The following sections detail how to upgrade an r12.x Policy Server on Windows and UNIX.
Before you upgrade a Policy Server, consider the following items:
chmod +x installation_media
Specifies the Policy Server installation executable.
Certain library files are required for components operating on Linux operating environments. Failure to install the correct libraries can cause the following error:
java.lang.UnsatisfiedLinkError
If you are installing, configuring, or upgrading a Linux version of this component, the following packages are required on the host system:
Additionally, for Red Hat 6.x (64-bit):
All the RPM packages that are required for 64-bit Red Hat 6.x are 32-bit packages.
SAML 2.0 artifact transactions fail in CA SiteMinder® federation (legacy or partnership) deployments after you upgrade the Policy Server at the Service Provider.
The following conditions result in failed transactions:
When the Policy Server tries to verify that the signature of the artifact response, the SSO transaction fails.
To prevent artifact SSO from failing, temporarily turn off the signature vulnerability check. Disable the check after you upgrade the Policy Server at the Service Provider site but before you put the Policy Server into service.
Follow these steps:
siteminder_install_dir\config\properties\xsw.properties
siteminder_install_dir is the location where you installed the Policy Server.
During an HTTP-Artifact single sign-on transaction, the asserting party returns the assertion to the relying party over a secured back channel. You can require an entity to authenticate to access the back channel. If you select Basic as the authentication method for the back channel, a user name is needed.
Before you upgrade, verify that each federated partnership within the same SAML profile uses a unique user name for the incoming back channel. No two SAML 2.0 or two SAML 1.x partnerships can share an incoming back channel user name.
Note: A SAML 1.x and a SAML 2.0 partnership can share an incoming back channel user name, but it is not recommended.
If there are partnerships of the same protocol that share an incoming back channel user name, do the following steps before you upgrade:
Follow these steps:
Specifies the name of the Policy Server installation executable.
Important! If the migration of the smkeydatabase fails, do not return the Policy Server to the environment. Returning the Policy Server after a failed migration causes all transactions that require the certificate data to fail.
The Policy Server is upgraded. The selected components are configured for use with the Policy Server.
Follow these steps:
../ca_ps_env.ksh
Note: Be sure that there is a space between the periods.
./installation_media
Specifies the name of the Policy Server installer executable.
Important! If the migration of the smkeydatabase fails, do not return the Policy Server to the environment. Returning the Policy Server after a failed migration causes all transactions that require the certificate data to fail.
The Policy Server is upgraded. The selected components are configured for use with the Policy Server.
../ca_ps_env.ksh
Note: Be sure that there is a space between the periods.
Follow these steps:
../ca_ps_env.ksh
Note: Be sure that there is a space between the periods.
./installation_media -i console
Specifies the name of the Policy Server installer executable.
The installer prompts you to select CA SiteMinder® components. Each component is prefixed with a number. Type numbers separated with a comma (,) to select one or more components. Enter only a comma to select none of the features.
Important! If the migration of the smkeydatabase fails, do not return the Policy Server to the environment. Returning the Policy Server after a failed migration causes all transactions that require the certificate data to fail.
The Policy Server is upgraded. The selected components are configured for use with the Policy Server.
../ca_ps_env.ksh
Note: Be sure that there is a space between the periods.
During a Policy Server upgrade, the existing JVMOptions.txt file is renamed to JVMOptions.txt.backup. A new JVMOptions.txt file is created.
If the original file included customized parameters, be sure to modify the newly created file to include these customized parameters.
For any Apache-based agents, add the SiteMinder/resources directory to the CLASSPATH in the JVMOptions.txt file, as shown in the following example:
-Djava.class.path=C:/Program Files (x86)/CA/siteminder/resources;
Your Policy Server operating system determines whether recompiling custom server–side code is required. Use the following table to identify the requirement:
Operating System |
Required? |
---|---|
Microsoft Windows and UNIX |
No. Recompiling the custom code is optional. |
Red Hat Linux |
Yes. Upgrade the SDK and recompile the custom code using GCC 3.4. |
If you experience problems during the upgrade:
Specifies the Policy Server installation path.
Note: A Policy Server upgrade and a smkeydatabase migration are separate processes. If the smkeydatabase migration fails, the Policy Server upgrade does not fail.
Copyright © 2014 CA.
All rights reserved.
|
|