(TPAM) 2.5
2.5 Migration Guide
WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.
IMPORTANT NOTE, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.
TPAM 2.5 Migration Guide
Updated - November 2015
Software Version - 2.5
Contents
Migration Overview
  Outline of Migration Steps
Take a Backup
  Introduction
  Take a Back Up
Start Up 2.5 Appliance
  Introduction
  Power on the TPAM Appliance
Network Settings
  Introduction
  Configure the Network Settings
  Configure DNS Settings
  View Running Values
  Flush DNS
  DNS Suffix Search
  Host File Mapping
  Set Date Format
Archive Servers
  Introduction
  Configure Archive Server
Add Existing Cache Servers
  Introduction
  Log on to the Cache Server
  Configure Network Settings
  Prepare the Cache for Enrollment
  Add Cache Users
  Add Cache Client Hosts
  Add Cache Trusted Root Certificates
  Add the Cache Server
  Details Tab
Take a Backup of 2.5
  Introduction
  Take a Back Up
Run the Migration Job
  Introduction
  Put the 2.5 Appliance in Maintenance Mode
  Migrate Data
1
Migration Overview
If using a backup from an existing 2.3.768/2.4.804 archive server, configure the archive server on the
2.5 appliance.
Set up existing cache servers, users, and trusted root certificates on the 2.5 appliance.
If DPAs are configured on the 2.3.768/2.4.804 appliance the DPAs and the respective Affinity settings for these
DPAs will be migrated to the 2.5 appliance.
2
Take a Backup
Introduction
Take a Back Up
Introduction
Taking a backup of 2.3.768/2.4.804 provides the data source for the migration to 2.5.
Take a Back Up
To migrate to 2.5, a backup of the data from your old TPAM appliance is required. The backup file that is loaded
onto your 2.5 TPAM can come from one of the following sources:
Select the backup from the listing and click the Download button.
Save the backup file locally so it can be uploaded during the 2.5 migration process.
3
Start Up 2.5 Appliance
Introduction
Introduction
The next step in the migration is to start up and log on to the new 2.5 appliances.
Take a few moments to gather the tools you will need to perform the initial setup of the TPAM appliance, and
organize your environment. You will need the following items:
A laptop or workstation computer with a web browser and ethernet interface that can be located near
the appliance.
Document supplied by Dell Software containing usernames and passwords (located on the CD).
Connect a remote host computer (laptop, etc.) to the /config interface port using a crossover cable.
Set the IP address of the remote host to any address on the 192.168.1.XXX subnet, except for
192.168.1.105.
From the remote host, open a web browser session to: https://192.168.1.105/config. If prompted to
accept the certificate, click Yes.
Enter parmaster for the User Name. The password is supplied in the documentation accompanying the
appliance.
TIP: If you have problems accessing the config interface check your browser Security Settings. Try
using an alternate browser and/or make sure you have set up the URL as a trusted site.
Once logged on, you will see the /config home page:
4
Network Settings
Introduction
Flush DNS
Introduction
The /config interface provides the connection for the initial setup and configuration of the TPAM appliance, as
well as an ongoing management interface for accessing logs and other forensic information.
The /config interface is used to set the following parameters for the appliance:
IP Address
Subnet Mask
Default Gateway
DNS server(s)
Enter the IP Address, Subnet Mask, and Default Gateway. Click the Save Settings button.
Enter the Preferred DNS Server and the Alternate DNS Server. Click the Save Settings button.
Flush DNS
To immediately flush all cached DNS entries:
1
Enter the Host IP address and the Host Name. Click the + button.
Select Replicate hosts file to other consoles and include in backup to replicate the mappings to
replicas in the cluster.
Select the system date format that you are using on your 2.3.768/2.4.804 TPAM.
5
Archive Servers
Introduction
Introduction
To pull the 2.3.768/2.4.804 backup off an existing archive server, the archive server must be added to the 2.5
appliance prior to migration. The archive method must be SCP using DSS key.
IMPORTANT: For migration purposes the name of the archive server added in 2.5 must exactly match the
archive server configured in 2.3/2.4.
The table below explains the options on the archive server management page:
Table 1. Archive Server Management: Details tab options
Field | Description | Required? | Default
Server Name | | Yes |
Network Address | | Yes |
Archive Method | | Yes | FTP
Port | | No |
Account Name | | Yes |
Path to Storage | Enter the full path as required for the storage location on the archive server. | Yes |
Description | | No |
NOTE: When using the Avail. System Std. Keys you cannot
specify the key that is used. One or all available keys may be
downloaded to the remote system, but TPAM attempts to use
all currently active keys when communicating with the remote
system.
The connection and authentication between TPAM and the archive server can be tested by clicking the Test
button.
To clear the existing host keys for the archive server from the TPAM appliance click the Clear Host Entry button.
6
Add Existing Cache Servers
Introduction
Details Tab
Introduction
To migrate the existing cache servers in your TPAM environment you must perform the steps listed below.
Detailed procedures on each of these steps are included in this chapter.
Log on to each cache server and update the network settings and generate a new enrollment string.
Add the cache users in the /tpam interface on the 2.5 TPAM appliance.
IMPORTANT: Cache userIDs must be set up so the userid created in 2.5 is an exact match with what
is set up in 2.3.768/2.4.804.
Add cache client hosts in 2.5 exactly as you had them in the old environment.
Add the cache trusted root certificates exactly as you had them in the old environment.
Enter accsetup for the UserID and Setup4ACC as the password (unless you have changed the default
password to something else).
The following menu will appear listing all of the commands available from the configuration console.
Enter 4 and press the ENTER key to configure the network settings.
Enter the IP Address for eth0 as prompted and press the ENTER key.
Enter the Network Mask for eth0 as prompted and press the ENTER key.
Enter the Gateway for eth0 as prompted and press the ENTER key.
From the Manage Network Settings menu, enter 1 and press the ENTER key to display the new running
values.
If a different network address is required/desired for application access to the cache, enter 3 and press
the ENTER key.
10 Press the ENTER key to return to the manage network settings menu.
11 Enter 4 and press the ENTER key to modify the DNS settings.
From the main menu, enter 3 and press the ENTER key.
When prompted, enter the IP address of the 2.5 TPAM primary or standalone device, and press the
ENTER key.
Copy the key that is presented. You will need to enter this key in the procedure below.
Select Users & Groups| UserIDs | Add UserID from the menu.
Applications requesting passwords from the Password Virtual Cache must provide a client certificate in
order to be authenticated by the Cache. The client, or user certificate can be created by TPAM or
supplied by the customer. Each certificate is associated with a user type of Cache User in TPAM. Use one
of the following methods to select certificate type:
Select User-Supplied. Click the Select File button. Click the Browse button and select the file.
Click the Upload button. Additionally, when using a user-supplied certificate, a trusted root
certificate that can establish trust in the user certificate must be uploaded to TPAM and assigned
to the Cache(s) from which the user will request passwords. This is needed so that applications
requesting passwords using this user-supplied certificate can be authenticated by the Cache. See
Add Cache Trusted Root Certificates.
Select Created by TPAM. Click the Download TPAM Root Certificate button to generate the
certificate. The generated user certificate must be downloaded and used by applications
requesting passwords from the Cache.
Select Management | Cache Servers | Manage Client Hosts from the menu.
Select Management | Cache Servers | Manage Trusted Roots from the menu.
Select Upload certificate file. Click the Select File button. Click the Browse button and select
the file. Click the Upload button.
Select Management | Cache Servers | Manage Cache Servers from the menu.
Enter the information on the Details tab. For more information on these fields see Details Tab.
Paste in the enrollment string generated from the enrollment on the cache log in.
The information populated on the cache accounts, root certificates, users, hosts and permissions tabs will all be
migrated and does not have to be added here.
Details Tab
The table below explains the fields available when adding a cache server in the TPAM interface.
Table 2. Cache Server Management: Details tab options
Field | Description | Required? | Default
Cache Server Name | | Yes |
Enabled? | | | Off
Secure Bus | The network address that TPAM and the cache use to communicate. | Yes |
Appl Interface | The network address that cache userids use to access the cache server. | Yes |
Description | | |
Retention? | If selected, and the cache server does not communicate with TPAM within X minutes entered in the Disable After field, the cache server will shut down. This is a safeguard to prevent users retrieving passwords when the TPAM appliance may be down. | No |
Enroll String | The enroll string functions as the key exchange with the cache. The enroll string is provided by the cache when you execute the prepare to enroll/re-enroll with TPAM option of the Setup menu. | Yes |
Logging | You have the option of having logs sent to a syslog address and/or a specific email address. | No |
Alerting | You have the option of having alerts sent to an SNMP address and/or a specific email address. | No |
SMTP | If the cache server uses a different SMTP server than TPAM, enter the address here. | No |
Use DNS? | If selected, DNS is used to ask for the MX record, specifying the correct server to use for sending mail. | No |
Off
7
Take a Backup of 2.5
Introduction
Take a Back Up
Introduction
Prior to starting the migration process it is a good idea to take a backup of the 2.5 environment. This will save
all the pre-configuration work that has been done in the prior steps, such as the network settings and cache
server configuration.
Take a Back Up
To take an online backup on your 2.5 TPAM:
1
Click the Backup Now button. A message will be displayed on the bottom of the page that the backup
has started.
Select the backup from the listing and click the Download button.
Save the backup file locally so it can be used at a later date if a restore is needed.
8
Run the Migration Job
Introduction
Migrate Data
Background Migration
Re-enroll DPAs
Start Agents
API
Introduction
This chapter describes the migration job. The migration job can be run many times, with the data being
overwritten each time the job is run.
Migrate Data
The next step is to use the 2.3.768/2.4.804 backup file to migrate the data. During the live migration users
cannot log in to the /tpam interface and the appliance must remain in maintenance mode.
Log on to the /config interface of the 2.5 primary appliance using the parmaster user ID.
TIP: You must use the parmaster user ID when logging in to start the migration because any other
system administrator user id you have created in 2.5 prior to migration will be deleted.
Use one of the following methods to select the backup file source:
Select Backup To Migrate and select a specific backup from the list. This option is only available
if you have already run the migration process at least once before.
Select Upload Backup File. Click the Select File button. Click the Browse button and select the
file. Click the Upload button.
Select Retrieve from Archive Server. Select an archive from the list provided.
IMPORTANT: Only *.zip and *.zip2 backup file names that begin with PAR_*, EGP_*, EPAR_*, and
EEGP_* will be recognized.
IMPORTANT: In order to retrieve a backup from an existing archive server, this archive server must
have been added to 2.5 exactly as it was configured in your 2.3.768/2.4.804 environment and use
an archive method of SCP using DSS key. See Configure Archive Server.
If the backup file has secondary encryption, enter and confirm the password.
In order to translate dates and times in your 2.3/2.4 data, select a time zone that matches the UTC offset
and daylight saving time (DST) rules on your old appliance. In 2.3 and 2.4 GMT time zones were used. In
2.5 the server time is always at UTC time with no adjustments for daylight saving time. The time zone
selected here will be used for any migrated user IDs that were set as "The user is in the same timezone
as the server" on the old appliance.
If the Automatically adjust clock for daylight saving changes was turned off on your old appliance,
make sure to select the closest match on the list.
For example, if your old appliance was at (UTC-5:00) Eastern time US and Canada, and the
Automatically adjust for daylight savings check box was turned off, then the closest match for both
offset and DST rules is (UTC-5:00) Bogota, Lima, Quito, which is always at UTC -5:00 and does not
adjust for DST.
This in 2.4
Select one of the following options to determine how managed passwords are migrated:
Current - If selected, the most recent password for managed accounts and synchronized
passwords are migrated immediately. All past and archived passwords will be queued up to be
migrated in batches after the initial migration job has completed and the appliance is put back in
operational mode. Choosing this option will speed up the initial migration job.
Current & Recent - If selected, the active and past passwords for managed accounts and
synchronized passwords are migrated immediately. The archived passwords will be queued up to
be migrated in batches after the initial migration job has completed and the appliance is put back
in operational mode.
Select one of the following options to determine how files are migrated:
Current - If selected, the most recent version of a file is migrated immediately. All past versions
of files will be queued up to be migrated in batches after the initial migration job has completed
and the appliance is put back in operational mode. Choosing this option will speed up the initial
migration job.
All - If selected, current and past versions of files are migrated immediately. Choose this option if
you have a small number of files or require that current and past file versions be available
immediately after the migration job completes.
None - If selected, no files will be migrated. This can be used during testing to cut down on the
time of the migration run.
IMPORTANT: The choice of None should only be used during migration testing or if you do
not have any files loaded.
Select one of the following options to determine how the paradmin user account is migrated:
IMPORTANT: All users that have been set up in the 2.5 appliance prior to running the migration,
EXCEPT for cache user types, will be deleted during the migration process.
Do not change - If selected, all the settings for the paradmin account as it is on the 2.5 appliance,
prior to migration, will persist after the migration is run. None of the 2.3.768/2.4.804 settings for
this account will be imported. If the password was managed using TPAM in 2.3.768/2.4.804 the
password history will be migrated.
Reset - The password for the paradmin account will be reset to the factory default.
Migrate - Current and past passwords for the paradmin account will be migrated. If the paradmin
account is NOT managed by TPAM the password will be reset to the factory default.
Select one of the following options to determine how the parmaster user account is migrated:
NOTE: Regardless of the setting selected below if the parmaster or paradmin account is disabled in
the 2.3/2.4 migration file then it will be disabled in 2.5 after the migration is complete.
Do not change - If selected, all the settings for the parmaster account as it is on the 2.5
appliance, prior to migration, will persist after the migration is run. None of the 2.3.768/2.4.804
settings for this account will be imported. If the password was managed using TPAM in
2.3.768/2.4.804 the password history will be migrated.
Reset - The password for the parmaster account will be reset to the factory default.
Migrate - Current and past passwords for the parmaster account will be migrated. If the
parmaster account is NOT managed by TPAM the password will be reset to the factory default.
10 Select any of the following check boxes to migrate the settings from 2.3.768/2.4.804 for these jobs and
schedules to 2.5. All of the agents will be disabled after the migration is complete.
Backup Schedule
Daily Maintenance Agent - If selected this will be reset to factory default when the migration is
run. The other option is to go ahead and configure this on your 2.5 appliance prior to migration
and leave this check box cleared.
Mail Agent
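The time zone step in the Migrate Data procedure above can be checked offline before the job is run. The following Python sketch is an added example, not part of the Dell guide or of TPAM: it models the two list entries from the guide's example and shows which old wall-clock timestamps would land on the wrong UTC instant if the selected zone's DST rule does not match the old appliance. The zone table, the US DST rule (as in force since 2007) and the sample timestamps are assumptions constructed here.

```python
from datetime import datetime, timedelta, timezone

# Constructed model of the two list entries named in the guide's example.
# Both sit at UTC-5:00 in winter; only the first moves its clock for DST.
ZONES = {
    "(UTC-5:00) Eastern time US and Canada": {"std_hours": -5, "dst": True},
    "(UTC-5:00) Bogota, Lima, Quito": {"std_hours": -5, "dst": False},
}


def nth_sunday(year, month, n):
    """Midnight on the n-th Sunday of the given month."""
    first = datetime(year, month, 1)
    to_sunday = (6 - first.weekday()) % 7  # weekday(): Monday=0 ... Sunday=6
    return first + timedelta(days=to_sunday + 7 * (n - 1))


def us_dst_active(local):
    """US rule since 2007: second Sunday of March 02:00 up to first Sunday
    of November 02:00, both wall-clock. The repeated 01:00-02:00 hour on the
    November changeover is treated as still being in DST."""
    start = nth_sunday(local.year, 3, 2).replace(hour=2)
    end = nth_sunday(local.year, 11, 1).replace(hour=2)
    return start <= local < end


def to_utc(local, std_hours, dst):
    """Translate a naive wall-clock timestamp to UTC under the given rules."""
    offset = std_hours + (1 if dst and us_dst_active(local) else 0)
    return (local - timedelta(hours=offset)).replace(tzinfo=timezone.utc)


def matching_zones(std_hours, auto_dst):
    """List entries that match the old appliance on offset AND DST behaviour."""
    return [name for name, z in ZONES.items()
            if z["std_hours"] == std_hours and z["dst"] == auto_dst]


def skewed_stamps(stamps, old_std_hours, old_auto_dst, chosen_zone):
    """Timestamps that would be translated to the wrong UTC instant if
    chosen_zone were applied to data written by the old appliance's clock.
    Returns (wall-clock time, error in hours) pairs."""
    z = ZONES[chosen_zone]
    out = []
    for local in stamps:
        truth = to_utc(local, old_std_hours, old_auto_dst)
        migrated = to_utc(local, z["std_hours"], z["dst"])
        if migrated != truth:
            out.append((local, (migrated - truth).total_seconds() / 3600))
    return out


# Constructed sample: wall-clock times as written by an old appliance at
# UTC-5:00 with automatic daylight saving adjustment turned off.
SAMPLE = [
    datetime(2015, 1, 15, 9, 0),
    datetime(2015, 7, 15, 9, 0),
    datetime(2015, 11, 1, 1, 30),
]

if __name__ == "__main__":
    print("closest match:", matching_zones(-5, False))
    for name in ZONES:
        bad = skewed_stamps(SAMPLE, -5, False, name)
        print(name, "->", len(bad), "timestamp(s) skewed")
        for local, hours in bad:
            print("   ", local, "off by", hours, "h")
```

A one-hour error of this kind affects only timestamps inside the DST window, so a spot check against winter records alone would not reveal it.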
Background Migration
Once the live migration has completed and the appliance is put back in operational mode, if not migrated
during the live migration, past passwords and past file versions will be migrated in batches during the
background migration process. During the background migration process the following is true:
The appliance can be rebooted if necessary; the background migration will continue when the appliance
is rebooted.
The migration log and progress tabs are available to monitor background migration status.
Do not add any replicas to the cluster until the background migration has completed.
Re-enroll DPAs
Any DPAs that were configured in your 2.3.768/2.4.804 environment will be migrated to 2.5, as well as their
affinity assignments. The remaining steps are to re-enroll the DPAs and flag them as active. When the DPAs are
migrated to 2.5, the DPA software version will be updated to v3.3.5.
From the main menu, enter 3 and press the ENTER key.
When prompted, enter the IP address of the new 2.5 TPAM primary device, and press the ENTER key.
Copy the key that is presented. You will need to enter this key in the procedure below.
10 Enter or paste the enrollment string that was generated from the DPA console.
11 Click the Save button.
12 If the DPA is successfully enrolled, enter Y back on the DPA console to complete the TPAM enrollment
process on the console.
13 Select the Appliance Active check box.
14 Select Active from the list.
15 Click the Save button.
16 Log on to the /tpam interface.
17 Select Management | DPAs from the menu.
18 Select the DPA from the listing.
19 Click the Details tab.
20 Select the Allow PSM? flag.
21 Click the Save Changes button.
22 Repeat steps 1 - 21 for any additional DPAs.
Reset the password by entering a new password in the password and confirm fields.
Repeat steps 3-5 for all system administrator user IDs except for the parmaster account.
Delete the row in the file for the paradmin user ID.
In the password column, column I, paste in an initial password for all your users.
Log on to the /admin interface for the appliance you want to label as the primary.
Select the Name check box. It is recommended to change the name of the appliance to include
primary somewhere in the name. (optional)
12 Click the Save button. You will see a message that Appliance at address x.x.x.x is not yet registered in
the cluster.
13 Click the Make Enrollment Bundle button. This generates the key file that will be used to communicate
with the replica.
15 You will be prompted to save the enrollment bundle file. Click the OK button and save the file locally.
16 Log on to the /admin interface of the replica appliance.
17 Select System Status/Settings | Cluster Management from the menu.
18 Select the Run Level check box.
19 Select Maintenance from the Run Level list.
20 Click the Change Run Level button.
21 Click the Continue with Change button.
Start Agents
If the status of the Auto Management agent in the 2.3.768/2.4.804 backup was Running, then after the
migration is complete on the 2.5 appliance the agent will also have a status of Running, but all the individual
agents below will still need to be enabled:
Mail Agent
Check Agent
Change Agent
For details on how to start or enable these agents, see the TPAM System Administrator Guide.
API
New API files that are compatible with 2.5 are posted on the customer portal. Please download these from
https://hq01.e-dmzsecurity.com/edmzcust.
About Dell
Dell listens to customers and delivers worldwide innovative technology, business solutions and services they
trust and value. For more information, visit www.software.dell.com.
Contacting Dell
Technical Support:
Online Support
Product Questions and Sales:
(800) 306-9329
Email:
info@software.dell.com