Transferring data between BMC Helix SSO servers
You can export or import the configuration from one BMC Helix Single Sign-On server to another BMC Helix SSO server by running the data transfer tool from a command line on any local machine.
Data transfer tool usage considerations
Before you export or import the BMC Helix SSO server configuration, consider the following information:
- Use the data transfer tool when you need to export configuration from one BMC Helix SSO server (for example, QA server), and import it to another BMC Helix SSO server (for example, Dev server).
- The data transfer tool is designed to work across the same versions of BMC Helix SSO. You must not export or import data between different versions of BMC Helix SSO server.
- The data transfer tool imports all data, except issued tokens, sessions, authorization codes, and SAML signing and encryption certificates.
You can import all configurations (including general configuration, launchpad settings, registered OAuth2 clients, administrator users, and tenants), or segments of the configuration (one or more realms with branding, associated local users or groups, and the assignments of those users and groups).
The import job runs as a single transaction.
Model change in 22.1 version
Starting from the BMC Helix SSO 22.1 version, data transfer process requires to create a command_import.txt
file in the user file system. The data specified in the file is mapped with the the container's directory. When the container starts, all the data from the file is recorded into the container.
To export or import data
- In your file system, create
/opt/datatool/command_import.txt
file. - Grant this file with the Read, Write and Execute permissions.
To execute the export of configuration from the source server, open
command_import.txt
in edit mode. Add a command for export with a full path and archive file name where exported data will be saved. For example, export /opt/datatool/data/hsso-config-import.zipSave the file.
In the command line, run the following command:
docker run -v /opt/datatool/:/opt/datatool/data/ \
--env DB_JDBC_CONNECTION="jdbc:postgresql://172.21.128.1:5432/rsso" \
--env DB_TYPE="postgres" \
--env DB_USER="postgres" \
--env DB_PWD="password" \
aus-harboreg-01.bmc.com/rsso/datatransfer:HSSO_XX.XX.XX-RTM @/opt/datatool/data/command_import.txt
- To import data to the target server, open
command_import.txt
and update it with the import command. Change export to import. Provide the full path to the zip archive file and keep its name the same. Add the sours tenant ID from which data was exported and the target tenant ID to which data will be imported. For example, import /opt/datatool/data/hsso-config-import.zip -s 00000000-0000-0000-0000-000000000000 -t 00000000-0000-0000-0000-000000000000 - Save the file.
- In the command line, run the command from step 5.
The description of the docker run command parameters is displayed in the following table:
Parameter | Description |
---|---|
DB_JDBC_CONNECTION | The JDBC connection string address For example: (PostgreSQL server) jdbc:postgresql://172.21.128.1:5432/rsso |
db.type | The type of a database |
db.password | The password of a database |
db.username | The name of a database |
opt/datatool/data | Container's directory which acquires the file's path |
Available options to import data
Complete one or more of the following tasks to import data. For more details about the command parameters, see Import command parameters.
Task | Commands to run | Notes |
---|---|---|
Import realms |
Or
| The target realm will be overwritten by the realm which has the same name from the source tenant along with its local users and roles. At the same time, local users of the realm in the target database that do not overlap with the imported ones remain unchanged. |
To import and rename realms |
Or
| Ensure that the new name of a realm corresponds to the following requirements:
If you rename a realm during import, and the target server has a realm with the same name, then the target realm is not overwritten, but a new realm is created. |
To import OAuth clients to a target tenant |
Or
| Not applicable |
To import a source tenant to a target tenant |
Or
| You must first create a target tenant in the target database before you run the data transfer tool. A target tenant ID is auto-generated and unique for each tenant. The ID can be identical only for SaaS source and target tenants. The cookie domain is overwritten to a default value. You must manually change it to the value of the source tenant. |
To rename a tenant during the realm migration |
Or
| Specify the new value in the tenant field inside the particular realm before the realm migration. |
Import command parameters
The following table describes the import command parameters:
Parameter | Description |
---|---|
import <filename> | Command to perform import of data (obligatory). |
-s
or
--sourcetid | Enter the ID of a source tenant from which data will be imported. |
-t
or
--targettid | You must first create a target tenant in the target database before you run the data transfer tool. A target tenant ID is auto-generated and unique for each tenant. The ID can be identical only for SaaS source and target tenants. |
-r
or--realms | Enter realms that you want to export. For example, <realmID1>,<realmID2>,<realmID3> . Only specified realms with their related local users and groups are imported. All other configuration in the target database remain unchanged. You can also rename a realm during import. |
| Enter client IDs that you want to export. For example, <clientID1>,<clientID2>,<clientID3> . When the client IDs are specified, only these OAuth2 clients are imported. All other configuration in the target database remains unchanged. |
Comments
Log in or register to comment.