Tech Tip: CA Single Sign On: Copying Policy Server files to another Unix machine?

Discussion created by MattDeChellis Employee on Jul 13, 2015

Customer question:


Is it possible to copy a working set of Policy Server files from one Unix machine to another?






Although this activity is not something we test internally, one customer has reported its recent success:



The customer shared the following:

Just tar up your /opt/CA or /opt/netegrity directory on the first system. Make sure to include the ‘aas’ dir and your JDK (I put the JDK dedicated to SM under /opt/CA for this reason. Some people put it somewhere like /usr/lib and do a symbolic link to /usr/bin but I am only using the JDK for SiteMinder on these servers), and any other folders you have under there like Apache (associated /lib directory for PCRE, etc.), ServletExec if you are using OneView.


Untar it on the new system under /opt/CA. If you are pointing to the same policy store instance you don't need to update anything in sm.registry, but if you copied to a policy server in another data center edit the policy store / key store IP addresses.


For the adminui you need to edit the server hostname in the following bindings file: /opt/CA/siteminder/adminui/server/default/conf/bindingservice.beans/META-INF/bindings-jboss-beans.xml. Then you need to delete the data directory (/opt/CA/siteminder/adminui/server/default/data). Run XPSRegClient and then hit the new WAM URL and log in for the first time to register.


Lastly, launch the smconsole and make sure to uncheck 'enable agent key generation' in the management console for all other than the first policy server.


If you decide to clone the policy store (do an ldif export) from one datacenter to another - you need to remember to run the dsadm reindex commands on the new store or you'll get that "GUID is not unique" error (this is for Oracle DSEE. You would need to check for other store types).
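
A post-copy check for the file-level steps in the procedure above, as an added example that is not part of the original post and is not CA tooling. The function name `check_clone`, its four arguments and any host names or addresses passed to it are assumptions; the Admin UI paths are the ones quoted in the post, relative to the install root.

```shell
#!/bin/sh
# Added example (not CA tooling): verify a copied Policy Server tree before
# first start. check_clone and its arguments are hypothetical names.
#   $1 install root (e.g. /opt/CA)    $2 source server hostname
#   $3 new server hostname            $4 source-site store IP (optional;
#                                        leave empty when the same store is used)
check_clone() {
    root=$1; old_host=$2; new_host=$3; old_store=${4:-}; rc=0
    adminui="$root/siteminder/adminui/server/default"
    bindings="$adminui/conf/bindingservice.beans/META-INF/bindings-jboss-beans.xml"

    # Admin UI bindings must name the new host and no longer the source host.
    if [ -f "$bindings" ]; then
        grep -qF -- "$new_host" "$bindings" ||
            { echo "FAIL: $new_host not found in $bindings"; rc=1; }
        grep -qF -- "$old_host" "$bindings" &&
            { echo "FAIL: $old_host still in $bindings"; rc=1; }
    else
        echo "FAIL: missing $bindings"; rc=1
    fi

    # The Admin UI data directory copied from the source must be gone.
    [ -d "$adminui/data" ] &&
        { echo "FAIL: $adminui/data was copied and not deleted"; rc=1; }

    # Cross-datacenter copy: sm.registry must not point at the source-site store.
    if [ -n "$old_store" ]; then
        hits=$(find "$root" -type f -name sm.registry \
                    -exec grep -lF -- "$old_store" {} + || true)
        [ -n "$hits" ] &&
            { echo "FAIL: $old_store still referenced in: $hits"; rc=1; }
    fi

    # The post calls out the 'aas' directory as easy to leave behind.
    [ -n "$(find "$root" -type d -name aas)" ] ||
        { echo "FAIL: no 'aas' directory under $root"; rc=1; }

    return "$rc"
}

# Stand-alone use: ./check_clone.sh ROOT OLD_HOST NEW_HOST [OLD_STORE_IP]
if [ "$#" -ge 3 ]; then
    check_clone "$@"
    exit $?
fi
```

The agent key generation setting and the dsadm reindex step are not visible from the copied files, so they still need the manual checks described in the post.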