Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.
This document outlines the high-level strategy and actions required to perform a migration from an existing IBM® Security Access Manager software deployment to an IBM® Security Access Manager 9 Appliance deployment.
Hi Abhishek,
I assume the ISVA appliances are KVMs right now, correct?
There is not really a lift and shift pattern for migrating ISVA KVMs. What has worked well in the past for other customers is:
I have not tested but it might be possible to:
The process for ISVD LDAP and DB2 will be similar.
Hi Nick, We are planning to move our complete ISVA appliances and ISVD LDAP + DB2 to red hat KVM 9, can you please me to understand how smoothly it can be migrated.
Currently it's running on EOL machine Red hat 7.9
Hi Patrick,
There is not a similar guide. Migrating from HW to VM is really no different than migrating VMs around. We see this especially when customers need to migrate to the Cloud VMs or from one datacenter to another.
One successful method other customers have used to migrate DCs or to a Cloud deployment is,
1) Setup a VPN between the source and target.2) Setup appliances in the target.3) Add them as nodes to the source cluster. If the internal HVDB or CONFIGDB is being used it needs to be made a secondary.4) Promote the secondary to be the Primary Master of the Cluster. This node should have all activations that are enabled on any node.5) If in use this has now moved the embedded LDAP and internal configdb and hvdb to the target cluster.6) The WRP instances are exported from the source cluster and imported into the target cluster appliances using the WRP export/import feature.7) The source nodes are slowly decommissioned and removed from the cluster.8) The VPN is shut down and the cluster has been migrated.
Other options:
Verify Access Runtime Migration
When using external AAC Runtime configdb and hvdb databases the following feature added in 10.0.4.0 can be used,
https://www.ibm.com/docs/en/sva/10.0.4?topic=environment-exporting-runtime-configuration
This will migrate the Policy Server (and embedded LDAP if used) to a new appliance. If using a remote LDAP, it needs to accessible via VPN or a new LDAP setup in the cloud that is then also accessible to the still existing on-prem VMs. New WRP appliance can be build and the instance migrated using the export/import feature. This assumes the CONFIGDB and HVDB are accessible or have been migrated as well.
Appliance Snapshots
While snapshots are really meant to be used as an exact appliance rebuild they can be used to migrate the Primary Master of a cluster. However, the cluster must be re-configured to only have a Primary Master before a snapshot is created.
This snapshot can be applied on a target machine in the target environment built to match the source. That is, same number of NICs, activations, etc.
Once applied the network settings will need to be reconfigured using the console CLI. The snapshot cannot be altered beforehand with the target network information. Snapshots have a checksum for security purposes. This method has been successful as well.
Is there any migration guide from hardware appliance to virtual machine since the end of support for appliances is September 2025?