Symantec Access Management

Upgrade CA single sign-on from 12.0SP3 to 12.7 version

  • 1.  Upgrade CA single sign-on from 12.0SP3 to 12.7 version

    Posted Oct 16, 2017 03:58 PM

    Hi,

    We are upgrading policy-server 12.0 SP3 to 12.7 version. This is a parallel upgrade which will involve installing policy-server 12.7 on new Linux servers. We will be migrating the 12.0 policy-store to 12.7 environment. We used policy-store as a key-store in our existing 12.0 environment and we would like to do the same for 12.7 environment. We want to have the SSO capabilities between existing web-agents and new policy-server 12.7.

    For doing this do we have to upgrade to any interim 12.5 version first or it could be direct parallel upgrade to 12.7 policy-server?

    -Response to this post is greatly appreciated.

    Thanks.



  • 2.  Re: Upgrade CA single sign-on from 12.0SP3 to 12.7 version

    Posted Oct 16, 2017 04:19 PM

    The upgrading process can be found at CA Single Sign-On 12.7 Upgrading. In the navigation panels to the left you will find different paths for In Place and Parallel upgrades. Unfortunately 12.0 must first be upgraded to a 12.5x or later release.



  • 3.  Re: Upgrade CA single sign-on from 12.0SP3 to 12.7 version

    Posted Oct 16, 2017 04:45 PM

    Thanks Sidney for your response. I was reading the documentation on the below link as well which explains about certificate data store which is not available in 12.0 release. I am not 100% sure as to why interim version upgrade is required. In our 12.0 environment key-store and policy-store are collocated. We don't have any smkeydatabase content to migrate to new environment. Do we still need to upgrade to interim version first? Just for clarification that this is a parallel upgrade and not in-place.

    https://docops.ca.com/ca-single-sign-on/12-6-01/en/upgrading/parallel-upgrade-from-12-x/copy-private-keys-and-certificates-to-12-6-01-12-0x-environments-only



  • 4.  Re: Upgrade CA single sign-on from 12.0SP3 to 12.7 version

    Posted Oct 16, 2017 04:54 PM

    If you do not have content in smkeydatabase, you won't need an interim 12.5.x environment.

     

    You can just follow the parallel upgrade guide above and just skip stage 2.



  • 5.  Re: Upgrade CA single sign-on from 12.0SP3 to 12.7 version

    Posted Oct 16, 2017 05:38 PM

    One reason I could think of is "smmigratecds.sh" is no longer shipped with R12.6 and R12.7.

     

    smmigratecds.sh is available in R12.52 SP1 (all CRs).

     

    It is already confirmed that there is no content within smkeydatabase in R12.0. So you should be able to skip this interim step as it is mentioned only for smkeydatabase migration.

     

    Another crude alternative for the folks who do have / use smkeydatabase in R12.0 and would want to avoid the interim upgrade is to look at the smkeytool export command in R12.0. Write a small wrapper around smkeytool to export certificates / keys based on their Type, e.g.

    echo "Exporting Certificate Type : CertificateAuthorityEntry"

    echo "Exporting Certificate Type : CertificateEntry"

    echo "Exporting Certificate Type : KeyEntry"

    Once all certs / keys are exported then import them into R12.6 / R12.7 using the smkeytool import command.



  • 6.  Re: Upgrade CA single sign-on from 12.0SP3 to 12.7 version

    Posted Oct 16, 2017 05:16 PM

    Hi Ujwol,

    I am saying this based on the data I have in our environment. The smkeydatabase directory doesn't have any content. I am assuming that means no smkeydata to migrate to CDS? smkeydb is in policy-store. Does that mean we still need interim upgrade? I also wanted to mention that we use cert7.db for certificate database. Does the upgrade to interim version probably address migration of certs?

     

    Thanks.



  • 7.  Re: Upgrade CA single sign-on from 12.0SP3 to 12.7 version
    Best Answer

    Posted Oct 16, 2017 06:40 PM

    Hi Pooja,

     

    The cert7.db and smkeydatabase are used for different purposes.

     

    smkeydatabase

    The purpose of the smkeydatabase in r12.0 was to store the certificates used for signing, verification, encryption, and decryption between a SiteMinder asserting party and a SiteMinder relying party. So basically for federation use cases.

     

    The actual location of the smkeydatabase can be configured in smkeydatabase.properties file located at 

     

    siteminder_home\config\properties (Windows)
    siteminder_home/config/properties (UNIX)

     

    The property that points to the smkeydatabase location is: DBLocation

    CA SiteMinder Integrated Documents r12.0 SP3 

     

    cert7/cert8 db (Netscape certificate database)

    This database is used to store the SSL certificate used to connect to the LDAP user store.

     

    You can use the Mozilla Network Security Services (NSS) certutil application that is installed with the Policy Server to convert existing cert7.db certificate database files to cert8.db format.

     

    Policy Server Installation and Upgrade Considerations - CA Single Sign-On - 12.6.01 - CA Technologies Documentation 

    To convert the certificate database file

    1. From a command prompt, navigate to the Policy Server installation bin directory.
      Example: 

      C:\Program Files\CA\siteminder\bin

      Windows has a native certutil utility. Verify that you are working from the Policy Server bin directory, or you can inadvertently run the Windows certutil utility.

    2. Enter the following command:

      certutil -L -d certificate_database_directory [-p prefix_name] -X
      • -d certificate_database_directory
        Specifies the directory that contains the certificate database files to convert.
      • -p prefix_name
        (Optional) Specifies any prefix that is used when creating the existing cert7.db file (for example, my_cert7.db).
      Certutil converts the existing cert7.db file to cert8.db format.

     

    In summary, if you are not using smkeydatabase or do not have content in it, you can skip the interim installation of the r12.52SP1 policy server, as that step is used just to migrate the smkeydatabase to the new Certificate Data Store (CDS), which is now maintained in the policy store itself.

     

    Regards,

    Ujwol
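
    The replies above make the interim 12.5x step depend on whether the directory named by DBLocation in smkeydatabase.properties holds any content. The following is an added example (not from the posters or the CA documentation) that automates that check on UNIX; it assumes the properties file is plain key=value text and that DBLocation is an absolute path, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not CA/Broadcom code. Assumes smkeydatabase.properties is a
# plain key=value file and that DBLocation holds an absolute UNIX path.

# Print the DBLocation value from a properties file (last definition wins).
smkeydb_location() {
    # Matches "DBLocation=value" or "DBLocation = value"; commented-out
    # lines (starting with #) do not match. CR and trailing blanks are removed.
    sed -n 's/^[[:space:]]*DBLocation[[:space:]]*[=:][[:space:]]*//p' "$1" \
        | tail -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//'
}

# Print one of: no-dblocation | missing-dir | empty | populated
smkeydb_status() {
    props=$1
    if [ ! -r "$props" ]; then echo "no-dblocation"; return 0; fi
    dir=$(smkeydb_location "$props")
    if [ -z "$dir" ]; then echo "no-dblocation"; return 0; fi
    if [ ! -d "$dir" ]; then echo "missing-dir"; return 0; fi
    # Count regular files anywhere under the directory, hidden ones included.
    count=$(find "$dir" -type f | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        echo "empty"        # nothing to migrate to the certificate data store
    else
        echo "populated"    # keys/certificates exist and need a migration path
    fi
}

# Usage: sh check_smkeydb.sh siteminder_home/config/properties/smkeydatabase.properties
if [ -n "$1" ]; then
    smkeydb_status "$1"
fi
```

    Run it on every 12.0 Policy Server, since each one accessed its own local smkeydatabase; anything other than "empty" on any server means the keys and certificates still need to be carried over.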



  • 8.  Re: Upgrade CA single sign-on from 12.0SP3 to 12.7 version

    Posted Oct 17, 2017 11:31 AM

    Hi Ujwol,

     

    Thanks a lot for the response. I was wondering if you know from which version smkey moved to the policy-store. I think in version 6x it used to be in the flat files, and that's where the smkeydatabase dir used to have that data? Please correct me if I am wrong. In our existing setup for the 12.0 SiteMinder installation this dir is empty, so I just want to make sure that the smkey will get imported to the new 12.7 env when we import the existing policy-store to the new 12.7.

     

    Thanks a lot.



  • 9.  Re: Upgrade CA single sign-on from 12.0SP3 to 12.7 version

    Posted Oct 17, 2017 08:27 PM

    Hi,

     

    The smkey database was migrated to the policy store (now known as CDS, certificate data store) as of r12.5 GA.

    From the r12.5 release notes:

     

    CA SiteMinder Integrated Documents r12.5 

     

    SiteMinder Key Database

    In previous releases, a SiteMinder smkeydatabase stored private key/certificate pairs and standalone certificates. SiteMinder used these keys and certificates for signing, verification, encryption and decryption functions. Each Policy Server in the deployment accessed a local version of the smkeydatabase.

    This release replaces the need for multiple, local smkeydatabases with a single certificate data store. By default, the certificate data store is automatically configured and co–located with the policy store. All Policy Servers that share a common view into the same policy store have access to all certificates and keys in the environment.

    Note: For more information about managing the certificate data store, see the Policy Server Configuration Guide and the Policy Server Administration Guide. For more information about migrating a smkeydatabase to the certificate data store, see the SiteMinder Upgrade Guide.

     

    Regards,

    Ujwol



  • 10.  Re: Upgrade CA single sign-on from 12.0SP3 to 12.7 version

    Posted Oct 17, 2017 08:41 PM

    Hi Ujwol,

     

    Thank you so much for the response. We are at 12.0 policy-server release. I am getting surprised as the smkeydata directory doesn't have any content and obviously this release doesn't have Certificate data store. Do you have any suggestion on how we can locate this smkeydata? I also checked the property file as you suggested. The property file is pointing to this empty dir.

    Thanks again for your help.



  • 11.  Re: Upgrade CA single sign-on from 12.0SP3 to 12.7 version

    Posted Oct 17, 2017 08:44 PM

    That is perfectly fine. It just means you have no data to be stored in smkey database.

    I am guessing you do not use any federation functionality?



  • 12.  Re: Upgrade CA single sign-on from 12.0SP3 to 12.7 version

    Posted Oct 17, 2017 09:00 PM

    Hi Ujwol,

    You are right, that might be the reason.

    Thanks so much.



  • 13.  Re: Upgrade CA single sign-on from 12.0SP3 to 12.7 version

    Posted Oct 17, 2017 09:02 PM

    If your question is now answered, please mark appropriate answer as correct to close this thread.