Symantec Access Management

  • 1.  SiteMinder parallel upgrade R12SP3 to R12.52SP02

    Posted Aug 21, 2016 04:20 PM

    Hi,

    We are in the process of upgrading our CA SiteMinder setup from R12SP3 to R12.52 SP02. The approach we are following is a parallel upgrade.

    The infrastructure is ready in the new environment and we have already installed and configured the R12.52 SP02 policy server, with CA Directory as the Policy + Key Store.

    In R12, we are using OID 11g as the Policy + Key Store.

    We have migrated the policy data from R12 to the R12.52 environment successfully. However, we are facing some issues when we try to point an existing application from R12 to the R12.52 environment. It gives an Internal Server Error on the .fcc page after submitting the credentials.

    I reckon the issue is because of the reasons below:

    1. We have installed the R12.52 servers with a different encryption key, and the key store is migrated from R12 to R12.52.

    2. The custom login page for all the intranet applications is hosted on central Apache servers, which are still pointing to the R12 environment.

    Questions:

    If we point the SM web agent on the central Apache server (serving the custom login page) to R12.52, then SSO will not work for applications which are still pointing to the R12 environment, and vice versa.

    1. Can we use the R12.52 CA Directory based collocated policy/key store as a different key store by resetting the encryption key and importing the R12 key data? If yes, then please help with the steps to be followed.

    2. Is there any better approach to maintain SSO between R12 and R12.52 until the time we point all R12 applications to the R12.52 policy servers?

    We don't want to use the R12 key store as the common key store, since we are planning to decommission the OID servers.

    Appreciate your quick help.

    Regards,

    Vishal



  • 2.  Re: SiteMinder parallel upgrade R12SP3 to R12.52SP02
    Best Answer

    Posted Aug 21, 2016 11:45 PM

    Hi Vishal,

    You will not be able to do SSO if the Policy Server encryption keys are different between r12.0 and r12.52.

    The reason being, the Key Store Key which is used to encrypt/decrypt the key store data is derived from the Policy Server encryption key. So, if you have a different Policy Server encryption key you effectively have a different Key Store Key, which means the agent keys encrypted by one environment will fail to decrypt on the other.

    Now, our documentation advises having the r12.0 key store as the common key store in this particular use case.

    Parallel Upgrade from 12.x - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation

    But logically, I don't see a problem even if you use the r12.52 key store as the common key store here.

    So, my suggested next steps are as follows:

    1. Reset the r12.52 Policy Server encryption key to match r12.0.

    (Perform a full policy store export (-xb) in clear text using the -npass switch, reset the encryption key and re-import the export file.)

    2. Create a separate r12.52 Key store.

    You need to configure the policy store schema as normal. The policy store schema includes the key store schema.

    Configure a Separate Key Store - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation

    However, you do not have to:

    • Set the super user password.
    • Import the default policy store objects.
    • Import the policy store data definitions.
      A separate key store does not require these objects.

    3. Import the r12.0 agent/persistent keys into the r12.52 key store.

    4. Configure the r12.0 Policy Server to use the r12.52 key store.

    Note: Please test this in a lower environment first. I haven't tested this combination myself, so I am not really sure if it works.

    Hope this helps.

    Regards,

    Ujwol Shrestha

    Ujwol's Single Sign-On Blog
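    The dependency Ujwol describes above (Key Store Key derived from the Policy Server encryption key, so records written by one environment fail to decrypt in the other) and the effect of step 1 (export in clear, reset the key, re-import) can be modelled in a few lines. The following is an added illustration, not SiteMinder's own code or its real cryptography: the derivation function, the toy record cipher and all key values are constructed assumptions, chosen only so that the mismatch and the reset are visible in a runnable way.

```python
import hashlib
import hmac
import os

# Constructed sample values (not real SiteMinder keys): the two environments'
# Policy Server encryption keys from the thread.
R12_ENCRYPTION_KEY = "r12-policy-server-encryption-key"
R1252_ENCRYPTION_KEY = "r12.52-policy-server-encryption-key"

# Constructed sample agent/persistent keys that would live in the key store.
SAMPLE_AGENT_KEYS = {
    "current": bytes(range(24)),
    "last": bytes(range(24, 48)),
    "persistent": bytes(range(48, 72)),
}


def derive_key_store_key(policy_server_encryption_key: str) -> bytes:
    """Hypothetical one-way derivation of the Key Store Key from the Policy
    Server encryption key. The real derivation is not documented on the page;
    the only property used here is that different inputs give different keys."""
    return hashlib.pbkdf2_hmac("sha256", policy_server_encryption_key.encode(),
                               b"key-store-key", 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a toy stream cipher (illustration only).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_record(ksk: bytes, plaintext: bytes) -> bytes:
    """Encrypt one key store record as nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(ksk, nonce, len(plaintext))))
    tag = hmac.new(ksk, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_record(ksk: bytes, blob: bytes) -> bytes:
    """Decrypt one record; raises ValueError when the record was written under
    a different Key Store Key, which is the failure the thread describes."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(ksk, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record does not decrypt under this Policy Server encryption key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(ksk, nonce, len(ct))))


def build_key_store(encryption_key: str, agent_keys: dict) -> dict:
    """Write agent keys into a key store owned by a Policy Server with this key."""
    ksk = derive_key_store_key(encryption_key)
    return {name: encrypt_record(ksk, value) for name, value in agent_keys.items()}


def read_key_store(encryption_key: str, key_store: dict) -> dict:
    """What a Policy Server with this encryption key sees when it reads the store."""
    ksk = derive_key_store_key(encryption_key)
    return {name: decrypt_record(ksk, blob) for name, blob in key_store.items()}


def can_read_key_store(encryption_key: str, key_store: dict) -> bool:
    """True when every record decrypts under the key derived from encryption_key."""
    try:
        read_key_store(encryption_key, key_store)
        return True
    except ValueError:
        return False


def reset_encryption_key(key_store: dict, old_key: str, new_key: str) -> dict:
    """Model of step 1: export the store in clear text under the old key,
    reset the Policy Server encryption key, and re-import under the new one."""
    clear_export = read_key_store(old_key, key_store)
    return build_key_store(new_key, clear_export)


if __name__ == "__main__":
    store = build_key_store(R1252_ENCRYPTION_KEY, SAMPLE_AGENT_KEYS)
    print("r12.52 reads r12.52 store:", can_read_key_store(R1252_ENCRYPTION_KEY, store))
    print("r12.0 reads r12.52 store: ", can_read_key_store(R12_ENCRYPTION_KEY, store))
    store = reset_encryption_key(store, R1252_ENCRYPTION_KEY, R12_ENCRYPTION_KEY)
    print("r12.0 reads store after reset:", can_read_key_store(R12_ENCRYPTION_KEY, store))
```

The model also makes the answer to the later question about the other three policy servers concrete: any Policy Server whose encryption key differs from the one the store was written under fails the same check, so every server that must read the shared store has to carry the matching key.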



  • 3.  Re: SiteMinder parallel upgrade R12SP3 to R12.52SP02

    Posted Aug 22, 2016 01:14 AM

    Hi Ujwol,

    Thanks for your inputs!

    I have doubts over the points below:

    2. Create a separate r12.52 Key store.

    You need to configure the policy store schema as normal. The policy store schema includes the key store schema.

    Configure a Separate Key Store - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation

    - Can't we use the collocated Policy & Key Store which is already configured in R12.52? The link which you have provided above seems not to be working.

    Regards,

    Vishal



  • 4.  Re: SiteMinder parallel upgrade R12SP3 to R12.52SP02

    Posted Aug 22, 2016 01:22 AM

    Please try the following link:

    Configure a Separate Key Store - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation

    You said: "Can't we use the collocated Policy & Key Store which is already configured in R12.52? The link which you have provided above seems not to be working."

    Ujwol => Probably not. Going by the parallel upgrade documentation, the key store needs to be separate.



  • 5.  Re: SiteMinder parallel upgrade R12SP3 to R12.52SP02

    Posted Aug 22, 2016 01:00 PM

    I guess I need to create a new DSA instance in CA Directory and configure it as the key store for R12.52. I will refer to the link below:

    How to Configure a CA Directory Key Store - CA Single Sign-On - 12.52 SP2 - CA Technologies Documentation

    Currently, we have 4 policy servers installed in the R12.52 environment with the same encryption key (a different one than R12), with one server enabled to generate the agent keys. All of them are pointing to a common policy store. Do I still need to reset the encryption key for the remaining 3?

    Regards,
    Vishal



  • 6.  Re: SiteMinder parallel upgrade R12SP3 to R12.52SP02

    Posted Aug 22, 2016 01:04 PM

    Yes, because the remaining 3 policy servers will also need to read the key store data and be able to decrypt it.