Web Services Security Guides › CA SiteMinder® Web Services Security Upgrade Guide › Upgrading from CA SOA Security Manager r12.1 SP3 › Migration Considerations

Migration Considerations

Consider the following before beginning the migration.

Administrative UI Upgrade Options

Consider the following items:

• If you deployed the r12.1 SP3 Administrative UI to an existing application server infrastructure, you cannot upgrade the Administrative UI to 12.52.
  1. Uninstall the r12.1 SP3 version of the Administrative UI.
  2. Install an application server that CA SiteMinder® supports.
  3. Install a new 12.52 Administrative UI.

  Note: For more information about installing the Administrative UI, see the Policy Server Installation Guide.

• If you deployed the r12.1 SP3 Administrative UI using the embedded version of JBoss, run the 12.52 Administrative UI prerequisite installer and the Administrative UI installer to upgrade the Administrative UI.

  Note: For more information about upgrading an Administrative UI, see How to Migrate from r12.1 SP3.

Administrative UI Protection with SiteMinder

You can protect a 12.52 Administrative UI with CA SiteMinder®. Protecting the Administrative UI requires that you complete the following steps:

1. Configure an agent to work with a reverse proxy server.

   Note: For more information about configuring a reverse proxy server, see the Web Agent Configuration Guide.

2. Configure an external administrator store. You enable CA SiteMinder® authentication when you configure the store.

   Note: For more information about configuring an external administrator store, see the Policy Server Configuration Guide.

If you have configured an r12.1 SP3 Administrative UI with an external administrator store and you want to enable CA SiteMinder® authentication, complete the following steps:

1. Configure an agent to work with a reverse proxy server.
2. Reconfigure the external administrator store with the required agent settings.

Important! The Administrative UI does not retain the settings when you reconfigure the store. Before you reconfigure the connection, we recommend that you view the connection and record the settings.

Certificate Data Management

The certificate data store is replacing the CA SiteMinder® key database (smkeydatabase). If you have one or more smkeydatabases deployed in your environment, consider the following items:

• The certificate data store is collocated with the 12.52 policy store. A single certificate data store replaces the need for an individual smkeydatabase instance on each Policy Server host system.
• As part of a Policy Server upgrade, all smkeydatabase content is automatically backed up and migrated to the certificate data store.
• A 12.52 Policy Server can only communicate with a certificate data store. A 12.52 Policy Server and the respective local smkeydatabase do not operate in compatibility mode. However, all Policy Servers that have not been upgraded continue to communicate with their local version of the smkeydatabase.

  Important! If the migration of the smkeydatabase fails, do not return the Policy Server to the environment. Returning the Policy Server after a failed migration causes all transactions that require the certificate data to fail.

• Synchronize all smkeydatabase instances before beginning the migration. Synchronizing all instances helps avoid data collisions. Data collisions prevent a successful migration.
• All Policy Servers that share a common view into the same policy store have access to the same keys, certificates, and certificate revocation lists (CRL).
• The purpose of the certificate data store remains unchanged from the purpose of the smkeydatabase. This store makes the following available to the CA SiteMinder® environment:
  • Certificate authority (CA) certificates
  • Public and private keys
  • Certificate revocation lists
• You can continue to use the CA SiteMinder® key tool to manage the certificate data store. However, several options are deprecated.

  Note: For more information, see the Policy Server Release Notes.

• If a CRL is stored in an LDAP directory service, consider the following items:
  • CA SiteMinder® no longer requires that the issuer of the CRL is the same CA that issued the corresponding root certificate.
  • CA SiteMinder® no longer performs this check. This behavior is consistent with the requirements for a text–based CRL.

More information:

Synchronize Key Database Instances

Deprecated CA SiteMinder® Key Tool Options

Avoid Policy Store Corruption

To avoid possible policy store corruption, be sure that the server that is hosting policy store is configured to store objects in UTF-8 form.

Note: For more information about configuring your server to store objects in UTF-8 form, see your vendor–specific documentation.