Tech Tip – How to migrate selected policy domain(s) from one policy store to another


SUMMARY:

Often, while migrating data from a lower environment to a higher one, it is necessary to migrate only a few policy domains rather than the entire policy data. In this guide, we discuss the steps required to export selected policy domain(s) from one policy store and import them into another.

Before we do that, we need to understand that a policy domain may consist of several child objects and reference objects, as listed below:

Child Objects:

  • CA.SM::SAMLv1SP
  • CA.SM::WSFEDSP
  • CA.SM::Variable
  • CA.SM::Response
  • CA.SM::Realm
  • CA.SM::RuleGroup
  • CA.SM::ResponseGroup
  • CA.EPM::Role
  • CA.SM::SAMLv2SP
  • CA.SM::Policy

References:

  • CA.SM::AuthScheme
  • CA.SM::AgentType
  • CA.SM::UserDirectory
  • CA.SM::Agent

Migrating a domain involves migrating the primary CA.SM::Domain object along with all of its child and referenced objects.

Environment:
  • Policy Server: R12.51+
  • OS: ANY
  • Policy Store: ANY to ANY (this procedure works even if the source and target policy stores are of different types, e.g. source CA Directory and target ODBC, provided the policy store schema versions are at the same level).

Instructions:


Source Policy Store/Policy Server

1. Identify the XIDs of the Policy domain(s) that you want to migrate.

This can be done by looking up the specified Policy Domain(s) in XPSExplorer:

(Screenshot: XPSExplorer)

However, the easiest option is to first perform a full policy store export and then manually look up the domain XID in the export file:

To perform full policy store export (dump export), run following command:

XPSExport c:/fullexport.xml -xb -npass

Then, search for the domain name in the export file.

For the matching object, the object class should be CA.SM::Domain and the XID should be in the format CA.SM::Domain@XXXXX.

For example, in the screenshot below the highlighted value is the XID of the policy domain “iis_anz_vm2_wa” that we would like to migrate.

(Screenshot: XPSExport output with the domain XID highlighted)

2. Once identified, copy the XID(s) of all the policy domains into a file, say domainXIDs.xml, as below:

(Screenshot: domainXIDs.xml)

3. Next, export the selected policy domain(s) using the following command:

XPSExport c:\domainExport.xml -xf c:\domainXIDs.xml -npass

4. Then, open the newly exported file (domainExport.xml) and copy the XID(s) of all the references it uses into a new file, say referenceXIDs.xml.

(Screenshot: reference XIDs in domainExport.xml)

Tip: search for the string “<ReferenceObject”.

(Screenshot: referenceXIDs.xml)

Note: Some of the reference types are not exportable and need to be removed from referenceXIDs.xml; this becomes evident when you try to export the references.

So, let us first try to export the references as they are:

C:\Users\Administrator>xpsexport c:\ref.xml -xf c:\referenceXIDs.xml -npass

(Screenshot: XPSExport output reporting non-exportable references)

As we can see above, objects of type CA.SM::AgentTypeAttr are not exportable, which means they can’t be migrated. These are default objects that ship out of the box and can’t be instantiated, so it is safe to remove them from the list of references in referenceXIDs.xml.

So, go ahead and delete the references to objects of this type from referenceXIDs.xml.

(Screenshot: referenceXIDs.xml after manually deleting the CA.SM::AgentTypeAttr object references.)

Now, try to export the references again using the same command:

C:\Users\Administrator>xpsexport c:\ref.xml -xf c:\referenceXIDs.xml -npass

and it should succeed this time:

(Screenshot: successful XPSExport of references)

Finally, we now have the following two export files, which we can import into the target policy store:

  • domainExport.xml – Policy domain export file (from step 3)
  • ref.xml – Export of references used by policy domain (from step 4)
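The two manual lookups above (steps 1 and 4: finding the domain XIDs in a full export, then collecting the ReferenceObject XIDs from the domain export while dropping non-exportable classes such as CA.SM::AgentTypeAttr) can be scripted. The following is an added example, not part of the original tech tip or the XPS tooling; the sample XML is constructed, and the Class/Xid attribute names and the CA.SM::Domain.Name property are assumptions about the export layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an XPSExport dump (attribute names
# Class/Xid and the CA.SM::Domain.Name property are assumptions).
FULL_EXPORT = """<PolicyData>
  <Object Class="CA.SM::Domain" Xid="CA.SM::Domain@0e-aaaa">
    <Property Name="CA.SM::Domain.Name"><StringValue>iis_anz_vm2_wa</StringValue></Property>
  </Object>
  <Object Class="CA.SM::Domain" Xid="CA.SM::Domain@0e-bbbb">
    <Property Name="CA.SM::Domain.Name"><StringValue>other_domain</StringValue></Property>
  </Object>
</PolicyData>"""

# Constructed sample of a domain export (-xf) with its references.
DOMAIN_EXPORT = """<PolicyData>
  <Object Class="CA.SM::Domain" Xid="CA.SM::Domain@0e-aaaa">
    <ReferenceObject Class="CA.SM::UserDirectory" Xid="CA.SM::UserDirectory@10-cccc"/>
    <ReferenceObject Class="CA.SM::Agent" Xid="CA.SM::Agent@01-dddd"/>
    <ReferenceObject Class="CA.SM::AgentTypeAttr" Xid="CA.SM::AgentTypeAttr@02-eeee"/>
    <ReferenceObject Class="CA.SM::UserDirectory" Xid="CA.SM::UserDirectory@10-cccc"/>
  </Object>
</PolicyData>"""

# Classes the tech tip found XPSExport refuses to export (OOTB objects).
NON_EXPORTABLE = {"CA.SM::AgentTypeAttr"}

def domain_xids(export_xml, names):
    """Step 1: XIDs of the CA.SM::Domain objects whose name is in `names`."""
    wanted = set(names)
    found = []
    for obj in ET.fromstring(export_xml).iter("Object"):
        if obj.get("Class") != "CA.SM::Domain":
            continue
        for prop in obj.iter("Property"):
            if prop.get("Name") == "CA.SM::Domain.Name" and prop.findtext("StringValue") in wanted:
                found.append(obj.get("Xid"))
    return found

def reference_xids(domain_export_xml, skip=NON_EXPORTABLE):
    """Step 4: unique ReferenceObject XIDs, minus non-exportable classes."""
    xids = []
    for ref in ET.fromstring(domain_export_xml).iter("ReferenceObject"):
        xid = ref.get("Xid")
        if ref.get("Class") in skip or xid in xids:
            continue  # drop OOTB-only classes and duplicate references
        xids.append(xid)
    return xids
```

Writing the returned lists one XID per line gives the domainXIDs.xml and referenceXIDs.xml inputs for the `-xf` exports above; any further class that XPSExport rejects can be added to NON_EXPORTABLE.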

Target Policy Store/Policy Server

1. Import the references export file using the following command:

XPSImport c:/ref.xml -npass

Sample output:

(Screenshot: XPSImport output for the reference import)

2. Import the domain export file:

XPSImport c:/domainExport.xml -npass

Sample output:

(Screenshot: XPSImport output for the domain import)

Note: The above process doesn’t migrate objects such as ACOs and HCOs, which are not related to a policy domain. If you need those as well, migrate them using the same procedure as above.

RELATED BLOG:

Tech Tip – Policy store object types