Symantec Access Management

  • 1.  Assistance for Policystore and Keystore upgrade from 12.52 to 12.7

    Posted Mar 09, 2018 02:57 PM

    Hi, we are planning to upgrade from the 12.52 Policy Server to the 12.7 Policy Server. Our 12.52 policy store and key store are on the same LDAP, and we are planning to keep it the same way when we upgrade to 12.7. Does anyone have any tips to follow for this upgrade?

     

    1. We are not sure what version of the policy store we have. How do we find the current version?

    2. We have already built a 12.7 Policy Server and pointed it to the existing policy store (12.52), and it is working as expected, except for compatibility issues with SmOverride.

    3. What are my best options to upgrade to a 12.7 policy store and key store and point 12.7 to the new store with less downtime?

     

    This is what I tried:

     

    1. I got a new Policy Store created. 

    2. Exported Policyobject from 12.5 using xpsexport -xb from existing policy store

    3. Pointed the new policy store to a sandbox 12.52 policy server

    4. Did an XPSImport to the new policy store.

    5. Exported keys using smkeyexport from old policy store

    6. FAILED doing an import using smkeyimport in the new policy store. What credentials do I need to provide here for smkeyimport?

     

    error:

     

    F:\>smkeyimport -ismkey_export_3_9_18.xml -d***** -w*******
    Import Status: Could not open Key store.
    Import Status: Policy store failed operation 'ProviderInit' for object type 'Policy store provider'. Failed to connect to the LDAP Policy Store.

     

    Thanks,



  • 2.  Re: Assistance for Policystore and Keystore upgrade from 12.52 to 12.7

    Posted Mar 09, 2018 03:10 PM

    If you already have 12.7 pointing to the 12.52 policy store, you can follow the online instructions for updating the policy store.

     

    Upgrade Policy Store - CA Single Sign-On - 12.7 - CA Technologies Documentation 



  • 3.  Re: Assistance for Policystore and Keystore upgrade from 12.52 to 12.7

    Posted Mar 09, 2018 03:19 PM

    Thanks David for your quick reply. 

     

    I don't want to upgrade the existing policy store, because if there is any issue during the upgrade it will corrupt the existing data.

     

    I am trying to create a new 12.7 policy store and key store, import the data from 12.52 into the new store, and then point to the new policy store and key store.



  • 4.  Re: Assistance for Policystore and Keystore upgrade from 12.52 to 12.7

    Posted Mar 09, 2018 05:36 PM

    Can you check from smconsole whether you have checked the box for “Use policy store as keystore”?

     

    Ensure that the test connection to the policy store works after the xpsimport of the policy store.

     




  • 5.  Re: Assistance for Policystore and Keystore upgrade from 12.52 to 12.7

    Posted Mar 13, 2018 10:25 AM

    Hi, "Use Policy Store as Key Store" is checked.

     

    1. I am not sure what the current version of the policy store is, even though the Policy Server is 12.52 SP1 CR08. Any way to find it?

    2. What is the best back-out plan if the policy store upgrade to 12.7 fails?

    3. Since the policy store and key store are the same, CA told us that just exporting the full policy store is enough, as it has both the policy store and key store. Is that correct?

     

    4. Do I need to do only the steps below to upgrade a policy store?

       1. Create a new Policy Store

       2. Install 12.7 Policy Server.

       3. Configure the new policy store details in the Data tab in SMConsole for the policy store and key store

       4. Make sure the Policy Server is starting successfully.

       4. Run Policy Store Configuration Wizard from 12.7 and initialize new Policy Store.

       5. Run Xpsddinstall SmMaster.xdd

       6. Run XPsddinstall IdmSmObjects.xdd

       7. Run XPSimport smpolicy-secure.xml

     

    This creates a new 12.7 policy store with schema.

     

    5. XPSExport -xb -> full backup from the 12.52 policy store (no key export, as both are the same)

    6. XPSimport the full backup of the 12.52 policy store into the 12.7 policy store

    7. Restart Policy Server.

     

    Please let me know if I am missing anything or if anything is wrong.

     

    Thanks



  • 6.  Re: Assistance for Policystore and Keystore upgrade from 12.52 to 12.7

    Posted Mar 15, 2018 11:01 PM

    My answers below.

     

    1. I am not sure what the current version of the policy store is, even though the Policy Server is 12.52 SP1 CR08. Any way to find it?

    Ujwol => We do not store Policy store version.

     

    2. What is the best back-out plan if the policy store upgrade to 12.7 fails?

    Ujwol => I would advise:

    A policy store backup at the LDAP/ODBC level. For LDAP, you can perform an LDIF export; for ODBC, you can back up the database.

    I would also back up a full policy store/key store export.

    XPSExport -xb

    smkeyexport

     

    3. Since the policy store and key store are the same, CA told us that just exporting the full policy store is enough, as it has both the policy store and key store. Is that correct?

     

    Ujwol => This is NOT true. XPSExport doesn't export any keys, even if the policy store and key store are colocated.

    You must use smkeyexport and smkeyimport to export/import keys.

     

    4. Do I need to do only the steps below to upgrade a policy store?

     

    Ujwol => Here are the correct steps.

     

    Create a new policy store and initialize it with the 12.7 policy store schema.

     

       1. Create a new Policy Store

       2. Install 12.7 Policy Server.

       4. Run Policy Server Configuration Wizard from 12.7, provide details of the new policy store, and initialize the new policy store. (This will automatically import SmMaster.xdd, SmPolicy.xml)

       6. Run XPsddinstall IdmSmObjects.xdd (Optional - only if you need integration with IM)

       7. Run XPSimport smpolicy-secure.xml (Optional - only if you need the secure version of the default policy objects)

       8. XPSExport -xb -> full backup from the 12.52 policy store

       9. smkeyexport from 12.52 

       10. XPSimport the full backup of the 12.52 policy store into the 12.7 policy store

       10.1 Ensure that smconsole still points to the 12.7 policy store/keystore and that the test connection works. We have seen that sometimes the full xpsexport backup changes the policy store back to the old one.

       11. smkeyimport from 12.52 to 12.7

       12. Restart Policy server.

     

    Also have a look at :

    Tech Tip : CA Single Sign-On:: Policy Server : Best practice on importing Agent Keys 



  • 7.  Re: Assistance for Policystore and Keystore upgrade from 12.52 to 12.7

    Posted Mar 16, 2018 11:43 AM

    Thanks a lot, Ujwol, for your detailed steps.

     

    I have a question at Step 4.

     

    As per the link below, for a new instance, to create the schema and ou=netegrity under the root DN, it is asking to run smldapsetup.

     

    Will this also be executed during initialization when I run the policy store configuration wizard, or do I need to run the steps below as per the document?

     

    Configure an Oracle Directory Server as a Policy Store - CA Single Sign-On - 12.7 - CA Technologies Documentation 

     

    Step 1 in doc: Gather Directory Server Information -> One question here: is this the same admin ID we use at the Data tab to connect to the policy store, or is it asking to create a user named smadmin or siteminder?

     

    Step 2 in doc: Oracle Directory Server Enterprise Edition Considerations -> Can you confirm that I don't have to worry about this step and that this is just information?

     

    Step 3 in doc: Replicate an Oracle Directory Server Enterprise Edition Policy Store -> Can you confirm that I don't have to worry about this step and that this is just information?

     

    Step 4 in doc: Point the Policy Server to the Policy Store -> I am clear with the steps

     

    Step 5 in doc: Create the Policy Store Schema -> Run the commands below?

       1. smldapsetup ldgen -ffile_name

       2. smldapsetup ldmod -fpolicy_server_home\xps\db\OracleDirectoryServer.ldif

       3. dsconf reindex -h localhost -p port_number -e "ou=Netegrity,root_dn"  -> Run By LDAP Admins

       4. Edit the following ldif file:

          policy_server_home/xps/db/OracleDirectoryServerBrowse.ldif

          Confirm that the LDAP directory contains the following path before proceeding (replace the Root DN below with your own Root DN):

       5. Run the following command:

          smldapsetup ldmod -fOracleDirectoryServerBrowse.ldif -v

       6. Stop the database and re-index the vlv indexes with the following commands: -> Run By LDAP Admins

          dsadm stop Instance_Path

          dsadm reindex -bl -t "Sort xpsSortKey" Instance_Path policysvr4

          dsadm reindex -bl -t "Sort modifyTimestamp" Instance_Path policysvr4

          dsadm reindex -b -t xpsNumber -t xpsValue -t xpsSortKey -t xpsCategory -t xpsParameter -t xpsIndexedObject -t xpsTombstone instance_path policysvr4

       7. Start the database with the following command: -> Run By LDAP Admins

          dsadm start Instance_Path

     

    Then follow step 4 from above as you mentioned before?

     

     

    Run Policy Server Configuration Wizard from 12.7, provide details of the new policy store, and initialize the new policy store. (This will automatically import SmMaster.xdd, SmPolicy.xml)

       6. Run XPsddinstall IdmSmObjects.xdd (Optional - only if you need integration with IM)

       7. Run XPSimport smpolicy-secure.xml (Optional - only if you need the secure version of the default policy objects)

       8. XPSExport -xb -> full backup from the 12.52 policy store

       9. smkeyexport from 12.52 

       10. XPSimport the full backup of the 12.52 policy store into the 12.7 policy store

       10.1 Ensure that smconsole still points to the 12.7 policy store/keystore and that the test connection works. We have seen that sometimes the full xpsexport backup changes the policy store back to the old one.

       11. smkeyimport from 12.52 to 12.7

       12. Restart Policy server.



  • 8.  Re: Assistance for Policystore and Keystore upgrade from 12.52 to 12.7

    Posted Mar 18, 2018 06:51 PM

    Hi Prajish,

     

    I think you missed the following comment from the doco:

     

    "Oracle Directory Server (formerly Sun Java System Directory Server) can function as a policy store. The Policy Server configuration wizard can set up this directory automatically as a policy store. However, if you did not use the wizard for set up, follow these instructions to set up the policy store up manually. "

     

    So the steps documented in the link you provided are required only when you are doing the manual policy store configuration/initialization. So, the steps that I outlined earlier are all you need to do.

     

    However, as you are using Oracle Directory Server as the policy store, I would strongly advise you to perform some additional tuning as documented here. You can do this after the policy store init.

    How to Tune Oracle Directory Server for Policy Store 

     

    Regards,

    Ujwol