Migrate from SmartACT to Identity Manager
This article describes how to migrate from SmartACT to Smart ID Identity Manager.
This is a summary of what must be in place before the migration starts. More information is found in the article.
- Java 8 Runtime is installed
- JRE_HOME is set as environmental variable
- java-security-policy-fix is recorded
- Databases are correctly registered in database.properties
- Run Data Encryption Certificate is provided and configured in encryption-config.xml
- Personalization is done correctly in migrate_persons.properties
- Configuration for cards/tokens is correct in migrate_cards.properties
- Certificates configuration is correct in migrate_certificates.properties (PKI only Card management)
- Smart ID configurations (for example, Base, Physical ID, DIgital ID) in the latest version are available
Step-by-step instruction
Preparation
- Install the current version of Java Runtime Environment (JRE).
- Set JRE_HOME to the installation directory of java jre
(for example: C:\Program Files\Java\jre1.8.0_161\bin) - Import the java-security-policy-fix for the installed Java version. The jce-policy-8.zip is provided with the migration package.
- Unpack the migration package of delivery in a directory of your choice.
Go to the specified migration directory.
In the file database.properties specify the attributes HOST_NAME, DB_PORT, DB_NAME, USER_NAME and USER_PASSWORD for SmartACT and Identity Manager. The properties inside database.properties match those, described in PRIME installation.
SmartACT database
CODE### SmartACT Database smartAct.jdbcUrl=jdbc:sqlserver://<HOST_NAME>:<DB_PORT>;databaseName=<DB_NAME>;AUTO_SERVER=TRUE #smartAct.jdbcUrl=jdbc:sqlserver://<HOST_NAME>:<DB_PORT>;databaseName=<DB_NAME>;instance=<INSTANCE_NAME>;AUTO_SERVER=TRUE - verwendet für SQLEXPRESS Datenbank-Server smartAct.user=<USER_NAME> smartAct.password=<USER_PASSWORD>
Identity Manager database
CODE### PRIME Database prime.jdbcUrl=jdbc:sqlserver://<HOST_NAME>:<DB_PORT>;databaseName=<DB_NAME>;AUTO_SERVER=TRUE #prime.jdbcUrl=jdbc:sqlserver://<HOST_NAME>:<DB_PORT>;instance=<INSTANCE_NAME>;databaseName=<DB_NAME>;AUTO_SERVER=TRUE - verwendet für SQLEXPRESS Datenbank-Server prime.user=<USER_NAME> prime.password=<USER_PASSWORD> ...
You must have read/write rights of the SQL users on the databases.
Make sure that the certificate for encrypting run data in SmartACT (idexpertcert02.p12) is stored in the directory config. The migration tools contains this certificate, if it is not supplied by you.
Open the file encryption-config.xml and check if the value of the attribute pin under the key idexpertcert02 is correct, otherwise set the value:
encryption-config.xml
CODE... <keys> <key name="idexpertcert02"> <type name="pkcs12" locationValue="config/idexpertcert02.p12" pin="XXXX"/> </key> </keys> ...
Configure migration - general
The configuration is done in the migrate_general.properties file, which is structured as follows.
Atribute | Value | Importance |
---|---|---|
abortOnError | true/false |
|
printReport | true/false |
|
printDetailReport | true/false |
|
prime.username | Name of the administrator of the respective tenant. | |
prime.userpassword | The administrator's password. | |
prime.tenantId | Tenant ID |
Configure migration - persons
The configuration is done in the migrate_persons.properties file, which is structured as follows.
These are examples of person statuses:
Example: Person status in SmartACT
...
smartact.person.state.active=1
smartact.person.state.inactive=2
smartact.person.states=${smartact.person.state.active},
${smartact.person.state.inactive}
Example: Person status in Identity Manager
...
prime.person.state.active=active
prime.person.state.inactive=inactive
prime.person.states=${prime.person.state.active}, ${prime.person.state.inactive}
...
Make sure that the number of states between SmartACT (attribute smartact.person.states
) and Identity Manager (attribute prime.person.states
) are always the same.
For the attribute smartact.masterdata.template.ids
, enter one or more comma-separated Master data template IDs if you only want to migrate specific master data templates.
...
prime.person.coretemplate.names=BaseCtEmployee
...
Make sure that the number of master data types between SmartACT (smartact.masterdata.template.ids
) and Identity Manager (prime.person.coretemplate.names
) are the same.
Every person from SmartACT is assigned the role BaseRoleSelfServiceUser
as part of the migration to Identity Manager, so access via USSP is possible. This can be customized in migrate_persons.properties under the parameter prime.person.roles.added
.
...
prime.person.roles.added=BaseRoleSelfServiceUser,<RoleNameIdM>,...
prime.person.roles.deleted=<RoleNameIdM>,...
...
The roles are specified as a comma-separated list. These are applied to all person objects during the migration process.
The mapping of the data fields between Identity Manager and SmartACT is configured in the file spring\migrate-persons-batch_jobs-beans.xml. The assignment must be adjusted according to the use of the data fields in the following area:
<util:map id="personFieldMapping">
<!-- <entry key="SmartAct_ColumnName"
value="Prime_CoreTemplate_FieldName"/> -->
<!-- migration specific mapping -->
<entry key="MigrationId" value="MigrationId"/>
<entry key="MD_MDTID" value="Meta_CoreTemplateName"/>
....
</util:map>
In Identity Manager, new data pool fields might have to be created as additional fields. At least, MigrationId
should be added as a numeric field, as this is not part of the standard Identity Manager modules.
The mapping of the persons is preset as follows:
SmartACT field | Identity Manager field | Comment |
---|---|---|
COMPANY | Company | |
DEPARTMENT | Department | |
FIRSTNAME | FirstName | |
INFOBIGTEXT0 | UPN | |
LASTNAME | LastName | |
MD_CREATEDATE | CreationDate | |
MD_DATE | ModificationDate | |
MD_ID | MigrationId | Alias and internal ID of the Master record in SmartACT |
MD_MDTID | TenantId Meta_CoreTemplateName_ BaseDpEmployee is set via | Alias and internal ID of the MDT in SmartACT |
MD_REASON | Meta_CoreObjectStateChangeReason_BaseDpEmployee | |
MD_STATE | Meta_CoreObjectState_ BaseDpEmployee | Status of the person in SmartACT (refer to Type conversion for the person) 1: Active |
For this, the MigrationId
field is used, which is already used in SmartACT as uniqueness criterion.
Field | Conversion rule | Mapping used |
---|---|---|
MasterdataId | BIGDECIMAL_TO_LONG | |
Meta_CoreObjectState | NUMBER_TO_STRING_CONDITIONAL | 1 > "registered" 2 > "active" 3 > "inactive" |
Configure migration - cards
The configuration is done in the migrate_cards.properties file, which is structured as follows.
...
smartact.card.field.PIN=PIN
smartact.card.field.PUK=PUK
smartact.card.field.CARD_CRKEY=CARD_CRKEY
smartact.card.encrypted.fields=${smartact.card.field.PIN}, ${smartact.card.field.PUK}, ${smartact.card.field.CARD_CRKEY}
...
All encrypted fields have to be available in this list otherwise the encrypted value which was created with SmartACT certificate will be saved in Identity Manager.
...
prime.card.field.PIN=PIN
prime.card.field.PUK=PUK
prime.card.field.CardManagerKey=CardManagerKey
prime.card.encrypted.fields=${prime.card.field.PIN}, ${prime.card.field.PUK}, ${prime.card.field.CardManagerKey}
...
A field which was not encrypted in SmartACT/ProACT can be encrypted in Identity Manager (subsequently encrypt).
Example:
...
smartact.card.state.issued=103
smartact.card.state.active=104
smartact.card.state.inactive=105
smartact.card.state.locked=106
smartact.card.states=${smartact.card.state.active}, ${smartact.card.state.inactive}, ${smartact.card.state.locked},${smartact.card.state.issued}
...
...
prime.card.state.issued=issued
prime.card.state.active=active
prime.card.state.inactive=inactive
prime.card.state.locked=locked
prime.card.states=${prime.card.state.active}, ${prime.card.state.inactive},
${prime.card.state.locked},${prime.card.state.issued}
Make sure that the number of status between SmartACT (attribute smartact.card.states
) and Identity Manager (attribute prime.card.states
) are the same.
Example:
...
smartact.card.template.ids = 3320,3321,3322, ...
...
Enter one or more card template IDs separated by commas. Enter all card types that you shall use.
...
prime.card.coretemplate.names = MyCtEmployeeCard, MyCtAdminCard, MyCtEmployeeCard
...
Mapping of card fields between Identity Manager and SmartACT is configured in the spring\migrate-cards-batch_jobs-beans.xml file.
The assignment must be adjusted according to the use of the data fields in the following area:
<util:map id="cardFieldMapping">
<!-- <entry key="SmartAct_ColumnName"
value="Prime_CoreTemplate_FieldName"/> -->
<!-- migration specific mapping -->
<entry key="MigrationId" value="MigrationId"/>
....
</util:map>
In Identity Manager, new data pool fields have to be created as additional fields. At least the MigrationId
should be added as a numeric field, as this is not part of the standard Identity Manager modules.
The mapping of the cards is preset as follows:
SmartACT field | Identity Manager field | Comment |
---|---|---|
CARD_NUMBER_TEXT | CardNumber | |
CARD_PIN | PIN | |
CARD_PUK | PUK | |
CARDOS_CHIP_ID | ICCSN | |
CRD_CTID | Meta_CoreTemplateName_PcmDpEmployeeCard | Internal ID of the master data template in SmartACT, which is linked to the core template name by further mapping (see |
CRD_DATE | ModificationDate | |
CRD_ID | MigrationId | Alias and internal ID of the card. |
CRD_MDID | Alias and internal ID that references the person's Data Pool field MigrationId . | |
CRD_PERSDATE | CreationDate | |
CRD_PERSFLAGS | ||
CRD_REQID | ||
CRD_STATE | Meta_CoreObjectState_PcmDpEmployeeCard | Status of the card in SmartACT: |
CRD_TIMESTAMP | ||
DEPARTMENT | Department | |
FIRSTNAME | FirstName | |
INFOBIGTEXT0 | ||
UPN | ||
LASTNAME | LastName |
The field MigrationId
is used, which is already used in SmartACT as uniqueness criterion.
Status SmartACT | Value SmartACT | Mapping in Identity Manager |
---|---|---|
Card is personalized | 100 | None/not accepted |
Card has been personalized | 101 | None/not accepted |
Card has been personalized and confirmed | 102 | None/not accepted |
Card was issued | 103 | Issued |
Card is active | 104 | Active |
Card is temporarily inactive | 105 | Inactive |
Card is permanently blocked | 106 | Locked |
Card was destroyed | 107 | None/not accepted |
Repetition of personalization | 108 | None/not accepted |
Card is reusable (for example, unallocated quota card) | 109 | None/not accepted |
Card is on a transportation or shipping route | 110 | None/not accepted |
Card was destroyed during personalization | 111 | None/not accepted |
Card is temporarily inactive - by user group 1 | 113 | None/not accepted |
Card is temporarily inactive - by user group 2 | 114 | None/not accepted |
Card is back again from a transportation or shipping route | 115 | None/not accepted |
Card is lost on a transportation or shipping route | 116 | None/not accepted |
Field | Conversion rule | Used mapping |
---|---|---|
TenantId | BIGDECIMAL_TO_STRING | |
MasterdataId | BIGDECIMAL_TO_STRING | |
MigrationId | BIGDECIMAL_TO_STRING | |
Meta_CoreObjectState | NUMBER_TO_STRING_CONDITIONAL | 103 > "issued" |
The following relation is defined especially for the card (see also Relation between the objects)
Attribute | Value |
---|---|
sourceDataPool | PcmDpEmployeeCard |
sourceForeignKey | MasterdataId |
targetDataPool | BaseDpEmployee |
targetForeignKey | MigrationId |
Configure migration - certificates
The configuration is done in the migrate_certificates.properties file, which is structured as follows.
...
smartact.certificate.state.locked = 2
smartact.certificate.state.active = 3
smartact.certificate.states = ${smartact.certificate.state.locked}, $ {smartact.certificate.state.active}
...
...
prime.certificate.coretemplate.names = MyCtMigration%Certificate
...
For the attribute smartact.certificate.template.ids
, use one or more comma-separated Template IDs.
...
prime.certificate.state.locked = locked
prime.certificate.state.active = active
prime.certificate.states = ${prime.certificate.state.locked}, $ {prime.certificate.state.active}
...
Make sure that the number of states between SmartACT (attribute smartact.certificate.states
) and Identity Manager (attribute prime.certificate.states
) are the same.
If a card is permanently replaced in SmartACT, the new certificate entry points to the preceding certificate. When migrating certificates, only the "origin certificates" are adopted. This is easy to determine by keeping track of the certificate reference until you find a certificate without predecessor.
The mapping of card data fields between Identity Manager and SmartACT is configured in the file spring\migrate-certificates-batch_jobs-beans.xml. The assignment must be adjusted according to the use of the data fields in the following area:
<util:map id="certificateFieldMapping">
<!-- <entry key="SmartAct_ColumnName"
value="Prime_CoreTemplate_FieldName"/> -->
<!-- migration specific mapping -->
<entry key="MigrationId" value="MigrationId"/>
....
</util:map>
In Identity Manager, new data pool fields have to be created as additional fields. At least, MigrationId
should be added as a numeric field, as this is not part of the standard Identity Manager modules.
The mapping of the certificates is preset as follows:
SmartACT field | Identity Manager field | Comment |
---|---|---|
CERT_ID | MigrationId | Internal ID of the certificate in SmartACT |
CERT_DATE | creationDate | Creation date |
CERT_CARDID | CardId | Internal ID of referencing card |
CERT_CAID | None | Internal ID of the issuing CA (is configured in Identity Manager) |
CERT_REFERENCE | None | Internal ID of the predecessor certificate, which was "replaced" by the restore |
CERT_CERTTEMPLATEID | certTemplateId | Internal ID of certificate template in SmartACT |
CERT_CERTSERIAL | certSerial | Certificate serial number |
CERT_CARDSERIAL | None | |
CERT_STATE | Meta_CoreObjectState | Certificate status: |
CERT_VALID_FROM | validFrom | Validity start date |
CERT_VALID_TO | validTo | Validity end date |
CERT_KEYARCHIVAL | None | Note if this certificate has been restored: 0: no recovery |
CERT_DATA | data | Certificate in binary format |
CERT_RENEWAL_APPLIED | renewalApplied | Note whether a renewal of the certificate is pending in User Self Service: 0: no renewal |
CERT_KEYDATA | ||
MDT_ID | tid | Internal ID of the client |
The field MigrationId
is used, which is already used in SmartACT as uniqueness criterion.
Status in SmartACT | Value in SmartACT | Mapping in Identity Manager |
---|---|---|
Certificate is locked | 2 | locked |
Certificate is valid | 3 | active |
Certificate invalid / never issued (for example, incorrect request) | 4 | none / will not be accepted |
Specifically for the certificate, the following relation is defined (see also Relation between the objects)
Attribute | Value |
---|---|
sourceDataPool | PcmDpCertificate |
sourceForeignKey | CardId |
targetDataPool | PcmDpEmployeeCard |
targetForeignKey | MigrationId |
Start migration
To start the migration:
- run the batch file start_migration.bat on Windows
or - run the shell script start_migration.sh on Linux/Unix.
Under Unix/Linux, give the shell scripts the correct rights using chmod
.
During the migration, log files are created in the subdirectory logs/
- batch.log
Contains the complete logging of the data migration, except the migration of old CA certificates to Nexus Certificate Manager. - batch_skipped.log
Contains a log of all data records (with all data) that could not be transferred, including the error message. This is for error analysis. - batch_overview.log
Is only created when the data migration completes successfully. Contains a quantitative comparison of the two databases after migration, structured by tenant, type and status.
The files are created on every new run and they will overwrite existing ones. For a fully documented step-by-step documentation of the data records, these must be saved by the user before the next run is performed.
If necessary, you can customize the path of the log messages by opening the log4j.xml file and specifying the file (Attribute File) and maximum index (attribute MaxBackupIndex
) in the sections BATCHLOG, BATCHLOG_SKIPPED and BATCHLOG_OVERVIEWLOG as below. The log levels should only be adjusted after consultation with the consultant or project manager at Nexus, as these can have a major impact on the duration of the migration.
log4j.xml
...
<!-- definition of output sources -->
<!-- Logging to Console -->
<appender name="STDOUT" class="org.apache.log4j.ConsoleAppender">
<param name="Encoding" value="UTF-8"/>
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %-25t (%F:%L) : %m%n"/>
</layout>
</appender>
<appender name="BATCHLOG" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/batch.log" />
<param name="Append" value="true" />
<param name="Encoding" value="UTF-8"/>
<param name="BufferedIO" value="false" />
<param name="MaxBackupIndex" value="40" />
<param name="MaxFileSize" value="50MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="(%d) %-5p %-15t (%F:%L) : %m%n"/>
</layout>
</appender>
<appender name="BATCHLOG_SKIPPED" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/batch_skipped.log" />
<param name="Append" value="true" />
<param name="Encoding" value="UTF-8"/>
<param name="BufferedIO" value="false" />
<param name="MaxBackupIndex" value="40" />
<param name="MaxFileSize" value="50MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="(%d) %-5p %-15t (%F:%L) : %m%n"/>
</layout>
</appender>
<appender name="BATCHLOG_OVERVIEWLOG" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/batchoverview.log" />
<param name="Append" value="true" />
<param name="Encoding" value="UTF-8"/>
<param name="BufferedIO" value="false" />
<param name="MaxBackupIndex" value="40" />
<param name="MaxFileSize" value="2MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="(%d): %m%n"/>
</layout>
</appender>
<appender name="BATCHLOG_CERTIFICATEEXPORT" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/batch_certCA.log" />
<param name="Append" value="true" />
<param name="Encoding" value="UTF-8"/>
<param name="BufferedIO" value="false" />
<param name="MaxBackupIndex" value="40" />
<param name="MaxFileSize" value="2MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="(%d): %m%n"/>
</layout>
</appender>
...
The term client refers to the master data template from SmartACT (table T_MASTERDATATEMPLATE), which is used as the data source of the migration. All tenants are created with their own IDs, the initially existing tenant with ID 1 remains. The clients are stored in Identity Manager in the table Tenant.
When mapping the person, type conversion rules can be specified for the fields in Identity Manager (see Type conversion for the person). A conversion rule is defined as follows:
Attribute | Definition | Example |
---|---|---|
fieldName | Field name in Identity Manager | Meta_CoreObjectState, |
conversionType | The following conversion types are supported:
| NUMBER_TO_STRING: 104 → "104" |
selection | A choice for the conditional conversion | 104 → "active" 105 → "inactive" |
parsePattern | Formatting pattern for the conversion type DATE_TO_STRING | yyyy-MM-dd HH: mm: ss.SSS |
When saving, the corresponding record (object) can be linked to one or more objects, for example:
- Card with person
- Certificate with card and person
The desired relations are set using the attribute dataPoolRelations, which refers to a list consisting of one or more relations of type DataPoolRelation. Person should be related to card and card should be related to certificate.
DataPoolRelation
is defined as follows:
Attribute | Defnition |
---|---|
sourceDataPool | Source data pool from which a relation to the target data pool shall be established. |
sourceForeignKey | Source data pool field that references a data pool field in the destination data pool. |
targetDataPool | Target data pool from which to relate to the source data pool shall be established. |
targetForeignKey | Target data pool field that references a data pool field in the source data pool |