SecureAuth IdP cloud services communication protocol deprecation

Updated: March 25, 2021

In an effort to improve and modernize SecureAuth cloud services, as well as improve the performance of the SecureAuth IdP appliances, we are phasing out a legacy protocol used to communicate with SecureAuth cloud services, effective January 1, 2021.

What exactly needs to be changed?

In the Admin console, go to the System Info tab of each realm. The WSE 3.0 / WCF Configuration section contains URLs that connect the realm to SecureAuth cloud services.

If any URLs are HTTP, then you must update the URLs and the WSE setting.

The SecureAuth cloud services documentation page lists the recommended URLs and configuration settings. In short, set all URLs to HTTPS and remove the /msg suffix.

For example, if your SMS service is set to use Message level encryption, the existing URL might look like this:

http://us-cloud.secureauth.com/SmsService/SMS.svc/msg

Change it to the new URL:

https://us-cloud.secureauth.com/SmsService/SMS.svc (change to https and remove the /msg)

The Use WSE field setting for all URLs must be set to False when the URL is changed from HTTP to HTTPS.

Change the certificate URL

Existing certificate URL:

https://us-cloud.secureauth.com/CertService/Cert.svc

Change to:

https://us-certs.secureauth.com/CertService/Cert.svc

If you are using https://nge-cloud.secureauth.com/CertServiceRSA/Cert.svc, there is no need to make a change.
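The checks described above can be scripted. The following is an added example, not SecureAuth code or part of the hotfix: it scans any text for SecureAuth cloud URLs that still use HTTP, the /msg suffix, or the old certificate host, and prints the recommended replacement. The function name, the labels in the sample input, and the output property names are assumptions made for illustration.

```powershell
# Added example: flag SecureAuth cloud service URLs that still use legacy settings.
# The rules come from this page; the sample input at the bottom is constructed.
function Get-LegacyCloudUrl {
    param([Parameter(Mandatory)][string]$Text)

    # Any URL on a secureauth.com host, read up to whitespace, a quote or an angle bracket.
    $pattern = '(?i)\bhttps?://[a-z0-9.-]+\.secureauth\.com/[^\s"''<>]*'

    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $url    = $m.Value
        $fixed  = $url
        $issues = @()

        if ($fixed -match '^http://') {
            $issues += 'uses HTTP (switch to HTTPS and set Use WSE to False)'
            $fixed = $fixed -replace '^http://', 'https://'
        }
        if ($fixed -match '/msg/?$') {
            $issues += 'has the /msg suffix'
            $fixed = $fixed -replace '/msg/?$', ''
        }
        # The certificate service moves from us-cloud to us-certs.
        if ($fixed -match '^https://us-cloud\.secureauth\.com/CertService/Cert\.svc$') {
            $issues += 'uses the old certificate host'
            $fixed = 'https://us-certs.secureauth.com/CertService/Cert.svc'
        }

        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                Current     = $url
                Issues      = $issues -join '; '
                Recommended = $fixed
            }
        }
    }
}

# Constructed sample: URLs as they might be copied from a realm's System Info tab.
$sample = @'
SMS:        http://us-cloud.secureauth.com/SmsService/SMS.svc/msg
Cert:       https://us-cloud.secureauth.com/CertService/Cert.svc
Cert (RSA): https://nge-cloud.secureauth.com/CertServiceRSA/Cert.svc
'@

Get-LegacyCloudUrl -Text $sample | Format-List
```

To check a realm after the change, pass the contents of its web.config (for example, read with Get-Content -Raw) as the -Text argument; an empty result means none of the three legacy patterns remain.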

What are the considerations?

Make sure you have outbound firewall or proxy rules that allow for HTTPS communication on port 443 to the following IP addresses:

As with any change to a mission-critical production system, take a snapshot or other backup before making the changes. If you have a non-production test SecureAuth IdP appliance, make the changes on that system first, and thoroughly test before changing your production system.

After making all the changes, test every service on each realm, such as SMS and Push, to make sure the new URLs are correctly entered and functioning as expected.

How long will it take to make these changes?

It should only take a few minutes for the hotfix installer to run and update the configurations on each realm. You will need to run the hotfix installer on every SecureAuth IdP appliance. Testing time is commensurate with your unique configuration.

What will happen if I don’t change these settings?

At some point, shortly after January 1, 2021, we will disable the endpoints listening on port 80 for message level requests. This will result in any requests to the SecureAuth cloud (such as SMS) failing and impacting your users.

Hotfix installer

SecureAuth has a hotfix installer to automatically update the configuration with the changes described above to each realm on your SecureAuth IdP appliance. To use the hotfix, go to the Installation section to download and install the hotfix.

Scope

This hotfix is not cumulative, and only addresses the SecureAuth IdP cloud services communication protocol. This hotfix does not include any other changes. The change only updates the URLs and connection settings used by the SecureAuth IdP appliances to communicate with SecureAuth cloud services.

Version support

The hotfix update applies only to SecureAuth IdP product versions 9.3 and earlier.

Installation

We recommend installing the hotfix on the server when it is offline / out of service. However, you can technically run the hotfix on a live server.

  1. Click and download the SecureAuthCloudUpdate executable file.

  2. Place the file on the D: drive of your SecureAuth IdP appliance.

  3. Right-click the file and go to Properties.

  4. On the General tab, at the bottom right, select the Unblock check box and click OK.

    If you do not see an Unblock check box, this means that the file is already unblocked.

  5. Recommended: Take a snapshot of the SecureAuth IdP appliance.

  6. Run the SecureAuthCloudUpdate executable file as an Administrator.

    The application will ask you to install the hotfix and typically completes within 30 seconds.

    A message displays indicating when the installation is complete.

    A reboot or IISRESET is not required.

  7. Test your applications, and then put the server back into production.

  8. Do one of the following:

    • You have FileSync installed: You only need to run this on your primary appliance. After the sync, check that the web.config files on your secondary appliance match those on your primary appliance.

    • You do not have FileSync installed: Repeat the steps above for all servers in your farm.

Troubleshooting

If you have any issues, please contact SecureAuth Support.

Rollback

If, for any reason, you want to roll back this hotfix, there are two ways to do this:

  • Option 1: Revert to your snapshot (see step 3 in the Installation section).

  • Option 2: Rerun the hotfix installer (see step 4 in the Installation section), and click Revert Backup.