Migrate vSEC:CMS to New Server

Ellen Thoren - Versasec

Introduction

This article describes the steps to migrate an existing installation of vSEC:CMS from one server to a new server.

Procedure on Current Server

This section describes the steps which need to be performed on the server where the current vSEC:CMS is running.

1. Log onto the Admin console and navigate to Help - Diagnostic. Make a note of the Bootstrapped version shown in the Product section, as in the sample below.

[Screenshot: Help - Diagnostic dialog, Product section showing the Bootstrapped version]

If the version is v1, the System Owner credential must be used on the first logon to the vSEC:CMS Admin console on the new server. This is required to decrypt the internal database file.

2. Stop all work on the vSEC:CMS system: log out all operators and shut down the vSEC:CMS service from the Windows Service Control Manager. It is recommended to keep the vSEC:CMS service switched off permanently from this point on, unless the migration is abandoned for some reason.

3. Make a copy of the entire contents of the dat folder on the current server. The permissions of the dat folder must be changed first: by default the owner of the dat folder is the local SYSTEM account, so to copy it the ownership must be changed from SYSTEM to a user account that has the rights to copy the folder. If the vSEC:CMS service runs under a dedicated Windows account, it is best to log onto the server with that account in order to copy the contents of the dat folder.

Procedure on New Server

Prerequisites

  • Depending on the credential that you are using it will be necessary to have the appropriate credential drivers installed on your host. Please check with the credential provider that you have the correct credential drivers installed.
  • From version 6.0 onwards, Microsoft .NET Framework 4.8 should be installed.
  • If you use a HSM make sure that you have installed the exact same PKCS#11 client drivers on the new server and ensure that the communication with the HSM is possible from the new server.
  • If you use MS SQL as the database for the current system make sure that on the new server you can communicate via ODBC to the MS SQL server and that the same ODBC driver that is used on the current system is available on the new server.
Tip
You can check which versions of Microsoft .NET Framework are installed on your host by running the PowerShell command below, which lists the full version information:
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse | Get-ItemProperty -Name version -EA 0 | Where { $_.PSChildName -Match '^(?!S)\p{L}'} | Select PSChildName, version

1. On the new server you will need to install the vSEC:CMS.

2. After the installation, the vSEC:CMS service is started automatically. The service must be stopped (using Windows service control manager) to be able to replace the database files in dat folder.

3. If the vSEC:CMS service on the current server is running under a dedicated Windows account, then you need to follow the instruction here.

4. Copy the entire contents of the dat folder, including all the files, as described in the Procedure on Current Server step and place them on the new server.

5. Open Regedit on the new server and navigate to [HKEY_LOCAL_MACHINE\SOFTWARE\Versatile Security\vSEC_CMS_T\Service] (for the 32-bit version of vSEC:CMS, navigate to [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Versatile Security\vSEC_CMS_T\Service] instead), and set a DWORD named db.createnewguid with a value of 1.

6. Now start the vSEC:CMS service (from Windows service control manager) to complete the migration.

7. If the vSEC:CMS is bootstrapped from v1, as described in step 1 in Procedure on Current Server above, then log into the Admin console directly on the server with the System Owner credential and go to Options – Operators and select the Service key store operator Type and click the Activate button.

8. If Microsoft Certificate Services are used, then you will need to issue a new Enrollment Agent (EA) certificate on the new server. You must log onto the Admin console on the server as an operator with the System Administrator role to perform this task. From Options – Connections select your Microsoft CA connection. Hold down the Ctrl key and click Edit at the same time. Click the Request button to start the issuance. If more than one EA certificate template is configured on the CA, a dialog will be presented from which the EA certificate template to be used should be selected. An EA certificate will then be issued to the local certificate store of the Windows account that the vSEC:CMS service is running under. Click Save to save the changes and close.

Important
The EA certificate will be issued to the Windows account that vSEC:CMS service is running under. The certificate template configured directly on the CA will need to have disabled the checkbox This number of authorized signatures from the Issuance Requirements tab on the CA template.
Important
The dedicated Windows account that the vSEC:CMS service runs under will need to have the appropriate permissions on the CA template that it is using in order to connect to it. The permission in this case is Enroll which needs to be set from the Security tab of the template. This permission will need to be set on any CA template that the vSEC:CMS is using. Additionally, the Windows account that the vSEC:CMS service runs under will perform the revocation requests on the CA. Therefore, this user needs to have Issue and Manage Certificates permissions on the CA, which are configurable from the certsrv console on the CA.

9. If you are using the Operator Console Service and User Self-Service services, then a TLS (SSL) certificate must be issued on the new server. It is recommended to make a note of how these services were configured on the current server before making the updates on the new server. Refer to this guide as a reference as well, especially regarding how the certificate type is issued when gRPC is used. Additionally, to avoid manual client reconfiguration during a server migration, use DNS records to map the existing hostname to the new server's IP address. This ensures a seamless transition for all end-users.
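The scriptable parts of both procedures (steps 2 and 3 on the current server; steps 2, 4, 5 and 6 on the new server) as an added PowerShell example, which is not Versasec's own tooling: the Windows service name, the dat folder location and the backup path are not stated in this article and are assumptions that must be replaced with the values of your installation. Run each function elevated on the respective server; the GUI-only steps (System Owner logon, EA and TLS certificates) still have to be done by hand.

```powershell
# Added example, not part of vSEC:CMS. All three parameters are placeholders
# (assumptions): replace them with your installation's actual values.

function Export-VsecCmsDat {
    param(
        [string]$ServiceName = '<vSEC:CMS service name>',   # assumption
        [string]$DatPath     = 'C:\<vSEC-CMS-install>\dat', # assumption
        [string]$BackupPath  = 'D:\migration\dat'           # assumption
    )
    # Current server, step 2: stop the service and keep it stopped so no
    # operator can write to the database after the copy has been taken.
    Stop-Service -Name $ServiceName -Force
    Set-Service -Name $ServiceName -StartupType Disabled

    # Step 3: dat is owned by SYSTEM. Hand ownership to Administrators
    # (well-known SID S-1-5-32-544) and grant read access so the copy works.
    takeown.exe /F $DatPath /R /A /D Y | Out-Null
    icacls.exe $DatPath /grant '*S-1-5-32-544:(OI)(CI)R' /T | Out-Null

    # Copy data, attributes and timestamps only (/COPY:DAT), not the ACLs,
    # so the SYSTEM-only permissions are not carried over to the new server.
    robocopy.exe $DatPath $BackupPath /E /COPY:DAT /R:2 /W:2 | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
}

function Import-VsecCmsDat {
    param(
        [string]$ServiceName = '<vSEC:CMS service name>',   # assumption
        [string]$DatPath     = 'C:\<vSEC-CMS-install>\dat', # assumption
        [string]$BackupPath  = 'D:\migration\dat'           # assumption
    )
    # New server, step 2: the installer started the service; stop it before
    # the database files are replaced.
    Stop-Service -Name $ServiceName -Force

    # Step 4: replace the freshly installed dat contents with the copy.
    robocopy.exe $BackupPath $DatPath /E /COPY:DAT /R:2 /W:2 | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

    # Step 5: db.createnewguid = 1 (DWORD). The 64-bit key is tried first;
    # a 32-bit vSEC:CMS keeps its settings under WOW6432Node.
    $key = 'HKLM:\SOFTWARE\Versatile Security\vSEC_CMS_T\Service'
    if (-not (Test-Path $key)) {
        $key = 'HKLM:\SOFTWARE\WOW6432Node\Versatile Security\vSEC_CMS_T\Service'
    }
    New-ItemProperty -Path $key -Name 'db.createnewguid' -PropertyType DWord -Value 1 -Force | Out-Null

    # Step 6: start the service and report its state so a failed start is visible.
    Start-Service -Name $ServiceName
    (Get-Service -Name $ServiceName).Status
}
```

Because the copy is taken with /COPY:DAT, the files on the new server inherit the ACL of the installer-created dat folder, so the service account keeps the access the installation gave it.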