Export and Import

PAM provides an export option so that your database (configuration, settings, logs and records) can be safely stored for security, import and “break glass” procedures.

The export option can be performed automatically (encrypted) or on-demand (encrypted or decrypted).

If the export is performed with encryption (our recommendation), then your PAM Master Password will be required in order to decrypt the secured data.

If an export is executed inside a Vault Parent, trying to import that export inside a vault or folder container will give an error. In that case the type needs to be changed from vault to folder, because vaults cannot be created inside containers.

Importing your data to PAM from a previously created Export provides a System Administrator with the ability to recover from a loss of data or to rebuild a PAM deployment on a new host.

Some common use cases for Import include:

  • Disaster recovery.

  • Data loss recovery.

  • Populating a test or UAT environment with data.

  • Switching to a different PAM database.

The following items must be considered when planning and performing an import:

  • This procedure is similar to a database import, meaning all data currently in PAM will be replaced with that from the import. The process will remove all data currently in PAM and import only what is contained in the export.

  • If the import is using an encrypted export (which we recommend), then you will need to know the Master Password if importing to a new system.

  • The PAM instance that will be importing must be the same version as, or newer than, the PAM instance that created the export.

Automatic export of PAM Database

To export your System Database automatically:

  1. Login to PAM using a System Administrator account.
  2. Navigate to Administration > Settings > Parameters.
  3. Enter or accept the default location in the Export Location field to define the export storage location. Use $PAM_HOME to define the PAM installation location. Click the Save button to its right to save your change.
  4. Enter a value (measured in minutes) into the Export Schedule field. This value will be the number of minutes between automated exports (enter a zero value to disable the automated export). Click the Save button to its right to save your change.
  5. An event (Category: Application; Level: Info; Event: Export) will be created in the Audit Log when the export is complete.
  6. The export is now saved to your Export Location in an archived zip format, possibly multi-part if the export is large. The naming convention is: xtamexp-YYYYMMDDHHMMSS-{EventID}-{multipart}.zip

The first export will be immediately added to the PAM queue. Subsequent exports will take place in intervals based on the value entered into the Export Schedule parameter.

All automated exports will be executed with encryption.

On-Demand export of PAM Database

To export your PAM Database On-Demand:

  1. Login to PAM using a System Administrator account.
  2. Navigate to Administration > Settings > Parameters.
  3. Enter or accept the default location in the Export Location field to define the export storage location. Use $PAM_HOME to define the PAM installation location. Click the Save button to its right to save your change.
  4. Navigate to Administration > Settings > Database.
  5. Choose your desired export option to queue the Export procedure:
    • Export All Encrypted / Decrypted – Performs a full system export including all objects, historical logging and configuration.
    • Express Export Encrypted / Decrypted – Performs a limited system export that includes objects and configuration, but does not include historical log data like Audit, Job, Change History and others.
  6. An event (Category: Application; Level: Info; Event: Export or Event: Express export) will be created in the Audit Log when the export is complete.
  7. The export is now saved to your Export Location in an archived zip format, possibly multi-part if the export is large. The naming convention is: xtamexp-YYYYMMDDHHMMSS-{EventID}-{multipart}.zip or xtamexp_express-YYYYMMDDHHMMSS-{EventID}-{multipart}.zip.

The export will be immediately added to the PAM queue and will be performed a single time.

If the export includes encryption (recommended), the PAM Master Password will be required to access its secured data; however, if it is exported decrypted (not recommended), then the secured data can be accessed without requiring any passwords.
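
The file naming convention above makes it possible to check from a shell that exports are still being produced and that the archives are not readable beyond their owner. The following is an added example, not part of PAM or its documentation; the function names, the 120-minute cutoff, and the assumptions that the 14-digit timestamp directly follows the prefix and uses the server's local time are illustrative.

```sh
#!/bin/sh
# Added example (not vendor code). Documented export file names:
#   xtamexp-YYYYMMDDHHMMSS-{EventID}-{multipart}.zip          full export
#   xtamexp_express-YYYYMMDDHHMMSS-{EventID}-{multipart}.zip  express export
# Assumption: the 14-digit timestamp directly follows the prefix.

# newest_export DIR KIND   (KIND is "full" or "express")
# Prints the newest export timestamp of that kind, or nothing if none exists.
newest_export() {
  case $2 in
    full)    prefix=xtamexp- ;;
    express) prefix=xtamexp_express- ;;
    *)       return 2 ;;
  esac
  for f in "$1"/"$prefix"*.zip; do
    [ -e "$f" ] || continue
    ts=${f##*/}          # file name without directory
    ts=${ts#"$prefix"}   # drop the prefix
    ts=${ts%%-*}         # keep the field before the next hyphen
    case $ts in ''|*[!0-9]*) continue ;; esac
    if [ "${#ts}" -eq 14 ]; then printf '%s\n' "$ts"; fi
  done | sort | tail -n 1
}

# export_is_stale DIR KIND CUTOFF
# Returns 0 when no export of KIND has a timestamp at or after CUTOFF
# (YYYYMMDDHHMMSS), i.e. no recent export exists in DIR.
export_is_stale() {
  latest=$(newest_export "$1" "$2")
  [ -z "$latest" ] || [ "$latest" -lt "$3" ]
}

# loose_exports DIR
# Prints export archives that group or other can read. A decrypted export
# gives access to the secured data to anyone who can read the file.
loose_exports() {
  find "$1" -type f -name 'xtamexp*.zip' \( -perm -040 -o -perm -004 \) -print
}

# Usage with GNU date, assuming file names use the server's local time:
#   cutoff=$(date -d '-120 minutes' +%Y%m%d%H%M%S)
#   export_is_stale "$PAM_HOME/export" full "$cutoff" && echo "no recent export" >&2
#   loose_exports "$PAM_HOME/export"
```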

System Export Retention

All system exports are stored indefinitely. If you would like to implement a retention schedule for your exports (both Scheduled and On-Demand), configure the option described below.

  1. Login to PAM as a System Administrator.
  2. Navigate to Administration > Settings > Parameters > System Export Retention.
  3. Enter a value (defined in Days). PAM will delete all system export files after this specified number of days. A value of 0 (zero) will disable the retention schedule.
  4. Click the Save button next to this option.

Please note that this retention schedule is applied globally to all system exports, and exports that have been purged due to this schedule cannot be recovered.

Import back into the same PAM deployment

How to Import back into the same PAM deployment using an Encrypted or Decrypted Export.

This procedure details the steps required to import data back into the same PAM system that created the export.

This procedure supports the use of encrypted or decrypted export files.

  1. Login to PAM as a System Administrator.
  2. Navigate to Administration > Settings > Database.
  3. In the table list of available exported volumes, locate the one you wish to use and click the Import button to its right.
  4. The Import operation will now be added to the PAM queue and will be executed shortly. Once the import begins, completion time depends on the amount of data that needs to be imported and may take several minutes to finish.

  5. During the import process, the application’s GUI may become temporarily unavailable. To check the status of the operation, you should open the PAM log file located at $PAM_HOME/web/logs/pam.log and when the message Importing Complete appears, the operation is finished.

  6. Refresh the All Records page to review the imported data.

Import into a new deployment with Encrypted Export

How to Import into a new PAM deployment using an Encrypted Export.

This procedure details the steps required to import data into a new PAM system; one that did not create the export.

This procedure supports the use of encrypted export files.

  1. Install a new PAM system where and as needed.
  2. Once the installation is complete, open a command line on this new host server, navigate to the folder where PAM is installed ($PAM_HOME) and issue the following command to update your current PAM Master Password with the one that was used to create your encrypted export.
    1. For Windows, substitute <MASTER PASSWORD> with the master password used with your export and issue:

      bin\PamDirectory.cmd SetMasterPassword web <MASTER PASSWORD>
    2. For Unix or Linux, substitute <MASTER PASSWORD> with the master password used with your export and issue:

      bin/PamDirectory.sh SetMasterPassword web <MASTER PASSWORD>
  3. Copy your exported file(s) to your new PAM system and paste them into $PAM_HOME/export/ or the custom location you defined in Administration > Settings > Parameters > Export Location.

  4. Login to PAM as a System Administrator.

  5. Navigate to Administration > Settings > Database.

  6. In the table list of available exported volumes, locate the one you wish to use and click the Import button to its right.

  7. The Import operation will now be added to the PAM queue and will be executed shortly. Once the import begins, completion time depends on the amount of data that needs to be imported and may take several minutes to finish.

  8. During the import process, the application’s GUI may become temporarily unavailable. To check the status of the operation, you should open the PAM log file located at $PAM_HOME/web/logs/pam.log and when the message Importing Complete appears, the operation is finished.

  9. Refresh the All Records page to review the imported data.

Import into a new deployment with Decrypted Export

How to Import into a new PAM deployment using a Decrypted Export.

This procedure details the steps required to import data into a new PAM system; one that did not create the export. This procedure supports the use of decrypted export files.

  1. Install a new PAM system where and as needed.
  2. Copy your exported file(s) to your new PAM system and paste them into $PAM_HOME/export/ or the custom location you defined in Administration > Settings > Parameters > Export Location.
  3. Login to PAM as a System Administrator.
  4. Navigate to Administration > Settings > Database.
  5. In the table list of available exported volumes, locate the one you wish to use and click the Import button to its right.
  6. The Import operation will now be added to the PAM queue and will be executed shortly. Once the import begins, completion time depends on the amount of data that needs to be imported and may take several minutes to finish.

  7. During the import process, the application’s GUI may become temporarily unavailable. To check the status of the operation, you should open the PAM log file located at $PAM_HOME/web/logs/pam.log and when the message Importing Complete appears, the operation is finished.

  8. Refresh the All Records page to review the imported data.
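
Each of the three import procedures above ends by checking pam.log for the Importing Complete message while the GUI may be unavailable. The following added example (not PAM's own tooling) waits for that message from a shell and ignores matches left in the log by earlier imports; the function names and the 1800-second timeout are assumptions.

```sh
#!/bin/sh
# Added example (not vendor code): wait for "Importing Complete" in pam.log,
# counting only lines written after a baseline taken before the import.

# log_lines FILE
# Prints the number of lines currently in FILE (0 if it cannot be read).
log_lines() {
  if [ -r "$1" ]; then wc -l < "$1" | tr -d ' '; else echo 0; fi
}

# import_finished FILE BASELINE
# True when "Importing Complete" appears after line BASELINE. If the log is
# now shorter than BASELINE it was rotated, so the whole file is searched.
import_finished() {
  [ -r "$1" ] || return 1
  base=$2
  [ "$(log_lines "$1")" -ge "$base" ] || base=0
  tail -n "+$((base + 1))" "$1" | grep -q 'Importing Complete'
}

# wait_for_import FILE BASELINE TIMEOUT_SECONDS [POLL_SECONDS]
# Returns 0 once the message appears, 1 if TIMEOUT_SECONDS pass without it.
wait_for_import() {
  waited=0
  poll=${4:-5}
  while :; do
    import_finished "$1" "$2" && return 0
    [ "$waited" -ge "$3" ] && return 1
    sleep "$poll"
    waited=$((waited + poll))
  done
}

# Usage: take the baseline BEFORE clicking Import, then wait (timeout is an
# example value):
#   log="$PAM_HOME/web/logs/pam.log"; base=$(log_lines "$log")
#   wait_for_import "$log" "$base" 1800 || echo "import not confirmed" >&2
```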