Migrate from SmartACT to Identity Manager

This article describes how to migrate from SmartACT to Smart ID Identity Manager.

Prerequisites

This is a summary of what must be in place before the migration starts. More information is found in the article.

Java 8 Runtime is installed
JRE_HOME is set as environmental variable
java-security-policy-fix is recorded
Databases are correctly registered in database.properties
Run Data Encryption Certificate is provided and configured in encryption-config.xml
Personalization is done correctly in migrate_persons.properties
Configuration for cards/tokens is correct in migrate_cards.properties
Certificates configuration is correct in migrate_certificates.properties (PKI only Card management)
Smart ID configurations (for example, Base, Physical ID, DIgital ID) in the latest version are available

Step-by-step instruction

Preparation

Set up migration distribution and system requirements

Install the current version of Java Runtime Environment (JRE).
Set JRE_HOME to the installation directory of java jre
(for example: C:\Program Files\Java\jre1.8.0_161\bin)
Import the java-security-policy-fix for the installed Java version. The jce-policy-8.zip is provided with the migration package.
Unpack the migration package of delivery in a directory of your choice.

Set database connection

Go to the specified migration directory.

In the file database.properties specify the attributes HOST_NAME, DB_PORT, DB_NAME, USER_NAME and USER_PASSWORD for SmartACT and Identity Manager. The properties inside database.properties match those, described in PRIME installation.

SmartACT database

CODE

### SmartACT Database
smartAct.jdbcUrl=jdbc:sqlserver://<HOST_NAME>:<DB_PORT>;databaseName=<DB_NAME>;AUTO_SERVER=TRUE
#smartAct.jdbcUrl=jdbc:sqlserver://<HOST_NAME>:<DB_PORT>;databaseName=<DB_NAME>;instance=<INSTANCE_NAME>;AUTO_SERVER=TRUE - verwendet für SQLEXPRESS Datenbank-Server
smartAct.user=<USER_NAME>
smartAct.password=<USER_PASSWORD>

Identity Manager database

CODE

### PRIME Database
prime.jdbcUrl=jdbc:sqlserver://<HOST_NAME>:<DB_PORT>;databaseName=<DB_NAME>;AUTO_SERVER=TRUE
#prime.jdbcUrl=jdbc:sqlserver://<HOST_NAME>:<DB_PORT>;instance=<INSTANCE_NAME>;databaseName=<DB_NAME>;AUTO_SERVER=TRUE - verwendet für SQLEXPRESS Datenbank-Server
prime.user=<USER_NAME>
prime.password=<USER_PASSWORD>
...

You must have read/write rights of the SQL users on the databases.

Run data encryption in SmartACT

Make sure that the certificate for encrypting run data in SmartACT (idexpertcert02.p12) is stored in the directory config. The migration tools contains this certificate, if it is not supplied by you.
Open the file encryption-config.xml and check if the value of the attribute pin under the key idexpertcert02 is correct, otherwise set the value:
encryption-config.xml

CODE
```
...
	<keys>
		<key name="idexpertcert02">
			<type name="pkcs12" locationValue="config/idexpertcert02.p12" 
pin="XXXX"/>
		</key>
	</keys>
...
```

Configure migration - general

The configuration is done in the migrate_general.properties file, which is structured as follows.

migrate_general.properties

Atribute	Value	Importance
abortOnError	true/false	If true, the migration aborts (this is the default value). If false, the migration continues despite errors.
printReport	true/false	If true, the migration saves a migration summary of the migrated tenants and their run data (this is the default value). If false, there is no migration overview.
printDetailReport	true/false	If false, the migration does not write any details regarding the deviation of run data between SmartACT and Identity Manager (this is the default value). If true, the migration writes details about the deviation of run data (status and number) in the migration overview.
prime.username		Name of the administrator of the respective tenant.
prime.userpassword		The administrator's password.
prime.tenantId		Tenant ID

Configure migration - persons

The configuration is done in the migrate_persons.properties file, which is structured as follows.

Person status

These are examples of person statuses:

Example: Person status in SmartACT

CODE

...
smartact.person.state.active=1
smartact.person.state.inactive=2
smartact.person.states=${smartact.person.state.active}, 
${smartact.person.state.inactive}

Example: Person status in Identity Manager

CODE

...
prime.person.state.active=active
prime.person.state.inactive=inactive
prime.person.states=${prime.person.state.active}, ${prime.person.state.inactive}
...

Make sure that the number of states between SmartACT (attribute smartact.person.states) and Identity Manager (attribute prime.person.states) are always the same.

For the attribute smartact.masterdata.template.ids, enter one or more comma-separated Master data template IDs if you only want to migrate specific master data templates.

Assignment of master data template IDs to master data types in Identity Manager

CODE

...
prime.person.coretemplate.names=BaseCtEmployee
...

Make sure that the number of master data types between SmartACT (smartact.masterdata.template.ids) and Identity Manager (prime.person.coretemplate.names) are the same.

Role assignment

Every person from SmartACT is assigned the role BaseRoleSelfServiceUser as part of the migration to Identity Manager, so access via USSP is possible. This can be customized in migrate_persons.properties under the parameter prime.person.roles.added.

CODE

...
prime.person.roles.added=BaseRoleSelfServiceUser,<RoleNameIdM>,...
prime.person.roles.deleted=<RoleNameIdM>,...
...

The roles are specified as a comma-separated list. These are applied to all person objects during the migration process.

Map persons

The mapping of the data fields between Identity Manager and SmartACT is configured in the file spring\migrate-persons-batch_jobs-beans.xml. The assignment must be adjusted according to the use of the data fields in the following area:

CODE

	<util:map id="personFieldMapping">
		<!-- <entry key="SmartAct_ColumnName" 
value="Prime_CoreTemplate_FieldName"/> -->

		<!-- migration specific mapping -->
		<entry key="MigrationId" value="MigrationId"/>
		<entry key="MD_MDTID" value="Meta_CoreTemplateName"/>
....
	</util:map>

In Identity Manager, new data pool fields might have to be created as additional fields. At least, MigrationId should be added as a numeric field, as this is not part of the standard Identity Manager modules.

The mapping of the persons is preset as follows:

SmartACT field	Identity Manager field	Comment
COMPANY	Company
DEPARTMENT	Department
EMAIL	Email
FIRSTNAME	FirstName
INFOBIGTEXT0	UPN
LASTNAME	LastName
MD_CREATEDATE	CreationDate
MD_DATE	ModificationDate
MD_ID	MigrationId	Alias and internal ID of the Master record in SmartACT
MD_MDTID	TenantId Meta_CoreTemplateName_ BaseDpEmployee is set via `master data type_location`	Alias and internal ID of the MDT in SmartACT
MD_REASON	Meta_CoreObjectStateChangeReason_BaseDpEmployee
MD_STATE	Meta_CoreObjectState_ BaseDpEmployee	Status of the person in SmartACT (refer to Type conversion for the person) 1: Active 2: Inactive 3: Deleted

Uniqueness criterion of the person

For this, the MigrationId field is used, which is already used in SmartACT as uniqueness criterion.

Type conversion for the person

Field	Conversion rule	Mapping used
MasterdataId	BIGDECIMAL_TO_LONG
Meta_CoreObjectState	NUMBER_TO_STRING_CONDITIONAL	1 > "registered" 2 > "active" 3 > "inactive"

Configure migration - cards

The configuration is done in the migrate_cards.properties file, which is structured as follows.

Encrypted fields when showing in SmartACT

CODE

...
smartact.card.field.PIN=PIN
smartact.card.field.PUK=PUK
smartact.card.field.CARD_CRKEY=CARD_CRKEY
smartact.card.encrypted.fields=${smartact.card.field.PIN}, ${smartact.card.field.PUK}, ${smartact.card.field.CARD_CRKEY}
...

All encrypted fields have to be available in this list otherwise the encrypted value which was created with SmartACT certificate will be saved in Identity Manager.

Encrypted fields saved in Identity Manager

CODE

...
prime.card.field.PIN=PIN
prime.card.field.PUK=PUK
prime.card.field.CardManagerKey=CardManagerKey
prime.card.encrypted.fields=${prime.card.field.PIN}, ${prime.card.field.PUK}, ${prime.card.field.CardManagerKey}
...

A field which was not encrypted in SmartACT/ProACT can be encrypted in Identity Manager (subsequently encrypt).

Card status in SmartACT

Example:

CODE

...
smartact.card.state.issued=103
smartact.card.state.active=104
smartact.card.state.inactive=105
smartact.card.state.locked=106
smartact.card.states=${smartact.card.state.active}, ${smartact.card.state.inactive}, ${smartact.card.state.locked},${smartact.card.state.issued}
...

Card status in Identity Manager

CODE

...
prime.card.state.issued=issued
prime.card.state.active=active
prime.card.state.inactive=inactive
prime.card.state.locked=locked
prime.card.states=${prime.card.state.active}, ${prime.card.state.inactive}, 
${prime.card.state.locked},${prime.card.state.issued}

Make sure that the number of status between SmartACT (attribute smartact.card.states) and Identity Manager (attribute prime.card.states) are the same.

Definitione of card template IDs in SmartACT

Example:

CODE

...

smartact.card.template.ids = 3320,3321,3322, ...

...

Enter one or more card template IDs separated by commas. Enter all card types that you shall use.

Allocate card IDs to card types in Identity Manager

CODE

...

prime.card.coretemplate.names = MyCtEmployeeCard, MyCtAdminCard, MyCtEmployeeCard

...

Map cards

Mapping of card fields between Identity Manager and SmartACT is configured in the spring\migrate-cards-batch_jobs-beans.xml file.

The assignment must be adjusted according to the use of the data fields in the following area:

CODE

<util:map id="cardFieldMapping">
		<!-- <entry key="SmartAct_ColumnName" 
value="Prime_CoreTemplate_FieldName"/> -->

		<!-- migration specific mapping -->
		<entry key="MigrationId" value="MigrationId"/>
....
	</util:map>

In Identity Manager, new data pool fields have to be created as additional fields. At least the MigrationId should be added as a numeric field, as this is not part of the standard Identity Manager modules.

The mapping of the cards is preset as follows:

SmartACT field	Identity Manager field	Comment
CARD_NUMBER_TEXT	CardNumber
CARD_PIN	PIN
CARD_PUK	PUK
CARDOS_CHIP_ID	ICCSN
CRD_CTID	Meta_CoreTemplateName_PcmDpEmployeeCard	Internal ID of the master data template in SmartACT, which is linked to the core template name by further mapping (see `coreTemplateMap` or `cardCoreTemplateMap`)
CRD_DATE	ModificationDate
CRD_ID	MigrationId	Alias and internal ID of the card.
CRD_MDID		Alias and internal ID that references the person's Data Pool field `MigrationId`.
CRD_PERSDATE	CreationDate
CRD_PERSFLAGS
CRD_REQID
CRD_STATE	Meta_CoreObjectState_PcmDpEmployeeCard	Status of the card in SmartACT: 103: issued 104: active 105: temporarily locked 106: finally locked
CRD_TIMESTAMP
DEPARTMENT	Department
EMAIL	Email
FIRSTNAME	FirstName
INFOBIGTEXT0
UPN
LASTNAME	LastName

Uniqueness criterion of the card

The field MigrationId is used, which is already used in SmartACT as uniqueness criterion.

Map card status between SmartACT and Identity Manager

Status SmartACT	Value SmartACT	Mapping in Identity Manager
Card is personalized	100	None/not accepted
Card has been personalized	101	None/not accepted
Card has been personalized and confirmed	102	None/not accepted
Card was issued	103	Issued
Card is active	104	Active
Card is temporarily inactive	105	Inactive
Card is permanently blocked	106	Locked
Card was destroyed	107	None/not accepted
Repetition of personalization	108	None/not accepted
Card is reusable (for example, unallocated quota card)	109	None/not accepted
Card is on a transportation or shipping route	110	None/not accepted
Card was destroyed during personalization	111	None/not accepted
Card is temporarily inactive - by user group 1	113	None/not accepted
Card is temporarily inactive - by user group 2	114	None/not accepted
Card is back again from a transportation or shipping route	115	None/not accepted
Card is lost on a transportation or shipping route	116	None/not accepted

Type conversion for the card

Field	Conversion rule	Used mapping
TenantId	BIGDECIMAL_TO_STRING
MasterdataId	BIGDECIMAL_TO_STRING
MigrationId	BIGDECIMAL_TO_STRING
Meta_CoreObjectState	NUMBER_TO_STRING_CONDITIONAL	103 > "issued" 104 > "active" 105 > "inactive" 106 > "locked"

Relationship between card and person

The following relation is defined especially for the card (see also Relation between the objects)

Attribute	Value
sourceDataPool	PcmDpEmployeeCard
sourceForeignKey	MasterdataId
targetDataPool	BaseDpEmployee
targetForeignKey	MigrationId

Configure migration - certificates

The configuration is done in the migrate_certificates.properties file, which is structured as follows.

SmartACT certificate status

CODE

...
smartact.certificate.state.locked = 2
smartact.certificate.state.active = 3
smartact.certificate.states = ${smartact.certificate.state.locked}, $ {smartact.certificate.state.active}
...

Identity Manager certificate template

CODE

...
prime.certificate.coretemplate.names = MyCtMigration%Certificate
...

For the attribute smartact.certificate.template.ids, use one or more comma-separated Template IDs.

Identity Manager certificate status

CODE

...
prime.certificate.state.locked = locked
prime.certificate.state.active = active
prime.certificate.states = ${prime.certificate.state.locked}, $ {prime.certificate.state.active}
...

Make sure that the number of states between SmartACT (attribute smartact.certificate.states ) and Identity Manager (attribute prime.certificate.states) are the same.

If a card is permanently replaced in SmartACT, the new certificate entry points to the preceding certificate. When migrating certificates, only the "origin certificates" are adopted. This is easy to determine by keeping track of the certificate reference until you find a certificate without predecessor.

Map certificates

The mapping of card data fields between Identity Manager and SmartACT is configured in the file spring\migrate-certificates-batch_jobs-beans.xml. The assignment must be adjusted according to the use of the data fields in the following area:

CODE

<util:map id="certificateFieldMapping">
		<!-- <entry key="SmartAct_ColumnName" 
value="Prime_CoreTemplate_FieldName"/> -->


		<!-- migration specific mapping -->
		<entry key="MigrationId" value="MigrationId"/>
....
	</util:map>

In Identity Manager, new data pool fields have to be created as additional fields. At least, MigrationId should be added as a numeric field, as this is not part of the standard Identity Manager modules.

The mapping of the certificates is preset as follows:

SmartACT field	Identity Manager field	Comment
CERT_ID	MigrationId	Internal ID of the certificate in SmartACT
CERT_DATE	creationDate	Creation date
CERT_CARDID	CardId	Internal ID of referencing card
CERT_CAID	None	Internal ID of the issuing CA (is configured in Identity Manager)
CERT_REFERENCE	None	Internal ID of the predecessor certificate, which was "replaced" by the restore
CERT_CERTTEMPLATEID	certTemplateId	Internal ID of certificate template in SmartACT
CERT_CERTSERIAL	certSerial	Certificate serial number
CERT_CARDSERIAL	None
CERT_STATE	Meta_CoreObjectState	Certificate status: 2: Certificate is locked 3: Certificate is valid 4: Certificate is invalid / never issued (for example, faulty request)
CERT_VALID_FROM	validFrom	Validity start date
CERT_VALID_TO	validTo	Validity end date
CERT_KEYARCHIVAL	None	Note if this certificate has been restored: 0: no recovery 1: certificate has been restored
CERT_DATA	data	Certificate in binary format
CERT_RENEWAL_APPLIED	renewalApplied	Note whether a renewal of the certificate is pending in User Self Service: 0: no renewal 1: certificate must be renewed (no longer required after the user has completed the renewal process in the User Self Service)
CERT_KEYDATA
MDT_ID	tid issuer modificationDate creationUser modificationUser	Internal ID of the client Issuer Change date Create user Change user

Uniqueness criterion of the certificate

The field MigrationId is used, which is already used in SmartACT as uniqueness criterion.

Map certificate status between SmartACT and Identity Manager

Status in SmartACT	Value in SmartACT	Mapping in Identity Manager
Certificate is locked	2	locked
Certificate is valid	3	active
Certificate invalid / never issued (for example, incorrect request)	4	none / will not be accepted

Relationship between certificate and card

Specifically for the certificate, the following relation is defined (see also Relation between the objects)

Attribute	Value
sourceDataPool	PcmDpCertificate
sourceForeignKey	CardId
targetDataPool	PcmDpEmployeeCard
targetForeignKey	MigrationId

Start migration

To start the migration:

run the batch file start_migration.bat on Windows
or
run the shell script start_migration.sh on Linux/Unix.

Under Unix/Linux, give the shell scripts the correct rights using chmod.

Log migration

During the migration, log files are created in the subdirectory logs/

batch.log
Contains the complete logging of the data migration, except the migration of old CA certificates to Nexus Certificate Manager.
batch_skipped.log
Contains a log of all data records (with all data) that could not be transferred, including the error message. This is for error analysis.
batch_overview.log
Is only created when the data migration completes successfully. Contains a quantitative comparison of the two databases after migration, structured by tenant, type and status.

The files are created on every new run and they will overwrite existing ones. For a fully documented step-by-step documentation of the data records, these must be saved by the user before the next run is performed.

If necessary, you can customize the path of the log messages by opening the log4j.xml file and specifying the file (Attribute File) and maximum index (attribute MaxBackupIndex) in the sections BATCHLOG, BATCHLOG_SKIPPED and BATCHLOG_OVERVIEWLOG as below. The log levels should only be adjusted after consultation with the consultant or project manager at Nexus, as these can have a major impact on the duration of the migration.

log4j.xml

CODE

...
<!-- definition of output sources -->

	<!-- Logging to Console -->
	<appender name="STDOUT" class="org.apache.log4j.ConsoleAppender">
		<param name="Encoding" value="UTF-8"/>
		<layout class="org.apache.log4j.PatternLayout">
			<param name="ConversionPattern" value="%d %-5p %-25t (%F:%L) : %m%n"/>
		</layout>
	</appender>
	<appender name="BATCHLOG" class="org.apache.log4j.RollingFileAppender">
		<param name="File" value="logs/batch.log" />
		<param name="Append" value="true" />
		<param name="Encoding" value="UTF-8"/>
		<param name="BufferedIO" value="false" />
		<param name="MaxBackupIndex" value="40" />
		<param name="MaxFileSize" value="50MB" />
		<layout class="org.apache.log4j.PatternLayout">
			<param name="ConversionPattern" value="(%d) %-5p %-15t (%F:%L) : %m%n"/>
		</layout>
	</appender>


	<appender name="BATCHLOG_SKIPPED" class="org.apache.log4j.RollingFileAppender">
		<param name="File" value="logs/batch_skipped.log" />
		<param name="Append" value="true" />
		<param name="Encoding" value="UTF-8"/>
		<param name="BufferedIO" value="false" />
		<param name="MaxBackupIndex" value="40" />
		<param name="MaxFileSize" value="50MB" />
		<layout class="org.apache.log4j.PatternLayout">
			<param name="ConversionPattern" value="(%d) %-5p %-15t (%F:%L) : %m%n"/>
		</layout>
	</appender>
	
	<appender name="BATCHLOG_OVERVIEWLOG" class="org.apache.log4j.RollingFileAppender">
		<param name="File" value="logs/batchoverview.log" />
		<param name="Append" value="true" />
		<param name="Encoding" value="UTF-8"/>
		<param name="BufferedIO" value="false" />
		<param name="MaxBackupIndex" value="40" />
		<param name="MaxFileSize" value="2MB" />
		<layout class="org.apache.log4j.PatternLayout">
			<param name="ConversionPattern" value="(%d): %m%n"/>
		</layout>
	</appender>

	<appender name="BATCHLOG_CERTIFICATEEXPORT" class="org.apache.log4j.RollingFileAppender">
		<param name="File" value="logs/batch_certCA.log" />
		<param name="Append" value="true" />
		<param name="Encoding" value="UTF-8"/>
		<param name="BufferedIO" value="false" />
		<param name="MaxBackupIndex" value="40" />
		<param name="MaxFileSize" value="2MB" />
		<layout class="org.apache.log4j.PatternLayout">
			<param name="ConversionPattern" value="(%d): %m%n"/>
		</layout>
	</appender>
...

Migrate tenants

The term client refers to the master data template from SmartACT (table T_MASTERDATATEMPLATE), which is used as the data source of the migration. All tenants are created with their own IDs, the initially existing tenant with ID 1 remains. The clients are stored in Identity Manager in the table Tenant.

General functions of migration, type conversion

When mapping the person, type conversion rules can be specified for the fields in Identity Manager (see Type conversion for the person). A conversion rule is defined as follows:

Attribute	Definition	Example
fieldName	Field name in Identity Manager	Meta_CoreObjectState, Meta_CoreObjectStateChangeReason, etc.
conversionType	The following conversion types are supported: NUMBER_TO_STRING NUMBER_TO_STRING_CONDITIONAL STRING_TO_NUMBER STRING_TO_NUMBER_CONDITIONAL DATE_TO_STRING STRING_TO_DATE BIGDECIMAL_TO_LONG	NUMBER_TO_STRING: 104 → "104" NUMBER_TO_STRING_CONDITIONAL: 104 → "active" STRING_TO_NUMBER: "104" → 104 STRING_TO_NUMBER_CONDITIONAL: "one" → "1", "two" → "2", ... DATE_TO_STRING: (refer to parsePattern) STRING_TO_DATE: (refer parsePattern) BIGDECIMAL_TO_LONG: SmartACT specific conversion of numerical values
selection	A choice for the conditional conversion	104 → "active" 105 → "inactive"
parsePattern	Formatting pattern for the conversion type DATE_TO_STRING or STRING_TO_DATE	yyyy-MM-dd HH: mm: ss.SSS

Relation between the objects

When saving, the corresponding record (object) can be linked to one or more objects, for example:

Card with person
Certificate with card and person

The desired relations are set using the attribute dataPoolRelations, which refers to a list consisting of one or more relations of type DataPoolRelation. Person should be related to card and card should be related to certificate.

DataPoolRelation is defined as follows:

Attribute	Defnition
sourceDataPool	Source data pool from which a relation to the target data pool shall be established.
sourceForeignKey	Source data pool field that references a data pool field in the destination data pool.
targetDataPool	Target data pool from which to relate to the source data pool shall be established.
targetForeignKey	Target data pool field that references a data pool field in the source data pool