With AM's support for containers, more and more customers are looking into migrating an existing AM setup to a containerized setup.
But to do that efficiently, we are missing a utility that would allow us to migrate configuration between different Access Manager flavors in a simple way.
There is Code Promotion functionality, and although the documentation does not mention any limitations regarding containerized environments, there are still some very important limitations, like the inability to move:
- Shared secrets
- Persistent federation data
- Certificate stores
- OAuth clients and secrets (for that I am not sure if Code Promotion supports it)
Of course we could recreate the configuration on the containerized environment from scratch, but we would still need a way to move things that cannot be configured, like shared secrets, persistent federation data, OAuth clients and secrets (we have customers with hundreds of OAuth clients).
I would expect this utility to have an interface to export configuration on the old admin console and import it on the new one. Before importing configuration on the new admin console, there should probably already be a basic cluster configuration, but nothing else. The basic cluster configuration would be needed to be able to support configurations with multiple IDP/AGW clusters (the utility should of course ask how to map them).
I also understand that there are differences between supported functionalities on different Access Manager flavors (specifically appliance and service/containers), but the utility could have an interface asking the user how to map data.
For example, with certificates, if moving from appliance to service/container there should not be any problem (just copy the default keystore multiple times), but when going from service/container to appliance, there should be a possibility for the user to choose a cert for SSL/signing/encryption, and the utility should notify the user that this is the only certificate supported (because of appliance limitations) and that existing federations will need to be updated.
And, for example, when dealing with IP addresses assigned to Access Gateway reverse proxies, during import there should be a possibility to map an old IP address to a new one, and of course the import cannot be performed if the new Access Gateway does not have enough IP addresses.
Regarding appliance IP management (either AM appliance or AGW appliance), I think this can simply be ignored, since if moving FROM an appliance, the information is irrelevant. But if moving TO an appliance, a basic cluster should also be created, so this should already be set.
I do understand that coding this utility would pose a lot of challenges to the development team, but it would be a tremendous help for anybody trying to maintain Access Manager.