Migration overview
|
|
IMPORTANT: Contact One Identity Professional Services to acquire the tool for TPAM migration and receive guidance specific to your organization. The tool and custom support is not available through One Identity Support. |
The TPAM to Safeguard Migration Guide includes step-by-step instructions for migrating data from TPAM to Safeguard for Privileged Passwords as well as what to consider before and after the migration.
The following elements can be selected for migration.
- Users are migrated with default permissions. Passwords are randomly generated and are available in a .csv file.
-
Accounts and Systems relationships are migrated to Safeguard. Systems (Assets) are set up on a default partition profile and Accounts are tied to the Systems (Assets) migrated.
- TPAM Collections are migrated and are assigned to Systems/Accounts in Safeguard.
Versions
The following versions are required to perform the TPAM to Safeguard migration:
- TPAM 2.5.919 (or later)
- Safeguard 2.1 (or later)
Pre-migration activities
Activities to complete before performing the migration follow.
Timing
Plan the timing of the migration. Once started, if you close the migration tool, the migration will stop and partial data may be migrated.
Post migration considerations
Before starting the migration, ensure you have planned for post migration activities. For more information, see Post migration activities.
Identify the order of migration
You can migrate Systems/Accounts, Collections, and Users from TPAM all at once. Or, you can perform the migration in smaller increments by entity or records in an entity. Some Administrators prefer migrating smaller datasets because of the shorter timeframes, ease of checking smaller datasets, and impact on the organization.
Follow these guidelines as you determine how you will migrate the data:
-
Systems/Accounts: Systems/Accounts must be migrated before Collections so the Collections can be assigned to Safeguard Systems/Accounts. Accounts can be migrated with or without passwords. For example, you may migrate Accounts without passwords, check the data, and then migrate the passwords. Or, you may want to enter passwords directly in Safeguard.
IMPORTANT: Before migrating account passwords, stop the TPAM password reset schedule to prevent the account passwords being reset by the schedule while the migration is in progress. - TPAM Collections: Collections must be migrated after Systems/Accounts so Safeguard Systems/Accounts can be assigned to Collections. Collections migration will not include files, permissions, roles, or affinity from TPAM.
- Users: Users can be migrated with other elements or alone. Passwords are randomly generated and are available in a .csv file you will be prompted to save before the migration is finished.
Ensure permissions are in place
To perform the migration, you will need the following permissions.
-
TPAM permissions: The User must be a CLI (command line interface) user in TPAM with ISA permissions to pull asset account passwords in TPAM and pass the asset account passwords to Safeguard.
-
Safeguard permissions: The User must have Asset Administrator, Security Policy Administrator, and User Administrator permissions in Safeguard.
Secure the SSH key
TPAM authentication requires an SSH key. You will be asked to enter the SSH key file path (for example, a .txt file) before migrating data.
Map platforms
Ensure the correct platform is part of the Asset.
System (Assets) mapping file
The file “platform_mapping.json” is included with the migration tool for customization of the Systems (assets) mappings.
If Safeguard contains custom Systems, modify the mapping file to include corresponding TPAM and Safeguard Systems (assets).
Syntax
The JSON file includes a list of keys with corresponding value objects where key is the name of the System (asset) in TPAM and the corresponding value is an asset name and type from Safeguard.
“<Key>”: {“PlatformType”: “<SafeguardAssetType>”,
"DisplayName": “<SafeguardAssetName>”},
Examples
"HP ILO2": {"PlatformType": "HPiLO",
"DisplayName": "HP iLO 2 x86"},
"HP ILO3": {
"PlatformType": "HPiLO",
"DisplayName": "HP iLO 3 x86"},
"Linux": {
"PlatformType": "LinuxOther",
"DisplayName": "" },
If system type (PlatformType) in Safeguard is unique (for example, “Linux”), there is no need for DisplayName, but if the system type is not unique (for example, “HPiLO”), the display name needs to be added to make the target system unique.
TPAM assets
A list of Safeguard assets can be obtained using Swagger:
https://<Server Name Or IP>/service/core/swagger/ui/index#/Assets
The list of TPAM assets follows.
|
AIX |
|
AIX LDAP |
|
AS400 |
|
BoKS |
|
BoKS Linux |
|
Cache Server |
|
CheckPoint SP |
|
Cisco ACS |
|
Cisco CATOS |
|
Cisco PIX |
|
Cisco Router (tel) |
|
Cisco Router (ssh) |
|
Cyberguard |
|
DELL iDRAC 8, 9 |
|
Dell Remote Access |
|
DPA |
|
ForeScout CounterAct |
|
Fortinet |
|
Fortinet 5 |
|
FreeBSD |
|
HC3 |
|
HP Non-stop |
|
HP- ILO |
|
HP - ILO2 |
|
HP - ILO3 |
|
HP - ILO4 |
|
HP - NonStop |
|
HP-UX |
|
HP-UX Shadow |
|
HP US Untrusted |
|
IBM Datapower |
|
IBM HMC |
|
JunOS |
|
LDAP |
|
LDAPS |
|
Linux tty |
|
Mac 10.4 |
|
Mac 10.5, 19.6 |
|
Mac 10.7 - 10.11 |
|
Mainframe |
|
Mainframe (ACF2) |
|
Mainframe LDAP ACF2 |
|
Mainframe LDAP RACF |
|
Mainframe LDAP TS |
|
Mainframe TS |
|
MS SQL Server |
|
MySQL |
|
MySQL 5.6,5.7 |
|
Net App Filer |
|
NetScreen |
|
NIS Plus |
|
Nokia IPSO |
|
Nokia IPSO 6.X |
|
Novell NDS |
|
OpenVMS |
|
Oracle (Legacy) |
|
Other |
|
PAN-OS |
|
POS 4690 |
|
ProxySG |
|
PSM ICA Access |
|
PSM Web Access |
|
SAP |
|
SCO |
|
Solaris |
|
Sonicwall (SonicOS) |
|
SPCW |
|
SPCW (DC) |
|
SPCW 2 |
|
SPCW (DC) 2 |
|
SPCW Pwd |
|
Stratus VOS |
|
Sybase |
|
Teradata |
|
Tru64 Enhanced Sec. |
|
Tru64 Untrusted |
|
Unixware |
|
Unixware 7.x |
|
VMware Vsphere |
|
Windows |
|
Windows Active Dir |
|
Windows Desktop |
Migration activities
Launching and connecting
Follow the steps below to launch the One Identity Migration Tool. Make sure you have the Safeguard for Privileged Passwords and TPAM IP addresses for authentication.
- Click the One Identity Migration Tool icon (
) and connect to Safeguard.
- In the Appliance field, enter or select the IP address of the Safeguard appliance.
-
Click Connect to go to the login screen.
NOTE: If the appliance does not have a secure certificate, the following standard message displays: "This site is not secure. This might mean that someone's trying to fool you or steal any info you send to the server. You should close this site immediately." If you know the site is secure, click More information then click Go on to the webpage (not recommended) to accept the certificate.
- On the One Identity Safeguard login screen, perform the following:
- Enter a user name and password that has privileges to write to Safeguard. If the privileges do not include Asset Administrator, Security Policy Administrator, and User Administrator, the following error message displays: "Sorry. You don't have sufficient rights to migrate TPAM."
- After entering valid login credentials, click Log in.
- The One Identity Migration Tool page displays with the Connection tab selected so you can connect to TPAM.
- Complete the following fields:
- TPAM Network Address: Enter the IP address of the TPAM machine to migrate.
- TPAM User ID: Enter the TPAM CLI user ID with ISA permissions to pull asset account passwords and pass them to Safeguard.
- SSH Key: TPAM authentication requires an SSH key. Click Browse and navigate to and select the SSH key file (for example, a .txt file).
- Click Connect. If the connection is successful, the status of Connected displays.
- Complete the following fields:
- Continue to Collecting data and starting the migration.