Moving Siteminder Policy Store from one database to another database, including IM policy store objects

Document ID : KB000050955
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

This document contains the steps necessary to move the SiteMinder Policy Store from one data base to another; for example, from MS-SQL to Oracle, when the Policy Store contains Identity Manager Policy Store Objects as well (this is specific to environment where Identity Manager is integrated with SiteMinder).

Please Note: This document does not discuss moving the Identity Manager Object Store, Audit DB, Task Persistence DB, or the Report Snapshot DB (when moving the SiteMinder Policy Store it is not necessary to move any of these other Identity Manager Databases).

Solution:

The following are the steps that are required to move the SiteMinder Policy Store from one database to another database when the following conditions are true:

  1. Identity Manager and SiteMinder are integrated (wherein SiteMinder is providing protection and Password functionality for Identity Manager)

  2. The Policy Store contains Identity Manager Objects

  3. There are existing Task Persistence, Audit, and/or Workflow items in one or more of the established Identity Manager Environments

For example, moving the Policy Store from MS-SQL Server to an Oracle database.

Note: All the operations listed below should be carried out on the machine where the SiteMinder Policy Server is installed.

Export the existing SiteMinder Policy Store Data

  1. Make sure the Policy Store is pointing to the source database. You can verify this by using "SiteMinder Policy Server Management Console" -> Data tab.

  2. Open a command window (cmd) and enter the following command; in a typical SiteMinder installation, the xpsexport utility can been found in <SiteMinder-home>/bin:

    Xpsexport <xmlfile> -xa -l <logfile name> -e <error file name>

    For example,

    xpsexport test_export.xml -xa -l c:\IM\test_export.log -e c:\IM\test_err.txt

  3. xpsexport will prompt you to enter the passphrase. The passphrase is created by you and must adhere to the established criteria (i.e., the default is at least 1 upper case, at least 1 digit). Enter the passphrase as something like: passphrase1. If you don't see the export xml file, refer to the error log; it is most likely that the passphrase entered did not meet the policy criteria.

  4. If everything worked as expected, you will see the export XML file (this file will be create in the same folder from which you ran the xpsexport command)

  5. The xpsexport command will not export any of Identity Manage objects contained in the SiteMinder Policy Store. For example, the Identity Manager Directory and Environment details.

    Note: Here we are NOT referring to the Identity Manager Object Store, rather the SiteMinder Policy Store.

  6. To export the Identity Manager Objects contained in the SiteMinder Policy Store, you must use smobjexport command. The smobjexport utility is contained in the same folder as the spxexport utility; in a typically SIteminder installation this is <SiteMinder-home>/bin.

    smobjexport -d<admin-name> -w<admin-password> -o<file where the data will be exported>

    For example,

    smobjexport -dSiteMinder -wpassphrase1 -otestsmobj.smdif -v

    Note: The file produced from this command will be needed in the next steps.

At this point, you will have two export files:

  1. The SiteMinder Policy Store export file (created in step 3)

  2. The Identity Manager Policy Store export file (created in step 6)

Import the Policy Store Data

  1. Create the target SiteMinder Policy Store database (in this case, the Oracle database). Refer to the vendor specific documentation on how to do this.

  2. Make sure the database user, you are using to perform these steps, has the administrative privileges.

  3. Follow all the steps in the SiteMinder installation guide section "Configure a <database type> Policy Store" chapter (SiteMinder Installation guides -> Installation and Upgrade Guides -> Configuring SiteMinder Data Stores in a Relational Database)

  4. After successfully completing step 3, all of the default required SiteMinder objects will exist in the new database; this does NOT include the Identity Manager object.

    Note: this will establish the default SiteMinder Objects; however, does not import the previous specific data (data which may have been modified during the use of SiteMinder). The specific data will be established later, during the xpsimport phase (in the next steps).

  5. Open a command window (CMD) and enter the following command:

    xpsimport <xmlfile> -l <logfile name> -e <error file name>

    For example,

    xpsimport test_export.xml -l c:\IM\test_export.log -e c:\IM\test_err.txt

  6. xpsimport will you to enter the passphrase. Enter the passphrase you provided in step 3 of the "Export the data" section. This will import all the previously exported SiteMinder Policy Store data.

  7. Check the error log to ensure that there were no failures. The error log file is established by the value specified in the "-e" option on the xpsimport command.

  8. To import the Identity Manager Policy Sore objects, use 'smobjimport' (found in the same location as the other utilities - <SiteMinder-home>/bin):

    smobjimport -i<smobj-export-file> -f -d<admin-name> -w<admin-password> -v

    For example,

    smobjimport -ismobj-export.smdif -f -dSiteMinder -wfirewall -v

    Note: -f is required to overwrite. Otherwise not all the required objects will be imported successfully.

  9. Restart the Sitemer Policy Server, SiteMinder Web Agent (if you have installed one), and the Identity Manager Application server.

  10. SiteMinder and Identity Manager should now refer to the new Policy Store.

Notes

  1. There is no need to change anything from Identity Manager. Identity Manager, when integrated with SiteMinder, is using a proxy to connect to the SiteMinder Policy Store, which does not maintain any specific information about the specific details of the Policy Store (i.e., Policy Server); so, Identity Manager will simply reestablish the proxy connection and will connect to the newly established Policy Store.

  2. Keep the xpsexport, smobjexport, xpsimport, smobjimport, smps.log intact as it may be useful in understanding any issues. The log files will be created, if needed, in the same folder specified by the "l" parameter specified on the xpsimport command in step 5 above.

  3. After establishing the new Policy Store, it may occur that the SiteMinder Administration UI doesn't seem to connect to. This is a condition which occurs in SiteMinder and is not related to Identity Manager. We are currently discussing this with the SiteMinder Team.