Security update for connectors

Enterprise Application Access allows in-place patches for your connectors when there are security vulnerabilities.
You can apply these in-place patches between Enterprise Application Access releases when there are security vulnerabilities that require kernel updates.

You get an alert when a connector's operating system has vulnerabilities. You can apply security patches with minimal downtime, thereby improving productivity for users. You can pick off-peak hours that work best for your organization. If any failures are encountered during the upgrade, you can contact support. During the upgrade, the connector cannot serve traffic. To minimize interruption, Enterprise Application Access automatically chooses alternative connectors available for each application, if they have been configured.

If you have a second connector that is associated with the applications and directories, it can be used as a backup while the security upgrade is completed for the connector with the security vulnerability.

An EAA connector in operation can be in these states:

| Connector state | Description |
| --- | --- |
| Connector is running, Status: Ready | The connector is running fine. No security vulnerabilities are present. |
| Security update available | The connector has a security vulnerability. Click the arrow to open the Security Updates panel. |
| Connector is running (Up to date) | The connector is running fine. A previous update was successfully installed. It does not have any vulnerabilities. |
| Connector is running (Update failed) | The connector is running, but it has vulnerabilities. A previous update has failed. Re-run the security update to fix the vulnerability. If the problem still persists, contact support. |
| Status: Unreachable | The "Connector is unreachable" error message means that there are network problems that do not let the connector establish a connection to the Enterprise Application Access Cloud. |
| Status: Created | The connector has been created. Click Download Template to download the connector template. |
| Status: Created, Template expired | The connector expires if you don't deploy it within 30 days. This connector should be deleted. |
| Check back later. Status: Processing... | It may take some time for a connector to be generated. Check back on the connector after a few minutes. |
| Status: Checked in | The connector has been checked in. Click the hand icon, then click Approve to approve the connector and run it. |

Update connectors for security vulnerability

When you log in to the Enterprise Center, if there are security vulnerabilities in the existing connectors, you get this alert message:

ACTION Required: Mandatory connector upgrade for the following connectors. **Connector-name-1**, **Connector-name-2**

You can click on the Connectors that need an upgrade to see all the connectors that need to be updated in your environment to mitigate security vulnerabilities. You can see the connector state, applications and directories using this connector on the connectors list page.

To keep downtime minimal, find a time that is best for your organization, when the fewest users are using the applications. You might also want to first update the connectors that have the least number of applications and directories associated with them, and then perform the update on other connectors.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Clients & Connectors > Access and Identity Connectors.
    All of the connectors configured in your account are shown. Start with the connector that has the least number of applications and directories associated with it for least downtime.

  3. Hover over each of the connectors. Connectors that need security updates are indicated by the Security Updates Available icon. Click it.

  4. In the Security Updates panel, you can see the number of security updates that need to be performed. Click Show packages to see all the packages that are upgraded and their exact versions.

    Note: You cannot choose which packages should or should not be updated. Also, when the connector goes down, if you have another connector for high availability, then the application and directory traffic is served by the other connector.

  5. Click Start security update.
    A warning notifies you about the downtime and suggests picking the right time for the update (outside of office hours).

  6. Click Continue.
    When the update finishes, a success message appears. Connector status changes from Updating to Connector is running (Up to date).

  7. If you get Connector is running (Update failed), run the security update again.
    If the problem persists, contact support.

  8. Repeat these steps for the next connector that has the security vulnerability, until all of the connectors are upgraded in your environment. You can update the connectors in parallel if they are independent and associated with another application.
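
The ordering advice in this procedure can be worked out ahead of the maintenance window. The following is an added example, not Akamai code and not an EAA API: it plans update waves from a constructed inventory with hypothetical connector, application and directory names, and it assumes that "independent" means two connectors share no application or directory.

```python
from collections import defaultdict

# Constructed inventory (hypothetical names), as it could be transcribed by hand
# from the connectors list page: update state plus associated apps/directories.
INVENTORY = {
    "conn-a": {"needs_update": True,  "resources": {"app-wiki"}},
    "conn-b": {"needs_update": True,  "resources": {"app-wiki", "app-hr", "dir-ad"}},
    "conn-c": {"needs_update": True,  "resources": {"app-crm", "dir-ldap"}},
    "conn-d": {"needs_update": False, "resources": {"app-hr", "dir-ad", "app-crm"}},
}

def plan_waves(inventory):
    """Group connectors that need updates into waves that can run in parallel.

    Connectors with the fewest associations are scheduled first. Two connectors
    share a wave only if they serve no common application or directory
    (assumed meaning of "independent"), so a resource with a second connector
    always keeps one connector serving traffic.
    """
    pending = sorted(
        (name for name, c in inventory.items() if c["needs_update"]),
        key=lambda n: (len(inventory[n]["resources"]), n),
    )
    waves = []
    for name in pending:
        res = inventory[name]["resources"]
        for wave in waves:
            if all(res.isdisjoint(inventory[m]["resources"]) for m in wave):
                wave.append(name)
                break
        else:  # overlaps with every existing wave: start a new one
            waves.append([name])
    return waves

def resources_without_backup(inventory):
    """Map each connector needing an update to the resources only it serves."""
    served_by = defaultdict(set)
    for name, c in inventory.items():
        for r in c["resources"]:
            served_by[r].add(name)
    result = {}
    for name, c in inventory.items():
        alone = sorted(r for r in c["resources"] if served_by[r] == {name})
        if c["needs_update"] and alone:
            result[name] = alone
    return result

if __name__ == "__main__":
    for i, wave in enumerate(plan_waves(INVENTORY), 1):
        print(f"wave {i}: {', '.join(wave)}")
    for conn, res in resources_without_backup(INVENTORY).items():
        print(f"{conn}: no backup connector for {', '.join(res)}")
```

Resources reported by `resources_without_backup` are unavailable for the whole update of that connector, so those updates are the ones to place in off-peak hours.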

For automatic updates to connectors from the EAA connector repository, see Self-upgrade of EAA connectors.