
Community Manager

[ACTION REQUIRED] Maintenance to Implement Security Services (August 2014)

 


 

Action is required on your part prior to August 23rd 2014 to ensure you do not experience any disruption in service.

 

Zuora understands that security is of the utmost importance to our customers and in order to increase the security of the Zuora platform, we will be conducting maintenance to implement the following changes:

  1. Akamai Web Application Firewall and Web Application Accelerator services

  2. Verisign Extended Validation (EV) SSL certificates for the Production environment

 

What changes will be implemented during this maintenance?

Zuora will be conducting a "zero downtime deployment" maintenance in the Production environment to implement the following two changes:

  1. Implement a new pool of web servers at Akamai.

  2. Implement new EV SSL Certificates for the following production sites:

    1. zuora.com

    2. www.zuora.com

    3. api.zuora.com

    4. static.zuora.com

What are the benefits of these changes?

  • The implementation of Akamai Web Application Firewall and services will extend web application protection services to a proven, secure, and scalable platform.

  • The implementation of Verisign Extended Validation (EV) SSL certificates will support Zuora’s efforts to combat phishing on our websites.  The Extended Validation SSL certificate will allow customers to easily distinguish Zuora’s websites from potentially malicious sites by displaying a distinctive color, usually green, in the browser address bar.  These types of certificates are commonly used on websites of major banks and shopping sites.

 

When will these changes take effect?

  • For the Production environment, the change will occur on August 23rd, 2014 between 12:00 PM and 2:00 PM Pacific Time.  This is a zero downtime deployment, therefore there is no expected service interruption.

 

How will this change impact me?

You may be impacted by these changes for any of the following reasons:

  • If your systems whitelist outbound network access to Zuora web servers, you must change the IP addresses to include the IP addresses listed below. Otherwise your systems will be unable to establish a connection to the Zuora system.

  • If your application relies on hardcoded IP addresses to communicate with the Zuora system, you should reconfigure your system to use DNS for IP lookup of www.zuora.com, zuora.com, api.zuora.com and static.zuora.com.   For proper operations, the DNS servers utilized should respect DNS TTL settings.

  • If your systems require Verisign Root Certificates to be trusted, and you do not already have Verisign Root Certificates imported into the trusted CA stores used by your applications, you must import these certificates properly.
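
A pre-flight check for the three impact cases above, as an added example that is not part of Zuora's notice: it compares the addresses DNS currently returns for the four hostnames against an egress allowlist, and reports whether each host's certificate chain validates against a CA store. The function names and the sample allowlist are assumptions of this example; only the hostnames come from the notice.

```python
import ipaddress
import socket
import ssl

# Hostnames named in the notice; everything else here is an assumption of this example.
HOSTS = ["zuora.com", "www.zuora.com", "api.zuora.com", "static.zuora.com"]
# Constructed sample (documentation range); replace with your firewall's egress rules.
SAMPLE_ALLOWLIST = ["203.0.113.0/24"]

def resolve_ipv4(host):
    """IPv4 addresses the configured resolver returns for host right now."""
    infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def audit_allowlist(hosts, allowlist, resolver=resolve_ipv4):
    """Return {host: [problems]} for hosts whose resolved addresses the allowlist misses."""
    nets = [ipaddress.ip_network(cidr, strict=False) for cidr in allowlist]
    gaps = {}
    for host in hosts:
        try:
            addrs = resolver(host)
        except OSError as exc:  # socket.gaierror is an OSError
            gaps[host] = [f"resolution failed: {exc}"]
            continue
        missing = [a for a in addrs
                   if not any(ipaddress.ip_address(a) in n for n in nets)]
        if missing:
            gaps[host] = sorted(missing, key=ipaddress.ip_address)
    return gaps

def tls_trust_status(host, cafile=None, timeout=5):
    """'trusted', 'untrusted' or 'unreachable' for host:443 against a CA store.

    cafile=None uses the system store; pass your application's CA bundle to test that.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "trusted"
    except ssl.SSLCertVerificationError:
        return "untrusted"
    except OSError:  # blocked egress, DNS failure, timeout or other handshake error
        return "unreachable"

if __name__ == "__main__":
    for host, problems in audit_allowlist(HOSTS, SAMPLE_ALLOWLIST).items():
        print(f"{host}: not covered by allowlist -> {problems}")
    for host in HOSTS:
        print(f"{host}: TLS {tls_trust_status(host)}")
```

An "unreachable" result from a host behind the egress firewall, combined with a gap reported by `audit_allowlist`, points at the allowlist rather than the CA store.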

 

Please note that Zuora Callout Notifications are not affected by this change.

 

What action must I take?

You must complete the following two actions before the scheduled maintenance release date of August 25th to avoid any potential service disruption.

 

Step 1: Download and install Verisign Root Certificates

If your systems check client certificates and require that Verisign Root Certificates be imported into your application’s trusted CA stores, you must download the Verisign Root Certificates and install them appropriately on your systems.  

 

Note that if you updated your trusted CA stores when you first integrated with Zuora, this step is required for you.

 

Follow these steps to download the Verisign Root Certificates:

  1. Go to the FAQ below.

  2. Click the “Download Verisign Root Certificates” link.

  3. Import these certificates into your trusted CA store based on your system parameters.

 

Step 2: Modify network access policies

If your systems whitelist outbound network access to Zuora services, you must modify your network access policies to allow access to the IP addresses specified below.

 

Note: As a part of the Akamai service, IP addresses will be changed on an annual basis.  We will send proper communication at least one month in advance when IP address whitelists need to be updated.  

 

  • For the Production environment, whitelist the following IPs.  These IPs are available for testing on July 25th, 2014 at 12:00 PM, Pacific Time.


 

What can I do in advance to prepare?

If you would like to perform a non-service-impacting test against our new configuration before the scheduled maintenance, go to the FAQ below for instructions.  A successful test will provide assurance that your applications will continue to connect to Zuora services without impact after the maintenance completes.  

 

The IP addresses for the Production environment will be available for testing on July 25th, 2014 at 12:00 PM.  

 

What happens if I take no action?

If you take no action, your systems may be unable to connect to the Zuora system after these changes are implemented. Please discuss these changes with your IT administrators to ensure you take the appropriate actions.

 

Where can I find more information?

Additional information on this maintenance can also be found in the FAQ below.

 

Zuora Customer Support is readily available to answer any additional questions you may have.  Please contact us at +1-650-779-4993 or at support@zuora.com.

 

Best Regards,

Zuora Customer Support

 

 


