16.2 Migrating the Datastore

The migration process involves the following two phases:

  • Migrating the administrator-managed settings: If you want to decommission your existing datastore and move to another datastore, you need to migrate all settings, preferences, application definitions, password policies, logins with passwords, and other stored data.

    First, identify the shared configurations, such as containers and group policy settings, and how they will fit into the structure of the new datastore. You can export this administrator-managed data by using tools similar to the existing distribution process, and then import it into the new environment.

    See Distributing Configurations, Using the slAP Tool, and Managing Configurations (SLManager).

  • Migrating the per-user settings: The per-user data, which is encrypted by the user, cannot be transferred by an administrator without the user’s keys to unlock it. Also, as part of migration, the client application must be reconfigured, through installer modification, for where the data is stored. The slMigrationHelper tool performs these per-user actions: exporting the data, reconfiguring the SecureLogin client to the new datastore, and importing the data. Users’ inherited settings from containers or group/group policy are not migrated by default.

Perform the following steps to migrate the per-user settings by using the slMigrationHelper tool:

  1. Determine the following details:

    • Whether you want to upgrade from an earlier version and migrate, or only migrate from one datastore to another in the same version of SecureLogin.

    • The type of the new datastore and any associated additional installer options, such as server address.

  2. Go to the SecureLogin\Tools\Administration\Provision Tools folder.

  3. Run the slMigrationHelper tool with the following options as required:

    • The option to import the data automatically after login (requires HKLM access)

    • The option to specify where to export the users' encrypted data

    • The option to customize the password of the exported data

    • The option to exclude the passphrase in the migration

    For more information about these options, see Table 16-1.

  4. Based on the installer prompt, log in again or restart SecureLogin to load it in the new datastore mode.

  5. If you did not choose to import the data automatically, run the tool again with the option to import all the data.

Table 16-1 slMigrationHelper Options

Option

Description

Migrate to the same version or upgrade to a later version

-m

Use this option to modify an existing SecureLogin installation.

For example: If you are on eDirectory, run the following command to specify that the existing installation needs to be modified to run with a new datastore:

slmigrationhelper.exe -m [Datastore options]

You can also specify additional options during the modify process. For example, slmigrationhelper.exe -m ADDLOCAL=SeamlessLDAPGina

-u <path of the installer>

Use this option to upgrade SecureLogin and change the datastore. To upgrade and change the datastore, use this option in combination with option -t to specify the new datastore.

For example, slmigrationhelper.exe -u <path of the 9.0 installer> -t [datastore]

You can choose to upgrade to a newer version without changing the datastore.

For example, slmigrationhelper.exe -u <path of the 9.0 installer>

You can specify additional options during the upgrade or modify process.

For example, slmigrationhelper.exe -u <path of the 9.0 installer> ADDLOCAL=SeamlessLDAPGina

Installer options

-t <datastore>

Use this option to specify the datastore you want to migrate to. This option is used in combination with option -m.

The valid datastores are:

  • Microsoft Active Directory (AD)

  • Active Directory Application Mode (ADAM) or Active Directory Lightweight Directory Services (AD LDS)

  • LDAP

    IMPORTANT:

    Multiple options are available for seamless login in the LDAP mode:

    • Windows Login (Credential Provider): The SeamlessLDAPGina feature

    • Network provider credential manager (Post-login, before desktop): The SeamlessLDAPCred feature

    • On SecureLogin application launch: The LDAPApp feature

  • LDAPSecretStore

  • NDS

  • SecureLogin Advanced Edition (Azure Active Directory)

    IMPORTANT:

    When you migrate to SecureLogin Advanced Edition (SLAE):

    • The seamlessMAD feature is installed automatically for the seamless login

    • SLAESERVERADDRESS is required

    • By default the value of SLAEPORT is TLS 443

    • You can migrate to SLAE only from Active Directory or ADAM. Migration from SLAE to any other mode is not supported.

For examples, see Example Commands for the -t Option.

-q

Use this option to run the installer in the quiet mode. By default, all installation program screens are displayed during the migration process.

For example: slmigrationhelper.exe -q

Export options

-f <path of the XML file>

Use this option to specify the path to the file that will contain all the exported data. All the data is stored in the XML format.

For example: slmigrationhelper.exe -f <path of the file>

-E

Use this option to encrypt the exported data. If you do not specify a password, the default password changeit is used for encryption.

For example: slmigrationhelper.exe -E <password>

Import the exported user data manually or automatically

-i <path to the XML file>

Use this option to import the previously exported data.

For example: slmigrationhelper.exe -i

-r

Use this option to invoke importing of user data from the XML file.

Using this option updates HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce.

For example: slmigrationhelper.exe -r

Export/import option

-P

Use this option to exclude import/export of passphrase information. If you have excluded passphrase import and export, during installation the user has to configure the passphrase information.

For example: slmigrationhelper.exe -m -f <path to the XML file> -P

-I

Use this option to include settings inherited from containers or groups.

For example, you can include or exclude the settings inherited from containers or groups as follows:

  • To include:

    slmigrationhelper.exe -m -t SLAE -I

  • To exclude:

    slmigrationhelper.exe -m -t SLAE

Help option

-h

Use this option to display help for the slmigrationhelper tool.

Example Commands for the -t Option

You can use the APPENDLOCAL property to add additional features to be installed.

For example, you can use the APPENDLOCAL property to add DAS and Syslog as additional features in the LDAP mode using the following command:

slmigrationhelper.exe -u C:\NetIQSecureLogin.exe -t LDAP ADDLOCAL=SeamlessLDAPGina LDAPSERVERADDRESS=127.0.0.1 APPENDLOCAL=DAS,Syslog

NOTE: You can specify multiple comma-separated features as required in APPENDLOCAL. For more APPENDLOCAL commands, see the command options in the mode-specific sections in the SecureLogin 9.0 Installation Guide.

Example commands for migrating to other modes:

  • To Migrate to the SLAE Mode: You must provide the server address. An alternate port is optional; its default value is SSL 443.

    slmigrationhelper.exe -m -t SLAE SLAESERVERADDRESS=10.198.1.2 /q

  • To Migrate to the LDAP or LDAPSecretStore Mode: You must provide the server address. Consider the method of seamless login (GINA or Credential Manager).

    slmigrationhelper.exe -u <fullpath>\NetIQSecureLogin.exe -t LDAP LDAPSERVERADDRESS=127.0.0.1 APPENDLOCAL=SeamlessLDAPCred

    IMPORTANT: To include the additional NICI LDAP dependency, you might need to perform an upgrade instead of a migration.

    • To switch to the LDAP mode and install in the GINA/Credential Provider mode:

      slmigrationhelper.exe -u C:\NetIQSecureLogin.exe -t LDAP ADDLOCAL=SeamlessLDAPGina

    • To switch to the LDAP mode and install in the Credential Manager mode:

      slmigrationhelper.exe -u C:\NetIQSecureLogin.exe -t LDAP -q ADDLOCAL=SeamlessLDAPCred

    • To switch to the LDAP mode and specify an LDAP server address:

      slmigrationhelper.exe -m -t LDAP LDAPSERVERADDRESS=127.0.0.1

    • To specify additional features to be installed using the APPENDLOCAL property:

      slmigrationhelper.exe -m -t LDAP LDAPSERVERADDRESS=127.0.0.1 APPENDLOCAL=DAS

    • To switch to the LDAPSecretStore and install in the Credential Manager mode:

      slmigrationhelper.exe -m -t LDAPSecretStore ADDLOCAL=SeamlessLDAPCred /q

    IMPORTANT: Installing in any LDAP or LDAPv3 mode requires NICI to be installed.

    If you are modifying the datastore from an existing one to LDAP and NICI is not installed on your workstation, use the -u option to specify the path to the SecureLogin installer.

    For example: slmigrationhelper.exe -u C:\NetIQSecureLogin.exe -t LDAP -q

    This switches the datastore to LDAP and installs NICI in the quiet mode.

  • To Migrate to the Microsoft Active Directory Mode:

    slmigrationhelper.exe -m -t MAD /q

  • To Migrate to the ADAM (AD LDS) Mode:

    slmigrationhelper.exe -m -t ADAM /q

  • To Migrate to the NDS Mode:

    slmigrationhelper.exe -m -t NDS /q

Migrating from the SecretStore Mode to Other Modes

In the subsequent release of SecureLogin, support for SecretStore will be discontinued. It is recommended to migrate from the SecretStore environment to one of the following modes:

  • LDAP

  • NDS

SecureLogin supports the following migration flows:

Migrating from LDAPSecretStore to LDAP

  • To switch to the LDAP mode and install in the GINA/Credential Provider mode:

    slmigrationhelper.exe -m -t LDAP ADDLOCAL=SeamlessLDAPGina /q

  • To switch to the LDAP mode and install in the Credential Manager mode:

    slmigrationhelper.exe -m -t LDAP ADDLOCAL=SeamlessLDAPCred /q

  • To switch to the LDAP mode and specify an LDAP server address:

    slmigrationhelper.exe -m -t LDAP LDAPSERVERADDRESS=127.0.0.1 /q

  • To specify additional features to be installed using the APPENDLOCAL property:

    slmigrationhelper.exe -m -t LDAP LDAPSERVERADDRESS=127.0.0.1 APPENDLOCAL=DAS

Migrating from LDAPSecretStore to NDS

To migrate to the NDS mode, use the following command:

slmigrationhelper.exe -m -t NDS /q

Migrating from NDS SecretStore to NDS

To migrate to the NDS mode, use the following command:

slmigrationhelper.exe -m -t NDS /q

Upgrading SecureLogin and Migrating the Datastore

If you want to upgrade SecureLogin and use another mode in the upgraded version, you must first upgrade SecureLogin to the latest version and then migrate it to the required mode. Performing a direct migration disables the features that you enabled in the previous version.

Using ADDLOCAL overwrites the existing feature set. During upgrade, you can use ADDLOCAL, but it must be used with all features that are required.

You can use the APPENDLOCAL property to add additional features to be installed. However, this option does not work during the upgrade. It only migrates the features that are installed.

For example, you can use the APPENDLOCAL property to add DAS and Syslog as additional features in the LDAP mode using the following command:

slmigrationhelper.exe -u C:\NetIQSecureLogin.exe -t LDAP ADDLOCAL=SeamlessLDAPGina LDAPSERVERADDRESS=127.0.0.1 APPENDLOCAL=DAS,Syslog

NOTE: You can specify multiple comma-separated features as required in APPENDLOCAL. For more APPENDLOCAL commands, see the command options in the mode-specific sections in the SecureLogin 9.0 Installation Guide.
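
The following added example (not part of the SecureLogin documentation or tooling) is a Python pre-deployment check that applies the option rules from Table 16-1 and the ADDLOCAL/APPENDLOCAL notes above to a planned slmigrationhelper command line before it goes into a rollout script. The finding names, and the choice to treat a migration with no -E option the same as the default password, are assumptions of this example.

```python
import re
import shlex

# -t values as they appear in this page's example commands.
DATASTORES = {"MAD", "ADAM", "LDAP", "LDAPSecretStore", "NDS", "SLAE"}


def lint(cmdline):
    """Return sorted finding codes for one planned slmigrationhelper command line."""
    found = set()
    if re.search("[\u2013\u2014]", cmdline):
        found.add("TYPOGRAPHIC_DASH")  # en/em dash pasted from rendered docs
    # Re-attach "– u" / "- t" style options so the remaining checks still run.
    text = re.sub(r"(?<!\S)[-\u2013\u2014]\s*(?=\w)", "-", cmdline)
    tokens = shlex.split(text, posix=False)[1:]  # posix=False keeps C:\ paths intact
    flags, props = {}, {}
    for i, tok in enumerate(tokens):
        if tok.startswith("-") or tok.lower() == "/q":
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            has_value = nxt and nxt[0] not in "-/" and "=" not in nxt
            flags[tok] = nxt.strip('"') if has_value else None
        elif "=" in tok:
            key, _, value = tok.partition("=")
            props[key.upper()] = value

    migrating = "-m" in flags or "-u" in flags
    # Bare -E falls back to the documented default "changeit" (stated on the page).
    # Treating a migration with no -E at all the same way is this example's assumption.
    if flags.get("-E") in (None, "changeit") and ("-E" in flags or migrating):
        found.add("EXPORT_PASSWORD_NOT_CUSTOM")
    if "-t" in flags:
        target = flags["-t"]
        if target not in DATASTORES:
            found.add("UNKNOWN_DATASTORE")
        if not migrating:
            found.add("T_WITHOUT_M_OR_U")  # -t is used together with -m or -u
        if target == "SLAE" and not props.get("SLAESERVERADDRESS"):
            found.add("SLAE_NEEDS_SERVERADDRESS")
        if target in ("LDAP", "LDAPSecretStore") and "-u" not in flags:
            found.add("LDAP_MODIFY_REQUIRES_NICI")  # NICI must already be installed
    if "ADDLOCAL" in props:
        found.add("ADDLOCAL_REPLACES_FEATURE_SET")  # list every required feature
    if "-u" in flags and "APPENDLOCAL" in props:
        found.add("APPENDLOCAL_NOT_APPLIED_ON_UPGRADE")
    if "-r" in flags:
        found.add("WRITES_HKLM_RUNONCE")  # needs HKLM access
    return sorted(found)
```

An empty list means none of these rules fired; it does not confirm that the tool accepts the command.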