This document describes how to move your data from the On-Premise Centrify PAS database to the Hyper-scalable Privileged Access Service (also referred to as Hyper-scalable PAS) database. The migration process requires you to run the migration scripts to gather configuration and database data from the On-Premise Centrify PAS server and then build a Centrify Hyper-scalable Privileged Access Service installation using the migrated configuration and database data.
Note: The migration disables the On-Premise Centrify PAS server to prevent data corruption. It is critical that the On-Premise Centrify PAS server remains disabled; otherwise data and account corruption may occur. The Privileged Access Service is not available until the entire migration and deployment process is complete (in other words, there is a period of downtime during which the Privileged Access Service is unavailable).
You will need the following in order to perform the migration procedures:
- Full access to the On-Premise Centrify PAS server, with administrative rights and the ability to run PowerShell scripts.
- Minimum software and hardware requirements for deploying Hyper-scalable PAS. See the Installation and Configuration Guide for Hyper Scalable Privileged Access Service for specific details.
- Migration scripts: Centrify-PAS-PrepareOnPremMigration.ps1 and Centrify-PAS-InstallationFromOnPremMigration.ps1 (These scripts come with the Hyper-scalable PAS software package)
- Hyper-scalable PAS software package: install.ps1, CentrifyPlatform[Build.Number].zip
Note: Hyper-scalable PAS may need to use the same database server operating system as On-Premise Centrify PAS, as PostgreSQL retrieves (and uses) the collation/character type settings from the On-Premise Centrify PAS host operating system.
For example, the LC_COLLATE value English_UnitedStates.1252 is roughly the Windows PostgreSQL equivalent of en_US.UTF-8 on some Linux distributions, both with Encoding set to UTF8. However, PostgreSQL cannot discern that they are functionally similar, so data cannot be trivially ported between them. Consequently, to migrate to Hyper-scalable PAS with pre-existing data, you need to ensure the same localization settings are available on the new database server by using the same database pod.
The following is an overview of the steps required to migrate from On-Premise Centrify PAS to Hyper-scalable PAS.
- Install a Hyper-scalable PAS Management node.
- Verify that you have the migration preparation script (centrify-PAS-PrepareOnPremMigration.ps1) and the migration installation script (centrify-PAS-InstallationFromOnPremMigration.ps1) in the C:\Centrify\Migration folder on the Management node.
- Copy the migration preparation script (centrify-PAS-PrepareOnPremMigration.ps1) from the Management node to your current On-Premise Centrify PAS server.
- Prepare the On-Premise Centrify PAS server for migration.
  For a standard migration, you need to perform the following steps on the On-Premise Centrify PAS server (if you have an external database configuration you only need to perform the shutdown cluster step in the Failover Cluster Manager):
  - In the Failover Cluster Manager, remove the disk from the role and the cluster
  - Shutdown the cluster
  - Bring the cluster disk that contains the database information online
  - Start the On-Premise Infrastructure Services database
  Note: As stated above, for external database configurations, you only need to perform the shutdown cluster step, then you can run the .\Centrify-PAS-PrepareOnPremMigration.ps1 script.
- From the On-Premise Infrastructure Services server, run the migration preparation script to package the data needed for migration.
  To avoid the possibility of inconsistent data, the On-Premise Infrastructure Services server is disabled.
- After running the migration preparation script, copy the directory results to the Management node.
- Run the Centrify-PAS-InstallationFromOnPremMigration.ps1 script in the Management node Migration directory, specifying the directory where you copied the On-Premise Centrify PAS data, to create an Installation.
At this point the migration is complete and you need to continue with Hyper-scalable PAS deployment as described in the Installation and Configuration Guide for Hyper Scalable Privileged Access Service. You will need to:
- Create a deployment
- Deploy Windows servers to create Logging (if desired), Web, Background and Relay nodes
- Update the Load Balancer and set the new deployment active
Detailed migration procedures
Important: To avoid synchronization issues, such as passwords or credentials becoming out-of-sync and disabling account access, the On-Premise Centrify PAS server must be shut down when the migration preparation script is started, and must not be restarted. If you are running Windows Clustering, shut the entire cluster down and do not restart it. Only one On-Premise Centrify PAS server should be active prior to running the migration preparation script. After the migration no On-Premise Centrify PAS servers are active.
All PowerShell sessions must be elevated (RunAs Administrator).
The following instructions are also available in the Installation and Configuration Guide for Hyper Scalable Privileged Access Service. Refer to that document for additional details.
Installing the Management node
Download/copy the Hyper-scalable PAS software package from Centrify to the Windows server you have designated to be the Management node.
The installation package includes the following software components: install.ps1, centrifyPlatform[Build.Number].zip
Open an elevated PowerShell session and run the install.ps1 script to create the Management node.
This expands and installs the centrifyPlatform[Build.Number].zip. You can optionally set the target directory with the -target parameter; the default directory is C:\Centrify. Once completed, the necessary scripts are available on the Management node for installation and deployment.
For detailed instructions, see the Installation and Configuration Guide for Hyper Scalable Privileged Access Service documentation.
Copying the migration preparation script
Copy the centrify-PAS-PrepareOnPremMigration.ps1 script from the C:\Centrify\Migration directory on the Hyper-scalable PAS Management node to your On-Premise Centrify PAS server.
The destination location of the script on the On-Premise Centrify PAS server doesn't matter as long as you can read and write to that location.
Preparing the On-Premise Centrify PAS server for migration
For standard migrations running Windows clustering:
To ensure data synchronization and that the On-Premise Centrify PAS server database is accessible, you need to perform all of the following tasks in the Windows Failover Cluster Manager before running the migration script.
For migrations that use an external database:
If your configuration uses an external database, you only need to perform steps in the Shutdown the cluster section below before running the migration script.
Note: The following procedures are performed on the On-Premise Centrify PAS server.
Remove the disk from the role and the cluster:
- Access the Windows Server Manager > click the Tools menu > click Failover Cluster Manager, and then navigate to the cluster resource.
- In the Failover Cluster Manager, expand the cluster name and navigate to Storage > Disks.
- Right-click the disk and select Remove from role and then select Yes at the confirmation screen.
- Right-click the disk again and select Remove and then select Yes at the confirmation screen.
Shutdown the cluster:
This step is required for both standard and external database migrations.
- In the Failover Cluster Manager, right-click the cluster name and select More Actions > Shut Down Cluster...
- Select Yes at the confirmation screen.
Bring the cluster disk that contains the database information online:
- Navigate to the Windows Disk Management screen.
- Right-click the disk and then select Online from the menu.
Start the On-Premise Infrastructure Services database:
- In Windows, navigate to Administrative Tools > Services.
- Locate the service centrify Identity Service Database, right-click the service and select Start.
From the On-Premise Infrastructure Services server, run the centrify-PAS-PrepareOnPremMigration.ps1 script to package the data needed for migration.
By default the migration data is copied to C:\OnPremData. If necessary, you can change the destination of the output directory.
Enter Disable Server when prompted to continue.
This disables the On-Premise Centrify PAS server, making the Hyper-scalable PAS inaccessible. Do not re-enable the On-Premise Centrify PAS server, as this could result in Hyper-scalable PAS data getting out-of-sync. Instead, complete the steps in this Migration Guide to enable Hyper-scalable PAS Web Nodes and set the Deployment to Active.
Copy the On-Premise Centrify PAS data to the Management node
Copy the entire contents of the On-Premise Centrify PAS server C:\OnPremData (or as specified) folder to the Management node. This includes two SQL files and one ZIP file. The files must go into a single directory on your Management node.
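A pre-flight check for the copy step above, as an added example that is not part of the Centrify software package: it records SHA-256 hashes on the On-Premise server and verifies on the Management node that the copied directory holds exactly two SQL files and one ZIP file with matching hashes. The function names and the manifest file are hypothetical; keep the manifest outside the migration directory so the directory still contains only the three migration files.

```powershell
# Added example; function names and the manifest file are hypothetical,
# not part of the Centrify package.

function Get-MigrationManifest {
    param([Parameter(Mandatory)][string]$Path)
    # Non-recursive on purpose: the guide requires all files in a single directory.
    Get-ChildItem -LiteralPath $Path -File | Sort-Object Name | ForEach-Object {
        [pscustomobject]@{
            Name   = $_.Name
            SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

function Test-MigrationDirectory {
    param(
        [Parameter(Mandatory)][string]$Path,            # copy on the Management node
        [Parameter(Mandatory)][string]$SourceManifest   # CSV written on the On-Premise server
    )
    $problems = @()

    # All PowerShell sessions in this procedure must be elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        $problems += 'Session is not elevated.'
    }

    # The migration data consists of exactly two SQL files and one ZIP file.
    $local = @(Get-MigrationManifest -Path $Path)
    $sql = @($local | Where-Object { $_.Name -like '*.sql' }).Count
    $zip = @($local | Where-Object { $_.Name -like '*.zip' }).Count
    if ($sql -ne 2 -or $zip -ne 1) {
        $problems += "Expected 2 .sql and 1 .zip file, found $sql and $zip."
    }

    # Every file must match the hash recorded at the source.
    $expected = @(Import-Csv -LiteralPath $SourceManifest)
    if ($local.Count -eq 0 -or $expected.Count -eq 0) {
        $problems += 'Manifest or migration directory is empty.'
    } else {
        foreach ($d in (Compare-Object $expected $local -Property Name, SHA256)) {
            $problems += "Mismatch for $($d.Name) ($($d.SideIndicator))"
        }
    }
    $problems   # empty output means every check passed
}
```

On the On-Premise server, write the manifest with `Get-MigrationManifest C:\OnPremData | Export-Csv <manifest path> -NoTypeInformation`, copy it alongside the data, and run `Test-MigrationDirectory` on the Management node before creating the installation.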
Create the installation from the migrated data
From the Management node, in the C:\Centrify\Migration directory, run the centrify-PAS-InstallationFromOnPremMigration.ps1 script.
The migration installation script has similar requirements to the standard centrify-PAS-NewInstallation script, with a few differences:
- -MigrationDirectory – points to the directory with the three files from the On-Premise Centrify PAS migration
- No need for the administrative user credentials, as those are migrated with the other data