Layer7 Access Management

Tech Tip - CA Single Sign-On: Policy Server: How to migrate selected policy domain(s) from one policy store to another

By Ujwol posted 04-03-2017 04:02 AM

  

Summary:

 

In this guide we discuss the steps required to export selected domain(s) from one policy store and import them into another.

 

A domain may include the following child objects:

  • CA.SM::SAMLv1SP
  • CA.SM::WSFEDSP
  • CA.SM::Variable
  • CA.SM::Response
  • CA.SM::Realm
  • CA.SM::RuleGroup
  • CA.SM::ResponseGroup
  • CA.EPM::Role
  • CA.SM::SAMLv2SP
  • CA.SM::Policy

 

It may also include references to objects such as:

  • CA.SM::AuthScheme
  • CA.SM::AgentType
  • CA.SM::UserDirectory
  • CA.SM::Agent

 

So, migrating a domain means migrating the primary CA.SM::Domain object along with all of its children and the objects it references.

 

 

Environment:

  • Policy Server : R12.51+
  • OS : ANY
  • Policy Store : ANY

Instructions:

 

Source Policy Store/Policy Server

 

1. Identify the XIDs of the policy domain(s) that you want to migrate.

This can be done by looking up the specified policy domain(s) via XPSExplorer:

However, the easiest option is to first perform a full policy store export and then look up the domain XID manually in the export file.

To perform a full policy store export (dump export), run the following command:

XPSExport c:/fullexport.xml -xb -npass

Then search for the domain name in the export file.

For the matching object, the object class should be "CA.SM::Domain" and the XID should be in the format "CA.SM::Domain@XXXXX".

For example, in the screenshot below the highlighted value is the XID of the policy domain "iis_anz_vm2_wa" that we would like to migrate.

 

2. Once identified, copy the XID(s) of all the policy domains into a file, say domainXIDs.xml, as below:

3. Next, export the selected policy domain(s) using the following command:

XPSExport c:\domainExport.xml -xf c:\domainXIDs.xml -npass

4. Then open the newly exported file (domainExport.xml) and copy the XID(s) of all the references it uses into a new file, say referenceXIDs.xml.

 

 

Tip: search for the string "<ReferenceObject".

 

 

Note: Some of the reference types are not exportable and need to be removed from referenceXIDs.xml; which ones will become evident when you try to export the references.

So, let us first try to export the references as they are:

 

C:\Users\Administrator>xpsexport c:\ref.xml -xf c:\referenceXIDs.xml -npass



As we can see above, objects of type CA.SM::AgentTypeAttr are not exportable, which means they can't be migrated. These are default objects that ship out of the box and cannot be instantiated, so it is safe to remove them from the list of references in referenceXIDs.xml.

So, go ahead and delete the references to objects of this type from referenceXIDs.xml.

 

 

(After manually deleting the CA.SM::AgentTypeAttr object references.)

Now try to export the references again using the same command:

C:\Users\Administrator>xpsexport c:\ref.xml -xf c:\referenceXIDs.xml -npass

 

This time it should succeed:

 

Finally, we now have the following two export files, which we can import into the target policy store:

  • domainExport.xml - policy domain export file (from step 3)
  • ref.xml - export of the references used by the policy domain (from step 4)
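Step 4 (collecting the reference XIDs from domainExport.xml) and the note that follows it (dropping the non-exportable CA.SM::AgentTypeAttr references) are the two places where hand-editing tends to go wrong. The script below is an added example, not part of the original post or a CA utility: it reads an export file, gathers the XIDs of every ReferenceObject, drops those whose class is known to be non-exportable, and writes the rest to referenceXIDs.xml. The element and attribute names (ReferenceObject, Class, Xid), the plain one-XID-per-line layout of the -xf input file, and the sample XIDs are all assumptions made for this example; check them against your own domainExport.xml before relying on the output.

```python
import sys
import xml.etree.ElementTree as ET

# Classes the post found to be non-exportable (out-of-the-box objects that
# cannot be instantiated). Extend this set if XPSExport rejects other types.
NON_EXPORTABLE_CLASSES = {"CA.SM::AgentTypeAttr"}

# Constructed sample in the shape of an XPSExport output file. The element and
# attribute names (ReferenceObject, Class, Xid) and the XID values are
# assumptions made for this example, not copied from a real export.
SAMPLE_DOMAIN_EXPORT = """<?xml version="1.0" encoding="UTF-8"?>
<XPSExport>
  <Object Class="CA.SM::Domain" Xid="CA.SM::Domain@03-11111111-2222-3333-4444-555555555555">
    <Property Name="Name"><String>iis_anz_vm2_wa</String></Property>
  </Object>
  <ReferenceObject Class="CA.SM::UserDirectory" Xid="CA.SM::UserDirectory@0d-aaaaaaaa-0000-0000-0000-000000000001"/>
  <ReferenceObject Class="CA.SM::Agent" Xid="CA.SM::Agent@1a-aaaaaaaa-0000-0000-0000-000000000002"/>
  <ReferenceObject Class="CA.SM::AgentTypeAttr" Xid="CA.SM::AgentTypeAttr@1b-aaaaaaaa-0000-0000-0000-000000000003"/>
  <ReferenceObject Class="CA.SM::AuthScheme" Xid="CA.SM::AuthScheme@0a-aaaaaaaa-0000-0000-0000-000000000004"/>
  <ReferenceObject Class="CA.SM::Agent" Xid="CA.SM::Agent@1a-aaaaaaaa-0000-0000-0000-000000000002"/>
</XPSExport>
"""


def _local_name(tag):
    """Strip an XML namespace prefix, in case the export uses one."""
    return tag.rsplit("}", 1)[-1]


def collect_reference_xids(xml_text, skip_classes=NON_EXPORTABLE_CLASSES):
    """Return (exportable, skipped): reference XIDs in document order with
    duplicates removed. `skipped` holds XIDs whose class is non-exportable."""
    root = ET.fromstring(xml_text)
    exportable, skipped, seen = [], [], set()
    for elem in root.iter():
        if _local_name(elem.tag) != "ReferenceObject":
            continue
        xid = elem.get("Xid")
        cls = elem.get("Class")
        if not xid or xid in seen:
            continue
        seen.add(xid)
        (skipped if cls in skip_classes else exportable).append(xid)
    return exportable, skipped


def write_xid_list(xids, path):
    """Write one XID per line (assumed layout of the -xf input file)."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(xids) + "\n")
    return len(xids)


if __name__ == "__main__":
    # Usage: python collect_refs.py c:\domainExport.xml   (falls back to the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_DOMAIN_EXPORT
    keep, dropped = collect_reference_xids(source)
    for xid in dropped:
        print(f"skipping non-exportable reference: {xid}")
    count = write_xid_list(keep, "referenceXIDs.xml")
    print(f"wrote {count} reference XIDs to referenceXIDs.xml")
```

Run it against the real domainExport.xml, then feed the generated referenceXIDs.xml to `xpsexport c:\ref.xml -xf c:\referenceXIDs.xml -npass` as in the post. If XPSExport still reports a non-exportable type, add that class to NON_EXPORTABLE_CLASSES and rerun rather than editing the list by hand.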

 

Target Policy Store/Policy Server

1. Import the references export file using the following command:

XPSImport c:/ref.xml -npass

 

Sample output :

 

2. Import the domain export file:

XPSImport c:/domainExport.xml -npass

 

Sample output :

 

 

 

Note: The above process doesn't migrate objects such as ACOs and HCOs, which are not related to a policy domain. If you need those as well, migrate them using the same procedure.


Comments

10-17-2018 09:07 AM

kobi.azran

 

The XPSImport utility is smarter than its predecessors (smobjimport). The way XPSImport works is, if it finds that a User Directory Object with a NAME exists in the XML file and a User Directory exists in the PStore (where the import is occurring) with the same NAME, XPSImport will not import the User Directory Object from the XML file. XPSImport will simply map the Domain Object being imported from the XML file with the same NAME User Directory Object in the PStore. Thus your User Directory Object in the PStore will not be overwritten with the User Directory Object in the PStore.

 

Thus for the first time you can even manually create the same NAME UD object in DEV / TEST / PROD with different connection params. Now when you export from DEV and migrate to TEST, you need not edit the UD Object in the XML file. Since the UD NAME is the same as the one present in TEST, XPSImport knows when it looks into the PStore that an Object of Type UD with the same NAME exists, hence it won't import the UD from XML, but rather it will use just the UD NAME to map the correct UD in the Test PStore to the Policy Domain being imported from XML.

 

You can test this and see for yourself. I have tested this and this design has been vetted by Engineering.

 

Hope this helps!

 

Regards

Hubert

10-17-2018 04:59 AM

One of the objects in the references which we export is CA.SM::UserDirectory, with the server name, port, username and password of the source environment. Those can vary between environments - especially staging/dev and prod.

In the first export-import of this object we did manual changes via AdminUI in target environment.

What are the options for subsequent object migrations, other than changing it manually in the exported file or AdminUI, so that the existing User Directory connection details will not be overwritten? Doing those manual changes in a text file is subject to human error, and exporting with the -npass option exposes sensitive information.

06-16-2017 03:25 PM

Could the above process be used to migrate domain objects from SM 12.0 to 12.7, or from 12.51 to 12.7?

 

Many thanks

04-12-2017 10:09 PM

In some of those steps you can also use the SMPolicyReader to help generate the xcart.

 

Using SMPolicyReader to generate xcart selection. 

 

Siteminder Policy Reader 

 

The Policy Reader lets you right click and add the domains to the cart, and you can right click on the individual items. It does not automatically add all the referenced links - but that would be a nice option to have, and I may be able to include that in a later version (update: May-2017 - reader updated and now has a screen to view reference links and to add them to the xcart if you want).

 

Cheers - Mark

----
Mark O'Donohue
Snr Principal Support Engineer - Global Customer Success

04-04-2017 08:34 PM

04-03-2017 07:58 PM

Thanks for sharing Alex. However, the approach couldn't be used for the current use case of exporting Domain along with its references, as there is no convenient way to identify all the references using XPSExport -x? option/XPSExplorer.

04-03-2017 11:42 AM

Alternatively, you can use XPSExport with the -x? flag to do the selection of objects without ever having to jump between XPSExport and XPSExplorer. The -x? flag bundles the XPSExport with XPSExplorer in one convenient flow. There is not even a need to save the xcart.