Previous Topic: Run the Migration Utility to Move Data to the CDSNext Topic: Migrate or Export SSL Keys and Certificates

CA SiteMinder® Federation Standalone Installation and Upgrade GuideMigrate to CA SiteMinder® Federation Standalone 12.52 SP1How to Migrate to 12.52 SP1Migrate SSL Keys and Certificates (optional)

Migrate SSL Keys and Certificates (optional)

For CA SiteMinder® Federation Standalone 12.52 SP1, the SSL key and certificate files for the embedded Apache and Tomcat servers are encrypted. For releases 12.0 and 12.0 SP1, these files are not encrypted. To avoid purchasing a new key/certificate pair for an encrypted file, migrate existing key or certificate files from CA SiteMinder® Federation Standalone r12.0/r12.0 SP1 to 12.52 SP1. You can also export these files for backup purposes without migrating them.

Important! For systems before r12.1, the embedded Tomcat server uses a self-signed certificate. You cannot use this self-signed certificate for a migration to 12.52 SP1. Purchase a signed certificate and upgrade the Tomcat SSL configuration with the signed certificate.

For Apache, you can migrate files for SSL connections beginning at r12.0. For Tomcat, you can migrate files only from r12.1 forward because in 12.0, a self-signed certificate secured the Tomcat key store. Beginning with r12.1, the federation product requires that a Certificate Authority signs the certificate.

Migrating SSL keys and certificate files is useful in the following situations:

Note: If you upgrade a 12.0 system to 12.52 SP1, the installer automatically upgrades Apache and Tomcat SSL key and certificate files to encrypted files. This automatic does not apply to migrations.

The certificate and private key files are as follows:

Apache
Tomcat

To migrate or export these files, use the SSL utility named migratessl. The migration utility is included with CA SiteMinder® Federation Standalone 12.52 SP1 as a batch file for Windows systems and a shell script for UNIX systems. The tool resides in the federation_install_dir/bin folder.

The process to migrate SSL files is as follows:

  1. Copy the key and certificate files from the existing federation system to any location on the 12.52 SP1 system.
  2. Copy the migratessl tool to the location where you copied the key and certificate files.
  3. If you migrate signed certificates, export the Certificate Authority certificate that signed the SSL certificate. Before you continue with the migration, import the CA certificate.

Note: You can also skip this migration process, generate a new key/certificate request, and then get the certificate signed. SSL certificates are not included in the imported configuration file.

Copy Key and Certificate Files from the r12 System

To use the SSL migration tool, first gather the key and certificate files for the CA SiteMinder® Federation Standalone system from which you plan to migrate or export then copy them.

To copy the SSL key and certificate files

  1. Locate the files on the existing CA SiteMinder® Federation Standalone system.

    The Apache SSL key and certificate files are in the following locations:

    The Tomcat SSL key store file is in the following location:

  2. Copy the key and certificate files to any location on the new CA SiteMinder® Federation Standalone machine.
Copy the SSL Migration Tool to Same Folder as the Key/Certificate Files

The SSL migration tool requires software that is deployed with CA SiteMinder® Federation Standalone 12.1 SP3. Run the tool on the machine where the CA SiteMinder® Federation Standalone 12.1 SP3 product has been installed. Specifically, the tool has to reside in the same folder where you copied the files to be migrated.

To copy the SSL utility tool

  1. Navigate to federation_install_dir/bin on the 12.52 SP1 system.
  2. Copy the migratessl file (.bat or .sh) to the location on the 12.52 SP1 system where you copied the key and certificate files.