Layer7 Identity Management

Expand all | Collapse all

IDM Question & answers data migration from prov to user store (CA Directory)

Jump to Best Answer
  • 1.  IDM Question & answers data migration from prov to user store (CA Directory)

    Posted 08-19-2016 12:14 AM

    Hi,

     

    We are upgrading IDM from 12.5 SP 10 version environment to 12.6 SP8 version by standing up a separate parallel environment, but are stuck with migrating question & answers data from existing old provisioning directory (CA Directory) to user directory (CA Directory) on new version environment.

     

    With multiple use cases that I have run, I noticed that IDM is storing the encrypted question & answers data in the format "{V02}{3DES}jfgihoj[qwfiwqpfvk" when CA directory is acting as a common store for both user & provisioning and it is storing in the format "{RC2}opyo[ifv';qfi[gypo[piclgop" when it is configured separately.

     

    In the new version, we had to configure separate user store and provisioning store using CA Directory as the common store is no more supported. We copied over the question and answers data for few test users, but IDM is unable to decrypt the data that is copied over having 3DES format and is not displaying the question & answers data to users.

     

    Please advise the possible approaches to get the data migrated from provisioning directory in old environment to the user store in new version environment.

     

     

    Thanks,

    Chenna Kesav



  • 2.  Re: IDM Question & answers data migration from prov to user store (CA Directory)
    Best Answer

    Posted 08-19-2016 08:24 AM

    Note that customer has also opened support case 00474171

     

    You can retrieve the questions and answers from the Provisioning Server in clear-text by executing a base level search against each provisioning global user object and specifically requesting the attributes to be returned. You would need to do a separate search against each user. You could then use the clear-text data to maybe build a bulk load input file in order to feed the data into the IM Server.

     

    Below is what the ldapsearch command would look like where we are getting the data for testuser and binding to IMPS_HOST as IMPS_BIND_USER/IMPS_BIND_PWD:

     

    ldapsearch.exe -LLL -h IMPS_HOST -p 20389 -D "eTGlobalUserName=IMPS_BIND_USER,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -w IMPS_BIND_PWD -b "eTGlobalUserName=testuser,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -s base "(objectclass=*)" eTSelfAuthQuestion0 eTSelfAuthAnswer0 eTSelfAuthQuestion1 eTSelfAuthAnswer1 eTSelfAuthQuestion2 eTSelfAuthAnswer2 eTSelfAuthQuestion3 eTSelfAuthAnswer3 eTSelfAuthQuestion4 eTSelfAuthAnswer4 > testuser_qa.ldif