CA World® ’16
Best Practices for Upgrading Your CA SSO Environment
Jason Wilcox – Sr Services Architect
SCX30E
SECURITY
© 2016 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD

Terms of this Presentation
For Informational Purposes Only
© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.

Abstract
CA Single Sign-On (CA SSO) is one of your mission-critical applications, and keeping this infrastructure current is a key component to creating a secure and stable environment. Each release brings new features, supported platforms and more value to your organization. Over the years, CA Services has helped hundreds of customers upgrade CA SSO. In this session, one of our senior architects will discuss the lessons learned from all of these projects, as well as a best-practices approach for upgrading a CA SSO environment.
Jason Wilcox
CA Sr Services Architect

Agenda
1 PLANNING YOUR UPGRADE
2 UPGRADING YOUR POLICY STORE
3 POLICY SERVER UPGRADES AND IMPACTS
4 DO I NEED TO UPGRADE MY AGENTS
5 UPGRADE TESTING BEST PRACTICES
6 WE DID OUR UPGRADE, WHEN ARE YOU STARTING YOURS?

Planning Your Upgrade
§ SSO Upgrades don’t dictate a project management approach
§ Incorporate new features and functionality
§ Don’t bring along baggage
§ Involve all your stakeholders, don’t do it in a vacuum
§ Involve CA Services (Healthcheck, Assessment, Upgrade)
THOSE WHO FAIL TO PLAN DIDN’T HAVE A PROJECT MANAGER

SSO Upgrades are Flexible
§ Upgrades align well to agile principles
  – The natural path of the upgrade is agile
  – Break the upgrade into smaller work efforts
  – Work can be done in parallel by multiple teams
  – In-Place and Parallel upgrades both work well with Agile
§ Waterfall approach has been successful
  – Works best with Parallel, but still successful with In-Place
  – Requires more planning and testing up front
There is no one size fits all

Incorporate New Features and Functionality
§ Increases your ROI in SSO
§ Allows for better adoption
§ Takes advantage of industry trends
§ Allows you to use our improvements in the product
  – CA Access Gateway based federation over FSS
  – Partnership Federation Model vs Affiliate Model
  – OAuth Support

Don’t Bring Along Baggage
§ Identify and remove unused policy objects
§ Consider rebuilding the policy store
§ Look at best practices for policy design
§ Replace custom developed solutions with out of the box components
§ Remove workarounds for old product deficiencies

Don’t Upgrade in a Vacuum
§ Involve your stakeholders early and often
§ Highlight the benefits of this upgrade to them
  – Features
  – Performance
  – Reliability
  – Security
§ Seek feedback on what they need from the solution
§ Is a new feature their field of dreams?

Involve CA Services as Needed
§ Get a pre-upgrade health check
  – Look at all areas of your implementation
  – Make recommendations based on findings
  – Build a plan to remediate those findings
§ Have an Upgrade Assessment done
  – What is the best approach to the upgrade
  – Is there anything in my environment that could be a problem
§ CA Services Upgrade offerings
We don’t have to do it all, but we can if you need us to

Upgrading Your Policy Store
§ Clean it up
§ Consider a rebuild
§ Splitting it for the upgrade
§ Migrate it to a new platform
§ Test it no matter what
IF THE POLICY SERVER IS THE HEART OF YOUR SSO ENVIRONMENT, THE POLICY STORE IS THE BRAINS

Clean Up Your Policy Store
§ Remove unused objects
  – Retired Applications
  – Retired User Stores
  – Use the Policy Reader to identify objects with no links
§ Make candidates for removal unusable
  – Rename the agents
  – Associate domains with empty agent groups
  – Validate after a period of time that it is truly unused

Consider Rebuilding Your Policy Store
§ Well used policy store from Pre-R12
  – Latent corruption is possible
  – Use Policy Reader to view
  – Use 12.6 XPSSweeper to determine the health
§ Make policies more efficient
  – Change from groups to reverse groups if possible
  – Move items to global policies where appropriate
  – Migrate SAML to partnership models
  – Go from Auth/AZ Mapping to Identity Mapping

Splitting Up for the Upgrade
§ No Separate Keystore?
  – Consider separating keystore during the upgrade
  – Set Static Keys for use during the upgrade
  – Give plenty of time for legacy agents to get the change
§ Facilitates SSO between Legacy and Upgraded environment
§ Offers greater flexibility in testing and troubleshooting

Migrate Your Policy Store to a New Platform
§ Don’t just migrate your policy store, upgrade it
§ Ensure it’s highly available and active-active
§ Migrate to CA Directory as a no cost, high value alternative
§ Evaluate the performance not just during startup, but during operation

Test No Matter What
§ 12.6 Includes a new XPSSweeper Analyzer
§ Use SMPolicyReader to compare environments
§ Don’t assume that because it imported everything is OK
§ Don’t assume because you didn’t migrate your policy store everything is OK
§ When you think you have tested enough, test some more

Policy Server Upgrades and Impacts
§ Check for legacy code that needs to be migrated
§ Validate platform support for this year and beyond
§ Update processes to take advantage of new capabilities
§ Build new processes around remote engineer
§ Use the opportunity to improve your monitoring and alerting
IF THE POLICY STORE IS THE HEART OF YOUR SSO ENVIRONMENT, THE POLICY SERVER IS THE BRAINS

Check for Legacy Code to be Migrated
§ All Custom Code should be analyzed on the Policy Server
  – Custom Auth Schemes
  – Active Responses
  – Active Policies
  – Assertion Generators
  – Message Consumers
§ Has it been made obsolete by new functionality?
§ Has it been made obsolete by changing business needs?

Check for Legacy Code to be Migrated
§ Is it using the current SDK?
§ Does it need to be recompiled to the new Java Version?
§ Is it 32 bit (If upgrading to 12.6)?
§ Is it based on a CA Global Delivery Module?

Validate Platform Support
§ Are you using a near End Of Life Platform from the Vendor?
§ Are the surrounding technologies nearing End Of Life?
  – Policy Store
  – User Store
  – Session Store
§ Third Party Custom Connectors?

Update Processes for New Capabilities
§ New capabilities that probably impact your processes
  – In Memory Tracing
  – ACO Attribute Search
  – Remote Engineer
  – Second Verification Certificates
  – And More
§ Functionality Changes
  – Read Release Notes
  – Test, test and more test

Improve Your Monitoring and Alerting
§ Implement Proactive Monitoring
§ Monitor KPIs and Alert off changes
  – Thread Counts
  – Response Times
  – Socket Counts
  – Error Counts
§ Don’t let users tell you when you have a problem

Do I Need to Upgrade My Agents?
§ Agent from R6 SP5 through R12.52 SP2
§ Old Agents can’t take advantage of new features
§ Legacy Platforms might be better served by CA Access Gateway
§ If you are upgrading, let’s talk about approach
IF THE POLICY SERVER IS THE BRAINS OF YOUR SOLUTION, THE AGENTS ARE THE NERVE ENDINGS

Upgrade Testing Best Practices
§ You must mimic prod in every way
§ Don’t assume because it imported, that it will work
§ Applications need to test, plan for it and help them
IF THE POLICY SERVER IS THE BRAINS OF YOUR SOLUTION, THE AGENTS ARE THE NERVE ENDINGS

One Environment Must Mimic Prod
§ The small things can matter
  – Network Latency
  – Load Balancers
  – Routes
§ Include Adequate Load Testing
§ Don’t make assumptions about integrated systems

Don’t Assume Because it Imported it Worked
§ Validate Schemas on User Store
§ Validate Data Record/Object/Row Counts
§ Test Indexes

Applications Need to Test
§ The level of testing for applications depends on their integration pattern
  – Front Door Only
  – Fine Grained
§ Include SSO testing not just authentication
§ Validate individual servers if possible

We Did Our Upgrade
§ Significant performance improvements moving to 12.6
§ What we learned is being incorporated into our services and our products
§ Services, Engineering, and Support were all heavily involved
§ We did re-architect, we did re-platform, we did improve existing and create new processes
IF THE POLICY SERVER… WAIT ARE WE STILL DOING THIS?

Significant Performance Improvements
§ Pilot upgrades report significant performance improvements
  – Policy Server Operations
  – Authentication/Authorization
  – WAM UI Object Management
§ You can do more with less
  – Reduced Hard Costs
  – Reduced Soft Costs

Lessons Learned
§ We eat our own caviar, and use those lessons to better the product and services
§ Multiple customer upgrades in progress
§ Services, Engineering and Support teams working together to integrate lessons learned from each upgrade
  – New upgrade processes and tools
  – Direct feedback to product management
  – Engineering has been out in the field to see what customers face

Why CA Upgrade Services?
§ We have replatformed during our upgrades
§ We have rearchitected during our upgrades
§ We have analyzed processes and procedures
§ We have analyzed performance
§ We have gone from on-prem to cloud
§ You get the experience we have gained, day one

Recommended Sessions
SESSION #   TITLE                                                       DATE/TIME
SCX16E      Pre-Con Ed: Who's minding the SSO store?                    11/15/2016 at 1:00 pm
SCX12E      Five Easy Steps for Migrating to CA Directory               11/15/2016 at 3:30 pm
SCX54S      The Coveted Digital Banking Experience – A Reality Today!   11/16/2016 at 3:45 pm
SCX20S      CA Roadmap: Authentication, Single Sign-On, Directory       11/17/2016 at 1:45 pm

We Want to Hear from You!
§ IT Central is a leading technology review site. CA has them to help generate product reviews for our Security products.
§ ITCS staff may be at this session now! (look for their shirts). If you would like to offer a product review, please ask them after the class, or go by their booth.
Note:
§ Only takes 5-7 mins
§ You have total control over the review
§ It can be anonymous, if required