SecurID® Discussions

DavidClarke2
Beginner

server refresh - importing seeds

I'm looking at refreshing a server and moving to an appliance.

Can we reuse the existing SecurIDs rather than reissuing new ones?

Does this require importing the xml config seeds?


Any other info may be of use.

 

Regards

David


Accepted Solutions
JayGuillette
Apprised Contributor

In the operations console you can take a backup of the existing system, and that backup can be restored to another AM 8.1 SP1 system, so this is a common way to migrate from a VM to an Appliance, or vice versa. This is a complete backup of everything in the current AM 8.1 SP1 system: internal Database Users, external LDAP identity source configuration for Active Directory or other LDAP sourced Users, Authentication agents, tokens, and tokens assigned to specific users including any PINs set, and RADIUS clients. The new system importing/restoring this backup effectively becomes the original system.

 

A different option is in the Security Console of the existing system: you can export Users and/or their assigned tokens and PINs and import this smaller collection of Users and/or tokens to a specific new system. This is done on the Security Console under Administration - Import/Export Tokens & Users. You have to plan this, so you first need to export the Certificate of the new System, and import that into the new System under Security Console under Administration - Import/Export Tokens & Users, so that you can encrypt these Tokens and Users specifically so that only this new System can read or import them. After this you just select specific Tokens, specific Users or both Users and Tokens.


Thank you.

And what are the options regarding importing the seeds/tokens without performing an export from the existing system?

JayGuillette
Apprised Contributor

Since you own the Token Seed records, and either have them stored safely or can ask the License team at RSA to send you a copy (there is a time limit on how long RSA keeps these records), you can import these same token seeds into another system. That is like starting over: all that is imported is the token, no PIN, no Users assigned. But you have to find the original .xml Token seed file and you need to know the file password to do that, and there is a time limit on how long you can wait before you ask RSA for a copy.

EdwardDavis
Employee

NOTE: if the tokens you are importing the seeds for are software tokens, they will all have to be redistributed.

Only

a) an actual [export users and tokens] and [import tokens and users]

or

b) restore from a backup

can retain the encryption scheme for issued software tokens.

If simply importing the original token xml file, all currently issued copies of those software tokens are rendered 'junk'.

DavidClarke2
Beginner

Thank you. We have hardware tokens at present and are not currently looking at making s/w tokens available at present.

 

We have a pre-production and production environment of a system using the single existing 6.1 server.

 

If the configuration is exported from the existing 6.1 server and imported to the 8.1 server using the steps provided in the 6.1 to 8.1 migration guide, we point the Pulse Secure system to the new 8.1 appliance and we test on the pre-production environment - will the existing RADIUS 6.1 server remain operational until we configure the production system to authenticate with the new appliance?

Or do we need to migrate both pre-production and production at the same time?

 

Also, in addition to the purchasing of a virtual or physical appliance - is a separate licence required for the new appliance, or would the existing licence be able to be applied to the appliance?


The existing RSA AM6.1 RADIUS server will remain operational until you shut it down.

 

Did you use the RADIUS export utility to migrate the RADIUS database from 6.1 to 8.1?  RADIUS management was not as well integrated in 6.1 as in 8.1, and migrating it correctly requires the additional step.
