Symantec Access Management

Goodmorning,

we are planning to migrate our policy server 12.52 to 12.7 in Windows 2012.

Due that we'll do an in-place migration, we'll upgrade all objects that are working (policy store, policy server, webagent). For this reason, to be sure, we are adopting snapshots of the virtual machines.

In any case, we prefer to duplicate our current policy store dsa, so that we can safetly work without create any error in the previous dsa.

It is not clear what is the best way to create a completely copy of a dsa.

Let's say,

we have:

SERVER 1: policy server 12.52 and policy store CA DIR with one dsa1 (key store+policy store embedded).

1. We'd like to clone the current dsa1 to dsa2 (on the same server)

2. Then we point policy server to dsa2.

3. Now we can upgrade policy server and policy store.

4. In case of failure, we can point again to dsa1.

So, the question is: what is the best way to perform the point 1?

Thanks

I assume that you do NOT want any on-going replication between the duplicate and the original

One way is to use DxNewDSA to create a new DSA on the same server. When running this command, note the following:

1) you must use a different port to the current policy store

2) you must use the same base DN (prefix) as the current policy store. See $dxserver/config/knowledge/<policy-store>.dxc. You will need to convert the DN from X500 format to LDAP format. E.g. <o SiteMinder><ou PolicyStore> goes to ou=PolicyStore,o=SiteMinder

3) Make sure the new DSA is large enough. Use the "-s" flag to set the size in MB (default is 500 MB if you leave it out). Check the size of the existing Policy Server .db file under $dxserver/data

Ensure that the new DSA sources the same schema files as the existing Policy Store. Simplest way is to update $dxserver/config/servers/<new-policy-store>.dxi to source the same schema file as $dxserver/config/servers/<current-policy-store>.dxi

Then you can use DXDumpDB to dump a copy of your existing Policy Store. And then you can use DXLoadDB to load the data into your new Policy Store. Note that the current documentation states the the exported data does not need to be sorted before loading. But check the documentation for the version of CA Directory that you are using. I believe in some previous versions, it was necessary to sort the data first. If that is the case, you can use LDIFSort on the exported data before importing it into the new Policy Server.

Once you've completed the migration, test that you can log in using your service account via any LDAP Browser - e.g. JXplorer. Once you can do this, then apply whatever access controls are required - i.e. at a minimum, disable anonymous authentication.

Hope that helps

Pearse

Also I would add, after replicating the DSA you must copy encryptionkey.txt to the new policy servers so they can read encrypted data in the policy store. This file is located in your old policy servers BIN folder.

CA Directory allows you to simply copy the db file to the new DSA name.  If you want an exact duplicate of the data from DSA1  to DSA2.  You can stop the directory server DSA1 and copy the $DXHOME/data/dsa1.db file to dsa2.db.  Then when you have created DSA2 (using dxnewdsa or manually creating the files or using the new UI) - then just put the dsa2.db in the proper folder and start DSA2.  Also, FYI, the db files should be able to be moved across platforms - Linux to Windows, window to Linux.

I recently encountered this challenge during a CA directory migration containing an instance of the Policy Store.  I started with DXDumpDBto create the new DSA. once the DSA in place it was a trivial exercise copy the original DSA.db file to the new DSA instance. Thanks for the great direction!