TSchmauch Absent Member.

IDM Co-existence Question

Is it possible to have two separate IDM environments using the same tree on a temporary basis for a staggered migration? Something like server A is running IDM 4.02 and connecting to tree A (running eDirectory 8.8.8). Server B is running IDM 4.7 and connecting to tree A (running 9.x). Can we migrate drivers from 4.02 to 4.7 one by one and would this be supported?

Thank you
Tom
Anonymous_User Absent Member.

Re: IDM Co-existence Question

TSchmauch,
>
> Is it possible to have two separate IDM environments using the same tree
> on a temporary basis for a staggered migration? Something like server A
> is running IDM 4.02 and connecting to tree A (running eDirectory 8.8.8).
> Server B is running IDM 4.7 and connecting to tree A (running 9.x).
> Can we migrate drivers from 4.02 to 4.7 one by one and would this be
> supported?
>
> Thank you
> Tom
>
>

I'm not sure you can go directly from 4.02 to 4.7, but this approach
should work for going from 4.02 to 4.6.3. I can say that because I just
did it. I can provide high-level step-by-step instructions if you need
them.

Anonymous_User Absent Member.

Re: IDM Co-existence Question

Just to be clear, there aren't "two separate IDM environments" in my
approach. Rather, I added a new IDM 4.6.3 server to my existing driver
set, copied the server-specific data, then stopped the driver running on
the old server and started it on the new one.
Knowledge Partner

Re: IDM Co-existence Question

6423241 <dougperiodblack@osumcperiod.edu> wrote:
> TSchmauch,
>>
>> Is it possible to have two separate IDM environments using the same tree
>> on a temporary basis for a staggered migration? Something like server A
>> is running IDM 4.02 and connecting to tree A (running eDirectory 8.8.8).
>> Server B is running IDM 4.7 and connecting to tree A (running 9.x).
>> Can we migrate drivers from 4.02 to 4.7 one by one and would this be
>> supported?
>>
>> Thank you
>> Tom
>>
>>

> I'm not sure you can go directly from 4.02 to 4.7, but this approach
> should work for going from 4.02 to 4.6.3. I can say that because I just
> did it. I can provide high-level step-by-step instructions if you need
> them.
>


You can definitely use a migrate-to-new-server approach to go from 4.0.2 to
4.7 without going through an interim 4.6.x stage.

I have done that recently.

The wrinkles come with upgrading specific drivers especially user
application, but even that can be solved.

Alex McHugh - Knowledge Partner - Stavanger, Norway
TSchmauch Absent Member.

Re: IDM Co-existence Question

Thank you for the help! My thought was to create 2 new driver sets to get the critical drivers over to 4.7, then for the less critical ones migrate the existing to 4.7.

The driver upgrades we did in our development environment and they were entertaining 🙂
Knowledge Partner

Re: IDM Co-existence Question

On 4/2/2019 7:54 PM, TSchmauch wrote:
>
> Thank you for the help! My thought was to create 2 new driver sets to
> get the critical drivers over to 4.7, then for the less critical ones
> migrate the existing to 4.7.


Do not make a new driver set. Just have the 4.02 and 4.7 servers in the
same driver set and stop each driver on one, restart on the other (after
copying server specific info).


TSchmauch Absent Member.

Re: IDM Co-existence Question

6423241;2497665 wrote:
> TSchmauch,
>>
>> Is it possible to have two separate IDM environments using the same tree
>> on a temporary basis for a staggered migration? Something like server A
>> is running IDM 4.02 and connecting to tree A (running eDirectory 8.8.8).
>> Server B is running IDM 4.7 and connecting to tree A (running 9.x).
>> Can we migrate drivers from 4.02 to 4.7 one by one and would this be
>> supported?
>>
>> Thank you
>> Tom
>>
>
> I'm not sure you can go directly from 4.02 to 4.7, but this approach
> should work for going from 4.02 to 4.6.3. I can say that because I just
> did it. I can provide high-level step-by-step instructions if you need
> them.


If you can send high level instructions, that would be very helpful. Thank you!
Anonymous_User Absent Member.

Re: IDM Co-existence Question

TSchmauch,
>
> If you can send high level instructions, that would be very helpful.
> Thank you!
>


Okay, here's the process in a nutshell:

1. Install IDM vault & engine software on new server and add it to the tree

2. Add new server to the existing driver set
   a. In Designer, right-click on the Identity Vault object and select
      'New > Server'. Enter the DN of the new server (or browse to it) and
      click OK.
   b. Right-click on the driver set object and select Properties. Click
      'Server List', then move the new server from the 'Available Servers'
      column to the 'Selected Servers' column. Click Apply

3. Copy settings to the new server
   a. Right-click on the driver you are migrating
   b. Select Copy > Server-Specific settings
   c. Select the source (old) server, then check the box that corresponds
      to the target driver & server
   d. Select the data you want to copy (GCVs, named passwords,
      authentication information, etc) and click OK
   NB: If memory serves, you can't copy passwords as part of this process
   unless they are named passwords. If they are not, you may have to reset
   driver object, application, and/or remote loader passwords later in the
   process

4. Stop the driver, then deploy your new configuration. Double-check to
   make sure the driver is stopped and disabled on the old server, then
   start it on the new server.



Knowledge Partner

Re: IDM Co-existence Question

On 4/2/2019 4:24 PM, TSchmauch wrote:
>
> Is it possible to have two separate IDM environments using the same tree
> on a temporary basis for a staggered migration? Something like server A
> is running IDM 4.02 and connecting to tree A (running eDirectory 8.8.8).
> Server B is running IDM 4.7 and connecting to tree A (running 9.x).
> Can we migrate drivers from 4.02 to 4.7 one by one and would this be
> supported?


The Engine is a honey badger, and the Engine don't care.

User App is a high maintenance partner and is somewhat picky.


cpedersen Outstanding Contributor.

Re: IDM Co-existence Question

On 02.04.19 22:24, TSchmauch wrote:
>
> Is it possible to have two separate IDM environments using the same tree
> on a temporary basis for a staggered migration? Something like server A
> is running IDM 4.02 and connecting to tree A (running eDirectory 8.8.8).
> Server B is running IDM 4.7 and connecting to tree A (running 9.x).
> Can we migrate drivers from 4.02 to 4.7 one by one and would this be
> supported?
>
> Thank you
> Tom
>
>


To my understanding, you cannot officially go directly from 4.0.2 to
4.7. You need 4.5.6 or 4.6.x

The documentation for 4.6 spells out that you need 4.5 if you come from
4.0.2.

The easiest is 4.0.2 -> 4.5.6 -> 4.7

Documentation:
https://www.netiq.com/documentation/identity-manager-47/setup_linux/data/supported-upgrade-paths.html



Casper
Knowledge Partner

Re: IDM Co-existence Question

On 4/3/2019 5:23 AM, Casper Pedersen wrote:
> On 02.04.19 22:24, TSchmauch wrote:
>>
>> Is it possible to have two separate IDM environments using the same tree
>> on a temporary basis for a staggered migration?  Something like server A
>> is running IDM 4.02 and connecting to tree A (running eDirectory 8.8.8).
>> Server B is running IDM 4.7 and connecting to tree A (running 9.x).
>> Can we migrate drivers from 4.02 to 4.7 one by one and would this be
>> supported?
>>
>> Thank you
>> Tom
>>
>>

>
> To my understanding, you cannot officially go directly from 4.0.2 to
> 4.7. You need 4.5.6 or 4.6.x
>
> The documentation for 4.6 spells out that you need 4.5 if you come from
> 4.0.2.
>
> The easiest is 4.0.2 -> 4.5.6 -> 4.7
>
> Documentation:
> https://www.netiq.com/documentation/identity-manager-47/setup_linux/data/supported-upgrade-paths.html


Is that really an engine issue or just a UA issue?

cpedersen Outstanding Contributor.

Re: IDM Co-existence Question

On 03.04.19 15:40, Geoffrey Carman wrote:
> On 4/3/2019 5:23 AM, Casper Pedersen wrote:
>> On 02.04.19 22:24, TSchmauch wrote:
>>>
>>> Is it possible to have two separate IDM environments using the same tree
>>> on a temporary basis for a staggered migration?  Something like server A
>>> is running IDM 4.02 and connecting to tree A (running eDirectory 8.8.8).
>>> Server B is running IDM 4.7 and connecting to tree A (running 9.x).
>>> Can we migrate drivers from 4.02 to 4.7 one by one and would this be
>>> supported?
>>>
>>> Thank you
>>> Tom
>>>
>>>

>>
>> To my understanding, you cannot officially go directly from 4.0.2 to
>> 4.7. You need 4.5.6 or 4.6.x
>>
>> The documentation for 4.6 spells out that you need 4.5 if you come
>> from 4.0.2.
>>
>> The easiest is 4.0.2 -> 4.5.6 -> 4.7
>>
>> Documentation:
>> https://www.netiq.com/documentation/identity-manager-47/setup_linux/data/supported-upgrade-paths.html

>
>
> Is that really an engine issue or just a UA issue?
>


Taking my hat off ...

Possibly more a UA issue than engine. You need to upgrade the DB schema.



Casper

sma2006 Outstanding Contributor.

Re: IDM Co-existence Question

I think NetIQ does not support upgrade/migration from 4.02 to 4.7 because they did not try it, but I confirm I did it without any problem:
1) Add new servers with IDM 4.7 in the tree
2) Migrate your drivers one by one from IDM 4.02 servers to IDM 4.7 servers (use Migrate option in Designer to copy config to new servers and then deploy the driver)
3) Upgrade the Remote loader if any
4) Optionally you can upgrade the drivers configuration/package, but it's a lot of work.
5) If you have RBPM (AE edition) you must upgrade your drivers configuration (Roles, UserApp)
Knowledge Partner

Re: IDM Co-existence Question

On 4/9/2019 10:24 AM, sma wrote:
>
> I think NetIQ does not support upgrade/migration from 4.02 to 4.7
> because they did not try it, but I confirm I did it without any
> problem:
> 1) Add new servers with IDM 4.7 in the tree
> 2) Migrate your drivers one by one from IDM 4.02 servers to IDM 4.7
> servers (use Migrate option in Designer to copy config to new servers
> and then deploy the driver)
> 3) Upgrade the Remote loader if any
> 4) Optionally you can upgrade the drivers configuration/package, but
> it's a lot of work.
> 5) If you have RBPM (AE edition) you must upgrade your drivers
> configuration (Roles, UserApp)


I really think that the conversation about upgrading and requiring a
pass through a particular version (4.5.3 or 4.6.x) to get to the latest
is really about the User App/Identity Apps. And there it is really about
keeping the database intact.

We would be far better off if we could export the actual DB data, throw
away the old one, simply reinstall a new one and put back what we want.

The engine itself very rarely cares about upgrades and the path you took
it through.

Biggest compatibility issues are things like Remote Loaders, needing a
JVM that matches the engine JVM so SSL/TLS/Ciphers all match. Easy to fix.

Also, the change from JDBM to MapDB to ZoomDB means you need to make
sure to update shims as well sometimes.

So always distinguish between engine and Identity Apps.

Also, there are platform support changes (Sometimes you need a new OS to
run the latest eDir which is needed by the latest IDM...)

I do wish it were simpler though.


Knowledge Partner

Re: IDM Co-existence Question

Casper Pedersen <cpedersen@no-mx.forums.microfocus.com> wrote:
> On 02.04.19 22:24, TSchmauch wrote:




>
> To my understanding, you cannot officially go directly from 4.0.2 to
> 4.7. You need 4.5.6 or 4.6.x
>
> The documentation for 4.6 spells out that you need 4.5 if you come from
> 4.0.2.
>
> The easiest is 4.0.2 -> 4.5.6 -> 4.7
>
> Documentation:
> https://www.netiq.com/documentation/identity-manager-47/setup_linux/data/supported-upgrade-paths.html
>


This is for an in-place upgrade and is due to JRE constraints as far as I
know.

I was referring to a migrate to new IDM server (or Aaron’s identity
transfer) approach. This way you are primarily constrained by eDirectory
version interoperability.

Alex McHugh - Knowledge Partner - Stavanger, Norway