Steps to migrate users and groups between CA API Gateways

Document ID : KB000126210
Last Modified Date : 04/02/2019
Show Technical Document Details
Introduction:
To migrate users and groups, you will need to use the combination of RESTman and the GMU tool, as the users/groups are not listed under the migrateOut option of the GMU tool. A high level concept would be to use the RESTman option to export the users/groups into an xml file, then use the migrateIn option from the GMU tool, or RESTman POST option to import it to the other Gateway environment.
Instructions:
1. There are two options to get the list of users:
    a) Hit the following URL:
        https://<source_gateway_hostame>:8443/restman/1.0/users

    b) Use the following GMU command:
       GatewayMigrationUtility.bat restman -argFile source.txt --method GET --path '1.0/identityProviders/0000000000000000fffffffffffffffe/users' --trustCertificate --trustHostname > exportusers.xml  

2. Once you get the user list, you need to prepare the file to be read and imported into the target gateway (create_user.xm). Please take note that the RESTman POST command will only allow one user to be imported at a time. For example, the content of your 'create_user.xm' file should look similar to the following:

<l7:User providerId="0000000000000000fffffffffffffffe" xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management"> 
<l7:Login>johns</l7:Login> 
<l7:Password format="plain">7layer</l7:Password> 
<l7:FirstName>John</l7:FirstName> 
<l7:LastName>Smith</l7:LastName> 
<l7:Email/> 
<l7:Properties> 
<l7:Property key="accountExpiration"> 
<l7:LongValue>-1</l7:LongValue> 
</l7:Property> 
<l7:Property key="enabled"> 
<l7:BooleanValue>true</l7:BooleanValue> 
</l7:Property> 
<l7:Property key="name"> 
<l7:StringValue>migrationadmin</l7:StringValue> 
</l7:Property> 
</l7:Properties> 
</l7:User> 


3. Import the user using the RESTman POST command. For example:

GatewayMigrationUtility.bat restman -h <target_server_name> --trustCertificate --method POST --path /1.0/identityProviders/0000000000000000fffffffffffffffe/users --trustHostname --clientCert "<path_to_client_cert_key>\gmuclientkey.p12" --request create_user.xml 

**Some rules to take note of: 
- The pkcs12 file must contain the private key and certificate 
- The pkcs12 file may or may not be password protected 
- If the pkcs12 file is password protected, use the -x, --password, or --plaintextPassword arguments to specify the password 
- If the pkcs12 file is not password protected, do not include a password argument 
- Do not specify a username when using mutual authentication; the user is identified by the certificate 
- The certificate must be associated with the migration Administrators user on the CA API Gateway 
- If using the Internal Identity Provider, the certificate Common Name (CN) must be the same as the user login
Additional Information:
Get Started and Run GMU
RESTMAN Command