Migrating a complex CA SiteMinder® environment involves many component upgrades before the environment is upgraded. A migration strategy is critical so that the migration is completed efficiently and without exposing sensitive resources to security risks or downtime.
A migration strategy can consist of the following:
Perform a test migration to become familiar with the process. A test migration can help you identify, troubleshoot, and avoid issues that can bring down mission-critical resources when you migrate a production environment.
Determine if 12.52 SP1 supports your current third-party products and hardware.
Note: For a list of supported CA and third-party components, refer to the CA SiteMinder® 12.52 SP1 Platform Support Matrix on the Technical Support site.
Determine the current state of your CA SiteMinder® environment and when it is the best time to update each component.
List the individual CA SiteMinder® components that you plan on upgrading and identify where each component is being hosted.
Back up your existing components in the case you experience problems during the migration.
Determine the individual component upgrade paths supported by a migration.
Develop an understanding of mixed mode support.
Develop a strategy to performance test the environment when the migration is complete.
The Policy Server Release Notes includes installation and upgrade considerations. We recommend that you review this material before beginning a migration.
Analyze your CA SiteMinder® environment to determine the complexity of your migration. Consider the following questions:
Question |
Recommendation |
---|---|
How many Policy Server and Agents running in your environment? |
Use the Policy Server audit logs to determine the number. |
What are the versions of the Policy Server and Agents? |
Use the Policy Server audit logs to determine the versions. |
Which Policy Servers are communicating with which Web Agents? |
Use the Policy Server audit logs to determine this information. |
What time of day do you encounter the least traffic at each site? |
Review your web server logs and the Policy Server audit logs. |
Are your Web Agents working in failover or round robin mode? |
To maintain failover and round robin, refer to Mixed CA SiteMinder® Environments. |
Are you using single sign–on across the CA SiteMinder® environment? |
See this guide for more information about maintaining single sign–on. |
Are you using credential collectors for authentication schemes? |
See the Web Agent Configuration Guide for more information about using credential collectors in a mixed environment. |
Does 12.52 SP1 support your third–party hardware and software? |
See the CA SiteMinder® 12.52 SP1 Platform Support Matrix on the Technical Support Site. |
Do you have CA SiteMinder® software that Professional Services customized? |
Contact Customer Support for instructions. |
Do you have access to previous versions of CA SiteMinder® documentation? This guide refers to the previous CA SiteMinder® documentation. |
Locate the CA SiteMinder® documentation on the Technical Support Site. |
Do you have any customized files that can be overwritten by the upgrade? |
Back up customized files before beginning the migration. |
The following figure shows CA SiteMinder® components to consider before upgrading:
Implement a recovery plan that lets you recover your original configuration. You cannot revert from a component upgrade or a migration.
Important! The most complete recovery plan is to back up entire image of each Policy Server and Web Agent host. We recommend this method.
If you do not want to back up the entire image of each system, complete the following steps:
If you intend to manage Agents centrally from an 12.52 SP1 Policy Server, give the Agent configuration file to the Policy Server administrator. The Administrator needs this file to create an Agent Configuration Object.
Note: For more information about managing Web Agents centrally, see the Policy Server Configuration Guide.
Exporting the policy store in clear–text provides you with a record of encrypted information, such as shared secrets. You can use this information to troubleshoot problems. If your key store resides in the policy store, use the -k option with the smobjexport utility. This option includes keys with the exported information.
As you migrate to 12.52 SP1, your environment can contain a combination of CA SiteMinder® components at different versions. In addition, you do not have to upgrade all of your components to 12.52 SP1. You can leave some components at the current version. Consider the following items:
Mixed–mode support lets an 12.52 SP1 Policy Server communicate with an r6.x or an r12.x policy store during a migration. When you upgrade a Policy Server, the Policy Server installer detects that policy store version.
If the policy store is operating at a previous version, the installer upgrades the Policy Server and enables mixed (compatibility) mode. You cannot disable mixed–mode support.
The Policy Server Management Console lets you see what policy store version the 12.52 SP1 Policy Server is using.
Follow these steps:
Note: The policy store version is also listed. The policy store version does not match the Policy Server version.
Consider the following items when migrating from r6.x to 12.52 SP1:
The following figure details r6.x mixed–mode support:
Limitations of a 6.x Mixed Environment
An 12.52 SP1 Policy Server can communicate with an r6.x policy store, but an r6.x Policy Server cannot connect to an 12.52 SP1 policy store. As a result, all existing r6.x features are available in a mixed environment, but the features specific to r12.x and 12.52 SP1 are not available.
Note: For more information about features in r12.x and 12.52 SP1, see the release notes.
Consider the following items when migrating from r12.0 SP1 or r12.0 SP2 to 12.52 SP1:
The following figure details mixed–mode support:
Limitations of an r12.x Mixed Environment
An 12.52 SP1 Policy Server can communicate with an r12.x policy store, but an r12.x Policy Server cannot connect to an 12.52 SP1 policy store. As a result, all existing r12.x features are available in a mixed environment, but the features specific to 12.52 SP1 are not available.
Note: For more information about features in 12.52 SP1, see the release notes.
Copyright © 2014 CA.
All rights reserved.
|
|