Symantec Access Management

Tuesday Tip by Vijay Masurkar, Principal Support Engineer, for 7-26-2011

This brief note assumes that you’ve some experience with installation and/or configuration of the Site Minder r6.x and R12 environments.

Q1: In regards to the use of smobjexport & smobjimport commands and when to use XPSExport & XPSImport commands, does it make any difference which command should be used for exporting policy store data?

A1: Yes, it does. When there’s XPS added to (pre-R12) legacy schema (or when there is pure XPS, as in R12, you need to use XPSExport. And, if the exported file has XPS, XPSImport is needed for import. Also, the following is recommended. For upgrade from version r5.5 to r6.x of the policy store data, use smobjexport/import. For upgrade from r6.x to R12.x, use XPSExport/Import after importing the data definitions in r6.x with the XDDinstall commands.


Q2: Is the use of XPSSweeper in the context of above commands ever required if only one policy store is in use (i.e. when multiple policy servers pointing to a single policy store)?

A2: Yes, certainly; but note that it is also useful for synching after the use of legacy and current tools within one store.


Q3: It appears that smobjexport tool exports the entire policy store (in smdif format) and XPSExport will do the same exact thing in XML format.

A3: Yes, but there is a difference. There is another configuration specific file created with smobjexport; but, with XPSExport, only one “.xml” file is created which may have dependency information based on the exported policy. That’s why one needs to be careful how to use that information for the target environment. So, when moving SiteMinder policies from one environment to another, either as part of an upgrade or a policy migration, some objects that are environment–specific are included in the export file. Examples of these objects include:

-- Trusted hosts
-- HCO Policy Server settings
-- Authentication scheme URLs
-- Password services redirects
-- Redirect responses


For more details, refer to the CA Site Minder R12 Policy Server Installation, Administration and Upgrade Guides. When you’re ready to plan an upgrade or migration of an environment, it is recommended that you refer to the Upgrade Guide first to get an overview, and, subsequently, refer to the Installation and Administration Guides for details on any specific topics.

Gene_Howard wrote:

Good morning mario,

With moving objects between R12 environments, you should be using Xpsexport and Xpsexport. Smobjexport and Smobjmport are really there for legacy transitions from R6 environments.
You question on keys is a little confusing what are you trying to accomplish?

Usually when moving objects between environments it would be from DEV to UAT to PROD type of situation. Usually these three environments would have their own unique key stores for that environment.

If you are trying to do SSO between environments than use the two environments would either have to share a keystore or you would have to export the keys and import the keys to enable SSO.

Any time you are moving keys between environments I always do them separately so the information can be easily verified.

Hope this helps

Gene

Hi masvi,

I beg to differ on what you have mentioned in your post.

You have mentioned that smobjexport exports all the objects from the policy store and XPSExport also does the same <Afaik>

I personally have worked on the development of XPSImport/XPSExport tools. The behaviour is not the same what you have mentioned in your post.

smobjexport exports all the objects from the policy store, thats true. It also creates a CFG file where the configuration of existing policy store is written, If you want your new policy store should be exactly the same as existing one, don't change that cfg file, but f you want to change policies under your new enviornment, you need to modify the cfg file and keep that file while importing it thru smobjimport.

Now you have mentioned that you should use XPSExport when you have XPS store in place.  <Slightly Wrong Here>

Lets take the example of R12 sp3 only.

I would say that if you don't have any objects in your XPS store i.e. you are not using any EPM or XPS Object in your enviornment, then you are not always required to use XPSExport. Even if you expot it through SmObjExpot, it should be fine.

One more thing

SmObjExport exports all the objects from the policy store, but in case of XPSExport, only the root objects are exported. what i mean by this is, the objects which are referred in some other objects only a link to those will be exported (Not the whole Object).

For e.g. If you are exporting an Agent through XPSExport, it will not export the AgentTypes and AgentTypeAttr, only a link or reference to these object will be mentioned in XML file.

But if you will export an Agent from smobjexport, it wil export all the objects including Agent / AgentTypes/AgentTypeAttr.

I hope it make some sence to you here.

Best

Sandeep Khurana

We're running Siteminder 12.52.    There is no SmObjExport   or smobjexport command to use anymore..   One must use XPSExport as far as I know.