Symantec Access Management

  • 1.  Upgrading r12.52 to r12.8 - how to export and import policystore data

    Posted Jan 25, 2019 06:13 PM

    Hello Folks,

     

    We have an existing r12.52 environment and we installed a fresh r12.8.1 environment in parallel to the current environment.  The r12.8 server is now fully setup and initialized and we're able to login to the AdminUI.  Our next step is to export the data from the r12.52 policystore and import it into the r12.8.1 policystore.

     

    At this point, I exported the r12.52 policystore via "dxdumpdb -f r12.52.ldif smpolicystore" and then imported this into the r12.8 policystore via "dxloaddb -v smpolicystore r12.52.ldif".  Afterwards I restarted both the policy server and the CA Directory server and now I am unable to login to the r12.8 AdminUI with the "siteminder" user.  I tried resetting the "siteminder" password via "smreg -su <password>" but I am still unable to login to the AdminUI.

     

    Looking for help on the correct process and sequence to successfully export the data from a r12.52 policy store and importing it into a fresh install of r12.8 policystore.

     

    Thanks in advance!



  • 2.  Re: Upgrading r12.52 to r12.8 - how to export and import policystore data

    Broadcom Employee
    Posted Jan 28, 2019 08:06 AM

    See if this helps where it is mentioned to use "smobjexport" and "smobjimport" instead of CA Directory command line tools such as 'dxdumpdb' and 'dxloaddb'?

    i.e.
    https://communities.ca.com/thread/241819829-advice-for-upgrading-from-r1252-to-r128



  • 3.  Re: Upgrading r12.52 to r12.8 - how to export and import policystore data

    Posted Jan 28, 2019 02:15 PM

    Hi Hitesh,

     

    Thank you for responding.  I did make good use of the "smobjexport" and "smobjimport" commands back when I upgraded from r12.0 to r12.52, but unfortunately the "smobjexport" has been completely phased out in the r12.8.  After much googling I was able to find the right XPSExport and XPSImport commands to export my entire r12.52 policystore and import it into my new r12.8 environment in the "parallel" mode.

     

    Here's my steps, with the XPS commands:

     

    1) export the current r12.52 policystore (the entire policystore data) - - > XPSExport r12.52-datastore.xml -xb -npass

    2) Open up the "r12.52-policystore.xml" file and modify this entry:  <PolicyData IsDumpExport="true"> and change the value "true" to "false".

    3) run the import command - - - > XPSImport r12.52-datastore.xml

    4) the import command will fail and throw an error saying that the "siteminder" admin user ID already exists in the r12.8 policystore, and it will provide the exact LDAP unique ID value of the r12.52 "siteminder" admin user ID.  What I do next is I open up the "r12.52-policystore.xml" file and search for this LDAP entry ID and then delete that "siteminder" admin account in the xml file then save the file so next time I do the XPSImport it will not have that account collision.

     

    I am pretty sure there's a way to export the entire policystore without the "siteminder" admin account, but I am okay with identifying the entry and remove it from the XML file.

     

    This is where I found the XPSExport command, I hope this helps others out there as well:

     

    https://comm.support.ca.com/kb/xpsexport-for-policy-backup/kb000044799
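
The two XML edits described in the post above (set IsDumpExport to "false", remove the colliding "siteminder" admin object), as an added example that is not part of the original thread or of any vendor tooling. Only `<PolicyData IsDumpExport="true">` comes from the post; the `Object`/`Property` element names, the `Xid` attribute and the IDs in the constructed sample are assumptions, so the code matches the ID on any attribute and refuses to proceed unless exactly one object matches.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample. Only <PolicyData IsDumpExport="true"> is taken from the
# post; Object/Property/Xid and the IDs are assumed placeholders.
SAMPLE = """<XPS>
  <PolicyData IsDumpExport="true">
    <Object Class="Admin" Xid="Admin@placeholder-0001">
      <Property Name="Name">siteminder</Property>
    </Object>
    <Object Class="Domain" Xid="Domain@placeholder-0002">
      <Property Name="Name">ExampleDomain</Property>
    </Object>
  </PolicyData>
</XPS>"""


def prepare_export(xml_text, colliding_id):
    """Return (new_xml, dangling): dump flag cleared, the one object carrying
    colliding_id removed, and a count of references to that ID left behind."""
    root = ET.fromstring(xml_text)
    flagged = [e for e in root.iter("PolicyData")
               if e.get("IsDumpExport") == "true"]
    if not flagged:
        raise ValueError('no <PolicyData IsDumpExport="true"> element found')
    for elem in flagged:
        elem.set("IsDumpExport", "false")

    # Collect matches first, then remove, so the tree is not changed mid-walk.
    hits = [(parent, child) for parent in root.iter() for child in parent
            if colliding_id in child.attrib.values()]
    if len(hits) != 1:  # fail closed: never drop more (or less) than intended
        raise ValueError(f"expected 1 object with id {colliding_id!r}, "
                         f"found {len(hits)}")
    parent, child = hits[0]
    parent.remove(child)

    new_xml = ET.tostring(root, encoding="unicode")
    # Any remaining occurrence means another object still points at the
    # removed admin entry and should be reviewed before the import.
    return new_xml, new_xml.count(colliding_id)


if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: script.py <export.xml> <edited.xml> <id>
        src, dst, xid = sys.argv[1:4]
        with open(src, encoding="utf-8") as fh:
            out, dangling = prepare_export(fh.read(), xid)
        with open(dst, "w", encoding="utf-8") as fh:  # original left untouched
            fh.write(out)
    else:  # no arguments: run on the constructed sample
        out, dangling = prepare_export(SAMPLE, "Admin@placeholder-0001")
    print(f"dangling references to removed object: {dangling}")
```

ElementTree does not preserve XML comments or the XML declaration, so diff the edited file against the untouched export before importing it.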



  • 4.  Re: Upgrading r12.52 to r12.8 - how to export and import policystore data

    Broadcom Employee
    Posted Jan 29, 2019 02:09 AM

    The steps which you have followed are accurate and this is the way to go!!!

     

    You can explore the Siteminder Policy Reader utility if you are looking to include/exclude specific objects as part of your migration.



  • 5.  Re: Upgrading r12.52 to r12.8 - how to export and import policystore data

    Posted Jan 29, 2019 03:52 PM

    Hi Ashok,

     

    Thanks for your response.  On this topic, I have one final question and it's regarding the SiteMinder keys (agent keys and session keys).  So with the steps above, I now have my new r12.8 policy server in parallel to my existing r12.52 and both have the same copies of the policy store data, so now I can migrate one app at a time, configuring the SmHost.conf file to point each webagent to the new policy server, but I still need to worry about SSO between these two policy servers.

     

    With our previous SM upgrade from r12.0 to r12.52 I did the "smobjexport" with the "-v -k -x" parameters to export the r12.0 agent and session keys and then import them to the r12.52 using the "smkeyimport".  Since we are using "Static" keys for the current r12.52 servers, can I just simply go into the Admin UI of the r12.8 and enter the existing static key values and then roll the agent and session keys over so that they match with the current r12.52 keys to keep SSO between these two environments?



  • 6.  Re: Upgrading r12.52 to r12.8 - how to export and import policystore data
    Best Answer

    Broadcom Employee
    Posted Jan 29, 2019 04:23 PM

    Hi dmt953,

     

    Yes, you need to sync the keys between environments if you want to have SSO between environments.

     

    And if you know the plain text key values you can simply update it via admin UI which should take effect, if not you have to go through the process of smkeyexport/smkeyimport for key migration.

     

    Thanks

    Ashok