

Verify That Existing Federated SAML Partnerships Do Not Have the Same Backchannel Username

Before upgrading, verify that no two existing partnerships of the same protocol share an incoming backchannel username.

That is, no two SAML 2.0 partnerships can share an incoming backchannel username. Similarly, no two SAML 1.0 partnerships can share an incoming backchannel username. A SAML 1.0 and a SAML 2.0 partnership can share an incoming backchannel username but it is not recommended.

If you do have partnerships of the same protocol that share an incoming backchannel username, do the following steps before you upgrade:

  1. Deactivate one of the partnerships.
  2. Change the backchannel username that is defined in that partnership.
  3. Inform the remote partner of the change.
  4. Reactivate the partnership.
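
One way to run the check described above, as an added example that is not part of the product documentation. It assumes you have compiled a CSV inventory of partnerships yourself; the column layout, the partnership names and the exact (case-sensitive) comparison are assumptions, not a product export format.

```shell
#!/bin/sh
# Added example: find incoming backchannel usernames shared between partnerships.
# Hypothetical CSV columns: partnership,protocol,incoming_backchannel_username

# Constructed sample inventory (names and usernames are invented).
sample_inventory() {
cat <<'EOF'
partnership,protocol,incoming_backchannel_username
hr-portal,SAML2.0,svc_artifact
payroll-sp,SAML2.0,svc_artifact
legacy-crm,SAML1.0,svc_artifact
travel-sp,SAML2.0,travel_bc
benefits-sp,SAML1.0,
EOF
}

# Reads the CSV on stdin and prints one finding per line:
#   CONFLICT <protocol> <username> <partnerships>  same protocol: fix before upgrading
#   WARNING <username> <protocols>                 shared across protocols: not recommended
check_backchannel_usernames() {
    awk -F',' '
    { sub(/\r$/, "") }                       # tolerate CRLF exports
    NR == 1 || $3 == "" { next }             # skip header and rows with no username
    {
        key = $2 "\t" $3                     # protocol + username
        n[key]++
        names[key] = (n[key] > 1) ? (names[key] "," $1) : $1
        if (n[key] == 1) {                   # first time this protocol uses this name
            pc[$3]++
            protos[$3] = (pc[$3] > 1) ? (protos[$3] "," $2) : $2
        }
    }
    END {
        for (k in n) if (n[k] > 1) {
            split(k, p, "\t")
            print "CONFLICT", p[1], p[2], names[k]
        }
        for (u in pc) if (pc[u] > 1) print "WARNING", u, protos[u]
    }' | sort
}

sample_inventory | check_backchannel_usernames
```

Every CONFLICT line names the partnerships to take through the four steps above; a WARNING line is permitted by the upgrade but is the cross-protocol sharing that is not recommended.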
Upgrade a Policy Server on Windows

Follow these steps:

  1. Review Before You Upgrade.
  2. Exit all applications that are running.
  3. Navigate to the installation media.
  4. Double-click installation_media.
    installation_media

    Specifies the name of the Policy Server installation executable.

    The Policy Server installer starts.

    Note: For a list of installation media names, see the Policy Server Release Notes.

  5. Consider the following items when running the installer:
  6. Review the installation settings and click Install.

    The Policy Server is upgraded. The selected components are configured for use with the Policy Server.

More information:

Troubleshoot a Policy Server Upgrade

Installation Media Names

Upgrade a Policy Server Using a GUI on UNIX

Follow these steps:

  1. Review Before You Upgrade.
  2. Exit all applications that are running.
  3. Execute the following script in a ksh shell from the CA SiteMinder® installation directory:
    . ./ca_ps_env.ksh
    

    Note: Be sure that there is a space between the periods.

  4. Open a shell and navigate to the installation executable.
  5. Enter the following command:
    ./installation_media
    
    installation_media

    Specifies the name of the Policy Server installer executable.

    The Policy Server installer starts.

    Note: For a list of installation media names, see the Policy Server Release Notes.

  6. Consider the following items when running the installer:
  7. Review the installation settings and click Install.

    The Policy Server is upgraded. The selected components are configured for use with the Policy Server.

  8. Click Done.
  9. Execute the following script in a ksh shell from the CA SiteMinder® installation directory:
    . ./ca_ps_env.ksh
    

    Note: Be sure that there is a space between the periods.

More information:

Troubleshoot a Policy Server Upgrade

Installation Media Names

Upgrade a Policy Server on UNIX Using a Console

Follow these steps:

  1. Review Before You Upgrade.
  2. Exit all applications that are running.
  3. Execute the following script in a ksh shell from the CA SiteMinder® installation directory:
    . ./ca_ps_env.ksh
    

    Note: Be sure that there is a space between the periods.

  4. Open a shell and navigate to the installation executable.
  5. Enter the following command:
    ./installation_media -i console
    
    installation_media

    Specifies the name of the Policy Server installer executable.

    The Policy Server installer starts.

    Note: For a list of installation media names, see the Policy Server Release Notes.

  6. Consider the following items when running the installer:

    The installer prompts you to select CA SiteMinder® components. Each component is prefixed with a number. Type numbers separated with a comma (,) to select one or more components. Enter only a comma to select none of the features.

  7. Review the installation settings and press Enter.

    The Policy Server is upgraded. The selected components are configured for use with the Policy Server.

  8. Click Done.
  9. Execute the following script in a ksh shell from the CA SiteMinder® installation directory:
    . ./ca_ps_env.ksh
    

    Note: Be sure that there is a space between the periods.

More information:

Troubleshoot a Policy Server Upgrade

Installation Media Names

Policy Server Upgrade Creates a New JVMOptions File

During a Policy Server upgrade, the existing JVMOptions.txt file is renamed to JVMOptions.txt.backup. A new JVMOptions.txt file is created.

If the original file included customized parameters, be sure to modify the newly created file to include these customized parameters.
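
To find the customized parameters that need to be carried over, the following added example (not from the product documentation) lists every line of JVMOptions.txt.backup that is absent from the new JVMOptions.txt. It assumes one option per line; the option values in the demo files are constructed samples, not product defaults.

```shell
#!/bin/sh
# Added example: report options present in JVMOptions.txt.backup but missing
# from the newly created JVMOptions.txt. Assumes one JVM option per line.

# usage: missing_jvm_options <new JVMOptions.txt> <JVMOptions.txt.backup>
missing_jvm_options() {
    awk '
        { sub(/\r$/, ""); sub(/[ \t]+$/, "") }     # tolerate CRLF and trailing blanks
        $0 == "" { next }                          # ignore empty lines
        FILENAME == ARGV[1] { present[$0] = 1; next }   # lines of the new file
        !($0 in present) { print }                 # backup line not in the new file
    ' "$1" "$2"
}

# Constructed demo: the backup carries a raised heap size and a custom -D flag.
demo_jvm_options() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '-Xrs' '-Xmx512m' > "$dir/JVMOptions.txt"
    printf '%s\r\n' '-Xrs' '-Xmx1024m' '-Dexample.custom.flag=true' \
        > "$dir/JVMOptions.txt.backup"
    missing_jvm_options "$dir/JVMOptions.txt" "$dir/JVMOptions.txt.backup"
    rm -rf "$dir"
}

demo_jvm_options
```

A changed value such as a different heap size is reported as well, because the comparison is per line; review each reported line before copying it into the new file.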

Custom Server-Side Code Requirements

Your Policy Server operating system determines whether recompiling custom server-side code is required. Use the following table to identify the requirement:

| Operating System | Required? |
|---|---|
| Microsoft Windows and UNIX | No. Recompiling the custom code is optional. |
| Red Hat Linux | Yes. Upgrade the SDK and recompile the custom code using GCC 3.4. |

Troubleshoot a Policy Server Upgrade

If you experience problems during the upgrade:

Upgrade an r12.x Web Agent

Upgrading Web Agents is the second step in the migration process.

CA SiteMinder® r12.x Web Agents can communicate with a 12.52 Policy Server. Therefore, upgrade a Policy Server to r12.5 before upgrading a Web Agent to 12.52.

Before You Upgrade an r12.x Web Agent

Before you upgrade Web Agents:

Ensure the Policy Server is Configured

Before you upgrade the Web Agent:

Identify the Required Administrator and Policy Server Object Names

Before upgrading the Web Agent, you need the following information from the Policy Server administrator.

Identify the Web Agent Requirements

For more information about patches and other Web Agent requirements, see the Web Agent Installation Guide.

Upgrade an r12.x Web Agent

Use the 12.52 web agent installer to upgrade a web agent.

Custom Agent Requirements

To determine if you are required to recompile your custom agent, use the following table:

| Agent Type | Required? |
|---|---|
| CA SiteMinder® agent | Operating system-specific. If the agent operating system has reached end-of-life, you must recompile the custom agent. Upgrade the CA SiteMinder® SDK and recompile the agent on a supported operating system. |
| Third-party agent | Vendor-specific. Contact your third-party vendor to determine whether the agent is supported. |

How to Upgrade an r12.x Policy Store

Complete the following procedures to upgrade an r12.x policy store to 12.52:

  1. Stop all Policy Servers that are communicating with the policy store.
  2. Import the policy store data definitions.
  3. Import the default policy store objects.
  4. If you managed your r12.x legacy federation environment using the FSS Administrative UI, run the XPS sweeper utility to complete the migration of your legacy federation objects.
  5. Start all Policy Servers that are communicating with the policy store.
Stop all Policy Servers

Stopping all of the Policy Servers that are communicating with the policy store helps to prevent policy store corruption during the upgrade.

Follow these steps:

  1. Log in to the Policy Server host system.
  2. Complete one of the following steps:
  3. Repeat this procedure for each Policy Server that is communicating with the policy store.
Import the Policy Store Data Definitions

Importing the policy store data definitions defines the types of objects that can be created and stored in the policy store.

Follow these steps:

  1. Open a command window and navigate to siteminder_home\xps\dd.
    siteminder_home

    Specifies the Policy Server installation path.

  2. Run the following command:
    XPSDDInstall SmMaster.xdd
    
    XPSDDInstall

    Imports the required data definitions.

Import the Default Policy Store Objects

Importing the default policy store objects configures the policy store for use with the Administrative UI and the Policy Server.

Consider the following items:

Follow these steps:

  1. Open a command window and navigate to siteminder_home\db.
  2. Import one of the following files:

    Note: You use either file to configure a new policy store and upgrade an existing store. When imported as part of an upgrade, the file does not overwrite existing default objects that were modified. Both files include the default policy store objects. These objects include the default security settings in the default Agent Configuration Object (ACO) templates. The secure file provides more restrictive security settings.

    -npass

    Specifies that no passphrase is required. The default policy store objects do not contain encrypted data.

    The default policy store objects are imported.

Run the XPS Sweeper Utility

If you managed your Federation Security Services (legacy federation) objects using the FSS Administrative UI, run the XPS sweeper utility (XPSSweeper) to complete the migration of these objects.

Follow these steps:

  1. Log in to the Policy Server host system.
  2. Run the following command to make your legacy federation objects available to the Administrative UI:
    XPSSweeper
    

    All legacy federation objects created using the FSS Administrative UI are available in the Administrative UI.

Start all Policy Servers

Starting all Policy Servers resumes communication between all of the Policy Servers and the upgraded policy store.

Follow these steps:

  1. Log in to the Policy Server host system.
  2. Complete one of the following steps:
  3. Repeat this procedure for each Policy Server that is communicating with the policy store.

The policy store is upgraded.

Upgrade an r12.x Administrative UI

The following sections detail how to upgrade the Administrative UI on Windows and UNIX.

Before You Upgrade

Consider the following items before you upgrade the Administrative UI:

More information:

Locate the Installation Media

Installation Media Names

Required Linux Libraries

Certain library files are required for components operating on Linux operating environments. Failure to install the correct libraries can cause the following error:

java.lang.UnsatisfiedLinkError 

If you are installing, configuring, or upgrading a Linux version of this component, the following libraries are required on the host system:

Red Hat 5.x:

compat-gcc-34-c++-3.4.6-patch_version.I386

libstdc++-4.x.x-x.el5.i686.rpm

Red Hat 6.x:

libstdc++-4.x.x-x.el6.i686.rpm

Additionally, for Red Hat 6.x (64-bit):

Note: All the RPM packages that are required for 64-bit Red Hat 6.x are 32-bit packages.

libXau-1.0.5-1.el6.i686.rpm

libxcb-1.5-1.el6.i686.rpm

compat-db42-4.2.52-15.el6.i686.rpm

compat-db43-4.3.29-15.el6.i686.rpm

libX11-1.3-2.el6.i686.rpm

libXrender-0.9.5-1.el6.i686.rpm

libexpat.so.1 (provided by expat-2.0.1-11.el6_2.i686.rpm)

libfreetype.so.6 (provided by freetype-2.3.11-6.el6_2.9.i686.rpm)

libfontconfig.so.1 (provided by fontconfig-2.8.0-3.el6.i686.rpm)

libICE-1.0.6-1.el6.i686.rpm

libuuid-2.17.2-12.7.el6.i686.rpm

libSM-1.1.0-7.1.el6.i686.rpm

libXext-1.1-3.el6.i686.rpm

compat-libstdc++-33-3.2.3-69.el6.i686.rpm

compat-db-4.6.21-15.el6.i686.rpm

libXi-1.3-3.el6.i686.rpm

libXtst-1.0.99.2-3.el6.i686.rpm

libXft-2.1.13-4.1.el6.i686.rpm

libXt-1.0.7-1.el6.i686.rpm

libXp-1.0.0-15.1.el6.i686.rpm

Upgrade the Administrative UI on Windows

Follow these steps:

  1. (Embedded JBoss setups only). Verify that you extracted the prerequisite installer zip into the same directory that you extracted the Administrative UI installer zip. The layout.properties file, included with the Administrative UI installation zip, must be located in the same directory as both executables.

    Note: If you move the prerequisite or Administrative UI installation executables after extracting the zips, move the layout.properties file to the same location.

  2. Exit all applications that are running.
  3. Stop the application server that is hosting the Administrative UI.

    Note: For information about stopping and starting the embedded JBoss application server, see the r12.x Policy Server Installation Guide. For information about stopping an existing application server, see the vendor-specific documentation.

  4. For embedded JBoss installations only, run the following executable and follow the installer prompts. Otherwise, skip to the next step.
    adminui-pre-req-version-cr-win32.exe
    
  5. Run the following executable:
    ca-adminui-version-cr-win32.exe
    
  6. Follow the installer prompts and confirm upgrade of the Administrative UI.
  7. Review the installation settings and click Install.
  8. For existing application servers, restart the application server after the installation is complete.

    Note: The embedded JBoss application server automatically restarts after the installation is complete.

The Administrative UI is upgraded.

Upgrade the Administrative UI on UNIX

You can install the Administrative UI on UNIX platforms in GUI or Console mode.

Follow these steps:

  1. (Embedded JBoss setups only). Verify that you extracted the prerequisite installer zip into the same directory that you extracted the Administrative UI installer zip. The layout.properties file, included with the Administrative UI installation zip, must be located in the same directory as both executables.

    Note: If you move the prerequisite or Administrative UI installation executables after extracting the zips, move the layout.properties file to the same location.

  2. Exit all applications that are running.
  3. Stop the application server that is hosting the Administrative UI.

    Note: For information about stopping and starting the embedded JBoss application server, see the r12.x Policy Server Installation Guide. For information about stopping an existing application server, see the vendor-specific documentation.

  4. For embedded JBoss installations only, run the prerequisite installer. Otherwise, skip to the next step.
    1. Open a shell and navigate to one of the following prerequisite installation executables:
      adminui-pre-req-version-cr-linux.bin
      adminui-pre-req-version-cr-sol.bin
      
    2. Enter the command for the appropriate mode:

      GUI Mode

      ./prerequisite_installation_media
      

      Console Mode

      ./prerequisite_installation_media -i console
      
    3. Follow the prerequisite installer prompts.
  5. Open a shell and navigate to one of the following installation executables:
    ca-adminui-version-cr-linux.bin
    
    ca-adminui-version-cr-sol.bin
    
  6. Enter the command for the appropriate mode:
    GUI Mode
    ./installation_media
    
    Console Mode
    ./installation_media -i console
    
  7. Follow the prompts and confirm the upgrade of the Administrative UI.
  8. Review the installation settings and click Install.
  9. Start the application server that is hosting the Administrative UI.

    Note: For information about stopping and starting the embedded JBoss application server, see the r12.x Policy Server Installation Guide. For information about stopping an existing application server, see the vendor-specific documentation.

    The Administrative UI is upgraded.

Upgrade an r12.x Report Server

If you are using a Report Server version earlier than r12.0 SP3 CR4, the simplest path to the 12.52 reporting environment is to uninstall the installed version, and then install and configure the 12.52 reporting components.

If you are using a Report Server r12.0 SP3 CR4 or higher, an upgrade is not required. However, if you want localized reports, you require the 12.52 reporting templates. So, run the 12.52 version of the Report Server Configuration Wizard for the reporting templates.

The Report Server uses data in the policy store and the CA SiteMinder® audit database to compile policy analysis and audit-based reports. The report database contains no information that these reports require. As a result, a migration from an r12.x report database to a 12.52 report database is not necessary.

Complete the following process to install and configure the 12.52 reporting components:

  1. (Optional) Export existing reports.

    Important! Existing reports are stored in the report database. If you require existing reports for historical purposes, use the Administrative UI to view the reports and export them to a temporary location. For more information about viewing reports, see the Policy Server Administration Guide.

  2. Delete the connection between Report Server and the Administrative UI.

    Note: For more information, see the Policy Server Installation Guide.

  3. Uninstall the r12.x Report Server.

    Note: For more information, see the r12 SP2 Policy Server Installation Guide. Uninstalling the Report Server does not remove the tables in the report database. Access the report database and remove all tables manually.

  4. Install and configure 12.52 reporting, which includes:
    1. Installing the Report Server.
    2. Installing the CA SiteMinder® report templates.
    3. Registering the Report Server.
    4. Configuring connectivity between the Report Server and a CA SiteMinder® audit database.

    Note: For more information, see the Policy Server Installation Guide.