Steps to migrate users and groups between CA API Gateways

Document ID : KB000126210
Last Modified Date : 04/02/2019
To migrate users and groups, you need to combine RESTman with the GMU tool, because users and groups are not covered by the GMU tool's migrateOut option. At a high level: use RESTman to export the users/groups to an XML file, then import that file into the other Gateway environment with either the GMU migrateIn option or a RESTman POST.
1. There are two options to get the list of users:
    a) Hit the following URL:

    b) Use the following GMU command:
       GatewayMigrationUtility.bat restman -argFile source.txt --method GET --path '1.0/identityProviders/0000000000000000fffffffffffffffe/users' --trustCertificate --trustHostname > exportusers.xml  

2. Once you have the user list, prepare the file that will be read and imported into the target gateway (create_user.xml). Note that the RESTman POST command allows only one user to be imported at a time. For example, the content of your 'create_user.xml' file should look similar to the following:

<l7:User providerId="0000000000000000fffffffffffffffe" xmlns:l7=""> 
<l7:Password format="plain">7layer</l7:Password> 
<l7:Property key="accountExpiration"> 
<l7:Property key="enabled"> 
<l7:Property key="name"> 

3. Import the user using the RESTman POST command. For example:

GatewayMigrationUtility.bat restman -h <target_server_name> --trustCertificate --method POST --path /1.0/identityProviders/0000000000000000fffffffffffffffe/users --trustHostname --clientCert "<path_to_client_cert_key>\gmuclientkey.p12" --request create_user.xml 

Some rules to take note of:
- The pkcs12 file must contain the private key and certificate 
- The pkcs12 file may or may not be password protected 
- If the pkcs12 file is password protected, use the -x, --password, or --plaintextPassword arguments to specify the password 
- If the pkcs12 file is not password protected, do not include a password argument 
- Do not specify a username when using mutual authentication; the user is identified by the certificate 
- The certificate must be associated with the migration Administrators user on the CA API Gateway 
- If using the Internal Identity Provider, the certificate Common Name (CN) must be the same as the user login
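
Because the RESTman POST accepts only one user at a time, step 2 means producing one request file per exported user. The Python script below is an added example, not part of the original article or of CA's tooling: it splits an export into numbered create_user files and gives each user a unique random initial password instead of one shared value. The wrapper elements and namespace URI in the sample export, the file naming, and placing the Password element as the first child are assumptions.

```python
import secrets
import xml.etree.ElementTree as ET
from pathlib import Path

# Internal Identity Provider ID used in the commands on this page.
PROVIDER_ID = "0000000000000000fffffffffffffffe"

# Constructed sample export; namespace URI and wrapper elements are placeholders.
SAMPLE_EXPORT = """<l7:List xmlns:l7="urn:example:constructed">
 <l7:Item><l7:Resource><l7:User providerId="0000000000000000fffffffffffffffe">
  <l7:Login>alice</l7:Login></l7:User></l7:Resource></l7:Item>
 <l7:Item><l7:Resource><l7:User providerId="0000000000000000fffffffffffffffe">
  <l7:Login>bob</l7:Login></l7:User></l7:Resource></l7:Item>
 <l7:Item><l7:Resource><l7:User providerId="1111111111111111aaaaaaaaaaaaaaaa">
  <l7:Login>other</l7:Login></l7:User></l7:Resource></l7:Item>
</l7:List>"""


def split_users(export_xml, out_dir, provider_id=PROVIDER_ID):
    """Write one request file per user; return [(file name, login, password)]."""
    root = ET.fromstring(export_xml)
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    results = []
    # Snapshot the tree first so inserting Password elements cannot disturb iteration.
    for user in list(root.iter()):
        ns, _, name = user.tag.rpartition("}")
        # Only users of the expected identity provider are migrated.
        if name != "User" or user.get("providerId") != provider_id:
            continue
        qual = (ns + "}") if ns else ""
        if ns:
            ET.register_namespace("l7", ns[1:])  # keep the l7: prefix on output
        login = user.findtext(qual + "Login", default="")
        pw = user.find(qual + "Password")
        if pw is None:  # assumption: first child, as in the page's sample file
            pw = ET.Element(qual + "Password")
            user.insert(0, pw)
        pw.set("format", "plain")
        pw.text = secrets.token_urlsafe(18)  # unique per user, not a shared default
        user.tail = None
        # Numbered names avoid using untrusted login strings as file paths.
        file_name = f"create_user_{len(results) + 1:03d}.xml"
        (out / file_name).write_bytes(ET.tostring(user, encoding="utf-8"))
        results.append((file_name, login, pw.text))
    return results
```

The generated files contain plaintext passwords, so keep the output directory access-restricted and delete the files once the POSTs have completed.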
Additional Information:
Get Started and Run GMU