christian.verdelli
Yes, the commands XPSDDInstall and XPSImport are needed to upgrade the Policy Store. As for your concerns about the PStore, we have to upgrade it some day; that is inevitable. So the way we address your concerns is by taking adequate backups. Take a CA SSO PStore backup using XPSExport with the -xb flag. Take a store backup using a VM snapshot or the product features of the store itself. But here are my detailed thoughts on the overall process.
ISSUE-1 : UI Issues
My thoughts: there are updates to the OIDC feature in R12.8. Hence, to use the new additions to the OIDC features, we would need to update the Data Definitions.
But this combination should / must work in R12.7 capacity, i.e. Upgraded Policy Server Binary to R12.8 --> R12.7 PStore and R12.7 WAM UI. In this mode we should / must be able to use all OIDC functions in R12.7.
This combination is invalid, i.e. Upgraded Policy Server Binary to R12.8 / R12.7 PStore and Upgraded WAM UI to R12.8. We should / must first upgrade the Policy Server binary, then the PStore, and only thereafter upgrade the WAM UI. I have a feeling from your comments that you are on this combination.
Order of Migration Tasks - CA Single Sign-On - 12.8 - CA Technologies Documentation
Now we know for a fact that we are not going to upgrade everything in a single night. There will be a period of time when we will be running in hybrid mode.
Phase-1
R12.8 PS / R12.7 PStore / R12.7 WAM UI.
Phase-2
R12.8 PS / R12.8 PStore / R12.7 WAM UI.
Phase-3
R12.8 PS / R12.8 PStore / R12.8 WAM UI.
I do see in the upgrade documentation (highlighted in Red below) a very specific statement with regard to R12.5x WAM UI not being able to communicate with R12.8 PS. It could also be due to the difference between 32-bit and 64-bit. Hence the statement that WAMUI R12.5x or later cannot communicate with R12.8 PS, as R12.5x WAMUI is 32-bit. This does raise the question of how we manage objects during the migration phase when upgrading from an R12.5x version. There is an option to leave one PS, to which the R12.5x WAMUI is connected, on the same version as the R12.5x PStore. Once the R12.5x PStore is upgraded to R12.8 PStore, use a new R12.8 UI.
But nevertheless I think from R12.6 / R12.7 we should be able to latch R12.6 / R12.7 WAMUI to R12.8 PS until the PStore is upgraded to R12.8, for administering objects. Clearly it seems that if we connect R12.8 WAMUI to R12.8 PS without upgrading the PStore to R12.8, the results have been disastrous in my Customer testing. We ended up with many WAM UI issues in this combination R12.8 PS / R12.7 PStore / R12.8 WAM UI - even basic UI functionality was broken.
ISSUE-2 : Functional Issue
You do also state that the Authorization Code flow was broken. That is serious. Needs some more investigation. From my perspective anything existing should continue working BAU (highlighted in Red below) after Phase-1 (i.e. PS Binary Upgrade). I'd recommend raising a CA Support Case. We need to see why the ClientID was not fetched via the Policy Server. Need to have logs from CA AG, Policy Server.
https://docops.ca.com/ca-single-sign-on/12-8/en/upgrading/in-place-upgrade#In-placeUpgrade-MaintainMixedEnvironments

Maintain Mixed Environments

As you migrate to 12.8, your environment can contain a combination of components at different versions. You do not have to upgrade all your components to 12.8. The following conditions exist in a mixed environment:

- If your environment has a combination of components, 12.8 Policy Servers can continue to communicate with r12.5x or later policy stores during a migration. When you start a Policy Server, it detects the policy store version. If the policy store is operating at a previous version, the policy server runs in a compatibility mode until the store is upgraded as well. In compatibility mode, the Policy Server supports only those features from the older release.
- If your environment has a mix of Policy Server versions, users can continue to access resources and have the same experience using 12.0 SP2 or 12.0 SP3 agents.
- A mixed environment can support single sign-on.

Review the following considerations before you migrate:

- A 12.8 Policy Server can communicate with an r12.5x or later policy store.
- A Policy Server version earlier than 12.52 SP2 cannot communicate with a 12.8 policy store.
- A 12.5x or later Policy Server cannot connect to a 12.8 policy store.
- A 12.52 SP2 Policy Server can communicate with a 12.8 policy store.
- A 12.5x or later Policy Server can share a key store with a 12.8 Policy Server.
- A 12.5x or later Policy Server can share a session store with a 12.8 Policy Server.
- A 12.5x or later Administrative UI cannot communicate with a 12.8 Policy Server.
- A 12.5x Web Agent can communicate with a 12.8 Policy Server.