IBM Verify

  • 1.  ISAM migration || WebSEAL objectspace || acl and pop attachment issue

    Posted Thu January 23, 2020 08:54 AM
    Hi Folks,

    I am doing a migration of an ISAM environment from ISAM 7.x (binary version) to ISAM 9.06 (appliance version).
    I have a doubt specific to the WebSEAL migration.

    Take an example:
    1. My old WebSEAL was hosted on a server, Server1, and the WebSEAL name was Default. All the ACL and POP attachments were to the object /WebSEAL/Server1-Default.

    2. My new ISAM 9.06 appliance is hosted on Server2. As per the process:
    a. I ran the migration perl script and created a zip file of the data exported by the perl script.
    b. I created a new WebSEAL called Default on Server2. This created another object in the policy server, /WebSEAL/Server2-Default.
    c. I imported the config zip which was created in step a. Migration was successful, WebSEAL was up and running after the restart, and all junctions also got migrated.

    However, none of the ACL and POP attachments were migrated to the new WebSEAL object, /WebSEAL/Server2-Default. I only see the default ACL and no POP attached; my expectation was that the old ACL and POP would have been attached to this new object. Do I need to apply the ACL and POP again? Or have I missed anything in the process?

    pdadmin sec_master> object show /WebSEAL/Server1-default/TestJunction
    Name:/WebSEAL/Server1-default/TestJunction
    Description:
    Type: 0 (Unknown)
    Is Policy Attachable: Yes
    Extended Attributes:
    Attached ACL: TestACL
    Attached POP: TestPOP
    Attached AuthzRule:

    pdadmin sec_master>object show /WebSEAL/Server2-default/TestJunction
    Name: object show /WebSEAL/Server2-default/TestJunction
    Description:
    Type: 16 (Management Object)
    Is Policy Attachable: Yes
    Extended Attributes:
    Attached ACL: default-webseal
    Attached POP: 
    Attached AuthzRule:

    ------------------------------
    Raj
    ------------------------------


  • 2.  RE: ISAM migration || WebSEAL objectspace || acl and pop attachment issue

    Posted Fri January 24, 2020 03:30 AM
    Hi,

    Is it a duplicate of the other post?

    --------
    Hi,

    The objectspace a WebSEAL honors is based on the server-name stanza entry.

    Usually, in an environment, multiple WebSEAL instances share a single objectspace, and that is done by using the same server-name value.

    Is that the case in your old environment? If yes, then you can do the same between the old and new environment:
    you can share the server-name of the old WebSEAL with the server-name of the new WebSEAL, which will automatically enforce the ACLs and POPs attached on the old objectspace.

    Similar to below:

    https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.0/com.ibm.isam.doc/wrp_config/task/tsk_replic_frontend_ws_srvr.html


    ------------------------------
    Tushar
    ------------------------------



  • 3.  RE: ISAM migration || WebSEAL objectspace || acl and pop attachment issue

    Posted Mon January 27, 2020 06:18 AM

    Thanks, Tushar, for your response.

    No, in the old environment the server-name entry is specific to the hostname of the WebSEAL and not a generic name shared across WebSEALs. Because of this, each of the WebSEALs from the old environment has an objectspace associated with the hostname.

    I can still refer to the old server-name entry in the new WebSEAL server; however, my concern is that if I go ahead and unconfigure the old WebSEAL server, the associated objectspace, which is now being referred to by the new WebSEAL server as well, will be cleaned up (I believe).
    Are there any other options?



    ------------------------------
    Raj
    ------------------------------



  • 4.  RE: ISAM migration || WebSEAL objectspace || acl and pop attachment issue

    Posted Fri January 24, 2020 03:48 PM
    Raj,

    The policy is considered to be 'owned' by the policy server and not the WebSEAL server. This means that a migration of a WebSEAL instance will not migrate the corresponding ACLs/POPs from the legacy software installation. If you want to migrate the policy you really need to first migrate the policy server.

    Thanks,

    Scott.

    ------------------------------
    Scott Exton
    IBM
    Gold Coast
    ------------------------------
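    As an added illustration (not code from the thread or from IBM), the following script shows how the reattachment that the opening post asks about and that Scott's reply implies can be driven from pdadmin output rather than by hand: it reads `pdadmin object show` blocks for the old objectspace, rewrites each object path onto the new objectspace root, and emits the matching `acl attach` / `pop attach` commands for review before they are fed to pdadmin. The object paths, ACL/POP names and sample output are constructed from the thread; the `pdadmin -a ... -p ...` invocation and the assumption that pdadmin reads commands from stdin in interactive mode are mine.

```shell
#!/bin/sh
# Added example: regenerate ACL/POP attachments for a migrated WebSEAL
# objectspace from "pdadmin object show" text. Not IBM code.
# Assumptions: old root /WebSEAL/Server1-default, new root
# /WebSEAL/Server2-default, input in the format pdadmin prints.

# gen_attach_cmds OLD_ROOT NEW_ROOT < object_show_output
# Reads one or more "object show" blocks from stdin and prints pdadmin
# "acl attach" / "pop attach" commands for the same paths under NEW_ROOT.
# Objects with no ACL or POP attached produce no output.
gen_attach_cmds() {
    old_root=$1
    new_root=$2
    awk -v old="$old_root" -v new="$new_root" '
        # "Name:" opens a block; remember the path rewritten onto NEW_ROOT
        /^[[:space:]]*Name:/ {
            sub(/^[[:space:]]*Name:[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            obj = $0
            if (index(obj, old) == 1) obj = new substr(obj, length(old) + 1)
            next
        }
        /^[[:space:]]*Attached ACL:/ {
            sub(/^[[:space:]]*Attached ACL:[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            if ($0 != "") print "acl attach " obj " " $0
            next
        }
        /^[[:space:]]*Attached POP:/ {
            sub(/^[[:space:]]*Attached POP:[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            if ($0 != "") print "pop attach " obj " " $0
            next
        }
    '
}

# Constructed sample: two "object show" blocks as pdadmin prints them.
# The second object has nothing attached (note the trailing space after
# "Attached POP:", which real output contains) and must produce no command.
sample_output() {
    cat <<'EOF'
Name: /WebSEAL/Server1-default/TestJunction
Description:
Type: 0 (Unknown)
Is Policy Attachable: Yes
Extended Attributes:
Attached ACL: TestACL
Attached POP: TestPOP
Attached AuthzRule:
Name: /WebSEAL/Server1-default/OtherJunction
Description:
Type: 0 (Unknown)
Is Policy Attachable: Yes
Extended Attributes:
Attached ACL:
Attached POP: 
Attached AuthzRule:
EOF
}

# Dry run: print the commands so they can be reviewed first. Once they look
# right, the same pipeline can be handed to pdadmin (assumed invocation):
#   sample_output | gen_attach_cmds /WebSEAL/Server1-default /WebSEAL/Server2-default \
#       | pdadmin -a sec_master -p "$PDADMIN_PW"
sample_output | gen_attach_cmds /WebSEAL/Server1-default /WebSEAL/Server2-default
```

Running the dry run against the sample prints two commands, one attaching TestACL and one attaching TestPOP to /WebSEAL/Server2-default/TestJunction; in a real migration the input would come from `object show` run over `object list` output for the old root, and the generated commands are worth diffing against the old objectspace before they are executed, since a mis-attached ACL silently changes who can reach a junction.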



  • 5.  RE: ISAM migration || WebSEAL objectspace || acl and pop attachment issue

    Posted Mon January 27, 2020 06:29 AM
    Hi Scott,
    Thanks for the response.
    I have done the Policy Server migration. However, the ACLs/POPs are attached to objectspaces which carry the hostname of the WebSEAL server. In the old implementation, the server-name entry of the WebSEAL is not a generic entry; it is server specific.
    I agree that the WebSEAL import won't migrate the ACLs/POPs etc. However, after creating a new WebSEAL instance on a new server, I have a new objectspace created. I can update the server-name entry to point to the old value. Is there any better option than this?

    ------------------------------
    Raj
    ------------------------------



  • 6.  RE: ISAM migration || WebSEAL objectspace || acl and pop attachment issue

    Posted Mon January 27, 2020 08:50 AM

    Hi


    One longer approach but that could be beneficial over time is to include a DevOps loop.

    We opted to take opportunity of the V7 to V9 upgrade to review our ISAM practice.

    We would not use IBM's provided migration utility.

    We exported every ACL/POP/JCT/JMT from V7 and saved everything in Git.

    We remodeled everything including new server, acl, pop naming convention, but within Git.

    We also re-baselined all configuration settings of every server component (Policy Server, Web Reverse proxy) to come up with a uniform configuration baseline, but also dealing with exceptions.

    Once satisfied with the remodeling, we built our new ISAM V9 infrastructure on a fresh clean slate, using our remodeled data in Git, and Ansible/ibm-security open source libraries.

    Although it did cost us more in terms of effort, now every configuration setting, ACL/POP and junction definition is stored in Git. And we can opt to drop/recreate any server component without fear of losing anything.




    ------------------------------
    Sylvain Gilbert
    ------------------------------



  • 7.  RE: ISAM migration || WebSEAL objectspace || acl and pop attachment issue

    Posted Thu March 02, 2023 09:46 AM

    Hi Sylvain,

    Do you have some video or procedure of what you have done with Git? We are migrating WebSEAL 6 to 10; because of the old version we configured a different LDAP, and are then migrating in parts from old to new. I need some utility to keep the ACLs and JCTs updated in the new environment until we have migrated all WS instances.

    When you say Migration Utility, do you mean the export utility that each component of WebSEAL has, or is it another migration tool?

    Thanks!



    ------------------------------
    Victor Gabriel Amrich
    ------------------------------