QUESTION :
12.0 policy-server + 12.0 pstore+ key store collocated (old environment: old ps + old agents talking to old ps)
12.7 policy-server + copy of 12.0 pstore+key store collocated (which is cleaned and no integrity errors as it is not original 12.0 pstore)
As you can see, both policy servers have an independent setup. In this case, can we still achieve SSO through Common key store: option #1?
SUGGESTION :
Why do we need to sync keys across different KStores or use a common KStore? Because an SMSESSION generated (encrypted) by a WebAgent latched onto either CA SSO Policy Server (R12.0 or R12.7) should be understood (decrypted) by the consuming WebAgent, which is latched onto either CA SSO Policy Server (R12.0 or R12.7).
The basic question to answer is whether you would like the CA SSO Policy Servers (R12.0 and R12.7) to point to the same KStore or to have their own respective KStores.
Yes, you can very much achieve SSO in your setup. Each CA SSO ENV has its own PStore/KStore.
12.0 policy-server + 12.0 pstore+ key store collocated (old environment: old ps + old agents talking to old ps)
12.7 policy-server + copy of 12.0 pstore+key store collocated (which is cleaned and no integrity errors as it is not original 12.0 pstore). To put it more clearly, this is an R12.7 pstore+key store collocated with a copy of the migrated 12.0 policy data.
First begin by identifying the following things.
- [A] Does your R12.0 ENV use DYNAMIC KEYS or STATIC KEYS?
- [B] If it uses DYNAMIC KEYS and you'd like the different versions of CA SSO to use their own respective PStore/KStore, then you have to turn off DYNAMIC KEYS. Switch to STATIC KEYS in R12.0 and R12.7 (log in to both WAMUIs and set a KEY value you like), so the keys are the same in both ENVs. Save the key very securely for future need. After the migration is 100% complete, you may switch to DYNAMIC KEYS in R12.7.
- [C] If it uses STATIC KEYS, do you know what the KEY VALUE is? Have you stored it securely somewhere? If yes, then copy the same key value. Log in to the R12.7 WAMUI and save the STATIC KEY. Now the keys are in sync between R12.0 and R12.7.
- [D] An alternative to [C], where you forgot the STATIC KEY in R12.0, is to use the key export utility in R12.0 and import that key file into R12.7 using the key import utility. I'd like to add a slight caution: when exporting keys, pay attention to whether the keys are getting exported correctly; older versions of smkeyexport have had issues.
This is what the documentation elaborates in a more formalized manner.