Upgrading to 12.8.03 Policy Server

book

Article ID: 186231

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER

Issue/Introduction

Questions related to upgrade Policy Servers from 12.6.01 to 12.8.03

Environment

Release : 12.8.03

Component : SITEMINDER -WEB AGENT FOR APACHE

Resolution

1. The upgrading the policy Store Step - Importing the data definitions, default policy store objects and the federation objects -

Does that cause an outage? Does the Store continue running while these imports are being performed? 

=============
when you are doing an upgrade, it is an assumption that we have shutdown the policy servers. so ideally you have scheduled an outage period for this activity,

But if it is not an ideal situation, then you may have the policy servers running but eventually you will need to restart the policy servers in turn, one by one,

when policy server caches the policy store objects, it is an assumption that the sub branch objects would be updated,

but in case of policy store upgrade, everything may get updated including the root object. in that case the running policy server may get confused and malfunction,

So it is always good to shutdown all the policy servers, upgrade the policy store, then start all the policy servers

if not, the option would be to have a policy store migration and this also means the policy servers may host different data during the cut-over time
=============

2. I stand up a new 12.8 Policy Server (same Encryption Key) and have it connected to the new upgraded 12.8 Policy Store -

After the above is done do you need to re-register agents ? Or you just have to change the HCO to have the new Policy Server IP's and the SSO continues to work as before?

==============

if the effective encryption key is the same, there is no need to re-register trusted host,

in case if there are bad handshake errors, that is a bad situation and you need to re-register,

==============

3. If I stand up a fresh new 12.8 Store using CA Directory and import the existing 12.6 Policy Store into it and point new 12.8 Policy Servers to it. 

-This will require Agent Re-registration correct?   If the new 12.8 Policy Servers use the same encryption key will it work without agent re-registration (Just HCO)?

===============

The encryption key must be the same, it does not matter whether it is ca directory or oracle DB, it is transparent to policy server.

As long as the encryption key is the same, then there will be no handshake errors and hence no need to re-register,

===============