Complete the following procedures to migrate from r12.x to 12.52:
Synchronize all smkeydatabase instances before beginning the migration to a new version.
Note: Use the smkeytool utility to synchronize the smkeydatabases and resolve all data inconsistencies between smkeydatabase instances. For more information about the smkeytool utility, see the Policy Server Administration Guide.
Previous versions of CA SiteMinder® used a local smkeydatabase to store certificate data. Each Policy Server required its own smkeydatabase. For version 12.52, a centralized certificate data store replaces the local smkeydatabases.
As part of a Policy Server upgrade, the installer automatically backs up the local smkeydatabase and tries to migrate all content to the certificate data store. This process includes a comparison of both stores before starting the migration.
Important! If the migration of the smkeydatabase fails, do not return the Policy Server to the environment. Returning the Policy Server after a failed migration causes all transactions that require the certificate data to fail.
Use the following guidelines to identify and resolve data consistencies among your smkeydatabases:
Example: A certificate‑authority certificate consistently references certificate revocation lists in an LDAP directory service.
Important! After you resolve all data inconsistencies, we recommended that you do not modify a smkeydatabase until all migrations are complete.
The following sections detail how to upgrade an r12.1 SP3 Policy Server on Windows and UNIX.
Before you upgrade a Policy Server, consider the following items:
Note: For a list of installation media names, see the Policy Server Release Notes.
chmod +x installation_media
Specifies the Policy Server installation executable.
Certain library files are required for components operating on Linux operating environments. Failure to install the correct libraries can cause the following error:
java.lang.UnsatisfiedLinkError
If you are installing, configuring, or upgrading a Linux version of this component, the following libraries are required on the host system:
compat–gcc-34-c++-3.4.6-patch_version.I386
libstdc++-4.x.x-x.el5.i686.rpm
libstdc++-4.x.x-x.el6.i686.rpm
Note: All the RPM packages that are required for 64-bit Red Hat 6.x are 32-bit packages.
libXau-1.0.5-1.el6.i686.rpm
libxcb-1.5-1.el6.i686.rpm
compat-db42-4.2.52-15.el6.i686.rpm
compat-db43-4.3.29-15.el6.i686.rpm
libX11-1.3-2.el6.i686.rpm
libXrender-0.9.5-1.el6.i686.rpm
libexpat.so.1 (provided by expat-2.0.1-11.el6_2.i686.rpm)
libfreetype.so.6 (provided by freetype-2.3.11-6.el6_2.9.i686.rpm)
libfontconfig.so.1 (provided by fontconfig-2.8.0-3.el6.i686.rpm)
libICE-1.0.6-1.el6.i686.rpm
libuuid-2.17.2-12.7.el6.i686.rpm
libSM-1.1.0-7.1.el6.i686.rpm
libXext-1.1-3.el6.i686.rpm
compat-libstdc++-33-3.2.3-69.el6.i686.rpm
compat-db-4.6.21-15.el6.i686.rpm
libXi-1.3-3.el6.i686.rpm
libXtst-1.0.99.2-3.el6.i686.rpm
libXft-2.1.13-4.1.el6.i686.rpm
libXt-1.0.7-1.el6.i686.rpm
libXp-1.0.0-15.1.el6.i686.rpm
The ksh Korn shell is required during Policy Server installation and upgrade on Linux platforms. Verify that the appropriate version for your Linux environment is installed.
Red Hat 5.x 32-bit
ksh-20100621-12.el5.i386.rpm
ksh-20100621-12.el5.x86_64.rpm
ksh-20100621-16.el6.i686.rpm
ksh-20100621-16.el6.x86_64.rpm
Follow these steps:
Specifies the name of the Policy Server installation executable.
The Policy Server installer starts.
Note: For a list of installation media names, see the Policy Server Release Notes.
Important! If the migration of the smkeydatabase fails, do not return the Policy Server to the environment. Returning the Policy Server after a failed migration causes all transactions that require the certificate data to fail.
The Policy Server is upgraded. The selected components are configured for use with the Policy Server.
Follow these steps:
../ca_ps_env.ksh
Note: Be sure that there is a space between the periods.
./installation_media
Specifies the name of the Policy Server installer executable.
The Policy Server installer starts.
Note: For a list of installation media names, see the Policy Server Release Notes.
Important! If the migration of the smkeydatabase fails, do not return the Policy Server to the environment. Returning the Policy Server after a failed migration causes all transactions that require the certificate data to fail.
The Policy Server is upgraded. The selected components are configured for use with the Policy Server.
../ca_ps_env.ksh
Note: Be sure that there is a space between the periods.
Follow these steps:
../ca_ps_env.ksh
Note: Be sure that there is a space between the periods.
./installation_media -i console
Specifies the name of the Policy Server installer executable.
The Policy Server installer starts.
Note: For a list of installation media names, see the Policy Server Release Notes.
The installer prompts you to select CA SiteMinder® components. Each component is prefixed with a number. Type numbers separated with a comma (,) to select one or more components. Enter only a comma to select none of the features.
Important! If the migration of the smkeydatabase fails, do not return the Policy Server to the environment. Returning the Policy Server after a failed migration causes all transactions that require the certificate data to fail.
The Policy Server is upgraded. The selected components are configured for use with the Policy Server.
../ca_ps_env.ksh
Note: Be sure that there is a space between the periods.
Your Policy Server operating system determines whether recompiling custom server–side code is required. Use the following table to identify the requirement:
Operating System |
Required? |
---|---|
Microsoft Windows and UNIX |
No. Recompiling the custom code is optional. |
Red Hat Linux |
Yes. Upgrade the SDK and recompile the custom code using GCC 3.4. |
If you experience problems during the upgrade:
Specifies the Policy Server installation path.
Note: A Policy Server upgrade and a smkeydatabase migration are separate processes. If the smkeydatabase migration fails, the Policy Server upgrade does not fail.
Upgrading the r12.1 SP3 SOA Agents in the environment to 12.52 WSS Agents is the second step in the migration process. You can upgrade the SOA Agents in your environment in any order.
Note: CA SiteMinder® Web Services Security r12.1 SP3 SOA Agents can communicate with a 12.52 Policy Server. Therefore, you can upgrade your Policy Server to 12.52 before upgrading SOA agents while continuing to protect resources.
Prepare for upgrading a SOA Agent using the following process:
Verify the Policy Server is Configured
Before you upgrade the SOA Agent:
Identify the Required Administrator and Policy Server Object Names
Before upgrading the SOA Agent, you need the following information from the Policy Server administrator.
Identify WSS Agent Requirements
For more information about patches and other WSS Agent requirements, see the respective WSS Agent Guide.
Replace Existing Read-only Files
When you upgrade a SOA Agent, you may see messages asking whether you want to replace read-only files. Select Yes to all.
Use the 12.52 WSS Agent installer to upgrade a web agent.
Note: For more information about upgrading a SOA agent, see the respective WSS Agent Guide.
Complete the following procedures to upgrade an r12.1 SP3 policy store to 12.52:
Stopping all of the Policy Servers that are communicating with the policy store helps to prevent policy store corruption during the upgrade.
Follow these steps:
install_path/siteminder/stop-all
Specifies the Policy Server installation path.
Importing the policy store data definitions defines the types of objects that can be created and stored in the policy store.
Follow these steps:
Specifies the Policy Server installation path.
XPSDDInstall SmMaster.xdd
Imports the required data definitions.
Importing the default policy store objects configures the policy store for use with the Administrative UI and the Policy Server.
Consider the following items:
Specifies the Policy Server installation path.
Follow these steps:
XPSImport smpolicy.xml -npass
XPSImport smpolicy-secure.xml -npass
Note: You use either file to configure a new policy store and upgrade an existing store. When imported as part of an upgrade, the file does not overwrite existing default objects that were modified. Both files include the default policy store objects. These objects include the default security settings in the default Agent Configuration Object (ACO) templates. The secure file provides more restrictive security settings.
Specifies that no passphrase is required. The default policy store objects do not contain encrypted data.
The default policy store objects are imported.
If you configured policy objects related to generating SAML assertions using the FSS Administrative UI, run the XPS sweeper utility (XPSSweeper) to complete the migration of these objects.
Follow these steps:
XPSSweeper
All legacy federation created using the FSS Administrative UI are available in the Administrative UI.
Starting all Policy Servers resumes communication between all of the Policy Servers and the upgraded policy store.
Follow these steps:
install_path/siteminder/start-all
Specifies the Policy Server installation path.
The policy store is upgraded.
Complete the following procedures to upgrade an r12.1 SP3 Administrative UI to 12.52 on Windows and UNIX.
Consider the following items before you upgrade the Administrative UI:
Note: For a list of installation media names, see the Policy Server Release Notes.
The installation zip contains a layout.properties file at the same level as the installation media. If you moved the installation media after extracting the installation zip, move the properties file to the same location or the installation fails.
chmod -R+x directory
Specifies the directory that contains the installation media.
Certain library files are required for components operating on Linux operating environments. Failure to install the correct libraries can cause the following error:
java.lang.UnsatisfiedLinkError
If you are installing, configuring, or upgrading a Linux version of this component, the following libraries are required on the host system:
compat–gcc-34-c++-3.4.6-patch_version.I386
libstdc++-4.x.x-x.el5.i686.rpm
libstdc++-4.x.x-x.el6.i686.rpm
Note: All the RPM packages that are required for 64-bit Red Hat 6.x are 32-bit packages.
libXau-1.0.5-1.el6.i686.rpm
libxcb-1.5-1.el6.i686.rpm
compat-db42-4.2.52-15.el6.i686.rpm
compat-db43-4.3.29-15.el6.i686.rpm
libX11-1.3-2.el6.i686.rpm
libXrender-0.9.5-1.el6.i686.rpm
libexpat.so.1 (provided by expat-2.0.1-11.el6_2.i686.rpm)
libfreetype.so.6 (provided by freetype-2.3.11-6.el6_2.9.i686.rpm)
libfontconfig.so.1 (provided by fontconfig-2.8.0-3.el6.i686.rpm)
libICE-1.0.6-1.el6.i686.rpm
libuuid-2.17.2-12.7.el6.i686.rpm
libSM-1.1.0-7.1.el6.i686.rpm
libXext-1.1-3.el6.i686.rpm
compat-libstdc++-33-3.2.3-69.el6.i686.rpm
compat-db-4.6.21-15.el6.i686.rpm
libXi-1.3-3.el6.i686.rpm
libXtst-1.0.99.2-3.el6.i686.rpm
libXft-2.1.13-4.1.el6.i686.rpm
libXt-1.0.7-1.el6.i686.rpm
libXp-1.0.0-15.1.el6.i686.rpm
Be sure that you extracted the prerequisite installer executable into the same directory that you extracted the Administrative UI installer. The installers must be in the same location so that the layout.properties file, included with the Administrative UI installation zip, is co-located with both executables.
If you move the prerequisite or Administrative UI installation media after extracting the zips, move the executables and the layout.properties file to the same location. Both executables and the layout.properties file must be co-located or the stand-alone installation fails.
Upgrading the Administrative UI requires that you run a prerequisite installer and the Administrative UI installer.
Follow these steps:
Note: For more information about stopping the application server, see the r12.x Policy Server Installation Guide.
adminui-pre-req-version-cr-win32.exe
ca-adminui-version-cr-win32.exe
The Administrative UI is upgraded.
Be sure that you extracted the prerequisite installer executable into the same directory that you extracted the Administrative UI installer. The installers must be in the same location so that the layout.properties file, included with the Administrative UI installation zip, is co-located with both executables.
If you move the prerequisite or Administrative UI installation media after extracting the zips, move the executables and the layout.properties file to the same location. Both executables and the layout.properties file must be co-located or the stand-alone installation fails.
You can upgrade the Administrative UI in GUI or console mode.
Follow these steps:
Note: For more information about stopping the application server, see the r12.x Policy Server Installation Guide.
adminui-pre-req-version-cr-linux.bin adminui-pre-req-version-cr-sol.bin
./prerequisite_installation_media
./prerequisite_installation_media -i console
ca-adminui-version-cr-linux.bin
ca-adminui-version-cr-sol.bin
GUI Mode
./installation_media
./installation_media -i console
Note: For more information about starting the application server, see the 12.52 Policy Server Installation Guide.
The Administrative UI is upgraded.
Be sure that you extracted the prerequisite installer executable into the same directory that you extracted the Administrative UI installer. The installers must be in the same location so that the layout.properties file, included with the Administrative UI installation zip, is co-located with both executables.
If you move the prerequisite or Administrative UI installation media after extracting the zips, move the executables and the layout.properties file to the same location. Both executables and the layout.properties file must be co-located or the stand-alone installation fails.
Upgrading the Administrative UI requires that you run a prerequisite installer and the Administrative UI installer.
Follow these steps:
Note: For more information about stopping the application server, see the r12.x Policy Server Installation Guide.
adminui-pre-req-version-cr-linux.bin adminui-pre-req-version-cr-sol.bin
./prerequisite_installation_media -i console
ca-adminui-version-cr-linux.bin ca-adminui-version-cr-sol.bin
./installation_media -i console
Note: For more information about starting the application server, see the 12.52 Policy Server Installation Guide.
The Administrative UI is upgraded.
Copyright © 2013 CA.
All rights reserved.
|
|