Migration to IVIG Software
Detailed procedure to migrate data from an IBM Security Verify Governance - Verify Governance (ISVG-GOV) system (also called IGI) to the IBM Verify Identity Governance (IVIG) Software Stack.
Overview
It is recommended to run the IGI Migration tool step by step, one entity or one configuration at a time. Refer to the "Planning migration from ISVG-Gov" section for more details.
Migration
To run the migration tool, follow the steps below on the setup where the IVIG software stack is installed.
- Navigate to the <Liberty_Home>/usr/servers/defaultServer/bin/IGIMigration/bin directory. Uncomment and set the IGI DB driver class name and the IGI DB JDBC URL in the setEnv.sh script on Linux based platforms or in the setEnv.cmd script on Windows.
  - For Linux based platform
      export IGI_DB_DRIVER_CLASS_NAME="<IGI DB DRIVER CLASSNAME>"
      export IGI_JDBC_URL="<JDBC URL of IGI DB>"
    For example,
      export IGI_DB_DRIVER_CLASS_NAME="com.ibm.db2.jcc.DB2Driver"
      export IGI_JDBC_URL="jdbc:db2://127.0.0.1:50000/IGI_DB"
  - For Windows platform
      set "IGI_DB_DRIVER_CLASS_NAME=<IGI DB DRIVER CLASSNAME>"
      set "IGI_JDBC_URL=<JDBC URL of IGI DB>"
    For example,
      set "IGI_DB_DRIVER_CLASS_NAME=com.ibm.db2.jcc.DB2Driver"
      set "IGI_JDBC_URL=jdbc:db2://127.0.0.1:50001/SVG_MS"
- On the IVIG Software stack setup, navigate to the <Liberty_Home>/usr/servers/defaultServer/bin/IGIMigration/config directory. Set all the prerequisites as described in the "Prerequisites" section.
- On the IVIG Software stack setup, navigate to the <Liberty_Home>/usr/servers/defaultServer/bin/IGIMigration/bin directory. Run the command below to start the migration process.
  - For Linux based platform
      ./migration.sh -dbu <IGI_DB_User> -dbp <IGI_DB_Password> -ivigu <IVIG_User> -ivigp <IVIG_Password> -o <Operation> -e <Entities> -c <Configurations>
where,
- IGI_DB_User is the database user for the IGI database from which the data is to be migrated.
- IGI_DB_Password is the password for the IGI database user mentioned above.
- IVIG_User is the IVIG administrator user who can load data into IVIG.
- IVIG_Password is the password for the IVIG administrator user mentioned above.
The operation specified with the -o option can have any of the following three values:
- read - To read data from IGI
- convert - To convert CSV to JSON
- load - To load data into IVIG
Entities are objects which can be extracted from IGI and loaded into IVIG. The entities specified with the -e option can be any of the following.
With the -e option, the utility helps in migration of the entity details listed below for the respective entity.

users
  Supported operation: read
  Prerequisite entity: None
  Description:
  - User details from AGC - Manage - Users in IGI.
  - Account names associated with users - AGC - Manage - Users - Accounts.
connectors
  Supported operation: read, convert, load
  Prerequisite entity: users if service owner is defined
  Description: IB connectors from Enterprise Connectors in IGI.
roles
  Supported operation: read, convert, load
  Prerequisite entity: connectors for application roles, users if role owner is defined
  Description:
  - Application/IT Roles from AGC - Manage - Roles in IGI.
  - Organizational/Business Roles from AGC - Manage - Roles in IGI.
ous
  Supported operation: read, convert, load
  Prerequisite entity: None
  Description: Organization units belonging to default 'Organizational_Unit' hierarchy in IGI.
activities
  Supported operation: read, convert, load
  Prerequisite entity: connectors for permission-activities mapping
  Description: Business Activities from ARC - Manage - Business Activities in IGI.
risks
  Supported operation: read, convert, load
  Prerequisite entity: activities for activities-risk mapping
  Description: Risks (SA and SOD) from ARC - Manage - Risk Definitions in IGI.
mitigations
  Supported operation: read, convert, load
  Prerequisite entity: risks for risk-mitigation mapping, users for mitigation mapping
  Description: Mitigations from ARC - Manage - Mitigation Controls in IGI.
all
  Supported operation: read, convert, load
  Prerequisite entity: NA
  Description: Can read all above entities from IGI and export to respective CSV files. Note: The load and convert operations are not recommended, to avoid inter-dependencies amongst entities.
none
  Supported operation: NA
  Prerequisite entity: NA
  Description: This could be used when only configuration data is to be exported from IGI.

Configurations are objects which are extracted from IGI and are used for reference to manually configure certain
Configurations to be specified with option -c could correspond to,
With the -c option, the utility helps in migration of the configuration details listed below for the respective entity.

user
  Supported operation: read
  Description:
  - User types
  - UME user details
  - User attribute mappings
  - User account mapping details
application
  Supported operation: read
  Description:
  - Application details (From AGC - Manage - Applications)
  - Profile types
  - Non IB Connectors
account
  Supported operation: read
  Description:
  - Provisioning configurations
  - Provisioning config rules
  - Target Attributes
  - Password configurations
  - Password config rules
  - Dictionary Words
ous
  Supported operation: read
  Description:
  - OU types
  - Organizational Unit hierarchy details
  - Custom hierarchy details
  - Organizational Unit properties
roles
  Supported operation: read
  Description:
  - Permissions
  - External roles
  - Admin permissions and roles
rules
  Supported operation: read
  Description:
  - Live and deferred event rules
  - Account rules
  - Advanced rules
  - Attestation rules
  - Hierarchy rules
  - Password rules
campaign
  Supported operation: read
  Description:
  - Campaign details
  - Campaign dataset details
email
  Supported operation: read
  Description:
  - Email notifications configurations (From AGC - Configure - Notifications - Notification Settings)
  - Email notifications templates (From AGC - Configure - Notifications - Notification Templates)
  - Email notifications in campaigns (AGC - Configure - Certification Campaigns - Notification)
  - Email notifications in workflows (Process Designer - notification configurations associated with each workflow)
all
  Supported operation: read
  Description: This could be used when all the above configuration data is to be exported from IGI.
none
  Supported operation: NA
  Description: This could be used when only entities data is to be exported from IGI.

For example,
./migration.sh -dbu db2admin -dbp Passw0rd -ivigu "itim manager" -ivigp secret -o read -e none -c all
./migration.sh -dbu db2admin -dbp Passw0rd -ivigu "itim manager" -ivigp secret -o read -e "users applications" -c "users applications rules"
./migration.sh -dbu db2admin -dbp Passw0rd -ivigu "itim manager" -ivigp secret -o convert -e roles -c none
./migration.sh -dbu db2admin -dbp Passw0rd -ivigu "itim manager" -ivigp secret -o load -e applications -c none
  - For Windows platform
      ./migration.cmd -dbu <IGI_DB_User> -dbp <IGI_DB_Password> -ivigu <IVIG_User> -ivigp <IVIG_Password> -o <Operation> -e <Entities> -c <Configurations>
    For example,
      ./migration.cmd -dbu db2admin -dbp Passw0rd -ivigu "itim manager" -ivigp secret -o read -e roles -c all
- When the script finishes, check the detailed logs in the <Liberty_Home>/usr/servers/defaultServer/bin/IGIMigration/logs directory. The migrationScript.log file contains script execution logging, whereas migration.log contains detailed execution logs.
- Once the script execution is completed for the read operation, check the generated results in <Liberty_Home>/usr/servers/defaultServer/bin/IGIMigration/result. The success.log file contains details about the records that were migrated successfully, while the error.log file contains details about the records that failed migration.
- Also, in the case of the read operation, CSV files are generated at the location defined by the "igi.reader.csv.filepath" property in application.properties, or by default in the <Liberty_Home>/usr/servers/defaultServer/bin/IGIMigration/csv directory.
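The Prerequisite Entity information in the entity table and the advice to migrate one entity at a time, as an added example that is not IBM's code: the script orders the requested entities with tsort so that prerequisites run first, then calls migration.sh once per entity. The function names, the interactive prompts and stopping on a non-zero exit status are assumptions of this example.

```shell
#!/bin/sh
# Added example (not IBM's code): one entity per run, prerequisites first.

# "prerequisite dependent" pairs transcribed from the entity table.
# A self-pair registers an entity that has no prerequisite.
PREREQS='users users
ous ous
users connectors
users roles
connectors roles
connectors activities
activities risks
risks mitigations
users mitigations'

# entity_order OPERATION ENTITY...
# Prints the requested entities, prerequisites first, one per line.
# The table lists only "read" for users, so users is dropped otherwise.
entity_order() {
    op=$1; shift
    wanted=" $* "
    printf '%s\n' "$PREREQS" | tsort | while read -r entity; do
        case $wanted in *" $entity "*) ;; *) continue ;; esac
        if [ "$entity" = users ] && [ "$op" != read ]; then
            echo "skipping users: only read is supported" >&2
            continue
        fi
        printf '%s\n' "$entity"
    done
}

# run_entities OPERATION ENTITY...
# Run from IGIMigration/bin. Prompting keeps passwords out of shell history;
# they are still passed as arguments because -dbp and -ivigp are the only
# password options the page documents. Stopping on a non-zero exit status
# is an assumption: the page does not describe migration.sh exit codes.
run_entities() {
    printf 'IGI DB user: ' >&2; read -r dbu
    printf 'IVIG admin user: ' >&2; read -r ivigu
    stty -echo
    printf 'IGI DB password: ' >&2; read -r dbp
    printf '\nIVIG password: ' >&2; read -r ivigp
    stty echo; echo >&2
    for entity in $(entity_order "$@"); do
        ./migration.sh -dbu "$dbu" -dbp "$dbp" -ivigu "$ivigu" \
            -ivigp "$ivigp" -o "$1" -e "$entity" -c none || return 1
    done
}
```

For example, `run_entities load roles connectors` runs the connectors load before the roles load.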