vRA 7 Migration Tool

If you’re about to upgrade (or already have) to vRA 7.x and want to make sure your logins all work post-upgrade, you will need to use the Migration Tool to shift your ID stores from the old SSO setup (whether this was a dedicated ID appliance, integrated with vCenter SSO, etc.) to the new vIDM system. If you don’t migrate the logins, you will have to create the SSO ID Stores manually, which also requires creating a local vIDM user in the Tenant(s).

A good explanation of why VMware have moved from SSO to vIDM can be found here:-

vRealize Automation 7 – Part 5, Identity Management

How you perform the migration depends on which SSO method you were using for your 6.x system. For example, if you were running off a Windows-based 5.5 vCenter SSO service you will need to run the migration tool on the Windows server that is hosting it. Similarly, if you were running a dedicated vCAC 6.x ID appliance you will need to run the Linux version from the appliance.

In this example we will be running the migration from a dedicated appliance. As always, make sure you have backups / snapshots etc. before you go any further!!!

First off you will need to obtain the migration tool zip file URL:-

https://vra-app1.domain.local:5480 > vRA Settings > SSO and copy the migration tools URL.

SSH to your old SSO ID appliance (SSH can be enabled from https://<SSO ID Appliance IP>:5480 > Admin), cd /tmp, download and extract the zip:-

[Screenshot: vRA_7_vIDM_Migration_1]

Now cd to the new directory and set your environment:-

Now migrate your ID Stores (you will be prompted at various points for passwords and confirmations):-

[Screenshot: vRA_7_vIDM_Migration_2]

The script claimed to add everything, but it wasn’t 100% clean. For some reason it failed to sync my groups, and when I got in to take a look it turned out the Group DN was missing. I didn’t look too deeply into this as the previous step gave me enough access to start putting my AD logins back in the right place!

SSO [email protected] account expiry

The other day I hit the “Associated user’s password is expired” error when trying to log in to my SSO as the [email protected] account.

You can just reset the password for the account as per VMware KB 2035864. However, on vSphere 5.1 this causes some confusion between the SSO user password and the so-called master password (which never changes) – see this communities post for more info.

A quick and dirty fix for this (if you are running the vCenter with a SQL DB) follows.

  1. Take a backup of your RSA DB (if you don’t and you trash your DB then don’t complain to me :)).
  2. Open SQL Server Management Studio, expand the RSA DB, expand the Tables folder and find the dbo.IMS_AUTHN_PASSWORD_POLICY table.
  3. Right click and select Edit Top 200 Rows.
  4. Now edit the MAX_LIFE_SEC column (this is in seconds); for example, if you want to set it to 5 years it would be 157680000 (apparently you can set this to 0 for never expire). I’m setting mine to 90000000 (1014 days).

  5. Restart the SSO service.
  6. Log back into the Web Client as [email protected].
  7. Go to Administration, Configuration, Policies tab. It should now look like this:-
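The database change from steps 2 to 4, written as a T-SQL script you can run from SQL Server Management Studio instead of editing the row by hand. This is an added example, not from the original post; it assumes the SSO database is named RSA (the “RSA DB” above), that the policy table holds a single row as on a default 5.1 install, and the backup path is a placeholder.

```sql
-- Added example (not from the original post): steps 2 to 4 as T-SQL.
-- Assumptions: database named RSA, one policy row, placeholder backup path.
USE RSA;
GO

-- Step 1 equivalent: back the database up before touching it.
BACKUP DATABASE RSA TO DISK = N'C:\Backups\RSA_before_maxlife.bak' WITH INIT;
GO

-- Record the current policy so you can see what changed (seconds and days).
SELECT MAX_LIFE_SEC, MAX_LIFE_SEC / 86400 AS max_life_days
FROM dbo.IMS_AUTHN_PASSWORD_POLICY;

-- Step 4: set the maximum password lifetime. 90000000 is the value used in
-- the post; 157680000 is 5 years; 0 disables expiry entirely, which is the
-- setting to avoid on a production SSO.
DECLARE @new_max_life_sec INT = 90000000;

BEGIN TRANSACTION;

UPDATE dbo.IMS_AUTHN_PASSWORD_POLICY
SET MAX_LIFE_SEC = @new_max_life_sec;

-- Guard: exactly one policy row is expected. If the update touched more
-- (or none), roll back rather than silently rewriting every policy.
IF @@ROWCOUNT <> 1
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Unexpected row count in IMS_AUTHN_PASSWORD_POLICY; change rolled back.', 16, 1);
END
ELSE
BEGIN
    COMMIT TRANSACTION;
END
GO

-- Confirm the new value before restarting the SSO service (step 5).
SELECT MAX_LIFE_SEC, MAX_LIFE_SEC / 86400 AS max_life_days
FROM dbo.IMS_AUTHN_PASSWORD_POLICY;
```

The second SELECT should show the new MAX_LIFE_SEC; the Policies tab in the Web Client will only reflect it after the SSO service restart.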