PFMigrate Utility Modes
Different modes of PFMigrate
PFMigrate has three modes. You call these modes with flags:
Mode Name | Flag | Description |
---|---|---|
Create | -c | Creates input files for migration. |
Dry run | -d | Allows you to preview the output. |
Normal Mode | | Migrates the resources as per the input file. |
Other flags:
Flag Name | Flag | Description |
---|---|---|
Help | -h | Displays help information for pfmigrate. |
Product Name | -p | Allows you to enter a target product name. |
Version | -v | Displays the current version. |
The product name (-p) flag allows you to specify the target product. Valid values are CTE/cte or CTE-U/cte-u, with CTE as the default value.
Example of specifying product name:
Note
You MUST specify the productname tag with every mode.
Create Mode
This mode fetches the ProtectFile and CTE UserSpace clients and shares from the CipherTrust Manager and creates the input files for the migration. Thales recommends that you run this mode before the Dry Run or Normal mode. If you want to migrate only specific clients, edit the newly created sample file pfClientInfo.json.
Example of pfClientInfo.json
Response:
Similarly, edit the Mapping.json file if you want to migrate any specific network shares.
Example of Mapping.json
Response:
Dry Run Mode
Dry Run mode is a simple validation mode. It runs a validation for all of the clients listed in the pfClientInfo.json file to check whether those clients can be migrated.
Thales recommends that you run in Dry Run mode before migrating the clients to CTE and/or CTE-U. When you run the utility in this mode, a Dry Run Report is generated. It gives you a summary of the clients that can be migrated, along with a failure report so that you can rectify the input file before running the actual migration in Normal mode.
Example of Dry Run Report
Response
Normal Mode
When the utility is executed in this mode, all of the clients (mentioned in pfClientInfo.json) and the Network Shares (mentioned in Mapping.json) will be migrated to their equivalent configuration elements in CTE or CTE-U in the following order:
- All of the access policies
- The client
- All of the encryption policies
For each encryption policy in ProtectFile, two corresponding CTE policies are created: a transform policy and the actual encryption policy. Migration to CTE-U v10 does not need any data transformation, so only one encryption policy is created.
If the utility modifies any resource name due to CTE or CTE-U naming conventions, the description field notes that the client has been migrated from ProtectFile (or CTE-U) and includes the original name. You can also check this mapping in the mapping file (PfMapping.json) created at the completion of migration.
Example of Mapping.txt
Response
    {
      "mapping": [
        {
          "${fuse}_client_name": "Explorer c81d6a59al6",
          "cte_client_name": "explorer_c81d6a59al6"
        },
        {
          "${fuse}_client_name": "Win-Acceptance_db9c2e65746",
          "cte_client_name": "win-acceptance_db9c2e65746"
        }
      ]
    }
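
After a migration, the mapping file can be audited to list every client whose name changed and to catch two source clients that ended up under one target name. The script below is an added example, not part of the PFMigrate utility or its documentation; only the `mapping` list and the `cte_client_name` key come from the example above, while `source_client_name` and the last two sample entries are constructed assumptions.

```python
import json
from collections import defaultdict

TARGET_KEY = "cte_client_name"  # target-side key, as in the page's mapping example

# Constructed sample in the page's layout. "source_client_name" is an assumed
# stand-in for the source-side key; the last two entries are invented.
SAMPLE = """
{ "mapping": [
  { "source_client_name": "Explorer c81d6a59al6", "cte_client_name": "explorer_c81d6a59al6" },
  { "source_client_name": "Win-Acceptance_db9c2e65746", "cte_client_name": "win-acceptance_db9c2e65746" },
  { "source_client_name": "explorer c81d6a59al6", "cte_client_name": "explorer_c81d6a59al6" },
  { "source_client_name": "db01", "cte_client_name": "db01" }
] }
"""


def audit_mapping(text):
    """Return (renamed, collisions) for a mapping document.

    renamed    -- [(source, target)] for every client whose name changed
    collisions -- {target: [sources]} where several sources share one target
    """
    by_target = defaultdict(set)
    renamed = []
    for entry in json.loads(text).get("mapping", []):
        if TARGET_KEY not in entry:
            raise ValueError(f"entry has no {TARGET_KEY}: {entry!r}")
        # Treat the single remaining key as the source-side name, whatever it is called.
        sources = [v for k, v in entry.items() if k != TARGET_KEY]
        if len(sources) != 1:
            raise ValueError(f"expected one source name in {entry!r}")
        source, target = sources[0], entry[TARGET_KEY]
        by_target[target].add(source)
        if source != target:
            renamed.append((source, target))
    collisions = {t: sorted(s) for t, s in by_target.items() if len(s) > 1}
    return renamed, collisions


if __name__ == "__main__":
    renamed, collisions = audit_mapping(SAMPLE)
    for source, target in renamed:
        print(f"renamed:   {source!r} -> {target!r}")
    for target, sources in collisions.items():
        print(f"COLLISION: {sources} all map to {target!r}")
```

Any collision reported here means policies written for distinct source clients now refer to one target name, so review those clients before relying on the migrated access and encryption policies.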