One Identity Safeguard 2.5 - TPAM Migration Guide

Migration overview

The TPAM to Safeguard Migration Guide includes step-by-step instructions for migrating data from TPAM to Safeguard for Privileged Passwords as well as what to consider before and after the migration.

The following elements can be selected for migration.

  • Users are migrated with default permissions. Passwords are randomly generated and are available in a .csv file.
  • Accounts and Systems relationships are migrated to Safeguard. Systems (Assets) are set up on a default partition profile and Accounts are tied to the Systems (Assets) migrated.

  • TPAM Collections are migrated and are assigned to Systems/Accounts in Safeguard.
Versions

The following versions are required to perform the TPAM to Safeguard migration:

  • TPAM 2.5.919 (or later)
  • Safeguard 2.1 (or later)

Pre-migration activities

Activities to complete before performing the migration follow.

Timing

Plan the timing of the migration. Once started, if you close the migration tool, the migration will stop and partial data may be migrated.

Post migration considerations

Before starting the migration, ensure you have planned for post migration activities. For more information, see Post migration activities.

Identify the order of migration

You can migrate Systems/Accounts, Collections, and Users from TPAM all at once. Or, you can perform the migration in smaller increments by entity or records in an entity. Some Administrators prefer migrating smaller datasets because of the shorter timeframes, ease of checking smaller datasets, and impact on the organization.

Follow these guidelines as you determine how you will migrate the data:

  • Systems/Accounts: Systems/Accounts must be migrated before Collections so the Collections can be assigned to Safeguard Systems/Accounts. Accounts can be migrated with or without passwords. For example, you may migrate Accounts without passwords, check the data, and then migrate the passwords. Or, you may want to enter passwords directly in Safeguard.

    IMPORTANT: Before migrating account passwords, stop the TPAM password reset schedule to prevent the account passwords being reset by the schedule while the migration is in progress.
  • TPAM Collections: Collections must be migrated after Systems/Accounts so Safeguard Systems/Accounts can be assigned to Collections. Collections migration will not include files, permissions, roles, or affinity from TPAM.
  • Users: Users can be migrated with other elements or alone. Passwords are randomly generated and are available in a .csv file you will be prompted to save before the migration is finished.
Ensure permissions are in place

To perform the migration, you will need the following permissions.

  • TPAM permissions: The User must be a CLI (command line interface) user in TPAM with ISA permissions to pull asset account passwords in TPAM and pass the asset account passwords to Safeguard.

  • Safeguard permissions: The User must have Asset Administrator, Security Policy Administrator, and User Administrator permissions in Safeguard.

Secure the SSH key

TPAM authentication requires an SSH key. You will be asked to enter the SSH key file path (for example, a .txt file) before migrating data.

Map platforms

Ensure the correct platform is part of the Asset.

System (Assets) mapping file

The file “platform_mapping.json” is included with the migration tool for customization of the Systems (assets) mappings.

If Safeguard contains custom Systems, modify the mapping file to include corresponding TPAM and Safeguard Systems (assets).

Syntax

The JSON file includes a list of keys with corresponding value objects where key is the name of the System (asset) in TPAM and the corresponding value is an asset name and type from Safeguard.

“<Key>”: {“PlatformType”: “<SafeguardAssetType>”,

"DisplayName": “<SafeguardAssetName>”},

Examples

"HP ILO2": {"PlatformType": "HPiLO",

"DisplayName": "HP iLO 2 x86"},

"HP ILO3": {

"PlatformType": "HPiLO",

"DisplayName": "HP iLO 3 x86"},

"Linux": {

"PlatformType": "LinuxOther",

"DisplayName": "" },

If system type (PlatformType) in Safeguard is unique (for example, “Linux”), there is no need for DisplayName, but if the system type is not unique (for example, “HPiLO”), the display name needs to be added to make the target system unique.

TPAM assets

A list of Safeguard assets can be obtained using Swagger:

https://<Server Name Or IP>/service/core/swagger/ui/index#/Assets

The list of TPAM assets follows.

Table 1: TPAM assets

AIX

AIX LDAP

AS400

BoKS

BoKS Linux

Cache Server

CheckPoint SP

Cisco ACS

Cisco CATOS

Cisco PIX

Cisco Router (tel)

Cisco Router (ssh)

Cyberguard

DELL iDRAC 8, 9

Dell Remote Access

DPA

ForeScout CounterAct

Fortinet

Fortinet 5

FreeBSD

HC3

HP Non-stop

HP- ILO

HP - ILO2

HP - ILO3

HP - ILO4

HP - NonStop

HP-UX

HP-UX Shadow

HP US Untrusted

IBM Datapower

IBM HMC

JunOS

LDAP

LDAPS

Linux tty

Mac 10.4

Mac 10.5, 19.6

Mac 10.7 - 10.11

Mainframe

Mainframe (ACF2)

Mainframe LDAP ACF2

Mainframe LDAP RACF

Mainframe LDAP TS

Mainframe TS

MS SQL Server

MySQL

MySQL 5.6,5.7

Net App Filer

NetScreen

NIS Plus

Nokia IPSO

Nokia IPSO 6.X

Novell NDS

OpenVMS

Oracle (Legacy)

Other

PAN-OS

POS 4690

ProxySG

PSM ICA Access

PSM Web Access

SAP

SCO

Solaris

Sonicwall (SonicOS)

SPCW

SPCW (DC)

SPCW 2

SPCW (DC) 2

SPCW Pwd

Stratus VOS

Sybase

Teradata

Tru64 Enhanced Sec.

Tru64 Untrusted

Unixware

Unixware 7.x

VMware Vsphere

Windows

Windows Active Dir

Windows Desktop

Migration activities

Launching and connecting

Follow the steps below to launch the One Identity Migration Tool. Make sure you have the Safeguard for Privileged Passwords and TPAM IP addresses for authentication.

  1. Click the One Identity Migration Tool icon () and connect to Safeguard.
    1. In the Appliance field, enter or select the IP address of the Safeguard appliance.
    2. Click Connect to go to the login screen.

      NOTE: If the appliance does not have a secure certificate, the following standard message displays: "This site is not secure. This might mean that someone's trying to fool you or steal any info you send to the server. You should close this site immediately." If you know the site is secure, click More information then click Go on to the webpage (not recommended) to accept the certificate.
  2. On the One Identity Safeguard login screen, perform the following:
    1. Enter a user name and password that has privileges to write to Safeguard. If the privileges do not include Asset Administrator, Security Policy Administrator, and User Administrator, the following error message displays: "Sorry. You don't have sufficient rights to migrate TPAM."
    2. After entering valid login credentials, click Log in.
  3. The One Identity Migration Tool page displays with the Connection tab selected so you can connect to TPAM.
    1.  Complete the following fields:
      • TPAM Network Address: Enter the IP address of the TPAM machine to migrate.
      • TPAM User ID: Enter the TPAM CLI user ID with ISA permissions to pull asset account passwords and pass them to Safeguard.
      • SSH Key: TPAM authentication requires an SSH key. Click Browse and navigate to and select the SSH key file (for example, a .txt file).
    2. Click Connect. If the connection is successful, the status of Connected displays.
  4. Continue to Collecting data and starting the migration.
Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents