

How to Migrate from r12.x

Complete the following procedures to migrate from r12.x to 12.52:

  1. Review the installation and upgrade considerations in the Policy Server Release Notes.
  2. (Optional) If your environment includes multiple instances of smkeydatabase, synchronize all instances. Part of the Policy Server upgrade includes migrating all content in the smkeydatabase to the certificate data store.
  3. Review the sections in Before You Upgrade the Policy Server.
  4. Upgrade an r12.x Policy Server to 12.52.
  5. Upgrade an r12.x Web Agent to 12.52.
  6. Upgrade the remaining r12.x Policy Servers and Web Agents to 12.52, respectively.
  7. Upgrade the r12.x policy and key stores to 12.52.
  8. Upgrade the r12.x Administrative UI.
  9. If required, use the Administrative UI to save existing reports locally and remove the r12.x Report Server and report database from the environment. The simplest path to a 12.52 reporting environment is to install and configure a new Report Server and report database.

More information:

Installation and Upgrade Considerations

More information:

CA SiteMinder® Key Tool

Synchronize Key Database Instances

Synchronize all smkeydatabase instances before beginning the migration to a new version.

Note: Use the smkeytool utility to synchronize the smkeydatabases and resolve all data inconsistencies between smkeydatabase instances. For more information about the smkeytool utility, see the Policy Server Administration Guide.

Previous versions of CA SiteMinder® used a local smkeydatabase to store certificate data. Each Policy Server required its own smkeydatabase. For version 12.52, a centralized certificate data store replaces the local smkeydatabases.

As part of a Policy Server upgrade, the installer automatically backs up the local smkeydatabase and tries to migrate all content to the certificate data store. This process includes a comparison of both stores before starting the migration.

Important! If the migration of the smkeydatabase fails, do not return the Policy Server to the environment. Returning the Policy Server after a failed migration causes all transactions that require the certificate data to fail.

Use the following guidelines to identify and resolve data inconsistencies among your smkeydatabases:

Important! After you resolve all data inconsistencies, we recommend that you do not modify a smkeydatabase until all migrations are complete.

Upgrade an r12.x Policy Server

The following sections detail how to upgrade an r12.x Policy Server on Windows and UNIX.

Before You Upgrade

Before you upgrade a Policy Server, consider the following items:

More information:

Locate the Installation Media

Installation Media Names

Required Linux Libraries

Certain library files are required for components operating on Linux operating environments. Failure to install the correct libraries can cause the following error:

java.lang.UnsatisfiedLinkError 

If you are installing, configuring, or upgrading a Linux version of this component, the following libraries are required on the host system:

Red Hat 5.x:

compat-gcc-34-c++-3.4.6-patch_version.I386

libstdc++-4.x.x-x.el5.i686.rpm

Red Hat 6.x:

libstdc++-4.x.x-x.el6.i686.rpm

Additionally, for Red Hat 6.x (64-bit):

Note: All the RPM packages that are required for 64-bit Red Hat 6.x are 32-bit packages.

libXau-1.0.5-1.el6.i686.rpm

libxcb-1.5-1.el6.i686.rpm

compat-db42-4.2.52-15.el6.i686.rpm

compat-db43-4.3.29-15.el6.i686.rpm

libX11-1.3-2.el6.i686.rpm

libXrender-0.9.5-1.el6.i686.rpm

libexpat.so.1 (provided by expat-2.0.1-11.el6_2.i686.rpm)

libfreetype.so.6 (provided by freetype-2.3.11-6.el6_2.9.i686.rpm)

libfontconfig.so.1 (provided by fontconfig-2.8.0-3.el6.i686.rpm)

libICE-1.0.6-1.el6.i686.rpm

libuuid-2.17.2-12.7.el6.i686.rpm

libSM-1.1.0-7.1.el6.i686.rpm

libXext-1.1-3.el6.i686.rpm

compat-libstdc++-33-3.2.3-69.el6.i686.rpm

compat-db-4.6.21-15.el6.i686.rpm

libXi-1.3-3.el6.i686.rpm

libXtst-1.0.99.2-3.el6.i686.rpm

libXft-2.1.13-4.1.el6.i686.rpm

libXt-1.0.7-1.el6.i686.rpm

libXp-1.0.0-15.1.el6.i686.rpm

Disable XML Signature Wrapping Checks Before a Policy Server Upgrade

SAML 2.0 artifact transactions fail in CA SiteMinder® federation (legacy or partnership) deployments after you upgrade the Policy Server at the Service Provider.

The following conditions result in failed transactions:

When the Policy Server tries to verify the signature of the artifact response, the SSO transaction fails.

To prevent artifact SSO from failing, temporarily turn off the signature vulnerability check. Disable the check after you upgrade the Policy Server at the Service Provider site but before you put the Policy Server into service.

Follow these steps:

  1. Navigate to the xsw.properties file. Locate the file in the following directory:

    siteminder_install_dir\config\properties\xsw.properties

    siteminder_install_dir is the location where you installed the Policy Server.

  2. Open the file in a text editor, and set DisableXSWCheck to true (DisableXSWCheck=true). Setting the value to true disables the vulnerability check.
  3. After the entire deployment is at version 12.52, and the Policy Server is running, return the DisableXSWCheck setting to false (DisableXSWCheck=false). Setting the value to false enables the signature vulnerability check.
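
Because the procedure leaves the signature vulnerability check off until step 3 is done, it is worth confirming the final state of xsw.properties on every Policy Server. The script below is an added example, not part of the CA SiteMinder® product or its documentation; it assumes the file uses Java-properties syntax, and the function names (xsw_state, xsw_audit) and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether DisableXSWCheck is still true in xsw.properties.
# Assumption: Java-properties syntax (key=value or key:value, '#'/'!' comments,
# last assignment wins). How the Policy Server treats a missing key is not
# stated on this page, so anything other than an explicit "false" is flagged.

# Print disabled | enabled | invalid | unset | missing for one file.
xsw_state() {
    [ -f "$1" ] || { echo missing; return 0; }
    # Drop CRs from Windows line endings, then keep the last assignment.
    val=$(tr -d '\r' < "$1" | awk '
        /^[ \t]*[#!]/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (match(line, /^DisableXSWCheck[ \t]*[=:][ \t]*/)) {
                v = substr(line, RLENGTH + 1)
                sub(/[ \t]+$/, "", v)
                last = tolower(v)
            }
        }
        END { print last }')
    case "$val" in
        true)  echo disabled ;;
        false) echo enabled ;;
        "")    echo unset ;;
        *)     echo invalid ;;
    esac
}

# Print the state of each file; return 0 only if every one is "enabled".
xsw_audit() {
    rc=0
    for f in "$@"; do
        s=$(xsw_state "$f")
        printf '%s\t%s\n' "$s" "$f"
        [ "$s" = enabled ] || rc=1
    done
    return "$rc"
}

# Constructed sample files, not taken from a real installation.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '# upgrade window\r\nDisableXSWCheck=true\r\n' > "$demo_dir/ps1.properties"
printf 'DisableXSWCheck=true\n DisableXSWCheck = false \n' > "$demo_dir/ps2.properties"
xsw_audit "$demo_dir/ps1.properties" "$demo_dir/ps2.properties" ||
    echo "XSW signature check is not enabled on every Policy Server"
```

Run xsw_audit against each Policy Server's xsw.properties file once the deployment is at 12.52; a non-zero exit status means at least one server still needs step 3.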