Before upgrading, verify that no two existing partnerships of the same protocol have the same incoming backchannel username.
That is, no two SAML 2.0 partnerships can share an incoming backchannel username. Similarly, no two SAML 1.0 partnerships can share an incoming backchannel username. A SAML 1.0 and a SAML 2.0 partnership can share an incoming backchannel username but it is not recommended.
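One way to run this check before the upgrade, as an added example that is not part of the product documentation: the function flags same-protocol duplicates and warns on names shared across protocols. The CSV inventory format and the partnership and user names in the sample are assumptions; the page does not describe an export format.

```shell
#!/bin/sh
# Added example. Assumed input: CSV lines of
#   protocol,partnership,incoming_backchannel_username
# read from the file in $1 (or stdin). Returns 1 if two partnerships of the
# same protocol share a name, 0 otherwise.
check_backchannel_usernames() {
    rc=0
    findings=$(awk -F, '
        NR == 1 && $1 == "protocol" { next }   # header row
        NF < 3 || $3 == ""          { next }   # no incoming backchannel user
        {
            k = $1 SUBSEP $3
            if (!(k in count)) protos[$3]++    # first use of the name in this protocol
            count[k]++
            names[k] = (count[k] > 1) ? (names[k] ", " $2) : $2
        }
        END {
            bad = 0
            for (k in count) if (count[k] > 1) {
                split(k, part, SUBSEP)
                printf "CONFLICT %s %s: %s\n", part[1], part[2], names[k]
                bad = 1
            }
            for (u in protos) if (protos[u] > 1)
                printf "WARN %s: shared across protocols (not recommended)\n", u
            exit bad
        }' "${1:--}") || rc=$?
    [ -z "$findings" ] || printf '%s\n' "$findings" | sort
    return "$rc"
}

# Constructed inventory; partnership and user names are hypothetical.
demo_inventory() {
    cat <<'EOF'
protocol,partnership,incoming_backchannel_username
SAML2.0,sp-payroll,bcuser1
SAML2.0,sp-travel,bcuser1
SAML1.0,consumer-hr,bcuser1
SAML2.0,sp-crm,bcuser2
EOF
}

# With a file argument, check that file.
if [ "$#" -ge 1 ]; then check_backchannel_usernames "$1"; fi
```

A `CONFLICT` line must be resolved before the upgrade; a `WARN` line is permitted but not recommended.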
If you do have partnerships of the same protocol that share an incoming backchannel username, do the following steps before you upgrade:
Follow these steps:
Specifies the name of the Policy Server installation executable.
The Policy Server installer starts.
Note: For a list of installation media names, see the Policy Server Release Notes.
Important! If the migration of the smkeydatabase fails, do not return the Policy Server to the environment. Returning the Policy Server after a failed migration causes all transactions that require the certificate data to fail.
The Policy Server is upgraded. The selected components are configured for use with the Policy Server.
Follow these steps:
. ./ca_ps_env.ksh
Note: Be sure that there is a space between the periods.
./installation_media
Specifies the name of the Policy Server installer executable.
The Policy Server installer starts.
Note: For a list of installation media names, see the Policy Server Release Notes.
Important! If the migration of the smkeydatabase fails, do not return the Policy Server to the environment. Returning the Policy Server after a failed migration causes all transactions that require the certificate data to fail.
The Policy Server is upgraded. The selected components are configured for use with the Policy Server.
. ./ca_ps_env.ksh
Note: Be sure that there is a space between the periods.
Follow these steps:
. ./ca_ps_env.ksh
Note: Be sure that there is a space between the periods.
./installation_media -i console
Specifies the name of the Policy Server installer executable.
The Policy Server installer starts.
Note: For a list of installation media names, see the Policy Server Release Notes.
The installer prompts you to select CA SiteMinder® components. Each component is prefixed with a number. Type numbers separated with a comma (,) to select one or more components. Enter only a comma to select none of the features.
Important! If the migration of the smkeydatabase fails, do not return the Policy Server to the environment. Returning the Policy Server after a failed migration causes all transactions that require the certificate data to fail.
The Policy Server is upgraded. The selected components are configured for use with the Policy Server.
. ./ca_ps_env.ksh
Note: Be sure that there is a space between the periods.
During a Policy Server upgrade, the existing JVMOptions.txt file is renamed to JVMOptions.txt.backup. A new JVMOptions.txt file is created.
If the original file included customized parameters, be sure to modify the newly created file to include these customized parameters.
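An added example (not part of the product documentation) that compares JVMOptions.txt.backup with the newly created JVMOptions.txt and lists the entries to carry over. It assumes one option per line; the option values in the demo are constructed.

```shell
#!/bin/sh
# Added example. Assumes one JVM option per line in both files.
# Prints options from the pre-upgrade file that the new file lacks:
#   MISSING  option is absent from the new file
#   CHANGED  same option name, different value in the new file
jvm_options_to_restore() {
    backup=$1
    current=$2
    if [ ! -r "$backup" ] || [ ! -r "$current" ]; then
        echo "usage: jvm_options_to_restore JVMOptions.txt.backup JVMOptions.txt" >&2
        return 2
    fi
    awk '
        function key(s,   i) { i = index(s, "="); return i ? substr(s, 1, i - 1) : s }
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # tolerate CRLF and padding
        $0 == "" { next }
        FILENAME == ARGV[1] { line[$0] = 1; bykey[key($0)] = $0; next }
        ($0 in line) { next }                             # carried over unchanged
        {
            k = key($0)
            if (k in bykey) {
                printf "CHANGED\t%s\t(new file has: %s)\n", $0, bykey[k]
            } else {
                printf "MISSING\t%s\n", $0
            }
        }
    ' "$current" "$backup"
}

# Constructed sample files for a dry run (values are illustrative only).
demo_jvm_options() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-Xrs' '-Xmx512m' '-Dfile.encoding=UTF-8' > "$d/JVMOptions.txt.backup"
    printf '%s\n' '-Xrs' '-Dfile.encoding=ISO-8859-1' > "$d/JVMOptions.txt"
    jvm_options_to_restore "$d/JVMOptions.txt.backup" "$d/JVMOptions.txt"
    rm -rf "$d"
}

# With two arguments, compare real files.
if [ "$#" -eq 2 ]; then jvm_options_to_restore "$1" "$2"; fi
```

Review each `CHANGED` line by hand: the value in the new file may be one the upgrade set deliberately.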
Your Policy Server operating system determines whether recompiling custom server–side code is required. Use the following table to identify the requirement:
Operating System | Required? |
---|---|
Microsoft Windows and UNIX | No. Recompiling the custom code is optional. |
Red Hat Linux | Yes. Upgrade the SDK and recompile the custom code using GCC 3.4. |
If you experience problems during the upgrade:
Specifies the Policy Server installation path.
Note: A Policy Server upgrade and a smkeydatabase migration are separate processes. If the smkeydatabase migration fails, the Policy Server upgrade does not fail.
Upgrading Web Agents is the second step in the migration process.
CA SiteMinder® r12.x Web Agents can communicate with a 12.52 Policy Server. Therefore, upgrade a Policy Server to r12.5 before upgrading a Web Agent to 12.52.
Before you upgrade Web Agents:
Ensure the Policy Server is Configured
Before you upgrade the Web Agent:
Identify the Required Administrator and Policy Server Object Names
Before upgrading the Web Agent, you need the following information from the Policy Server administrator.
Identify the Web Agent Requirements
For more information about patches and other Web Agent requirements, see the Web Agent Installation Guide.
Use the 12.52 web agent installer to upgrade a web agent.
Note: For more information about upgrading a web agent, see the Web Agent Installation Guide. For more information about installing the 12.52 Web Agent Option Pack, see the Web Agent Option Pack Guide.
Specifies the web agent installation path.
To determine if you are required to recompile your custom agent, use the following table:
Agent Type | Required? |
---|---|
CA SiteMinder® agent | Operating system–specific. If the agent operating system has reached end–of–life, you must recompile the custom agent. Upgrade the CA SiteMinder® SDK and recompile the agent on a supported operating system. |
Third–party agent | Vendor–specific. Contact your third–party vendor to determine whether the agent is supported. |
Complete the following procedures to upgrade an r12.x policy store to 12.52:
Stopping all of the Policy Servers that are communicating with the policy store helps to prevent policy store corruption during the upgrade.
Follow these steps:
install_path/siteminder/stop-all
Specifies the Policy Server installation path.
Importing the policy store data definitions defines the types of objects that can be created and stored in the policy store.
Follow these steps:
Specifies the Policy Server installation path.
XPSDDInstall SmMaster.xdd
Imports the required data definitions.
Importing the default policy store objects configures the policy store for use with the Administrative UI and the Policy Server.
Consider the following items:
Specifies the Policy Server installation path.
Follow these steps:
XPSImport smpolicy.xml -npass
XPSImport smpolicy-secure.xml -npass
Note: You use either file to configure a new policy store and upgrade an existing store. When imported as part of an upgrade, the file does not overwrite existing default objects that were modified. Both files include the default policy store objects. These objects include the default security settings in the default Agent Configuration Object (ACO) templates. The secure file provides more restrictive security settings.
Specifies that no passphrase is required. The default policy store objects do not contain encrypted data.
The default policy store objects are imported.
If you managed your Federation Security Services (legacy federation) objects using the FSS Administrative UI, run the XPS sweeper utility (XPSSweeper) to complete the migration of these objects.
Follow these steps:
XPSSweeper
All legacy federation objects created using the FSS Administrative UI are available in the Administrative UI.
Starting all Policy Servers resumes communication between all of the Policy Servers and the upgraded policy store.
Follow these steps:
install_path/siteminder/start-all
Specifies the Policy Server installation path.
The policy store is upgraded.
The following sections detail how to upgrade the Administrative UI on Windows and UNIX.
Consider the following items before you upgrade the Administrative UI:
Note: For a list of installation media names, see the Policy Server Release Notes.
chmod -R +x directory
Specifies the directory that contains the installation media.
Certain library files are required for components operating on Linux operating environments. Failure to install the correct libraries can cause the following error:
java.lang.UnsatisfiedLinkError
If you are installing, configuring, or upgrading a Linux version of this component, the following libraries are required on the host system:
compat-gcc-34-c++-3.4.6-patch_version.I386
libstdc++-4.x.x-x.el5.i686.rpm
libstdc++-4.x.x-x.el6.i686.rpm
Note: All the RPM packages that are required for 64-bit Red Hat 6.x are 32-bit packages.
libXau-1.0.5-1.el6.i686.rpm
libxcb-1.5-1.el6.i686.rpm
compat-db42-4.2.52-15.el6.i686.rpm
compat-db43-4.3.29-15.el6.i686.rpm
libX11-1.3-2.el6.i686.rpm
libXrender-0.9.5-1.el6.i686.rpm
libexpat.so.1 (provided by expat-2.0.1-11.el6_2.i686.rpm)
libfreetype.so.6 (provided by freetype-2.3.11-6.el6_2.9.i686.rpm)
libfontconfig.so.1 (provided by fontconfig-2.8.0-3.el6.i686.rpm)
libICE-1.0.6-1.el6.i686.rpm
libuuid-2.17.2-12.7.el6.i686.rpm
libSM-1.1.0-7.1.el6.i686.rpm
libXext-1.1-3.el6.i686.rpm
compat-libstdc++-33-3.2.3-69.el6.i686.rpm
compat-db-4.6.21-15.el6.i686.rpm
libXi-1.3-3.el6.i686.rpm
libXtst-1.0.99.2-3.el6.i686.rpm
libXft-2.1.13-4.1.el6.i686.rpm
libXt-1.0.7-1.el6.i686.rpm
libXp-1.0.0-15.1.el6.i686.rpm
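An added example, not from the product documentation, that checks a Red Hat 6.x host for the 32-bit packages listed above. The package names are the name portion of the el6 RPM file names on this page; a package present only as x86_64 is reported separately, because the page requires the 32-bit build even on 64-bit hosts.

```shell
#!/bin/sh
# Added example. Package names are taken from the el6 i686 RPM file names
# listed on this page (name portion only, without version and release).
REQUIRED_I686="libstdc++ libXau libxcb compat-db42 compat-db43 libX11
libXrender expat freetype fontconfig libICE libuuid libSM libXext
compat-libstdc++-33 compat-db libXi libXtst libXft libXt libXp"

# Reads "name.arch" lines on stdin, as produced by
#   rpm -qa --queryformat '%{NAME}.%{ARCH}\n'
# and prints every required package that has no i686 build installed.
missing_i686_libs() {
    installed=$(cat)
    for pkg in $REQUIRED_I686; do
        if ! printf '%s\n' "$installed" | grep -Fqx "$pkg.i686"; then
            if printf '%s\n' "$installed" | grep -Fqx "$pkg.x86_64"; then
                echo "$pkg: only the 64-bit build is installed"
            else
                echo "$pkg: not installed"
            fi
        fi
    done
}

# Query the live RPM database only when invoked with the argument "check".
if [ "${1:-}" = "check" ]; then
    rpm -qa --queryformat '%{NAME}.%{ARCH}\n' | missing_i686_libs
fi
```

Empty output means every listed package has a 32-bit build installed.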
Follow these steps:
Note: If you move the prerequisite or Administrative UI installation executables after extracting the zips, move the layout.properties file to the same location.
Note: For information about stopping and starting the embedded JBoss application server, see the r12.x Policy Server Installation Guide. For information about stopping an existing application server, see the vendor-specific documentation.
adminui-pre-req-version-cr-win32.exe
ca-adminui-version-cr-win32.exe
Note: The embedded JBoss application server automatically restarts after the installation is complete.
The Administrative UI is upgraded.
You can install the Administrative UI on UNIX platforms in GUI or Console mode.
Follow these steps:
Note: If you move the prerequisite or Administrative UI installation executables after extracting the zips, move the layout.properties file to the same location.
Note: For information about stopping and starting the embedded JBoss application server, see the r12.x Policy Server Installation Guide. For information about stopping an existing application server, see the vendor-specific documentation.
adminui-pre-req-version-cr-linux.bin
adminui-pre-req-version-cr-sol.bin
GUI Mode
./prerequisite_installation_media
Console Mode
./prerequisite_installation_media -i console
ca-adminui-version-cr-linux.bin
ca-adminui-version-cr-sol.bin
./installation_media
./installation_media -i console
Note: For information about stopping and starting the embedded JBoss application server, see the r12.x Policy Server Installation Guide. For information about stopping an existing application server, see the vendor-specific documentation.
The Administrative UI is upgraded.
If you are using a Report Server version that is previous to r12.0 SP3 CR4, the simplest path to the 12.52 reporting environment is to uninstall the installed version, and then install and configure the 12.52 reporting components.
If you are using a Report Server r12.0 SP3 CR4 or higher, an upgrade is not required. However, if you want localized reports, you require the 12.52 reporting templates. So, run the 12.52 version of the Report Server Configuration Wizard for the reporting templates.
The Report Server uses data in the policy store and the CA SiteMinder® audit database to compile policy analysis and audit–based reports. The report database contains no information that these reports require. As a result, a migration from an r12.x report database to a 12.52 report database is not necessary.
Complete the following process to install and configure the 12.52 reporting components:
Important! Existing reports are stored in the report database. If you require existing reports for historical purposes, use the Administrative UI to view the reports and export them to a temporary location. For more information about viewing reports, see the Policy Server Administration Guide.
Note: For more information, see the Policy Server Installation Guide.
Note: For more information, see the r12 SP2 Policy Server Installation Guide. Uninstalling the Report Server does not remove the tables in the report database. Access the report database and remove all tables manually.
Note: For more information, see the Policy Server Installation Guide.
Copyright © 2013 CA.
All rights reserved.