CA World® ’16
Five Easy Steps for Migrating to CA Directory
Greg Vickery, Principal Services Consultant, CA Technologies
SCX12E
SECURITY
2 © 2016 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD
© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
For Informational Purposes Only
Terms of this Presentation
Abstract
Join us for a discussion on the steps for migrating your current User Store or Policy Store to CA Directory. We will discuss discovery and project scoping, along with building the CA Directory environment, schema (data type) migration, data clean-up and application team sign-off.
Greg Vickery
CA Technologies, Principal Services Consultant
Agenda
WHY MIGRATE TO CA DIRECTORY
DESIGN THE NEW DIRECTORY
GO LIVE!
LDAP TO CA DIRECTORY TASKS
MIGRATING DATABASE TO CA DIRECTORY TASKS
APPLICATION TESTING
Directory Review
§ Application communicating with a data store
  – Via protocol: LDAP
§ Data store may contain:
  – Policy information
  – Authentication info
  – Authorization info
  – Or any other data
Level-set the conversation
(Diagram labels: Application Layer, LDAP)
Why CA Directory
§ Performance
  – Replication: all directories are synced (often measured in milliseconds)
§ Small footprint
  – Very large environments with fewer servers
§ Scalability
  – 50++ million is OK
  – Only limited by hardware
  – Can horizontally scale (virtually no limits)
CA is experiencing larger migrations to CA Directory
Why CA Directory
§ Monitoring, multiple ways
  – Log files for an accurate record of activity
  – Time log to validate performance
  – Real-time monitoring with SNMP
    § Including SNMP tool
§ Operational advantages (easy to manage)
  – Data and indexes need no tuning
  – Very fast backup and restore
  – Few moving parts
CA is experiencing larger migrations to CA Directory
Types of Migration
§ Existing LDAP environment to CA Directory
  – Most common migration for User Store environments
  – May have very short project lengths (quick)
§ Existing database environment to CA Directory
  – Generally requires more tasks
  – More benefits are realized
    § Replication in directory is much faster than in databases
    § Datacenter to datacenter (WAN) replication is easy
Two migration types from the field
5 Steps of Migration
§ Architect the new CA Directory environment
§ Schema (Data Definition) Migration
§ Data Migration
§ Application Testing
§ Go Live!
Overview of Tasks
Architecting the CA Directory solution
§ CA Directory Architecture
  – Typically requires fewer servers than other LDAP servers
  – Don’t be afraid to design for the strengths of CA Directory
    § One-to-one replacement could be bad design
    § AND: departure from the old design may allow us to optimize the design
  – Hardware requirements (server specs) may change
    § CA Directory is a memory-resident directory
    § Changing O/S may be an option
View as a chance to optimize
Migrating the Schema
§ Schema Migration
  – CA Directory tools
    § dxschemaldif - extracts schema from existing LDAP servers
    § ldif2dxc – formats LDIF to CA Directory configuration
  – Focus is on your custom schema
    § Although we have had to change standard schema to support apps
  – Most LDAP servers have relaxed schema
    § May have text OID
    § Tools will supply valid OIDs during conversion
Define Tasks
Migrating the Data
§ Export data from existing LDAP server
  – In most cases use existing LDAP server tools to pull the data
  – Some other vendor tools may be able to exclude proprietary data
§ Clean data
  – Could be the most time-consuming portion of migration
  – Create or adapt existing data clean tool
  – Remove LDAP server-specific data (proprietary data)
§ Import
  – May find more data issues here
  – Update clean tool and run again
Cleaning the data for import
Migrating the Data (continued)
§ A large number of hours could be involved with this process
  – Ongoing process; the tool may be updated several times
§ The data clean process will be run in multiple environments
  – Dev, QA, Staging, etc. before Production (Go Live)
  – Each environment may have unique data anomalies
§ Opportunity to re-organize or remove unwanted data
  – Legacy/unused attributes can be removed
  – Often find attributes that are misused
    § Example: telephoneNumber (attribute) with a value of ‘out of the country’
Case Study (field experiences)
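A minimal data-clean tool of the kind the two "Migrating the Data" slides describe, written here as an added Python example (not code from the presentation or from CA): it unfolds an LDIF export, strips source-server proprietary attributes, rejects a misused telephoneNumber such as ‘out of the country’ into an anomaly report for the data owner, and re-serializes what remains for import. The sample LDIF, the proprietary attribute list and the phone pattern are constructed assumptions; adjust them to your source server and run the tool again after each import surprise.

```python
import re

# Constructed sample export (not from the deck): the first entry carries a
# source-server operational attribute and a misused telephoneNumber value.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
telephoneNumber: out of the country
nsUniqueId: 1a2b3c4d-0000-0000-0000-000000000001
description: a value the exporter folded
  across two lines

dn: uid=asmith,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
telephoneNumber: +1 555 0100
"""

# Assumption: attribute names proprietary to the source server (lower-case).
PROPRIETARY_ATTRS = {"nsuniqueid", "creatorsname", "modifiersname"}
PHONE_RE = re.compile(r"^\+?[0-9][0-9 ()./-]{3,}$")
LINE_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?)\s*(.*)$")   # attr, separator, value

def parse_ldif(text):
    """Entries as lists of (attr, sep, value) tuples; folded lines are rejoined."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        unfolded = block.replace("\n ", "")        # LDIF folds with newline + one space
        lines = [ln for ln in unfolded.splitlines() if ln and not ln.startswith("#")]
        entries.append([LINE_RE.match(ln).groups() for ln in lines])  # malformed line raises
    return entries

def clean_entries(entries, drop_attrs=PROPRIETARY_ATTRS):
    """Drop proprietary attributes; strip malformed telephoneNumber values and report them."""
    cleaned, anomalies = [], []
    for entry in entries:
        dn = next(v for a, _, v in entry if a.lower() == "dn")
        kept = []
        for attr, sep, val in entry:
            if attr.lower() in drop_attrs:
                continue
            if attr.lower() == "telephonenumber" and sep == ":" and not PHONE_RE.match(val):
                anomalies.append((dn, attr, val))   # hand back to the data owner
                continue
            kept.append((attr, sep, val))
        cleaned.append(kept)
    return cleaned, anomalies

def to_ldif(entries):
    """Serialize cleaned entries back to LDIF for the import step."""
    return "\n\n".join("\n".join(f"{a}{s} {v}" for a, s, v in e) for e in entries) + "\n"
```

Base64 (`::`) values are passed through untouched, so binary attributes survive the clean pass without being misreported as anomalies.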
Migrating the Data (continued)
§ Do you plan to sync old and new environments?
  – “One foot in the boat, one foot on the dock”
  – CA Directory has some limited ability to sync (DXLink)
  – Sync may introduce a new (3rd) component to the environment
    § May require additional expertise
    § Will have performance implications (slowing the new environment)
  – Sync tool may be slower than the new directory server
  – The old environment is highly likely to be slower than the new environment
§ If the sync process fails, is this cause for rollback?
  – Manual recovery (rollback) may be faster
Other Considerations
Application Verification
§ Identify applications for testing and verification
  – Typically a sample group of representative applications will be used
§ Develop a test plan for testing applications
§ Identify required resources (personnel) needed for rollout
§ The process should be run (and refined) in multiple environments before production
  – Time all phases: can the process be executed within our outage window?
Test plan to verify applications work with the new environment
Go Live
§ Pre-Go Live (some time before Go Live):
  – Transform the test plan into a rollout script and checklist (process)
  – The process should be run in multiple environments before production
  – Include a roll-back plan in case of issues or unexpected disruptions
  – Verify the correct personnel are available
    § Directory team, Operations, Application owners, Vendors, etc.
§ Execute rollout script
  – Success! Meet the next day with the entire team to review
Cutover to Production
Migrating Database to CA Directory
§ User Store
  – CA Directory has faster replication (datacenter to datacenter)
§ Policy Store (CA SSO)
  – Very cost effective
§ Session Store (CA SSO)
  – CA Directory is the only directory/LDAP server supported as session store
  – Datacenter to datacenter database synchronization is expensive
Advantages to migrating the different environments
Migrating Database to CA Directory
§ Involves more tasks than LDAP User Store conversion
§ Create CA Directory schema
  – No schema to export
  – Convert fields to attributes
  – Convert tables to objectClasses
  – May be able to use CA Directory ‘Views’ configuration to replace stored procedures
Migrating User Store From Database
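The "convert fields to attributes, tables to objectClasses" step above, as an added Python example (not code from the presentation or from CA): a constructed user table is turned into standard LDIF schema text (RFC 4512 attributeTypes and objectClasses lines), which is the format the deck says ldif2dxc can turn into CA Directory configuration. The table definition, the SQL-type-to-syntax map, the table-prefixed naming convention and the private OID arc are assumptions; the RFC 4517 syntax OIDs are real.

```python
# Constructed relational definition of a user table (not from the deck):
# each column is (name, sql_type, required); "key" is the primary key column,
# which becomes the naming attribute (RDN) of the migrated entries.
USERS_TABLE = {
    "name": "app_user",
    "key": "user_id",
    "columns": [
        ("user_id", "INTEGER", True),
        ("login", "VARCHAR(64)", True),
        ("email", "VARCHAR(255)", False),
        ("is_locked", "BOOLEAN", True),
        ("last_login", "TIMESTAMP", False),
    ],
}

# LDAP syntax OIDs (RFC 4517) and matching rules for the SQL types we map;
# any other SQL type falls back to DirectoryString.
SYNTAX = {
    "INTEGER": ("1.3.6.1.4.1.1466.115.121.1.27", "integerMatch"),
    "BOOLEAN": ("1.3.6.1.4.1.1466.115.121.1.7", "booleanMatch"),
    "TIMESTAMP": ("1.3.6.1.4.1.1466.115.121.1.24", "generalizedTimeMatch"),
    "VARCHAR": ("1.3.6.1.4.1.1466.115.121.1.15", "caseIgnoreMatch"),
}
OID_ARC = "1.3.6.1.4.1.99999.1"  # placeholder arc: use your registered enterprise OID

def ldap_name(*parts):
    """snake_case parts -> camelCase LDAP name: ('app_user', 'last_login') -> appUserLastLogin."""
    words = "_".join(parts).split("_")
    return words[0] + "".join(w.capitalize() for w in words[1:])

def attribute_types(table):
    """One attributeTypes line per column; table-prefixed names avoid clashing with standard schema."""
    defs = []
    for i, (col, sql_type, _) in enumerate(table["columns"], start=1):
        syntax, rule = SYNTAX.get(sql_type.split("(")[0].upper(), SYNTAX["VARCHAR"])
        defs.append(f"attributeTypes: ( {OID_ARC}.{i} NAME '{ldap_name(table['name'], col)}' "
                    f"EQUALITY {rule} SYNTAX {syntax} SINGLE-VALUE )")  # columns hold one value
    return defs

def object_class(table):
    """The table becomes one STRUCTURAL objectClass: NOT NULL columns are MUST, the rest MAY."""
    cols = table["columns"]
    must = [ldap_name(table["name"], c) for c, _, req in cols if req]
    may = [ldap_name(table["name"], c) for c, _, req in cols if not req]
    oc = (f"objectClasses: ( {OID_ARC}.{len(cols) + 1} NAME '{ldap_name(table['name'])}' "
          f"SUP top STRUCTURAL MUST ( {' $ '.join(must)} )")
    if may:  # an empty MAY clause is not valid schema, so only emit it when needed
        oc += f" MAY ( {' $ '.join(may)} )"
    return oc + " )"
```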
Migrating Database to CA Directory
§ CA Directory ‘Views’ configuration
  – ‘Views’ configuration may be able to replace certain stored procedures
    § Views are pre-defined searches with multiple ‘phases’
§ Application conversion
  – Applications will need to be LDAP-enabled
  – Develop as LDAP requests (different than SQL requests)
  – Testing the functionality
    § Start at beginning of project
    § More complete set of use cases
Migrating User Store From Database (continued)
Migrating Database to CA Directory
§ Steps for migration of Policy Store data
  – Build CA Directory server environment (in CA SSO guide)
    § Build DIT (tree) structure for Policy Store data
    § Add Policy Data schema files to CA Directory
  – Extract data from current Policy Store
    § Use the available CA SSO tools to export the policies
    § This process is the same whether database or LDAP server
  – Configure CA SSO Policy Server for new Policy Store
  – Import policies into CA Directory
    § Using the CA SSO import tool
CA SSO (formerly SiteMinder) Policy Store
Migrating Database to CA Directory
§ Steps for migration of Session Store data
  – Add Session Data schema files to CA Directory
  – Determine performance requirements:
    § Calculate number of concurrent sessions
    § Factor the session timeout (or average session life)
  – CA Directory as a session store has specialized configuration
    § Documentation outlines the specific settings
  – Hardware intensive for high-demand environments
    § Consult CA for hardware guidelines
  – Configure CA SSO Policy Server to use CA Directory
CA SSO Session Store
Review of Migration Steps
§ Architect the new solution
  – Don’t be afraid to change from the old design
§ Schema Migration
  – Utilize CA Directory tools
§ Data Migration
  – May be time consuming
§ Test Application
§ GO Live
Quick Recap
Recommended Sessions
SESSION#  TITLE                                                           DATE/TIME
SCT45T    How Fast is your Directory?                                     11/16/2016 at 4:30 pm
SCX20S    CA Roadmap: Advanced Authentication, Single Sign-On, Directory  11/16/2016 at 1:45 pm
SCT44T    WAM & Federation (Tech Talk)                                    11/17/2016 at 4:30 pm
Don’t Miss Our INTERACTIVE Security Demo Experience!
SNEAK PEEK!
Security
For more information on Security, please visit: http://cainc.to/EtfYyw