Upgrading Policy Store to 12.8 SP03


Article ID: 144058



CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER



We're upgrading the SiteMinder environment from 12.7SP2 to 12.8SP3 and
we'd like to know:

1. If running a separate Key Store, do the following steps from the
   documentation apply:

   08 - From the Database list, select Key Store.
   09 - From the Storage list, select LDAP.
   10 - Select Use Policy Store database.


2. Will the upgrade enroll new keys if we're running static keys?
3. Do we have to unflag the key agent generation?




Policy Server 12.8SP3 on RedHat 7




1. Yes, you have to follow the documentation steps mentioned
   above. They are needed to upgrade the Policy Store. Once the
   Policy Store is upgraded, you configure the separate Key Store
   in smconsole. Do this before the following documentation section:

      Restart all Policy Servers

2. If you use static keys, this is defined in the Policy Store data, so
   the keys shouldn't be rolled.


3. If you unflag "Enable Agent Key Generation" in smconsole, you
   won't be able to change the static key in the AdminUI. If you
   think you might need to change the static key, at least one
   Policy Server must have "Enable Agent Key Generation" checked
   in smconsole.

Notes:

  Key Management Considerations

  When deciding on the key management scenario for your enterprise,
  consider the following:

    When configuring dynamic keys in an environment with multiple Policy
    Servers that share a common key store, a single Policy Server must
    be nominated to perform Agent Key generation. You should disable key
    generation on all other Policy Servers.


If you use shared secret rollover, you'll also need "Enable Agent
Key Generation" checked in smconsole on one Policy Server:

  What is the meaning of "sharedsecrettime" parameter in SmHost.conf file?