The Privileged Appliance and Modules

(TPAM) 2.5
2.5 Migration Guide

Copyright 2015 Dell Inc. All rights reserved.

This product is protected by U.S. and international copyright and intellectual property laws. Dell, SonicWALL and the Dell
logo are trademarks of Dell Inc. in the United States and/or other jurisdictions. MAC OS, OS X are trademarks of Apple, Inc.,
registered in the U.S. and other countries. Check Point is a registered trademark of Check Point Software Technologies Ltd. or
its affiliates. Cisco is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other
countries. ForeScout and CounterACT are trademarks of ForeScout Technologies, Inc. Fortinet is a registered trademark of the
Fortinet Corporation in the United States and/or other countries. FreeBSD is a registered trademark of the FreeBSD foundation.
H3C is a trademark of Hangzhou H3C Technologies, Co. Ltd. Google and Chrome are trademarks of Google, Inc., used with
permission. HP, OPENVMS and Tru64 are registered trademarks of Hewlett-Packard Development Company. AS/400, IBM and
AIX are registered trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide.
Juniper, JUNOS and NetScreen are registered trademarks of Juniper Networks, Inc. in the United States and other countries.
Linux is a registered trademark Linus Torvalds in the United States, other countries, or both. MariaDB is a registered
trademark of MariaDB Corporation. Microsoft, Active Directory, Internet Explorer, and Windows are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Mozilla and Firefox are
registered trademarks of the Mozilla Foundation. NetApp is a registered trademark of NetApp, Inc., registered in the U.S. and
other countries. Nokia is a registered trademark of Nokia Corporation. Novell is a registered trademark of Novell, Inc. in the
United States and/or other countries. Oracle, Java, MySQL, and Solaris are trademarks of Oracle and/or its affiliates. PAN-OS
is a registered trademark of Palo Alto Networks, Inc. PowerPassword is a registered trademark of BeyondTrust Software, Inc.
PROXYSG is a trademark of Blue Coat Systems, Inc., registered in the United States and other countries. Stratus is a registered
trademark of Stratus Technologies Bermuda Ltd. Teradata is a registered trademark of Teradata Corporation or its affiliates in
the United States or other countries. UNIX and UNIXWARE is a registered trademark of The Open Group in the United States
and other countries. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other
jurisdictions. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks
and names or their products. Dell disclaims any proprietary interest in the marks and names of others.
Legend
CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

IMPORTANT NOTE, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.
TPAM 2.5 Migration Guide
Updated - November 2015
Software Version - 2.5

TPAM 2.5
2.5 Migration Guide

Contents
Migration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Outline of Migration Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Take a Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Take a Back Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Start Up 2.5 Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Power on the TPAM Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
Configure the Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
Configure DNS Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
View Running Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Flush DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
DNS Suffix Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Host File Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
Set Date Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
Archive Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Configure Archive Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Add Existing Cache Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Log on to the Cache Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Configure Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Prepare the Cache for Enrollment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Add Cache Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Add Cache Client Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Add Cache Trusted Root Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Add the Cache Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Details Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Take a Backup of 2.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Take a Back Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Run the Migration Job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Put the 2.5 Appliance in Maintenance Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Migrate Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
TPAM 2.5
2.5 Migration Guide

Background Migration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27

Put the 2.5 Appliance in Operational Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
Re-enroll DPAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Reset Locally Authenticated System Administrator Passwords . . . . . . . . . . . . . . . . . . .29
Import User ID Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Add Replicas to Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30
Start Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Enable Back Up Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Stop the Migration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Remove Migration Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
About Dell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Contacting Dell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Technical Support Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35

TPAM 2.5
2.5 Migration Guide

1
Migration Overview

Outline of Migration Steps

Outline of Migration Steps

The following is an outline of the steps involved in migrating from TPAM 2.3.768 or 2.4.804 to TPAM 2.5.

Identify/create the 2.3.768/2.4.804 backup that will be used for migration.

Start up and log on to the new 2.5 TPAM appliances.

Configure network settings on new 2.5 appliance.

If using a backup from an existing 2.3.768/2.4.804 archive server, configuring the archive server on the
2.5 appliance.

Setup existing cache servers, users and trusted root certificates on 2.5 appliance.

Take a backup of the 2.5 database prior to starting the migration.

Put the 2.5 TPAM appliance in maintenance mode.

Migrate the data from 2.3.768/2.4.804

Check patch log for errors.

Add replicas to the cluster if desired.

Make DPAs active.

Remove migration page from menu of 2.5

If DPAs are configured on the 2.3.768/2.4.804 appliance the DPAs and the respective Affinity settings for these
DPAs will be migrated to the 2.5 appliance.

TPAM 2.5
2.5 Migration Guide

2
Take a Backup

Introduction

Take a Back Up

Introduction
Taking a backup of 2.3.768/2.4.804 provides the data source for the migration to 2.5.

Take a Back Up
To migrate to 2.5 a back up of the data from your old TPAM appliance is required. The backup file that is loaded
onto your 2.5 TPAM can come from one of the following sources:

A backup file that has been saved locally.

A backup file that is on an existing 2.3.768/2.4.804 archive server.

IMPORTANT: To use a backup file from a 2.3.768/2.4.804 archive server, the archive server must be set up
in 2.5 exactly as it is in 2.3.768/2.4.804. Also the archive method must use SCP using DSS key!

To take an online backup on your 2.3.768/2.4.804 TPAM:

1

Log on to the /paradmin interface of your old appliance.

Select Backup| Backup Now from the menu.

The backup will automatically start.

Click the Online Backups tab.

Once the online backup is complete is will appear in the listing.

Select the backup from the listing and click the Download button.

TPAM 2.5
2.5 Migration Guide

Save the backup file locally so it can be uploaded during the 2.5 migration process.

TPAM 2.5
2.5 Migration Guide

3
Start Up 2.5 Appliance

Introduction

Power on the TPAM Appliance

Introduction
The next step in the migration is to start up and log on to the new 2.5 appliances.
Take a few moments to gather the tools you will need to perform the initial setup of the TPAM appliance, and
organize your environment. You will need the following items:

A laptop or workstation computer with a web browser and ethernet interface that can be located near
the appliance.

A standard ethernet crossover cable.

Document supplied by Dell Software containing usernames and passwords (located on the CD).

One IP address for each TPAM appliance on the network.

Power on the TPAM Appliance

To power on the TPAM appliance:

Press the power button on the front panel of the appliance.

Connect a remote host computer (laptop, etc.) to the /config interface port using a crossover cable.

Set the IP address of the remote host to any address on the 192.168.1.XXX subnet, except for
192.168.1.105.

From the remote host, open a web browser session to: https://192.168.1.105/config. If prompted to
accept the certificate, click Yes.

Enter parmaster for the User Name. The password is supplied in the documentation accompanying the
appliance.
TIP: If you have problems accessing the config interface check your browser Security Settings. Try
using an alternate browser and/or make sure you have set up the URL as a trusted site.
Once logged on, you will see the /config home page:

TPAM 2.5
2.5 Migration Guide

TPAM 2.5
2.5 Migration Guide

4
Network Settings

Introduction

Configure the Network Settings

Configure DNS Settings

View Running Values

Flush DNS

DNS Suffix Search

Host File Mapping

Set Date Format

Introduction
The /config interface provides the connection for the initial setup and configuration of the TPAM appliance, as
well as an ongoing management interface for accessing logs and other forensic information.
The /config interface is used to set the following parameters for the appliance:

IP Address

Subnet Mask

Default Gateway

DNS server(s)

Configure the Network Settings

To configure the network settings:
1

Select Network Settings | Modify Network Settings from the menu.

Enter the IP Address, Subnet Mask, and Default Gateway. Click the Save Settings button.

TPAM 2.5
2.5 Migration Guide

10

Configure DNS Settings

Modifying the DNS settings allows a change in the configuration of just the DNS servers without making any
changes to the built-in firewall or IP address of the appliance. This is a more desired method when no other
network configuration changes are being made.

To configure the DNS settings:

1

Select Network Settings | Modify DNS Settings from the menu.

Enter the Preferred DNS Server and the Alternate DNS Server. Click the Save Settings button.

View Running Values

If you select Network Settings | View Running Values from the main menu, the current values for the primary
network interface for the appliance are displayed. This read only view lets the System Administrator confirm
that the settings are correct.

Flush DNS
To immediately flush all cached DNS entries:
1

Select Network Settings | Flush DNS from the menu.

Click the FlushDNS button.

DNS Suffix Search

The DNS suffix search allows you to add domain suffix search order to the network settings. Adding these
suffixes allows DNS to query for systems by appending these suffixes in order. For example: I enter a system in
TPAM and give it a network address of questdevchad. If the suffix search order is blank, it will query the DNS for
questdevchad without any other information and fail. Specifying a suffix search list allows the system to append
to suffix to questdevchad to resolve an address. If the search order was: example.org,tpamexample.org, it
would first try to resolve questdevchad.example.org first and then questdevchad.tpamexample.org if the first
resolution fails.

TPAM 2.5
2.5 Migration Guide

11

To add DNS suffix search:

1

Select Network Settings | DNS Suffix Search from the menu.

Enter up to six DNS suffixes.

Click the Save Settings button.

Host File Mapping

Host file mapping allows a static entry of a Host Name that is directly linked to an IP Address without the
dependency of a DNS server.

To map a host file:

1

Select Network Settings | Manage Hosts File from the menu.

Enter the Host IP address and the Host Name. Click the + button.

To remove an entry click the X button.

Select Replicate hosts file to other consoles and include in backup to replicate the mappings to
replicas in the cluster.

Set Date Format

Prior to running the migration it is strongly recommended that on your 2.5 appliance you select the same date
format that is used in your 2.3.768/2.4.804 environment.

To set the date format:

1

Log on to the admin interface of the 2.5 appliance.

Select System Status/Settings | Global Settings from the menu.

Select Customer Specified from the Category Filter list.

Select the system date format that you are using on your 2.3.768/2.4.804 TPAM.
TPAM 2.5
2.5 Migration Guide

12

Click the Save Changes button.

TPAM 2.5
2.5 Migration Guide

13

5
Archive Servers

Introduction

Configure Archive Server

Introduction
To pull the 2.3.768/2.4.804 backup off an existing archive server the archive server must be added to the 2.5
appliance prior to migration. The archive method must be SCP using DSS key.
IMPORTANT: For migration purposes the name of the archive server added in 2.5 must exactly match the
archive server configured in 2.3/2.4.

Configure Archive Server

To configure an archive server:
1

Select System Status/Settings | Archive Servers from the menu.

Click the Add Server button.

The table below explains the options on the archive server management page:
Table 1. Archive Server Management: Details tab options
Field

Description

Required?

Server Name

The unique server name.

Yes

Network
Address

The IP address or fully qualified domain name.

Yes

TPAM 2.5
2.5 Migration Guide

Default

14

Table 1. Archive Server Management: Details tab options

Field

Description

Required?

Default

Archive Method

Select the following archive method:

Yes

FTP

SCP using DSS Key - the most secure transport method,

data is transmitted through SCP (secure copy) with an
encrypted SSH tunnel form TPAM to the archive server.
The SCP method uses a public/private key pair for
authentication. Supported keys are OpenSSH and
SECSH keys. To complete the setup of the archive
server for SCP communication, download the required
public key using the Get Open SSH or Get Sec SSH
button and store the key in the proper location on the
archive server.

Port

Port number for TPAM to use.

DSS Key Details

When using DSS key authentication, a function is available to No

permit specific configuration of the public/private keys used.

No

Avail. System Std. Keys uses the single standard SSH

keys (either Open SSH or the commercial key) stored
centrally on TPAM. You have the ability to have up to
three active keys simultaneously. These keys are
configured in the paradmin interface. Use the list to
select the key you want to retrieve.

NOTE: When using the Avail. System Std. Keys you cannot
specify the key that is used. One or all available keys may be
downloaded to the remote system, but TPAM attempts to use
all currently active keys when communicating with the remote
system.

Use System Specific Key allows the generation and

download of a specific SSH key to be used with this
system only. The key must first be generated using the
Gen/Regen Key Pair button, and then downloaded in
either Open SSH or Sec SSH (commercial) format.

The public key must be placed into the proper directory on

the archive server. For most systems this is [users home
directory]/.ssh (create the directory if it does not exist). The
public key must also be specified as an authorized
authentication method for the functional account. A new DSS
key pair can be generated at any time (if for example it is felt
that the existing keys have been compromised). Clicking the
Regen Key Pair button generates a new public/private key
pair.
The Regen Key Pair only regenerates the system specific key
for the selected archive server, so only that archive server is
affected.

Account Name

Used to authenticate to the archive server, and within whose

home directory the logs are stored.

Yes

Path to Storage

Enter the full path as required for the storage location on the Yes
archive server.

Description

Descriptive text for the archive server.

No

Enter the settings and click the Save Changes button.

The connection and authentication between TPAM and the archive server can be tested by clicking the Test
button.
To clear the existing host keys for the archive server from the TPAM appliance click the Clear Host Entry button.

TPAM 2.5
2.5 Migration Guide

15

6
Add Existing Cache Servers

Introduction

Log on to the Cache Server

Configure Network Settings

Prepare the Cache for Enrollment

Add Cache Users

Add Cache Client Hosts

Add Cache Trusted Root Certificates

Add the Cache Server

Details Tab

Introduction
To migrate the existing cache servers in your TPAM environment you must perform the steps listed below.
Detailed procedures on each of these steps are included in this chapter.

Log on to each cache server and update the network settings and generate a new enrollment string.

Add the cache users in the /tpam interface on the 2.5 TPAM appliance.
IMPORTANT: Cache userIDs must be set up so the userid created in 2.5 is an exact match with what
is set up in 2.3.768/2.4.804.

Add cache client hosts in 2.5 exactly as you had them in the old environment.

Add the cache trusted root certificates exactly as you had them in the old environment.

Log on to the Cache Server

To log on to the cache server:
1

Power on the cache using your virtualization product.

The appliance will boot to a login prompt.

Enter accsetup for the UserID and Setup4ACC as the password (unless you have changed the default
password to something else).
The following menu will appear listing all of the commands available from the configuration console.

TPAM 2.5
2.5 Migration Guide

16

Configure Network Settings

If the new 2.5 appliances gave different network settings than the2.3/2.4 appliances you need to update the
network settings with the 2.5 information.
1

Enter 4 and press the ENTER key to configure the network settings.

Enter 2 and press the ENTER key.

Enter the IP Address for eth0 as prompted and press the ENTER key

Enter the Network Mask for eth0 as prompted and press the ENTER key.

Enter the Gateway for eth0 as prompted and press the ENTER key.

Enter Y and press the ENTER key to save your changes.

From the Manage Network Settings menu, enter 1 and press the ENTER key to display the new running
values.

If a different network address is required/desired for application access to the cache, enter 3 and press
the ENTER key.

Repeat steps 3-6 for eth1.

10 Press the ENTER key to return to the manage network settings menu.
11 Enter 4 and press the ENTER key to modify the DNS settings.
TPAM 2.5
2.5 Migration Guide

17

12 Enter the DNS IP and press the ENTER key.

13 Enter the Secondary DNS IP and press the ENTER key. (Optional)
14 Enter the DNS Domain and press the ENTER key. (Optional)
15 Enter Y and press the ENTER key to save your changes.
16 Press the ENTER key to return to the manage network settings menu.
17 Enter Q and press the ENTER key to return to the main menu.

Prepare the Cache for Enrollment

The next step is to prepare the cache for enrollment to the 2.5 TPAM appliance. This step prepares temporary
keys that will be used to establish the secure connections between cache and your TPAM appliance(s). This step
is best done remotely as the string necessary to enroll the cache is rather long and remote accessing the cache
allows you to copy the string more easily.

To prepare for enrollment:

1

From the main menu, enter 3 and press the ENTER key.

When prompted, enter the IP address of the 2.5 TPAM primary or standalone device, and press the
ENTER key.

TPAM 2.5
2.5 Migration Guide

18

Enter E and press the ENTER key to enroll the cache.

Enter Y and press the ENTER key.

Copy the key that is presented. You will need to enter this key in procedure below.

Add Cache Users

To add a cache user:
1

Log on to the /tpam interface of the 2.5 appliance.

Select Users & Groups| UserIDs | Add UserID from the menu.

Enter information on the Details tab.

Select Cache User as the User Type.

Applications requesting passwords from the Password Virtual Cache must provide a client certificate in
order to be authenticated by the Cache. The client, or user certificate can be created by TPAM or
supplied by the customer. Each certificate is associated with a user type of Cache User in TPAM. Use one
of the following methods to select certificate type:

Select User-Supplied. Click the Select File button. Click the Browse button and select the file.
Click the Upload button. Additionally, when using a user-supplied certificate, a trusted root
certificate that can establish trust in the user certificate must be uploaded to TPAM and assigned
to the Cache(s) from which the user will request passwords. This is needed so that applications
requesting passwords using this user-supplied certificate can be authenticated by the Cache. See
Add Cache Trusted Root Certificates.

Select Created by TPAM. Click the Download TPAM Root Certificate button to generate the
certificate.The generated user certificate must be downloaded and used by applications
requesting passwords from the Cache.

Enter and confirm the Password.

Click the Save Changes button.

Add Cache Client Hosts

As an extra security precaution you have the option to specify the client host that the cache users are using to
access the cache server.

To configure the client host/s:

1

Select Management | Cache Servers | Manage Client Hosts from the menu.

Click the Add Host button.

Enter the Network Address for the client host.

To enable the host, select the Enabled? check box.

Enter a description for the client host. (Optional)

TPAM 2.5
2.5 Migration Guide

19

Click the Save Changes button.

Add Cache Trusted Root Certificates

A trusted root certificate needs to be added to the cache server if a user-supplied certificate is used for a cache
user.

To add a root certificate:

1

Select Management | Cache Servers | Manage Trusted Roots from the menu.

Click the Add Certificate button.

Enter a name for the certificate.

Enter a description for the certificate. (Optional)

Use one of the following methods to select the certificate source:

Select Upload certificate file. Click the Select File button. Click the Browse button and select
the file. Click the Upload button.

Select Enter Certificate. Paste the certificate in the text area.

Click the Save Changes button.

Add the Cache Server

Add the cache server with the same exact name as you have in the 2.3.768/2.4.804 environment.

To add a cache server in the TPAM interface:

1

Select Management | Cache Servers | Manage Cache Servers from the menu.

Click the Add Server button.

Enter the information on the Details tab. For more information on these fields see Details Tab

Paste in the enrollment string generated from the enrollment on the cache log in.

Click the Save Changes button.

The information populated on the cache accounts, root certificates, users, hosts and permissions tab will all be
migrated and does not have to added here.

TPAM 2.5
2.5 Migration Guide

20

Details Tab

The table below explains the fields available when adding a cache server in the TPAM interface.
Table 2. Cache Server Management: Details tab options
Field

Description

Required?

Cache Server
Name

Descriptive name for the cache.

Yes

Enabled?

If selected, this cache server will be available to be assigned to systems. No

Secure Bus

The network address that TPAM and the cache use to communicate.

Default

Off

Yes

Appl Interface The network address that cache userids use to access the cache server.

Yes

Description

The description box may be used to provide additional information about No

the cache, special notes, business owner, etc.

Retention?

If selected, and the cache server does not communicate with TPAM
No
within X minutes entered in the Disable After field, the cache server will
shut down. This is a safeguard to prevent users retrieving passwords
when the TPAM appliance may be down.

Enroll String

The enroll string functions as the key exchange with the cache. The
enroll string is provided by the cache when you execute the prepare to
enroll/re-enroll with TPAM option of the Setup menu.

Yes

Logging

You have the option of having logs sent to a syslog address and/or a
specific email address.

No

Alerting

You have the option of having alerts sent to an SNMP address and/or a
specific email address.

No

SMTP

If the cache server uses a different SMTP server then TPAM enter the
address here.

No

Use DNS?

If selected, DNS is used to ask for the MX record, specifying the correct
server to use for sending mail.

No

TPAM 2.5
2.5 Migration Guide

Off

21

7
Take a Backup of 2.5

Introduction

Take a Back Up

Introduction
Prior to starting the migration process it is a good idea to take a backup of the 2.5 environment. This will save
all the pre-configuration work that has been done in the prior steps, such as the network settings and cache
server configuration.

Take a Back Up
To take an online backup on your 2.5 TPAM:
1

Log on to the /admin interface of your 2.5 appliance.

Select Backup| Modify Backup Settings from the menu.

Click the Backup Now button. A message will be displayed on the bottom of the page that the backup
has started.

Click the Online Backups tab.

Once the online backup is complete is will appear in the listing.

Select the backup from the listing and click the Download button.

Save the backup file locally so it can used at a later date if a restore is needed.

TPAM 2.5
2.5 Migration Guide

22

8
Run the Migration Job

Introduction

Put the 2.5 Appliance in Maintenance Mode

Migrate Data

Background Migration

Put the 2.5 Appliance in Operational Mode

Re-enroll DPAs

Reset Locally Authenticated System Administrator Passwords

Import User ID Passwords

Add Replicas to Cluster

Start Agents

Enable Back Up Schedule

Stop the Migration

API

Remove Migration Menu

Introduction
This chapter describes the migration job. The migration job can be run many times with the data being
overwritten each time the job has run.

Put the 2.5 Appliance in Maintenance Mode

Before the migration job can be started, the 2.5 appliance must first be put in maintenance mode.
NOTE: When the appliance is in maintenance mode, users will not be able to access the /tpam interface.

To put the appliance in maintenance mode:

1

Log on the to /admin interface of the 2.5 appliance.

TIP: It is recommended that you log on using the parmaster account to perform the migration, as
opposed to another system administrator account.

Select System Status/Settings | Cluster Management from the menu.

Select the Run Level check box.

Select Maintenance from the Run Level list.

TPAM 2.5
2.5 Migration Guide

23

Click the Change Run Level button.

Click the Continue with Change button.

Migrate Data
The next step is to use the 2.3.768/2.4.804 backup file to migrate the data. During the live migration users
cannot log in to the /tpam interface and the appliance must remain in maintenance mode.

To migrate the 2.3.768/2.4.804 data:

1

Log on to the /config interface of the 2.5 primary appliance using the parmaster user ID.
TIP: You must use the parmaster user ID when logging in to start the migration because any other
system administrator user id you have created in 2.5 prior to migration will be deleted.

Select Restore | System Migration from the menu.

Use one of the following methods to select the backup file source:

Select Backup To Migrate and select a specific backup from the list. This option is only available
if you have already run the migration process at least once before.

Select Upload Backup File. Click the Select File button. Click the Browse button and select the
file. Click the Upload button.

Select Retrieve from Archive Server. Select an archive from the list provided.
IMPORTANT: Only *.zip and *.zip2 backup file names that begin with PAR_*, EGP_*, EPAR_*, and
EEGP_* will be recognized.
IMPORTANT: In order to retrieve a backup from an existing archive server, this archive server must
have been added to 2.5 exactly as it was configured in your 2.3.768/2.4.804 environment and use
an archive method of SCP using DSS key. See Configure Archive Server.
TPAM 2.5
2.5 Migration Guide

24

If the backup file has secondary encryption, enter and confirm the password.

In order to translate dates and times in your 2.3/2.4 date select a time zone that matches the UTC offset
and daylight saving time (DST) rules on your old appliance. In 2.3 and 2.4 GMT time zones were used. In
2.5 the server time is always at UTC time with no adjustments for daylight savings time. The time zone
selected here will be used for any migrated user IDs that were set as "The user is in the same timezone
as the server" on the old appliance.
If the Automatically adjust clock for daylight saving changes was turned off on your old appliance
make sure to select the closet match on the list.
For example if your old appliance was at (UTC-5:00) Eastern time US and Canada, and the
Automatically adjust for daylight savings check box was turned off, then the closet match for both
offset and DST rules is (UTC-5:00) Bogota, Lima, Quito, which is always at UTC -5:00 and does not
adjust for DST.
This in 2.4

translates to this in 2.5:

Select one of the following options to determine how managed passwords are migrated:

Current - If selected, the most recent password for managed accounts and synchronized
passwords are migrated immediately. All past and archived passwords will be queued up to be
migrated in batches after the initial migration job has completed and the appliance is put back in
operational mode. Choosing this option will speed up the initial migration job.

Current & Recent - If selected, the active and past passwords for managed accounts and
synchronized passwords are migrated immediately. The archived passwords will be queued up to
be migrated in batches after the initial migration job has completed and the appliance is put back
in operational mode.

None - if selected, no passwords will be migrated.

IMPORTANT: The choice of None should only be used during migration testing.

Select one of the following options to determine how files are migrated:

Current - If selected, the most recent version of a file are migrated immediately. All past version
of files will be queued up to be migrated in batches after the initial migration job has completed
and the appliance is put back in operational mode. Choosing this option will speed up the initial
migration job.
TPAM 2.5
2.5 Migration Guide

25

All - If selected, current and past version of files are migrated immediately. Choose this option if
you have a small amount of files or require that current and past file versions be available
immediately after the migration job completes.

None - if selected, no files will be migrated.This can be used during testing to cut down on the
time of the migration run.
IMPORTANT: The choice of None should only be used during migration testing or if you do
not have any files loaded.

Select one of the following options to determine how the paradmin user account is migrated:
IMPORTANT: All users that have been set up in the 2.5 appliance prior to running the migration,
EXCEPT for cache user types, will be deleted during the migration process.

Do not change - If selected, all the settings for the paradmin account as it is on the 2.5 appliance,
prior to migration, will persist after the migration is run. None of the 2.3.768/2.4.804 settings for
this account will be imported. If the password was managed using TPAM in 2.3.768/2.4.804 the
password history will be migrated.

Reset - The password for the paradmin account will be reset to the factory default.

Migrate - Current and past passwords for the paradmin account will be migrated. If the paradmin
account is NOT managed by TPAM the password will be reset to the factory default.

Select one of the following options to determine how the parmaster user account is migrated:
NOTE: Regardless of the setting selected below if the parmaster or paradmin account is disabled in
the 2.3/2.4 migration file then it will be disabled in 2.5 after the migration is complete.

Do not change - If selected, all the settings for the parmaster account as it is on the 2.5
appliance, prior to migration, will persist after the migration is run. None of the 2.3.768/2.4.804
settings for this account will be imported. If the password was managed using TPAM in
2.3.768/2.4.804 the password history will be migrated.

Reset - The password for the parmaster account will be reset to the factory default.

Migrate - Current and past passwords for the parmaster account will be migrated. If the
parmaster account is NOT managed by TPAM the password will be reset to the factory default.

10 Select any of the following check boxes to migrate the settings from 2.3.768/2.4.804 for these jobs and
schedules to 2.5. All of the agents will be disabled after the migration is complete.

Backup Schedule

Password Test Schedule

Auto Discovery Agent

Auto Management Agent

Daily Maintenance Agent - If selected this will be reset to factory default when the migration is
run. The other option is to go ahead and configure this on your 2.5 appliance prior to migration
and leave this check box cleared.

Mail Agent

Periodic Review Notification

IMPORTANT: The Integration Agent (called Auto Discovery Agent in 2.5), Post-Session Processing
Agent, Mail Agent, and Auto Management Agent will not be running in 2.5 once the migration is
complete, regardless if they were on in 2.3.768/2.4.804. These will all have to be manually
restarted. We recommend validating the migration data prior to turning these on.

11 Click the Begin Migration button.

TPAM 2.5
2.5 Migration Guide

26

12 Click the OK button on the confirmation window.

13 To check the progress of the migration click the Results tab. Clicking the tab again will refresh the data.
The time displayed on the Migration log is server time (UTC).

Background Migration
Once the live migration has completed and the appliance is put back in operational mode, if not migrated
during the live migration, past passwords and past file versions will be migrated in batches during the
background migration process. During the background migration process the following is true:

Users may log on to the /tpam, /admin, and /config interfaces.

Passwords, files and sessions may be requested, approved, retrieved, etc.

Agents may be enabled.

The backup and restore processes will not run.

The appliance cannot change cluster role.

The appliance can be rebooted if necessary, the background migration will continue when the appliance
is rebooted.

The migration log and progress tabs are available to monitor background migration status.

Do not add any replicas to the cluster until the background migration has completed.

Put the 2.5 Appliance in Operational Mode

Once the live migration pass is complete put the 2.5 appliance back in operational mode to start checking the
data.

To put the appliance in operational mode:

1

Log on the to admin interface of the 2.5 appliance.

Select System Status/Settings | Cluster Management from the menu.

TPAM 2.5
2.5 Migration Guide

27

Select the Run Level check box.

Select Operational from the Run Level list.

Click the Change Run Level button.

Click the Continue with Change button.

Re-enroll DPAs
Any DPAs that were configured in your 2.3.768/2.4.804 environment will be migrated to 2.5, as well as their
affinity assignments. The remaining steps are to re-enroll the DPAs and flag them as active. When the DPAs are
migrated to 2.5, the DPA software version will be updated to v3.3.5.

To re-enroll the DPAs:

1

Log on to the DPA console with the dpasetup user id.

From the main menu, enter 3 and press the ENTER key

When prompted, enter the IP address of the new 2.5 TPAM primary device, and press the ENTER key.

Enter E and press the ENTER key to enroll the DPA.

Enter Y and press the ENTER key.

Copy the key that is presented. You will need to enter this key in procedure below.

Log on to the /admin interface. of TPAM.

Select System Status/Settings | Cluster Management from the menu.

Select the DPA in cluster member list.

10 Enter or paste the enrollment string that was generated from the DPA console.
11 Click the Save button.

TPAM 2.5
2.5 Migration Guide

28

12 If the DPA is successfully enrolled, enter Y back on the DPA console to complete the TPAM enrollment
process on the console.
13 Select the Appliance Active check box.
14 Select Active from the list.
15 Click the Save button.
16 Log on to the tpam interface.
17 Select Management | DPAs from the menu.
18 Select the DPA from the listing.
19 Click the Details tab.
20 Select the Allow PSM? flag.
21 Click the Save Changes button.
22 Repeat steps 1 - 21 for any additional DPAs.

Reset Locally Authenticated System

Administrator Passwords
Locally authenticated System administrator user IDs other then the parmaster require manual password resets.

To reset the passwords for the system administrator user IDs:

1

In the admin interface select Sys-Admin UserIDs | Manage Sys-Admin UserIDs.

Click the Listing tab.

Select a user from the listing. Click the Details tab.

Reset the password by entering a new password in the password and confirm fields.

Click the Save Changes button.

Repeat steps 3-5 for all system administrator user IDs except for the parmaster account.

Import User ID Passwords

Passwords for user IDs are not migrated, therefore new passwords will need to be loaded for all user IDs that
have local as their primary authentication type.

To create a batch update file:

1

Select Users & Groups | List UserIDs.

Click the Export to CSV button.

Open the file.

Delete the row in the file for the paradmin user ID.

In the password column, column I, paste in an initial password for all your users.

Save the file and close it.

Select Batch Processing | Update UserIDs.

Click the Select File button.

Click the Browse button. Select the file.

TPAM 2.5
2.5 Migration Guide

29

10 Click the Upload button.

11 Select Update for the Update Action for all rows.
12 Click the Process File button.
13 Distribute passwords to users. These passwords are one time use only and the users will be forced to
change their password upon logging on.

Add Replicas to Cluster

If you have additional TPAM appliances to add as replicas to the cluster and you are satisfied that the
2.3.768/2.4.804 data migrated successfully go ahead and add the replicas to the cluster. Do not add any replicas
to the cluster until the background migration has completed.
IMPORTANT: The TPAM appliances in a cluster now communicate with one another using port 8000. Please
ensure that your firewalls are configured to allow communication through these ports.

To add replicas to the cluster:

1

Log on to the /admin interface for the appliance you want to label as the primary.

Select System Status/Settings | Cluster Management from the menu.

Select the Name check box. It is recommended to change the name of the appliance to include
primary somewhere in the name. (optional)

Click the Save button.

Click the New Cluster Member button.

Enter the name for the replica.

Enter the network address of the replica.

Click the Check Address button.

Select Replica from the role list.

10 Enter the failover timeout.

11 Enter the failback timeout.

TPAM 2.5
2.5 Migration Guide

30

12 Click the Save button.You will see a message that Appliance at address x.x.x.x is not yet registered in
the cluster.

13 Click the Make Enrollment Bundle button. This generates the key file that will be used to communicate
with the replica.

14 Click the Continue with Change button.

NOTE: Make sure you have enabled pop-ups for your TPAM appliance.

15 You will be prompted to save the enrollment bundle file. Click the OK button and save the file locally.
16 Log on to the /admin interface of the replica appliance.
17 Select System Status/Settings | Cluster Management from the menu.
18 Select the Run Level check box.
19 Select Maintenance form the Run Level list.
20 Click the Change Run Level button.
21 Click the Continue with Change button.

22 Click the Select File button.

23 Click the Browse button. Select the file.
TPAM 2.5
2.5 Migration Guide

31

24 Click the Upload button.

25 Click the Apply button.

26 Click the Continue with Change button.

27 Log off the replica appliance or close the browser.

28 On the primary appliance select System Status/Settings | Cluster Management from the menu.
29 Select the replica in the cluster member list. Wait for the replica run level to change from Unknown to
Maintenance, then proceed to the next step.
NOTE: The replica may be visible in the cluster list but its status may be unknown for quite some
time until it has fully enrolled with the primary. The time it takes to complete enrollment is
dependent on the size of the backup being applied to the replica from the primary.
30 Select the Run Level check box.
31 Select Operational from the Run Level list.
32 Click the Change Run Level button.
33 Repeat steps 5-32 to add additional replicas to the cluster.

TPAM 2.5
2.5 Migration Guide

32

Start Agents
If the status of the Auto Management agent in the 2.3.768/2.4.804 backup was Running, then after the
migration is complete on the 2.5 appliance the agent will also have a status of Running, but all the individual
agents below will still need to be enabled:

Mail Agent

Check Agent

Change Agent

DA Change Agent (optional)

Man Pwd Change Agent (optional)

Sync Pass Change Agent (optional)

Account Discovery Agent (optional)

Auto Discovery Agent (optional)

NOTE: The post-session processing agent will automatically restart when the appliance is put in
operational mode.

For details on how to start or enable these agents please see the TPAM System Administrator Guide for
instructions.

Enable Back Up Schedule

The back up schedule that you have set in your 2.3.768/2.4.804 TPAM environment will migrate to your 2.5
appliance, but it will not be enabled.

To enable the back up:

1

From the admin interface select Backup | Modify Backup Settings.

Select the Enabled check box.

Click the Save Changes button.

Stop the Migration

There is the option to stop the migration in progress before it has completed. This option is only available if
TPAM detects either a live or background migration process running. After the migration is stopped, you can
run another migration from the beginning or you could restore the database using a 2.5 backup.
To stop the migration click the Stop Migration button.

Click the OK button on the confirmation window.

TPAM 2.5
2.5 Migration Guide

33

API
New API files that are compatible with 2.5 are posted on the customer portal. Please download these from
https://hq01.e-dmzsecurity.com/edmzcust.

Remove Migration Menu

Once you have completed the migration from 2.3.768/2.4.804 to 2.5 the migration menu can be removed from
the /config interface.

To remove the migration menu:

1

Log on to the /admin interface.

Select System Status/Settings | Global Settings from the menu.

Select Allow Migration from the Category Filter list.

Select No for the setting.

Click the Save Changes button.

TPAM 2.5
2.5 Migration Guide

34

About Dell

Dell listens to customers and delivers worldwide innovative technology, business solutions and services they
trust and value. For more information, visit www.software.dell.com.

Contacting Dell
Technical Support:
Online Support
Product Questions and Sales:
(800) 306-9329
Email:
info@software.dell.com

Technical Support Resources

Technical support is available to customers who have purchased Dell software with a valid maintenance
contract and to customers who have trial versions. To access the Support Portal, go to
https://software.dell.com/support/.
The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a
day, 365 days a year. In addition, the portal provides direct access to product support engineers through an
online Service Request system.
The site enables you to:

Create, update, and manage Service Requests (cases)

View Knowledge Base articles

Engage in community discussions

Chat with a support engineer

TPAM 2.5
2.5 Migration Guide

35