Symantec Access Management

  • 1.  Upgrading CA SSO from 12.52 to 12.8

    Posted Jan 08, 2019 10:47 PM

    Dear Experts,

     

    Please let me know if we missed anything while upgrading SiteMinder from 12.52 to 12.8. Please find below the steps we followed:

     

    1. Took a backup of SiteMinder 12.52 Policy Store from SQL 2008 

    2. Restored it on SQL 2016 

    3. Installed SiteMinder 12.8 on a different Windows Server with the same encryption key as 12.52

    4. Using the Policy Server Configuration Wizard, pointed SiteMinder to the new Policy Store on SQL 2016 (which was created by duplicating the 12.52 policy server on SQL 2008)

    5. Skipped the below step for now 
    Upgrade Policy Store - CA Single Sign-On - 12.8 - CA Technologies Documentation 

    6. Installed the 12.8 ADMIN UI and registered it with 12.8 SSO, and we are able to log in to the ADMIN Console and can see all the policies, agents, ACOs, etc.

     

    Thanks,



  • 2.  Re: Upgrading CA SSO from 12.52 to 12.8

    Broadcom Employee
    Posted Jan 08, 2019 11:54 PM

    It may work even without upgrading the Policy Store; however, it is mandatory to run the Policy Store upgrade steps in order to update the Policy Store schema definitions and import the newly available OOTB objects such as ACO parameters, OAuth/OpenID, etc.

     

    All of these need to be executed:

    Import the Policy Store Data Definitions

    Importing the policy store data definitions defines the types of objects that can be created and stored in the policy store.

    Follow these steps:

    1. Open a command window and navigate to siteminder_home\xps\dd.
      siteminder_home specifies the Policy Server installation path.

    2. Run the following XPSDDInstall SmMaster.xdd command to import the required data definitions.

      XPSDDInstall SmMaster.xdd

    3. If your environment is integrated with CA Identity Manager, also run the following command. This command imports the data definitions required for the integration:

      XPSDDInstall IdmSmObjects.xdd

    Import the Default Policy Store Objects

    Importing the default policy store objects configures the policy store for use with the Administrative UI and the Policy Server.

    Consider the following items:

    • To import the policy store objects, the import utility requires write access to siteminder_home\bin.
      siteminder_home specifies the Policy Server installation path.
    • If Windows User Account Control (UAC) is enabled, open command-line windows with administrator permissions, even if your account has administrator privileges.

    Follow these steps:

    1. Open a command window and navigate to siteminder_home\db.
    2. Import one of the following files:
      • smpolicy.xml: Import smpolicy.xml by running the following command:

        XPSImport smpolicy.xml -npass

        -npass specifies that no passphrase is required. The default policy store objects do not contain encrypted data.

    Use either file to configure a new policy store and upgrade an existing store. When imported as part of an upgrade, the file does not overwrite existing default objects that were modified. Both files include the default policy store objects. These objects include the default security settings in the default Agent Configuration Object (ACO) templates. The secure file provides more restrictive security settings. For a detailed summary of the security settings in both the files, see Configure LDAP Directory Servers as Policy, Session, and Key Stores or Configure ODBC Databases as Policy, Session, Key and Audit Stores.

    The default policy store objects are imported.

    Import the Federation Policy Store Objects

    If you want to use OAuth or OpenID Connect, import the default OAuth entities and default claims and scopes objects for OpenID Connect.

    Follow these steps:

    1. Open a command window and navigate to siteminder_home\db.
    2. Import the default-fedobjects-config.xml file using the following command:

      XPSImport default-fedobjects-config.xml -npass

      -npass specifies that no passphrase is required.

     

    Regards

    Ashok
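
The import sequence from the reply above, collected into one PowerShell script that checks the two stated prerequisites (an elevated window and write access to siteminder_home\bin) and stops at the first failed step. This is an added example, not part of the thread or the vendor documentation; the parameter names are hypothetical, and it assumes the XPS tools are on PATH and return a non-zero exit code on failure.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell window.
param(
    [Parameter(Mandatory)] [string] $SiteminderHome,  # Policy Server installation path (siteminder_home)
    [switch] $IdentityManager,                         # also import IdmSmObjects.xdd
    [switch] $Federation                               # also import default-fedobjects-config.xml
)
$ErrorActionPreference = 'Stop'

# UAC: the window itself must be elevated, even for an administrator account.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Open the command window with administrator permissions.'
}

# The import utility needs write access to siteminder_home\bin: prove it with a probe file.
$probe = Join-Path $SiteminderHome 'bin\.write-probe.tmp'
Set-Content -Path $probe -Value 'probe'
Remove-Item -Path $probe

function Invoke-Step {
    param([string] $SubDir, [string] $Tool, [string[]] $ToolArgs)
    # Each command is run from the directory the steps name (xps\dd or db).
    Push-Location (Join-Path $SiteminderHome $SubDir)
    try {
        Write-Host "[$SubDir] $Tool $($ToolArgs -join ' ')"
        & $Tool @ToolArgs
        # Assumption: the tool signals failure through a non-zero exit code.
        if ($LASTEXITCODE -ne 0) { throw "$Tool failed with exit code $LASTEXITCODE" }
    } finally {
        Pop-Location
    }
}

# 1. Data definitions first: they define the object types the later imports create.
Invoke-Step 'xps\dd' 'XPSDDInstall' @('SmMaster.xdd')
if ($IdentityManager) { Invoke-Step 'xps\dd' 'XPSDDInstall' @('IdmSmObjects.xdd') }

# 2. Default policy store objects; -npass because they contain no encrypted data.
Invoke-Step 'db' 'XPSImport' @('smpolicy.xml', '-npass')

# 3. Federation objects, only when OAuth or OpenID Connect will be used.
if ($Federation) { Invoke-Step 'db' 'XPSImport' @('default-fedobjects-config.xml', '-npass') }
```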