Symantec Access Management

  • 1.  RE: upgrading SiteMinder Proxy server to version r12.52.

    Broadcom Employee
    Posted Feb 17, 2014 05:45 PM

    Hi Naveen

     

    You wrote: 

    naveenpaul1987:

    Hi All,

     I have a requirement of upgrading SiteMinder Proxy server version r12.5 to r12.52.   I have following queries regarding the upgradation.

    1.       If I upgrade SPS what all are the re-configurations I will have to do?  Do I need to make any configuration with SiteMinder Policy Server ? Do I need to re-register SPS with SM Policy Server ?

    2.       Are there any  other affected components?

    Any response at the earliest will  be much appreciated.

     

    In my experience, the best way to do an upgrade of SPS (and recent experience confirms this with a R12.5 to R12.52 upgrade as well) is to back up the existing SPS install (using tar or zip), make a fresh SPS install (you most likely will need to do an uninstall and reinstall), and then use diff to reapply the configuration changes to the newly installed instance.

    The steps we've followed are :

    1. Back up existing system (particularly note httpd/conf and proxy-engine/conf directories since these hold most of the configuration) - use tar or zip.
       
    2. Uninstall, this will reset some /etc/CA/ file settings, 
       
    3. Install as per new instance - you do  not need to do host registration.
       
    4. run a diff utility over the httpd config files (diff -U for unix or windiff or similar on Windows). You will find you need to transfer about 4-6 lines of local configuration, depending if you have SSL enabled or not.
      1. httpd/conf/httpd.conf  
      2. httpd/conf/extra  (this is a recursive diff of a directory)
    5. run diff utility over proxy-engine configuration (diff -U or windiff)
      1. proxy-engine/conf/server.conf
      You will find you need to transfer the virtual hosts xml areas, and possibly some settings.
       
    6. These files / directories can be directly copied over to the new area (but a diff does not hurt; you will find WebAgent.conf has different comments that identify agent version, and some extra dll's that are commented out in default).
      1. proxy-engine/conf/proxyrules.xml 
      2. proxy-engine/conf/defaultagent  (directory)
      3. (any other "agent" directory if you have multiple agent instances)
      The proxyrules.xml will be your rules, and the defaultagent and any other agents you have installed will then retain their ACO, SmHost.conf and all their existing settings.

    If you have some customized scripts, such as proxyengine.sh settings, then again a diff on the directory is the best way to confirm what is different and you can then review these files.

    That is the process I've used on several occasions and the changes to transfer configuration are fairly simple.  Running the SPS upgrade has (in my experience) often ended up with broken configuration files or new features not working since it is using old configuration files.

    I would recommend, if you are running an upgrade (either scripted, or manually as above), that you test the upgrade process in a lesser environment, several times until all the steps are known, before applying it to your production environment (and take a backup of the original prod one for reference). 

    Hope that helps.

    Cheers - Mark

    (Note: no policy server changes are required to get the same functionality. If you wish to, say, start using proxyui if you were not previously, or start using webservices, i.e. start using new features, then those do require entry of some additional policy server configuration.)
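
The diff-and-transfer procedure in steps 4-6 of the post above, as an added example that is not part of the original post or of the product. The function names, the status labels and the sample tree contents are assumptions made for illustration; the relative paths are the ones the post names.

```shell
#!/bin/sh
# Added example, not from the thread: compare a backed-up SPS tree (OLD) with a
# fresh install (NEW) over the paths named in steps 4-6 of the post.
MERGE_PATHS="httpd/conf/httpd.conf httpd/conf/extra proxy-engine/conf/server.conf"
COPY_PATHS="proxy-engine/conf/proxyrules.xml proxy-engine/conf/defaultagent"

# sps_drift OLD NEW -> one line per path: "<merge|copy> <status> <path>"
sps_drift() (
    old=$1; new=$2
    for kind in merge copy; do
        [ "$kind" = merge ] && paths=$MERGE_PATHS || paths=$COPY_PATHS
        for p in $paths; do
            if [ ! -e "$old/$p" ]; then status=absent-in-backup
            elif [ ! -e "$new/$p" ]; then status=absent-in-new
            elif diff -r -q "$old/$p" "$new/$p" >/dev/null 2>&1; then status=same
            else status=differs
            fi
            echo "$kind $status $p"
        done
    done
)

# sps_local_lines OLD NEW PATH -> non-empty lines found only in the backup copy,
# i.e. the local settings to carry over (the '+' lines of `diff -u NEW OLD`).
sps_local_lines() (
    diff -r -u "$2/$3" "$1/$3" | grep '^+[^+]' | sed 's/^+//' || true
)

# make_sample DIR -> constructed old/ and new/ trees with placeholder contents.
make_sample() (
    for t in old new; do
        conf=$1/$t/proxy-engine/conf
        mkdir -p "$1/$t/httpd/conf/extra" "$conf/defaultagent"
        printf 'Listen 80\n' > "$1/$t/httpd/conf/httpd.conf"
        printf '# placeholder\n' > "$1/$t/httpd/conf/extra/httpd-ssl.conf"
        printf '# placeholder\n' > "$conf/server.conf"
        printf '# placeholder\n' > "$conf/defaultagent/WebAgent.conf"
        printf '<!-- %s rules -->\n' "$t" > "$conf/proxyrules.xml"
    done
    printf 'ServerName sps.example.test\n' >> "$1/old/httpd/conf/httpd.conf"
)

# Usage: sh sps-drift.sh /backup/secure-proxy /opt/new/secure-proxy (assumed paths)
if [ $# -eq 2 ]; then sps_drift "$1" "$2"; fi
```

Paths reported as `merge differs` are the ones to review line by line; `sps_local_lines` lists what the backup has that the fresh file lacks.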



  • 2.  RE: upgrading SiteMinder Proxy server to version r12.52.

    Broadcom Employee
    Posted Feb 17, 2014 07:44 PM

    Hi Naveen

    naveenpaul1987:

    I have one more question.

     What java version is supported by SPS r12.52? Any idea?

     

    I have installed it fine with both JDK 1.6 and with JDK 1.7 without problems.

    Support for both JDK 1.6 and JDK 1.7 is explicit in the release notes : 
     

    The Release Notes for R12.52 say :  https://support.ca.com/cadocs/0/CA%20SiteMinder%20Secure%20Proxy%20Server%2012%2052-ENU/Bookshelf.html

    Java JDK Installation Requirement

    The operating environment where you intend to install the CA SiteMinder® SPS must have Java JDK 1.6.0_32 or later already installed.


    Also the Product Support Matrix (albeit the latest one is for the older R12.5), but that explicitly mentions JDK 1.7 :  https://support.ca.com/phpdocs/7/5262/5262_SecureProxyServer_125_PSM.pdf

    . JVM requirements  JDK supported versions 
    a. 1.6.0_30 or above 
    b. 1.7 or above 

    So for R12.52, latest JDK 1.6 or JDK 1.7 will be supported.


    Also when installing the Java JDK some points to remember are :

    1. You need the 32bit JDK, not the 64bit one.
       
    2. You need the current "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction" policy jar files.  
      http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-java-plat-419418.html#jce_policy-6-oth-JPR
      http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

    As those are easy and common mistakes to make.

    Cheers - Mark
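
A pre-install check for the two JDK points in the post above (32-bit, and 1.6.0_32 or later or 1.7), as an added example that is not part of the original post or of the product. The function name, result strings and sample `java -version` outputs are constructed for illustration; the JCE policy files are not checked here.

```shell
#!/bin/sh
# Added example, not from the thread: classify `java -version` output against
# the JDK requirements quoted in the thread for SPS r12.52.

# Constructed sample outputs in the HotSpot `java -version` layout.
SAMPLE_OK='java version "1.6.0_45"
Java(TM) SE Runtime Environment (build 1.6.0_45-b06)
Java HotSpot(TM) Client VM (build 20.45-b01, mixed mode, sharing)'
SAMPLE_64='java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)'
SAMPLE_OLD='java version "1.6.0_30"
Java(TM) SE Runtime Environment (build 1.6.0_30-b12)
Java HotSpot(TM) Client VM (build 20.5-b03, mixed mode, sharing)'

# check_sps_jdk TEXT -> prints "ok", "reject: <reason>" or "unverified: <reason>"
check_sps_jdk() (
    text=$1
    ver=$(printf '%s\n' "$text" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$ver" ] || { echo "reject: no version string"; exit 0; }
    # A 64-bit HotSpot build announces itself on the VM line.
    case $text in *64-Bit*) echo "reject: 64-bit JVM ($ver)"; exit 0;; esac
    case $ver in 1.*) ;; *) echo "unverified: $ver not named in the thread"; exit 0;; esac
    minor=$(echo "$ver" | cut -d. -f2)
    # Update number after the underscore, leading zeros stripped, default 0.
    update=$(echo "$ver" | sed -n 's/.*_\([0-9][0-9]*\).*/\1/p' | sed 's/^0*//')
    update=${update:-0}
    if [ "$minor" -eq 7 ]; then echo ok
    elif [ "$minor" -eq 6 ] && [ "$update" -ge 32 ]; then echo ok
    elif [ "$minor" -gt 7 ]; then echo "unverified: $ver not named in the thread"
    else echo "reject: $ver is below 1.6.0_32"
    fi
)

# Live check on the install host: sh check-jdk.sh --live
if [ "${1:-}" = "--live" ]; then check_sps_jdk "$(java -version 2>&1)"; fi
```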



  • 3.  RE: upgrading SiteMinder Proxy server to version r12.52.

    Posted Feb 17, 2014 08:05 PM
    naveenpaul1987:

    Thanks Mark..Thank you so much...Really appreciable.

    I have one more question.

     What java version is supported by SPS r12.52? Any idea?

    Thanks in advance.

    Regards,

    Naveen


    Hi Naveen,

    You can find the JVM support requirement from R12.52 platform support matrix (https://support.ca.com/phpdocs/7/5262/5262_SiteMinder_12_52_Platform_Support.pdf, under section 2.4 Java Virtual Machine).

    Following are the minimum requirements for JDK

    Oracle (formerly Sun) 1.7 32-bit
    Sun 1.6.0_32 32-bit
     

    Regards,

    Kar Meng



  • 4.  RE: upgrading SiteMinder Proxy server to version r12.52.

    Posted Feb 17, 2014 08:07 PM

    Hi Mark,

    First of all thanks for your reply and sorry for posting too many questions. I am a newbie in this and I don't have much idea about SPS. Forgive my ignorance. 

    I went through the product document and I noted down the following points. Can you please correct me if I am wrong in any of these steps.

    1. Backup the existing SPS install(using zip).
    2. Run the installation program to upgrade from a previous version of SPS to the current version.
        Right-click the executable and select Run as administrator.
        Double-click ca-proxy-<version>-<operating_system>.exe.
        Select OK to upgrade SPS version.
    3. Follow the instructions from the installation wizard.
    4. Restart the system after the installation completes.
    5. Verify that the SSL configuration paths inside the ssl.conf file and the server.conf file are correct for our environment.
    6. Modify the path to the proxy rules DTD file in the proxyrules.xml file.
    7. Check the InstallLog file to verify that SPS installation is successful. By default, the InstallLog is installed in the following location on all platforms:
    sps_home\install_config_info\CA_SiteMinder_Secure_Proxy_Server_InstallLog.log
    8. To duplicate custom settings
        Modify the httpd.conf file.
        Modify the sps_home\httpd\conf\extra\httpd-ssl.conf file.
        Modify the server.conf file.
    9. Copy the existing custom session schemes and filter class files to the new installation.//***Where exactly I can find these files?
    10. Deploy any custom Java class or .jar files related to the SPS filter or session scheme APIs. //** I am not sure whether any are available in our environment or not. How can I check?
    11. You can customize Java Virtual Machine (JVM) parameters in the following files:
       modify the SmSpsProxyEngine.properties file located in the directory sps_home\proxy-engine\conf.//** What is the use for this? What is the scenario I need to do this.
    12. After you install SPS, run the configuration wizard. The configuration wizard lets you register the trusted host for the embedded SiteMinder Web Agent and performs some administrative tasks for the embedded Apache web server. (//Since smhost.conf file is already present, we can skip the option to register the trusted host. Is my understanding correct?)
     
    According to product document we need to gather the following information before starting upgrade.
     
    SiteMinder administrator name:
    SiteMinder administrator password: 
    Trusted host name: (We can get this info from smhost.conf file)
    Host Configuration Object: (We can get this info from smhost.conf file)
    Agent Configuration Object: (We can get this info from WebAgent.conf file)
    IP address of the Policy Server where the host is registered : (We can get this info from smhost.conf file)
    Host Configuration File name and location : Location of smhost.conf file.
    Name and location of the Web Agent configuration file: Location of WebAgent.conf file.
    Fully qualified host name of the server: You can find this info in server.conf file
     
     13.   Follow these steps for upgradation:
                Open a console window and navigate to the directory sps_home/secure-proxy.
                Enter the following command: ca-sps-config.exe
                Enter the details we gathered for upgradation in the configuration wizard.
                Review the Configuration Summary
                Click Install.
                SPS is configured and the configuration files are installed.
                Click Done to exit the wizard.
     
    14. We can find the existing SPS configuration for our environment in following configuration files. It's recommendable to run a diff utility (to compare two files) such as windiff over config files such as httpd and make necessary changes in the new config files. 
     
    httpd.conf
    Contains the settings for the Apache web server.
    server.conf
    Contains the settings that determine SPS behavior, including virtual hosts, and session scheme mapping.
    logger.properties
    Contains the settings that determine SPS logging behavior.
    proxyrules.xml
    Contains the rules that determine how SPS handles incoming requests.
     
     
    Thanks in advance.
    Regards,
    Naveen
     
     
     


  • 5.  RE: upgrading SiteMinder Proxy server to version r12.52.

    Broadcom Employee
    Posted Feb 17, 2014 08:58 PM

    Hi Naveen,

    Naveen wrote : 

    naveenpaul1987:

    Hi Mark,

    First of all thanks for your reply and sorry for posting too many questions. I am a newbie in this and I don't have much idea about SPS. Forgive my ignorance. 

     

     

    SPS is not hard, it is mainly apache front-end + tomcat with custom proxy-engine app, and webagent.

     

    naveenpaul1987:

    Hi Mark,

    I went through the product document and I noted down the following points. Can you please correct me if I am wrong in any of these steps.
    ....
    ....


     

    Generally that looks about right, the best thing to do is run a test upgrade in some QA environment to ensure your procedure is complete and works.  A good way to do that testing is with virtual machines and vm snapshots, so you can retest your upgrade procedure until you are happy with it.

    As I said, in my experience, an uninstall, reinstall, then manually transferring the configuration over, worked best for me, rather than relying on the auto update process.  But if you have a VM you can try the SPS installer upgrade option and see if that works for you.

    For some of the specific questions: 

    9. Copy the existing custom session schemes and filter class files to the new installation.//***Where exactly I can find these files?
    10. Deploy any custom Java class or .jar files related to the SPS filter or session scheme APIs. //** I am not sure whether any are available in our environment or not. How can I check?
    11. You can customize Java Virtual Machine (JVM) parameters in the following files:
       modify the SmSpsProxyEngine.properties file located in the directory sps_home\proxy-engine\conf.//** What is the use for this? What is the scenario I need to do this.
    12. After you install SPS, run the configuration wizard. The configuration wizard lets you register the trusted host for the embedded SiteMinder Web Agent and performs some administrative tasks for the embedded Apache web server. (//Since smhost.conf file is already present, we can skip the option to register the trusted host. Is my understanding correct?)
     


    I doubt you have any custom java filters, or session schemes, they are unusual, and I expect you would have some documentation of them, if they existed.

    SmSpsProxyEngine.properties contains the java runtime settings, and any parameters passed through to java.exe on the cmd line.

    If you have a prior install, you will not need to reregister the trusted host - it does no harm to reregister the host - but generally it is not needed.

    Good luck - and I hope that helps 

    Cheers - Mark



  • 6.  RE: upgrading SiteMinder Proxy server to version r12.52.

    Posted Mar 07, 2014 12:45 PM

    Thank you all..

    I have successfully upgraded SPS. Once again thank you very much.

    Regards,

    Naveen