureAuth Admin bookmark.

  7. On the initial screen, click Update WebConfig.

    35913838.png
  8. Click Update and review the Results list. Once you've finished reviewing this list, click Update Complete.

    35913839.png

    Warning

    For SecureAuth IdP versions 8.0.0 and earlier, the Transaction (Trx) Log URL must be modified to avoid license errors.

    See SecureAuth IdP Web Admin- System Info below for more information.

Confirming changes to the appliance operating system

Once the installation and update has been completed, confirm that the changes have been applied to the appliance's OS. These changes include:

Certificates Console

In the Certificates Console, double-click to open the SecureAuth G3 certificate.

35456230.png

Old SHA-1 certificates may still be present in the Certificates Console, so make sure to select the correct one. To do this, enter the Certificate Details page and examine it for old SHA-1 certificates as described below.

SecureAuth IdP Web Admin - System Info

In the SecureAuth IdP Web Admin, select the System Info tab and make sure the URLs in the WSE 3.0 / WCF Configuration section are updated to properly communicate with the SecureAuth cloud services.

35456232.png

Warning

For SecureAuth IdP versions 8.0.0 and earlier, examine the Admin Realm (SecureAuth0) attributes to make sure:

  • If True is selected from the Trx Use WSE 3.0 option list, make sure the Trx Log Service URL field is set to http://cloud.secureauth.com/trxservice/trx.svc/msg.

  • If False is selected from the Trx Use WSE 3.0 option list, set the Trx Log Service URL field to https://cloud.secureauth.com/trxservice/trx.svc.

If a proxy is already configured on the appliance, the WSE 3.0 option list and URLs are updated accordingly.

Refer to Web Proxy Server Configuration Guide for more information.

Warning

SecureAuth recommends that you select False from the Trx Use WSE 3.0 option list, and set the Trx Log Service URL field to https://cloud.secureauth.com/trxservice/trx.svc to utilize HTTPS encryption rather than Message Level Encryption (msg).

Related Documentation

  • SecureAuth cloud services

  • SecureAuth SecureAuth ACRU Lite