CA SiteMinder® Federation Standalone Installation and Upgrade Guide › Migrate to CA SiteMinder® Federation Standalone 12.52 › How to Migrate to 12.52 › Migrate SSL Keys and Certificates (optional)

Migrate SSL Keys and Certificates (optional)

For CA SiteMinder® Federation Standalone 12.52, the SSL key and certificate files for the embedded Apache and Tomcat servers are encrypted. For releases 12.0 and 12.0 SP1, these files are not encrypted. To avoid purchasing a new key/certificate pair for an encrypted file, migrate existing key or certificate files from CA SiteMinder® Federation Standalone r12.0/r12.0 SP1 to 12.52. You can also export these files for backup purposes without migrating them.

Important! For systems before r12.1, the embedded Tomcat server uses a self-signed certificate. You cannot use this self-signed certificate for a migration to 12.52. Purchase a signed certificate and upgrade the Tomcat SSL configuration with the signed certificate.

For Apache, you can migrate files for SSL connections beginning at r12.0. For Tomcat, you can migrate files only from r12.1 forward because in 12.0, a self-signed certificate secured the Tomcat key store. Beginning with r12.1, the federation product requires that a Certificate Authority signs the certificate.

Migrating SSL keys and certificate files is useful in the following situations:

• To move to a different version of CA SiteMinder® Federation Standalone on a new system instead of upgrading an existing system. Migrate the SSL keys or certificates from the existing system to the new system.
• To migrate SSL keys and certificates from one system in a cluster to another. Migrating lets you reuse the keys and certificates. For example, if a load balancer passes SSL requests to the federation systems in a cluster, each system must use the same keys and certificates. Therefore, you would migrate keys and certificates from one system to the other.

Note: If you upgrade a 12.0 system to 12.52, the installer automatically upgrades Apache and Tomcat SSL key and certificate files to encrypted files. This automatic does not apply to migrations.

The certificate and private key files are as follows:

Apache

• The server.key file contains a private key.
• The server.cert file contains a server certificate.

Tomcat

• For r12.0, the tomcat.keystore file contains a self-signed certificate. For r12.x, the tomcat.keystore file contains a CA-signed certificate and private key pair.

To migrate or export these files, use the SSL utility named migratessl. The migration utility is included with CA SiteMinder® Federation Standalone 12.52 as a batch file for Windows systems and a shell script for UNIX systems. The tool resides in the federation_install_dir/bin folder.

The process to migrate SSL files is as follows:

1. Copy the key and certificate files from the existing federation system to any location on the 12.52 system.
2. Copy the migratessl tool to the location where you copied the key and certificate files.
3. If you migrate signed certificates, export the Certificate Authority certificate that signed the SSL certificate. Before you continue with the migration, import the CA certificate.

Note: You can also skip this migration process, generate a new key/certificate request, and then get the certificate signed. SSL certificates are not included in the imported configuration file.