Product considerations for migration

Each significant version of Bravura Security software is likely to have different requirements for its database tables, table schema or data encoding.

Below is a compatibility matrix that should be taken into consideration when upgrading Connector Pack and Bravura Security Fabric in regards to MSSQL database requirements:

Latest version requirements

Additional considerations

Data migrations from Standard to Enterprise editions of MSSQL will require adding partitions to some of the database tables. Contact support@bravurasecurity.com if you are in this situation.

Migrating to Datacenter or Developer editions of MSSQL, as well as to database clusters or other database-replicated configurations that lock down the database schema are not supported by default. Please contact your account manager if you would like our Professional Services to do the migration for you.

The easiest way to migrate an entire cluster is to migrate the primary node, then install new replication node/proxy servers in the new environment and resynchronize from the primary. See Replication and Recovery to learn how to add a replication node into a cluster.

This procedure only synchronizes data in the backend database. Any component prerequisites (such as IDMLib or target system requirements) must still be installed on each node before resynchronizing. After resynchronization, you need to run updinst to synchronize files and registry settings .

Migrating just the primary node may result in some data loss from the nodes that are not migrated. Alternatively, you could migrate all nodes to ensure data preservation, but this may result in some synchronization problems.

updinst.exe [-list] | [-showconfig] |
  [-synchfile] [-syncreg]  [-globalcp] [-serverid <serverid>...] [-dry-run] |
  [-extdb[-forcerun]] | [-getlogs] [-proxyfile <proxylist.csv>] [-removelogs]

^\\\\script\\\\somefile.py$

\samples\script\somefile.py

psconfig\\\\discovered

# KVGROUP-V2.0  
"updinst" "cfg" = {  
# Registry path blacklist.  Registry paths that match the regular  
# expressions here are not considered for replication, unless they  
# appear in regWhitelist.  All paths are relative to the instance  
# registry root.  Registry keys (and value names) are separated by  
# double-escaped backslashes (\\\\). 
 "regBlacklist" = { "^IDAPISOAP\\\\endpoints";  
                     "SENDER_EMAIL";  
                     "ServerAddress" };
  # File path blacklist. Filesystem paths that match the regular
  # expressions here are not considered for propagation, unless they
  # appear in regWhitelist (see above). All paths are relative to the
  # instance root directory. Directories and files are separated
  # by double-escaped backslashes (\\\\).
  "fileBlacklist" = { "^\\\\psconfig\\\\.*\\.db$";
                      "plugin\\\\debug\\\\.*";
                      "design\\\\src\\\\ui.build\\\\.*";
                      "design\\\\src\\\\ui\\\\node_modules\\\\.*"
                  };
}

You should leave the logging service running, on the server on which you are running migration utilities, in order to capture the events generated during the data migration process.

To capture event run-time errors which are not captured by the logging service, redirect output to a text file. For example, to log the output of fixdb run:

fixdb > fixdb.txt 2>&1

If you get pop-up errors, copy the text inside and add it to the text file, or take a screenshot. If you get any errors (other than uppercase failures from fixdb), stop the process and send the text files to the support representative you have contacted for your migration.

When configuring Bravura Security software, various files may have been added or modified to implement various features or customizations.

Carefully analyze and test all scripts, plugins, and configuration files; for example:

Note the following for custom scripts, plugins, and configuration files:

File Locations

When you install any Bravura Security product, the default path for program files is <Program files path>\Bravura Security\ as of 12.5.0.

Prior to 12.5.0, the path is <Program files path>\Hitachi ID\.

The directory name is not changed when upgrading.

Bravura Security Fabric directories and files

Three main directories are created when you install Bravura Security Fabric instance, as detailed below.

It is recommended that you do not change these directory locations during the setup process. You cannot install any of the directories required for Bravura Security Fabric on a mapped drive.

Instance directory

<Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\

Directories marked with include files installed by Connector Pack .

Directories marked with include folders and files installed with the optional Analytics app.

Directories marked with include optional files. They are only installed in a complete installation or if selected in a custom installation.

Table 3. Instance directory files

Directory	Contains
addon	Files required for add-on software, such as Local Reset Extension and SKA. Some files, required to target Netegrity SiteMinder, are installed by Connector Pack . If you installed a global Connector Pack , these files are contained in the Connector Pack global directory.
agent	Instance-specific user management connectors (agents). If you installed a global Connector Pack , user management connectors are contained in the Connector Pack global directory.
analytics	Analytics app specific folders
analytics \ DataSets	Contains * .rsd files which are Shared Dataset Definitions. These files are only used by SQL Server versions higher than Express. They contain datasets that are shared between reports.
analytics \ Hidden	Contains * .rdl files which are Report Definitions. These files are the drillthrough reports used by other reports. They are not visible to the end-user.
analytics \ ReportItems	This folder contains other folders. Each folder in this folder is a category in the Analytics app. Within these folders are * .rdl files which are Report Definitions. The folders need to be added to the CUSTOM ANALYTICCATEGORIES system variable to be visible. These reports are then visible to the end-users in the Analytics app.
cgi-bin	The user web interface modules (* .exe CGI programs).
db	The Bravura Security Fabric database sqlscripts.
db \ cache	Search engine temporary search results. These files are cleaned up nightly by psupdate .
db \ replication	Stored procedure replication queues, and temporary replicated batch data.
design	Files necessary to make modifications to the GUI. Some files are installed by Connector Pack . If you install a global Connector Pack , files related to connectors are located in the global design directory.
dictionary	A flat file, words.dat, that contains dictionary words. Bravura Security Fabric uses this file to determine if new passwords fail dictionary-based password-policy rules.
idapiservice	Files required to use the SOAP API.
interface	Instance-specific ticket management connectors (exit trap programs). If you installed a global Connector Pack , ticket management connectors are contained in the Connector Pack global directory.
lib	Contains the pslangapi.dll.
license	The license file for Bravura Security Fabric .
plugin	Plugin programs executed by Bravura Security Fabric .
psconfig	List files produced by auto discovery and the idmsetup.inf file.
report	Files and programs for report generation.
samples	Instance-specific sample scripts and configuration files. If you installed a global Connector Pack , connector-related sample files are contained in the Connector Pack global directory.
script	Configuration files and scripts used by connectors, psupdate , plugins and interface programs.
service	Service programs.
sessdata	Session data. A scheduled program removed old data files nightly.
skin	Compiled GUI files used at run-time (HTML and *.z).
smon	Monitored session data. This location can be changed by Recorded session management (smon) module options.
util	Command-line programs and utilities. If you install a global Connector Pack , tools related to connector configuration are located in the global util directory.
unix	The psunix archive, which is required to install the Unix Listener and supporting files on a Unix-based target system. If you installed a global Connector Pack , this directory is created in the Connector Pack global directory.
wwwdocs	Images and static HTML pages used by Bravura Security Fabric .

Log directory

<Program Files path>\Bravura Security\Bravura Security Fabric\Logs\<instance>\

Any operation that is run by Bravura Security Fabric is logged. Those logs are invaluable when debugging an issue. The log directory by default is <Program Files path>\Bravura Security\Bravura Security Fabric\Logs\<instance>\ . Each instance of Bravura Security Fabric that is installed will have at least one sub-directory within this directory.

The rotatelog scheduled job, which runs on a nightly basis, rotates the logs into a new folder, to reduce disk space usage.

Locks directory

<Program Files path>\Bravura Security\Bravura Security Fabric\Locks

Certain target systems can only be accessed serially, such as Lotus Notes. This is a limitation of the API used to access the target system. In these cases Bravura Security Fabric drops a lock file in the locks directory when an operation is being performed that should only be performed serially. For this reason the locks directory must be the same for all instances of Bravura Security Fabric that are installed on the same server.

Connector pack directories and files

When you install Connector Pack , files are placed in different locations depending on type of Connector Pack .

For an instance-specific connector pack, the installer, connector-pack-x64.msi, installs connectors and supporting files in:

<Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\

For a global connector pack, the installer, connector-pack-x64.msi, installs connectors and supporting files in:

<Program Files path>\Bravura Security\Connector Packs\global\

The table below describes the function of directories that are created when a Connector Pack is installed:

Table 4. Connector Pack directory files

Directory	Contains
addon	Files required to target Netegrity SiteMinder systems
agent	User management connectors (agents)
design	Connector Pack -related files necessary to make modifications to the GUI; for example target system address help pages. See the “Customization Guide” for details.
interface	Ticket management connectors (exit trap programs)
samples	Sample scripts and configuration files
unix	The psunix archive, which is required to install the Unix Listener and supporting files on a Unix-based target system
util	Tools to support the configuration of various target systems

There are several automation logic paths in Bravura Security Fabric, including:

Each logic path uses their own set of configuration options, including different "switch off" settings. During migration, it is recommended to disable the automation logic in the production environment while the initial discovery is run, to start off with a good baseline. However, it is easy to miss disabling one or more settings during migration.

Use the AUTOMATION ENABLED system variable, to control whether automation requests should be issued, which applies to all automation logic paths. By default, this is set to Enabled.

It is important to note the status of the AUTOMATION ENABLED system variable throughout the migration process. If it was set to False, ensure that it is set back to True unless you want to continue preventing all automation requests from being issued.

To allow certain automation requests to proceed while AUTOMATION ENABLED is set to False, include the CIRCUMVENT_AUTOMATION_BLOCKAGE built-in request attribute with the request. This request attribute will circumvent the automation block when set to True; for example, it can be used by custom scripts to submit automation requests even if automation is disabled.

Saved reports will not be preserved when upgrading from earlier versions. After the upgrade, scheduled reports can be viewed on the Manage the system > Maintenance > Scheduled jobs page, but cannot be run or modified.

Reports in Bravura Security Fabric versions 9.0 or later are SQLite databases.

After upgrades or patches you can expect to see errors from loadreports on reports not covered in your product license.

In addition to configuration files, your Bravura Security Fabric instance may contain custom binaries and/or schema. These could include web modules, connectors, plugin programs, external interface programs, and so on.

Once custom binaries are identified, their purpose should be determined to decide whether they are still necessary. For example, if the custom binary was created to resolve a product deficit, the deficit was likely resolved in the base product. Similarly, if the purpose of the binary was to add custom functionality, it is also possible that the feature was added to the base product.

Read the Release notes to determine whether a custom binary is necessary. If it is still not obvious, contact support@bravurasecurity.com for assistance.

Only in very specific cases will an older binary be usable in a newer product. A previous service engagement or product fixes on an existing instance (including binary and/or schema) might require assistance from Support to either initiate a new service engagement, verify the fixes provided in a previous release, or indicate a new feature or functionality that supersedes fixes in older functionality.

A careful examination of the registry in both the source and destination instance subkeys will reveal manually entered subkeys.

Like custom binaries, each subkey identified as manually entered should be evaluated on a case by case basis before choosing to export it to another instance. This is especially true of version migrations. See Release notes to determine whether the key needs to be migrated or whether product enhancements have been made to toggle these keys from the administration interface. Contact support@bravurasecurity.com for details about any specific registry subkeys.

If a key needs to be migrated, you can make the change directly using the Windows registry editor (regedit.exe) utility on the new instance, or by exporting from the old and importing to the new server using the same utility.

One key of vital importance in older product versions is the "MASTERKEY". This key was used for communication between various components of the software. For example, transparent password synchronization triggers use the key to communicate with the pushpass/idpm service, and some connectors use it to communicate with their associated agent installed on the target system. In new product versions, this key is now known as the "CommKey" (short for communications key.) This key cannot be copied and renamed as it is now stored in an encrypted format. To set the key, use the resetkey program .

resetkey.exe -type <keytype> -value <keyvalue>

resetkey.exe -type <keytype> -export [-value <keyvalue>] [-file <file>]

A new version of Bravura Security Fabric may need a newer version of the target system client software installed on the primary node.

As of 9.0, Bravura Security Fabric is completely 64-bit, so it requires any target tools (for example, database clients, SDKs or any software our product loads directly to integrate with targets), to also be installed as 64-bit versions. This means that for fresh installs (including replication migrations), the 64-bit clients must be installed, and for cloned migration, the 32-bit clients must be uninstalled and the 64-bit client installed.

Refer to Connector Pack documentation for details on any targets that require target clients or tools.

When migrating instances, you must use an existing license (which is installed by default with the product). When you migrate using a fresh installation (rather than replication or cloning), the license will be the same as when you originally installed Bravura Security Fabric. If you have updated your license since first installing Bravura Security Fabric, ensure that you manually copy the most recent license.

All custom web interface modifications should be reviewed. Some existing modifications will require modification or deletion, while new modifications may need to be added.

The best method to address this issue is to go through every file in the custom directory in the source instance and confirm the same file exists in the destination instance src directory. If a file does not exist in the new instance, the custom version of the file can probably be deleted. If a file does exist, go through the entire file and search for each tag or KVGroup in the new instance. If the tag or KVGroup does not exist, it can probably be deleted from the file. If it does exist, compare the custom version to the default version in the new instance and figure out what if any modification will need to be made to the custom version.

Finally, test all the web pages and verify that the desired modifications have been migrated properly. Also look for new web interface constructs that may require new modifications.

See Customization for more information.

The Bravura Security Fabric server must have a running web server. Microsoft Internet Information Services (IIS) is supported for automatic configuration by Bravura Security Fabric’s installer.

IIS URL Rewrite module is also required. If it was not installed as part of your IIS web server install, install it from http://www.iis.net/downloads/microsoft/url-rewrite .

By default, the setup program of your new instance would have configured the web server so that the necessary virtual directories are created, the CGIs are all registered, and determined whether clients navigating to the base URL will get redirected to a specific instance. If you have customized the behavior of the web server on your old instance in some way, you will have to manually do the same thing for the new instance.

As mentioned in Inventory of systems , there are a number of potentially related supporting systems to consider in addition to the Bravura Security Fabric servers themselves. These systems fall into two categories; systems with Bravura Security Fabric software components installed on them, and other technologies that support the Bravura Security Fabric server.

When upgrading, ensure that the server requirements for the new product version are met on the server. See the latest Server requirements. Attempts to upgrade or patch on under-provisioned servers are likely to fail.

In particular, each local service will require redeployment for workstations to allow reintegrating to the new instance.

Verify the minimum Python requirements for the upgrade.

Python must be installed for all users.

The upgrade in support may cause issues with some scripts.

See also

Review the latest Release notes to identify changes that might affect expected product behavior.

Pay particular attention to:

Verify there are no pending Windows updates to be installed, and verify that no server restarts are scheduled before starting the upgrade or patching process.

Ensure that you know the Bravura Security Fabric service user (psadmin) password. This will be required to upgrade existing systems.

Learn more about Changes to the service account (psadmin) with serviceacct.

Review the following: