Migrate the Central Manager

This procedure walks you through migrating the ASMS Central Manager (CM) to a new appliance (virtual, physical, or cloud-based). Migration is initiated from the source Central Manager itself.

You may want to do this while in the process of decommissioning end-of-life appliances or moving up to the cloud.

Important: This process breaks HA/DR clusters. You’ll need to rebuild them after migration.

Preparation Steps Before Migration

Do the following:

Verify identical ASMS version and build on both source and target appliances.
Ensure valid licenses match between appliances – including support for routers or no routers as applicable.
Check system specifications:

Important: We recommend you consult with AlgoSec Support with any disk space issue you may encounter.
1. Target machine must meet System requirements.
2. Verify how much storage is being used on the /data partition on the source machine. You must have at least the same amount of storage plus another 5% free on the target machine's /data partition.
3. Source /root partition must be healthy. Required free disk space on target /root depends on usage on source.
Validate port availability – ensure required ports are open between source and target. For more information, see Required port connections.
Back up your environment – take a VM snapshot or physical backup of the source CM.
Disable analysis and monitoring jobs:
1. Document and delete scheduled analyses. For details, see Schedule analysis.
2. Turn off real-time monitoring and device polling in Administration. For details, see Configure real-time monitoring.
Remove or migrate SSL certificate passphrase:

You can either:
- Remove it by creating a passphrase script (sslpassphrase) and updating ssl.conf accordingly.
- Copy it to the new appliance using rsync, then update and verify it on the target.
To remove the SSL certificate pass phrase:
1. On the CLI, enter the following script to print the pass phrase:
  echo -e '#!/bin/bash\necho "Enter your SSL Passphrase here"' > /etc/httpd/conf.d/sslpassphrase
  chmod 700 /etc/httpd/conf.d/sslpassphrase
2. Configure httpd to use the pass phrase script by entering the following:
  1. Edit /etc/httpd/conf.d/ssl.conf
  2. Change text from:
    
    SSLPassPhraseDialog builtin
    
    to:
    
    SSLPassPhraseDialog exec:/etc/httpd/conf.d/sslpassphrase
3. Check that httpd starts without having to enter a pass phrase. Enter:
  
  /etc/init.d/httpd restart
To copy the SSL certificate pass phrase:
1. Log in to Source as root user.
  1. Run the commands:
    
    PASSP=`grep SSLPassPhraseDialog /etc/httpd/conf.d/ssl.conf | grep -v builtin | cut -f2 -d\:` ; chmod a+x $PASSP
    
    PFILE=`echo ${PASSP##*/}` ; echo $PFILE
  2. Copy the CLI printed output.
    
    In this case, httpd-ssl-pass-dialog.
  3. Run the following replacing the actual Target IP:
    
    rsync -rtu $PASSP <TARGET_IP>:/usr/libexec/
  4. Enter password when prompted.
2. Log in to Target as root user and enter the following replacing the string you copied from step 1:
  \cp -rpv /usr/libexec/httpd-ssl-pass-dialog{,.BACKUP_COPY} ; \cp -rpv /usr/libexec/<Copied string from step 1> /usr/libexec/httpd-ssl-pass-dialog
  For Example, if the copied string is <httpd-ssl-pass-dialog>, the command will be:
  \cp -rpv /usr/libexec/httpd-ssl-pass-dialog/usr/libexec/httpd-ssl-pass-dialog
1. Verification: Restart httpd and ensure httpd starts up:
  service httpd restart

Sync Reports

Reports are pulled from the peer node.

Important: You can only sync reports from one peer. If you try to sync from more than one, data will be overwritten.

Note: his is the most time-consuming step of the migration process.

Sync reports from peer nodes (optional but recommended to minimize downtime):
1. On the CLI, connect to the target Central Manager administration interface via SSH and log in as root. For details, see Connect to and Utilize the Administration Interface.
2. In the main menu, enter 16 to migrate ASMS units.
3. Enter option 3 -Sync reports from peer node.