Previous Topic: Synchronize Key Database InstancesNext Topic: Upgrade an r12.x Web Agent


Upgrade an r12.x Policy Server

The following sections detail how to upgrade an r12.x Policy Server on Windows and UNIX.

Before You Upgrade

Before you upgrade a Policy Server, consider the following items:

Required Linux Libraries

Certain library files are required for components operating on Linux operating environments. Failure to install the correct libraries can cause the following error:

java.lang.UnsatisfiedLinkError 

If you are installing, configuring, or upgrading a Linux version of this component, the following packages are required on the host system:

Red Hat 5.x:
Red Hat 6.x:

Additionally, for Red Hat 6.x (64-bit):

All the RPM packages that are required for 64-bit Red Hat 6.x are 32-bit packages.

Disable XML Signature Wrapping Checks Before a Policy Server Upgrade

SAML 2.0 artifact transactions fail in CA SiteMinder® federation (legacy or partnership) deployments after you upgrade the Policy Server at the Service Provider.

The following conditions result in failed transactions:

When the Policy Server tries to verify that the signature of the artifact response, the SSO transaction fails.

To prevent artifact SSO from failing, temporarily turn off the signature vulnerability check. Disable the check after you upgrade the Policy Server at the Service Provider site but before you put the Policy Server into service.

Follow these steps:

  1. Navigate to the xsw.properties file. Locate the file in the following directory:

    siteminder_install_dir\config\properties\xsw.properties

    siteminder_install_dir is the location where you installed the Policy Server.

  2. Open the file in a text editor, and set the DisableXSWCheck to true (DisableXSWCheck=true). Setting the value to true disables the vulnerability check.
  3. After the entire deployment is at version 12.52 SP1, and the Policy Server is running, return the DisableXSWCheck setting to false (DisableXSWCheck=false). Setting the value to false enables the signature vulnerability check.
Verify the Back Channel User Name is Unique for Each SAML Partnership

During an HTTP-Artifact single sign-on transaction, the asserting party returns the assertion to the relying party over a secured back channel. You can require an entity to authenticate to access the back channel. If you select Basic as the authentication method for the back channel, a user name is needed.

Before you upgrade, verify that each federated partnership within the same SAML profile uses a unique user name for the incoming back channel. No two SAML 2.0 or two SAML 1.x partnerships can share an incoming back channel user name.

Note: A SAML 1.x and a SAML 2.0 partnership can share an incoming back channel user name, but it is not recommended.

If there are partnerships of the same protocol that share an incoming back channel user name, do the following steps before you upgrade:

  1. Deactivate one of the partnerships.
  2. Change the back channel user name that is defined in that partnership.
  3. Inform the remote partner of the change.
  4. Reactivate the partnership.
Upgrade a Policy Server on Windows

Follow these steps:

  1. Exit all applications that are running.
  2. Navigate to the installation media.
  3. Double–click installation_media.
    installation_media

    Specifies the name of the Policy Server installation executable.

  4. Considering the following items when running the installer:
  5. Review the installation settings and click Install.

    The Policy Server is upgraded. The selected components are configured for use with the Policy Server.

More information:

Troubleshoot a Policy Server Upgrade

Installation Media Names

Upgrade a Policy Server Using a GUI on UNIX

Follow these steps:

  1. Exit all applications that are running.
  2. Execute the following script in a ksh shell from the CA SiteMinder® installation directory:
    ../ca_ps_env.ksh
    

    Note: Be sure that there is a space between the periods.

  3. Open a shell and navigate to the installation executable.
  4. Enter the following command:
    ./installation_media
    
    installation_media

    Specifies the name of the Policy Server installer executable.

  5. Considering the following items when running the installer:
  6. Review the installation settings and click Install.

    The Policy Server is upgraded. The selected components are configured for use with the Policy Server.

  7. Click Done.
  8. Execute the following script in a ksh shell from the CA SiteMinder® installation directory:
    ../ca_ps_env.ksh
    

    Note: Be sure that there is a space between the periods.

More information:

Troubleshoot a Policy Server Upgrade

Installation Media Names

Upgrade a Policy Server on UNIX Using a Console

Follow these steps:

  1. Exit all applications that are running.
  2. Execute the following script in a ksh shell from the CA SiteMinder® installation directory:
    ../ca_ps_env.ksh
    

    Note: Be sure that there is a space between the periods.

  3. Open a shell and navigate to the installation executable.
  4. Enter the following command:
    ./installation_media -i console
    
    installation_media

    Specifies the name of the Policy Server installer executable.

  5. Considering the following items when running the installer:

    The installer prompts you to select CA SiteMinder® components. Each component is prefixed with a number. Type numbers separated with a comma (,) to select one or more components. Enter only a comma to select none of the features.

  6. Review the installation settings and press Enter.

    The Policy Server is upgraded. The selected components are configured for use with the Policy Server.

  7. Click Done.
  8. Execute the following script in a ksh shell from the CA SiteMinder® installation directory:
    ../ca_ps_env.ksh
    

    Note: Be sure that there is a space between the periods.

More information:

Troubleshoot a Policy Server Upgrade

Installation Media Names

Modify a Customized JVMOptions File

During a Policy Server upgrade, the existing JVMOptions.txt file is renamed to JVMOptions.txt.backup. A new JVMOptions.txt file is created.

If the original file included customized parameters, be sure to modify the newly created file to include these customized parameters.

For any Apache-based agents, add the SiteMinder/resources directory to the CLASSPATH in the JVMOptions.txt file, as shown in the following example:

-Djava.class.path=C:/Program Files (x86)/CA/siteminder/resources;
Custom Server–Side Code Requirements

Your Policy Server operating system determines whether recompiling custom server–side code is required. Use the following table to identify the requirement:

Operating System

Required?

Microsoft Windows and UNIX

No. Recompiling the custom code is optional.

Red Hat Linux

Yes.

Upgrade the SDK and recompile the custom code using GCC 3.4.

Troubleshoot a Policy Server Upgrade

If you experience problems during the upgrade: