IBM Verify

  • 1.  ITIM 5.0 to ISIM 7.0 upgrade

    Posted Mon July 13, 2020 10:47 AM
    Does anyone have experience migrating ITIM 5.0 to ISIM 7.0? Documented steps are available in the Knowledge Center for ITIM 5.1 to ISIM 7.0; I believe the same would work for 5.0 to 7.0 too. If anyone has experience, please share the steps or any issues faced.

    ------------------------------
    SANJAY LOHOMI
    ------------------------------


  • 2.  RE: ITIM 5.0 to ISIM 7.0 upgrade

    Posted Thu August 13, 2020 11:34 AM
    Hello Sanjay,

    It's not possible to jump from ITIM 5.X to ISIM 7.X.

    Hence you need to install ISIM 6 first, then migrate or upgrade.

    Thanks
    Das

    ------------------------------
    khader basha dastageer
    ------------------------------



  • 3.  RE: ITIM 5.0 to ISIM 7.0 upgrade

    Posted Thu August 13, 2020 12:04 PM
    Hi Sanjay...

    ITIM 5.0 went end of support in 2014, before ISIM 7.0 was released (2015), so the only tested/supported migration path was from ITIM 5.1 to ISIM 7.x.  If you're really that far back leveled, you'll likely need to upgrade to something in between first.  Or may want to look into getting help from IBM Services to assist in the migration.

    ------------------------------
    Grey Thrasher
    IBM
    ------------------------------



  • 4.  RE: ITIM 5.0 to ISIM 7.0 upgrade

    Posted Thu August 13, 2020 12:36 PM
    Hi Sanjay,

    Well, I did this for a client and it was a pain. As far as I understand, the DB and LDAP schemas are different, so you have to take that into account. Also, in theory you can migrate the SIM encryption key to ISIM 7/6, but that process never worked for me. Also, as far as I understand, ISIM 6 and ISIM 7 are the same application version, but we had some issues with WAS parameters that we can't tune on the 7 version of the product due to the VA restrictions (I think this is why IBM hasn't taken ISIM 6 out of support yet; you could get a surprise if IBM takes ISIM 6/7 out of support at once when IGI gets more features from ISIM, like custom workflows for specific access and ITDI HR reconciliations like ISIM).

    How did we migrate the solution?

    We installed SIM 7 and migrated all the workflows, connectors and configurations from SIM5 to SIM7 using the export tool and some manual processes (ACLs and properties in ISIM files).

    After this we had to start fixing the errors in the workflows and in the custom connectors. (If you developed custom connectors for ISIM on this deployment, you are probably using TDI6, and when you migrate this to SDI7.2 or TDI7.1 you will have some troubles.)

    And finally we created all the ISIM users/persons from scratch (I imagine that you could migrate the persons and systemusers branches with an LDIF file, but this is only possible when you have the keyfiles from ISIM6 migrated to ISIM7; hope your client has all the ISIM keyfile passwords).

    ------------------------------
    Gabriel Labarrera Vega
    ------------------------------



  • 5.  RE: ITIM 5.0 to ISIM 7.0 upgrade

    Posted Thu August 13, 2020 01:35 PM
    ISIM 6 and 7 are the exact same ISIM application, just two different install types (Software Stack vs Virtual Appliance). You should really think about what you currently do in ITIM 5 and what you might need to do going forward, as this dictates which install type you should opt for.

    ISIM 7 Virtual Appliance is slightly easier to deploy/maintain, but doesn't necessarily buy you much, as you still need to install/maintain the data tier separately (which would be the same effort as with ISIM 6). Also, ISIM 7 Virtual Appliance locks down shell access, as well as WebSphere access (no WAS console). So it greatly limits what you might be able to do, when compared to ISIM 6 where you have full control/access. So if your current ITIM 5 env is heavily customized, you might want to opt for ISIM 6.

    Also, there has been no end of life planned for either ISIM 6 or 7; in fact, there have been new releases of each a couple of months ago (6.0.2 and 7.0.2).

    As for IGI replacing ISIM, I don't see that happening.  That said, I believe at least some of the IGA offerings bundle both IGI and ISIM...where IGI would be more for the Attestation/Recertification, and ISIM for Provisioning/Complex Workflow/Compliance enforcement.

    As for the encryption moving from such an old version...you'd likely need to address this in your migration path.   This is a must-read for that activity:  https://www.ibm.com/support/pages/demystifying-isim%E2%80%99s-encryption

    ------------------------------
    Grey Thrasher
    IBM
    ------------------------------



  • 6.  RE: ITIM 5.0 to ISIM 7.0 upgrade

    Posted Thu August 13, 2020 01:59 PM
    First of all - Grey is the authoritative person to listen to - what we others say is only hearsay and tales from the field ;-)

    But let me add a little to this - from ITIM 5.1 to 6/7.0.2 the path is clear and well documented - but you will need to perform the database/LDAP upgrades from 5.0 - 5.1 first, which means that you will need to get the DDL files from a 5.1 system and you will also have to get your hands on the LDAP schema file from the same - this is to be able to perform the dbUpgrade/ldapUpgrade manually - this can be tricky, so I would recommend doing a full ITIM 5.1 upgrade - IIRC that was pretty straightforward - but of course for a technical person with the will to do something extraordinary the first manual option is the most fun (but comes with a lot of risk and resource consumption)...

    Extra things to consider is if the system is migrated from 4.6 - you will need some of the older jar files in <itim_home>/lib to be moved to your target platform - I believe this was documented in the 5.x upgrade documentation but was removed in 6/7.0 - and it is definitely missing in all utility scripts in <itim_home>/bin - so be aware of that also.

    Selecting between ISIM 6 and 7 I would in most cases always go for the SW (ISIM 6) - if you run into problems you have access to the full file system and WAS console which makes debugging - not a walk in the park - but relatively straight forward and enables you to follow log files in real time. ISIM 7 means you have to debug the system through support files and often you will need custom interim fixes to set some parameter that is protected or not accessible through the LMI UI...  

    I recommend you contact IBM Security Expert Labs in your region to help you out - we have the people that can help you through this. If you are already engaged with some IBM Services, talk to them, or if in doubt contact your local IBM representative/office.

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 7.  RE: ITIM 5.0 to ISIM 7.0 upgrade

    Posted Thu August 13, 2020 02:34 PM
    Yeah, he should ask IBM Services because every deployment is different. My response was sharing my experience and what we did on the deployment where we work; in any case this is a step by step guide, I only shared the process that we used and the problems that we faced when we did this. We did this in 2017-2018.

    As for IGI replacing ISIM, yeah, IGI has some limitations on provisioning/workflow/compliance capabilities, that's a fact, but the last time that I attended an IBM Master Skills they told me that the idea is to implement more of the ISIM features on IGI. At that time my question was if you could specify a workflow for a single access like you do on ISIM; at the time ISIM is one of the most powerful provisioning/compliance solutions on the market.

    ------------------------------
    Gabriel Labarrera Vega
    ------------------------------



  • 8.  RE: ITIM 5.0 to ISIM 7.0 upgrade

    Posted Fri August 14, 2020 01:42 AM
    Let me be clear on the ISIM versus IGI discussion - IBM is not replacing ISIM with IGI - whether a client wants to implement the one product or/and the other depends on the use cases that need to be supported. For existing ISIM clients, using IGI on top of ISIM is definitely an option, and hopefully we will see this become easier and simpler as the products are aligned.

    ISIM is still developed and we will hopefully see interesting RFEs coming in the Q4 release.

    That said - the long-term strategy is of course to aggressively develop our cloud IGA solutions featuring multitenant and microservices design patterns - these are evolving fast and there are a lot of interesting integration scenarios with current on-prem solutions ISIM and IGI - it can provide analytics and also work together as a "cloud services" adapter or having the cloud solution utilizing on-prem provisioning.

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------