How to Migrate individual objects in a CA SSO Policy Store

Document ID : KB000010848
Last Modified Date : 14/02/2018
Show Technical Document Details

You may want to migrate an individual policy store object between environments.  For example, you might create a Domain in a lower environment, such as DEV, and want to migrate just that domain to a higher environment, such as TST, QA, UAT or PRD.

You can migrate the object rather than manually creating it in each environment.  This can be done without the need to migrate the entire policy store.  The following instructions describe the process.




There are several object classes which contain references to other object classes within them.  For example a Domain object contains references to User Directory objects.  Agent objects reference Agent Type objects. etc.

The assumption is that any object which is linked or referenced either needs to already be defined in the target policy store, or contained within the .xml export which contains that main object.  In other words, if an  individual domain is exported the referenced Agent, Agent Type, User Directory and any other referenced object must either be in the policy store where the import is being run or be in the .xml file along with the Domain object itself.

The objects are linked and referenced by XID.  You cannot manually create a referenced object in the target policy store with the same name.  The creation process will randomly assign a new XID to the object.  Now there will be a conflict in the target policy store.  The object being imported will reference the XID of an object which does not exist in the target.  The imported object will not be pointing to the XID of the newly created object.  Subsequent attempts to import the original referenced object will fail because there cannot be two objects in the same object class with different XID's and the same name.

This process should allow you to avoid such conflicts.

Policy Server: r12.52; r12.6; r12.7Policy Server OS: ANYPolicy Store: ANY

1) Logon to the Policy Server

2) Run: XPSExplorer

3) Locate the object class of the object in the XPSExplorer menu, then record its menu number

EXAMPLE: 112-    Domain*

4) Type the object class menu number in the 'Enter Option' and then hit ENTER

EXAMPLE: Enter Option (#,F,B,X,P, or Q): 112

5) Locate the object you want to export.

NOTE: You may need to use the 'Build Filter' option to narrow the results by searching by Name)

6) Record the XID of the object.

EXAMPLE: CA.SM::Domain@03-697558b2-5162-103e-bc60-8527ea420043

7) Export that specific object by XID


xpsexport <FileName>.xml -xo CA.SM::Domain@03-697558b2-5162-103e-bc60-8527ea420043 -npass

8) Open the <FileName>.xml file with a text editor.

9) Locate the 'References' section of the .xml file.




10) Record all the XID values of all of the referenced objects


<ReferenceObject ReferenceId="Ref00001" ObjectClass="CA.SM::Agent">


<Attribute Name="CA.SM::Agent.Name" Type="Identity">

<StringValue>TranspolarAgent 01-7fa974ea-513c-103e-bc60-8527ea420043</StringValue>


<Attribute Name="CA.SM::Agent.Desc" Type="Comment">





11) Create a text file with the XID of the object you are exporting along with the XID's of all of the referenced objects







NOTE: Each XID should be listed on its own rown.  The file is <CR><LF> delimited.

12) Save the file with a name  (e.g. "TranspolarDomain.txt")

13) Run XPSExport against the file


xpsexport TranspolarDomain.xml -xf TranspolarDomain.txt -npass

NOTE: This will export all of the objects defined in the TranspolarDomain.txt to a single .xml file.

14) Import the .xml file into the target environment


xpsimport TranspolarDomain.xml -npass