This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Move / Migrate PAM 3.2 audit data to a PAM 4.0 installation / Moving the encryption keys

We operate PAM V3.2 and PAM 4.0 at a large customer and need to move historical audit files from PAM 3.2 installation to PAM 4.0 installation.

We did successful tests with unencrypted audit data (.../audit/audit.db and.../audit/cmdctrl.db) by simply moving the .../audit directory from the PAM 3.2 server to the PAM 4.0 server. That worked and we were able to replay audited Unix session.

But we stuck with encypted audit data. Is there a procedure how to copy the historically used audit encryption keys to the new server?

Are they stored in ../audit/cmdctrl.db?

See audit encryptions settings in the screenshots attached.

Thank you!
Alex

Tags:

  • 0

    Hi Alex,

    Though it is a bit late for this answer, but I hope the below information helps.

    Generally it is not encouraged to copy the databases (where the configuration is stored) from an installation to the other, due to the encryption. However, the Audit databases can be copied from One system to other (If they are not encrypted), but as per the security practices, it should be avoided.

    The suggested way is -

    • Register a Backup Manager to the Primary in the existing deployment. The Backup Manager version should be as same as the Primary.
    • Make sure that the Configuration is replicated in all the modules (it usually takes a minute for replication and the data should be seen in the Backup UI directly)
    • Remove this Backup Manager from the Deployment (Hosts => Select this Backup => Delete Host)
    • This isolated Backup Manager can be promoted as a Primary and more backups can be added to this new deployment (Without affecting the old one)

    Things to consider in this way is - In the first step, the Backup Manager version should be same (Major + Minor) to avoid database schema discrepancies. After isolation, the New Manager can be upgraded once everything is verified.

    Thanks,

    Rajesh Nagella

  • 0 in reply to 

    Hi Rajesh,

    thank you so much for your reply and detailed description.

    May I ask you one more point:

    Our existing deployment is PAM V3.2 on Red Hat Linux 6 (RHEL6).

    Due to other reasons we need to install the Backup Manager on RHEL7.

    Should we

    (1) install the Backup Manager with PAM V3.2 on RHEL7 or

    (2) first upgrade the existing deployment to PAM V3.6 (as this supports RHEL6 and RHEL7).

    In other words:

    (1)

    PAM 3.2 (RHEL6) -> data replication -> PAM3.2 (RHEL7) Backup Manager

    (2)

    PAM 3.6 (RHEL6) -> data replication -> PAM3.6 (RHEL7) Backup Manager

    Thank you in advance!
    Alex Mansyreff

  • 0 in reply to 

    Hi Rajesh,

    we installed PAM V3.2 on a RHEL7 server. And registered it with the current deployment as a Backup Manager.

    PAM 3.2 (RHEL6) -> data replication -> PAM3.2 (RHEL7) Backup Manager

    These DBs were replicated immediately:

    /opt/netiq/npum/service/local/cmdctrl/cmdctrl.db

    /opt/netiq/npum/service/local/audit/audit.db

    But, as we've seen it before, this one was not replicated:

    /opt/netiq/npum/service/local/audit/cmdctrl.db

    Promoting the Audit Manager Module of the old server didn’t help.

    When we try to create a new report with the reporting module, we get the error message that no cmdctrl database has been found.

    The version number of the Audit Manager on the old server is 3.2.0.4 and on the new server it is 3.2.0.0

    Today we would install patches to get to the V 3.2.0.4 on the new server.

    Best,

    Alex