Migrating component configuration and data
You can migrate component configuration and data using the following methods:
See also
Components shows you how to manage and create components and environment files.
Replacing an instance’s configuration using environment files
Solution architects can work with clients to create environment files that store specific component information such as target configuration, team setup, authentication setup and workflow. Using these files saves time in reconfiguring the components when migrating between environments. For example:
A client sets up a Bravura Security Fabric test environment with all the required components and settings.
The client conducts testing and makes changes where required.
When the test environment is complete, the solution architect can help create environment files that will capture the existing component settings.
Bravura Security Fabric is installed in the production environment.
The environment files from the test environment are copied to production.
Some settings in these files must be adjusted for the new environment, such as target addresses and credentials.
Each component is then installed. During installation, the components use the environment files to preconfigure the environment the same way it was configured in the test environment.
Environment files can also be loaded later after a component is installed; for example, a client can test changes to a component, then when they are ready for production, copy and load the file in the production environment.
Contact support@bravurasecurity.com for assistance.
Migrating using export_data_components.py
The export_data_components.py script exports product configurations as components and an environment file. The resulting data components and environment file can be applied to a different instance.
This section shows you how to export current configurations into components and environment files using the export_data_components.py script.
This is supported only for components from the same major+minor release.
Warning
Consult with support@bravurasecurity.com before using this script.
Preparation
Set up the configuration export command-line program
The configuration export program (export_data_components.py) is a Python executable script located in the script directory. To run it from the command line, you need to configure several environment variables. To do this:
Launch a command prompt as an Administrator and navigate to the <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\ directory.
Run the command:
instance.bat
Navigate to the script directory.
You should now be able to run the configuration export program. Ensure that you always run it as an Administrator.
Prepare an export folder
You should create a temporary folder, for example, c:\temp\export, to export files. Ensure that script users have write permission.
Export configurations
The export option is used to export all the configurations made since the installation of the product. It generates an environment file that contains all the changes that have occurred in the installed components. It also generates data components for all other configurations.
export_data_components.py export
This can also be specified using the output option.
export_data_components.py --output env export
Example: Export account attributes
Often during component-based configuration migration, it's required to export account attribute override changes. Bravura Security Fabric version 12 introduced a number of changes, such as to component Types.
To export account attributes:
Export all ObjectAttrs:
C:\Program Files\Bravura Security\Bravura Security Fabric\<instance>\script\export_data_components.py --dir c:\temp\AcctAttrs --output component export --type ObjectAttr
Find the relevant json and manifest files by searching in the export for the relevant attribute names.
For example, in a bash window opened in c:\temp\AcctAttrs\Data\:
$ grep -r lastLogoff *
objectattr_00a74f927a3c4367a2ed88c108a03a7f/config.json: "attrkey": "lastLogoff",
objectattr_b6c58ea86bd44ea2abb16a18f5ba8fa7/config.json: "attrkey": "lastLogoff",
Collect all Custom attribute components from the export, and clear out (delete) the rest of the Data directory, or datestamp the name of the Data directory and keep it for later reference or for bulk comparisons/diffs.
If the override is changed later, edit the .json file manually or perform the export update on it:
C:\Program Files\Bravura Security\Bravura Security Fabric\<instance>\script\export_data_components.py --dir c:\temp\AcctAttrs --output component export --comparison_set c:\temp\AcctAttrs\custom_pam_2022-10-26.json --type ObjectAttr
Notes:
AccountAttr Data component Type is deprecated and exists only for legacy compatibility.
From version 12.0.0+, AccountAttrs export as ObjectAttrs.
There are currently three types of listed objects: "ATTR", "GRP" and "COMP", for account, group and computer, respectively.
ObjectAttrs also exports the "Attribute" Data type, which is for profile attributes.
Bravura Security highly recommends using comparison sets (step 5) against an existing JSON Data file that is pre-exported or manually created, instead of using --ignore_filesystem.
As demonstrated in step 2 above, ObjectAttrs are over-exported due to not being able to detect changes against legacy (pre-12.0.0 AccountAttr) components.
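To support the "bulk comparisons/diffs" suggestion in the steps above, the following added example (not part of the Bravura Security documentation or product) compares ObjectAttr components between a datestamped earlier export and a fresh one, reading the config.json layout shown on this page. Matching components by (attrkey, targetid), the directory names and the sample field values are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

def load_objectattrs(data_dir):
    """Map (attrkey, targetid) -> (component dir name, Fields) for every ObjectAttr."""
    found = {}
    for cfg in sorted(Path(data_dir).glob("*/config.json")):
        # A hand-edited file that no longer parses raises here, which is intended:
        # a broken component should be noticed before it is imported.
        doc = json.loads(cfg.read_text(encoding="utf-8"))
        if doc.get("Type") != "ObjectAttr":
            continue
        fields = doc.get("Fields", {})
        found[(fields.get("attrkey"), fields.get("targetid"))] = (cfg.parent.name, fields)
    return found

def diff_exports(old_dir, new_dir, attrkey=None):
    """Return {(attrkey, targetid): {field: (old, new)}} for new or changed components."""
    old, new = load_objectattrs(old_dir), load_objectattrs(new_dir)
    changes = {}
    for key, (_, fields) in new.items():
        if attrkey and key[0] != attrkey:
            continue
        before = old.get(key, (None, {}))[1]
        delta = {name: (before.get(name), value)
                 for name, value in fields.items() if before.get(name) != value}
        delta.update({name: (before[name], None) for name in before if name not in fields})
        if delta:
            changes[key] = delta
    return changes

def _write(data_dir, name, fields):
    # Constructed sample component, shaped like the page's config.json example.
    comp = Path(data_dir) / name
    comp.mkdir(parents=True)
    (comp / "config.json").write_text(json.dumps({"Type": "ObjectAttr", "Fields": fields}))

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        old, new = Path(tmp) / "Data_2022-10-26", Path(tmp) / "Data"
        _write(old, "objectattr_aaaa", {"attrkey": "lastLogoff", "targetid": "AD", "override": 0})
        _write(new, "objectattr_bbbb", {"attrkey": "lastLogoff", "targetid": "AD", "override": 2})
        _write(new, "objectattr_cccc", {"attrkey": "lastLogoff", "targetid": "HRAPP", "override": 2})
        return diff_exports(old, new, attrkey="lastLogoff")

if __name__ == "__main__":
    for key, delta in demo().items():
        print(key, delta)
```

A component that appears only in the newer export is reported with every field changing from None, which makes over-exported ObjectAttrs easy to spot before they are copied to another instance.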
Failure to export AccountAttr Data Type
While importing legacy AccountAttr Type Data components will succeed, attempting to export them will fail:
C:\Program Files\Bravura Security\Bravura Security Fabric\<instance>\script\export_data_components.py --dir c:\temp\AcctAttrs --output component export --ignore_filesystem --type AccountAttr
ERROR: AccountAttr does not support direct listing
Example config.json for the ObjectAttr Data Type
Use Prerequisites for the target, targets or target type (also known as "platform") where the attribute is to be overridden.
{
  "Prerequisites": [
    {
      "Reference": {
        "id": "AD"
      },
      "Type": "Target"
    }
  ],
  "Fields": {
    "attrkey": "SOME_ATTR",
    "attrtype": "S",
    "chgboost": false,
    "copy": true,
    "createaction": "S",
    "discoveredtype": "ACCT",
    "encoding": "N",
    "grpno": 0,
    "guid": "778dac0d-52f7-4392-98f7-01a2121d5dbb",
    "ignore": true,
    "listattr": true,
    "makediffs": true,
    "maxvalues": 1,
    "minvalues": 0,
    "override": 2,
    "platformid": "AD",
    "priority": 50,
    "profileattr": "DESC_APP",
    "replace": true,
    "seqno": 0,
    "set": true,
    "setuserattr": true,
    "structid": "",
    "targetid": "AD",
    "updateaction": "S"
  },
  "Type": "ObjectAttr"
}
Export configurations to components
The export option can also be used to export a complete set of components which includes installed components, with updated configuration settings, and components for all other configurations.
To create data components of the configuration changes, specify the output option to component.
export_data_components.py --output component export
Examples:
To export all configuration objects (this may take a while; run this command only if you do not know what the export type is):
script\export_data_components.py --output component --dir export export --ignore_filesystem
To export attribute configuration:
script\export_data_components.py --output component --dir "export" export --type Attribute --ignore_filesystem
To export target configuration:
script\export_data_components.py --output component --dir "export" export --type Target --ignore_filesystem
To export system variables:
script\export_data_components.py --dir export --output both export --type SysVar
To export question sets:
script\export_data_components.py --dir export --output both export --type QuestionSet
To export HRAPP target:
script\export_data_components.py --dir export --output both export --type ObjectAttr --field targetid=HRAPP
To export AD target account attributes:
script\export_data_components.py --dir export --output both export --type ObjectAttr --field targetid=AD
Export to a specific directory
A specific location can be specified for the script to export to. The default is the instance directory. The following will export to the specified folder. If the folder does not exist, it will create it.
export_data_components.py --dir c:\Temp export
Additional export options
The script can filter the results using the following options.
| Option | Meaning |
|---|---|
| --audit | Try to calculate changes from the audit table. |
| --comparison_set | A json configuration to compare product configuration against. You can generate complete comparison sets using product_json mode. |
| --ignore_filesystem | Ignore existing components in component\Default and component\Custom. |
| --type | The idmconfig Type of the desired object. If none is given, all types will be searched. |
| --field | Key/Value pair of form: key=value. Specify a single key/value pair to match against. Can be specified multiple times. |
| --user or --not_user | Specify audit user(s) to search or filter out configs for. |
| --module or --not_module | Specify audit module(s) to search or filter out configs for. |
| --start_time | A start time to search for configs from. The format is SQL format YYYY-MM-DD hh:mm:ss |
| --end_time | An end time to search for configs to. The format is SQL format YYYY-MM-DD hh:mm:ss |
Encrypted fields
The script will not decrypt encrypted fields in the component configurations. When moving components to a new environment, the script can be used to ensure the encryption is valid. If the script determines that the encrypted fields are not valid it will allow the user to update the fields.
To use this option, the new components will be copied into the Custom directory of the new environment. To validate the encrypted fields, specify the check_encrypted option.
export_data_components.py check_encrypted
Product configuration dump
The script can output a complete product configuration into a single json file. This json configuration can be used when exporting with the comparison_set option.
export_data_components.py product_json