Upgrading Policy Store to 12.8 SP03

Article ID: 144058

Products

CA Single Sign On Secure Proxy Server (SiteMinder) AXIOMATICS POLICY SERVER CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER

Issue/Introduction


We're upgrading the SiteMinder environment from 12.7 SP2 to 12.8 SP3, and
we'd like to know:

1. If running a separate Key Store, do the following steps from the
   documentation apply?

   08 - From the Database list, select Key Store.
   09 - From the Storage list, select LDAP.
   10 - Select Use Policy Store database.

   https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/upgrading/in-place-upgrade/upgrade-policy-store.html

2. Will the upgrade enroll new keys if we're running static keys?
3. Do we have to unflag the agent key generation?


Environment


Policy Server 12.8 SP3 on Red Hat 7


Resolution


1. Yes, you have to follow the documentation steps mentioned above, as
   they are required to upgrade the Policy Store. Once the Policy Store
   is upgraded, configure the separate Key Store in the smconsole. Do
   this before reaching the following step of the documentation:

      Restart all Policy Servers

2. With static keys, the key is defined in the Policy Store data, so the
   upgrade should not roll the keys.


3. If you uncheck "Enable Agent Key Generation" in smconsole on every
   Policy Server, you lose the ability to change the static key in the
   AdminUI. If you think you might need to change the static key, at
   least one Policy Server must have "Enable Agent Key Generation"
   checked in smconsole.

Notes:

  Key Management Considerations

  When deciding on the key management scenario for your enterprise,
  consider the following:

    When configuring dynamic keys in an environment with multiple Policy
    Servers that share a common key store, a single Policy Server must
    be nominated to perform Agent Key generation. You should disable key
    generation on all other Policy Servers.

  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-7/administrating/manage-encryption-keys/key-management-scenarios.html

If you use shared secret rollover, you'll also need "Enable Agent Key
Generation" checked in smconsole on one Policy Server:

  What is the meaning of "sharedsecrettime" parameter in SmHost.conf file?
  https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=10974