IBM Security Verify

  • 1.  ISAM Ansible Migration Automation

    Posted Mon April 22, 2024 10:57 AM

    I am migrating the reverse proxies and junctions of one ISAM to another with Ansible.

    How do I migrate the policy server?



    ------------------------------
    Sampada Bhelsewale
    ------------------------------


  • 2.  RE: ISAM Ansible Migration Automation

    IBM Champion
    Posted Tue April 23, 2024 08:34 AM

    As far as I know, there is no way to export/import the PD runtime / policy server configuration.  The only thing you can do is rebuild it, which also means rebuilding your reverse proxies.

    There is an Ansible role for configuring the policy server.  We use it today for building new environments.  What I did is modify that role to register a fact variable that contains the output of the API call.  When it returns changed, then I set a global fact that the runtime was created.  This way, I can execute other stuff like creating domains that I don't want to run twice if the playbooks are executed again in the future.

    https://github.com/IBM-Security/isam-ansible-roles/blob/master/config_policyserver/tasks/main.yml

    or

    https://github.com/IBM-Security/isam-ansible-collection/blob/master/roles/config_policyserver/tasks/main.yml

    The only other alternative I could potentially offer is maybe if you are going from one virtual appliance to another is potentially using snapshots to get the PD runtime to another appliance.  But if you are going virtual appliance to containers, I am not aware of any other path other than rebuilding the PD runtime / policy server.

    I am curious if anyone from IBM tech will chime in and offer any other alternatives.  I thought at one point they had entertained the ability to export/import the PD runtime, but I assume the idea was abandoned as I never heard mention of it again.



    ------------------------------
    Matt Jenkins
    ------------------------------
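An added example (not code from the thread, the IBM roles, or the ibmsecurity collection) of the register/set_fact gating pattern described in the reply above: run the policy server configure step, remember whether it actually created the runtime in this run, and use that fact to skip one-time setup on later runs. The module name `ibm.isam.isam`, the `action` path and the `isamapi` keys (`ps_mode`, `user_registry`, `admin_pwd`) are assumptions taken from the linked config_policyserver role and should be checked against its tasks/main.yml; `create_domains.yml` and `vault_isam_admin_pwd` are hypothetical names.

```yaml
# Added example, not part of the original thread or the IBM-Security roles.
# Assumed: the ibm.isam collection is installed and inventory hosts carry the
# appliance connection variables the roles expect.
- name: Configure the PD runtime once and gate one-time setup on it
  hosts: isam_appliances
  connection: local
  gather_facts: false
  vars:
    # Assumption: sec master password comes from Ansible Vault, never plain text.
    isam_admin_pwd: "{{ vault_isam_admin_pwd }}"

  tasks:
    - name: Configure the policy server (idempotent; changed only on first build)
      ibm.isam.isam:                                   # assumed module name
        action: ibmsecurity.isam.web.runtime.process.config
        isamapi:                                       # assumed parameter names
          ps_mode: local
          user_registry: local
          admin_pwd: "{{ isam_admin_pwd }}"
      register: ps_config_result
      no_log: true          # the registered result would otherwise echo admin_pwd

    - name: Record whether the runtime was created in this run
      ansible.builtin.set_fact:
        # True only when the configure call reported a change, i.e. a fresh runtime.
        runtime_created: "{{ ps_config_result.changed | bool }}"
        cacheable: true     # survives into later plays if fact caching is enabled

    - name: One-time setup that must not run again on an existing runtime
      ansible.builtin.include_tasks: create_domains.yml   # hypothetical task file
      when: runtime_created | bool

    - name: Everything else (reverse proxies, junctions) runs unconditionally
      ansible.builtin.debug:
        msg: "runtime_created={{ runtime_created }}; continuing with reverse proxy build"
```

Because `set_fact` is scoped to the host the task ran for, a fact that must be visible to every host in the play is better set with `run_once: true` plus `delegate_to`/`delegate_facts: true`, or read through `hostvars`. `no_log: true` keeps the admin password out of the registered result and the play output while leaving `ps_config_result.changed` available for the gate.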



  • 3.  RE: ISAM Ansible Migration Automation

    Posted Wed April 24, 2024 10:00 AM

    Hi Sampada,

    Starting in 10.0.4.0 there is a Policy Server export/import feature.  This does not include the data from either the embedded CONFIGDB or HVDB.  See https://www.ibm.com/docs/en/sva/10.0.7?topic=environment-exporting-runtime-configuration for details.



    ------------------------------
    Nick
    IBM Security Verify Customer Support
    ------------------------------



  • 4.  RE: ISAM Ansible Migration Automation

    IBM Champion
    Posted Wed April 24, 2024 10:35 AM
    Edited by Matt Jenkins Wed April 24, 2024 10:43 AM

    Nick, I didn't realize this exported the policy database, as I had assumed it just exported the config files.  I just tried it on my lab and in fact it does zip up everything.  I also found the REST API documentation for /isam/runtime_components?action=export which is great.

    One question, I don't see an import option, nor do I see it listed in the REST API documentation.  How does the import work?  Perhaps I don't see it as my lab's runtime is currently configured.

    Thanks for pointing this out!

    Edit:  PS:  For others, the ibmsecurity Python library has a function to do this.  I don't see any Ansible roles built around it, but it would be simple to create one since the Python library function is there.

    https://github.com/IBM-Security/ibmsecurity/blob/5f0eb04fff1b075eee749e7d6b63726de08890f5/ibmsecurity/isam/web/runtime/process.py#L108C5-L108C25

    It also looks like there is an import function, which I assume I don't see because as I referenced above my lab is already configured.  I don't see it mentioned in the REST API documentation, but the Python library also has it coded up:

    https://github.com/IBM-Security/ibmsecurity/blob/5f0eb04fff1b075eee749e7d6b63726de08890f5/ibmsecurity/isam/web/runtime/process.py#L127



    ------------------------------
    Matt Jenkins
    ------------------------------



  • 5.  RE: ISAM Ansible Migration Automation

    Posted Wed April 24, 2024 11:15 AM

    Matt,

    As you noted, if already configured there is no import option.  When configuring fresh there are now three options:

    1) Local
    2) Remote
    3) Import



    ------------------------------
    Nick
    IBM Security Verify Customer Support
    ------------------------------