How to Migrate from r12.x

Installation and Upgrade Guides › SiteMinder Upgrade Guide › Upgrading from r12.x › How to Migrate from r12.x

How to Migrate from r12.x

Complete the following procedures to migrate from r12.x to 12.52:

Review the installation and upgrade considerations in the Policy Server Release Notes.
(Optional) If your environment includes multiple instances of smkeydatabase, synchronize all instances. Part of the Policy Server upgrade includes migrating all content in the smkeydatabase to the certificate data store.
Review the sections in Before You Upgrade the Policy Server.
Upgrade an r12.x Policy Server to 12.52.
Upgrade an r12.x Web Agent to 12.52.
Upgrade the remaining r12.x Policy Servers and Web Agents to 12.52, respectively.
Upgrade the r12.x policy and key stores to 12.52.
Upgrade the r12.x Administrative UI.
If required, use the Administrative UI to save existing reports locally and remove the r12.x Report Server and report database from the environment. The simplest path to an 12.52 reporting environment is to install and configure a new Report Server and report database.

More information:

Installation and Upgrade Considerations

More information:

CA SiteMinder® Key Tool

Synchronize Key Database Instances

Synchronize all smkeydatabase instances before beginning the migration to a new version.

Note: Use the smkeytool utility to synchronize the smkeydatabases and resolve all data inconsistencies between smkeydatabase instances. For more information about the smkeytool utility, see the Policy Server Administration Guide.

Previous versions of CA SiteMinder® used a local smkeydatabase to store certificate data. Each Policy Server required its own smkeydatabase. For version 12.52, a centralized certificate data store replaces the local smkeydatabases.

As part of a Policy Server upgrade, the installer automatically backs up the local smkeydatabase and tries to migrate all content to the certificate data store. This process includes a comparison of both stores before starting the migration.

Important! If the migration of the smkeydatabase fails, do not return the Policy Server to the environment. Returning the Policy Server after a failed migration causes all transactions that require the certificate data to fail.

Use the following guidelines to identify and resolve data consistencies among your smkeydatabases:

Verify that each certificate‑authority certificate references certificate revocation lists consistently across instances.
Example: A certificate‑authority certificate consistently references certificate revocation lists in an LDAP directory service.
Verify that the defaultentpriseprivatekey alias represents the same private key/certificate pair in all instances.
Verify that the same alias maps to the same certificate or key/certificate pair.
Verify that the same certificate‑authority certificates map to the same certificate revocation lists.
Verify that a revoked or expired certificate is not present.
Verify that all CRL information is valid.

Important! After you resolve all data inconsistencies, we recommended that you do not modify a smkeydatabase until all migrations are complete.

Upgrade an r12.x Policy Server

The following sections detail how to upgrade an r12.x Policy Server on Windows and UNIX.

Before You Upgrade

Before you upgrade a Policy Server, consider the following items:

(Optional) If the environment contains multiple smkeydatabase instances, be sure to synchronize all content. Synchronizing resolves data inconsistencies that can prevent the Policy Server installer from automatically migrating content to the certificate data store.
You upgrade the Policy Server using the installation media on the Technical Support site.
Note: For a list of installation media names, see the Policy Server Release Notes.
(Linux) Be sure that the required Linux libraries are installed to the Policy Server host system. For more information, see Required Linux Libraries.
Remove the Policy Server from the environment. Removing the Policy Server prevents CA SiteMinder® Agents from contacting the Policy Server during the upgrade.
Shut down all instances of the Policy Server Management Console.
(UNIX) The user account upgrading the Policy Server must have executable permissions on the directory that contains the installation media. If the user account does not have these permissions, run the following command:
```
chmod +x installation_media
```
installation_media

Specifies the Policy Server installation executable.
(UNIX) If you execute the Policy Server across different subnets, it can crash. Run the Policy Server installer directly on the host system.
(UNIX) Upgrade the Policy Server using an account with at least the same permissions as the user who installed the Policy Server. For example, if a root user installed the Policy Server, upgrade the Policy Sever using a root user.
The CA SiteMinder® documentation is not installed with the Policy Server. We recommend that you locate the documentation before you upgrade.

More information:

Locate the Installation Media

Installation Media Names

Required Linux Libraries

Certain library files are required for components operating on Linux operating environments. Failure to install the correct libraries can cause the following error:

java.lang.UnsatisfiedLinkError

If you are installing, configuring, or upgrading a Linux version of this component, the following libraries are required on the host system:

Red Hat 5.x:

compat–gcc-34-c++-3.4.6-patch_version.I386

libstdc++-4.x.x-x.el5.i686.rpm

Red Hat 6.x:

libstdc++-4.x.x-x.el6.i686.rpm

Additionally, for Red Hat 6.x (64-bit):

Note: All the RPM packages that are required for 64-bit Red Hat 6.x are 32-bit packages.

libXau-1.0.5-1.el6.i686.rpm

libxcb-1.5-1.el6.i686.rpm

compat-db42-4.2.52-15.el6.i686.rpm

compat-db43-4.3.29-15.el6.i686.rpm

libX11-1.3-2.el6.i686.rpm

libXrender-0.9.5-1.el6.i686.rpm

libexpat.so.1 (provided by expat-2.0.1-11.el6_2.i686.rpm)

libfreetype.so.6 (provided by freetype-2.3.11-6.el6_2.9.i686.rpm)

libfontconfig.so.1 (provided by fontconfig-2.8.0-3.el6.i686.rpm)

libICE-1.0.6-1.el6.i686.rpm

libuuid-2.17.2-12.7.el6.i686.rpm

libSM-1.1.0-7.1.el6.i686.rpm

libXext-1.1-3.el6.i686.rpm

compat-libstdc++-33-3.2.3-69.el6.i686.rpm

compat-db-4.6.21-15.el6.i686.rpm

libXi-1.3-3.el6.i686.rpm

libXtst-1.0.99.2-3.el6.i686.rpm

libXft-2.1.13-4.1.el6.i686.rpm

libXt-1.0.7-1.el6.i686.rpm

libXp-1.0.0-15.1.el6.i686.rpm

Disable XML Signature Wrapping Checks Before a Policy Server Upgrade

SAML 2.0 artifact transactions fail in CA SiteMinder® federation (legacy or partnership) deployments after you upgrade the Policy Server at the Service Provider.

The following conditions result in failed transactions:

CA SiteMinder® federation is deployed is at the Service Provider site.
SAML 2.0 HTTP-Artifact SSO is configured.
Signature verification at the Service Provider is configured for the assertion or the artifact resolve response.
The Policy Server setting that prevents XML signature wrapping attacks is enabled.

When the Policy Server tries to verify that the signature of the artifact response, the SSO transaction fails.

To prevent artifact SSO from failing, temporarily turn off the signature vulnerability check. Disable the check after you upgrade the Policy Server at the Service Provider site but before you put the Policy Server into service.

Follow these steps:

Navigate to the xsw.properties file. Locate the file in the following directory:
siteminder_install_dir\config\properties\xsw.properties

siteminder_install_dir is the location where you installed the Policy Server.
Open the file in a text editor, and set the DisableXSWCheck to true (DisableXSWCheck=true). Setting the value to true disables the vulnerability check.
After the entire deployment is at version 12.52, and the Policy Server is running, return the DisableXSWCheck setting to false (DisableXSWCheck=false). Setting the value to false enables the signature vulnerability check.