Symantec Access Management

I am confused with documentation regarding parallel upgrade procedures. documentation talks about duplicating the policy store instance for ADLDS based policy store where are the instructions for duplicating the policy store? Can we do xpsexport / xpsimport?

Hi Milind,

The screenshot that you provided is for parallel upgrade from 12.x to 12.6

As you are in R12.52SP1, you can refer to migration upgrade which you can find the reference as below:

https://docops.ca.com/ca-single-sign-on/12-6-01/en/upgrading/migration-upgrade-from-r12-5x

You don't have to duplicate the instance as 12.6 policy server can communicate with 12.5x policy store while you perform upgrade of policy server.

In general, migration upgrade involved:

1. Correct policy store integrity errors before migrating.
2. Upgrade an r12.5x Policy Server to 12.6.01.
3. Upgrade the remaining r12.5x Policy Servers 12.6.01.
4. Upgrade the r12.5x policy and key stores to 12.6.01.
5. Upgrade the r12.5x Administrative UI.

Hope this helps.

Regards,

Kar Meng

I am so sorry, I always mix migration and parallel. yes I was inquiring about parallel upgrade because trying to figure out when exactly I am suppose to import old policy.xml or how to duplicate policy store. We are trying to move from existing windows 2008 (32 bit) to windows 2012 r2 (64 bit) servers.

Hi,

If I understood correctly, you want to know when or how do you duplicate the Policy Store in a parallel upgrade, right?

Actually in a parallel migration the Policy Store can be duplicated in both ways, or replicating the data directly on the store side (like duplicating the database for the new environment) or by exporting/importing the data as you pointed in your first message, using the XPSExport and XPSImport tools.
So initially you install the new environment (Policy Servers, etc) with an empty initial Policy Store (as installed from scratch), and then you export the Policy Store from the old environment, and import it in the new one, or as the R12.6.01 guide says, you configure an existing Policy Store (after you duplicated it through the native tools on your store database/server).

In both cases you would need to ensure data health during migration as covered in the documentation you shared. Actually, there is a full procedural guide at the following location:
https://docops.ca.com/ca-single-sign-on/12-6-01/en/upgrading/parallel-upgrade-from-12-x/install-and-configure-the-12-6-01-parallel-environment
https://docops.ca.com/ca-single-sign-on/12-6-01/en/upgrading/parallel-upgrade-from-12-x/correct-policy-store-integrity-errors-optional/

Find a short description of the full process under "Parallel migration", showing when to import data at:
https://docops.ca.com/ca-single-sign-on/12-6-01/en/upgrading

The steps in the R12.6.01 guide focus more on replicating the data between environments instead exporting/importing as you can work directly over the same data, but you could migrate data using XPSExport and XPSImport as noted in R12.52 SP1 guide:
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/upgrading/parallel-upgrade-from-12-x/move-12-x-policy-store-data-to-the-12-52-sp1-environment

The steps shown for CA Directory can be an example on how to proceed when duplicating the store:
https://docops.ca.com/ca-single-sign-on/12-6-01/en/upgrading/parallel-upgrade-from-12-x/duplicate-an-existing-policy-store-instance

I hope it helps,

Albert.

Hi Minind,

Thanks for your update. From 12.52SP1 to 12.6, we use migration instead of upgrade. There is no way for you to upgrade from current OS (12.52SP1 in Win 2008) to new OS (12.6 in Win2012).

As you want to move the policy server OS from existing windows 2008 (32 bit) to windows 2012r2 (64 bit), you need to install the 12.6 policy server on win 2012 box. 12.6 policy server can communicate with 12.52SP1 policy store.

If you concern about policy store upgrade, I would suggest to create new policy store instance and follow installation document (if LDAP -> Chapter 6: Configuring LDAP Directory Servers to Store CA SiteMinder® Data, if ODBC -> Chapter 7: Configuring CA SiteMinder® Data Stores in a Relational Database) to Import the Policy Store Data Definitions, default policy store objects. Once the 12.6 policy store created, you can perform xpsimport by pointing to the xml file that generate via xpsexport on 12.52SP1 environment.

In this way, you keep the existing policy store (12.52SP1) and have a new policy store instance (12.6) for you to test if anything goes wrong on 12.6 setup. The advantage is you can always switch it back to old policy store (12.52SP1) if something goes wrong at new policy store instance after import the xml file.

Alternately, you can use the approach that I mentioned before:

1. Correct policy store integrity errors before migrating.
2. Upgrade an r12.5x Policy Server to 12.6.01.
3. Upgrade the remaining r12.5x Policy Servers 12.6.01.
4. Upgrade the r12.5x policy and key stores to 12.6.01.
5. Upgrade the r12.5x Administrative UI.

For this approach, you don't have to perform export policy and import policy as the contents are remain in current policy store. What you need to do is upgrade the policy store schema and data definition to match to 12.6.

Hope this helps.

Regards,

Kar Meng