Migrating On-Premise Infrastructure Services to Hyper-scalable PAS

This document describes how to move your data from the Centrify On-Premise Infrastructure Services database to the Centrify Hyper-scalable Privileged Access Service (also referred to as Hyper-scalable PAS) database. The migration process requires you to run the migration scripts to gather configuration and database data from the On-Premise Infrastructure Services server and then build a Centrify Hyper-scalable Privileged Access Service installation using the migrated configuration and database data.

Note:   The migration disables the On-Premise Infrastructure Services server to prevent data corruption. It is critical that the On-Premise Infrastructure Services server remains disabled; otherwise data and account corruption may occur. The Privileged Access Service is not available until the entire migration and deployment process is complete (i.e., there is a period of downtime during which the Privileged Access Service is unavailable).

Prerequisites

You will need the following in order to perform the migration procedures:

  • Full access to the On-Premise Infrastructure Services server, with administrative rights and the ability to run PowerShell scripts.
  • Minimum software and hardware requirements for deploying Hyper-scalable PAS. See the Installation and Configuration Guide for Hyper Scalable Privileged Access Service for specific details.
  • Migration scripts: Centrify-PAS-PrepareOnPremMigration.ps1 and Centrify-PAS-InstallationFromOnPremMigration.ps1 (These scripts come with the Hyper-scalable PAS software package)
  • Hyper-scalable PAS software package: install.ps1, CentrifyPlatform[Build.Number].zip

Note:   Hyper-scalable PAS may need to use the same database server operating system as On-Premise Infrastructure Services, because PostgreSQL retrieves (and uses) the collation/character type settings from the On-Premise Infrastructure Services host operating system.

For example, the LC_COLLATE value English_United States.1252 is roughly the Windows PostgreSQL equivalent of en_US.UTF-8 on some Linux distributions, both with Encoding set to UTF8. PostgreSQL, however, cannot discern that they are functionally similar, so data cannot be trivially ported between them. Consequently, to migrate to Hyper-scalable PAS with pre-existing data, you need to ensure the same localization settings are available on the new database server by using the same database pod.
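One way to check this before migrating, as an added example that is not part of the Centrify scripts: list each database's collation, character type and encoding on both servers and report any source combination the target does not have. It assumes psql is on PATH and that you can connect to both servers; the function names and connection strings are hypothetical.

```powershell
# Added example, not part of the Centrify package. Assumes psql is on PATH and
# that each connection string (libpq format) is valid for its server.
function Get-PgLocaleSetting {
    param([Parameter(Mandatory)][string]$ConnectionString)
    $query = 'SELECT datname, datcollate, datctype, pg_encoding_to_char(encoding) FROM pg_database'
    # -A unaligned output, -t rows only, -F field separator, -c run one command
    $rows = & psql -d $ConnectionString -A -t -F '|' -c $query
    if ($LASTEXITCODE -ne 0) { throw "psql exited with code $LASTEXITCODE" }
    foreach ($row in ($rows | Where-Object { $_ })) {
        $name, $collate, $ctype, $encoding = $row -split '\|'
        [pscustomobject]@{
            Database = $name
            Locale   = "$collate / $ctype / $encoding"
        }
    }
}

function Compare-PgLocaleSetting {
    # Returns the source databases whose collation, character type and encoding
    # do not appear on any database (templates included) of the target server.
    # The comparison is an exact string match, which mirrors the point above:
    # PostgreSQL treats differently named locales as different.
    param([Parameter(Mandatory)]$Source, [Parameter(Mandatory)]$Target)
    $available = @($Target | Select-Object -ExpandProperty Locale -Unique)
    $Source | Where-Object { $available -cnotcontains $_.Locale }
}

# Usage, with placeholder connection strings:
# $old = Get-PgLocaleSetting 'host=<on-prem-db> dbname=postgres user=<user>'
# $new = Get-PgLocaleSetting 'host=<hyper-scalable-db> dbname=postgres user=<user>'
# Compare-PgLocaleSetting -Source $old -Target $new | Format-Table
```

An empty result means every locale combination used on the source server is also present on the target.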

Migration Overview

The following is an overview of the steps required to migrate from Centrify On-Premise Infrastructure Services to Hyper-scalable PAS.

  • Install a Hyper-scalable PAS Management node.
  • Verify that you have the migration preparation script (Centrify-PAS-PrepareOnPremMigration.ps1) and the migration installation script (Centrify-PAS-InstallationFromOnPremMigration.ps1) in the C:\Centrify\Migration folder on the Management node.
  • Copy the migration preparation script (Centrify-PAS-PrepareOnPremMigration.ps1) from the Management node to your current On-Premise Infrastructure Services server.
  • Prepare the On-Premise Infrastructure Services server for migration.

    For a standard migration, you need to perform the following steps on the On-Premise Infrastructure Services server (if you have an external database configuration, you only need to perform the step that shuts down the cluster in the Failover Cluster Manager):

    • In the Failover Cluster Manager, remove the disk from the role and the cluster
    • Shut down the cluster
    • Bring the cluster disk that contains the database information online
    • Start the On-Premise Infrastructure Services database

    Note:   As stated above, for external database configurations, you only need to perform the step that shuts down the cluster; you can then run the .\Centrify-PAS-PrepareOnPremMigration.ps1 script.

  • From the On-Premise Infrastructure Services server, run the migration preparation script to package the data needed for migration.

    To avoid the possibility of inconsistent data, the On-Premise Infrastructure Services server is disabled.

  • After running the migration preparation script, copy the directory results to the Management node.
  • Run the Centrify-PAS-InstallationFromOnPremMigration.ps1 script in the Management node Migration directory, specifying the directory where you copied the On-Premise Infrastructure Services data, to create an Installation.

At this point the migration is complete and you need to continue with Hyper-scalable PAS deployment as described in the Installation and Configuration Guide for Hyper Scalable Privileged Access Service. You will need to:

  • Create a deployment
  • Deploy Windows servers to create Logging (if desired), Web, Background and Relay nodes
  • Update the Load Balancer and set the new deployment active

Detailed migration procedures

Important: To avoid synchronization issues, such as passwords or credentials becoming out-of-sync and disabling account access, the On-Premise Infrastructure Services server must be shut down when the migration preparation script is started, and must not be restarted. If you are running Windows Clustering, shut the entire cluster down and do not restart it. Only one On-Premise Infrastructure Services server should be active prior to running the migration preparation script. After the migration no On-Premise Infrastructure Services servers are active.

All PowerShell sessions must be elevated (i.e. RunAs Administrator).

The following instructions are also available in the Installation and Configuration Guide for Hyper Scalable Privileged Access Service. Refer to that document for additional details.

Installing the Management node

  1. Download/copy the Hyper-scalable PAS software package from Centrify to the Windows 2016 server you have designated to be the Management node.

    The installation package includes the following software components: install.ps1, CentrifyPlatform[Build.Number].zip

  2. Open an elevated PowerShell session and run the install.ps1 script to create the Management node.

    This expands and installs the CentrifyPlatform[Build.Number].zip (you can optionally set the target directory with the -target parameter; the default directory is C:\Centrify). Once completed, the necessary scripts are available on the Management node for installation and deployment.

    For detailed instructions, see the Installation and Configuration Guide for Hyper Scalable Privileged Access Service documentation.

Copying the Migration Preparation script

Copy the Centrify-PAS-PrepareOnPremMigration.ps1 script from the C:\Centrify\Migration directory on the Hyper-scalable PAS Management node to your On-Premise Infrastructure Services server.

The destination location of the script on the On-Premise Infrastructure Services server doesn't matter as long as you can read and write to that location.

Preparing the On-Premise Infrastructure Services server for migration

For standard migrations running Windows clustering:

To ensure data synchronization and that the On-Premise Infrastructure Services server database is accessible, you need to perform all of the following tasks in the Windows Failover Cluster Manager before running the migration script.

For migrations that use an external database:

If your configuration uses an external database, you only need to perform the steps in the "Shut down the cluster" section below before running the migration script.

Note:   The following procedures are performed on the On-Premise Infrastructure Services server.

Remove the disk from the role and the cluster:

  1. Access the Windows Server Manager > click the Tools menu > click Failover Cluster Manager, and then navigate to the cluster resource.

  2. In the Failover Cluster Manager, expand the cluster name and navigate to Storage > Disks.
  3. Right-click the disk and select Remove from role and then select Yes at the confirmation screen.

  4. Right-click the disk again and select Remove and then select Yes at the confirmation screen.

Shut down the cluster:

This step is required for both standard and external database migrations.

  1. In the Failover Cluster Manager, right-click the cluster name and select More Actions > Shut Down Cluster...
  2. Select Yes at the confirmation screen.

Bring the cluster disk that contains the database information online:

  1. Navigate to the Windows Disk Management screen.

  2. Right-click the disk and then select Online from the menu.

Start the On-Premise Infrastructure Services database:

  1. In Windows, navigate to Administrative Tools > Services.

  2. Locate the Centrify Identity Service Database service, right-click it, and select Start.

Running the Migration Preparation script

  1. From the On-Premise Infrastructure Services server, run the Centrify-PAS-PrepareOnPremMigration.ps1 script to package the data needed for migration.

    By default the migration data is copied to C:\OnPremData. If necessary, you can change the destination of the output directory.

  2. Enter Disable Server when prompted to continue.

    This disables the On-Premise Infrastructure Services server, making the Hyper-scalable PAS inaccessible. Do not re-enable the On-Premise Infrastructure Services server, as this could result in Hyper-scalable PAS data getting out of sync. Instead, complete the steps in this Migration Guide to enable Hyper-scalable PAS Web Nodes and set the Deployment to Active.

Copy the On-Premise Infrastructure Services data to the Management node

Copy the entire contents of the On-Premise Infrastructure Services server C:\OnPremData (or as specified) folder to the Management node. This includes two SQL files and one ZIP file. The files must go into a single directory on your Management node.
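One way to confirm the copy arrived complete and unmodified before building the Installation, as an added example that is not part of the Centrify scripts: write a SHA-256 manifest on the On-Premise Infrastructure Services server, copy it along with the data, and verify it on the Management node. The function names and the manifest file name are hypothetical.

```powershell
# Added example, not part of the Centrify package. The function names and the
# manifest file name are hypothetical.
$ManifestName = 'manifest.sha256.csv'

function New-MigrationManifest {
    # Run on the On-Premise Infrastructure Services server once the
    # preparation script has finished writing its output.
    param([string]$Path = 'C:\OnPremData')
    Get-ChildItem -LiteralPath $Path -File |
        Where-Object Name -ne $ManifestName |
        Get-FileHash -Algorithm SHA256 |
        Select-Object @{ n = 'Name'; e = { Split-Path $_.Path -Leaf } }, Hash |
        Export-Csv -LiteralPath (Join-Path $Path $ManifestName) -NoTypeInformation
}

function Test-MigrationCopy {
    # Run on the Management node against the directory holding the copy.
    param([Parameter(Mandatory)][string]$Path)
    $manifest = Join-Path $Path $ManifestName
    if (-not (Test-Path -LiteralPath $manifest)) {
        Write-Warning "No manifest found in $Path"
        return $false
    }
    $files = @(Get-ChildItem -LiteralPath $Path -File | Where-Object Name -ne $ManifestName)
    $problems = @()

    # The guide says the data set is two SQL files and one ZIP file.
    $sql = @($files | Where-Object Extension -eq '.sql').Count
    $zip = @($files | Where-Object Extension -eq '.zip').Count
    if ($sql -ne 2 -or $zip -ne 1 -or $files.Count -ne 3) {
        $problems += "Expected 2 .sql + 1 .zip; found $sql .sql, $zip .zip, $($files.Count) files"
    }

    # Each file listed in the manifest must exist and match its recorded hash.
    foreach ($entry in Import-Csv -LiteralPath $manifest) {
        $file = Join-Path $Path $entry.Name
        if (-not (Test-Path -LiteralPath $file)) {
            $problems += "Missing: $($entry.Name)"
        } elseif ((Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash -ne $entry.Hash) {
            $problems += "Hash mismatch: $($entry.Name)"
        }
    }
    $problems | ForEach-Object { Write-Warning $_ }
    return ($problems.Count -eq 0)
}
```

Test-MigrationCopy returns $true only when the directory holds exactly the three expected files and every hash matches the manifest.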

Create the Installation from the migrated data

From the Management node, in the C:\Centrify\Migration directory, run the Centrify-PAS-InstallationFromOnPremMigration.ps1 script.

The migration installation script has similar requirements to the standard Centrify-PAS-NewInstallation script, with a few differences:

  • -MigrationDirectory – points to the directory with the three files from the On-Premise Infrastructure Services migration
  • No need for the administrative user credentials, as those are migrated with the other data