RSA Authentication Manager – Identity Source migration

In our company we have a non-AD user directory (and, in parallel, an AD that we are migrating to), and it is the user source for our RSA users. At the end of the year we will retire the non-AD directory, so we have to switch RSA's user source to AD. Of course we could just unlink the old directory and reassign the tokens to the new users, but if there is a better way, why not? And there is.

Basically, the user-token pairing is based on the User ID and the Unique Identifier (NOTE: this is on the RSA side), so if these match (and they should), you can simply export and import your users and tokens. That way you won't lose your configured tokens (PIN codes, for example).
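A pre-flight check for the User ID match described above, as an added example (not from the original post or from RSA): it compares LDIF dumps of the old directory and of AD. The attribute names uid and sAMAccountName and the sample entries are assumptions; IDs that differ only in letter case are reported separately so you can check how your deployment treats them.

```python
import base64
# Constructed sample dumps; the attribute names (uid, sAMAccountName) are assumptions.
OLD_LDIF = """dn: uid=jdoe,ou=people,dc=old,dc=example
uid: jdoe

dn: uid=asmith,ou=people,dc=old,dc=example
uid: asmith

dn: uid=bkovacs,ou=people,dc=old,dc=example
uid: bkovacs
"""
AD_LDIF = """dn: CN=John Doe,OU=Users,DC=corp,DC=example
sAMAccountName: jdoe

dn: CN=Anna Smith,OU=Users,DC=corp,DC=example
sAMAccountName: ASmith
"""

def ldif_values(ldif_text, attr):
    """Collect every value of attr from an LDIF dump.

    Handles folded lines (a continuation starts with one space) and
    base64 values written as "attr:: <base64>".
    """
    prefix = attr.lower() + ":"
    unfolded = ldif_text.replace("\r\n", "\n").replace("\n ", "")
    values = []
    for line in unfolded.splitlines():
        if not line.lower().startswith(prefix):
            continue
        rest = line[len(prefix):]
        if rest.startswith(":"):
            values.append(base64.b64decode(rest[1:].strip()).decode("utf-8"))
        else:
            values.append(rest.strip())
    return values

def compare_user_ids(old_ids, new_ids):
    """Classify each old User ID by whether the new directory has the same ID."""
    exact = set(new_ids)
    folded = {uid.casefold(): uid for uid in new_ids}
    report = {"match": [], "case_only": [], "missing": []}
    for uid in sorted(set(old_ids)):
        if uid in exact:
            report["match"].append(uid)
        elif uid.casefold() in folded:
            report["case_only"].append((uid, folded[uid.casefold()]))
        else:
            report["missing"].append(uid)
    return report

if __name__ == "__main__":
    print(compare_user_ids(ldif_values(OLD_LDIF, "uid"), ldif_values(AD_LDIF, "sAMAccountName")))
```

Anything listed under missing will have no AD user to map to at import time, so sort those out before you unlink the old directory.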

There is an okay guide from RSA, but there is a huge gap in that documentation (I will mention it later and put the link at the end of the post).

Enough words, here is how to do it (use your _LOCAL_ super admin account!):

  • Check your backup. I created a snapshot (power off the machine first, for safety).
  • Export the tokens & users (Security Console)
  • Unlink your old directory (Security Console)
  • Modify your old directory (Operations Console)
  • Link your old directory back (Security Console)
  • Clean up the RSA users (Security Console)
  • Import the users & tokens (Security Console)
  • Unlink the old directory (Security Console)
  • (Optional) Delete the old directory (Operations Console)
  • (Optional) Check your LDAP-based logins

Users & tokens export:

First, download your encryption key. Then, in the export part, upload it back and export all users and tokens.

Here is the important part: you have to unlink and modify your old user directory so that it does NOT return any users. With that trick, every user in RSA becomes orphaned; you can clean them up later, so that the import will match the User IDs of the new AD-based directory.

Unlink your old user directory (move it from the right panel to the left :)).

In the Operations Console, modify it so that its query returns nothing (for example, I changed the search scope from subtree to single level).

(Deployment Configuration -> Identity Sources -> Manage Existing, select your old source, click Edit and switch to the Map tab.)

Now link your old directory back (Security Console).

Do a cleanup: remove the tick from the Grace Period and remove every connection.

Import the tokens & users, map them to the new directory, and check your result.

If everything looks good, you can unlink your old directory (Security Console).

If any user had an LDAP-based login, you have to reassign his/her administrative role.

Source

[1] https://community.rsa.com/docs/DOC-45371
