How to Plan a Migration

Web Services Security Guides › CA SiteMinder® Web Services Security Upgrade Guide › Planning Migration and Upgrades › How to Plan a Migration

How to Plan a Migration

Migrating a complex CA SiteMinder® environment involves many component upgrades before the environment is upgraded. A migration strategy is critical so that the migration is completed efficiently and without exposing sensitive resources to security risks or downtime.

A migration strategy can consist of the following:

A test environment
Perform a test migration to become familiar with the process. A test migration can help you identify, troubleshoot, and avoid issues that can bring down mission-critical resources when you migrate a production environment.
Current third-party products and hardware
Determine if 12.52 supports your current third-party products and hardware.

Note: For a list of supported CA and third-party components, refer to the CA SiteMinder® 12.52 Platform Support Matrix on the Technical Support site.
A site analysis
Determine the current state of your CA SiteMinder® environment and when it is the best time to update each component.
CA SiteMinder® Components
List the individual CA SiteMinder® components that you plan on upgrading and identify where each component is being hosted.
A recovery plan
Back up your existing components in the case you experience problems during the migration.
Upgrade paths
Determine the individual component upgrade paths supported by a migration.
Mixed–mode support
Develop an understanding of mixed mode support.
Performance testing
Develop a strategy to performance test the environment when the migration is complete.

Review the Policy Server Release Notes

The Policy Server Release Notes includes installation and upgrade considerations. We recommend that you review this material before beginning a migration.

More information:

Installation and Upgrade Considerations

Analyze Your CA SiteMinder® Web Services Security Environment

Analyze your CA SiteMinder® Web Services Security environment to determine the complexity of your upgrade. Do this by answering the following questions:

Question	Recommendation
How many Policy Servers and SOA Agents are in your environment?	Use the Policy Server audit logs to determine the number.
What are the versions of the Policy Server and SOA Agents?	Use the Policy Server audit logs to determine the versions.
Which Policy Servers are communicating with which SOA Agents?	Use the Policy Server audit logs to determine this information.
What time of day do you encounter the least traffic at each site?	Review your web and application server logs and the Policy Server audit logs.
Are your SOA Agents working in failover or round robin mode?	To maintain failover and round robin, refer to Mixed CA SiteMinder® Environments.
Does CA SiteMinder® Web Services Security12.52 support your third–party hardware and software?	Go to the Technical Support site and search for the CA SiteMinder® Platform Matrix for 12.52.
Do you have CA SiteMinder® software customized by Professional Services?	Contact Customer Support for instructions.
Do you have access to previous versions of the CA SiteMinder® Web Services Security user documentation? This guide refers to the previous CA SiteMinder® documentation.	Locate the CA SiteMinder® documentation on the Technical Support Site.
Do you have any customized files that may be overwritten by the upgrade?	Back up customized files, such as Host configuration files before upgrading.

More information:

Locate the Platform Support Matrix

Locate the Bookshelf

Plan a Recovery Strategy

Implement a recovery plan that lets you return to your original configuration. You cannot revert from a component upgrade or migration.

Important! The most complete recovery plan is to back up the entire image of each Policy Server and SOA Agent host. We recommend this method.

If you do not want to back up the entire image of each system, do the following:

Back up all SOA Agent and Policy Server binaries. Most of these files are in the bin subdirectory where you installed the Policy Server and SOA Agent.
Back up the SOA Agent configuration file
If you intend to manage Agents centrally from a 12.52 Policy Server, you need to supply the Agent configuration file to the Policy Server administrator. The Administrator will need this file to create an Agent Configuration Object, which defines the Agent’s configuration at the Policy Server.

Note: More information about centrally managing SOA Agents exists in the CA SiteMinder® Web Services Security Policy Configuration Guide.
Export the policy store to a file using the XPSExport utility.
Copy the r12.1 SP3 installation scripts and hot fixes so that you can re-install if necessary. You can download copies from the Technical Support site.

More information:

Locate the Installation Media

Determine the Upgrade Path

The following table lists the supported upgrade paths for a migration to 12.52:

CA SOA Security Manager Policy Server r12.1 SP3 to CA SiteMinder® 12.52 Policy Server
Note: The CA SOA Security Manager r12.1.SP3 Policy Server is an extended version of the SiteMinder r12.0 SP3 Policy Server. The CA SiteMinder® 12.52 Policy Server includes all the SOA Security Manager extensions.
CA SOA Security Manager r12.1 SP3 SOA Agents to SiteMinder WSS Agents 12.52
CA SOA Security Manager r12.1 SP3 Administrative UI to CA SiteMinder® 12.52 Administrative UI
Note: The CA SOA Security Manager r12.1.SP3 Administrative UI is an extended version of the SiteMinder r12.0 SP3 Policy Server. The CA SiteMinder® 12.52 Administrative UI includes all the SOA Security Manager extensions.

Mixed Environments

As you migrate to CA SiteMinder® Web Services Security 12.52, your environment can contain a combination of components at different versions. In addition, you do not have to upgrade all of your components to 12.52. You can leave some components at the current version. Consider the following:

If your environment contains CA SOA Security Manager r12.1 SP3 components, CA SiteMinder® 12.52 Policy Servers can continue to communicate with r12.1 SP3 policy stores.
If you have a mix of Policy Server versions, users can continue to access resources and have the same experience using SOA Agents r12.1 SP3 or SiteMinder WSS Agents 12.52
A mixed environment can support single sign-on.

Use Mixed-Mode Support

Mixed-mode support lets a CA SiteMinder® 12.52 Policy Server communicate with a CA SOA Security Manager r12.1 SP3 policy store during a migration. When you upgrade a Policy Server, the Policy Server installer detects that policy store version. If the policy store is operating at a previous version, the installer upgrades the Policy Server and enables mixed (compatibility) mode.

Note: You cannot turn mixed-mode off.

The Policy Server Management Console lets you see what policy store version the 12.52 Policy Server is using.

Note: The CA SOA Security Manager r12.1.SP3 Policy Server is an extended version of the SiteMinder r12.0 SP3 Policy Server. The CA SiteMinder® 12.52 Policy Server includes all the SOA Security Manager extensions. The Management Console identifies SiteMinder rather than CA SiteMinder® Web Services Security Policy Server and Policy Store version numbers.

To identify the policy store version

Start the Policy Server Management Console.
Click the Data tab.
Select Help, About.
The About the Policy Server Management Console screen appears. The Policy Server version is listed.

Note: The policy store version is also listed. The policy store version does not match the Policy Server version.

SOA Security Manager r12.1 SP3 Mixed Mode Support

Consider the following when migrating from r12.1to 12.52:

A SOA Security Manager r12.1 SP3 Policy Server cannot communicate with a CA SiteMinder® 12.52 policy store.
A CA SiteMinder® 12.52 Policy Server can communicate with a SOA Security Manager r12.1 SP3 policy store.
A SOA Security Manager r12.1 SP3 Policy Server can share the same key store with an CA SiteMinder® 12.52 Policy Server.
A SOA Security Manager r12.1 SP3 Policy Server can share the same session store with a CA SiteMinder® 12.52 Policy Server.
A SOA Security Manager r12.1 SP3 SOA Agent can communicate with a CA SiteMinder® 12.52 Policy Server.

The following illustration details mixed mode support:

Diagram showing mixed-mode-support

Limitations of an r12.1 SP3 Mixed Environment

A CA SiteMinder® 12.52 Policy Server can communicate with a CA SOA Security Manager r12.1 SP3 policy store, but a CA SOA Security Manager r12.1 SP3 Policy Server cannot connect to a CA SiteMinder® 12.52 policy store. As a result, all existing SOA Security Manager r12.1 SP3 features are available in a mixed environment, but the features specific to 12.52 are not available.

Note: For more information about features in 12.52, see the release notes.