Symantec Access Management

  • 1.  Policy server object migration ?

    Posted May 02, 2016 02:34 PM

    We are currently looking into migrating all of our policy server objects between environments, and we are wondering what would be the best way to do it. Every environment has different policy servers, web farms, SQL databases, and URLs. Right now we are doing everything by hand. We have a high number of environments, making the migration process really inefficient. We are thinking of using XPSExport to dump the whole configuration, make search/replaces, re-import the configuration, and so on. What is your take on migrating objects between environments?



  • 2.  Re: Policy server object migration ?
    Best Answer

    Broadcom Employee
    Posted May 03, 2016 12:06 PM

    There is not really enough information to accurately answer this question.  XPSExport/XPSImport can export the entire Policy Store, or it can migrate individual objects.  URLs and Web Servers are not relevant at this point.  What is important is the source environment where XPSExport is being run and the target environment where XPSImport is being run.

     

    If you are migrating individual objects, then the dependent objects need to be moved as well.  Let's say I wanted to migrate a single Domain.  I can use XPSExplorer to locate the XID of that domain.  I can then export just the domain object by using the XID.   In my case I had a domain with XID (CA.SM::Domain@03-5339efb4-a5fc-40bb-9b93-2ed63fbab605).  I exported just that object using

    xpsexport <filename>.xml -xo <XID>

    example: xpsexport Reservations-Domain.xml -xo CA.SM::Domain@03-5339efb4-a5fc-40bb-9b93-2ed63fbab605

     

    In my export file I can see there are a number of Referenced Objects contained in the 'References' sections

    <references>

    ..

    </references>

     

    You will need to ensure these objects are included as well.  Each of the XIDs of the objects contained within the <references> section needs to be exported as well.  You can take the Domain XID and the XIDs of the referenced objects and place them all into a txt file.  Then run XPSExport using the -xf switch referencing the files with all of the XIDs.  This export file will include the Domain and all the child objects (Agents, User directories, Named Expressions, etc). 

     

    This works well if you have an empty target on which you're running XPSImport.  If there is data already on the target, then you may run into some additional complications.   For example if the Agent Object or the User directory object already exists it doesn't need to be migrated.  However, if there are already objects with the same name and a different XID, then this will cause problems.

     

    Let's say you created a User directory named "ADUSerDir1" in system A.  It will be assigned an XID.  Let's say you create a User Directory in System B with the same name and a different XID.  The Domain defines the User Directory by XID in the Policy Store.  You can't import two user directories with the same name and different XIDs.  If you replace the User Directory on the target with the one you are importing, then you would break some existing Domain in the process.

     

    Look at the documentation regarding Exports using Method = Add, Method = replace, and Method = Overlay to determine which might best meet your needs.

     

    If you have a more specific example, I'd be happy to discuss further.
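
The XID-list step described in the answer above, as an added example (not part of the original post and not Broadcom code): it collects every XID found inside the `<references>` sections of a single-object export and puts the exported object's XID first, ready to be saved as the text file for the `-xf` switch. Assumptions: XIDs follow the pattern of the one quoted in the post, the file holds one XID per line, and the sample XML (element names, `UserDirectory` class, zero-filled XIDs) is constructed for illustration.

```python
import re

# Assumption: every XID looks like the one quoted in the post,
# e.g. CA.SM::Domain@03-5339efb4-a5fc-40bb-9b93-2ed63fbab605
XID_RE = re.compile(r"CA\.SM::[A-Za-z0-9_]+@[0-9A-Fa-f-]+")
# Match each <references> ... </references> section; the post writes the tag
# both as 'References' and <references>, so ignore case.
REFS_RE = re.compile(r"<references\b[^>]*>(.*?)</references>", re.I | re.S)

def referenced_xids(export_xml: str) -> list[str]:
    """Unique XIDs from all <references> sections, in first-seen order."""
    seen, ordered = set(), []
    for section in REFS_RE.findall(export_xml):
        for xid in XID_RE.findall(section):
            if xid not in seen:
                seen.add(xid)
                ordered.append(xid)
    return ordered

def build_xid_list(root_xid: str, export_xml: str) -> list[str]:
    """Root object first, then its referenced objects, without duplicates."""
    if not XID_RE.fullmatch(root_xid):
        raise ValueError(f"not an XID: {root_xid!r}")
    return [root_xid] + [x for x in referenced_xids(export_xml) if x != root_xid]

def write_xid_file(path: str, xids: list[str]) -> None:
    """Assumed file layout for the -xf switch: one XID per line."""
    with open(path, "w", encoding="ascii", newline="\n") as fh:
        fh.write("\n".join(xids) + "\n")

ROOT = "CA.SM::Domain@03-5339efb4-a5fc-40bb-9b93-2ed63fbab605"
# Constructed sample: only the <references> wrapper and the Domain XID come
# from the post; inner element names and the other XIDs are made up.
SAMPLE_EXPORT = """
<Object Xid="CA.SM::Domain@03-5339efb4-a5fc-40bb-9b93-2ed63fbab605">
  <references>
    <ref>CA.SM::Agent@01-00000000-0000-0000-0000-000000000001</ref>
    <ref>CA.SM::UserDirectory@0e-00000000-0000-0000-0000-000000000002</ref>
  </references>
  <References>
    <ref>CA.SM::Agent@01-00000000-0000-0000-0000-000000000001</ref>
  </References>
</Object>
"""

if __name__ == "__main__":
    for xid in build_xid_list(ROOT, SAMPLE_EXPORT):
        print(xid)
```

Review the resulting list against the target Policy Store before importing, since an object that already exists there under the same name with a different XID causes the conflict described in the answer.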



  • 3.  Re: Policy server object migration ?

    Posted May 04, 2016 10:56 AM

    Thanks for your input @LAVST01. I'll look into the documentation you mentioned and try to test it out.