- 05 Nov 2024
Prepare the Source System (OneSpan Authentication Server or OneSpan Authentication Server Appliance)
- Updated on 05 Nov 2024
You cannot migrate from a source system that is using hardware security module (HSM) infrastructure!
Configure the source system
When you perform a data migration, the source system should be configured as follows:
Replication. If you have more than one source product, ensure that replication between servers—or between databases—is fully up-to-date before the migration.
Source available. The source system must be running and available for administrative connections.
Authentication paused. The source system should not handle authentications while the data migration is in progress.
Disabled maker–checker authorization. The source system cannot have maker–checker authorization enabled, if applicable.
Latest updates applied. The latest available patch for the OneSpan server software should be applied so that Data Migration Tool can connect correctly.
Create an administrative account
The source system must provide an administrator account that is used to connect to the system and read the data. The user account must exist in the master domain and have the Access Data in All Domains administrative privilege assigned. Its administrator level must be set to the maximum value (255 on OneSpan Authentication Server, 100 on OneSpan Authentication Server Appliance).
Additionally, the account will need permissions to read, write, and delete the following record types:
Authenticators
Authenticator applications
User accounts
Policies
Components
Back-end servers
Report definitions
We highly recommend creating and using a dedicated administrator account for data migration to avoid any issues during or after migration. Since OneSpan Authentication Server does not allow changing the permissions of the active user account, you will receive a corresponding error when DMT attempts to migrate the administrator account that is used to connect to the system.
When you apply the bundle file to set OneSpan Authentication Server Appliance to migration mode, the Update wizard provides a dedicated user account that you should explicitly use for migration purposes. By default, that user account is called migration_user, unless another user account with that name already exists. In that case, it is named differently.
Create an Administration Program client component
If the Require administration client component registration setting is enabled in the OneSpan Authentication Server configuration, a client component record of the type Administration Program must exist for the computer on which DMT is installed.
Verify the non-SSL SEAL connection port
Data Migration Tool (DMT) does not support SSL connections to OneSpan Authentication Server. Verify the configuration for the OneSpan Authentication Server instance to be used by DMT.
To verify which port is used for non-SSL SEAL connections
Log in to the OneSpan Authentication Server Administration Web Interface.
Connect to the OneSpan Authentication Server instance to be used.
Select SYSTEM > Server Configuration.
Switch to the Communicators tab and expand the SEAL Communicator (non-secure) section.
Verify which port is used for non-SSL SEAL connections to OneSpan Authentication Server. By default, this is 20003.
Use this port for the data migration.
Prepare the source OneSpan Authentication Server instance using custom keys for data migration
To prepare a source OneSpan Authentication Server instance that uses custom keys
Log in to the OneSpan Authentication Server Administration Web Interface.
Connect to the OneSpan Authentication Server instance to be used.
Ensure that no key rotation tasks are running.
Launch the OneSpan Authentication Server Maintenance Wizard. Select the Export Key Data wizard and use it to export the sensitive and storage keys.
Start the source OneSpan Authentication Server instance in migration mode (see Migration mode).
Ensure that no key rotation tasks are running or due to run during the scheduled migration.
When you set up the data migration process (see Migrate data), configure Data Migration Tool to use the key exported earlier. To do so, enable Use Encryption and enter the details for the exported key in the Source Data Options page.
Adjust the administrator level of existing administrator accounts
This step is required only if you migrate from OneSpan Authentication Server to OneSpan Authentication Server Appliance!
Each administrative user account has an administrator level set. The administrator level of a user account can be viewed in the Administration Web Interface. On OneSpan Authentication Server, the administrator level is an integer value ranging between 0–255. However, OneSpan Authentication Server Appliance only allows and uses a value range of 0–100, and the system accounts are all set to 100 by default.
Administrative user accounts that have an administrator level greater than 100 are automatically set to 100 on the OneSpan Authentication Server Appliance target instance during the migration process. Administrator levels lower than or equal to 100 remain unchanged (see Administrator level adjustment during data migration (Example)).
Administrator level adjustment during data migration (Example)

User account | Administrator level (source OneSpan Authentication Server) | Administrator level (target OneSpan Authentication Server Appliance) |
---|---|---|
super_admin | 200 | 100 |
regular_admin | 150 | 100 |
sub_admin | 50 | 50 |
If the source system uses administrator levels to create an administrator account hierarchy, you should normalize the values down to a range between 0–100 before the data migration. Alternatively, you can verify the results after data migration and adjust the administrator levels accordingly.
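The following added example (not OneSpan code and not part of the original page) shows how the automatic adjustment flattens an administrator hierarchy and how to check a normalization before migrating. The proportional 0-255 to 0-100 rescaling is an assumption, since the page only asks for values within 0-100; the account data is a constructed sample using the names from the table.

```python
# Added example: not OneSpan code. Account data below is constructed.
APPLIANCE_MAX = 100   # upper bound on OneSpan Authentication Server Appliance
SERVER_MAX = 255      # upper bound on OneSpan Authentication Server


def clamp(levels):
    """Target levels as the migration sets them: values above 100 become 100."""
    return {user: min(level, APPLIANCE_MAX) for user, level in levels.items()}


def collapsed_pairs(source, target):
    """Pairs (higher, lower) strictly ordered on the source but equal on the target."""
    users = sorted(source, key=lambda u: (-source[u], u))
    return [
        (hi, lo)
        for i, hi in enumerate(users)
        for lo in users[i + 1:]
        if source[hi] > source[lo] and target[hi] == target[lo]
    ]


def rescale(levels):
    """Assumed normalization: map 0-255 proportionally onto 0-100 (integer floor)."""
    for user, level in levels.items():
        if not 0 <= level <= SERVER_MAX:
            raise ValueError(f"{user}: level {level} outside 0-{SERVER_MAX}")
    return {u: lvl * APPLIANCE_MAX // SERVER_MAX for u, lvl in levels.items()}


# Constructed sample, using the account names from the table above.
SOURCE = {"super_admin": 200, "regular_admin": 150, "sub_admin": 50}

if __name__ == "__main__":
    after_clamp = clamp(SOURCE)
    print("after migration clamp:", after_clamp)
    print("hierarchy lost between:", collapsed_pairs(SOURCE, after_clamp))
    normalized = rescale(SOURCE)
    print("normalized before migration:", normalized)
    # Rescaling can also merge neighbours (256 values into 101), so re-check.
    print("hierarchy lost after rescale:", collapsed_pairs(SOURCE, normalized))
    # Already within 0-100, so the migration clamp leaves these values alone.
    assert clamp(normalized) == normalized
```

Any pair reported by `collapsed_pairs` identifies two accounts that had different administrator levels on the source and end up with the same level on the target, so those are the accounts to review after migration.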
Restart the source system in migration mode
If required, restart the source system in migration mode (see Migration mode).