Hi Vishal,
You will not be able to do SSO if the Policy server encryption keys are different between r12.0 and r12.52.
The reason being, the Key Store Key, which is used to encrypt/decrypt the key store data, is derived from the Policy server encryption key. So, if you have a different Policy server encryption key, you effectively have a different Key Store Key, which means the agent keys encrypted by one environment will fail to decrypt on the other.
Now, our documentation advises having the r12.0 key store as the common key store in this particular use case.
Parallel Upgrade from 12.x - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation
But logically, I don't see a problem even if you use the r12.52 key store as the common key store here.
So, my suggested next step is as follows:
1. Reset r12.52 Policy server encryption key to match r12.0
(Perform a full policy store export -xb in clear text using the -npass switch, reset the encryption key and reimport the export file)
2. Create a separate r12.52 Key store.
You need to configure the policy store schema as normal. The policy store schema includes the key store schema.
Configure a Separate Key Store - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation
However, you do not have to:
- Set the super user password.
- Import the default policy store objects.
- Import the policy store data definitions.
A separate key store does not require these objects.
3. Import r12.0 Agent/Persistent keys into r12.52 key store
4. Configure r12.0 Policy server to use r12.52 key store
Note: Please test this in a lower environment first. I haven't tested this combination myself, so I'm not really sure if it works.
Hope this helps.
Regards,
Ujwol Shrestha
Ujwol's Single Sign-On Blog