Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

PFMigrate Utility

Using PFMigrate Utility

search

Please Note:

print

Using PFMigrate Utility

copy link to clipboardPrerequisites

Obtain the following details:

  1. CipherTrust Manager IP Address.

  2. CipherTrust Manager port (by default it's 443).

  3. Web Server Certificate Fingerprint for CipherTrust Manager.

  4. Username for CipherTrust Manager Administrator.

  5. Password for CipherTrust Manager Administrator.

  6. Domain for CipherTrust Manager, (by default its root).

Note

If the destination of CipherTrust Manager is not the same, then all of the above details are required for the destination CipherTrust Manager too.

copy link to clipboardHow to use PFMigrate

This section is divided in the following sections:

  1. Migrating clients and their encryption policies.

  2. Migrating NAS encryption policies bounded with client.

  3. Migrating cluster policies.

copy link to clipboardMigration of local policies

  1. First step to migrating the clients from PF to CTE is to use --create / -c option. This creates a sample file.

    [root@myvm PFMigrate] # ./pfmigrate -c
Flag: --create or -c
The option will fetch PF clients and shares from the CipherTrust and create input files for the migration.
    copy link to clipboardResults
    Enter IP address of the CipherTrust Manager from which you are importing ProtectFile data: 192.168.0.5
Enter the port of the CipherTrust Manager from which you are importing ProtectFile data (Default 443):
Enter Web Server Certificate Fingerprint of the CipherTrust Manager from which you are importing ProtectFile data: 953746C2DA0817DDA18402E99B478F18416D5545AF006E593C6AC06C732172F5
Enter username of the CipherTrust Manager which is part of ProtectFile Admins and CTE Admins group: admin
Enter password of the CipherTrust Manager:
Enter domain of the CipherTrust Manager (optional): domain1

Successfully created sample input files:
1. pfClientInfo.json - List of clients on the CM
2. Mapping.json - List of network shares on the CM
Customize the files before running as input for the utility.

  2. Run the utility with the --dryrun / -d option. This checks if all of the clients can be migrated to CTE. 

    [root@myvm PFMigrate] # ./pfmigrate -d
Flag: --dryrun or -d
The 'dryrun' flag provides a preview of the migration on a given input file.
    copy link to clipboardResults
    Enter IP address of the CipherTrust Manager from which you are importing ProtectFile data: 192.168.0.5
Enter the port of the CipherTrust Manager from which you are importing ProtectFile data (Default 443):
Enter Web Server Certificate Fingerprint of the CipherTrust Manager from which you are importing ProtectFile data: 953746C2DA0817DDA18402E99B478F18416D5545AF006E593C6AC06C732172F5
Enter username of the CipherTrust Manager which is part of ProtectFile Admins and CTE Admins group: admin
Enter password of the CipherTrust Manager:
Enter domain of the CipherTrust Manager (optional): domain1
Do you wish to migrate Network Shares configured with ProtectFile linux clients? (Y/N): N
Is the source CM, where you are importing ProtectFile data, different from the target server CM where you want to create CTE endpoints? (Y/N): N
    copy link to clipboardResponse
    Reading the input file pfClientinfo.json
The number of ProtectFile Clients in the input file: 8
.
DryRun Finished Successfully!
------------SUMMARY-------------
Number of PF Clients: 8
Number of failed CTE Clients: 0
Number of successfully validated CTE Clients: 8
-----------------------------------------------
Please check DryRun report for details ...

    This creates a Dry Run Report log file too. Note that in the above example, network shares were not transferred.

  3. After DryRun mode is successful, you need to run the utility in normal mode. Running in normal mode does not require defining any options.

    [root@myvm PFMigrate] # ./pfmigrate
You have opted to run the utility in normal mode.
We recommended to perform a dryrun on a your input file before doing actual migration.
Enter 'YES' if want to continue in running the utility in the normal mode?
    copy link to clipboardResults
    Enter IP address of the CipherTrust Manager from which you are importing ProtectFile data: 192.168.0.5
Enter the port of the CipherTrust Manager from which you are importing ProtectFile data (Default 443):
Enter Web Server Certificate Fingerprint of the CipherTrust Manager from which you are importing ProtectFile data: 953746C2DA0817DDA18402E99B478F18416D5545AF006E593C6AC06C732172F5
Enter username of the CipherTrust Manager which is part of ProtectFile Admins and CTE Admins group: admin
Enter password of the CipherTrust Manager:
Enter domain of the CipherTrust Manager (optional): domain1
Do you wish to migrate Network Shares configured with ProtectFile linux clients? (Y/N): N
Is the source CM, you are importing ProtectFile data, different from the target server CM where you want to create CTE endpoints? (Y/N): N
    copy link to clipboardResponse
    Reading the input file pfClientinfo.json
The number of ProtectFile Clients in the input file: 8
.
Migration (normal mode) Finished Successfully!
------------SUMMARY-------------
Number of PF Clients: 8
Number of failed CTE Clients: 0
Number of successfully migrated CTE Clients: 8
--------------------------------
Please check logs for details ...

  4. You can now see the clients in CTE in CM:

    CM after PFM

copy link to clipboardMigration of NAS policies

Similar to the previous method, you need to follow the steps above and creating, running a dryrun and then running in normal mode.

  1. When you use --create/ -c mode, then apart from the pfClientInfo.json file, a mapping.json also must be created. This is the map file for PF clients and the NAS servers associated with it. If there is any network share that you do not want to migrate, then you need to alter the file.

    [root@myvm PFMigrate] #cat mapping.json

    [
    {
        "name": "JenkinsTest-Of205fcOc07f",
        ''id'': "c97c2de3-d830-4c0a-bla7-0615d48c2f38'',
        "ipHostname": "NOIENC1PFL-VS10",
        "isBootstrapped": true
        },
        {
        "name": "Win-Acceptance_lfc23bd05ea",
        ''id'': "37d32744-f665-4276-878b-d257cc404a95'',
        "ipHostname": "N0IENC1PFW-afc2",
        "isBootstrapped": true
    }
]

  2. To migrate NAS polices from PF to CTE, add the clients to the pfClientInfo.json file. If any NAS servers are described in mapping.json but the client is not defined in pfClientInfo.json, then the NAS policies will not migrate for those servers. These two files are tightly coupled with each other.

    [root@myvm PFMigrate] # ./pfmigrate -d
Flag: --dryrun or -d
The 'dryrun' flag provides a preview of the actual migration on a given input file.
    copy link to clipboardResults
    Enter IP address of the CipherTrust Manager from which you are importing ProtectFile data: 192.168.0.5
Enter the port of the CipherTrust Manager from which you are importing ProtectFile data (Default 443):
Enter Web Server Certificate Fingerprint of the CipherTrust Manager from which you are importing ProtectFile data: 953746C2DA0817DDA18402E99B478F18416D5545AF006E593C6AC06C732172F5
Enter username of the CipherTrust Manager which is part of ProtectFile Admins and CTE Admins group: admin
Enter password of the CipherTrust Manager:
Enter domain of the CipherTrust Manager (optional): domain1
Do you wish to migrate Network Shares configured with ProtectFile linux clients? (Y/N): Y
Failed while fetching and parsing PF share to mountpoint mapping file
ERROR: empty ShareName/MountPoint in mapping file
DryRun mode Failed!, check logs for details ...

    By default, the MountPoint parameter is empty. You must fill in the mount points for all of the network shares that you wish to migrate.

    [root@myvm PFMigrate] # ./pfmigrate -d
Flag: --dryrun or -d
The 'dryrun' flag provides a preview of the actual migration on a given input file.
    copy link to clipboardResults
    Enter IP address of the CipherTrust Manager from which you are importing ProtectFile data: 192.168.0.5
Enter the port of the CipherTrust Manager from which you are importing ProtectFile data (Default 443):
Enter Web Server Certificate Fingerprint of the CipherTrust Manager from which you are importing ProtectFile data: 953746C2DA0817DDA18402E99B478F18416D5545AF006E593C6AC06C732172F5
Enter username of the CipherTrust Manager which is part of ProtectFile Admins and CTE Admins group: admin
Enter password of the CipherTrust Manager:
Enter domain of the CipherTrust Manager (optional): domain1
Do you wish to migrate Network Shares configured with ProtectFile linux clients? (Y/N): n
Is the source CM, you are importing ProtectFile data, different from the target server CM where you want to create CTE endpoints? (Y/N): N
Reading the input file pfClientinfo.json
The number of ProtectFile Clients in the input file: 6
.
Migration Finished Successfully!
------------SUMMARY-------------
Number of PF Clients: 6
Number of failed CTE Clients: 6
Number of successfully validated CTE Clients: 0
-----------------------------------------------
Please check logs for details ...

  3. After the DryRun mode is successful, you can run the utility in Normal Mode with the "Y" option selected when asked for "If you wish to migrate Network Shares...".

    [root@myvm PFMigrate] # ./pfmigrate
You have opted to run the utility in normal mode.
We recommended to perform a dryrun on a your input file before doing actual migration.
Enter 'YES' if want to continue in running the utility in the normal mode? Yes
    copy link to clipboardResults
    Enter IP address of the CipherTrust Manager from which you are importing ProtectFile data: 192.168.0.5
Enter the port of the CipherTrust Manager from which you are importing ProtectFile data (Default 443):
Enter Web Server Certificate Fingerprint of the CipherTrust Manager from which you are importing ProtectFile data: 953746C2DA0817DDA18402E99B478F18416D5545AF006E593C6AC06C732172F5
Enter username of the CipherTrust Manager which is part of ProtectFile Admins and CTE Admins group: admin
Enter password of the CipherTrust Manager:
Enter domain of the CipherTrust Manager (optional): domain1
Do you wish to migrate Network Shares configured with ProtectFile linux clients? (Y/N): Y
Is the source CM, you are importing ProtectFile data, different from the target server CM where you want to create CTE endpoints? (Y/N): N
Reading the input file pfClientinfo.json
The number of ProtectFile Clients in the input file: 6
.
Migration (normal mode) Finished Successfully!
------------SUMMARY-------------
Number of PF Clients: 6
Number of failed CTE Clients: 1
Number of successfully migrated CTE Clients: 5
----------------------------------------------
Please check logs for details ...

copy link to clipboardMigrating Cluster Policies

Cluster policies are automatically migrated if the clients of the cluster policy are defined in pfClientInfo.json file. The steps for migration are similar to the steps for local policies.

  1. Create pfClientInfo.json file with cluster clients mentioned in it.

    [root@myvm PFMigrate] #cat pfClientinfo.json

    [
 {
    "name": "Clusterl 2Kl9",
    ''id'': "f3cbb52d-eb08-4481-Beb7-b9b38084b4db",
    "ipHostname": "WIN-CLSTl .. '
    "isBootstrapped": true
 },
 {
    "name": "Cluster2 2Kl9", 
    ''id'': "b2f9de37-c0e7-45d0-Bf4a-ef4c8060f939",
    "ipHostname": "WIN-CLST2",
    "isBootstrapped": true
    
 }
]

  2. Run the utility using DryRun Mode:

    [root@myvm PFMigrate] # cat DryRunReport
.
[DryRun Mode] 2022/01/13 10:56:51    --------------------------DryRun Report-------------
[DryRun Mode] 2022/01/13 10:56:51    ####################################################
[DryRun Mode] 2022/01/13 10:58:38    The user opted not to migrate network shares.
[DryRun Mode] 2022/01/13 10:58:38    Number of PF Clusters on CM: 1
[DryRun Mode] 2022/01/13 10:58:38    ------------SUMMARY---------------------------------
[DryRun Mode] 2022/01/13 10:58:38      Number of PF Clients: 6 
[DryRun Mode] 2022/01/13 10:58:38      Number of failed CTE Clients: 6 
[DryRun Mode] 2022/01/13 10:58:38      Number of successfully migrated CTE Clients: 0
[DryRun Mode] 2022/01/13 10:58:38    -------------------------------------------------
[DryRun Mode] 2022/01/13 10:58:38      Number of PF Cluster: 1 
[DryRun Mode] 2022/01/13 10:58:38      Number of PF Clusters failed to migrate: 0 
[DryRun Mode] 2022/01/13 10:58:38      Number of successfully validated CTE Clusters: 1
[DryRun Mode] 2022/01/13 10:58:38    ####################################################
[DryRun Mode] 2022/01/13 10:58:38   ####################################################################
[DryRun Mode] 2022/01/13 10:58:38   --------------------------DryRun Report-----------------------------  
    
[DryRun Mode] 2022/01/13 10:58:38   ####################################################################
[DryRun Mode] 2022/01/13 10:58:38   --------------------------DryRun Report-----------------------------
[DryRun Mode] 2022/01/13 10:58:38   ####################################################################

  3. Now run in normal mode:

    [root@myvm PFMigrate] # ./pfmigrate
You have opted to run the utility in normal mode.
We recommended to perform a dryrun on a your input file before doing actual migration.
Enter 'YES' if want to continue in running the utility in the normal mode? Yes
    copy link to clipboardResults
    Enter IP address of the CipherTrust Manager from which you are importing ProtectFile data: 192.168.0.5
Enter the port of the CipherTrust Manager from which you are importing ProtectFile data (Default 443):
Enter Web Server Certificate Fingerprint of the CipherTrust Manager from which you are importing ProtectFile data: 953746C2DA0817DDA18402E99B478F18416D5545AF006E593C6AC06C732172F5
Enter username of the CipherTrust Manager which is part of ProtectFile Admins and CTE Admins group: admin
Enter password of the CipherTrust Manager:
Enter domain of the CipherTrust Manager (optional): domain1
Do you wish to migrate Network Shares configured with ProtectFile linux clients? (Y/N): N
Is the source CM, you are importing ProtectFile data, different from the target server CM where you want to create CTE endpoints? (Y/N): N
    copy link to clipboardResponse
    Reading the input file pfClientinfo.json
The number of ProtectFile Clients in the input file: 6
Migration (normal mode) Finished Successfully!
------------SUMMARY-------------
Number of PF Clients: 6
Number of failed CTE Clients: 1
Number of successfully migrated CTE Clients: 5
------------------------------------------------------
Please check logs for details ...

  4. Getting Help

    The pfmigrate utility is a command-line interface that helps the user create CTE resources corresponding to the existing PF resources on the CipherTrust Manager.

    You can migrate single, multiple, or all ProtectFile clients by providing a list of PF clients in a predefined input file to perform migration. You can also preview the result before actual migration by running the utility in dryrun mode.

    Usage:
    pfmigrate [flags]

Flags:
    -c, --create    Flag to create input files for migration
    -d, --dryrun    Flag to run the utility to validate input files and preview output
    -h, --help      help for pfmigrate
    -v, --version   Flag to display the current version

  5. Getting the latest version of the PFMigrate Utility

    ./pfmigrate –v
    copy link to clipboardResults
    pfmigrate 2.0.008

On this page