Policy Server upgrade to 12.8 SP03 using traffic serving Policy store and key store in production environment
Article ID: 191522

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER

Issue/Introduction


We're planning a Policy Server upgrade to 12.8SP3 and we have some
questions:

 1. What would be the EncryptionKey value? Will it be the same as the
    existing Policy Servers?

 2. As we are configuring the existing production Policy Store to
    start our Policy Server 12.8 SP03 on new servers, what measures do
    we need to take before and after starting the Policy Servers? What
    settings should be in place to avoid any issues in the existing
    production environment?

 3. We are configuring the existing Key Store to start our new Policy
    Servers. What measures/settings do we need to take to avoid any
    issues in the Key Store? We are using static keys in our
    production environment.

 4. Will there be any other configuration settings that need to be
    taken care of before starting the Policy Server?

Environment


Policy Server 12.8SP3 on Red Hat 7

Resolution


1. If the Policy Server uses the same Policy and Key Stores, then the
   EncryptionKey value should be the same.

   Here are some guidance notes:

   Adding A Second Policy Server Pointing To The Same Policy Store and Key Store
   https://knowledge.broadcom.com/external/article?articleId=127169

   Further reading:
   
   Step 2: Install and Configure the Parallel Environment

     To maintain single sign-on with a common key store, all Policy
     Servers must use the same encryption key. If you do not know the
     value of the encryption key, reset the value in the policy
     store. Use the new value when installing the Policy Servers.

   https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/upgrading/parallel-upgrade/step-2-install-and-configure-the-parallel-environment.html

   Common Key Store Requirements

     Verify that all Policy Servers use the same encryption key. If
     you do not know the value of the encryption key, reset the r12.x
     value in the policy store. Use the new value when installing a
     12.8.03 Policy Server.

   https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/upgrading/parallel-upgrade/step-1-determine-the-key-store-option/common-key-store-deployment.html

2. You should ensure that the Policy Store containing the 12.52 SP1
   objects is completely healthy, by following these requirements from
   the documentation:

   Correct Integrity Errors of Policy Store

     CA Single Sign-on features strict policy store validation checks
     that prevent you from upgrading older policy stores with integrity
     errors. Before you upgrade, correct the integrity errors of your
     existing policy store.

   https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/upgrading/correct-integrity-errors-of-policy-store.html

   You should configure only one Policy Server to roll the keys if you
   have dynamic Agent keys.

   Common Key Store Requirements

    Select a single Policy Server to generate dynamic Agent
    keys. Disable Agent key generation for the remaining Policy
    Servers.

   https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/upgrading/parallel-upgrade/step-1-determine-the-key-store-option/common-key-store-deployment.html

   and

   Separate a r12.x Key Store from a Collocated Policy Store

     Disable dynamic agent key generation in the r12.x environment.
     If your environment uses static keys, this step is not
     required. However, a CA Single Sign-On administrator cannot generate a
     random agent key after you export the keys from the policy store.

   https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/upgrading/parallel-upgrade/step-1-determine-the-key-store-option/common-key-store-deployment.html
   
3. See the answer on point 2 above.
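   The two requirements quoted in points 1 to 3 (one EncryptionKey
   shared by every Policy Server on the common stores, and at most one
   generator of dynamic Agent keys) are easy to get wrong when new
   servers are added. The following pre-flight check is an added
   example, not part of this article or of the SiteMinder product: it
   reads a hand-maintained inventory of Policy Servers and reports any
   violation before the new 12.8 SP03 nodes are started. The
   `PolicyServer` record, its field names, the host labels and the
   key strings are all constructed assumptions; fill them from your own
   installation records. Keys are compared by SHA-256 fingerprint so
   the key value itself never appears in the report.

```python
"""Pre-flight consistency check for Policy Servers sharing one policy/key store.

Added example, not part of the Broadcom article or of SiteMinder itself.
The inventory layout, field names and every value below are constructed
assumptions; replace them with your own installation records.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class PolicyServer:
    name: str                    # hypothetical host label
    version: str                 # e.g. "12.52SP1" or "12.8SP3"
    encryption_key: str          # EncryptionKey entered at install time
    agent_key_generation: bool   # True if this server rolls dynamic Agent keys


def key_fingerprint(key: str) -> str:
    """Short SHA-256 fingerprint so the key itself never lands in a report."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:12]


def check_shared_store(servers: List[PolicyServer], dynamic_keys: bool) -> List[str]:
    """Return findings for the two requirements quoted in the article.

    1. Every server sharing the stores must use the same EncryptionKey.
    2. With dynamic Agent keys, exactly one server may generate them.
       With static keys the generation flag is not checked, as the
       documentation says disabling it is not required in that case.
    An empty list means the inventory satisfies both requirements.
    """
    if not servers:
        return ["no Policy Servers in inventory"]
    findings: List[str] = []

    # Requirement 1: group servers by key fingerprint; more than one group is a mismatch
    by_fp: Dict[str, List[str]] = {}
    for s in servers:
        by_fp.setdefault(key_fingerprint(s.encryption_key), []).append(s.name)
    if len(by_fp) > 1:
        groups = "; ".join(f"{fp}: {', '.join(names)}" for fp, names in sorted(by_fp.items()))
        findings.append(f"EncryptionKey mismatch across servers ({groups})")

    # Requirement 2: only relevant when dynamic Agent keys are in use
    if dynamic_keys:
        generators = [s.name for s in servers if s.agent_key_generation]
        if not generators:
            findings.append("dynamic Agent keys in use but no server generates them")
        elif len(generators) > 1:
            findings.append("more than one server generates Agent keys: " + ", ".join(generators))

    return findings


# Constructed inventory: two existing 12.52SP1 servers plus the two new 12.8SP3
# nodes. The key strings are placeholders, not real EncryptionKey values.
# ps-new-2 was installed with a different key and ps-new-1 was left with key
# generation enabled, so both requirements are violated on purpose.
INVENTORY = [
    PolicyServer("ps-old-1", "12.52SP1", "EXAMPLE-KEY-A", agent_key_generation=True),
    PolicyServer("ps-old-2", "12.52SP1", "EXAMPLE-KEY-A", agent_key_generation=False),
    PolicyServer("ps-new-1", "12.8SP3", "EXAMPLE-KEY-A", agent_key_generation=True),
    PolicyServer("ps-new-2", "12.8SP3", "EXAMPLE-KEY-B", agent_key_generation=False),
]

if __name__ == "__main__":
    for finding in check_shared_store(INVENTORY, dynamic_keys=True):
        print("FINDING:", finding)
```

   Run it once with `dynamic_keys=True` or `False` according to the
   environment; for the static-key case described in the question only
   the EncryptionKey comparison applies. An empty result is the
   condition to reach before the new Policy Servers are started against
   the production stores.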

4. We invite you to read carefully the entire Upgrading section of the
   documentation about this question:

   Upgrading
   https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/upgrading.html

   Moreover, to avoid complications specific to your environment, we
   strongly invite you to engage our Services department so that you
   benefit from their experience with environment upgrades; they will
   help you build an upgrade plan before going live.

      CA Services (now HCL)
      https://www.broadcom.com/support/ca/services-support/ca-services