KB 150102 How To Migrate from an AD integrated IDENTIKEY Authentication Server?



Creation date: 17/05/2013
Last Review: 27/06/2013
Revision number: 1
Document type: How To
Security status: EXTERNAL

Summary

This article explains the required steps to migrate from an AD integrated IDENTIKEY Authentication Server to a new AD integrated IDENTIKEY Authentication Server on a new AD domain, or to an ODBC integrated IDENTIKEY Authentication Server.

Problem details.

This KB is valid when you need to migrate data from an AD integrated installation, where the data is stored in AD, to another IDENTIKEY Authentication Server that uses a different database.

This can be a new AD integrated IDENTIKEY Authentication Server on a new AD domain or an ODBC integrated IDENTIKEY Authentication Server.

Because the data migration tool can only migrate from an ODBC integrated IDENTIKEY Authentication Server, we install and test the new server first, and then automate the creation of the users and the assignment of their DIGIPASS.

Problem Solution.

First, install the new server from scratch, create the needed client records and test the installation.

Then create the DIGIPASS objects by importing the DPX files.

Warning:

If the DIGIPASS is used with a server PIN, the initial server PIN will be imported from the DPX file.

If this initial PIN had been modified in the old environment, the change will not be ported to the new environment.

Create a list of the DIGIPASS users and the DIGIPASS that is assigned to the users on the old server.

Applies to: IDENTIKEY Authentication Server 3.4

KB 150102 – 27/06/2013

© 2013 VASCO Data Security. All rights reserved.

Page 1 of 3

Use the following TCL script to create the list:

puts "\n\nTCL script to make a list of all users"
puts " list is displayed + written to a text file\n\n"

# In case you use an AD integrated installation, use logon without parameters
# In case you use an ODBC integrated installation, use logon with userid and password
logon
#logon {userid admin password vasco}

# open the output file; this command creates a Users.txt file in the current directory
set out [open "Users.txt" w]

# build a list of all users and put the data in a list variable called userlist, selecting the following data:
# userid: the user ID, org_unit: the organisation unit the user belongs to,
# domain: the domain the user belongs to, digipass: the digipass that is assigned to the user.
#
# other variables that could be recorded are:
# search_down_ou: enables/disables the search down the organisation units' path for this user (when assigning a digipass);
# disabled: the user's enabled/disabled status
# locked: used to set the locked state of the user
# username: the name of the person or organisation represented by the user id;
# email: the user's email address;
# phone: the user's phone number;
# mobile: the user's mobile number;
# password: the user's password;
# upn: the user's UPN;
# ldap_dn: the user's Active Directory distinguished name
# desc: any text (may be used as a search criterion);
# local_auth: local authentication status: None, Digipass/Password, or Digipass Only; if not set, the effective policy applies;
# backend_auth: backend authentication status: None, If Needed, or Always; if not set, the effective policy applies;
# lock_count: the number of times the user has been locked
# has_dp: the digipass assignment indicator (Assigned/Unassigned)
# status: -1 disabled by the admin; 0 active; 1 AD user deleted; 2 AD user expired; 3 AD user disabled; 4 AD user locked;
# link_userid: the user ID of the user whose digipass this user shares;
# link_domain: the domain of the user whose digipass this user shares;
# link_ldap_dn: the AD distinguished name of the user whose digipass this user shares;
# created: the date and time of the user's creation;
# modified: the date and time of the user's last modification;
set userlist [user query {userid *} {userid org_unit domain digipass}]
puts "total number of users found: [llength $userlist]"
puts "\n"

# output the header to the console
# if you want a semicolon or tab separated file, replace "," with ";" or \t
puts " userid, OrganizationalUnit, domain, SerialNumber "

# output the header to the file
puts $out " userid, OrganizationalUnit, domain, SerialNumber "

# for each user that has been found, display the user and write it to the file
foreach user $userlist {
    set x 0
    # initialise the variables (they must exist to print them)
    set userid ""
    set org_unit ""
    set domain ""
    set digipass ""
    # each user is returned as a flat list of alternating field names and values
    while {$x < [llength $user]} {
        set y [expr {$x + 1}]
        # set the variables (only variables with data are set, and the order is not the same as in the query)
        set [lindex $user $x] [lindex $user $y]
        set x [expr {$x + 2}]
    }
    # output to the console
    # if you want a semicolon or tab separated file, replace "," with ";" or \t
    puts " \"$userid\",\"$org_unit\",\"$domain\",\"$digipass\" "
    # output to the file
    puts $out " \"$userid\",\"$org_unit\",\"$domain\",\"$digipass\" "
}
puts "\n"
puts "\n"

# close the output file
close $out

(Copy the script and save it in a text file, e.g. export_users.tcl, then run dpadmincmd with the TCL script as argument in a command prompt (DOS box) on the old server.)

This will create a file Users.txt that can be used to create the users and assign the DIGIPASS on the new IDENTIKEY Authentication Server.

PS: As explained in the comments of the script, you can adapt the script to export more fields if needed.

Create the DIGIPASS users and assign their DIGIPASS on the new server

See also http://www.vasco.com/Images/KB_150061.pdf on how to import users in an AD integrated IDENTIKEY Authentication Server.

Remarks:

- You may need to edit the Users.txt file before using it (remove unused or already existing users, modify the domain name, …).
- If you migrate to an AD integrated IDENTIKEY Authentication Server, the AD users must already exist before the DIGIPASS users can be created (and the DIGIPASS assigned to them).
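The remarks leave the editing of Users.txt as a manual step. The following Python script is an added example, not part of this KB and not a VASCO tool: it runs outside dpadmincmd, reads the file in the layout the export script above writes, applies the edits the remarks describe (drop users that already exist on the new server, rewrite the domain name) and adds two checks a migration should not skip: rows without a DIGIPASS are dropped, and a serial number that appears twice in the export is reported rather than assigned twice. The sample export, the domain names OLDCORP and NEWCORP, the user IDs and the serial numbers are constructed for the example; the function names are the example's own.

```python
"""Clean an IDENTIKEY Users.txt export before importing it on the new server.

Added example, not part of the VASCO KB.  Reads the file written by the KB's
export script, applies the edits the KB's remarks describe, and reports every
row it drops so the migration can be reviewed before the import.
"""
import csv
from dataclasses import dataclass


@dataclass(frozen=True)
class UserRecord:
    userid: str
    org_unit: str
    domain: str
    digipass: str


# Constructed sample of what the export script writes: header unquoted,
# data rows quoted, one leading and one trailing space on every line.
SAMPLE_EXPORT = "\n".join([
    ' userid, OrganizationalUnit, domain, SerialNumber ',
    ' "jdoe","Sales","OLDCORP","VDS1000001" ',
    ' "asmith","Sales","OLDCORP","VDS1000002" ',
    ' "svc-admin","IT","OLDCORP","VDS1000003" ',
    ' "svc-backup","Servers","OLDCORP","" ',
    ' "bjones","IT","OLDCORP","VDS1000001" ',
    ' "mlee","IT","OTHERDOM","VDS1000004" ',
]) + "\n"


def parse_users_txt(text):
    """Parse Users.txt into UserRecord objects, skipping the header line."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()          # the export pads every line with spaces
        if not line:
            continue
        fields = [f.strip() for f in next(csv.reader([line], skipinitialspace=True))]
        if fields[0].lower() == "userid":
            continue                # header line
        if len(fields) != 4:
            raise ValueError(f"expected 4 fields, got {len(fields)}: {line!r}")
        records.append(UserRecord(*fields))
    return records


def clean_for_import(records, domain_map, existing_userids=()):
    """Return (kept, skipped).

    kept records carry the domain name of the new server; skipped is a list
    of (record, reason) for the migration report.  domain_map maps old domain
    names to the new domain; a record whose domain is not mapped is skipped
    rather than guessed, so no user is created in an unintended domain.
    """
    existing = {u.lower() for u in existing_userids}
    serial_owner = {}               # serial number -> userid kept so far
    kept, skipped = [], []
    for r in records:
        if not r.digipass:
            skipped.append((r, "no DIGIPASS assigned"))
        elif r.userid.lower() in existing:
            skipped.append((r, "user already exists on the new server"))
        elif r.domain not in domain_map:
            skipped.append((r, f"domain {r.domain} not mapped to a new domain"))
        elif r.digipass in serial_owner:
            # one DIGIPASS must not be assigned to two users by the import
            skipped.append((r, f"DIGIPASS {r.digipass} already assigned to {serial_owner[r.digipass]}"))
        else:
            serial_owner[r.digipass] = r.userid
            kept.append(UserRecord(r.userid, r.org_unit, domain_map[r.domain], r.digipass))
    return kept, skipped


def write_users_txt(records):
    """Write records back in the same layout the export script produces."""
    lines = [' userid, OrganizationalUnit, domain, SerialNumber ']
    for r in records:
        lines.append(f' "{r.userid}","{r.org_unit}","{r.domain}","{r.digipass}" ')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs = parse_users_txt(SAMPLE_EXPORT)
    kept, skipped = clean_for_import(recs, {"OLDCORP": "NEWCORP"}, existing_userids=["svc-admin"])
    print(write_users_txt(kept))
    for r, reason in skipped:
        print(f"skipped {r.userid}: {reason}")
```

Users that share a DIGIPASS through link_userid are not visible in the four exported fields; if the old server uses shared DIGIPASS, export link_userid as well and handle those rows separately instead of letting the duplicate-serial check drop them.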

