Symantec Access Management

Tech Tip - CA Single Sign-On:Policy Server:: How to migrate selected policy domain(s) from one policy store to another

By Ujwol posted 04-03-2017 04:02 AM




In this guide we will discuss about the steps required to export selected domain(s) from one policy store to another.


Domain may include following child objects:

  • CA.SM::Variable
  • CA.SM::Response
  • CA.SM::Realm
  • CA.SM::RuleGroup
  • CA.SM::ResponseGroup
  • CA.EPM::Role
  •  CA.SM::Policy


It may also include references like :

  • CA.SM::AuthScheme
  • CA.SM::AgentType
  • CA.SM::UserDirectory
  • CA.SM::Agent


So, migrating domain needs migrating the primary CA.SM.Domain object along with all it's children and referenced objects.




  • Policy Server : R12.51+
  • OS : ANY
  • Policy Store : ANY



Source Policy Store/Policy Server


1. Identify the XIDs of the Policy domain(s) that you want to migrate.

This can be done by looking up the specified Policy Domain(s) via XPSExplorer:


However, the easiest option is to first perform a full policy store export and then manually lookup the domain XID in the export file :

To perform full policy store export (dump export) run following command:

XPSExport c:/fullexport.xml -xb -npass


Then, search for the domain name in the export file. 

For the matching object, the object class should be : "CA.SM.Domain' and the XID should be in the format 'CA.SM.Domain@XXXXX

For e.g. in the screenshot below the highlighted value is the XID of the policy domain "iis_anz_vm2_wa" that we would like to migrate.


2. Once identified, copy the XID(s) of all the Policy domain into a file, say domainXIDs.xml as below :

3. Next, export selected policy domain(s) using following command :

XPSExport c:\domainExport.xml -xf c:\domainXIDs.xml -npass

4. Then, open the newly exported file (domainExport.xml) and copy the XID(s) of all the references used into a new file say referenceXIDs.xml.



Tip : search for string "<ReferenceObject"



Note : Some of the reference types are not exportable so needs to be removed from referenceXIDs.xml , but this will be evident on trying to export the references.

So, let us try to export the references as it is first :


C:\Users\Administrator>xpsexport c:\ref.xml -xf c:\referenceXIDs.xml -npass

As we can see above, the object of type CA.SM::AgentTypeAttr are not exportable which means, it can't be migrated. These are the default objects which came OOTB and can't be instantiated. So it is safe to remove this from the list of references - referenceXIDs.xml.

So, go ahead and delete the reference of these type of objects from referenceXIDs.xml 



(After manually deleting CA.SM.AgentTypeAttr object reference).

Now , try to export the references again using the same command :

C:\Users\Administrator>xpsexport c:\ref.xml -xf c:\referenceXIDs.xml -npass


and it should be successful now :


Finally, we are now ready with following two export file which we can now import to the target polcy store :

  • domainExport.xml - Policy domain export file (from step 3)
  • ref.xml - Export of references used by polcy domain (from step 4)


Target Policy Store/Policy Server

1. Import references export file using following command :

XPSImport c:/ref.xml -npass


Sample output :


2. Import domain export file :

XPSImport c:/domainExport.xml -npass


Sample output :




Note : The above process doesn't migrate objects like ACO & HCO which is not related to a Policy domain. If you need those as well, then they need to be migrated using the same procedure as above.