Symantec Access Management


Policy Store Backup/Restore

  • 1.  Policy Store Backup/Restore

    Posted Mar 20, 2015 02:20 PM


    We are planning our upgrade from Siteminder 12.0 SP3 to 12.52 SP1 CR1. The upgrade path we have chosen to take is a migration. We need a good backout plan in the (hopefully) unlikely event that we have a problem after we upgrade the policy store.

     

    SO, if I do a policy store export prior to the upgrade and have a problem, can I re-import the 12.0 policy store over the upgraded policy store?

     

    Another option I thought of:

    Export the policy store before it is upgraded, and import it into a separate container (our policy store is in AD) that we could point the policy servers to should we have a problem with the 12.52 policy store. This is assuming 12.52 policy servers will still be able to access a 12.0 policy store after the policy store they are using has been upgraded.

     

    I am guessing importing a policy store export requires you to build a new SiteMinder environment? You can't just create an OU and import the policy store, it has to be done through a policy server, right? If that's the case...

     

    Build a new 12.0 SP3 Policy Server and create a new policy store. Import the exported 12.0 policy store into the new policy store. Again, this is assuming 12.52 policy servers will still be able to access a 12.0 policy store after the policy store they are using has been upgraded.

     

    I was kind of thinking this through as I wrote. Appreciate feedback, and any suggestions.



  • 2.  Re: Policy Store Backup/Restore

    Posted Mar 20, 2015 02:31 PM

    We don't use AD, but we chose the parallel upgrade path when going from Version 6 to 1252.

     

    We have done very successful migration upgrades in the past though, i.e. upgrade all of your servers, then as a final step upgrade the policy store.

    A backout is essential; it sounds like you're on the right track. Back up the policy store with your AD or OS tools as well. For the policy servers, since we use Unix, we had a backup of the old version that could quickly be put back in place on each server.

     

    A migration is probably the fastest way to upgrade.



  • 3.  Re: Policy Store Backup/Restore

    Posted Mar 22, 2015 08:40 PM

    Hi brodginskicc,


    Let me answer by commenting on your questions:


    You asked - "SO, if I do a policy store export prior to the upgrade and have a problem, can I re-import the 12.0 policy store over the upgraded policy store?"

    => I assume this is for the case when you have some problem with your policy store upgrade? If the upgrade fails, it might result in policy store corruption, in which case I won't recommend doing this.

    Best is to create a brand new policy store for r12.52sp1cr1 and initialize it with the default schema and policy (this can be done either via the command line tool or via the policy server installer by choosing to initialize the policy store in the wizard). Ensure that the Policy Server is able to start up fine with the new policy store. Once confirmed, import the r12.0 SP3 policy store export.


    For the backup,

    => Yes, do a full backup of both your Policy Store export and Key Store in clear text.

    => Also perform a backup of the policy store via AD backup/restore functionality. This is just for the case when we are unable to import your policy store export via the SiteMinder import tools.


    Good Luck.


    Regards,

    Ujwol Shrestha



  • 4.  Re: Policy Store Backup/Restore

    Posted Mar 23, 2015 09:49 AM

    Just want to make sure I’ve got this right.

     

    1. Create a new policy store for 12.52 SP1 CR1. Make sure a policy server is able to start up using the new policy store.

    2. Import the 12.0 SP3 policy store export.

    Question: After importing the 12.0 SP3 policy store, is the new policy store still 12.52 SP1 CR1, or does it become 12.0 SP3?

     

    This would be not only should we have a problem with the upgrade, but also in the event that numerous or “very important” applications have a problem with the new policy store. We could be asked to move them back to the 12.0 SP3 policy store. Going into the upgrade, we may be advised that this is a requirement should there be an issue.



  • 5.  Re: Policy Store Backup/Restore

    Posted Mar 23, 2015 01:16 PM

    brodginskicc

     

    What you were planning initially was a MIGRATION upgrade i.e. in place upgrade i.e. Upgrade existing components.

    How to Migrate from r12.x - CA SiteMinder® - 12.52 SP1 - CA Wiki

     

    What Ujwol recommended was a PARALLEL upgrade, i.e. a parallel / new infrastructure with the new version of the product, which is in SSO with the current infrastructure with the old version of the product.

    How a r12.x Parallel Upgrade Works - CA SiteMinder® - 12.52 SP1 - CA Wiki

     

     

    Circling back to your question.

    Question: After importing the 12.0 SP3 policy store, is the new policy store still 12.52 SP1 CR1, or does it become 12.0 SP3?

    Answer: The new policy store remains R12.52 SP1 CR1 after import of Policy Data.

    Reason:

    • In layman terms
      • Consider 2 different types of Shelves we purchased from a furniture mart.
      • Initially we purchased Version-1 only.
      • Version-1 : KALLAX Shelving unit - black-brown - IKEA
      • Now consider we purchased an Object e.g. STOCKHOLM Vase - IKEA. Then we placed this Object in the Shelf Version-1.
      • After many years, we purchased Shelf Version-2.
      • Version-2 : KALLAX Shelving unit - white - IKEA
      • We then took (EXPORT) the Object e.g. STOCKHOLM Vase - IKEA and placed (IMPORT) it in Shelf Version-2. Did the object change OR should the object change? No. The Object should remain as it is; only the version of the Shelves has changed, with certain characteristics, i.e. it is much bigger, with more casing to allow for more objects. However, between both versions certain basic things remain the same, i.e. basic structure pattern, they both are made up of wood; which allows both Shelves to hold the same object.
    • In Technical Terms
      • Between Versions only Schema (from R6.x) and Data Definitions (from R12.x) change.
      • The Policy Objects that we create in the Store remain unchanged. Hence we can export the Policy Objects from one version of Policy Store into another version of Policy Store.

     

     

    My recommendation would also be Parallel Upgrade, as it keeps the existing infrastructure untouched. However, there are pros and cons in both approaches. These need to be delicately scrutinized before concluding which upgrade pattern (Migration OR Parallel) is to be adopted.

     

    For e.g. since the PStore is AD, is it possible to set up a parallel AD infrastructure? I doubt that; a corporate normally has one main AD Domain Controller and sub forests. I don't know what the AD is being used for in addition to being used as a Policy Store. If the entire AD instance / machine is being used only for the PStore, then I could build a parallel AD setup with the new version of the Policy Store. So these are the kind of doubts that arise in my head when I think about AD.

     

     

     

    Circling back to your earlier question.

    Question : Was specific to rollback i.e. "So, if I do a policy store export prior to the upgrade and have a problem, can I re-import the 12.0 policy store over the upgraded policy store?"

    Answer : Yes, you may be able to re-import; but note, your Policy Store would still be R12.51 or messier. The reason I state this is because when we talk about the Policy Store there are 4 different things:

    [A] Policy Store Schema.

    [B] Policy Store Data Definition.

    [C] Policy Store Object (Policy Domains, User Directories, Agents, ACO, HCO, Trusted Hosts, etc etc etc i.e. all objects one sees in WAM UI / FSS UI).

    [D] Policy Store Configuration.

    Now it is very crucial on what type of export was taken i.e.

    [1] Was a full backup i.e. XPSExport -xb

    or

    [2] Was it only a Policy Data export i.e. [C] i.e. XPSExport -xp -xe -xi -xs (-xp -xe -xi -xs is R12.5 and above; check corresponding parameters in R12.0. Just using it as an example here).

    Another question I would ask is, even if I took a -xb, i.e. a full backup (I am sure it includes [C] and [D]), what I am unsure of is whether -xb includes [A] and [B]. Even if it did, could the re-import (of the full backup, i.e. -xb) override / delete / de-reference the new Data Definition links which would have been created when the R12.0 Policy Store was upgraded to R12.5x by executing the XPSDDInstall command, which upgrades the Policy Store Data Definitions to the new version?

    Therefore I'd rely completely on AD's rollback ability to roll back into a prior state i.e. SNAPSHOT rollback.

    This use case is TRUE for Migration Upgrade.

     

     

    Question : Export the policy store before it is upgraded, and import it into a separate container (our policy store is in AD) that we could point the policy servers to should we have a problem with the 12.52 policy store.

    Answer : Here's the problem. Did anyone suggest that in AD or ADLDS there is a configuration partition and a data partition? Schema for sure resides in the Configuration Partition. Data Definition (XPSDDInstall command): I am unsure if it resides in the Configuration or Data Partition. Policy Data Objects (everything we create in WAM UI) reside in the Data Partition. *Assuming* Data Definition resides in the Configuration Partition, the moment XPSDDInstall is executed the entire AD configuration structure is updated. Anything in the Configuration Partition applies to entire objects that get created in AD/ADLDS under the Data Partition. Hence this idea of pointing R12.5x Policy Servers to a different container, e.g. an OU, under the impression that only this OU is R12.5x, is incorrect. As I understand, at any given point in time AD, when used as PStore, would remain in only one version, i.e. R12.0 or R12.5x.

    NOTE : ADLDS does have the feature of instances. Hence each instance has its own Configuration and Data Partition. Don't think AD has that capability.

     

     

     

    An upgrade is a mammoth task; what we spoke about here is just one piece of the puzzle. Hence I've kept the discussion specific to the rollback of the policy store as per the query posted.

     

     

    Regards

     

    Hubert



  • 6.  Re: Policy Store Backup/Restore

    Posted Mar 23, 2015 03:57 PM

    Our 6.0 to 12.0 upgrade was a parallel upgrade. We have spent A LOT of time discussing our 12.0 to 12.52 SP1 upgrade and have decided we would prefer to do a migration this time. I agree with you that an upgrade is a mammoth task. The parallel upgrade was a lot of work. When we did that, the parallel environment we created was in the same AD that the existing policy store resided in. Just in a different container (OU).  We have been using AD for our policy store since Siteminder release 4, and it has always been in the same domain in either the same (in the case of a migration upgrade), or different (in the case of a parallel upgrade) containers.

     

    What I am trying to figure out is the best way to set us up for a back out should there be a problem. Our change people are big on back out plans. With the dependency we have on Siteminder for web access, I wouldn’t feel comfortable doing this change without a solid back out plan.

     

    The thought of creating a parallel environment to support a back out seemed like a good option as it would allow us to get back to where we were before upgrading. To be honest, I was thinking of creating a 12.0 SP3 policy store as the backup (using smobjexport and import), not 12.52 SP1. Backing out to the upgraded version of policy store (not the version we had before the change) doesn’t sound like a back out to me. I know our change folks would not consider it one.

     

    This probably sounds a little crazy to you, but given the back out scenario outlined in the previous paragraph, is it possible to take 12.52 SP1 policy servers that were pointing to the 12.52 SP1 upgraded policy store, and point them to the 12.0 SP3 policy store we created as a backup?  As with the parallel environment we created when we upgraded from 6.0 to 12.0, the back out parallel environment would be in the same AD as upgraded policy store, just in a different container.

     

    Regarding your comments about AD. The Schema and Network info (ex. Subnet info) are the only things in the configuration partition in AD. Everything else is data. The upgrade from 12.0 to 12.52 does not include an AD Schema update. So exactly what is changing in the policy store between 12.0 and 12.52? Guessing new data objects?



  • 7.  Re: Policy Store Backup/Restore

    Posted Mar 23, 2015 04:37 PM

    brodginskicc

     

    Question : Is it possible to take 12.52 SP1 policy servers that were pointing to the 12.52 SP1 upgraded policy store, and point them to the 12.0 SP3 policy store we created as a backup?

    Answer : Yes. An R12.52 SP1 Policy Server can speak to an R12.0 PStore, but with limited capabilities (no features of R12.52 SP1 can be used until the PStore is upgraded to R12.52 SP1). You'd still need an R12.0 WAM UI to manage objects in the store until the PStore is upgraded to R12.52 SP1.

     

    Question : So exactly what is changing in the policy store between 12.0 and 12.52? Guessing new data objects?

    Answer : New Data Definition Object. No Schema changes. Only Data Definitions, hence we run XPSDDInstall to upgrade R12.0 Pstore to R12.52 SP1 in Migration Upgrade.



  • 8.  Re: Policy Store Backup/Restore

    Posted Mar 23, 2015 09:44 PM

    brodginskicc

     

    Question : I was thinking of creating a 12.0 SP3 policy store as the backup (using smobjexport and import), not 12.52 SP1.

    Answer : If you use smobj* tools for backup and restore, only OID objects would be backed up. Anything in XID form would not be exported. This is another factor you'd need to consider.

     

     

    I strongly urge you to use AD's backup and restore as a strong fallback option, not just relying on the smobj* tools (for reasons stated above) and XPS* tools (they are still in their naive stages in R12.0).

     

    NOTE : If you adopt Migration Upgrade, i.e. in-place upgrade, you cannot (should not) use smobjexport once the Policy Server is upgraded to R12.52 SP1 (I think the installer removes it as it is deprecated in R12.52 SP1; only smobjimport functions and is supported). Hence I would strongly recommend backing up before any upgrade steps are initiated.

     

     

    Regards

     

    Hubert



  • 9.  Re: Policy Store Backup/Restore

    Posted Mar 23, 2015 09:49 PM

    The plan is to do the export BEFORE upgrading the policy server to 12.52 SP1.



  • 10.  Re: Policy Store Backup/Restore

    Posted Mar 24, 2015 04:11 PM

    Thanks for all the good info and advice, especially the warnings about the two SM export/import utilities. I am looking into the AD Backup options now.

     

    I'm embarrassed to admit I don't have a better understanding of XIDs, other than the fact that they were introduced with 12.0. I have been around SM for a long time, and am more familiar with OIDs. Where can I go to read more about them, and how they are used compared to OIDs? I assumed OIDs were still being used.



  • 11.  Re: Policy Store Backup/Restore

    Broadcom Employee
    Posted Mar 25, 2015 04:20 PM

    I would like to point out a few concepts here which should be understood.  There is a lot of both accurate and inaccurate information.  I'm not going to tell you whether a Parallel or In-Place upgrade is the better option, because there are valid reasons to choose either. 

     

    Parallel Upgrade:   Least amount of down-time to complete upgrade.  Shortest Recovery Time Objective should a rollback be necessary.  Expensive in regards to duplicate hardware.  Necessary if choosing to also upgrade hardware during CA SSO upgrade.  Greater amount of time to configure parallel environment.  Potential to overlook tuning and environment settings configured in previous environment.

     

    In-Place Upgrade:  Greater amount of downtime.  Longer Recovery Time Objective should a rollback be necessary.  Reduced hardware costs.  Requires upgrade be performed on existing, potentially older hardware.  Faster to implement upgrade and little tuning and configuration, if any, required.

     

    The Original Poster (OP) is discussing an upgrade from r12.0 SP3 to r12.52.   We should keep this in mind.

     

    1) The Policy Store and XPS Schema have not changed at all between r12.0 and r12.52.

     

    2) The Data Dictionary has changed.  This defines the Object Classes and the Attributes for those objects.

     

    3) The Upgrade of the Policy Server from r12.0 to r12.52 is mostly a binary update with some Data Dictionary additions.

     

    4) Both 'smobjexport' and 'xpsexport' export the User Defined Data only.  They DO NOT export the Schema or the Data Dictionary.

     

    When you upgrade the Policy Server from r12.0 to r12.52 the only update to the Policy Store is to the Data Dictionary.  The r12.0 Policy Server CAN use the r12.52 Data Dictionary.  The Data Dictionary will simply define Classes and Attributes which r12.0 does not use.

     

    Backing up the Policy Store using either 'smobjexport' or 'xpsexport' then restoring it will not actually do anything other than overwrite your user-defined data with an exact copy.  It will not overwrite the Data Dictionary.

     

    You are discussing a series of steps for roll-back which is essentially unnecessary. 



  • 12.  Re: Policy Store Backup/Restore

    Posted Mar 25, 2015 06:10 PM

    Hi Stephen,

     

     

    Some great piece of information there.

     

    I would just like to point out the following from what you have said:

    =>4) Both 'smobjexport' and 'xpsexport' export the User Defined Data only.

    This is not correct technically. The export utility also exports the default (out-of-the-box) policy store objects (as defined in smpolicy.xml or smpolicy-secure.xml) along with user-defined data/policies.

     

    =>You are discussing a series of steps for roll-back which is essentially unnecessary.

    I am not sure which steps you are talking about here, but if you are talking about the AD backup, I think that would still make sense, to have absolute peace of mind, because we know that we have many issues with xpsimport/smobjimport and things don't always run smoothly.


    Cheers,

    Ujwol



  • 13.  Re: Policy Store Backup/Restore

    Posted Mar 26, 2015 09:23 AM

    This is some great info.

     

    I think I am trying to have the best of both worlds.

    1. Faster implementation, and "confidence" of doing the upgrade with a tuned environment, that you get from a migration, and

    2. Shortest recovery time by creating a parallel 12.0 environment right before the existing environment is upgraded, should we need to roll back.

     

    I have been working with the AD guys on the AD backup options, but it has its own set of challenges.

     

     

     




  • 14.  Re: Policy Store Backup/Restore

    Posted Mar 26, 2015 10:04 AM

    I know this doesn't apply to your situation, but for the general population:

     

    We utilize CA directory for our policy store.  The ability to backup and restore with CA directory is extremely fast and efficient.  We had an issue with our production policy store which required a restore.  Nightly we take a snapshot (online dump in CA Directory terminology).  I was able to restore the policy store to a new directory infrastructure and roll the live policy servers to point to it one by one.  During the restore we didn't have a second of downtime.  I am not much for plugging CA products (sorry CA), but CA Directory is fairly solid. 



  • 15.  Re: Policy Store Backup/Restore

    Posted Jul 21, 2015 10:02 PM

    Hi,

     

    I am doing an upgrade from 1251 Sp1Cr1 to 1252 Sp1Cr1. I tried both methods: using a separate policy store instance initialized during install of 1252 Sp1Cr1 and importing data using XPSImport, and upgrading the 1251 Sp1Cr1 policy store instance with the data dictionary of 1252. In both cases I am having an issue with registering WAMUI successfully on 2 policy servers.

     

    Any thoughts?




  • 16.  Re: Policy Store Backup/Restore

    Posted Sep 02, 2015 07:11 PM

    Hi Sanjay,

     

    I guess you are getting the "there is no registration file found" error when trying to authenticate with WAM UI, or if there is any other issue, please do the below steps.

     

    1. Find the data folder inside the adminui directory and rename it.

     

    2. Close the browser and re-launch the WAM UI.

     

    Let me know if the issue still persists.

     

    Regards,

    Sasi