Best Practices for Upgrading Your Mission-Critical CA SSO Environment

World®’16

BestPracticesforUpgradingYourCASSOEnvironmentJasonWilcox– Sr ServicesArchitect

SCX30E

SECURITY

2 ©2016CA.ALLRIGHTSRESERVED.@CAWORLD#CAWORLD

ForInformationalPurposesOnly

©2016CA.Allrightsreserved.Alltrademarksreferencedhereinbelongtotheirrespectivecompanies.

Thecontentprovidedinthis CAWorld2016presentationisintendedforinformationalpurposesonlyanddoesnotformanytypeofwarranty. The informationprovidedbyaCApartnerand/orCAcustomerhasnotbeenreviewedforaccuracybyCA.

TermsofthisPresentation


Abstract

CASingleSign-On(CASSO)isoneofyourmission-criticalapplications,andkeepingthisinfrastructurecurrentiskeycomponenttocreatingasecureandstableenvironment.Eachreleasebringsnewfeatures,supportedplatformsandmorevaluetoyourorganization.Overtheyears,CAServiceshashelpedhundredsofcustomersupgradeCASSO.Inthissession,oneofourseniorarchitectswilldiscussthelessonslearnedfromalloftheseprojects,aswellasabest-practicesapproachforupgradingaCASSOenvironment.

JasonWilcox

CASrServicesArchitect


Agenda

PLANNINGYOURUPGRADE

UPGRADINGYOURPOLICYSTORE

WEDIDOURUPGRADE,WHENAREYOUSTARTINGYOURS?

POLICYSERVERUPGRADESANDIMPACTS

DOINEEDTOUPGRADEMYAGENTS

UPGRADETESTINGBESTPRACTICES

1

2

3

4

5

6


PlanningYourUpgrade

§ SSOUpgradesdon’tdictateaprojectmanagementapproach

§ Incorporatenewfeaturesandfunctionality

§ Don’tbringalongbaggage

§ Involveallyourstakeholders,don’tdoitinavacuum

§ InvolveCAServices(Healthcheck,Assessment,Upgrade)

THOSEWHOFAILTOPLANDIDN’THAVEAPROJECTMANAGER


SSOUpgradesareFlexible

§ Upgradesalignwelltoagileprinciples– Thenaturalpathoftheupgradeagile– Breaktheupgradeintosmallerworkefforts– Workcanbedoneinparallelbymultipleteams– In-PlaceandParallelupgradesbothworkwellwithAgile

§ Waterfallapproachhasbeensuccessful– WorksbestwithParallel,butstillsuccessfulwithIn-Place– Requiresmoreplanningandtestingupfront

Thereisnoonesizefitsall


IncorporateNewFeaturesandFunctionality

§ IncreasesyourROIinSSO

§ Allowsforbetteradoption

§ Takesadvantageofindustrytrends

§ Allowsyoutouseourimprovementsintheproduct– CAAccessGatewaybasedfederationoverFSS– PartnershipFederationModelvsAffiliateModel– OAuthSupport


Don’tBringAlongBaggage

§ Identifyandremoveunusedpolicyobjects

§ Considerrebuildingthepolicystore

§ Lookatbestpracticesforpolicydesign

§ Replacecustomdevelopedsolutionswithoutoftheboxcomponents

§ Removeworkaroundsforoldproductdeficiencies


Don’tUpgradeinaVacuum

§ Involveyourstakeholdersearlyandoften

§ Highlightthebenefitsofthisupgradetothem– Features– Performance– Reliability– Security

§ Seekfeedbackonwhattheyneedfromthesolution

§ Isanewfeaturetheirfieldofdreams?


InvolveCAServicesasNeeded

§ Getapre-upgradehealthcheck– Lookatallareasofyourimplementation– Makerecommendationsbasedonfindings– Buildaplantoremediatethosefindings

§ HaveanUpgradeAssessmentdone– Whatisthebestapproachtotheupgrade– Isthereanythinginmyenvironmentthatcouldbeaproblem

§ CAServicesUpgradeofferings

Wedon’thavetodoitall,butwecanifyouneedusto


UpgradingYourPolicyStore

§ Cleanitup

§ Considerarebuild

§ Splittingitfortheupgrade

§ Migrateittoanewplatform

§ Testitnomatterwhat

IFTHEPOLICYSERVERISTHEHEARTOFYOURSSOENVIRONMENT,THEPOLICYSTOREISTHEBRAINS


CleanUpYourPolicyStore

§ Removeunusedobjects– RetiredApplications– RetiredUserStores– UsethePolicyReadertoidentifyobjectswithnolinks

§ Makecandidatesforremovableunusable– Renametheagents– Associatedomainswithemptyagentgroups– Validateafteraperiodoftimethatitistrulyunused

Sub-head


ConsiderRebuildingYourPolicyStore

§ WellusedpolicystorefromPre-R12– Latentcorruptionispossible– UsePolicyReadertoview– Use12.6XPSSweepertodeterminethehealth

§ Makepoliciesmoreefficient– Changefromgroupstoreversegroupsifpossible– Moveitemstoglobalpolicieswhereappropriate– MigrateSAMLtopartnershipmodels– GofromAuth/AZMappingtoIdentityMapping

Sub-head


SplittingUpfortheUpgrade

§ NoSeparateKeystore?– Considerseparatingkeystoreduringtheupgrade– SetStaticKeysforuseduringtheupgrade– Giveplentyoftimeforlegacyagentstogetthechange

§ FacilitatesSSObetweenLegacyandUpgradedenvironment

§ Offersgreaterflexibilityintestingandtroubleshooting

Sub-head


MigrateYourPolicyStoretoaNewPlatform

§ Don’tjustmigrateyourpolicystore,upgradeit

§ Ensureit’shighlyavailableandactive-active

§ MigratetoCADirectoryasanocost,highvaluealternative

§ Evaluatetheperformancenotjustduringstartup,butduringoperation

Sub-head


TestNoMatterWhat

§ 12.6IncludesanewXPSSweeperAnalyzer

§ UseSMPolicyReadertocompareenvironments

§ Don’tassumethatbecauseitimportedeverythingisOK

§ Don’tassumebecauseyoudidn’tmigrateyourpolicystoreeverythingisOK

§ Whenyouthinkyouhavetestedenough,testsomemore

Sub-head


PolicyServerUpgradesandImpacts

§ Checkforlegacycodethatneedstobemigrated

§ Validateplatformsupportforthisyearandbeyond

§ Updateprocessestotakeadvantageofnewcapabilities

§ Buildnewprocessesaroundremoteengineer

§ Usetheopportunitytoimproveyourmonitoringandalerting

IFTHEPOLICYSTOREISTHEHEARTOFYOURSSOENVIRONMENT,THEPOLICYSERVERISTHEBRAINS


CheckforLegacyCodetobeMigrated

§ AllCustomCodeshouldbeanalyzedonthePolicyServer– CustomAuth Schemes– ActiveResponses– ActivePolicies– AssertionGenerators– MessageConsumers

§ Hasitbeenmadeobsoletebynewfunctionality?

§ Hasitbeenmadeobsoletebychangingbusinessneeds?

Sub-head


CheckforLegacyCodetobeMigrated

§ IsitusingthecurrentSDK?

§ DoesitneedtoberecompiledtothenewJavaVersion?

§ Isit32bit(Ifupgradingto12.6)?

§ IsitbasedonaCAGlobalDeliveryModule?

Sub-head


ValidatePlatformSupport

§ AreyouusinganearEndOfLifePlatformfromtheVendor?

§ ArethesurroundingtechnologiesnearingEndOfLife?– PolicyStore– UserStore– SessionStore

§ ThirdPartyCustomConnectors?

Sub-head


UpdateProcessesforNewCapabilities

§ Newcapabilitiesthatprobablyimpactyourprocesses– InMemoryTracing– ACOAttributeSearch– RemoteEngineer– SecondVerificationCertificates– AndMore

§ FunctionalityChanges– ReadReleaseNotes– Test,testandmoretest

Sub-head


ImproveYourMonitoringandAlerting

§ ImplementProactiveMonitoring

§ MonitorKPI’sandAlertoffchanges– ThreadCounts– ResponseTimes– SocketCounts– ErrorCounts

§ Don’tletuserstellyouwhenyouhaveaproblem

Sub-head


DoINeedtoUpgradeMyAgents?

§ AgentfromR6SP5throughR12.52SP2

§ OldAgentscan’ttakeadvantageofnewfeatures

§ LegacyPlatformsmightbebetterservedbyCAAccessGateway

§ Ifyouareupgrading,letstalkaboutapproach

IFTHEPOLICYSERVERISTHEBRAINSOFYOURSOLUTION,THEAGENTSARETHENERVEENDINGS


UpgradeTestingBestPractices

§ Youmustmimicprodineveryway

§ Don’tassumebecauseitimported,thatitwillwork

§ Applicationsneedtotest,planforitandhelpthem

IFTHEPOLICYSERVERISTHEBRAINSOFYOURSOLUTION,THEAGENTSARETHENERVEENDINGS


OneEnvironmentMustMimicProd

§ Thesmallthingscanmatter– NetworkLatency– LoadBalancers– Routes

§ IncludeAdequateLoadTesting

§ Don’tmakeassumptionsaboutintegratedsystems

Sub-head


Don’tAssumeBecauseitImporteditWorked

§ ValidateSchema’sonUserStore

§ ValidateDataRecord/Object/RowCounts

§ TestIndexes

Sub-head


ApplicationsNeedtoTest

§ Theleveloftestingforapplications,dependsontheirintegrationpattern– FrontDoorOnly– FineGrained

§ IncludeSSOtestingnotjustauthentication

§ Validateindividualserversifpossible

Sub-head


WeDidOurUpgrade

§ Significantperformanceimprovementsmovingto12.6

§ Whatwelearnedisbeingincorporatedintoourservicesandourproducts

§ Services,Engineering,andSupportwereallheavilyinvolved

§ Wedidre-architect,wedidre-platform,wedidimproveexistingandcreatenewprocesses

IFTHEPOLICYSERVER…WAITAREWESTILLDOINGTHIS?


SignificantPerformanceImprovements

§ Pilotupgradesreportsignificantperformanceimprovements– PolicyServerOperations– Authentication/Authorization– WAMUIObjectManagement

§ Youcandomorewithless– ReducedHardCosts– ReducedSoftCosts

Sub-head


LessonsLearned

§ Weeatourowncaviar,andusethoselessonstobettertheproductandservices

§ Multiplecustomerupgradesinprogress

§ Services,EngineeringandSupportteamsworkingtogethertointegratelessonslearnedfromeachupgrade– Newupgradeprocessesandtools– Directfeedbacktoproductmanagement– Engineeringhasbeenoutinthefieldtoseewhatcustomersface

Sub-head


WhyCAUpgradeServices?

§ Wehavereplatformedduringourupgrades

§ Wehaverearchitectedduringourupgrades

§ Wehaveanalyzedprocessesandprocedures

§ Wehaveanalyzedperformance

§ Wehavegonefromon-premtocloud

§ Yougettheexperiencewehavegained,dayone

Sub-head


RecommendedSessions

SESSION# TITLE DATE/TIME

SCX16E Pre-ConEd:Who'smindingtheSSOstore? 11/15/2016at1:00pm

SCX12E FiveEasyStepsforMigratingtoCADirectory 11/15/2016at3:30pm

SCX54STheCovetedDigitalBankingExperience–ARealityToday!

11/16/2016 at3:45pm

SCX20SCARoadmap:Authentication,SingleSign-On,Directory

11/17/2016at1:45pm


Questions?


WeWanttoHearfromYou!

§ ITCentralisaleadingtechnologyreviewsite.CAhasthemtohelpgenerateproductreviewsforourSecurityproducts.

§ ITCSstaffmaybeatthissessionnow!(lookfortheirshirts).Ifyouwouldliketoofferaproductreview,pleaseaskthemaftertheclass,orgobytheirbooth.Note:§ Onlytakes5-7mins§ Youhavetotalcontroloverthereview§ Itcanbeanonymous,ifrequired


Stayconnectedatcommunities.ca.com

Thankyou.

@CAWORLD#CAWORLD ©2016CA.AllRIGHTSRESERVED.36 @CAWORLD#CAWORLD

Security

FormoreinformationonSecurity,pleasevisit:http://cainc.to/EtfYyw

Technology

Best Practices for Upgrading Your Mission-Critical CA SSO Environment