Hot Air Balloon! – thoughts of a Techy on Management

Hot Air Balloon!

A man in a hot air balloon, realizing he was lost, reduced altitude and spotted a woman below. He descended further and shouted to the lady, ‘Excuse me, can you help me? I promised a friend I would meet him an hour ago, but I don’t know where I am.’

The woman below replied, ‘You’re in a hot air balloon, hovering approximately 30 feet above the ground. You’re between 40 and 41 degrees north latitude and between 59 and 60 degrees west longitude.’

‘You must be in IT,’ said the balloonist.

‘Actually I am,’ replied the woman, ‘How did you know?’

‘Well,’ answered the balloonist, ‘everything you have told me is technically correct but I’ve no idea what to make of your information and the fact is I’m still lost. Frankly, you’ve not been much help at all. If anything, you’ve delayed my trip.’

The woman below responded, ‘You must be in Management.’

‘I am,’ replied the balloonist, ‘but how did you know?’

‘Well,’ said the woman, ‘you don’t know where you are or where you’re going. You have risen to where you are due to a large quantity of hot air. You made a promise, which you’ve no idea how to keep, and you expect people beneath you to solve your problems. The fact is you are in exactly the same position you were in before we met, but now, somehow, it’s my bloody fault.’

RSA Authentication Manager 8: Move users across Identity Sources

AM8.x—Migrating users across Identity Sources

1.-In this example I have 10 users (test1-10) in an external Identity Source pointing to a Windows 2003 AD server. All 10 users have tokens assigned and PINs created. One of the users also has a replacement token assigned (but hasn’t used it yet).

2.-To make things easier I created a group in AM called export. I took the users from the 2003 AD that I wanted to migrate to a different Identity Source (test1-test10) and placed them in this group. It is also possible to just export all users with tokens.

3.-To export the users we first need to download the encryption key: go to Administration—Export/Import Tokens and Users—Download Encryption Key.

Save the file to a desired location.

4.-Now to actually export the users: go to Administration—Import/Export Tokens and Users—Export Tokens and Users (refer to screenshot from above).

5.-Browse to the encryption key you downloaded, select Users with Tokens for the Export option (users without tokens will not be exported) and click Next:

6.-On the next screen under Filter User with Tokens By Group I selected Narrow the selection by group membership. I typed the group, export, that I created for this which has the desired users and hit Search.

Select the group and then hit the > button to bring the group over to the right side under the Selected Groups section. Check the box next to the group and click Export:

7.-This brings you to the Import/Export Status screen. Once it’s complete, download the file. I saved it in the same directory where I saved the encryption file.

8.-Now we have to remove the users that we exported and clean up the database. Since I no longer need the 2003 Identity Source I’m going to unlink it.

Security Console—Setup—Identity Sources—Link Identity Source to System. I unlinked the 2003 ID source and clicked Save:

9.-Confirm that you want to unlink the Identity Source on the subsequent screen and make sure to check the box, then click on Unlink:

10.-Now we want to run the Scheduled cleanup job. Security Console—Setup—Identity Sources—Scheduled cleanup:

I set mine to run a few minutes from now and clicked Save:

11.-You can monitor the progress using the real-time system monitor or under Administration Batch jobs. Once the cleanup has completed, log in to the Operations Console and delete the Identity Source you just unlinked.

Deployment Configuration—Identity Sources—Manage Existing. Enter your Superadmin credentials when prompted. Now click the little arrow next to the ID source you wish to remove and select Delete:

12.-On the following screen check the box for Yes, delete the identity source and click Delete Identity Source.

13.-I’m going to be importing the users that were exported into a 2008 domain. The first name, last name, and default login all match what was in 2003. The 2008 Identity Source is already set up in AM8 and linked via the Security Console.

14.-Now to import the users that were exported. Security Console—Administration—Import/Export Tokens and Users—Import Tokens and Users. Select the .pkg file that you created during the export and click Next.

15.-For Security Domain I’m keeping the default of System Domain and clicking Next:

16.-On the subsequent screen you select the Identity Source that you wish to import to and then click Next:

17.-Review the summary which should match the export summary and click Import:

18.-Once it completes you should get something like the following:

***FYI, You will get the Done with Warning status as well.

19.-The imported users should now show up in the new Identity Source with their tokens/PINs intact. I was able to log in successfully with the migrated accounts and PINs were retained.
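Step 13 depends on the first name, last name and login in the 2008 domain matching the 2003 ones, and step 8 removes the old source, so it is worth checking the match before unlinking. The script below is an added example, not part of the original procedure or of RSA's tooling. It assumes you have an LDIF export of the users from each domain (for example from `ldifde`) carrying the standard AD attributes `sAMAccountName`, `givenName` and `sn`; the sample data is constructed.

```python
import base64
import re

# Assumption: AM maps the login to sAMAccountName and the names to givenName/sn.
FIELDS = ("givenName", "sn")

def parse_ldif(text):
    """Return {lowercased login: {attr: value}} from LDIF text."""
    users, entry = {}, {}
    text = re.sub(r"\r?\n ", "", text)        # unfold continuation lines
    for line in text.splitlines() + [""]:
        line = line.strip()
        if not line:                           # a blank line closes an entry
            if entry.get("sAMAccountName"):
                users[entry["sAMAccountName"].lower()] = entry
            entry = {}
        elif not line.startswith("#") and ":" in line:
            key, _, value = line.partition(":")
            if value.startswith(":"):          # "attr:: <base64>" (non-ASCII names)
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry[key.strip()] = value.strip()
    return users

def compare(source_ldif, target_ldif, logins):
    """Return {login: reason} for each user that would not line up on import."""
    src, dst = parse_ldif(source_ldif), parse_ldif(target_ldif)
    problems = {}
    for login in logins:
        key = login.lower()
        if key not in src:
            problems[login] = "not in source export"
        elif key not in dst:
            problems[login] = "missing in target directory"
        else:
            diff = [f for f in FIELDS if src[key].get(f) != dst[key].get(f)]
            if diff:
                problems[login] = "mismatch: " + ", ".join(diff)
    return problems

def _ldif(users):                              # builds constructed sample data
    return "\n\n".join(
        f"dn: CN={u},CN=Users,DC=example,DC=test\n"
        f"sAMAccountName: {u}\ngivenName: {g}\nsn: {s}" for u, g, s in users)

LOGINS = [f"test{i}" for i in range(1, 11)]    # test1..test10, as in step 1
SOURCE = _ldif([(u, "Test", u.upper()) for u in LOGINS])
TARGET = _ldif([(u, "Test", "CHANGED" if u == "test3" else u.upper())
                for u in LOGINS if u != "test7"])

if __name__ == "__main__":
    for login, reason in compare(SOURCE, TARGET, LOGINS).items():
        print(f"{login}: {reason}")
```

An empty result means every listed login exists in both exports with the same first and last name; anything reported should be fixed in the target directory before the old Identity Source is unlinked.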