AnsweredAssumed Answered

SSO not working between SiteMinder r12.0 SP3 to r12.52 SP1 policy server in parallel upgrade

Question asked by dmt953 on Jul 19, 2016
Latest reply on Jul 21, 2016 by dmt953

Hello,

We are in the process of upgrading our SiteMinder r12.0 SP3 CR10 policy server to version r12.52 SP1.  We chose to do this in a "parallel" environment to minimize impact and risks on our existing applications.  I started this parallel upgrade method in our DEV environment with a single policy server and encountered numerous issues but eventually resolved them all and learned quite a bit throughout the process.  I am now finally ready for our QA environment but the upgrade is not going so well.  Right now I am dealing with an issue with the r12.0 policy server sharing the agent key and session ticket with the r12.52 policy server to enable SSO between the two.

Here are the specifics for the policy servers:

 

Current Policy Server:

*r12.0 SP3 CR10  RHEL 6

*policystore = CA Directory r12.0 SP11

 

New Policy Server:

*r12.52 SP1 CR5  RHEL6

*policystore = CA Directory r12.0 SP17

 

This is the summary of my steps in the DEV environment:

1) Install and configure the r12.52 policy server/components (parallel to the r12.0 environment)

2) Export r12.0 policy data (smobjexport -oR12.0export.smdif -dsiteminder -wpassword -v)

3) Export r12.0 agent & session ticket keys (smobjexport -oR12.0-keysexport.smdif -dsiteminder -wpassword -v -k -x)

4) Import policy data into r12.52 (smobjimport -dsiteminder -wpassword -iR12.0export.smdif -v -a3)

5) Import agent keys into r12.52 (smkeyimport -dsiteminder -wpassword -iR12.0-keysexport.smdif -v)

6) restart the r12.52 policy server and the policystore (CA Directory Server)

 

Testing SSO between r12.0 and r12.52 PS:

1) Request and authenticate against: https://current-r12-0.testsite.com (obtain SMSESSION from r12.0 PS)

2) Request the r12.52 protected site with existing r12.0 SMSESSION cookie in browser

3) SSO failed - SMSESSION cookie unable to decrypt so redirected to r12.52 for authentication

 

We want to avoid resetting the "Static Agent Key" for both the r12.0 and r12.52 policy servers because this would require restarting all of the web servers and causes interruptions.  The export/import of the agent key in our DEV environment successfully enabled SSO between the two policy servers and we want to employ the same process as we move on up to our production environment.

 

With the given information, I hope that folks can provide some tips and suggestions to help me figure this out.

 

Thanks in advance

Outcomes