Symantec Access Management

  • 1.  Advice for upgrading from R12.52 to R12.8

    Posted Jan 08, 2019 01:20 AM

    We previously upgraded from R12.0 to R12.52 several years ago via the "parallel upgrade" method.  Now it's time to upgrade again, but this time from R12.52 SP1 to R12.8.  The previous upgrade was our first SM Policy server upgrade and it took us a lot of time in the sandbox environment encountering many mistakes until we perfected the process.  We basically installed a fresh R12.52 PS server and then exported the r12.0 policystore data and then imported it to the new r12.52 policystore via "smobjexport" and "smobjimport" commands.

    I think the trickiest part of this was exporting and importing the policystore data and also the agent keys between the old and new PS.  We plan to do the exact same process with this round of upgrade from 12.52 to 12.8 and are hoping folks would chime in to give us any advice or tips.

    Much thanks in advance!



  • 2.  Re: Advice for upgrading from R12.52 to R12.8

    Broadcom Employee
    Posted Jan 08, 2019 10:05 AM

    It will be a straightforward and smooth upgrade. Best of luck!!!



  • 3.  Re: Advice for upgrading from R12.52 to R12.8

    Posted Mar 21, 2019 05:15 AM

    I'll be in a similar situation too. Any suggestions or known issues will help to plan it.

    BTW, do we need to also upgrade CA directory server (running as PST)?



  • 4.  Re: Advice for upgrading from R12.52 to R12.8

    Posted Mar 22, 2019 04:34 PM

    Hi Suresh,

    I just completed our DEV environment and am now about to wrap up our UAT/QA environment.  So far it has been pretty smooth.  It is actually quite a bit easier than our previous round of upgrading/migrating from r12.0 to r12.52.  For the r12.8 we do the upgrade using the parallel method.  We simply build out new Linux VMs and install r12.8 policy server and components and get it up and running, then we export the entire policy store data of the r12.52 and then import/overwrite the r12.8 policystore.

    For the CA Directory upgrade, our r12.52 policystore was on CA Directory r12.0, but on the new r12.8 system we went with CA Directory Server r14 and have had no issues so far.  Feel free to message me if you run into any issues and I'll see if I can help you out.  My first round of policy server upgrade several years ago moving from r12.0 to r12.52 was quite difficult and brutal.  It took me a couple of months of trial and error until I mastered the process and documented the entire process in a "runbook", which I used as guidance for this round of upgrades.  Now I have a new runbook for the r12.8 upgrade which I can follow step by step to install each environment.

    Regards,

    Duc Tran



  • 5.  Re: Advice for upgrading from R12.52 to R12.8

    Posted Mar 23, 2019 06:46 AM

    Hi Duc Tran,

    Glad you had a positive experience with your upgrade. For me, I didn't have to do the classic policy export and import.

    I had to upgrade from CA SSO r12.52 SP1 CR9 to CA SSO r12.8.

    Using the parallel method as well because the client wants a period of co-existence.

    Policy store was in CA Directory 12.0.8 and we moved over to CA Directory r14.

    What I did was, at the CA Directory r12, I did an onlinebackup, then just threw the .zdb files over to the r14 Directory and started it up. It just works.

    Then I installed CA SSO r12.8 and pointed it to use the policy store in Directory r14. I also pointed the existing r12.52 policy servers to the new policy stores so that they are using the same keystore.

    As there is some new stuff provided by r12.8, remember to run the following commands from the r12.8 policy server.

    XPSDDInstall SmMaster.xdd

    XPSImport smpolicy.xml -npass -vT

    Then I registered my new AdminUIs and I'm done. The r12.52 access gateway continues to work with the 12.8 policy server so I took my time with upgrading those (some in-place upgrades, some parallel and swing after).

    Just need to remember, before decommissioning the r12.52 policy server, to make sure one of the r12.8 policy servers becomes the key generator. Better yet, do this master swing as soon as the r12.8 policy server is serviceable. I forgot this step and caused quite a bit of a scare when we shut down the 12.52 policy servers in UAT.

    Regards,

    Zen