Migrating On-Premise PAS to Hyper-scalable PAS

This document describes how to move your data from the On-Premise PAS database to the Hyper-scalable Privileged Access Service (also referred to as Hyper-scalable PAS) database. The migration process requires you to run the migration scripts to gather configuration and database data from the On-Premise PAS server and then build a Hyper-scalable Privileged Access Service installation using the migrated configuration and database data.

The migration disables the On-Premise PAS server to prevent data corruption. It is critical that the On-Premise PAS server remains disabled; otherwise data and account corruption may occur. The Privileged Access Service is not available until the entire migration and deployment process is complete (in other words, there is a period of downtime during which the Privileged Access Service is unavailable).

Prerequisites

You will need the following in order to perform the migration procedures:

  • Full access to the On-Premise PAS server, with administrative rights and the ability to run PowerShell scripts.

  • Minimum software and hardware requirements for deploying Hyper-scalable PAS. See the Installation and Configuration Guide for Hyper Scalable Privileged Access Service for specific details.

  • Migration scripts: Centrify-PAS-PrepareOnPremMigration.ps1 and Centrify-PAS-InstallationFromOnPremMigration.ps1 (These scripts come with the Hyper-scalable PAS software package)

  • Hyper-scalable PAS software package: install.ps1, CentrifyPlatform[Build.Number].zip

    Hyper-scalable PAS may need to use the same database server operating system as On-Premise PAS, as PostgreSQL retrieves (and uses) the collation/character type settings from the On-Premise PAS host operating system.

    For example, the LC_COLLATE value, English_UnitedStates.1252, is roughly the Windows PostgreSQL equivalent of en_US.UTF-8 on some Linux distributions, both with Encoding set to UTF8. PostgreSQL cannot tell that the two are functionally similar, however, so there is no trivial way to port data between them. Consequently, to migrate to Hyper-scalable PAS with pre-existing data, you need to ensure the same localization settings are available on the new database server by using the same database pod.
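The following PowerShell is an added example, not part of the product's migration scripts: it reads the collation, character type and encoding of a database on the source and target PostgreSQL servers through psql and reports any setting that differs. The host names, database name, user and port are placeholders, and it assumes psql is on the PATH and can authenticate through PGPASSWORD or pgpass.conf.

```powershell
# Added example: compare PostgreSQL locale settings between two servers.
# Host, database, user and port values are placeholders, not product defaults.
function Get-PgLocale {
    param(
        [Parameter(Mandatory)] [string] $PgHost,
        [Parameter(Mandatory)] [string] $Database,
        [Parameter(Mandatory)] [string] $User,
        [int] $Port = 5432   # PostgreSQL's default port; adjust to your install
    )
    $sql = "SELECT datcollate, datctype, pg_encoding_to_char(encoding) " +
           "FROM pg_database WHERE datname = current_database();"
    # -A unaligned output, -t rows only, -F field separator. The password is
    # taken from PGPASSWORD or pgpass.conf, never from the command line.
    $row = & psql -h $PgHost -p $Port -U $User -d $Database -A -t -F '|' -c $sql
    if ($LASTEXITCODE -ne 0 -or -not $row) {
        throw "Could not query locale settings on $PgHost"
    }
    $collate, $ctype, $encoding = ([string]$row).Trim().Split('|')
    [pscustomobject]@{
        Host = $PgHost; Collate = $collate; CType = $ctype; Encoding = $encoding
    }
}

function Compare-PgLocale {
    param($Source, $Target)
    # Return one object per differing setting; an empty result means a match.
    $mismatch = foreach ($name in 'Collate', 'CType', 'Encoding') {
        if ($Source.$name -ne $Target.$name) {
            [pscustomobject]@{
                Setting = $name; Source = $Source.$name; Target = $Target.$name
            }
        }
    }
    @($mismatch)
}

# Usage (placeholder values):
#   $src = Get-PgLocale -PgHost 'onprem-db.example' -Database 'exampledb' -User 'postgres'
#   $dst = Get-PgLocale -PgHost 'new-db.example'    -Database 'exampledb' -User 'postgres'
#   Compare-PgLocale -Source $src -Target $dst | Format-Table
```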

Migration Overview

The following is an overview of the steps required to migrate from On-Premise PAS to Hyper-scalable PAS.

  • Install a Hyper-scalable PAS Management node.

  • Verify that you have the migration preparation script and the migration installation script in the C:\Centrify\Migration folder on the Management node (centrify-PAS-PrepareOnPremMigration.ps1 and centrify-PAS-InstallationFromOnPremMigration.ps1).

  • Copy the migration preparation script (centrify-PAS-PrepareOnPremMigration.ps1) from the Management node to your current On-Premise PAS server.

  • Prepare the On-Premise PAS server for migration.

    For a standard migration, you need to perform the following steps on the On-Premise PAS server (if you have an external database configuration you only need to perform the shutdown cluster step in the Failover Cluster Manager):

    • In the Failover Cluster Manager, remove the disk from the role and the cluster

    • Shut down the cluster

    • Bring the cluster disk that contains the database information online

    • Start the On-Premise Infrastructure Services database

    As stated above, for external database configurations, you only need to perform the shutdown cluster step, then you can run the .\Centrify-PAS-PrepareOnPremMigration.ps1 script.

  • From the On-Premise Infrastructure Services server, run the migration preparation script to package the data needed for migration.

    To avoid the possibility of inconsistent data, the On-Premise Infrastructure Services server is disabled.

  • After running the migration preparation script, copy the directory results to the Management node.

  • Run the Centrify-PAS-InstallationFromOnPremMigration.ps1 script in the Management node Migration directory, specifying the directory where you copied the On-Premise PAS data, to create an Installation.

At this point the migration is complete and you need to continue with Hyper-scalable PAS deployment as described in the Installation and Configuration Guide for Hyper Scalable Privileged Access Service. You will need to:

  • Create a deployment
  • Deploy Windows servers to create Logging (if desired), Web, Background and Relay nodes
  • Update the Load Balancer and set the new deployment active

Detailed Migration Procedures

Important: To avoid synchronization issues, such as passwords or credentials becoming out-of-sync and disabling account access, the On-Premise PAS server must be shut down when the migration preparation script is started, and must not be restarted. If you are running Windows Clustering, shut the entire cluster down and do not restart it. Only one On-Premise PAS server should be active prior to running the migration preparation script. After the migration no On-Premise PAS servers are active.

All PowerShell sessions must be elevated (RunAs Administrator).

The following instructions are also available in the Installation and Configuration Guide for Hyper Scalable Privileged Access Service. Refer to that document for additional details.

Installing the Management Node

  1. Download/copy the Hyper-scalable PAS software package from Delinea to the Windows server you have designated to be the Management node.

    The installation package includes the following software components: install.ps1, centrifyPlatform[Build.Number].zip

  2. Open an elevated PowerShell session and run the install.ps1 script to create the Management node.

    This expands and installs the centrifyPlatform[Build.Number].zip (you can optionally set the target directory with the -target parameter; the default directory is C:\Delinea). Once completed, the necessary scripts are available on the Management node for installation and deployment.

    For detailed instructions, see the Installation and Configuration Guide for Hyper Scalable Privileged Access Service documentation.

Copying the Migration Preparation Script

Copy the centrify-PAS-PrepareOnPremMigration.ps1 script from the C:\Centrify\Migration directory on the Hyper-scalable PAS Management node to your On-Premise PAS server.

The destination location of the script on the On-Premise PAS server doesn't matter as long as you can read and write to that location.

Preparing the On-Premise PAS Server for Migration

For standard migrations running Windows clustering:

To ensure data synchronization and that the On-Premise PAS server database is accessible, you need to perform all of the following tasks in the Windows Failover Cluster Manager before running the migration script.

For migrations that use an external database:

If your configuration uses an external database, you only need to perform the steps in the "Shut down the cluster" section below before running the migration script.

The following procedures are performed on the On-Premise PAS server.

Remove the disk from the role and the cluster:

  1. Access the Windows Server Manager > Tools > Failover Cluster Manager, then navigate to the cluster resource.
  2. In the Failover Cluster Manager, expand the cluster name and navigate to Storage > Disks.
  3. Right-click the disk and select Remove from role and then select Yes at the confirmation screen.
  4. Right-click the disk again and select Remove and then select Yes at the confirmation screen.

Shut down the cluster:

This step is required for both standard and external database migrations.

  1. In the Failover Cluster Manager, right-click the cluster name and select More Actions > Shut Down Cluster...
  2. Select Yes at the confirmation screen.

Bring the cluster disk that contains the database information online:

  1. Navigate to the Windows Disk Management screen.
  2. Right-click the disk and then select Online from the menu.

Start the On-Premise Infrastructure Services database:

  1. In Windows, navigate to Administrative Tools > Services.
  2. Locate the service Identity Service Database.
  3. Right-click the service and select Start.

Running the Migration Preparation Script

  1. From the On-Premise Infrastructure Services server, run the centrify-PAS-PrepareOnPremMigration.ps1 script to package the data needed for migration.

    By default the migration data is copied to C:\OnPremData. If necessary, you can change the destination of the output directory.

  2. Enter Disable Server when prompted to continue.

    This disables the On-Premise PAS server, making the Hyper-scalable PAS inaccessible. Do not re-enable the On-Premise PAS server, as this could result in Hyper-scalable PAS data getting out-of-sync. Instead, complete the steps in this Migration Guide to enable Hyper-scalable PAS Web Nodes and set the Deployment to Active.

Copy the On-Premise PAS Data to the Management Node

Copy the entire contents of the On-Premise PAS server C:\OnPremData (or as specified) folder to the Management node. This includes two SQL files and one ZIP file. The files must go into a single directory on your Management node.
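The following PowerShell is an added example, not part of the product's migration scripts: it checks that a directory holds the two SQL files and one ZIP file described above, records their SHA-256 hashes on the On-Premise PAS server, and verifies the copy on the Management node against that record. The function names and the manifest file locations are assumptions; keep the manifest outside the data directory.

```powershell
# Added example: confirm the migration data set is complete and unmodified
# after the copy. Function names and manifest paths are hypothetical.
function New-MigrationManifest {
    param([string] $Directory = 'C:\OnPremData')   # default output directory from this guide
    $files = @(Get-ChildItem -LiteralPath $Directory -File)
    $sql = @($files | Where-Object Extension -eq '.sql')
    $zip = @($files | Where-Object Extension -eq '.zip')
    # The guide states the data set is two SQL files and one ZIP file.
    if ($sql.Count -ne 2 -or $zip.Count -ne 1) {
        throw "Expected 2 .sql and 1 .zip in $Directory, found $($sql.Count) and $($zip.Count)"
    }
    @($sql + $zip) | ForEach-Object {
        $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256
        [pscustomobject]@{ Name = $_.Name; Length = $_.Length; SHA256 = $hash.Hash }
    }
}

function Test-MigrationCopy {
    param(
        [Parameter(Mandatory)] [string] $ManifestPath,   # CSV written on the source server
        [Parameter(Mandatory)] [string] $Directory       # single directory on the Management node
    )
    $expected = Import-Csv -Path $ManifestPath
    $actual   = New-MigrationManifest -Directory $Directory
    # Any difference in file name or hash means the copy is incomplete or altered.
    $diff = Compare-Object $expected $actual -Property Name, SHA256
    if ($diff) {
        $names = ($diff | ForEach-Object Name | Sort-Object -Unique) -join ', '
        throw "Migration data does not match the source manifest: $names"
    }
    $true
}

# On the On-Premise PAS server, after the preparation script finishes:
#   New-MigrationManifest | Export-Csv -Path C:\Temp\onprem-manifest.csv -NoTypeInformation
# On the Management node, after copying the data and the manifest
# (C:\MigrationData is a placeholder for the directory you copied into):
#   Test-MigrationCopy -ManifestPath C:\Temp\onprem-manifest.csv -Directory C:\MigrationData
```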

Create the Installation from the Migrated Data

From the Management node, in the C:\Centrify\Migration directory, run the centrify-PAS-InstallationFromOnPremMigration.ps1 script.

The migration installation script has similar requirements to the standard centrify-PAS-NewInstallation script, with a few differences:

  • -MigrationDirectory – points to the directory with the three files from the On-Premise PAS migration
  • No need for the administrative user credentials, as those are migrated with the other data