Symantec Access Management


Policy-server parallel upgrade from 12.0 to 12.7 key-store deployment

  • 1.  Policy-server parallel upgrade from 12.0 to 12.7 key-store deployment

    Posted Oct 17, 2017 09:49 AM

    Hi,

    We have a collocated key and policy-store in our existing 12.0 policy-server (we use the policy-store as the key-store). After setting up the new 12.7 environment, we want to keep the collocated key and policy-store. We also want to maintain SSO with the existing agents which are connected to the 12.0 environment as of today. We are looking for the best way to migrate the keys to the new 12.7 policy-server for the parallel upgrade.

    I am going through the documentation link below. It suggests separating the key store from the policy-store by installing a 12.0 environment where the two stores are not collocated. Why is that required? Please suggest.

     

    https://docops.ca.com/ca-single-sign-on/12-7/en/upgrading/parallel-upgrade/select-an-sso-key-store-option/common-key-store-deployment



  • 2.  Re: Policy-server parallel upgrade from 12.0 to 12.7 key-store deployment

    Posted Oct 17, 2017 08:36 PM

    You have two choices here:

     

    1. Common key store deployment (both r12.0 and r12.7 pointing to centralized common key store)
    2. Multiple key store deployment (both r12.0 and r12.7 pointing to their own key store)

     

    If you go with option (1), you will need to separate out the key store. Otherwise, the two environments may interfere with each other's policy data as well.

     

    If you go with option (2), you do NOT need to separate out the key store from the policy store. You can still have the collocated policy store and key store. Each of the key stores will have the same static keys (both persistent and agent keys).

     

    Let me know if you have any further question.

     

    Regards,

    Ujwol



  • 3.  Re: Policy-server parallel upgrade from 12.0 to 12.7 key-store deployment

    Posted Oct 17, 2017 09:15 PM

    Hi Ujwol,

    The documentation talks about separating the key store by first installing a 12.0 policy-server in non-collocated mode. I don't think we will have servers available to install 12.0. The existing 12.0 installations are in collocated mode.

    If we go with option 1), can we use the smkeyexport and smkeyimport utilities without separating the policy-store and key-store?



  • 4.  Re: Policy-server parallel upgrade from 12.0 to 12.7 key-store deployment

    Posted Oct 17, 2017 09:19 PM

    You asked -"if we go by option 1), can we use smkeyexport and smkeyimport utility without separating the policy-store and key-store?"

     

    Ujwol => Yes, you can.

     



  • 5.  Re: Policy-server parallel upgrade from 12.0 to 12.7 key-store deployment

    Posted Oct 18, 2017 10:25 AM

    Hi Ujwol,

    I think I made it confusing by opening up a separate thread. I thought it would be easier to follow them, one for establishing the parallel pstore+key-store and one for making SSO work between the new and existing environments. I am still confused/trying to figure out which option can be deployed in our situation:

    Common key store OR

    Multiple key store

    I also replied back to Denis on the same note in other thread.

     

    12.0 policy-server + 12.0 pstore+ key store collocated (old environment: old ps + old agents talking to old ps)

    12.7 policy-server + copy of 12.0 pstore+key store collocated (which is cleaned and no integrity errors as it is not original 12.0 pstore)

    As you can see, both policy-servers have independent setups. Now in this case can we still achieve SSO through

    Common key store: option#1?



  • 6.  Re: Policy-server parallel upgrade from 12.0 to 12.7 key-store deployment

    Posted Oct 18, 2017 10:36 AM

    QUESTION :

    12.0 policy-server + 12.0 pstore+ key store collocated (old environment: old ps + old agents talking to old ps)

    12.7 policy-server + copy of 12.0 pstore+key store collocated (which is cleaned and no integrity errors as it is not original 12.0 pstore)

    As you can see, both policy-servers have independent setups. Now in this case can we still achieve SSO through

    Common key store: option#1?

     

    SUGGESTION :

    Why do we need to sync keys across different KStores or use a common KStore? Because an SMSESSION generated (encrypted) by a WebAgent latched onto either CA SSO Policy Server (R12.0 or R12.7) should be understood (decrypted) by the consuming WebAgent, which is latched onto either CA SSO Policy Server (R12.0 or R12.7).

     

    The basic thing to answer is whether you would like the CA SSO Policy Servers (R12.0 and R12.7) to point to the same KStore OR to have their own respective KStores.

     

    Yes, very much, you can achieve SSO in your setup. Each CA SSO ENV has its own PStore/KStore.

    12.0 policy-server + 12.0 pstore+ key store collocated (old environment: old ps + old agents talking to old ps)

    12.7 policy-server + copy of 12.0 pstore+key store collocated (which is cleaned and has no integrity errors as it is not the original 12.0 pstore). For better words and clarity, this is an R12.7 pstore+key store collocated with a copy of the migrated 12.0 policy data.

     

    First begin by identifying the following things.

    • [A] Does your R12.0 ENV use DYNAMIC KEYS or STATIC KEYS?
    • [B] If it uses DYNAMIC KEYS and you'd like the different versions of CA SSO to use their own respective PStore/KStore, then you have to turn off DYNAMIC KEYS. Switch to STATIC KEYS in R12.0 and R12.7 (log in to both WAMUIs and set a KEY value you like), so the keys are the same in both ENVs. Save the key very securely for future need. After the migration is 100% complete, you may switch to DYNAMIC KEYS in R12.7.
    • [C] If it uses STATIC KEYS, do you know what the KEY VALUE is? Have you stored it securely somewhere? If yes, then copy the same key value. Log in to the R12.7 WAMUI and save the STATIC KEY. Now the keys are in sync between R12.0 and R12.7.
    • [D] An alternative to [C], for when you have forgotten the STATIC KEY in R12.0: use the key export utility in R12.0 and import that key file into R12.7 using the key import utility. I'd like to add a slight caution: when exporting keys, pay attention to whether the keys are exported correctly; older versions of smkeyexport have had issues.

     

    This is what the documentation elaborates in a more formalized manner.



  • 7.  Re: Policy-server parallel upgrade from 12.0 to 12.7 key-store deployment

    Posted Oct 18, 2017 12:27 PM

    We are using static key and we know its value.



  • 8.  Re: Policy-server parallel upgrade from 12.0 to 12.7 key-store deployment

    Broadcom Employee
    Posted Oct 16, 2018 10:12 PM

    Hello,

     

    I'm working with a customer dealing with similar circumstances, where they would like to execute a parallel upgrade with two separate SSO environments, each with its own policy server and key store setup.

     

    I have a couple questions:

     

    1) Is it possible to just set a new static agent and session key value in both existing and new environments and have SSO between the two environments?

     

    2) Would doing so still require the export of keys from existing SSO environment and import into new SSO environment?

     

    3) Are there unintended outcomes I should be aware of by just setting new key values?

     

    Thanks for any information that can be shared.

     

    Regards,

     

    Michael Pass 



  • 9.  Re: Policy-server parallel upgrade from 12.0 to 12.7 key-store deployment

    Posted Oct 16, 2018 10:52 PM

    Micheal pasmi02

     

     

    1) Is it possible to just set a new static agent and session key value in both existing and new environments and have SSO between the two environments?
    Yes, very much. But the thing we need to be careful about is that when we set a new KEY, all Web Agents need to pick up the new KEY. There have been instances where WebAgents did not pick up the new KEY unless they were restarted. For that reason some organizations had to do a rolling restart of all Web Servers after the KEYs were reset (this is just a very precautionary, but also a very tedious, step).

     

     

    2) Would doing so still require the export of keys from existing SSO environment and import into new SSO environment?
    No. If you are setting the KEYS to brand-new static keys across both ENVs using the WAM UI, then we do not need to export. But I'd recommend that we save the KEY some place very secure, e.g. a Password Vault, just so that we can refer back to it in future.

     

     

    3) Are there unintended outcomes I should be aware of by just setting new key values?

    Since we are switching from Dynamic Keys to Static Keys, all 4 Key Markers will be reset to Static Keys. Hence there is no way for the WebAgent to try and decrypt an SMSESSION that was already encrypted with a Dynamic Key. Logged-in users' SMSESSIONs will be invalid, as WebAgents (which have received the new KEYs) will not be able to decrypt the SMSESSION using the new keys. Hence it is recommended to perform this when user traffic is at its lowest. If the user closes the browser and reattempts to log in, they should be fine.

     

    As long as the WebAgent does not receive the KEY update from the Policy Server, existing SMSESSIONs will work. The moment the WebAgent receives the KEY update from the Policy Server (Static Key), existing SMSESSIONs will be invalid. Hence it'd be best to make the user community aware, if the organization runs round the clock OR has a presence across geos, since there'd always be user traffic.

     

     

    Hope it helps Mike.

     

     

    Regards

    Hubert
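The following is an added, illustrative model written for this thread; it is not CA/Symantec code and the cookie format is a constructed stand-in for SMSESSION. It puts into code the two points Hubert makes in posts 6 and 9: a cookie issued by an agent on one environment can only be consumed by an agent on the other when both key stores carry the same static key (option 2), and resetting all four key markers to a static value invalidates existing cookies the moment an agent picks up the update, while cookies keep working on agents that have not yet refreshed. Assumptions of the model: the four key markers (old, current, future, persistent) are named as the thread describes them; an agent tries the current and then the old key on inbound cookies; the key is derived from the static value with SHA-256 and the cookie is sealed with a toy HMAC-based cipher; all key values and user names are constructed.

```python
"""Toy model (not CA/Symantec code) of cross-environment SSO and key resets."""
import hashlib
import hmac
import secrets

# Assumption: the four key markers held in a key store, as named in the thread.
MARKERS = ("old", "current", "future", "persistent")


def derive_key(static_value):
    """Constructed derivation: 256-bit key from the static value typed into WAMUI."""
    return hashlib.sha256(static_value.encode("utf-8")).digest()


def _keystream(key, nonce, length):
    """HMAC counter keystream for the toy cipher below."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Toy authenticated encryption: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key, token):
    """Plaintext if the tag verifies under this key, otherwise None."""
    nonce, ct, tag = token[:16], token[16:-32], token[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KeyStore:
    """Key store with four markers; static mode sets all four to one value."""

    def __init__(self, static_value=None):
        if static_value is None:
            # Dynamic keys: every marker holds an independent random key.
            self.keys = {m: secrets.token_bytes(32) for m in MARKERS}
        else:
            self.set_static(static_value)

    def set_static(self, static_value):
        """'All 4 Key Markers will be reset to Static Keys'."""
        k = derive_key(static_value)
        self.keys = {m: k for m in MARKERS}


class WebAgent:
    """A Web Agent works from the keys it last received from its Policy Server."""

    def __init__(self, store):
        self.store = store
        self.cache = dict(store.keys)

    def refresh(self):
        """Pick up a key update (what a restart forces, per the thread)."""
        self.cache = dict(self.store.keys)

    def issue_smsession(self, user):
        return seal(self.cache["current"], user.encode("utf-8"))

    def accept_smsession(self, cookie):
        # Assumption: inbound cookies are tried with current, then old.
        for marker in ("current", "old"):
            pt = open_sealed(self.cache[marker], cookie)
            if pt is not None:
                return pt.decode("utf-8")
        return None


def sso_with_same_static_key():
    """Option 2: two collocated key stores seeded with one static value."""
    agent_12_0 = WebAgent(KeyStore("constructed-static-key-value"))
    agent_12_7 = WebAgent(KeyStore("constructed-static-key-value"))
    return agent_12_7.accept_smsession(agent_12_0.issue_smsession("alice"))


def sso_with_unsynced_keys():
    """Independent dynamic key stores: the other side cannot read the cookie."""
    cookie = WebAgent(KeyStore()).issue_smsession("alice")
    return WebAgent(KeyStore()).accept_smsession(cookie)


def sessions_across_static_reset():
    """Cookie survives until the agent receives the reset, then it is invalid."""
    store = KeyStore()                      # dynamic keys before the change
    agent = WebAgent(store)
    cookie = agent.issue_smsession("alice")
    store.set_static("new-static-key-value")
    before_update = agent.accept_smsession(cookie) == "alice"
    agent.refresh()                         # agent picks up the new keys
    return before_update, agent.accept_smsession(cookie)
```

`sso_with_same_static_key()` returns `"alice"`, `sso_with_unsynced_keys()` returns `None`, and `sessions_across_static_reset()` returns `(True, None)`: the same cookie is accepted by an agent still holding the old dynamic keys and rejected once that agent has refreshed, which is why Hubert advises doing the reset at the lowest-traffic window and warning users.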



  • 10.  Re: Policy-server parallel upgrade from 12.0 to 12.7 key-store deployment

    Broadcom Employee
    Posted Oct 17, 2018 12:34 PM

    ******UPDATED MY POST******

     

    Hey Hubert,

     

    Thanks so much for your response.

     

    I think we will elect to export the keys from 12.0 and import into 12.7.

     

    I'm thinking the process would be:

    1) Ensure that "Use static Agent Key" is checked via WAMUI in r12.0 environment.

    2) Export keys from r12.0 using smexportkey

    3) Import keys into r12.7 using smimportkey

     

    Is this the correct process?

     

    Thanks,

     

    Michael Pass



  • 11.  Re: Policy-server parallel upgrade from 12.0 to 12.7 key-store deployment

    Posted Oct 17, 2018 11:16 PM

    Spoke with Michael offline and suggested...

     

    1) Ensure that "Use static Agent Key" is checked via WAMUI in r12.0 environment.

    2) We need to provide a Static Key and hit rollover now.

    3) {a} We can then export the keys (in clear text) from R12.0 and import into R12.7.

        OR

    3) {b} We can login to R12.7 WAMUI. Repeat Step-1 and 2. Paste the Static Key we provided in Step-2 and hit rollover.



  • 12.  Re: Policy-server parallel upgrade from 12.0 to 12.7 key-store deployment
    Best Answer

    Posted Oct 18, 2017 12:49 PM
    I would recommend going with Option 2.


    - Have 12.0 and 12.7 point to their own key store (collocated with the policy store).

    - Export static keys from 12.0

    - Import static keys (from 12.0) into 12.7