Steps to migrate users and groups between CA API Gateways


Article ID: 126210


Updated On:


STARTER PACK-7 CA Rapid App Security CA API Gateway


To migrate users and groups, you need to use a combination of RESTman and the GMU tool, because users and groups are not listed under the migrateOut option of the GMU tool. At a high level, use RESTman to export the users/groups into an XML file, then use either the migrateIn option of the GMU tool or a RESTman POST to import the file into the other Gateway environment.


Component: APIGTW


1. There are two options to get the list of users:
    a) Hit the following URL:

    b) Use the following GMU command:
       GatewayMigrationUtility.bat restman -argFile source.txt --method GET --path '1.0/identityProviders/0000000000000000fffffffffffffffe/users' --trustCertificate --trustHostname > exportusers.xml  

2. Once you have the user list, prepare the file that will be read and imported into the target gateway (create_user.xml). Note that the RESTman POST command allows only one user to be imported at a time. For example, the content of your 'create_user.xml' file should look similar to the following:

<l7:User providerId="0000000000000000fffffffffffffffe" xmlns:l7=""> 
<l7:Password format="plain">7layer</l7:Password> 
<l7:Property key="accountExpiration"> 
<l7:Property key="enabled"> 
<l7:Property key="name"> 

3. Import the user using the RESTman POST command. For example:

GatewayMigrationUtility.bat restman -h <target_server_name> --trustCertificate --method POST --path /1.0/identityProviders/0000000000000000fffffffffffffffe/users --trustHostname --clientCert "<path_to_client_cert_key>\gmuclientkey.p12" --request create_user.xml 

Some rules to take note of:
- The pkcs12 file must contain the private key and certificate 
- The pkcs12 file may or may not be password protected 
- If the pkcs12 file is password protected, use the -x, --password, or --plaintextPassword arguments to specify the password 
- If the pkcs12 file is not password protected, do not include a password argument 
- Do not specify a username when using mutual authentication; the user is identified by the certificate 
- The certificate must be associated with the migration Administrators user on the CA API Gateway 
- If using the Internal Identity Provider, the certificate Common Name (CN) must be the same as the user login
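
Because the RESTman POST in step 3 accepts one user per request, the list saved to exportusers.xml in step 1 has to be split into one file per user. The Python script below is an added example, not part of the original article or of the GMU tooling; it assumes the export wraps each user in a User element with a Login child, matches elements by local name only, and runs on a constructed sample whose namespace URI is a placeholder.

```python
import io
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample export; the namespace URI is a placeholder (assumption).
SAMPLE_EXPORT = """<l7:List xmlns:l7="urn:example:placeholder">
  <l7:Item><l7:Resource>
    <l7:User id="aaa1" providerId="0000000000000000fffffffffffffffe">
      <l7:Login>alice</l7:Login>
    </l7:User>
  </l7:Resource></l7:Item>
  <l7:Item><l7:Resource>
    <l7:User id="bbb2" providerId="0000000000000000fffffffffffffffe">
      <l7:Login>../bob</l7:Login>
    </l7:User>
  </l7:Resource></l7:Item>
</l7:List>"""

def local(tag):
    """Strip the '{namespace}' part ElementTree puts in front of a tag."""
    return tag.rsplit("}", 1)[-1]

def split_users(export_xml):
    """Return {file_name: xml_bytes}, one entry per User element found."""
    # Re-register the document's own prefixes so the output keeps 'l7:'.
    raw = io.BytesIO(export_xml.encode("utf-8"))
    for _, (prefix, uri) in ET.iterparse(raw, events=("start-ns",)):
        ET.register_namespace(prefix, uri)
    out = {}
    users = [e for e in ET.fromstring(export_xml).iter() if local(e.tag) == "User"]
    for n, user in enumerate(users, 1):
        login = next((c.text or "" for c in user if local(c.tag) == "Login"), "")
        # Logins come from the export: keep only safe file-name characters.
        safe = re.sub(r"[^A-Za-z0-9_-]", "_", login) or "unnamed"
        out[f"create_user_{n:03d}_{safe}.xml"] = ET.tostring(user, encoding="utf-8")
    return out

def write_user_files(files, directory):
    """Write each file owner-only (0600); user files can hold Password elements."""
    paths = []
    for name, data in files.items():
        path = os.path.join(directory, name)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths
```

Each file produced this way can be passed to the --request argument in step 3; compare it with the create_user.xml layout from step 2 before importing.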

Additional Information

Get Started and Run GMU