Hi Marubu,
As Michael mentioned, the imPasswordData is typically used for password history, and therefore it is not exposed to be decrypted.
However, fortunately we do not need to for a migration to a later release of the IGA solution stack.
Below are steps we use to speed up this process if there are no expectations of changing the schema or moving from one solution to another.
Checklist: Corporate UserStore Backup and Migration (IMCD TCP 10101 / 19289)
References:
· Be Safe and Automate Your Backups for CA Directory Data DSAs to LDIF -
https://anapartner.com/2019/10/16/be-safe-and-automated-your-backups-for-ca-directory-data-dsas-to-ldif/
· Directory Backup and Restore DAR Scenarios -
https://anapartner.com/2020/08/21/directory-backup-and-restore-dar-scenarios/
Steps on the Old IMCD Host
1. Create an Online Backup (ZDB File):
ssh config@OLD_IMCD_HOST_1
su - dsa
dxserver status
dxserver onlinebackup IMCD_DATA_DSA_NAME_HERE
2. Locate and Copy the Backup File:
cp -r -p /opt/CA/Directory/dxserver/backup/*.zdb /tmp/
3. Update Permissions:
chmod 444 /tmp/*.zdb
4. Transfer Backup to New IMPS Hosts:
scp -r /tmp/*.zdb config@NEW_IMPS_HOST_1:/tmp
scp -r /tmp/*.zdb config@NEW_IMPS_HOST_2:/tmp
scp -r /tmp/*.zdb config@NEW_IMPS_HOST_3:/tmp
5. Exit the `dsa` and `config` sessions:
exit
Steps for the New IMCD (usually co-located with IMPD) Host #1
6. Verify Backup File:
ssh config@NEW_IMPS_HOST_1
ls -lart /tmp/*.zdb
7. Shutdown the Current DSA Service:
su - dsa
dxserver stop IMCD_DATA_DSA_NAME_HERE
8. Backup Existing DSA Files:
mv /opt/CA/Directory/dxserver/data/IMCD_DATA_DSA_NAME_HERE.db /opt/CA/Directory/dxserver/data/IMCD_DATA_DSA_NAME_HERE.db.org
mv /opt/CA/Directory/dxserver/data/IMCD_DATA_DSA_NAME_HERE.tx /opt/CA/Directory/dxserver/data/IMCD_DATA_DSA_NAME_HERE.tx.org
9. Restore the Backup:
cp /tmp/IMCD_DATA_DSA_NAME_HERE.zdb /opt/CA/Directory/dxserver/data/NEW__IMCD_DATA_DSA_NAME_HERE.db
10. Update Permissions:
chmod 640 /opt/CA/Directory/dxserver/data/NEW__IMCD_DATA_DSA_NAME_HERE.db
11. Start the Restored DSA:
dxserver start NEW__IMCD_DATA_DSA_NAME_HERE
12. Create a Timestamp File (to prevent any updates to MS before this time)
dxdisp NEW__IMCD_DATA_DSA_NAME_HERE
13. Validate and Update Credentials:
Use JXplorer to log in with the old `dsaadmin` password.
Update passwords for `imadmin`, `dsaadmin`, and `impublic` to match the new master password.
14. Repeat Steps 5–11 for Remaining IMPS Hosts.
LDIF Delta Comparison
15. Export LDIF Files:
dxdumpdb -z -f /tmp/$(date --utc '+%Y%m%d%H%M%S')_NEW__IMCD_DATA_DSA_NAME_HERE.ldif -x createTimeStamp,modifyTimeStamp NEW__IMCD_DATA_DSA_NAME_HERE
16. Compare LDIF Files: (do not forget to sort, otherwise you see some strange deltas)
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/directory/14-1/administrating/tools-to-manage-ca-directory/dxtools/ldifsort-tool-sort-ldif-records.html
ldifsort old.ldif old_sorted.ldif
ldifsort new.ldif new_sorted.ldif
ldifdelta -x -S NEW__IMCD_DATA_DSA_NAME_HERE /tmp/NEWER_sorted_TIME_FILE.ldif /tmp/OLDER_sorted_TIME_FILE.ldif |
perl -p00e 's/\r?\n //g' > /tmp/$(date --utc '+%Y%m%d%H%M%S')__DELTA_NEW__IMCD_DATA_DSA_NAME_HERE.ldif
17. Review Delta File:
Open the delta file in a text editor such as Notepad++ or vi.
These will be changes that we wish to make to the NEW directory, compared with data from the OLD directory, or between two different timestamps of the same directory.
18. Apply Delta Changes:
Use `ldapmodify` or `dxmodify` to apply the changes to the new directory.
(note: you can also reverse the order).
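
The following is an added example, not part of the original reply and not a CA Directory tool. It shows in Python why steps 15 and 16 exclude the timestamp attributes, unfold continuation lines and sort before comparing: the two dumps below differ in entry order, attribute order, line folding and timestamps, yet only one entry really changed and one was added. The sample LDIF and the names `parse_ldif` and `delta` are constructed for illustration.

```python
# Added example, not a CA Directory tool. Sample LDIF is constructed.
IGNORED = {"createtimestamp", "modifytimestamp"}  # excluded, as with -x in step 15

def parse_ldif(text):
    """Return {dn: sorted [(attr, value)]} from LDIF text."""
    # Unfold continuation lines (newline + one space), the same
    # transformation the page applies with perl -p00e 's/\r?\n //g'.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    entries = {}
    for block in text.split("\n\n"):
        lines = [l for l in block.split("\n") if l and not l.startswith("#")]
        if not lines or not lines[0].lower().startswith("dn:"):
            continue  # skips a "version: 1" header and empty blocks
        dn = lines[0].split(":", 1)[1].strip().lower()
        attrs = []
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.lower() not in IGNORED:
                # base64 values ("attr:: ...") keep their leading ":" marker
                attrs.append((name.lower(), value.strip()))
        entries[dn] = sorted(attrs)  # attribute order must not matter
    return entries

def delta(old_text, new_text):
    """Return (added, removed, modified) DN lists, each sorted."""
    old, new = parse_ldif(old_text), parse_ldif(new_text)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(dn for dn in set(old) & set(new) if old[dn] != new[dn])
    return added, removed, modified

OLD_LDIF = (
    "dn: cn=alice,ou=people,o=example\ncn: alice\n"
    "description: first half of a long va\n lue that was folded\n"
    "mail: alice@example.com\nmodifyTimeStamp: 20240101000000Z\n\n"
    "dn: cn=bob,ou=people,o=example\ncn: bob\nmail: bob@example.com\n"
)
NEW_LDIF = (
    "dn: cn=bob,ou=people,o=example\nmail: bob@new.example.com\ncn: bob\n\n"
    "dn: cn=carol,ou=people,o=example\ncn: carol\n\n"
    "dn: cn=alice,ou=people,o=example\ncn: alice\n"
    "description: first half of a long value that was folded\n"
    "mail: alice@example.com\nmodifyTimeStamp: 20250101000000Z\n"
)

if __name__ == "__main__":
    print(delta(OLD_LDIF, NEW_LDIF))
```

A line-by-line diff of the same two dumps would flag every entry, which is the "strange deltas" effect that sorting and unfolding avoid.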