The primary driving reason are some of the improvements 12.6 brings to the table and I know I will find useful. You can read the full list at the link above but here are the big ones I found to be most useful for my environment and future use -
- Self-Service usability improvements, making the end user's life easier and simpler to understand is always a plus.
- Synchronization of users, roles, endpoint accounts and templates from the User Console. Not having to use the Provisioning Manager in a split function role is a big one from an administration stand point.
- Out of the box, native security of the Management Console with the ability to add individual administrators. If you don't have Siteminder no problem. Siteminder is a better solution if you have it in house but this is a big add.
- During the upgrade it does not set this up automatically. In the manual there is a section called Protect an Existing Environment After Upgrade which details how to turn it on. It looks like an XML edit and manual SQL/Oracle table creation in addition to a DB script so you need DBA access to do it. I have not done the steps yet to comment on it. Check this blog posts comments for updates later.
- Manage certificates in the Connector Server, certificate management is always a pain.
There are many more features and security enhancements that were added that you may find useful, check them all out and upgrade accordingly.
Upgrade Experience
I upgraded from CA IdentityMinder 12.5 SP13 with all out of the box components, no shared CA Directory or a complex high availability environment. I read through the manuals and found the upgrade process is significantly different depending on what version of IdentityMinder you are running, especially if you are r12.0, so pay attention to versions.
I found the documentation fairly straight forward and for the steps it's very close to a "Setup.exe, Next, Next, Next button" process. You need to start with the Provisioning Manager first and finish with the IdentityMinder server.
Download the 12.6 files from the Support site, get them on the servers and unzip them.
Double click on ca-im-r12.6-win32.exe, agree to the terms and conditions and you will be taken to the upgrade screen. I am not going to post every step for every section, unless there is an influx of requests for it I took screenshots of every single step for my own reference and training of others.
You start at the top of the list and do all the products down until they are all completed then hit Next to finish up. You do this on the Provisioning Server and then the IdentityMinder Server. It's the same install package for the Provisioning and IdentityMinder server, it's smart enough to know what's what which server you are working on which is nice. The two different shots from the same install file is below.
 |
| Provisioning Server |
 |
| IdentityMinder Server |
The only moment where I could see people running into a big problem, because I almost did, is when you upgrade the Provisioning Server. You need to have the Shared Secret you put in when you originally installed IdentityMinder.
Also, on the Provisioning Server you need to stop the Provisioning Server Services but NOT the CA Directory instances if you have them on the same box. If you shut them all off, like I did, the installer can't connect to the directory to upgrade it.
I went through and did the upgrade on both servers getting successful messages for every component. No warnings, errors, or other gotcha moments that I had to go back. For as large as IdentityMinder is, this was a very smooth upgrade process with the number of steps involved.
 |
| Confirmation of Upgrade |
So far all my settings and configurations are intact, users are in place and arrangements are where they should be. I ran into a problem that may or may not have corrupted something in my corporate store data which throws Java.NullException errors when ever I try to look or modify user data, the rest is fine. I say it's the data over a JBOSS Java problem because I cannot use that User Store in a new environment the Console fails to, but I created a brand new SQL DB and created a new IME just fine. It may have been something I fat fingered because it worked fine until I changed audit and DB settings. I won't go into my feelings about Java.
New GUI
One last note, if you haven't already, I highly recommend you switch the default GUI skin to the new one. CA has improved this from even SP13 and to me seems more responsive than the old style tab layout of the first r12 product roll out. As I understand it this GUI style will be standardized across the entire suite of CA products over time.
I may put together a post about custom skinning beyond this but I am holding off on trying it myself as it requires an actual Java recompile and if you goof it up, no GUI.
To enable the new IdentityMinder GUI you need to add a property to each IME you want to turn it on for.
In the Management Console go to:
Home > Environments > (your IME) > Advanced Settings > Miscellaneous
Property: DefaultConsole
Value: ui7
Click Add, Save, then restart the IME.
You have the new, sleek GUI.
End of Line.
Posted in: IAM,IdentityMinder
0 comments:
Post a Comment