MyTechReference - Technical Notes


by IDAMGroup

CA Siteminder Backup tools

CA Siteminder r12.x Policy Server command line backup tools

This post explains how to back up Policy Server objects using XPSExport and XPSImport (XML-based export and import). Prior to r12.x, Siteminder Policy Server objects were exported using smobjimport and smobjexport, which export objects in SMDIF (Siteminder Data Interchange Format).

XPSExport

XPSExport supports the following tasks for migration or for taking backups:

  • Export all the security data.
  • Export all the policy data.
  • Export all the configuration data.
  • Export a portion of the policy data.

Example of how to export policy data:

XPSExport  output_file.xml -xo object_id -npass -vT -l log_file
XPSExport c:/shared/agent_export1.xml -xo CA.SM::Agent@01-84ba3672-ac33-41b2-ace5-97e1cf5bfe07  -npass -vT -l c:/shared/export_aget1.log

Here the XID is CA.SM::Agent@01-84ba3672-ac33-41b2-ace5-97e1cf5bfe07

So how do you find the XIDs? By using XPSExplorer.

First set the Siteminder path in the environment variable, so that you can run the Siteminder Policy Server tool commands from any path.

XPSExplorer

XPSExplorer is used to explore the policy store objects and find their XIDs.

XCart - XCart allows you to save object XIDs in a file so that the file can be used for export with XPSExport.

XPSExplorer shows you 4 different sections:

  • CDS  – Certificate Data Store
  • EPM – Enterprise Policy Management
  • FED – Federation
  • SM – Siteminder Objects

Example of how to find an object XID, save that object in a file using XCart, and export the object using XPSExport.

Log in to the Policy Server and open the command prompt.

C:\Users\Administrator>XPSExplorer
[XPSExplorer - XPS Version 12.51.0000.905]
Log output: XPSExplorer.2014-02-21_140049.log
(WARN) : [sm-xpsxps-03500] CA.SPS: No product library.

MAIN MENU*******************************************************************

   CA                          (Vendor) 85-    AgentType*
     CDS                      (Product) 86-    AgentTypeAttr
 3-    Certificate*                     87-    AuthAzMap*
 4-    CRLRevocationData*               88-    AuthScheme*
 5-    OCSPRevocationData*              89-    AuthValidateMap*
     EPM                      (Product) 90-    AzIdentityMappingEntry
 7-    Application*                     91-    CertMap*
 8-    ApplicationGroup*                92-    ConfigParameter*
 9-    AttributeMapping                 93-    ConfigParametersWithRule*
10-    CapabilityGroup                  94-    Domain*
11-    LDAPUserDirectory                95-    GlobalDomain
12-    ODBCQuery                        96-    GlobalPolicy
13-    ODBCUserDirectory                97-    GlobalPolicyLink
14-    ResponseConstraint               98-    GlobalRealm
15-    Role                             99-    GlobalResponse
     FED                      (Product) 100-    GlobalResponseAttr
17-    ArtResService*                   101-    GlobalResponseGroup
18-    AssConService*                   102-    GlobalRule
19-    AttributeAuthorityConfig*        103-    GlobalRuleGroup
20-    AttributeMapping*                104-    GlobalUserPolicy
21-    AttributeRequesterConfig*        105-    GlobalVariable
22-    AttributeService*                106-    HostConfig*
23-    AttributeSource*                 107-    IdentityMapping
24-    AuthnContextMapping*             108-    IdentityMappingEntry
25-    AuthnContextTemplate*            109-    ODBCQuery*
26-    BackchannelConfig*               110-    PasswordPolicy*
27-    Certificate*                     111-    Policy
28-    ContactPerson*                   112-    PolicyLink
29-    EncryptionConfig*                113-    Realm
30-    Endpoint*                        114-    RegularExpr
31-    GlobalConfig*                    115-    ResourcePartnerUsers
32-    IdPBase*                         116-    Response
33-    IdPLocal                         117-    ResponseAttr
34-    IdPPartnership                   118-    ResponseGroup
35-    IdPRemote                        119-    RootConfig*
36-    MetadataExchangeConfig*          120-    Rule
37-    NameIDConfig*                    121-    RuleGroup
38-    OpenCookieConfig*                122-    SAMLAffiliation*
39-    Organization*                    123-    SAMLv1IdP
40-    PartnershipBase*                 124-    SAMLv1SP
41-    PhysicalAttributeMapping*        125-    SAMLv2IdP
42-    SAML1xAssnConService*            126-    SAMLv2SP
43-    SAML1xAssnRetrService*           127-    SelfReg*
44-    SAML1xAttribute*                 128-    ServiceProviderUsers
45-    SAML1xConsToProdPartnership      129-    SharedSecretPolicy*
46-    SAML1xConsumerLocal              130-    STSEndpoint
47-    SAML1xConsumerRemote             131-    STSRelyingParty
48-    SAML1xEntityBase*                132-    STSUsers
49-    SAML1xPartnershipBase*           133-    STSWebService*
50-    SAML1xProdToConsPartnership      134-    TrustedHost*
51-    SAML1xProducerLocal              135-    UserDirectory*
52-    SAML1xProducerRemote             136-    UserPolicy
53-    SAML1xSSOService*                137-    ValidateIdentityMappingEntry
54-    SAML2Attribute*                  138-    Variable
55-    SiteMinderConnector*             139-    VariableType*
56-    SLOService*                      140-    WSFEDIdP
57-    SPBase*                          141-    WSFEDSP
58-    SPLocal                          142-    WSSecurityIdP
59-    SPPartnership                    143-    XMLDCCIdP
60-    SPRemote                         144-    XMLDSigIdP
61-    SSOService*                           SPS                      (Product)
62-    StandaloneStoreVersion*          146-    AgentConfiguration
63-    StatusRedirects*                 147-    ApacheConfiguration
64-    UserMapping*                     148-    ErrorMessages
65-    WSFEDEntityBase*                 149-    HttpClientLoggingProperties
66-    WSFEDIPLocal                     150-    LoggerProperties
67-    WSFEDIPRemote                    151-    MetricReporter
68-    WSFEDIPToRPPartnership           152-    ProxyConfiguration
69-    WSFEDPartnershipBase*            153-    ProxyFilter
70-    WSFEDPassiveRequestorEndpoint*   154-    ProxyFilterGroup
71-    WSFEDRPLocal                     155-    ProxyRules
72-    WSFEDRPRemote                    156-    ProxyServer*
73-    WSFEDRPToIPPartnership           157-    ProxyServerGroup*
74-    WSFEDSecurityTokenConsSvc*       158-    SessionScheme
75-    WSFEDSignoutEndpoint*            159-    SessionSchemeMapping
     SM                       (Product) 160-    SPSConfiguration
77-    Admin*                           161-    UserAgent
78-    AffiliateDomain                  162-    VirtualHost
79-    AffiliateUsers                   163-    VirtualHostSettings
80-    Agent*                                XPS                      (Product)
81-    Agent4x                          165-    CounterValue*
82-    AgentConfig*                     166-    Expression*
83-    AgentGroup*                      167-    ExtractManifest
84-    AgentInstance*                   168-    ExtractManifestEntry

* indicates object types that can be granularly exported.

-------------------------------------------------------------------
F - Find by XID or RID
B - Begin Transaction
X - XCart Management (0 item(s))
P - Synchronize with Policy Server (if running)
Q - Quit
-------------------------------------------------------------------
Enter Option (#,F,B,X,P, or Q):
(Enter the number "80" for Agent from SM, since we are going to export an Agent object.)

Enter Option (#,F,B,X,P, or Q): 80     
CLASS MENU****************************************************************#3
 Class: Agent [CA.SM::Agent] 
   SiteMinder Type:    1
   Export Group:       Environmental
   Import Type:        Add
   Category:           Dictionary (1)
   Data Category:      Object Store (2)
-------------------------------------------------------------------
   A - List 4 Attributes
   L - List 10 Links
   E - Show single extension Class
   N - Create a New instance of this class
   F - Find an object by XID or RID
   S - Search objects
   Q - Quit
-------------------------------------------------------------------
To search for all Agent objects, select S.

Enter Option (ALENFSQ): S

 SEARCH MENU*****************************************************
CA.SM::Agent  There are 2 objects in the result.
 * 1-CA.SM::Agent@01-5d1c3383-dc89-46da-8ba5-08f18765cc28
                        (I) Name  :"webone_agent"
                        (C) Desc  :"Weone Apache agent"
  2-CA.SM::Agent@01-84ba3672-ac33-41b2-ace5-97e1cf5bfe07
                        (I) Name  :"websphere_agent"
                        (C) Desc  :"Websphere Application Server Agent"
* indicates that the object is in the XCart.
 -------------------------------------------------------------------
 +    - Add attribute to Sort (ascending)
 -    - Add attribute to Sort (descending)
B    - Build Filter
 X    - Add all to XCart (using mode: DEFAULT)
Y    - Remove all from XCart
M    - Change XCart Add Mode
Q    - Quit
 ------------------------------------------------------------------
 Enter Option (#,+,-,B,X,Y,M,Q):

The above search result fetched all Agents configured in the Policy Server, with their XIDs, as seen in the Admin Console.

 


Now that we know the Agent XIDs, we can go back, find the Agent object we need to export by its XID, and add the object to the XCart.

 

CLASS MENU****************************************************************#3
Class: Agent [CA.SM::Agent]
   SiteMinder Type:    1
   Export Group:       Environmental
   Import Type:        Add
   Category:           Dictionary (1)
   Data Category:      Object Store (2)
-------------------------------------------------------------------
   A - List 4 Attributes
   L - List 10 Links
   E - Show single extension Class
   N - Create a New instance of this class
   F - Find an object by XID or RID
   S - Search objects
   Q - Quit
-------------------------------------------------------------------
Enter Option (ALENFSQ): F

Paste the XID of the object you identified above using the search result.
Record (blank to exit):Agent@01-84ba3672-ac33-41b2-ace5-97e1cf5bfe07
OBJECT MENU************************************************************#3191
 ------------------------- Object Meta Data ------------------------
         XID: CA.SM::Agent@01-84ba3672-ac33-41b2-ace5-97e1cf5bfe07
Actual Class: CA.SM::Agent
Base Class: CA.SM::Agent
In Cache: yes 3     Created: 2013-12-12 03:22:12 GMT
         By: siteminder (via GUI)
---------- Attributes from CA.SM::AgentDisplay Meta Data ----------
    AgentTypeLink                   =CA.SM::AgentType@10-8d78bb96-ae15-11d1-9cdd-006008aac24b
    Desc                            ="Websphere Application Server Agent"
    Name                            ="websphere_agent"
    RealmHintAttrId                 = 0
------------------ Attributes from CA.SM::Agent4x -----------------
    IpAddr
    Secret
-------------------------------------------------------------------
   M - Display Meta Data
   J - Display Joined Attribute value
   L - Display Links
   R - Display Related records (13 types)
   P - Polymorph object (3 classes)
   W - Get writable copy
   D - Delete Object
   A - List 6 Attributes

   X - Add to XCart (use Mode: DEFAULT)
   + - Change XCart Mode
   Q - Quit
-------------------------------------------------------------------

Enter Option (MJLRPWDAX+Q):X – (This adds the object to the XCart.)

You have added the object to the XCart. Now quit to go back to the Main Menu and select X to save your changes to a file.

MAIN MENU*******************************************************************
-------------------------------------------------------------------
F - Find by XID or RID
B - Begin Transaction
X - XCart Management (1 item(s)) - UNSAVED
P - Synchronize with Policy Server (if running)
Q - Quit
-------------------------------------------------------------------
Enter Option (#,F,B,X,P, or Q): X
XCart MENU***********************************************************Unsaved
There is 1 object in the cart
 1-CA.SM::Agent@01-84ba3672-ac33-41b2-ace5-97e1cf5bfe07
Import mode: DEFAULT
 (I) Name                            : "websphere_agent"
 (C) Desc                            : "Websphere Application Server Agent"
-------------------------------------------------------------------
   L - Load cart from file.
   S - Save cart to file (c:/shared/test_xcart)
   M - Load cart from an ExtractManifest
   N - Save cart to a new file.
   T - Save cart to a new ExtractManifest.

   A - Set import mode to ADD.
   O - Set import mode to OVERLAY.
   R - Set import mode to REPLACE.
   D - Set import mode to default.
   Z     Clear the cart
    Q     Quit
-----------------------------------------------------------------
Enter Option (L.S,M,N,T,A,O,R,D,Z or Q): S
File saved.
XCart MENU*************************************************************saved
There is 1 object in the cart
 1-CA.SM::Agent@01-84ba3672-ac33-41b2-ace5-97e1cf5bfe07
Import mode: DEFAULT
 (I) Name                            : "websphere_agent"
 (C) Desc                            : "Websphere Application Server Agent"
-------------------------------------------------------------------
   L - Load cart from file.
   S - Save cart to file (c:/shared/test_xcart)
   M - Load cart from an ExtractManifest
   N - Save cart to a new file.
   T - Save cart to a new ExtractManifest.
   A - Set import mode to ADD.
   O - Set import mode to OVERLAY.
   R - Set import mode to REPLACE.
   D - Set import mode to default.
    Z     Clear the cart
    Q     Quit
 Enter Option (L.S,M,N,T,A,O,R,D,Z or Q): Q

 

Below is the content of the saved file.

The file: test_xcart
# Type: CA.SM::Agent
#  (I) Name                            : "websphere_agent"
#  (C) Desc                            : "Websphere Application Server Agent"
CA.SM::Agent@01-84ba3672-ac33-41b2-ace5-97e1cf5bfe07

So what we have done so far is:

  • Used XPSExplorer to find the XID of the object
  • Selected the object
  • Added the object to the XCart using its XID
  • Saved the XCart content to a file, c:/shared/test_xcart

Now take an export of the object using XPSExport:

 

 C:\Users\Administrator>XPSExport c:/shared/agent_export.xml -xf c:/shared/test_xcart -npass -vT -l c:/shared/export_aget.log
[XPSExport - XPS Version 12.51.0000.905]
Log output: c:/shared/export_aget.log
Initializing XPS, please wait... 
(INFO) : [sm-xpsxps-00120] Initializing XPS Version 12.51.0000.905
(INFO) : [sm-xpsxps-01160] LDAP Provider Info String = CA Directory
(INFO) : [sm-xpsxps-01120] LDAP Provider Version: supportedLdapVersion = 3
(INFO) : [sm-xpsxps-01120] LDAP Provider Version: dxServerVersion = DXserver r12.0 SP12 (build 7338) Windows_NT/DXgrid 32-Bit
(INFO) : [sm-xpsxps-00560] Database Transactions are 0.
(INFO) : [sm-xpsxps-00300] 1 Parameter(s) loaded from Policy Store, 1 total.
(INFO) : [sm-xpsxps-00330] Caching Policy Data...
(WARN) : [sm-xpsxps-03500] CA.SPS: No product library.
(INFO) : [sm-xpsxps-00310] 3223 object(s) loaded from the Policy Store.
(INFO) : [sm-xpsxps-00430] Policy Store ID is "acb8bc84-5b1a-46b9-8942-e10e80f2b7a9".
(INFO) : [sm-xpsxps-06870] XPS Auditing is enabled.
(INFO) : [sm-xpsxps-03460] No validation warnings will be logged (controlled by CA.XPS::$LogValidationWarnings).
(INFO) : [sm-xpsxps-00150] XPS Initialized. (317, 0, 0)
(INFO) : [sm-xpsxps-00150] XPS Initialized.
(INFO) : [sm-xpsxps-05940] Extract Operation is entering the "Initializing" phase.
Log Time Phase/Section                Objects        %%age       #Err Elapsed
-------- ------------------------ --------------- -----------  -----------------
15:52:12 Initializing
(INFO) : [sm-xpsxps-05940] Extract Operation is entering the "Analyzing" phase.
 15:52:12 Analyzing                                             00:00:00
(INFO) : [sm-xpsxps-05940] Extract Operation is entering the "Reading" phase.
15:52:12 Reading                                               00:00:00
15:52:12 Reading/Policy Data           32/318        10%       00:00:00  00:00:00
15:52:12 Reading/Policy Data           64/318        20%       00:00:00  00:00:00
15:52:12 Reading/Policy Data           96/318        30%       00:00:00  00:00:00
15:52:12 Reading/Policy Data          128/318        40%       00:00:00  00:00:00
15:52:12 Reading/Policy Data          159/318        50%       00:00:00  00:00:00
15:52:12 Reading/Policy Data          191/318        60%       00:00:00  00:00:00
15:52:12 Reading/Policy Data          223/318        70%       00:00:00  00:00:00
15:52:12 Reading/Policy Data          255/318        80%       00:00:00  00:00:00
15:52:12 Reading/Policy Data          287/318        90%       00:00:00  00:00:00
15:52:12 Reading/Policy Data          318/318       100%       00:00:00  00:00:00
(INFO) : [sm-xpsxps-05940] Extract Operation is entering the "Sorting" phase.
15:52:12 Sorting/Policy Data                                   00:00:00
15:52:12 Sorting/Policy Data            1/1         100%       00:00:00  00:00:00
(INFO) : [sm-xpsxps-05940] Extract Operation is entering the "Writing" phase.
15:52:12 Writing/Header                                        00:00:00
15:52:12 Writing/References             1/2          50%       00:00:00  00:00:00
15:52:12 Writing/Policy Data            2/2         100%       00:00:00  00:00:00
15:52:12 Writing/Footer                                        00:00:00  00:00:00
(INFO) : [sm-xpsxps-05140] Extract complete.
(INFO) : [sm-xpsxps-05500] 0 value reference(s) exported.
(INFO) : [sm-xpsxps-05510] 1 link reference(s) exported.
(INFO) : [sm-xpsxps-05520] 1 policy data object(s) exported.
(INFO) : [sm-xpsxps-05530] 0 configuration parameter(s) exported.
(INFO) : [sm-xpsxps-05540] 0 security object(s) exported.
(INFO) : [sm-xpsxps-05560] Export file is 2079 bytes.
(INFO) : [sm-xpsxps-05940] Extract Operation is entering the "Complete" phase.
15:52:12 Complete                                              00:00:00
(INFO) : [sm-xpsxps-05140] Extract complete.
Total elapsed time:00:00
File is2,079 bytes.
(INFO) : [sm-xpsxps-00160] Shutting down XPS...
(INFO) : [sm-xpsxps-00170] Shutting down XPS housekeeping...
(INFO) : [sm-xpsxps-00160] Shutting down XPS...
(INFO) : [sm-xpsxps-00210] Releasing SiteMinder object store connection to XPS...
(INFO) : [sm-xpsxps-00180] Releasing XPS configuration cache...
(INFO) : [sm-xpsxps-00240] XPS Shutdown Complete.
C:\Users\Administrator>
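
A backup job can read the XPSExport output above and confirm that the export really contains what was asked for. The script below is an added example, not part of the original post or of the CA tooling; it parses the line layout shown in the transcript, and the function names, the sample (lines copied from the run above) and the comparison with the file size on disk are assumptions of the example.

```python
import re

# "(LEVEL) : [message-id] text", the line layout printed in the run above.
LINE_RE = re.compile(
    r"^\((?P<level>[A-Z]+)\) : \[(?P<id>sm-xpsxps-\d+)\] (?P<msg>.*)$"
)
COUNT_RE = re.compile(r"^(\d+) (.+?) exported\.$")
SIZE_RE = re.compile(r"^Export file is (\d+) bytes\.$")

# Constructed sample: lines copied from the XPSExport run on this page.
SAMPLE = """\
(INFO) : [sm-xpsxps-00150] XPS Initialized.
(WARN) : [sm-xpsxps-03500] CA.SPS: No product library.
15:52:12 Reading/Policy Data          318/318       100%       00:00:00  00:00:00
(INFO) : [sm-xpsxps-05140] Extract complete.
(INFO) : [sm-xpsxps-05500] 0 value reference(s) exported.
(INFO) : [sm-xpsxps-05510] 1 link reference(s) exported.
(INFO) : [sm-xpsxps-05520] 1 policy data object(s) exported.
(INFO) : [sm-xpsxps-05530] 0 configuration parameter(s) exported.
(INFO) : [sm-xpsxps-05540] 0 security object(s) exported.
(INFO) : [sm-xpsxps-05560] Export file is 2079 bytes.
"""


def summarize_export(output):
    """Collect counts, reported size, completion and non-INFO lines."""
    summary = {"counts": {}, "size": None, "complete": False, "non_info": []}
    for raw in output.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # progress rows, banner, prompt
        msg = m["msg"].strip()
        if m["level"] != "INFO":
            summary["non_info"].append((m["level"], m["id"], msg))
        count, size = COUNT_RE.match(msg), SIZE_RE.match(msg)
        if msg == "Extract complete.":
            summary["complete"] = True
        elif count:
            summary["counts"][count[2]] = int(count[1])
        elif size:
            summary["size"] = int(size[1])
    return summary


def backup_problems(summary, expected_objects, size_on_disk=None):
    """Reasons not to trust this export as a backup (empty list = none found)."""
    problems = []
    if not summary["complete"]:
        problems.append("no 'Extract complete.' line")
    # Objects, parameters and security objects count; references do not.
    exported = sum(n for kind, n in summary["counts"].items()
                   if "reference" not in kind)
    if exported < expected_objects:
        problems.append(f"{exported} object(s) exported, expected {expected_objects}")
    if size_on_disk is not None and summary["size"] != size_on_disk:
        problems.append(f"log reports {summary['size']} bytes, file has {size_on_disk}")
    return problems


if __name__ == "__main__":
    s = summarize_export(SAMPLE)
    print(s["counts"], s["non_info"])
    print(backup_problems(s, expected_objects=1, size_on_disk=2079))
```

The exports on this page are run with -npass, that is, without a passphrase protecting sensitive data in the XML, so keep the export file and its log in a directory with restricted access.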


You can also export this object using the method below.

Use XPSExplorer to find the XID of the object to be exported and run the following command:

C:\Users\Administrator>XPSExport c:/shared/agent_export1.xml -xo CA.SM::Agent@01-84ba3672-ac33-41b2-ace5-97e1cf5bfe07  -npass -vT -l c:/shared/export_aget1.log

[XPSExport - XPS Version 12.51.0000.905]

The export is saved in the XML file agent_export1.xml.

 


The different export options that can be used are:

  • DEFAULT
    • Default mode
  • ADD
    • Adds new objects; does not replace existing objects.
  • OVERLAY
    • Replaces existing objects; does not add new objects.
  • REPLACE
    • Replaces existing objects and adds new objects.

 

The test_xcart file:
# Type: CA.SM::Agent
#  (I) Name                            : "websphere_agent"
#  (C) Desc                            : "Websphere Application Server Agent"
CA.SM::Agent@01-84ba3672-ac33-41b2-ace5-97e1cf5bfe07

# Type: CA.SM::AgentConfig
#  (I) Name                            : "WebOne_ACO"
#  (C) Desc                            : "WebOne Apache instance ACO"
ADD=CA.SM::AgentConfig@21-324b775a-725d-4be2-b07b-7ba8409a06a7

# Type: CA.SM::AgentConfig
#  (I) Name                            : "IISDefaultSettings"
OVERLAY=CA.SM::AgentConfig@21-eaf30a03-e8f9-11d5-ba50-0010a4911ff4

 

So you can either type these keywords manually in the saved file and run the export command, or use XCart to export in any of the four modes, as below.

 

Go to the Main menu of XPSExplorer

 * indicates object types that can be granularly exported.
 F - Find by XID or RID
 B - Begin Transaction
 X - XCart Management (2 item(s)) - UNSAVED
 P - Synchronize with Policy Server (if running)
Q - Quit
-------------------------------------------------------------------
Enter Option (#,F,B,X,P, or Q): X
XCart MENU***********************************************************Unsaved
There are 2 objects in the cart
1-CA.SM::Agent@01-84ba3672-ac33-41b2-ace5-97e1cf5bfe07
Import mode: DEFAULT
(I) Name                            : "websphere_agent"
 (C) Desc                            : "Websphere Application Server Agent" 

2-CA.SM::AgentConfig@21-324b775a-725d-4be2-b07b-7ba8409a06a7
Import mode: ADD
(I) Name                            : "WebOne_ACO"
(C) Desc                            : "WebOne Apache instance ACO"
-------------------------------------------------------------------
L - Load cart from file.
S - Save cart to file (c:/shared/test_xcart)
M - Load cart from an ExtractManifest
N - Save cart to a new file.
T - Save cart to a new ExtractManifest.
A - Set import mode to ADD.
O - Set import mode to OVERLAY.
R - Set import mode to REPLACE.
D - Set import mode to default.
Z  Clear the cart
Q Quit
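
Because the mode keywords can be typed into the cart file by hand, it is worth checking the file before passing it to XPSExport with -xf. The script below is an added example, not part of the original post or of the CA tooling; the XID pattern is inferred from the XIDs shown on this page, and the function names and the two bad lines at the end of the sample are constructed for the example.

```python
import re

# Mode keywords shown on this page; an entry without a prefix is DEFAULT.
# Only the upper-case spellings shown here are accepted (assumption).
MODES = {"ADD", "OVERLAY", "REPLACE"}

# XID shape inferred from the XIDs on this page (assumption, not a
# published grammar): Vendor.Product::Class@NN-<uuid>
XID_RE = re.compile(
    r"^[A-Za-z]+\.[A-Za-z]+::[A-Za-z0-9]+@[0-9a-f]{2}-"
    r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$"
)

# Constructed sample: the cart from this page plus two deliberately bad lines.
SAMPLE = """\
# Type: CA.SM::Agent
#  (I) Name                            : "websphere_agent"
CA.SM::Agent@01-84ba3672-ac33-41b2-ace5-97e1cf5bfe07

# Type: CA.SM::AgentConfig
ADD=CA.SM::AgentConfig@21-324b775a-725d-4be2-b07b-7ba8409a06a7
OVERLAY=CA.SM::AgentConfig@21-eaf30a03-e8f9-11d5-ba50-0010a4911ff4
OVERLY=CA.SM::AgentConfig@21-eaf30a03-e8f9-11d5-ba50-0010a4911ff4
REPLACE=CA.SM::Agent@01-84ba3672-ac33-41b2
"""


def parse_xcart(text):
    """Return (entries, problems) for the text of an XCart file."""
    entries, problems, seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or descriptive comment written by XCart
        keyword, sep, rest = line.partition("=")
        mode, xid = (keyword.strip(), rest.strip()) if sep else ("DEFAULT", line)
        if sep and mode not in MODES:
            problems.append((lineno, f"unknown mode keyword {mode!r}"))
        elif not XID_RE.match(xid):
            problems.append((lineno, f"not a well-formed XID: {xid!r}"))
        elif xid in seen:
            problems.append((lineno, f"same XID as line {seen[xid]}"))
        else:
            seen[xid] = lineno
            entries.append({"line": lineno, "mode": mode, "xid": xid,
                            "class": xid.split("@", 1)[0]})
    return entries, problems


def overwriting_entries(entries):
    """Entries whose mode replaces objects that already exist on import."""
    return [e for e in entries if e["mode"] in ("OVERLAY", "REPLACE")]


if __name__ == "__main__":
    entries, problems = parse_xcart(SAMPLE)
    for e in entries:
        print(f'line {e["line"]}: {e["mode"]:8} {e["xid"]}')
    for lineno, msg in problems:
        print(f"line {lineno}: REVIEW - {msg}")
    print("overwrites on import:", [e["xid"] for e in overwriting_entries(entries)])
```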

 

XPSImport

XPSImport performs the following tasks:

  • Import the entire policy data.
  • Import a portion of the policy data.
  • Import configuration data.

>XPSImport Input_file.xml  -e log_file

Input_file – Specifies the location of the exported XML file

-e – Logs errors and exceptions

>XPSImport c:/shared/agent_export.xml -e c:/shared/import_err.log

 

 

---------------------------------------------------------------------------------------------------------------------------------------------

Disclaimer: Content posted here worked for me and may not guarantee success, should be used as reference only and please use it cautiously.