What is Impacted:
- Generic Cloud Administration Console URLs
- Generic Cloud Administration API URLs
- Generic 3rd Party IdP Assertion Consumer Service (ACS) URLs
- Generic 3rd Party IdP Sign-in URLs
- Firewall Allowlists where generic URLs are in use
What is Not Impacted:
- The registration URL, My Page URL, and Authentication API REST URL remain the same.
- Environments that were set up from December 5, 2024 onwards.
Where it is Impacted:
- Saved bookmarks to Cloud Administration Console
- Authentication Manager Security Console “RSA Cloud Authentication Service Configuration” settings.
- Tools or scripts that use Cloud Administration APIs:
- RSA Prime (AMIS)
- ITSM or IGA tools that perform administrative tasks
- SIEM tools that collect log messages via API
- Third-Party IdP usage with:
- Cloud Administration Console
- Firewall allowlists for communication between IDR and CAS
Planning Steps:
- Determine all the locations where you need to update once you have your tenant-specific URLs and/or new Admin API key(s).
- Using the tenant-specific URL, update all areas that use the admin URL.
- Regenerate the API key for any Admin API updates.
- Update the API key in any Admin APIs.
- Firewall Allowlist update
Note: There are no dependencies in order of execution except for where you are traversing a firewall with an allowlist. Coordinate those with firewall permissions updates.
Determine if You Need to Make an Update:
Check your potentially impacted configurations/integrations, tools, scripts, and bookmarks for usage of the generic non-tenant specific URLs. If you have URLs that are formatted like ones in this section, they must be reconfigured to use tenant-specific URLs.
Generic URL formats and examples (See 'Generic URL "{region}" and "{-region}" mappings' chart below for region mappings):
Cloud Administration Console URL
https://{region}.access{-region}.securid.com
Example: https://na2.access.securid.com
Cloud Administration API Endpoint
https://{region}.access{-region}.securid.com/AdminInterface/restapi
Example: https://access-anz.securid.com/AdminInterface/restapi
3rd Party IdP Assertion Consumer Service (ACS) URL for Cloud Administration Console access
https://{region}.access{-region}.securid.com/AdminInterface/saml/acs/{tenant-name}
Example: https://eu2.access-eu.securid.com/AdminInterface/saml/login/mycompany
3rd Party IdP Sign-in URL for Cloud Administration Console access
https://{region}.access{-region}.securid.com/AdminInterface/saml/login/{tenant-name}
Example: https://access-in.securid.com/AdminInterface/saml/login/mycompany
Generic URL "{region}" and "{-region}" mappings:
| Deployment Region | "{region}" in URLs | "{-region}" in URLs |
| NA1 (US) | blank | blank |
| NA2 (US) | na2 | blank |
| NA3 (US) | na3 | blank |
| NA4 (US) | na4 | blank |
| EU1 (EMEA) | blank | -eu |
| EU2 (EMEA) | eu2 | -eu |
| CA (Canada) | blank | -ca |
| ANZ1 (ANZ) | blank | -anz |
| ANZ2 (ANZ) | anz2 | -anz |
| IND (India) | blank | -in |
| JP (Japan) | blank | -jp |
| SG (Singapore) | blank | -sg |
Firewall Allowlist
Log in to the Cloud Administration Console and navigate to Platform → Identity Router. Expand the Identity Router section to view the Status Indicators.
Within the Software Update Service / Adapter Update Service Status Indicator, you will find three statuses:
- The first two check the Identity Router's connectivity using region-specific URLs.
- The newly added third status, "Company Specific URL", verifies connectivity using the company-specific URL.
If the Company Specific URL status is unhealthy, review your firewall rules and ensure the company-specific URL is added to the allow-list.
RSA Identity Router (IDR) connection to Cloud Access Service (CAS) for Software and Adapter Update:
RSA needs customers to allow region specific *.auth{-region}.securid.com and *.access{-region}.securid.com traffic in the firewall for IDR and CAS updater communication. However some customers allow the actual URLs, and they need to allow new URLs in case they have done so. There is no impact to customers who have allowed region specific *.auth{-region}.securid.com and *.access{-region}.securid.com traffic in firewall.
Software Update Repository URL format: https://public-apprepo-{tenant-name}.access{-region}.securid.com/
Adapter Update Repository URL format: https://public-connectorrepo-{tenant-name}.access{-region}.securid.com/
Company specific URL format : https://{tenant-name}.access{-region}.securid.com
or
FedRAMP Company specific URL format : https://{tenant-name}.access.securidgov.com
Complete list of regions for reference:
| Deployment Region | What to use for "{-region}" in URLs |
| NA1 (US) | Keep blank |
| NA2 (US) | Keep blank |
| NA3 (US) | Keep blank |
| NA4 (US) | Keep blank |
| EU1 (EMEA) | -eu |
| EU2 (EMEA) | -eu |
| CA (Canada) | -ca |
| ANZ1 (ANZ) | -anz |
| ANZ2 (ANZ) | -anz |
| IND (India) | -in |
| JP (Japan) | -jp |
| SG (Singapore) | -sg |
Authentication Manager Security Console:
Note: If you are on AM 8.7 SP2 Patch 5 or later, we RSA make this update. If the update fails, an error message will display in the Security Console. You will then need to manually update Authentication Manager’s connection to the Cloud Authentication Service using the steps below. If you are on a version of AM prior to 8.7 SP2 Patch 5, you will need to manually update this connection.
- Sign in to the Security Console and browse to > Authentication Settings > RSA Cloud Authentication Service Configuration.
- View Help Desk Administration REST URL. If it is using the generic Cloud Administration API format, then it must be updated.
- To update:
- Login to the Cloud Administration Console
- Navigate to Platform->Authentication Manager
- Select the Access Policy that controls which methods Authentication Manager can use. If unsure, you can view which policy is currently in place in the AM Security Console “RSA Cloud Authentication Service Configuration” section.
- Generate a new Registration Code and make note of it
- Select the policy used in AM.
- Click Generate Code.
- Make note of the Registration URL.
-
- In the AM Security Console, browse to Setup > System Settings > RSA Cloud Authentication Service Configuration.
- Paste the Registration Code and URL from the previous step and click “Connect to the RSA Cloud Authentication Service”.
Cloud Administration Console:
The Admin URL does not display anywhere in CAS. Make sure you have checked and updated any bookmarks or saved locations. Should you need to determine what yours is, use the following as a guide.
Tenant specific - https://company.access{-region}.securid.com where “company” is the name of your tenant.
Generic - https://{region}.access{-region}.securid.com.
See 'Generic URL "{region}" and "{-region}" mappings' chart above for region mappings.
If you do not know your tenant ID, please contact Support.
Admin APIs:
- Generate a New API Key File.
- Login to CAS Admin Console
- Navigate to Platform -> API Key Management -> Legacy Clients
- Regenerate
- Use the new downloaded API Key to update any Admin APIs in use (examples Prime, IGA, SIEM, ITSM, scripts)
Note: Once you regenerate the key file from Admin Console, previously generated/used key will be invalidated.
Code and/or Configuration Files:
Prime (If Prime is configured with the Cloud Authentication Service)
Review your Prime configuration file(s) (get exact name and location) for use of a generic admin URL, typically:
Linux: /opt/rsa/primekit/configs/amis/tomcat-amis/config.sh
Windows: Run c:\ rsa\primekit\configs\amis\tomcat-amis\tomcat-amisw.exe and open the “Java” tab.
Additionally, c:\rsa\primekit\configs\amis\tomcat-amis\config.bat (if file exists—not all Prime deployments have this file.)
Update the Prime configuration file(s) with the updated tenant-specific URL and Admin API key:
Linux
- Add new Admin API key to /opt/rsa/primekit/configs/amis directory
- Navigate to config.sh location, typically:
/opt/rsa/primekit/configs/amis/tomcat-amis - vi config.sh
- Modify line:
- export CATALINA_OPTS="$CATALINA_OPTS '-Dmobile.admin.endpoint=https://yoururl.access{-region}.securid.com'"
- Modify line:
- export CATALINA_OPTS="$CATALINA_OPTS '-Dmobile.admin.key=your-admin-api.key'"
- Restart AMIS
- service tomcat-amis restart
Windows
- Add new Admin API key to c:\rsa\primekit\configs\amis\ directory
- Run tomcat-amisw.exe, typically found in c:\ rsa\primekit\configs\amis\tomcat-amis\
- Click on the “Java” tab.
- Modify the entries:
- Dmobile.admin.endpoint=https://yoururl.access{-region}.securid.com
- Dmobile.admin.key=your-admin-api.key
- Click “OK”
- If config.bat file exists (not all Prime deployments have this file), typically found in c:\rsa\primekit\configs\amis\tomcat-amis\, open the config.bat file in Notepad++ and modify the entries noted above
- Restart the Apache Tomcat-AMIS service
Firewall Allowlist
Allow company specific URL(s) if firewall allowlist has specific Generic URLs now. There is no impact if *.auth{-region}.securid.com and *.access{-region}.securid.com are allowed.
Third-Party IDP
If a SAML third-party Identity Provider (IdP) is set up for logging into the Cloud Administration Console, it is essential to ensure that both the Sign-In URL and the Assertion Consumer Service (ACS) URL are configured to use the company-specific URLs on the IdP side. If they are not currently configured this way, please make the necessary updates. To find your company-specific Sign-In URL and ACS URL, go to My Account > Company Settings > Sessions and Authentications in the Cloud Administration Console. Refer to the following screenshot:
Copy the Sign-In URL and ACS URL from this and configure it accordingly on the IdP side.
