000026361 - Migrating RSA Authentication Manager 8.1 users across identity sources

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 5

Article Content

Article Number: 000026361
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1
Issue
This article provides information on:
  • How to move users with tokens from one identity source to another; and
  • How to merge users with tokens from one external identity source into another external identity source.
Resolution

Be sure to take a backup of the database or a snapshot of the virtual server before continuing.
To import the users that were exported from one external identity source to another, the users' first name, last name, and default login must all match on both Active Directory servers.  Please confirm this before continuing.
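
A pre-check for the matching requirement above, as an added example that is not part of the original RSA article: it compares first name, last name and login for the users to be migrated, using CSV exports taken from the two Active Directory servers. The column names (givenName, sn, sAMAccountName), the case-insensitive pairing of logins and the sample rows are assumptions.

```python
import csv
import io

# Assumed CSV columns (AD attribute names); map them to whatever your
# identity source uses for first name, last name and default login.
FIELDS = ("givenName", "sn", "sAMAccountName")

def load(csv_text):
    """Index rows by lower-cased login; also return logins seen more than once."""
    users, dupes = {}, set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        rec = tuple((row.get(f) or "").strip() for f in FIELDS)
        key = rec[2].lower()
        if key in users:
            dupes.add(key)
        users[key] = rec
    return users, dupes

def precheck(source_csv, target_csv):
    """Return (missing, mismatched, ambiguous) for the users to be migrated."""
    src, _ = load(source_csv)
    dst, dst_dupes = load(target_csv)
    # Users that exist in the old directory but not in the new one.
    missing = sorted(k for k in src if k not in dst)
    # Users present in both, with the list of fields that differ (case included).
    mismatched = {
        k: [f for f, a, b in zip(FIELDS, src[k], dst[k]) if a != b]
        for k in sorted(src) if k in dst and src[k] != dst[k]
    }
    # Logins that appear more than once in the target export.
    ambiguous = sorted(k for k in src if k in dst_dupes)
    return missing, mismatched, ambiguous

# Constructed sample exports, not real directory data.
SOURCE = """givenName,sn,sAMAccountName
Test,One,test1
Test,Two,test2
Test,Three,test3
Test,Four,test4
"""
TARGET = """givenName,sn,sAMAccountName
Test,One,test1
Test,Too,test2
Test,Four,Test4
"""

if __name__ == "__main__":
    missing, mismatched, ambiguous = precheck(SOURCE, TARGET)
    print("missing in target:", missing)
    print("field mismatches:", mismatched)
    print("duplicate logins in target:", ambiguous)
```

All three results should be empty for the exported group before the import is started.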
In the example below there are ten users named test1 - test10 that are housed in an external Active Directory identity source that is on a Windows 2003 Server.  All ten users have tokens assigned and PINs have been created.  One of the users also has a replacement token assigned, but has not used it yet.


  1. To make things easier, a group named export has been created in the Authentication Manager Security Console (Identity > User Groups > Add New).  Users test1 - test10 have been assigned to the group by clicking on the context arrow next to the group name and choosing Member Users.  Search for the users and, when the results come back, select them and click Add User to Group.  It is also possible to export all users with tokens.
  2. To export the users, first download the encryption key by selecting Administration > Import/Export Tokens and Users > Download Encryption Key and save the file to a desired location.
  3. Now export the users by selecting Administration > Import/Export Tokens and Users > Export Tokens and Users.
  4. Browse to the encryption key downloaded in step 2 and select Users with Tokens (Users without tokens will not be exported) for the Export Type and click Next.
  5. On the next screen under Filter User with Tokens By Group, select Narrow the selection by group membership.  Enter the name of the group created in step 1 which has the desired users and hit Search.
  6. Select the group and then press > to bring the group over on the right side under the Selected Groups section.
  7. Check the box next to the group and click Export.
  8. This brings up the Import/Export Status screen.  Once it is complete, download the file.  Save the file in the same directory where the encryption file was saved in step 2.
  9. Now remove the users that have been exported and clean up the database. If all the users have been exported, the identity source can be unlinked in the Security Console under Setup > Identity Sources > Link Identity Source to System. Unlink the identity source and click Save.
  10. Confirm that you want to unlink the Identity Source on the subsequent screen and make sure to check the box, then click on Unlink.
  11. Run the scheduled cleanup job (Setup > Identity Sources > Scheduled Cleanup), setting the job to run a few minutes ahead of the current time, and click Save.
  12. Monitor the progress using the real-time system monitor (Reporting > Real Time Activity Monitors > System Activity) or under Administration > Batch Jobs.  Once the cleanup is complete, log in to the Operations Console and delete the identity source you just unlinked by selecting Deployment Configuration > Identity Sources > Manage Existing.  Click on the context arrow next to the correct identity source and select Delete.
  13. On the following screen check the box for Yes, delete the identity source and click Delete Identity Source.
  14. To import the users that were exported from the AD on the Windows 2003 Server into a 2008 domain, the first name, last name, and default login must all match what is on the Windows 2008 server.  The Windows 2008 Server identity source is already set up in Authentication Manager 8.1 and linked via the Security Console.
  15. Import the users that were exported by selecting Administration > Import/Export Tokens and Users > Import Tokens and Users.
  16. Select the .pkg file that was created during step 8 of the export and click Next.
  17. Edit the system domain, if needed or keep the default of System Domain and click Next.
  18. On the subsequent screen select the identity source into which you are importing your users and tokens and click Next.
  19. When done, an export/import status screen will show.
  20. Review the summary which should match the export summary and click Import.  Note that it is possible to see a Done with Warning status as well. This is just the unassigned token records being overwritten.
  21. The imported users should now show up in the new identity source with their tokens and PINs intact.
To see these steps with screenshots included, see the attached pdf.
 
Legacy Article ID: a63330
