000026738 - AM 7.1- How to migrate RSA Authentication Manager 7.1 Primary to new Hardware

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000026738
Applies To: Authentication Manager 7.1.2 on all supported platforms
Migrate to a new Server
rsautil manage-database -a import -D
Authentication Manager 7.1, Appliance 3.0 AM 7.1 SP4, APP3.0.4 Oracle database
Issue: How to migrate RSA Authentication Manager 7.1.2 database to new hardware.
How to copy or export an AM 7.1 production database for use or import into a Development or Test Primary Server,
or any other AM 7.1 Server at same Service Pack or higher
Cause: This is also a method to upgrade an SP2 or Pre-SP2 database into a new SP4 Server or appliance.
  The FQDN and IP address do not have to remain the same
Resolution: To migrate the database from the existing AM 7.1.x Primary to New hardware, follow these steps:
Outline
1. Get latest backup/export from existing primary Production Appliance
     ./rsautil manage-backups -a export -f /tmp/backup2014.dmp
2. Factory reset Spare/development Primary Appliance or step 3 if OS server based
3. Run Quick setup on this primary appliance to configure it as a primary or install AM 7.1 on new server
4. Configure RADIUS Server on new Primary - You cannot do this after importing the database!
5. Import the database
     ./rsautil manage-backups -a import -D -f /tmp/backup2014.dmp
6. Generate Dev Replica package for Dev Replica if needed
Details
1.       Get latest backup/export from existing primary
  SSH in as emcsrv
  sudo su rsaadmin                 (this makes you the rsaadmin user)
  cd /usr/local/RSASecurity/RSAAuthenticationManager/utils
  ./rsautil manage-backups -a export -f /tmp/backup2014.dmp
This will create /tmp/backup2014.dmp and /tmp/backup2014.secrets. Use WinSCP to copy these files off the Appliance.
RADIUS Data can only be migrated to a system using the same Operating System, and it must also match 32/64-bit.
 If your deployment has a radius server that needs to be migrated to the New hardware, follow these steps to backup the Radius Data:
- Stop the RSA Authentication Manager Radius Server Service.
- Open Windows Explorer and navigate to the RSA_HOME Directory (Where RSA_HOME is the main Authentication manager Installation directory.
  By default it is: C:\Program Files\RSA Security\RSA Authentication Manager)
- Take a copy of the "radius" directory.
- Start the RSA Authentication Manager Radius Server Service.
2. Factory reset Spare/development Primary Appliance or step 3 if OS server based
You need a Video monitor and USB keyboard connected directly to the Appliance, login with the emcsrv account
    sudo su -   to become root,
            same password as emcsrv,   then from # root prompt  enter the command       
    reboot
When Appliance reboots, you have about 30 seconds to select Factory reset instead of default normal boot.  Confirm Y
3. Run Quick setup on this primary appliance to configure it as a primary or install AM 7.1 on new server
 - Follow Appliance getting started PDF
 - Change your Laptop IP to 192.168.100.101, connect an Ethernet cable from your laptop to Appliance Ethernet port then
 - https://192.168.100.100  and configure as Primary.  You need original License.zip file
 - Make sure the same master password is used on the new Primary server.
For Server based OS
 - Follow the instructions in the RSA Authentication Manager Installation Guide to install Authentication Manager 7.1.x as a primary.
 - Make sure the same master password is used on the new Primary server.
4. Configure RADIUS Server on new Primary from the Operations Console > Deployment Configuration > RADIUS > Configure Server
Do this even if you do not need RADIUS. In AM 7.1 you cannot do this after importing the database in Step 5.
5. Import the database
 - Copy your Appliance backup2014.dmp and backup2014.secrets to /tmp or C:\Temp
 - SSH to Appliance and sudo su rsaadmin   or open CMD prompt in Windows
 - cd /usr/local/RSASecurity/RSAAuthenticationManager/utils   or   cd C:\Program Files\RSA Security\RSA Authentication Manager\utils
    ./rsautil setup-replication -a list
      i. <primary>
     ii. <replica>   should not see any?
    ./rsautil setup-replication -a remove-replica -n <replica>  
    ./rsautil setup-replication -a remove-primary                 
    cd ../server
    ./rsaam stop all              or Stop all RSA AM services in Windows Services
    ./rsaam start db              or Start all RSA AM services in Windows Services
    cd ../utils
    ./rsautil manage-backups -a import -D -f /tmp/backup2014.dmp                [need full path to .dmp and .secrets]
    rsautil manage-backups -a import -D -f C:\Temp\backup2014.dmp     in Windows  
         Enter Master Password:
    ./rsautil setup-replication -a set-primary                   
    cd ../server
    ./rsaam start all
- Logon to the Security Console and confirm that all the Data is present
- Update the Authentication Manager contact list from the
  Security Console/Access/Authentication Agents/Authentication Manager Contact list/Automatic Rebalance.
  (Click on Rebalance and verify the server information is accurate)
- If the new server has a new Hostname/IP address, make sure the agent configuration is updated with the
  new server's configuration file and the Agents are directed to the new server.
 OPTIONAL: Check RADIUS Clients to see if they exist. SP4 may have them, but if not, restore the RADIUS server
 by following these steps:
- Copy the "radius" directory from the Old Primary server to the new Server.
- On the New Primary, Stop the RSA Authentication Manager Radius Services.
- Open windows Explorer and navigate to the RSA_HOME directory (Where RSA_HOME is the main Authentication manager Installation directory.
  By default it is: C:\Program Files\RSA Security\RSA Authentication Manager)
- Rename the existing "radius" directory to "radius_original"
- Place a copy of the "radius" directory from the Old Primary in the New Primary server's RSA_HOME directory
- Open a command prompt and cd to the RSA_HOME\config directory
- Type the following command:
  configutil configure radius finalize-radius-restore    (Hit Enter)
- Once the configuration is complete, logon to the Operations Console
- From the top menu select Deployment Configuration/Radius/Manage Existing and make sure you're able to manage the Radius Server.
- Logon to the Security Console and confirm that all the Radius data is migrated.
- Point the Radius Clients to the new Radius server.
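A preflight check for the export pair from step 1 before the import in step 5, added here as an example and not part of the RSA article or product. The script name preflight.sh, the function names and the .sha256 manifest file are assumptions of this example; it applies to the Linux appliance or server path and assumes GNU sha256sum is available on both hosts.

```shell
#!/usr/bin/env bash
# Added example, not RSA code. Guards the export pair from step 1 before
# the import in step 5. Assumes GNU sha256sum on both Linux hosts.

# On the OLD primary: write DUMP.sha256 covering the .dmp and its .secrets.
record_manifest() {
    local dmp="$1" base="${1%.dmp}"
    ( cd "$(dirname "$dmp")" &&
      sha256sum "$(basename "$dmp")" "$(basename "$base").secrets" ) > "$dmp.sha256"
}

# On the NEW primary: return 0 only if the pair is safe to hand to rsautil.
preflight_import() {
    local dmp="$1" base="${1%.dmp}" f
    # rsautil needs the full path to the .dmp (step 5 of the article).
    case "$dmp" in
        /*.dmp) ;;
        *) echo "need full path ending in .dmp: $dmp" >&2; return 2 ;;
    esac
    # The export produces a pair; both files must sit side by side.
    for f in "$dmp" "$base.secrets"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 3; }
    done
    [ -f "$dmp.sha256" ] || { echo "no manifest: $dmp.sha256" >&2; return 4; }
    # Catch truncation or modification during the copy between servers.
    ( cd "$(dirname "$dmp")" &&
      sha256sum -c --quiet "$(basename "$dmp").sha256" ) >&2 ||
        { echo "checksum mismatch, copy the files again" >&2; return 5; }
    # Dump and secrets are sensitive: owner-only while staged in /tmp.
    chmod 600 "$dmp" "$base.secrets" || return 6
    echo "OK to import: $dmp"
}

# Usage: preflight.sh record /tmp/backup2014.dmp   (old primary)
#        preflight.sh check  /tmp/backup2014.dmp   (new primary)
case "${1:-}" in
    record) record_manifest "$2" ;;
    check)  preflight_import "$2" ;;
esac
```

Copy the .sha256 manifest alongside the .dmp and .secrets files, and delete all three from /tmp once the import has been confirmed in the Security Console.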
Workaround: An administrator wishes to perform a fresh installation of Authentication Manager 7.1.x on a replacement server, then wishes to migrate the database from the existing Production server to the new Server.
Notes

There are a few points to take into consideration when migrating to a new AM 7.1.x server.


- If a RADIUS server is involved and if the data is to be migrated
- If any Service Packs/Patches are to be applied on the New primary.


 

IMPORTANT: The Authentication Manager 7.1.x Primary MUST be installed using the SAME Master password as the Old Primary Server. If the same master password is not used with the new Primary, the database from the old primary  WILL NOT restore.


To verify the Master Password on the Old Primary Server, do the following:


- Open a Command Prompt and cd to the RSA_HOME\utils Directory (Where RSA_HOME is the main Authentication manager Installation directory. By default it is: C:\Program Files\RSA Security\RSA Authentication Manager)
- Type: rsautil manage-secrets -a list   (hit Enter)


You should see an output similar to:


C:\Program Files\RSA Security\RSA Authentication Manager\utils>rsautil manage-secrets -a list
Enter Master password: *****
Secrets stored in C:\PROGRA~1\RSASEC~1\RSAAUT~1\utils\etc\systemfields.properties.
Command API Client User ID .......................................................: CmdClient_cvnknxu3
Command API Client User Password .................................................: KKfPbOyE0j
Root Certificate Private Key Password ............................................: e5Il220iU2
Root Certificate Keystore File Password ..........................................: xtTEZ4sXdw


The "listkeys" action displays the key names to use when setting the values.


 

RSA Authentication Manager 7.1.2 Documentation: https://knowledge.rsasecurity.com/scolcms/set.aspx?id=8516


RSA Authentication Manager 7.1.4 Documentation: https://knowledge.rsasecurity.com/scolcms/set.aspx?id=8789


 
Legacy Article ID: a54072
