Migration

This topic describes the detailed procedure for migrating from Identity Manager - Software Stack to IBM Verify Identity Governance - Container.

Before you begin

  1. Ensure that you have fulfilled the software and hardware requirements.
  2. Ensure that you have completed the relevant prerequisite configurations.
  3. Determine whether the database and LDAP are internal to IBM Verify Identity Governance - Container or whether they will be hosted externally. If you have chosen to use an external IBM Security Directory Server, an external database, or both, then set up a supported version of the database and/or directory server.
  4. Gather the inputs required for the config.yaml file.
Tip: If you face any issues during migration, check the suggestions in the Migration troubleshooting topic.
Also, be aware of the following points:
  • After completing the migration to IBM Verify Identity Governance - Container, you might need to re-build and test any custom code that uses the Java APIs. The IBM Verify Identity Governance - Container provides some code samples that have been modified to make them work with the Verify Identity Governance server running on WebSphere Liberty. For more information, see the Re-building examples code section in the Post-migration activities topic.
  • Because the IBM Verify Identity Governance - Container uses the WebSphere Liberty platform instead of the traditional WebSphere Application Server, you must use a Liberty Client to call Remote Enterprise JavaBeans.

Upgrade/migration process

The migration to the IBM Verify Identity Governance - Container involves the following steps.

Step 1: IBM Verify Identity Governance - Container installation

Install the IBM Verify Identity Governance - Container. For detailed information, see the Installing section.
Attention: When installing the IVIG Container, do not point it directly at the existing Identity Manager production system's DB and LDAP. This prevents data loss during migration.

Step 2: Database migration

Complete the database migration. For detailed instructions, see the Database Migration topic.

Step 3: Directory Server migration

Complete the Directory Server migration, including LDAP settings. For detailed instructions, see the Directory Server Migration topic.

Next, perform the following steps:
  1. Start the IBM Verify Identity Governance - Container pod.

    Example: kubectl -n isvgim scale --replicas=1 statefulset isvgim

    Here, isvgim indicates your Kubernetes namespace for IBM Verify Identity Governance - Container.
  2. Update the enRoleDatabase.properties, enRoleLDAPConnection.properties, and enRole.properties files to connect to the database and directory server where the data is migrated. Use the getConfig.sh and createConfigs.sh scripts to get and modify the property files. For more information, see the Editing the properties files topic.

    enRoleDatabase.properties file
    In the enRoleDatabase.properties file, verify or update the following database-specific properties with the values for your environment.
    i. database.db.type
    ii. database.db.owner
    iii. database.db.user
    iv. database.db.password
    v. database.db.security.protocol
    vi. database.jdbc.driverUrl
    vii. database.jdbc.driver
    viii. database.db.admin
    ix. database.db.adminPwd

    enRoleLDAPConnection.properties file
    In the enRoleLDAPConnection.properties file, verify or update the following directory server-specific properties with the values for your environment.
    i. java.naming.provider.url
    ii. java.naming.security.principal
    iii. java.naming.security.credentials
    iv. java.naming.security.protocol

    enRole.properties file
    In the enRole.properties file, verify or update the following LDAP server and tenant-specific properties with the values for your environment.
    i. enrole.defaulttenant.id
    ii. enrole.defaultadmin.id
    iii. enrole.organization.name
    iv. enrole.ldapserver.root
    v. enrole.ldapserver.home
    vi. enrole.ldap.provider

    Identify whether the password for the database connection is encrypted in the enRoleDatabase.properties file. Based on that, set the enrole.password.database.encrypted property value in the enRole.properties file.

    Identify whether the password for the LDAP connection is encrypted in the enRoleLDAPConnection.properties file. Based on that, set the enrole.password.ldap.encrypted property value in the enRole.properties file.

    SSL support
    If you plan to use an SSL connection for the database, you must add the certificates to the TrustStore.
    Important: Throughout the migration process, ensure that the Directory Server is configured in non-SSL mode. You may switch the Directory Server to SSL mode after the migration process is complete.
    Perform the following steps:
    1. Place the required certificate files in the config/certs directory.
    2. Open the config/config.yaml file and go to the server > truststore section.
    3. Specify the complete certificate chain.
    4. Run the script /starter/bin/createConfigs.sh
    5. Next, run the following command: kubectl -n isvgim rollout restart statefulset isvgim
  3. Scale down the IBM Verify Identity Governance - Container to zero.

    Example: kubectl -n isvgim scale --replicas=0 statefulset isvgim

    Here, isvgim indicates your Kubernetes namespace for IBM Verify Identity Governance - Container.

  4. Run the LDAP upgrade script.

    starter/bin/util/ldapUpgrade.sh

  5. Run the database upgrade script.

    starter/bin/util/dbUpgrade.sh

  6. Run the role hierarchy data upgrade script.

    starter/bin/util/upgradeRoleHierarchy.sh

  7. In the IBM Security Verify Governance - Identity Manager (Software Stack) environment, locate the following files: ${ISVG_HOME}/data/keystore/itimKeystore.jceks and ${ISVG_HOME}/data/encryptionKey.properties
  8. Note: Perform this step if you are migrating from Identity Manager Software Stack version 10.0.1 Fix Pack 3 or later versions.
    On the IM Software Stack system, run the backupRestoreMasterKey command. Copy the encrypted string (masterKey) returned by the command. Save this masterKey to a file. For more information, see this topic.
  9. Run the KeyStore migration script.

    starter/bin/util/migrateKeystore.sh

  10. Start the IBM Verify Identity Governance - Container pod.

    Example: kubectl -n isvgim scale --replicas=1 statefulset isvgim

    Here, isvgim indicates your Kubernetes namespace for IBM Verify Identity Governance - Container.

  11. Test the IBM Verify Identity Governance - Container with the migrated data and verify that product features and functionalities are working correctly.
  12. If no longer needed, then you may decommission the database and directory server or instance that was used during installation but not used during migration.

Next steps

Post-migration tasks

Complete the post-migration activities. For detailed instructions, see the Post-migration tasks topic.

Customization migration

Migrate your legacy customizations from Software Stack to IBM Verify Identity Governance - Container. For detailed instructions, see the Customizations Migration topic.

[OPTIONAL] Production cutover

This optional activity is performed only if there is a significant time gap between migration to IBM Verify Identity Governance - Container and going live on the new environment. For detailed instructions, see the Production cutover topic.