
Move Keys and Certificates: SM 12.0 to 12.6

Question asked by fmoro on Oct 12, 2016
Latest reply on Oct 19, 2016 by Karmeng

Hi all.

We'd like to have more information about moving certificates from version 12.0 to version 12.6 of SSO.

Last year we moved (in another environment we have) 12.0 to 12.51 using a parallel upgrade. In that case we used two different policy stores (for 12.0 and 12.51), copy/pasted the smkeydatabase and performed with the new 12.51 (that was pointing to the new policy store) the "smmigratecds -validate" and "smmigratecds -migrate". It was a very safe way because all commands were performed in the new environment (12.51) without running any commands in the 12.0 infrastructure.



Today we are moving to 12.6 from 12.0 (another, completely different environment).

We are using a parallel upgrade. 2 different policy stores (12.0 and 12.6). 1 keystore.

After installing 12.6 and configuring a standard 12.6 policy store, we now need to copy/move the certificates (used for federation) from 12.0 to the CDS of 12.6.

As the documentation says:

"A direct migration of the r12.0x smkeydatabase to a 12.6 CDS is not possible."


So, first of all, it is boring (and time-consuming) to install another policy server, now 12.52 SP1, ONLY to migrate these certificates... Is it mandatory?

And even if... The documentation says that, after installing a 12.52 SP1, this policy server HAS TO POINT TO the 12.0 policy store. Then we also have to run "XPSDDInstall CDSObjects.xdd" to extend the schema: this is the part that is changed and that can create problems. We don't want (for safety reasons) to run any command against the 12.0 policy store (this is also why users select parallel upgrade).

So... probably the steps are:

1. Install another 12.52 SP1 and ANOTHER policy store 12.52 SP1 (so default objects).

2. Copy smkeydatabase from 12.0 to 12.52 SP1.

3. Run smmigratecds -migrate.

4. At this point we have a policy server 12.52 SP1 and a default 12.52 policy store, now also with the CDS and certificates inside.

5. After that... do we have to move again to 12.6? How? By running the 12.6 installer again on this 12.52? Or can we use our 12.6 policy server and point it to this new 12.52 policy store?


It seems the process has been complicated.

Thanks all for the explanation.