Symantec Access Management

  • 1.  Move Keys and Certificates: SM 12.0 to 12.6

    Posted Oct 12, 2016 12:14 PM

    Hi all.

    We'd like to have more information about moving certificates from version 12.0 to version 12.6 of SSO.

    Last year we moved (in another environment we have) from 12.0 to 12.51 using a parallel upgrade. In that case we used two different policy stores (for 12.0 and 12.51), copy/pasted the smkeydatabase and, with the new 12.51 (which was pointing to the new policy store), performed "smmigratecds -validate" and "smmigratecds -migrate". It was a very safe way, because all commands were performed in the new environment (12.51) without running any commands in the 12.0 infrastructure.

     

    NOW.

    Today we are moving to 12.6 from 12.0 (a completely different environment).

    We are using a parallel upgrade. 2 different policy stores (12.0 and 12.6). 1 keystore.

    After installing 12.6 and configuring a standard 12.6 policy store, we now need to copy/move the certificates (used for federation) from 12.0 to the CDS of 12.6.

    As the documentation says:

    "A direct migration of the r12.0x smkeydatabase to a 12.6 CDS is not possible."

     

    So, first of all, it is boring (and time-consuming) to install another policy server, now 12.52 SP1, ONLY to migrate these certificates... is it mandatory?

    And even if... The documentation says that, after installing a 12.52 SP1, this policy server HAS TO POINT TO the 12.0 policy store. Then we also have to run "XPSDDInstall CDSObjects.xdd" to extend the schema: this is the part that is changed and that can create problems. We don't want (for safety reasons) to run any command against the 12.0 policy store (this is also why users select parallel upgrade).

    So... probably the steps are:

    1. install another 12.52 SP1 and ANOTHER policy store 12.52 SP1 (so default objects).

    2. copy smkeydatabase from 12.0 to 12.52 SP1

    3. run smmigratecds -migrate

    4. At this point we have a policy server 12.52 SP1 and a default 12.52 policy store with now also cds and certificates inside.

    5. After that... we have to move again to 12.6? How? Running again the installer 12.6 to this 12.52? Or we can use our 12.6 policy server and point to this new 12.52 policy store?

     

    It seems the process has been complicated.

    Thanks all for the explanation.

     

    Francesco



  • 2.  Re: Move Keys and Certificates: SM 12.0 to 12.6

    Posted Oct 12, 2016 10:47 PM

    Hi Francesco,

     

    Looks like a complicated process. I don't have an answer off the top of my head. I will do some research and get back.

     

    Regards,

    Kar Meng



  • 3.  Re: Move Keys and Certificates: SM 12.0 to 12.6



  • 4.  Re: Move Keys and Certificates: SM 12.0 to 12.6

    Posted Oct 18, 2016 07:42 AM

    Thanks for the reply.

    I'm not sure what is to be done after installing a new 12.52 SP1 ONLY to migrate the smkeydatabase to CDS.

    I mean, we selected the parallel migration in order to NOT touch anything in the old (working!) environment. Also, the documentation itself says "The existing environment is left intact but you set up a new environment that protects new resources".

    BUT, because we are moving to 12.6, we can no longer migrate the smkeydatabase directly into 12.6... ok.

    So we installed a new 12.52 SP1 policy server, created a new policy store just for it (blank!), copied the smkeydatabase to 12.52 and ran the commands to migrate the keys to the CDS. Right, now we have:

    - old policy server 12.0

    - new 12.52 SP1 policy server with its specific policy store and cds (but with NO DATA imported)

    - new 12.6 policy server

     

    What is the best way now to continue the migration? We obviously need to stay on 12.6.

    We are thinking to:

    - take the 12.6 policy server

    - point it to the 12.52 SP1 policy store (that contains only the 12.52 schema and the exported CDS),

    - run the standard commands like "XPSDDInstall SmMaster.xdd" and "XPSImport smpolicy.xml -npass"

    - at this point export data from 12.0 and import to 12.6.

    - here we don't need the 12.52 SP1 anymore

     

    Is it correct? Is there any easier way?

    We don't want to run any command against the 12.0 policy server/store. For this reason we think that the documentation that says "Point the 12.52 SP1 Policy Server to the 12.0x policy store then extend the 12.0x policy store to include the CDS." is not safe, because we have to run commands in the 12.0 policy store.

     

    Regards and thanks all for the reply



  • 5.  Re: Move Keys and Certificates: SM 12.0 to 12.6
    Best Answer

    Posted Oct 19, 2016 01:05 AM

    Hi,

     

    I think the steps you mentioned are fine. The point of having the 12.52 SP1 Policy Server in place is to migrate the certificates. Once the policy store is equipped with the exported CDS, you can have the ready 12.6 Policy Server point to the policy store.

    @@

    We are thinking to:

    - take the 12.6 policy server

    - point it to the 12.52 SP1 policy store (that contains only the 12.52 schema and the exported CDS),

    - run the standard commands like "XPSDDInstall SmMaster.xdd" and "XPSImport smpolicy.xml -npass"

    - at this point export data from 12.0 and import to 12.6.

    - here we don't need the 12.52 SP1 anymore

    @@

     

    I agree with your point

    ###

    For this reason we think that the documentation that says "Point the 12.52 SP1 Policy Server to the 12.0x policy store then extend the 12.0x policy store to include the CDS." is not safe, because we have to run commands in the 12.0 policy store

    ###

     

    Regards,

    Kar Meng