000016762 - Can I migrate AM 7.1 Internal DB users to AM 8.0 as external Identity Source Users?

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000016762
Applies To: Authentication Manager AM 7.1 SP4, AM 8.0; migrate, migration, UserID, first name, last name, surname, givenname, given name
 
Issue: How do I migrate AM 7.1 SP4 Internal Database (Oracle) users to AM 8.0 as external Identity Source users in Active Directory?
Can I migrate AM 7.1 Internal DB users to AM 8.0 as external Identity Source users?
Export Failed: There is an error with the user record. The identity source contains no value for the attribute set as the Unique Identifier for the user. Edit the user record in the directory to add a value. This error indicates that you are not using objectGUID as the Unique Identifier in your external Identity Source but some other attribute such as exuid or employeeNumber, and at least one record has a blank value in that attribute.
 
Resolution: Basically you have to migrate to the AM 8.0 Internal Database first, then export Users with Tokens, remove the internal users, and import the export again after the external AD Identity Source has been created.
Authentication Manager 8.0 is a virtual appliance that runs on SUSE Linux and is deployed into a virtual infrastructure such as VMware ESX or vCloud. Note: avoid using IE8 with very large (168 MB) database migration files; other versions of IE, Chrome or Firefox work fine.
You can also migrate several times, in effect repeating your migration to see how it turns out.
First stop is Secure Care: click the very large 8.0 link on the main home page for the various documents and videos.
Basic migration plan:
1.  Pre-migration: run the Migration Export Tool. You need the Master Password from AM 7.1 SP4. Choose Test or Production.
2.  Deploy AM 8.0.
3.  Import from the 8.0 Operations Console.
Users are now in the AM 8.0 Internal DB with tokens assigned and PINs intact, as well as all agents, etc.
4.  Export Users with Tokens
     a. Optionally Create a group to store users to migrate today
     b. From Security Console Export Users with Tokens using this group (or export all users)
     c. You need to download and use the AM 8.0 key for this, even though you are importing back into the same AM 8.0 server.
5. Remove the users from the Internal Database via the Security Console.
6. Create the external Identity Source in AD (or another supported LDAP directory); see KB a63091.
7. Import the exported Users with Tokens file. It will find each user in the new external Identity Source and assign the token to that user,
   with a warning that the unassigned token is being overwritten (which is good, and what we want).
    a.  If the first name, last name and username match AD exactly, the import will assign the user's token to the identity in AD.
    b.  Users who do not match on all three attributes will be imported into the Internal Database with their tokens assigned. For each of these you would have to:
        i.   Manually locate the internal user
        ii.  Unassign the token from the user in the Internal Database
        iii. Assign the token to the user in AD
        iv.  Remove the user from the Internal Database
How to migrate users from one AM 8.0 external Identity Source to a second external Identity Source (from KB a63192)
The option in AM 8.0 is to export Users and Tokens, then re-import them, like a migration from one Identity Source to another.
The example below moves users from IS-a to IS-b.
1. A user in the IS-a Identity Source has a token, but the same UserID does not show in the IS-b Identity Source because it's filtered
   out of that Identity Source. To filter out disabled users, use something like the following:
   (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
   or, if they are in a group: (&(objectClass=User)(objectcategory=person)(!(memberOf=CN=migratedUsers,CN=User,dc=emc,dc=com)))
2. Create a group to store users to migrate today
3. From the Security Console, Export Users with Tokens using this group (as opposed to all users).
   You need to download and use the AM 8.0 key for this, even though you are importing back into the same AM 8.0 server.
4. Now disable, block or delete the user in IS-a, so they no longer show in the IS-a Identity Source.
5. Run Cleanup from the Security Console to free up (unassign) the users' tokens.
6. Enable the same user in IS-b, so the user shows in the IS-b Identity Source.
7. Import the exported Users with Tokens file. It will find the user in the IS-b Identity Source and assign the token to this user in IS-b,
   with a warning that the unassigned token is being overwritten (which is good, and what we want).
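Before running either import, it helps to predict which exported users will attach to a directory identity and which will fall back into the Internal Database, and to catch records that would trip the "Export Failed ... Unique Identifier" error. The following Python script is an added example written for this article, not RSA's code or any Authentication Manager API. It models the three rules the article states: the identity source filters above (the userAccountControl bit-AND rule 1.2.840.113556.1.4.803 for disabled accounts, and optional exclusion of a group), the exact match on UserID, first name and last name, and the blank Unique Identifier check. The record layouts, the group DN and all sample users are constructed for the example; in practice you would feed it your real Users-with-Tokens export and a directory dump.

```python
# Pre-flight check for a Users-with-Tokens re-import (added example, not RSA's code).
# Models the rules the article states:
#  1. a user is only visible in an identity source if the source's LDAP filter
#     admits it (disabled accounts excluded via the userAccountControl bit-AND
#     rule 1.2.840.113556.1.4.803; optionally members of a group excluded);
#  2. import attaches the token to the directory user only when user ID,
#     first name and last name match exactly, otherwise the user and token
#     land in the Internal Database;
#  3. exporting from an external identity source fails for any record whose
#     Unique Identifier attribute is blank.
# Record shapes and sample values below are constructed for the example.
from dataclasses import dataclass
from typing import Dict, List, Tuple

ACCOUNTDISABLE = 0x2  # userAccountControl flag the article's filter tests


@dataclass
class ExportedUser:
    """One row of the Users-with-Tokens export (constructed shape)."""
    user_id: str
    first_name: str
    last_name: str
    token_serial: str


@dataclass
class AdUser:
    """Minimal AD person object as seen through the identity source."""
    sAMAccountName: str
    givenName: str
    sn: str
    userAccountControl: int = 0x200          # NORMAL_ACCOUNT, enabled
    memberOf: Tuple[str, ...] = ()
    unique_id: str = ""                      # whatever attribute the IS uses as Unique Identifier


def passes_filter(user: AdUser, exclude_group: str = "") -> bool:
    """Mirror of the article's filters: drop disabled accounts and, when
    exclude_group is given, drop members of that group (DN compare is
    case-insensitive, as in AD)."""
    if user.userAccountControl & ACCOUNTDISABLE:
        return False
    if exclude_group and exclude_group.lower() in (g.lower() for g in user.memberOf):
        return False
    return True


def blank_unique_ids(ad_users: List[AdUser], exclude_group: str = "") -> List[str]:
    """Visible records that would trip 'Export Failed: ... no value for the
    attribute set as the Unique Identifier'."""
    return [u.sAMAccountName for u in ad_users
            if passes_filter(u, exclude_group) and not u.unique_id.strip()]


def plan_import(exported: List[ExportedUser], ad_users: List[AdUser],
                exclude_group: str = "") -> Dict[str, List[str]]:
    """Predict where each exported user lands on import."""
    visible = {u.sAMAccountName: u for u in ad_users if passes_filter(u, exclude_group)}
    plan: Dict[str, List[str]] = {"to_directory": [], "to_internal": []}
    for e in exported:
        ad = visible.get(e.user_id)
        # The article says all three attributes must match AD exactly.
        if ad and ad.givenName == e.first_name and ad.sn == e.last_name:
            plan["to_directory"].append(e.user_id)
        else:
            plan["to_internal"].append(e.user_id)
    return plan


MIGRATED_GROUP = "CN=migratedUsers,CN=Users,DC=example,DC=com"   # placeholder DN

SAMPLE_EXPORT = [  # constructed export rows
    ExportedUser("jdoe",   "John",  "Doe",   "000123456789"),
    ExportedUser("asmith", "Anne",  "Smith", "000123456790"),  # surname differs in AD
    ExportedUser("bking",  "Bob",   "King",  "000123456791"),  # account disabled in AD
    ExportedUser("clee",   "Carol", "Lee",   "000123456792"),  # already in migratedUsers
]
SAMPLE_AD = [  # constructed directory snapshot
    AdUser("jdoe",    "John",  "Doe",   unique_id="E1001"),
    AdUser("asmith",  "Anne",  "Smyth", unique_id="E1002"),
    AdUser("bking",   "Bob",   "King",  userAccountControl=0x202, unique_id="E1003"),
    AdUser("clee",    "Carol", "Lee",   memberOf=(MIGRATED_GROUP,), unique_id="E1004"),
    AdUser("dnguyen", "Dan",   "Nguyen"),                          # blank Unique Identifier
]

if __name__ == "__main__":
    plan = plan_import(SAMPLE_EXPORT, SAMPLE_AD, MIGRATED_GROUP)
    print("will attach to directory user:", plan["to_directory"])
    print("will land in Internal DB (fix by hand):", plan["to_internal"])
    print("would fail export (blank Unique Identifier):", blank_unique_ids(SAMPLE_AD))
```

Running it lists the users that will land in the Internal Database, which is exactly the set you would otherwise have to find by hand in step 7b, so the names can be corrected in AD (or the export) before the import rather than after. Dropping the group argument shows the effect of the memberOf filter: clee becomes visible and matches.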
 
Notes: Normally we think of AM 7.1 users being in the same external Identity Source (AD) as you plan to use in AM 8.0, but if your AM 7.1 users are in the Internal Database and not in an external Identity Source, you can still migrate. You have to migrate to the AM 8.0 Internal Database first, export Users with Tokens, remove the users from the Internal Database, then set up the AD LDAP connection to the external Identity Source in AM 8.0 before you import the Users and Tokens back in. If the first name, last name and UserID in the Users with Tokens import (from the original AM 7.1 Internal Database) match the entries in the Active Directory external Identity Source in AM 8.0, the users will migrate to the external Identity Source with tokens assigned and PINs intact.
Legacy Article ID: a63122
