KB 150102
How To Migrate from an AD integrated IDENTIKEY Authentication Server?
Creation date: 17/05/2013
Last Review: 27/06/2013
Document type: How To
Revision number: 1
Security status: EXTERNAL
Summary
This article will explain the required steps to migrate from an AD integrated
IDENTIKEY Authentication Server to a new AD integrated IDENTIKEY Authentication
Server on a new AD domain or to an ODBC integrated IDENTIKEY Authentication
Server.
Problem details.
This KB is valid when you need to migrate data from an AD integrated installation,
where the data is stored in AD, to another IDENTIKEY Authentication Server that uses
a different database.
This can be a new AD integrated IDENTIKEY Authentication Server on a new AD
domain or an ODBC integrated IDENTIKEY Authentication Server.
Because the data migration tool can only migrate from an ODBC integrated IDENTIKEY
Authentication Server, we first install and test the new server, and then automate
the creation of the users and the assignment of their DIGIPASS.
Problem Solution.
• First, install the new server from scratch, create the needed client records and
  test the installation.
• Then create the DIGIPASS objects by importing the DPX files.
  Warning: if the DIGIPASS is used with a server PIN, the initial server PIN will be
  imported from the DPX file. If this initial PIN had been modified in the old
  environment, the change will not be carried over to the new environment.
• Create a list of the DIGIPASS users and the DIGIPASS assigned to each user on the
  old server.
Applies to: IDENTIKEY Authentication Server 3.4
KB 150102 – 27/06/2013
 2013 VASCO Data Security. All rights reserved.
Page 1 of 3
Use the following TCL script to create the list:
puts "\n\nTCL script to make a list of all users"
puts " list is displayed + written to a text file\n\n"
# In case you use an AD integrated installation, use logon without parameters.
# In case you use an ODBC integrated installation, use logon with userid and password.
logon
#logon {userid admin password vasco}
# open the output file; this command creates a Users.txt file in the current directory
set out [open "Users.txt" w]
# build a list of all users and put the data in a list variable called userlist, selecting the following data:
# userid: the user ID, org_unit: the organisation unit the user belongs to,
# domain: the domain the user belongs to, digipass: the digipass that is assigned to the user.
#
# other fields that could be recorded are:
# search_down_ou: enables/disables the search down the organisation units' path for this user (when assigning a digipass);
# disabled:       the user's enabled/disabled status;
# locked:         used to set the locked state of the user;
# username:       the name of the person or organisation represented by the user id;
# email:          the user's email address;
# phone:          the user's phone number;
# mobile:         the user's mobile number;
# password:       the user's password;
# upn:            the user's UPN;
# ldap_dn:        the user's Active Directory distinguished name;
# desc:           any text (may be used as a search criterion);
# local_auth:     local authentication status: None, Digipass/Password, or Digipass Only; if not set, obey the effective policy;
# backend_auth:   backend authentication status: None, If Needed, or Always; if not set, obey the effective policy;
# lock_count:     the number of times the user has been locked;
# has_dp:         the digipass assignment indicator (Assigned/Unassigned);
# status:         -1 disabled by the admin; 0 active; 1 AD user deleted; 2 AD user expired; 3 AD user disabled; 4 AD user locked;
# link_userid:    the user ID of the user whose digipass this user shares;
# link_domain:    the domain of the user whose digipass this user shares;
# link_ldap_dn:   the AD distinguished name of the user whose digipass this user shares;
# created:        the date and time of the user's creation;
# modified:       the date and time of the user's last modification.
set userlist [user query {userid *} {userid org_unit domain digipass}]
puts "total number of users found: [llength $userlist]"
puts "\n"
# output the field names to the console
# if you want a semicolon or tab separated file, replace "," with ";" or \t
puts "userid,OrganizationalUnit,domain,SerialNumber"
# output the field names to the file
puts $out "userid,OrganizationalUnit,domain,SerialNumber"
# for each user that has been found, display the user and write it to the file
foreach user $userlist {
    # initialise the variables (they must exist to be printed)
    set userid ""
    set org_unit ""
    set domain ""
    set digipass ""
    # each user record is a flat list of name/value pairs; only fields that
    # contain data are present, and their order is not the same as in the query
    foreach {name value} $user {
        set $name $value
    }
    # output to the console
    # if you want a semicolon or tab separated file, replace "," with ";" or \t
    puts "\"$userid\",\"$org_unit\",\"$domain\",\"$digipass\""
    # output to the file
    puts $out "\"$userid\",\"$org_unit\",\"$domain\",\"$digipass\""
}
puts "\n"
puts "\n"
# close the output file
close $out
Copy the script and save it in a text file, e.g. export_users.tcl, then run
dpadmincmd with the TCL script as argument from a command prompt on the old server.
This will create a file Users.txt that can be used to create the users and assign the
DIGIPASS on the new IDENTIKEY Authentication Server.
Note: as explained in the comments of the script, you can adapt the script to export
more fields if needed.
• Create the DIGIPASS users and assign their DIGIPASS on the new server.
  See also http://www.vasco.com/Images/KB_150061.pdf on how to import users in
  an AD integrated IDENTIKEY Authentication Server.
  Remarks:
  o You may need to edit the Users.txt file before using it (remove unused or
    already existing users, modify the domain name, …).
  o If you migrate to an AD integrated IDENTIKEY Authentication Server, the
    AD users must already exist before the DIGIPASS users can be created
    (and the DIGIPASS assigned to them).
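The clean-up of Users.txt described in the remarks above (dropping users that already exist on the new server, rewriting the domain name, leaving out users that have no DIGIPASS to migrate) is easy to get wrong by hand on a large export. The following Python script is an added example, not part of this KB or of the VASCO tools; it assumes the file layout written by the export script above (a header line followed by one quoted line per user), and the domain names and the sample export embedded in it are constructed for illustration only. It also flags a serial number that appears for more than one user, because such a line needs a manual decision before the assignment step.

```python
"""Prepare the Users.txt written by the dpadmincmd export script for import on the new server."""
import csv
import io

# Constructed sample export (not real data). It contains a user without a
# DIGIPASS, a duplicated line, and two users that list the same serial number.
SAMPLE_EXPORT = """userid,OrganizationalUnit,domain,SerialNumber
"alice","Sales","old.example.com","VDS1000001"
"bob","","old.example.com",""
"carol","IT","old.example.com","VDS1000002"
"dave","IT","old.example.com","VDS1000002"
"alice","Sales","old.example.com","VDS1000001"
"""

# Column names as written by the export script (header line of Users.txt).
FIELDS = ["userid", "OrganizationalUnit", "domain", "SerialNumber"]


def parse_export(text):
    """Parse the export into a list of dicts keyed by FIELDS; reject a wrong header or ragged line."""
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    if header != FIELDS:
        raise ValueError(f"unexpected header {header!r}")
    records = []
    for row in reader:
        if not row:
            continue  # tolerate blank lines
        if len(row) != len(FIELDS):
            raise ValueError(f"malformed line {row!r}")
        records.append(dict(zip(FIELDS, (f.strip() for f in row))))
    return records


def prepare_import(text, old_domain, new_domain, existing_users=()):
    """Return (records_to_import, report).

    - rewrites old_domain to new_domain on every record
    - drops exact duplicates of a (userid, domain) pair
    - reports a serial number listed for more than one user (manual review)
    - drops users that already exist on the new server (existing_users)
    - drops users with an empty SerialNumber (nothing to assign for them)
    """
    report = {"duplicates": [], "existing": [], "no_digipass": [], "shared_serial": []}
    existing = {u.lower() for u in existing_users}
    seen_users = set()
    serial_owner = {}
    out = []
    for rec in parse_export(text):
        if rec["domain"].lower() == old_domain.lower():
            rec["domain"] = new_domain
        key = (rec["userid"].lower(), rec["domain"].lower())
        if key in seen_users:
            report["duplicates"].append(rec["userid"])
            continue
        seen_users.add(key)
        serial = rec["SerialNumber"]
        if serial:
            owner = serial_owner.setdefault(serial, rec["userid"])
            if owner != rec["userid"]:
                report["shared_serial"].append((serial, owner, rec["userid"]))
        if rec["userid"].lower() in existing:
            report["existing"].append(rec["userid"])
            continue
        if not serial:
            report["no_digipass"].append(rec["userid"])
            continue
        out.append(rec)
    return out, report


def to_csv(records):
    """Write the kept records back in the same quoted, comma separated layout."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    kept, report = prepare_import(SAMPLE_EXPORT, "old.example.com", "new.example.com",
                                  existing_users=["carol"])
    print(to_csv(kept))
    for issue, items in report.items():
        print(f"{issue}: {items}")
```

Run it against the real Users.txt by reading the file into `prepare_import` and writing `to_csv(kept)` to the file you hand to the import step; review every entry in `shared_serial` before assigning, since the export only carries the serial number and not the link information between users who share a DIGIPASS.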