Complete the Upgrade Prerequisites

Complete the following upgrade prerequisites before you begin any upgrade method:
casso1283
Complete the following upgrade prerequisites before you begin any upgrade method:
Determine the Upgrade Path
Review the available upgrade paths for each component.
Note
:
I
represents an in-place upgrade,
R
represents a rolling upgrade, and
P
represents a parallel upgrade.
Policy Server and Administrative UI
The following table lists the possible upgrades to Policy Server 12.8.03 and Administrative UI 12.8.03:
Release/Operating System
Windows 2008
Windows 2008 R2
Windows 2012 R2
RHEL 5 32-bit
RHEL 5 64-bit
RHEL 6 32-bit
RHEL 6 64-bit
RHEL 7 64-bit
Solaris 10
Solaris 11
12.51
R, P
R, P
n/a
R, P
R, P
R, P
I
,
R, P
n/a
R, P
R, P
12.52 SP1
R, P
R, P
n/a
R, P
R, P
R, P
I
,
R, P
n/a
R, P
R, P
12.52 SP2
n/a
n/a
I
,
R, P
n/a
n/a
n/a
n/a
n/a
n/a
n/a
12.6.01
n/a
n/a
I
,
R, P
n/a
n/a
n/a
I
,
R, P
I
,
R, P
n/a
n/a
12.7
n/a
n/a
I
,
R, P
n/a
n/a
n/a
I
,
R, P
I
,
R, P
n/a
n/a
Review the following consideration:
  • The 12.8.03 Policy Server is a 64-bit executable and requires Windows Server 2012 R2. You cannot perform an in-place upgrade of 12.52 SP2 Policy Server that is insalled in the Program Files (x86) directory. The 12.8.03 Policy Server is a 64-bit application and only 32-bit applications belong in this directory. If you are upgrading from a release earlier than 12.52 SP2 or if your 12.52 SP2 Policy Server is installed under the Program Files (x86) directory, install a new Policy Server on Windows Server 2012 R2.
Access Gateway
The following table lists the possible upgrades to Access Gateway 12.8.03:
Release/Operating System
Windows 2008
Windows 2008 R2
Windows 2012 R2
RHEL 5 32-bit
RHEL 5 64-bit
RHEL 6 32-bit
RHEL 6 64-bit
RHEL 7 64-bit
Solaris 10
Solaris 11
12.51
R, P
R, P
n/a
R, P
R, P
R, P
I
,
R, P
n/a
R, P
R, P
12.52 SP1
R, P
R, P
I
,
R, P (12.52 SP1 CR02 and later)
R, P
R, P
R, P
I
,
R, P
n/a
R, P
R, P
12.52 SP2
n/a
n/a
n/a
n/a
n/a
n/a
n/a
n/a
n/a
n/a
12.6.01
n/a
n/a
I
,
R, P
n/a
n/a
n/a
I
,
R, P
I
,
R, P
n/a
n/a
12.7
n/a
n/a
I
,
R, P
n/a
n/a
n/a
I
,
R, P
I
,
R, P
n/a
n/a
Web Agent
No upgrades are available for Web Agent. The existing 12.x Web Agents are compatible with 12.8.03 Policy Servers. If you want to upgrade agents to a newer version, you can upgrade to agents versions 12.52 SP1 CR
n
.
To upgrade 12.0x agents to 12.52 SP1, see the 12.52 SP1 documentation for instructions.
Prepare for a 64-bit Environment
Recompile all the 32-bit custom binaries for a 64-bit environment. This includes the custom components provided by CA Technologies or the ones you built yourself. Then, copy the recompiled binaries to the 12.8.03 Policy Server.
Determine the Upgrade Strategy
The upgrade strategy is critical to ensure that the upgrade is completed efficiently without exposing sensitive resources to security risks or downtime.
An upgrade strategy can consist of:
  • A test environment.
    Set up a test environment and try an upgrade to become familiar with the process. A test upgrade helps you identify and troubleshoot issues that can bring down mission-critical resources when you upgrade a production environment.
  • Verification of third-party products and hardware.
    Determine if this release supports your current third-party products and hardware. For a list of supported CA and third-party components, see Platform Support Matrix.
  • A site analysis.
    Determine the current state of your environment and when it is the best time to update each component.
  • A list of  components.
    List the individual components that you plan on upgrading and identify where each component is being hosted.
  • A recovery plan.
    Back up your existing components in the case you experience problems during the migration.
  • Available upgrade paths.
    Determine the individual component upgrade paths.
  • (For in-place and rolling upgrades) Mixed-mode support.
    Develop an understanding of mixed mode support.
  • Performance testing.
    Develop a strategy to performance test the environment when the upgrade is complete.
Review Release Notes
Before you begin an upgrade, we recommend that you review Release Notes for installation and upgrade considerations in this release.
Analyze Your Environment
Analyze your environment to determine the complexity of your upgrade. Consider the following questions:
Question
Recommendation
How many Policy Servers and Agents are running in your environment?
Use the Policy Server audit logs to determine the number.
What are the versions of Policy Server and Agents?
Use the Policy Server audit logs to determine the versions.
Which Policy Servers are communicating with which Agents?
Use the Policy Server audit logs to determine this information.
What time of day do you encounter the least traffic at each site?
Review your web server logs and the Policy Server audit logs.
Are your Agents working in failover or round robin mode?
To maintain failover and round robin, refer to Maintaining Mixed Environments.
Does the latest release support your third-party hardware and software?
See the Platform Support Matrix on the Technical Support Site.
Do you have software that CA Professional Services customized?
Contact Support for instructions.
Do you have any customized files that can be overwritten by the upgrade?
Back up customized files before beginning the migration.
Do you have any custom components that are 32-bit?
Recompile the custom components for 64-bit.
The following figure shows the components to consider before upgrading:
Upgrade-ready Components
Upgrade-ready Components
Review Upgrade Considerations
Administrative UI Protection with
SiteMinder
You can protect an Administrative UI with
SiteMinder
. Complete the following steps:
  1. Configure an agent to work with a reverse proxy server.
  2. Configure an external administrator store and enable authentication.
If you have configured Administrative UI with an external administrator store in 12.5x, complete the following steps:
  1. Configure an agent to work with a reverse proxy server.
  2. Reconfigure the external administrator store with the required agent settings.
The Administrative UI does not retain the settings when you reconfigure the store. Before you reconfigure the connection, view the connection and record the settings.
Maintaining Single Sign-On
You can maintain single sign-on during the upgrade to 12.8.03. Consider the following items:
  • A 12.8.03 Policy Server can communicate with a 12.5x or later policy store and a r12.5x or later key store.
  • A 12.8.03 Policy Server can communicate with a 12.5x or later session store.
Certificate Data Management
The certificate data store is where you store private keys and certificates. Note the following requirements:
  • All Policy Servers that share a common view into the same policy store have access to the same keys, certificates, and certificate revocation lists (CRL).
  • The certificate data store makes the following available to the
    SiteMinder
    environment:
    • Certificate authority (CA) certificates
    • Public and private keys
    • Certificate revocation lists
  • You can continue to use the smkeytool utility to manage the certificate data store. However, several options were deprecated in Release 12.6.01. For more information, see the Policy Server Changed Features
    in the Release Notes of Release 12.6.01
    .
  • If a CRL is stored in an LDAP directory service, consider the following items:
    • SiteMinder
      no longer requires that the issuer of the CRL is the same CA that issued the corresponding root certificate.
    • SiteMinder
      no longer performs this check. This behavior is consistent with the requirements for a text-based CRL.
Federation Integration
All Federation Security Services functionality available in the FSS Administrative UI has been moved to Administrative UI. If you were managing a federated environment, this functionality is referred to as
legacy federation
.
Administrative UI also includes
partnership federation
. This functionality is specific to the partnership-based federation that is available in
SiteMinder
.
Advanced Password Services
If you have deployed Advanced Password Services, a Policy Server upgrade retains all LANG (translation), CFG (configuration), and mail files. The default versions of the files are installed to
siteminder_home
\samples.
siteminder_home
specifies the Policy Server installation path.
SiteMinder
Integration with CA Advanced Authentication
If you integrated
SiteMinder
12.5x or earlier with CA Advancded Authentication, you can upgrade to version 12.52 or later.
Follow these steps:
  1. Navigate to the
    arcot_home
    \conf directory.
  2. Take a back-up of the
    adaptershim.ini
    file.
  3. Upgrade
    SiteMinder
    .
  4. Copy the back-up
    adaptershim.ini
    file in the
    arcot_home
    \conf directory.
Plan a Recovery Strategy
To recover your original configuration, implement a recovery plan. The most complete recovery plan is to back up entire image of each Policy Server and Web Agent host. We recommend this method.
You cannot revert from a component upgrade or a migration.
If you do not want to back up the entire image of each system, complete the following steps:
  • Back up all Web Agent and Policy Server binaries. Most of these files are in the bin subdirectory where you installed the Policy Server and Web Agent.
  • Back up the Web Agent configuration file (WebAgent.conf).
    To manage Agents centrally from the Policy Server, give the Agent configuration file to the Policy Server administrator. The Administrator needs this file to create an Agent Configuration Object.
  • Export the policy store to a file using the XPSExport utility.
  • Copy the r12.5x or later installation scripts, hot fixes, and service packs so you can reinstall if necessary. You can download copies from the CA Support site.
Maintain Mixed Environments
Valid for in-place upgrade and rolling upgrade.
As you migrate to 12.8.03, your environment can contain a combination of components at different versions. You do not have to upgrade all your components to 12.8.03.
The following conditions exist in a mixed environment:
  • If your environment has a combination of components, 12.8.03 Policy Servers can continue to communicate with r12.5x or later policy stores during an upgrade. When you start a Policy Server, it detects the policy store version. If the policy store is operating at a previous version, policy server runs in a compatibility mode until the store is upgraded as well.
    In compatibility mode, the Policy Server supports only those features from the older release.
  • If your environment has a mix of Policy Server versions, users can continue to access resources and have the same experience using 12.0 SP2 or later agents.
  • A mixed environment can support single sign-on.
Review the following considerations before you migrate:
  • A 12.8.03 Policy Server can communicate with an r12.5x or later policy store.
  • A 12.7 or earlier Policy Server cannot communicate with a 12.8.03 policy store.
  • A 12.5x or later Policy Server can share a key store with a 12.8.03 Policy Server.
  • A 12.5x or later Policy Server can share a session store with a 12.8.03 Policy Server.
  • A 12.5x or later Administrative UI cannot communicate with a 12.8.03 Policy Server.
  • A 12.5x Web Agent can communicate with a 12.8.03 Policy Server.
The following figure details mixed environment:
Mixed mode support in 12.x
Mixed mode support in 12.x
Upgrade to 12.8.03
If you point an Agent to a 12.8.03 Policy Server in your mixed environment that has 12.8.03 or earlier Policy Servers and Agents, and if the agent keys are rolled over from the 12.7 or earlier Policy Server, the Agent that is pointed to 12.7 or earlier Policy Server fails to decrypt the Agent keys and its single sign-on with the other agents in the environment fails.
To ensure that the agent works seamlessly, perform the following steps to add the BackwardCompatibleMode registry key:
  1. Perform one of the following steps:
    Windows
    1. Open regedit and navigate to the following location:
      HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer
    UNIX
    1. Navigate to the following location:
      install_directory/siteminder/registry
    2. Open the sm.registry file.
  2. Add the following registry key:
    BackwardCompatibleMode
  3. Set the registry key value to 1.
  4. Restart Policy Server.
If 12.8.03 Policy Server generates agent keys in a mixed environment, the agents connected to 12.7 or earlier Policy Servers cannot decrypt the new agent keys.