Installation and Upgrade Guides › SiteMinder Upgrade Guide › Upgrading from SiteMinder r12.x › Migration Considerations › Administrative UI Upgrade Options

Administrative UI Upgrade Options

Consider the following upgrade options:

• If you deployed the r12.x Administrative UI to an existing application server infrastructure, you cannot upgrade the Administrative UI to r12.5.
  1. Uninstall the r12.x version of the Administrative UI.
  2. Install an application server that SiteMinder supports.
  3. Install a new r12.5 Administrative UI.

  Note: For more information about installing the Administrative UI, see the Policy Server Installation Guide.

• If you deployed the r12.x Administrative UI using the embedded version of JBoss, run the r12.5 Administrative UI prerequisite installer and the Administrative UI installer to upgrade the Administrative UI.

  Note: For more information about upgrading an Administrative UI, review How to Migrate from r12.x.

Administrative UI Protection with SiteMinder

You can protect an r12.5 Administrative UI with SiteMinder. Protecting the Administrative UI requires that you complete the following steps:

1. Configure an agent to work with a reverse proxy server.

   Note: For more information about configuring a reverse proxy server, see the Web Agent Configuration Guide.

2. Configure an external administrator store. You enable SiteMinder authentication when you configure the store.

   Note: For more information about configuring an external administrator store, see the Policy Server Configuration Guide.

If you have configured an r12.x Administrative UI with an external administrator store and you want to enable SiteMinder authentication, complete the following steps:

1. Configure an agent to work with a reverse proxy server.
2. Reconfigure the external administrator store with the required agent settings.

Important! The Administrative UI does not retain the settings when you reconfigure the store. Before you reconfigure the connection, we recommend that you view the connection and record the settings.

Single Sign–on

You can maintain single sign–on during the migration to r12.5. Consider the following items:

• An r12.5 Policy Server can communicate with an r12.x policy store and an r12.x key store.
• An r12.5 Policy Server can communicate with an r12.x session store.

Certificate Data Management

The certificate data store is replacing the SiteMinder key database (smkeydatabase). If you have one or more smkeydatabases deployed in your environment, consider the following items:

• The certificate data store is collocated with the r12.5 policy store. A single certificate data store replaces the need for an individual smkeydatabase instance on each Policy Server host system.
• As part of a Policy Server upgrade, all smkeydatabase content is automatically backed up and migrated to the certificate data store.
• A r12.5 Policy Server can only communicate with a certificate data store. A r12.5 Policy Server and the respective local smkeydatabase do not operate in compatibility mode. However, all Policy Servers that have not been upgraded continue to communicate with their local version of the smkeydatabase.

  Important! If the migration of the smkeydatabase fails, do not return the Policy Server to the environment. Returning the Policy Server after a failed migration causes all transactions that require the certificate data to fail.

• Synchronize all smkeydatabase instances before beginning the migration. Synchronizing all instances helps avoid data collisions. Data collisions prevent a successful migration.
• All Policy Servers that share a common view into the same policy store have access to the same keys, certificates, and certificate revocation lists (CRL).
• The purpose of the certificate data store remains unchanged from the purpose of the smkeydatabase. This store makes the following available to the SiteMinder environment:
  • Certificate authority (CA) certificates
  • Public and private keys
  • Certificate revocation lists
• You can continue to use the SiteMinder key tool to manage the certificate data store. However, several options are deprecated.

  Note: For more information, see the Policy Server Release Notes.

• If a CRL is stored in an LDAP directory service, consider the following items:
  • SiteMinder no longer requires that the issuer of the CRL is the same CA that issued the corresponding root certificate.
  • SiteMinder no longer performs this check. This behavior is consistent with the requirements for a text–based CRL.

More information:

Synchronize Key Database Instances

Deprecated SiteMinder Key Tool Options

Federation Integration

All Federation Security Services functionality available in an r12.x FSS Administrative UI has been moved to the Administrative UI. If you were managing a federated environment, this functionality is referred to as legacy federation.

The Administrative UI also includes partnership federation. This functionality is specific to the partnership–based federation that Federation Manager makes available.

Avoid Policy Store Corruption

To avoid possible policy store corruption, be sure that the server that is hosting policy store is configured to store objects in UTF-8 form.

Note: For more information about configuring your server to store objects in UTF-8 form, see your vendor–specific documentation.

Advanced Password Services

If you have deployed Advanced Password Services, a Policy Server upgrade retains all LANG (translation), CFG (configuration), and mail files. The default r12.5 versions of the files are installed to siteminder_home\samples.

siteminder_home

Specifies the Policy Server installation path.