Steps to migrate users and groups between CA API Gateways

Article ID: 126210

Products

STARTER PACK-7, CA Rapid App Security, CA API Gateway

Issue/Introduction

To migrate users and groups, you need to use a combination of RESTman and the GMU tool, because users and groups are not listed under the migrateOut option of the GMU tool. At a high level, use RESTman to export the users/groups into an XML file, then use the migrateIn option of the GMU tool, or a RESTman POST, to import the file into the other Gateway environment.

Environment

Release: All - Gateway 9.x 10.x 11.x
Component: APIGTW

Resolution

1. There are two options to get the list of users:
    a) Request the following URL:
        https://<source_gateway_hostname>:8443/restman/1.0/users

    b) Use the following GMU command:
       GatewayMigrationUtility.bat restman -argFile source.txt --method GET --path '1.0/identityProviders/0000000000000000fffffffffffffffe/users' --trustCertificate --trustHostname > exportusers.xml  

2. Once you have the user list, prepare the file that will be read and imported into the target Gateway (create_user.xml). Note that the RESTman POST command allows only one user to be imported at a time. For example, the content of your 'create_user.xml' file should look similar to the following:

<l7:User providerId="0000000000000000fffffffffffffffe" xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
    <l7:Login>johns</l7:Login>
    <l7:Password format="plain">7layer</l7:Password>
    <l7:FirstName>John</l7:FirstName>
    <l7:LastName>Smith</l7:LastName>
    <l7:Email/>
    <l7:Properties>
        <l7:Property key="accountExpiration">
            <l7:LongValue>-1</l7:LongValue>
        </l7:Property>
        <l7:Property key="enabled">
            <l7:BooleanValue>true</l7:BooleanValue>
        </l7:Property>
        <l7:Property key="name">
            <l7:StringValue>migrationadmin</l7:StringValue>
        </l7:Property>
    </l7:Properties>
</l7:User>


3. Import the user using the RESTman POST command. For example:

GatewayMigrationUtility.bat restman -h <target_server_name> --trustCertificate --method POST --path /1.0/identityProviders/0000000000000000fffffffffffffffe/users --trustHostname --clientCert "<path_to_client_cert_key>\gmuclientkey.p12" --request create_user.xml 

Some rules to take note of:
- The pkcs12 file must contain the private key and certificate 
- The pkcs12 file may or may not be password protected 
- If the pkcs12 file is password protected, use the -x, --password, or --plaintextPassword arguments to specify the password 
- If the pkcs12 file is not password protected, do not include a password argument 
- Do not specify a username when using mutual authentication; the user is identified by the certificate 
- The certificate must be associated with the migration administrator user on the CA API Gateway
- If using the Internal Identity Provider, the certificate Common Name (CN) must be the same as the user login
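
Because the RESTman POST in step 2 accepts only one user per request, an exported user list has to be split into one create_user.xml document per user before step 3. The following Python is an added example, not part of the original article or of the CA tooling; the List/Item/Resource wrapper and id values in the sample export, the assumption that exports carry no Password element, and the names split_users and new_password are all assumptions made for illustration.

```python
import secrets
import xml.etree.ElementTree as ET

L7 = "http://ns.l7tech.com/2010/04/gateway-management"  # namespace from create_user.xml
ET.register_namespace("l7", L7)

# Constructed sample of an exported user list. The List/Item/Resource wrapper
# is an assumption; the code only relies on l7:User elements being present.
SAMPLE_EXPORT = f"""<l7:List xmlns:l7="{L7}">
  <l7:Item><l7:Resource>
    <l7:User id="aaaa0001" providerId="0000000000000000fffffffffffffffe">
      <l7:Login>johns</l7:Login>
      <l7:FirstName>John</l7:FirstName>
      <l7:LastName>Smith</l7:LastName>
    </l7:User>
  </l7:Resource></l7:Item>
  <l7:Item><l7:Resource>
    <l7:User id="aaaa0002" providerId="0000000000000000fffffffffffffffe">
      <l7:Login>janed</l7:Login>
    </l7:User>
  </l7:Resource></l7:Item>
</l7:List>"""

def split_users(export_xml, new_password=lambda: secrets.token_urlsafe(18)):
    """Return {login: create_user XML}, one single-user document per login."""
    docs = {}
    for user in list(ET.fromstring(export_xml).iter(f"{{{L7}}}User")):
        login_el = user.find(f"{{{L7}}}Login")
        if login_el is None or not (login_el.text or "").strip():
            continue  # nothing to import without a login
        login = login_el.text.strip()
        if login in docs:
            raise ValueError(f"duplicate login in export: {login}")
        # Keep only providerId, matching the create_user.xml shown above.
        for attr in [a for a in user.attrib if a != "providerId"]:
            del user.attrib[attr]
        # Add a unique initial password right after Login if none was exported.
        if user.find(f"{{{L7}}}Password") is None:
            pw = ET.Element(f"{{{L7}}}Password", {"format": "plain"})
            pw.text, pw.tail = new_password(), login_el.tail
            user.insert(list(user).index(login_el) + 1, pw)
        user.tail = None
        docs[login] = ET.tostring(user, encoding="unicode")
    return docs

if __name__ == "__main__":
    for login, xml_doc in split_users(SAMPLE_EXPORT).items():
        print(f"--- create_user_{login}.xml ---\n{xml_doc}\n")
```

Each generated document carries a plaintext initial password, so store the files with restricted permissions and delete them once the import in step 3 is done. The default generator may not satisfy the target Gateway's password policy; pass your own new_password callable if it does not.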