Before you install the Policy Server, the Administrative UI, and the Report Server, make sure that you are using a supported operating system and third-party software.
Version 12.52 of the Session Linker is the appropriate version to use in conjunction with the 12.52 SP1 version of the Policy Server.
In addition to the CA SiteMinder® Upgrade Guide, CA Support Online includes valuable upgrade information. For more information, see the CA 12.52 SP1 Upgrade Information page.
To install and configure a CA SiteMinder® component to a non-English directory, set the system to the same locale as the directory. Also, make sure that you installed the required language packages so the system can display and users can type localized characters in the installer screens.
For the details on how to set locale and required language packages, refer to respective operating system documents.
To type local characters in international language versions of CA SiteMinder® installation and configuration programs in GUI mode, install fonts for that language on your operating environment.
For the RedHat Linux operating environment, download the packages shown in this document.
Symptom:
You are doing a console mode installation of a CA SiteMinder® product on a Solaris platform. The following error message displays: "Unable to install the Java Virtual Machine included with this installer."
Solution:
Ignore this error message. The error is a third-party issue and it has no functional impact.
If you are using Internet Explorer (IE) 9 to view the Administrative UI, run the Administrative UI in compatibility mode to submit the forms.
The following tables identify the installation executables for the following CA SiteMinder® components:
Note: Information appears by platform. For more information about supported operating systems, see the 12.52 SP1 CA SiteMinder® Platform Support Matrix on the Technical Support site.
Documentation
The CA SiteMinder® bookshelf is available on the Support site. The bookshelf does not require an installer. For more information, see Locate the Bookshelf.
Policy Server
Platform |
Installation Executable |
---|---|
Linux |
ca-ps-12.5-cr-linux.bin |
Solaris |
ca-ps-12.5-cr-sol.bin |
Windows |
ca-ps-12.5-cr-win32.exe |
Specifies the cumulative release number. The base 12.52 SP1 release does not include a cumulative release number.
Important! If you are running this wizard on Windows Server 2008, run the executable file with administrator permissions. Use these permissions even if you are logged in to the system as an administrator. For more information, see the release notes for your CA SiteMinder® component.
Administrative UI
Platform |
Installation Executable |
---|---|
Linux |
|
Solaris |
|
Windows |
|
Specifies the cumulative release number. The base 12.52 SP1 release does not include a cumulative release number.
Important! If you are running this wizard on Windows Server 2008, run the executable file with administrator permissions. Use these permissions even if you are logged in to the system as an administrator. For more information, see the release notes for your CA SiteMinder® component.
Report Server
Platform |
Installation Executable |
---|---|
Linux |
|
Solaris |
|
Windows |
|
Specifies the cumulative release number. The base 12.52 SP1 release does not include a cumulative release number.
Important! If you are running this wizard on Windows Server 2008, run the executable file with administrator permissions. Use these permissions even if you are logged in to the system as an administrator. For more information, see the release notes for your CA SiteMinder® component.
If you are upgrading to 12.52 SP1, the Password Services forms credential collector can present a password change message that users are not familiar with. If the following criteria are met, Active Directory users receive the password reuse message:
Note: For more information, see the Policy Server Configuration Guide.
This message states that a password change failed because an old password cannot be reused as new.
You can customize the password reuse message using the FCC properties template (smpwservicesUS–EN.properties). The template is located in web_agent_home\samples\forms.
Specifies the web agent installation path.
If Password Services is customized to send authentication failure messages based on CA SiteMinder® authentication reason codes, we recommend that you verify that your implementation handles all password message values (PasswordMsg) that the CA SiteMinder® SDK defines.
Password Services error handling is enhanced to:
This enhancement can result in users receiving messages that they are unfamiliar with.
If you are upgrading to 12.52 SP1 and a CRL is stored in an LDAP directory service, consider the following items:
If you are using key tool options in automated scripts, consider that the following options are deprecated:
This option is not being replaced and does not work with the accessLegacyKS argument. If a script uses this option:
Note: If a script also attempts to verify that a smkeydatabase was created successfully, the script fails. A smkeydatabase directory does not exist in an 12.52 SP1 Policy Server installation.
This option is deprecated. The removeAllCertificateData replaces this option. If a script uses the deleteDB option:
This option is not being replaced. If a script uses this option:
In previous releases, you used the smobjimport utility to import an upgrade CA SiteMinder® data interchange format (smdif) file. Importing an upgrade file, instead of the smpolicy file (smpolicy.smdif), prevented existing default objects that were modified from being overwritten.
This release no longer requires an upgrade file. You use the XPSInstall utility to import the smpolicy.xml file. When you import this file as part of an upgrade, it does not overwrite existing default objects that were modified.
Note: For more information about upgrading a policy store, see the CA SiteMinder® Upgrade Guide.
The format of certificates that are stored in the 12.52 SP1 policy store is different from certificates that are stored in Policy Server r12.5 GA and Policy Server r12.5 CR.
Therefore, export certificates that were imported into the Policy Store before CA SiteMinder® r12.5 CR2 before you upgrade and then reimport them.
Follow these steps:
If your Policy Server and policy store are operating in mixed-mode during an upgrade to 12.52 SP1, the following error message appears when you start the Policy Server:
[8114/21][Fri Oct 15 2010 09:10:26][CA.XPS:LDAP0014][ERROR] Error occurred during "Modify" for xpsParameter=CA.XPS::$PolicyStoreID,ou=XPS,ou=policysvr4,ou=siteminder,ou=netegrity,dc=PSRoot",text: Object class violation
[8114/21][Fri Oct 15 2010 09:10:26][CA.XPS:XPSIO024][ERROR] Save Policy Store ID failed.
This message is expected behavior and does not affect the CA SiteMinder® environment.
This message occurs because the r6.x policy store is not upgraded. Part of the upgrade process includes importing the policy store data definitions. The error appears in the CA SiteMinder® Policy Server log because the data definitions are not available in the policy store.
Configuring an LDAP user directory connection over SSL requires that you configure CA SiteMinder® to use your certificate database files.
The Policy Server requires that the certificate database files be in the Netscape cert8.db file format. Use the Mozilla Network Security Services (NSS) certutil application installed with the Policy Server to convert existing cert7.db certificate database files to cert8.db format.
Note: The following procedure details the specific options and arguments to complete the task. For a complete list of the NSS utility options and arguments, refer to the Mozilla documentation on the NSS project page.
Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command-line window with administrator permissions. Open the command-line window this way, even if your account has administrator privileges.
To convert the certificate database file
Example: C:\Program Files\CA\SiteMinder\bin
Note: Windows has a native certutil utility. Verify that you are working from the Policy Server bin directory, or you can inadvertently run the Windows certutil utility.
certutil -L -d certificate_database_directory [-p prefix_name] -X
Specifies the directory that contains the certificate database files to convert.
(Optional) Specifies any prefix used when creating the existing cert7.db file (for example, my_cert7.db).
Certutil converts the existing cert7.db file to cert8.db format.
Consider the following limitations before installing the Policy Server on a system with a non–English operating system:
To set the locale for the System or other service accounts, see the Microsoft documentation.
The Policy Server and Web Agent installations include a CA ETPKI library.
For Windows operating environments, if a CA ETPKI library exists on the machine to which you are installing the Policy Server or Web Agent, the installer upgrades the existing ETPKI library to the version shipped with the component. The CA ETPKI library remains in its current location.
For UNIX operating environments, the installer will install the CA ETPKI library to the installation_location/ETPKI directory, even if another CA ETPKI library exists elsewhere on the UNIX file system.
Valid on Windows
Symptom:
If a Policy Server and Web Agent are installed to the same host system, after you upgrade the Policy Server, the IIS web server fails to start and an error is logged in the Event Viewer.
Solution:
Upgrade the Web Agent. The IIS web server starts after you upgrade the Web Agent.
During a Policy Server upgrade, the installer creates new versions of certain files. The installer creates the following files in the policy_server_home/config directory:
The installer creates the following files in the policy_server_home/properties directory:
These 12.52 SP1 files use the .new extension: For example, the JVMOptions.txt file from the previous version remains untouched. The installer creates an 12.52 SP1 version of the JVMOptions.txt file that is named JVMOPtions.new.
If the original file included customized settings, be sure to modify the .new file with your customized settings. Rename the .new file with the extension from the original file.
For example, if you had custom settings in your JVMOptions.txt file, copy those changes to JVMOptions.txt.new. Rename the JVMOptions.txt.new to JVMOptions.txt.
When attempting to connect a SiteMinder Policy Server on Red Hat or Solaris to a Microsoft SQL Server 2008 database, you should correctly define the paths to the TraceFile, TraceDll and InstallDir parameters specified in the [ODBC] section of the system_odbc.ini file. Failure to do so may result in connectivity errors.
When installing the Policy Server, the CA Report Server, and the Administrative UI, you are asked to specify passwords for various components. Consider the following:
Policy Server
When entering password information, do not use the following characters as they are reserved or restricted:
CA Report Server
When entering password information, do not use the following characters as they are reserved or restricted:
Administrative UI
When entering password information, do not use the following characters as they are reserved or restricted:
If you are using multiple DSAs to function as a policy store, ensure that host information of the router DSA is listed first in the Policy Server Management Console. If you do not list the router DSA host information first, an error occurs when you attempt to install the policy store data definitions.
Note: For more information on configuring CA Directory Server as a policy store, refer to the Policy Server Installation Guide.
Consider the following before upgrading a Policy Sever to 12.52 SP1:
Note: The default location of the XPSAudit event handler library is policy_server_home\bin.
Specifies the Policy Server installation path.
The path to the event handler library is saved. The Event Handlers field appears disabled.
Note: By default, the only event handler library that appears in the Advanced tab is XPSAudit.dll.
Note: More information on using the XPSConfig utility to set event handler libraries exists in the Policy Server Administration Guide.
It is required that the MDAC versions installed on the client and server sides are compatible.
Note: More information exists in the Microsoft MDAC documentation.
LDAP directories using multi-master technology may be used as CA SiteMinder® policy stores. The following configuration is recommended when configuring an LDAP policy store in multi-master mode:
This master does not need to be the same as the master used for Administration. However, we recommend that you use the same master store for both keys and administration. In this configuration, all key store nodes should point to the master rather than a replica.
Note: If you use a master for key storage other than the master for administration, then all key stores must use the same key store value. No key store should be configured to function as both a policy store and a key store.
Due to possible synchronization issues, other configurations may cause inconsistent results, such as policy store corruption or Agent keys that are out of sync.
Contact CA SiteMinder® Support for assistance with other configurations.
The multi–mastered LDAP enhancement has the following limitations:
To ensure interoperability if you use multiple products, such as CA IdentityMinder and CA SiteMinder® Web Services Security check the Platform Support Matrices for the required releases of each product. The platform matrices exist on the Technical Support site.
This release includes an updated snmptrap.conf file. Before installation, back up and save the original snmptrap.conf file, located in siteminder_installation\config.
The following considerations apply to supported Windows operating environments:
Symptom:
A Data Execution Prevention (DEP) error can prevent the Policy Server from installing on Windows 2008 SP2.
Solution:
To configure DEP for essential programs and services
The System Properties dialog appears.
The Advanced tab opens.
The Performance Options dialog appears.
A message prompts you to restart the system.
Note: After you have successfully installed the Policy Server, you can revert the DEP settings for all programs and services.
For Windows Server 2008, the User Account Control feature helps prevent unauthorized changes to your system. When the User Account Control feature is enabled on the Windows Server 2008 operating environment, prerequisite steps are required before doing any of the following tasks with a CA SiteMinder® component:
Note: For more information about which CA SiteMinder® components support Windows Server 2008, see the CA SiteMinder® Platform Support matrix.
To run CA SiteMinder® installation or configuration wizards on a Windows Server 2008 system
The User Account Control dialog appears and prompts you for permission.
The wizard starts.
To access the CA SiteMinder® Policy Server Management Console on a Windows Server 2008 system
The User Account Control dialog appears and prompts you for permission.
The Policy Server Management Console opens.
To run CA SiteMinder® command–line tools or utilities on a Windows Server 2008 system
Cmd
The User Account Control dialog appears and prompts you for permission.
A command window with elevated privileges appears. The title bar text begins with Administrator:
If you are deploying CA SiteMinder® components on Windows 2008 SP2, we recommend installing and managing the components with the same user account. For example, if you use a domain account to install a component, use the same domain account to manage it. Failure to use the same user account to install and manage a CA SiteMinder® component can result in unexpected behavior.
The following considerations apply to Solaris.
The Policy Server and Web Agent are certified for global and non-global zones.
Note: More information on Solaris 10 support exists in the Policy Server Installation Guide.
Network connectivity errors appear in the smps log when gethostbyname() is called. These errors appear even though the directories are available on the network. This was a Solaris issue, which according to Sun bug ID 4353836, has been resolved.
Sun lists the following patches for Solaris 9:
Solaris 9
Symptom:
If your license file is older than January 2005, the Policy Server may experience problems reading the license file after an upgrade. You may receive a message stating that a valid end-user license cannot be found.
Solution:
Contact Technical Support, and request a new license file.
The Policy Server Installation Guide contains the system requirements required to install the Report Server. SAP BusinessObjects Enterprise provides additional patch specifications. Before installing the Report Server:
Specifies the location to which you copied the installation media.
Use this resource for Solaris 9 and 10 patch requirements only. This document also provides supported operating system and hardware requirements that CA SiteMinder® does not support. For supported operating systems, see the CA SiteMinder® 12.52 SP1 Platform Support Matrix. For system requirements, see the Policy Server Installation Guide.
The following considerations apply to Red Hat Enterprise Linux AS and ES.
A Policy Server installed on Red Hat AS requires the Korn shell. If you do not install a Korn shell on Red Hat AS, you cannot execute the commands that control the Policy Server from a command line, such as start-all and stop-all.
The following features are not supported by the Policy Server on Red Hat AS:
To use Apache 2.0 Web Server and ServletExec 5.0 on Red Hat AS
The ServletExec AS Java instance is created.
mod_servletexec2.c
Note: The directives are also present in the httpd.conf file of your Apache 1.3.x if you allowed the ServletExec installer to update the httpd.conf during installation. For more information on editing the httpd.conf file, refer to the New Atlanta Communication ServletExec documentation.
/servlet/TestServlet
The Policy Server Installation Guide contains the system requirements required to install the Report Server. SAP BusinessObjects Enterprise provides additional patch specifications. Before installing the Report Server:
Specifies the location to which you copied the installation media.
Use this resource for Red Hat 5 requirements only. This document also provides supported operating system and hardware requirements that CA SiteMinder® does not support. For supported operating systems, see the CA SiteMinder® 12.52 SP1 Platform Support Matrix. For system requirements, see the Policy Server Installation Guide.
Copyright © 2014 CA.
All rights reserved.
|
|