Using PFMigrate Utility
Prerequisites
Obtain the following details:
CipherTrust Manager IP Address.
CipherTrust Manager port (by default it's 443).
Web Server Certificate Fingerprint for CipherTrust Manager.
Username for CipherTrust Manager Administrator.
Password for CipherTrust Manager Administrator.
Domain for CipherTrust Manager (by default, it's root).
Note
If the destination CipherTrust Manager is not the same as the source, then all of the above details are required for the destination CipherTrust Manager too.
How to use PFMigrate
This section is divided into the following parts:
Migrating clients and their encryption policies.
Migrating NAS encryption policies bound to clients.
Migrating cluster policies.
Migration of local policies
The first step in migrating the clients from PF to CTE is to run the utility with the --create / -c option. This creates the sample input files.
[root@myvm PFMigrate] # ./pfmigrate -c
Flag: --create or -c
The option will fetch PF clients and shares from the CipherTrust and create input files for the migration.
Results
Enter IP address of the CipherTrust Manager from which you are importing ProtectFile data: 192.168.0.5
Enter the port of the CipherTrust Manager from which you are importing ProtectFile data (Default 443):
Enter Web Server Certificate Fingerprint of the CipherTrust Manager from which you are importing ProtectFile data: 953746C2DA0817DDA18402E99B478F18416D5545AF006E593C6AC06C732172F5
Enter username of the CipherTrust Manager which is part of ProtectFile Admins and CTE Admins group: admin
Enter password of the CipherTrust Manager:
Enter domain of the CipherTrust Manager (optional): domain1
Successfully created sample input files:
1. pfClientInfo.json - List of clients on the CM
2. Mapping.json - List of network shares on the CM
Customize the files before running as input for the utility.
Run the utility with the --dryrun / -d option. This checks if all of the clients can be migrated to CTE.
[root@myvm PFMigrate] # ./pfmigrate -d
Flag: --dryrun or -d
The 'dryrun' flag provides a preview of the migration on a given input file.
Results
Enter IP address of the CipherTrust Manager from which you are importing ProtectFile data: 192.168.0.5
Enter the port of the CipherTrust Manager from which you are importing ProtectFile data (Default 443):
Enter Web Server Certificate Fingerprint of the CipherTrust Manager from which you are importing ProtectFile data: 953746C2DA0817DDA18402E99B478F18416D5545AF006E593C6AC06C732172F5
Enter username of the CipherTrust Manager which is part of ProtectFile Admins and CTE Admins group: admin
Enter password of the CipherTrust Manager:
Enter domain of the CipherTrust Manager (optional): domain1
Do you wish to migrate Network Shares configured with ProtectFile linux clients? (Y/N): N
Is the source CM, where you are importing ProtectFile data, different from the target server CM where you want to create CTE endpoints? (Y/N): N
Response
Reading the input file pfClientinfo.json
The number of ProtectFile Clients in the input file: 8
.
DryRun Finished Successfully!
------------SUMMARY-------------
Number of PF Clients: 8
Number of failed CTE Clients: 0
Number of successfully validated CTE Clients: 8
-----------------------------------------------
Please check DryRun report for details ...
This creates a Dry Run Report log file too. Note that in the above example, network shares were not transferred.
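One way to gate the normal-mode run on the DryRun report, as an added example that is not part of the PFMigrate utility: it parses the report's "Number of ..." counters and fails closed if any failure counter is non-zero or if none is found. The sample lines follow the report format shown under Migrating Cluster Policies; the function names are hypothetical.

```python
import re

# One report line: "[DryRun Mode] YYYY/MM/DD HH:MM:SS Number of <something>: <count>"
LINE = re.compile(
    r"^\[DryRun Mode\] \d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} (Number of [^:]+): (\d+)\s*$"
)

def parse_report(report_text):
    """Return {counter name: value} for every 'Number of ...' line in the report."""
    counters = {}
    for line in report_text.splitlines():
        match = LINE.match(line.strip())
        if match:
            counters[match.group(1)] = int(match.group(2))  # last occurrence wins
    return counters

def ready_for_normal_mode(report_text):
    """Return (ok, reasons). ok is True only if every failure counter is zero."""
    counters = parse_report(report_text)
    failure_counters = {k: v for k, v in counters.items() if "failed" in k.lower()}
    if not failure_counters:
        # Fail closed: an empty or truncated report must not be read as success.
        return False, ["no failure counters found; report missing or truncated"]
    reasons = [f"{name}: {value}" for name, value in failure_counters.items() if value > 0]
    return (not reasons), reasons

# Sample lines in the format of the DryRun report excerpt on this page.
SAMPLE_REPORT = """\
[DryRun Mode] 2022/01/13 10:58:38 The user opted not to migrate network shares.
[DryRun Mode] 2022/01/13 10:58:38 Number of PF Clusters on CM: 1
[DryRun Mode] 2022/01/13 10:58:38 ------------SUMMARY---------------------------------
[DryRun Mode] 2022/01/13 10:58:38 Number of PF Clients: 6
[DryRun Mode] 2022/01/13 10:58:38 Number of failed CTE Clients: 6
[DryRun Mode] 2022/01/13 10:58:38 Number of successfully migrated CTE Clients: 0
[DryRun Mode] 2022/01/13 10:58:38 Number of PF Cluster: 1
[DryRun Mode] 2022/01/13 10:58:38 Number of PF Clusters failed to migrate: 0
[DryRun Mode] 2022/01/13 10:58:38 Number of successfully validated CTE Clusters: 1
"""

if __name__ == "__main__":
    ok, reasons = ready_for_normal_mode(SAMPLE_REPORT)
    print("proceed to normal mode" if ok else "do not proceed:", reasons)
```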
After DryRun mode is successful, you need to run the utility in normal mode. Running in normal mode does not require defining any options.
[root@myvm PFMigrate] # ./pfmigrate
You have opted to run the utility in normal mode.
We recommended to perform a dryrun on a your input file before doing actual migration.
Enter 'YES' if want to continue in running the utility in the normal mode?
Results
Enter IP address of the CipherTrust Manager from which you are importing ProtectFile data: 192.168.0.5
Enter the port of the CipherTrust Manager from which you are importing ProtectFile data (Default 443):
Enter Web Server Certificate Fingerprint of the CipherTrust Manager from which you are importing ProtectFile data: 953746C2DA0817DDA18402E99B478F18416D5545AF006E593C6AC06C732172F5
Enter username of the CipherTrust Manager which is part of ProtectFile Admins and CTE Admins group: admin
Enter password of the CipherTrust Manager:
Enter domain of the CipherTrust Manager (optional): domain1
Do you wish to migrate Network Shares configured with ProtectFile linux clients? (Y/N): N
Is the source CM, you are importing ProtectFile data, different from the target server CM where you want to create CTE endpoints? (Y/N): N
Response
Reading the input file pfClientinfo.json
The number of ProtectFile Clients in the input file: 8
.
Migration (normal mode) Finished Successfully!
------------SUMMARY-------------
Number of PF Clients: 8
Number of failed CTE Clients: 0
Number of successfully migrated CTE Clients: 8
--------------------------------
Please check logs for details ...
You can now see the clients in CTE in CM.
Migration of NAS policies
As with the previous method, follow the same steps: create the input files, run a dryrun, and then run in normal mode.
When you use --create / -c mode, then apart from the pfClientInfo.json file, a mapping.json file must also be created. This is the map file for PF clients and the NAS servers associated with them. If there is any network share that you do not want to migrate, then you need to alter the file.
[root@myvm PFMigrate] # cat mapping.json
[
  {
    "name": "JenkinsTest-Of205fcOc07f",
    "id": "c97c2de3-d830-4c0a-bla7-0615d48c2f38",
    "ipHostname": "NOIENC1PFL-VS10",
    "isBootstrapped": true
  },
  {
    "name": "Win-Acceptance_lfc23bd05ea",
    "id": "37d32744-f665-4276-878b-d257cc404a95",
    "ipHostname": "N0IENC1PFW-afc2",
    "isBootstrapped": true
  }
]
To migrate NAS policies from PF to CTE, add the clients to the pfClientInfo.json file. If any NAS servers are described in mapping.json but the client is not defined in pfClientInfo.json, then the NAS policies will not migrate for those servers. These two files are tightly coupled with each other.
[root@myvm PFMigrate] # ./pfmigrate -d
Flag: --dryrun or -d
The 'dryrun' flag provides a preview of the actual migration on a given input file.
Results
Enter IP address of the CipherTrust Manager from which you are importing ProtectFile data: 192.168.0.5
Enter the port of the CipherTrust Manager from which you are importing ProtectFile data (Default 443):
Enter Web Server Certificate Fingerprint of the CipherTrust Manager from which you are importing ProtectFile data: 953746C2DA0817DDA18402E99B478F18416D5545AF006E593C6AC06C732172F5
Enter username of the CipherTrust Manager which is part of ProtectFile Admins and CTE Admins group: admin
Enter password of the CipherTrust Manager:
Enter domain of the CipherTrust Manager (optional): domain1
Do you wish to migrate Network Shares configured with ProtectFile linux clients? (Y/N): Y
Failed while fetching and parsing PF share to mountpoint mapping file
ERROR: empty ShareName/MountPoint in mapping file
DryRun mode Failed!, check logs for details ...
By default, the MountPoint parameter is empty. You must fill in the mount points for all of the network shares that you wish to migrate.
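A pre-flight check for the two input files, as an added example that is not part of the PFMigrate utility or the original page: it flags mapping.json entries whose client is missing from pfClientInfo.json and shares with an empty ShareName or MountPoint, before a dry run is attempted. The field names ShareName and MountPoint come from the error message above; the "shares" key, the nesting of share entries and all sample values are assumptions.

```python
import json

def find_shares(node):
    """Yield every dict under node that has a ShareName or MountPoint key."""
    if isinstance(node, dict):
        if "ShareName" in node or "MountPoint" in node:
            yield node
        for value in node.values():
            yield from find_shares(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_shares(item)

def preflight(clients_json, mapping_json):
    """Return the problems that would fail the dry run or skip NAS policies."""
    client_ids = {c["id"] for c in json.loads(clients_json) if c.get("id")}
    problems = []
    for entry in json.loads(mapping_json):
        label = entry.get("name") or entry.get("id") or "<unnamed>"
        # The two files are coupled: a mapping entry without a matching client is skipped.
        if entry.get("id") not in client_ids:
            problems.append(f"{label}: not in pfClientInfo.json, NAS policies will not migrate")
        # MountPoint is empty by default and must be filled in before the dry run.
        for share in find_shares(entry):
            for field in ("ShareName", "MountPoint"):
                if not str(share.get(field) or "").strip():
                    problems.append(f"{label}: empty {field}")
    return problems

# Constructed sample input: the "shares" key and every value are assumptions.
SAMPLE_CLIENTS = json.dumps([
    {"name": "client-a", "id": "id-0001", "ipHostname": "host-a", "isBootstrapped": True},
])
SAMPLE_MAPPING = json.dumps([
    {"name": "client-a", "id": "id-0001",
     "shares": [{"ShareName": "//nas1/finance", "MountPoint": ""},
                {"ShareName": "//nas1/hr", "MountPoint": "/mnt/hr"}]},
    {"name": "client-b", "id": "id-0002",
     "shares": [{"ShareName": "//nas2/eng", "MountPoint": "/mnt/eng"}]},
])

if __name__ == "__main__":
    for problem in preflight(SAMPLE_CLIENTS, SAMPLE_MAPPING):
        print("FAIL:", problem)
```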
[root@myvm PFMigrate] # ./pfmigrate -d
Flag: --dryrun or -d
The 'dryrun' flag provides a preview of the actual migration on a given input file.
Results
Enter IP address of the CipherTrust Manager from which you are importing ProtectFile data: 192.168.0.5
Enter the port of the CipherTrust Manager from which you are importing ProtectFile data (Default 443):
Enter Web Server Certificate Fingerprint of the CipherTrust Manager from which you are importing ProtectFile data: 953746C2DA0817DDA18402E99B478F18416D5545AF006E593C6AC06C732172F5
Enter username of the CipherTrust Manager which is part of ProtectFile Admins and CTE Admins group: admin
Enter password of the CipherTrust Manager:
Enter domain of the CipherTrust Manager (optional): domain1
Do you wish to migrate Network Shares configured with ProtectFile linux clients? (Y/N): n
Is the source CM, you are importing ProtectFile data, different from the target server CM where you want to create CTE endpoints? (Y/N): N
Reading the input file pfClientinfo.json
The number of ProtectFile Clients in the input file: 6
.
Migration Finished Successfully!
------------SUMMARY-------------
Number of PF Clients: 6
Number of failed CTE Clients: 6
Number of successfully validated CTE Clients: 0
-----------------------------------------------
Please check logs for details ...
After the DryRun mode is successful, you can run the utility in Normal Mode with the "Y" option selected when asked for "If you wish to migrate Network Shares...".
[root@myvm PFMigrate] # ./pfmigrate
You have opted to run the utility in normal mode.
We recommended to perform a dryrun on a your input file before doing actual migration.
Enter 'YES' if want to continue in running the utility in the normal mode? Yes
Results
Enter IP address of the CipherTrust Manager from which you are importing ProtectFile data: 192.168.0.5
Enter the port of the CipherTrust Manager from which you are importing ProtectFile data (Default 443):
Enter Web Server Certificate Fingerprint of the CipherTrust Manager from which you are importing ProtectFile data: 953746C2DA0817DDA18402E99B478F18416D5545AF006E593C6AC06C732172F5
Enter username of the CipherTrust Manager which is part of ProtectFile Admins and CTE Admins group: admin
Enter password of the CipherTrust Manager:
Enter domain of the CipherTrust Manager (optional): domain1
Do you wish to migrate Network Shares configured with ProtectFile linux clients? (Y/N): Y
Is the source CM, you are importing ProtectFile data, different from the target server CM where you want to create CTE endpoints? (Y/N): N
Reading the input file pfClientinfo.json
The number of ProtectFile Clients in the input file: 6
.
Migration (normal mode) Finished Successfully!
------------SUMMARY-------------
Number of PF Clients: 6
Number of failed CTE Clients: 1
Number of successfully migrated CTE Clients: 5
----------------------------------------------
Please check logs for details ...
Migrating Cluster Policies
Cluster policies are automatically migrated if the clients of the cluster policy are defined in the pfClientInfo.json file. The steps for migration are similar to the steps for local policies.
Create the pfClientInfo.json file with the cluster clients listed in it.
[root@myvm PFMigrate] # cat pfClientinfo.json
[
  {
    "name": "Clusterl 2Kl9",
    "id": "f3cbb52d-eb08-4481-Beb7-b9b38084b4db",
    "ipHostname": "WIN-CLSTl",
    "isBootstrapped": true
  },
  {
    "name": "Cluster2 2Kl9",
    "id": "b2f9de37-c0e7-45d0-Bf4a-ef4c8060f939",
    "ipHostname": "WIN-CLST2",
    "isBootstrapped": true
  }
]
Run the utility using DryRun Mode:
[root@myvm PFMigrate] # cat DryRunReport .
[DryRun Mode] 2022/01/13 10:56:51 --------------------------DryRun Report-------------
[DryRun Mode] 2022/01/13 10:56:51 ####################################################
[DryRun Mode] 2022/01/13 10:58:38 The user opted not to migrate network shares.
[DryRun Mode] 2022/01/13 10:58:38 Number of PF Clusters on CM: 1
[DryRun Mode] 2022/01/13 10:58:38 ------------SUMMARY---------------------------------
[DryRun Mode] 2022/01/13 10:58:38 Number of PF Clients: 6
[DryRun Mode] 2022/01/13 10:58:38 Number of failed CTE Clients: 6
[DryRun Mode] 2022/01/13 10:58:38 Number of successfully migrated CTE Clients: 0
[DryRun Mode] 2022/01/13 10:58:38 -------------------------------------------------
[DryRun Mode] 2022/01/13 10:58:38 Number of PF Cluster: 1
[DryRun Mode] 2022/01/13 10:58:38 Number of PF Clusters failed to migrate: 0
[DryRun Mode] 2022/01/13 10:58:38 Number of successfully validated CTE Clusters: 1
[DryRun Mode] 2022/01/13 10:58:38 ####################################################
[DryRun Mode] 2022/01/13 10:58:38 ####################################################################
[DryRun Mode] 2022/01/13 10:58:38 --------------------------DryRun Report-----------------------------
[DryRun Mode] 2022/01/13 10:58:38 ####################################################################
[DryRun Mode] 2022/01/13 10:58:38 --------------------------DryRun Report-----------------------------
[DryRun Mode] 2022/01/13 10:58:38 ####################################################################
Now run in normal mode:
[root@myvm PFMigrate] # ./pfmigrate
You have opted to run the utility in normal mode.
We recommended to perform a dryrun on a your input file before doing actual migration.
Enter 'YES' if want to continue in running the utility in the normal mode? Yes
Results
Enter IP address of the CipherTrust Manager from which you are importing ProtectFile data: 192.168.0.5
Enter the port of the CipherTrust Manager from which you are importing ProtectFile data (Default 443):
Enter Web Server Certificate Fingerprint of the CipherTrust Manager from which you are importing ProtectFile data: 953746C2DA0817DDA18402E99B478F18416D5545AF006E593C6AC06C732172F5
Enter username of the CipherTrust Manager which is part of ProtectFile Admins and CTE Admins group: admin
Enter password of the CipherTrust Manager:
Enter domain of the CipherTrust Manager (optional): domain1
Do you wish to migrate Network Shares configured with ProtectFile linux clients? (Y/N): N
Is the source CM, you are importing ProtectFile data, different from the target server CM where you want to create CTE endpoints? (Y/N): N
Response
Reading the input file pfClientinfo.json
The number of ProtectFile Clients in the input file: 6
Migration (normal mode) Finished Successfully!
------------SUMMARY-------------
Number of PF Clients: 6
Number of failed CTE Clients: 1
Number of successfully migrated CTE Clients: 5
------------------------------------------------------
Please check logs for details ...
Getting Help
The pfmigrate utility is a command-line interface that helps the user create CTE resources corresponding to the existing PF resources on the CipherTrust Manager.
You can migrate single, multiple, or all ProtectFile clients by providing a list of PF clients in a predefined input file to perform migration. You can also preview the result before actual migration by running the utility in dryrun mode.
Usage:
  pfmigrate [flags]
Flags:
  -c, --create    Flag to create input files for migration
  -d, --dryrun    Flag to run the utility to validate input files and preview output
  -h, --help      help for pfmigrate
  -v, --version   Flag to display the current version
Getting the latest version of the PFMigrate Utility
./pfmigrate -v
Results
pfmigrate 2.0.008