Using SlapTool to migrate SecureLogin User Data

  • 7018249
  • 07-Nov-2016
  • 07-Nov-2016

Environment

NetIQ SecureLogin
NSL 8.x

Situation

How to migrate user data from one SecureLogin datastore to another 
Backing up and restoring SecureLogin user data with slaptool
NSL Utilities for migrating user credentials and settings 
How to save user information with NSL

Resolution

Three utilities are available for migrating SecureLogin user data from one environment to another. 

1.  The backup and restore options under the "advanced" menu from the SecureLogin system tray utility.  https://www.netiq.com/documentation/securelogin-85/administration_guide/data/b9p5xf7.html

This article describes a method for using slaptool to back up and restore user data for SecureLogin. slaptool.exe is included with the SecureLogin installation files in the directory ...\SecureLoginTools\Administration\Provision Tools. slaptool with the associated switches can be run from a batch file, cmd file, login script, or otherwise pushed out to workstations.

To back up user data, run the following slaptool command (change "MyPassword" to the desired value; the password must be at least 8 characters): 
 
slaptool.exe -e -a -s -P -E MyPassword -f -S "%USERPROFILE%"\backup.esx >>"%USERPROFILE%"\backup.log 2>&1
 
This creates a file called backup.esx in the user's profile directory (e.g. C:\Users\<username>). It also creates a backup.log file in the same directory that records any errors.
 
 
To restore user data, run this command (change the password to match the one used for backing up): 
 
slaptool.exe -E MyPassword -f -S "%USERPROFILE%"\backup.esx >>"%USERPROFILE%"\restore.log 2>&1
 
Restart SecureLogin as the user.
 
Detail of switches used for backup operation:
-e --->  Performs an export rather than an import.
-a --->  Excludes applications.
-s --->  Excludes settings. 
-P --->  Exclude Passphrase.
-E LongPassword ---> Encrypt with "LongPassword"
-f --->  Use the current user, allow inclusion of password credentials. 
-S --->  Include passwords.
  
Detail of switches used for restore operation:
-E LongPassword ---> Decrypt with "LongPassword".
-f ---> Use the current user.
-S ---> Include passwords.


SecureLogin Startup Scripts can be used to determine whether to run the slaptool backup or restore command.

Additional Information

Example:

backup.cmd 

REM Version 1.2 of backup script
REM Jan 9th 2012 - Novell - gmorris

@Echo off

Echo "Performing backup of SecureLogin user data"

REM This cmd file backs up user credential data excluding passphrase, settings, and applications
REM The first parameter (%1) is the encryption password passed in by the startup script

REM Start a fresh log with a timestamp first, then append everything else to it
Date /t >"%USERPROFILE%"\backup.log 2>&1
Time /t >>"%USERPROFILE%"\backup.log 2>&1
REM Clear the previous result so a stale BackupStatus cannot be read as the current one
REG DELETE HKCU\Software\Protocom\SecureLogin /v BackupStatus /f >>"%USERPROFILE%"\backup.log 2>&1
slaptool.exe -e -a -s -P -E %1 -f -S "%USERPROFILE%"\backup.esx >>"%USERPROFILE%"\backup.log 2>&1
REM Record the slaptool exit code (0 = success) for the startup script to read
REG ADD HKCU\Software\Protocom\SecureLogin /v BackupStatus /t REG_DWORD /d %ERRORLEVEL% /f >>"%USERPROFILE%"\backup.log 2>&1
Exit

restore.cmd

REM Version 1.2 of restore script
REM Jan 9th 2012 - Novell - gmorris
REM This cmd file restores user credential data
REM The first parameter (%1) is the decryption password passed in by the startup script

@Echo off
Echo "Performing restore of SecureLogin user data"

REM Start a fresh log with a timestamp first, then append everything else to it
Date /t >"%USERPROFILE%"\restore.log 2>&1
Time /t >>"%USERPROFILE%"\restore.log 2>&1
REM Clear the previous result so a stale RestoreStatus cannot be read as the current one
REG DELETE HKCU\Software\Protocom\SecureLogin /v RestoreStatus /f >>"%USERPROFILE%"\restore.log 2>&1
slaptool.exe -E %1 -f -S "%USERPROFILE%"\backup.esx >>"%USERPROFILE%"\restore.log 2>&1
REM Record the slaptool exit code (0 = success, -1 = wrong password) for the startup script to read
REG ADD HKCU\Software\Protocom\SecureLogin /v RestoreStatus /t REG_DWORD /d %ERRORLEVEL% /f >>"%USERPROFILE%"\restore.log 2>&1

REM Remove the backup marker so the restore startup script does not run again on the next load
REG DELETE HKCU\Software\Protocom\SecureLogin /v BackupStatus /f >>"%USERPROFILE%"\restore.log 2>&1

Exit

"Back up" Startup Script:

###########
# Startup application to automatically back up user data
# User credential data is stored in the user's profile directory
# Data is stored in an encrypted XML file
# Encryption key is derived from ?syspassword with a zero character added. If the password is less than
# 8 characters long then additional zeros are added until the length equals or exceeds 8 characters.
# This script calls backup.cmd, which should be placed in the folder c:\program files\novell\securelogin
# This script backs up user data on each load of the NSL client. This ensures that the latest information has been captured.
#
# Script version 1.0 - Greg Morris (Novell) - Aug 11th 2011 - Initial Release
# Script version 1.1 - Greg Morris (Novell) - Aug 14th 2011 - Added error handling
# Script version 1.2 - Greg Morris (Novell) - Jan 9th 2012 - Modified for use with new version of slaptool
#
###########

# Check to make sure we are online
GetDirectoryStatus ?status
If ?status eq "offline"
   MessageBox "We are offline and cannot perform a backup of the user data."
   Endscript
Endif

# Build the password variable
Strcat ?userpass ?syspassword "0"

# Password to encrypt must be at least 8 characters long
Repeat
 StrLength ?Length ?userpass
 if ?Length Gt 7
    break
 Endif
 StrCat ?userpass ?userpass "0"
EndRepeat

# Run slaptool to perform the backup
Run "c:\program files\novell\securelogin\backup.cmd" ?userpass

Set ?loopctr 0
Repeat
   # Add a .5 second delay to let the backup process complete.
   Delay 500

   # Check status of the backup process
   #
   # Not present - No previous backup attempted
   # 0 - Last backup successful
   # non-zero - Last backup failed

   GetReg "HKCU\SoftWare\Protocom\SecureLogin\BackupStatus" ?backupstatus

   #
   # Check for success
   #
   If ?backupstatus Eq 0
     MessageBox "Backup of user data completed successfully."
     Endscript
   Endif

   #
   # Check for errors
   #
   If ?backupstatus Gt 0
      MessageBox "The backup process has failed with error (" ?backupstatus "). Please contact the help desk."
      EndScript
   Endif

   #
   # The loopctr value can be changed to limit the amount of time the script will try to complete the backup.
   # Default value of loopctr is 10 x .5 seconds (Max 5 seconds)
   # If backup does not complete in this time then user will be displayed a message.
   #
   Increment ?loopctr
   if ?loopctr Gt 10
      MessageBox "Backup process has taken too long to complete. Would you like to continue to wait?" -YesNo ?Result
      if ?Result Eq "Yes"
         Set ?loopctr 0
      else
         EndScript
      Endif
   Endif

EndRepeat

# End of Startup script to backup user data

"Restore" Startup Script:

###########
#
# Startup application to restore user data
# User credential data is stored in the user's profile directory
# Data is stored in an encrypted XML file
# Encryption key is derived from ?syspassword with a zero character added. If the password is less than
# 8 characters long then additional zeros are added until the length equals or exceeds 8 characters.
# This script calls restore.cmd, which should be placed in the folder c:\program files\novell\securelogin
# This script only executes if the registry value HKCU\Software\Protocom\SecureLogin\BackupStatus is set to 0 (zero)
# Script version 1.0 - Greg Morris (Novell) - Aug 11th 2011 - initial release
# Script version 1.1 - Greg Morris (Novell) - Aug 14th 2011 - added error processing
# Script version 1.2 - Greg Morris (Novell) - Jan 9th 2013 - Modified for new version of slaptool
#
###########

# Get the status of backup operation from registry
# HKCU/Software/Protocom/SecureLogin
# Status codes:
# Not present - No backup has been attempted. Do nothing.
# 0 - Last backup was a success. Perform restore operation.
# Non-Zero value - Last backup failed (exit code of slaptool failure. See file backup.log for details of error.)

GetReg "HKCU\SoftWare\Protocom\SecureLogin\BackupStatus" ?backupstatus
If ?backupstatus Eq <NOTSET>
    #MessageBox "No backup to process"
    EndScript
Endif
If ?backupstatus Gt 0
    MessageBox "The backup process encountered an error. Error Code (" ?backupstatus ") Please contact the helpdesk."
    EndScript
Endif

# Check to make sure we are online
GetDirectoryStatus ?status
If ?status eq "offline"
   MessageBox "We are offline and cannot perform a restore of the user data. Please login again to re-attempt this operation."
   Endscript
Endif

# If we get to here then a successful backup is present and needs to be processed.
# We first try the current syspassword value; if this fails, the user is prompted.
Set ?pwd ?syspassword

# Loop so that we can process failed restore session
Repeat

 # The backup routine always adds a zero character to the end of the user's password
 Strcat ?pwd ?pwd "0"

 # Password used to decrypt must be at least 8 characters long (same padding as the backup script)
 Repeat
   StrLength ?Length ?pwd
   if ?Length Gt 7
       break
   Endif
   StrCat ?pwd ?pwd "0"
 EndRepeat

 # Run slaptool to perform the restore
 Run "c:\program files\novell\securelogin\restore.cmd" ?pwd

 # Counter for our repeat loop. Need to acquire restore status.
 Set ?loopctr 0

 Repeat
   # Add a little delay to let the restore process complete.
   Delay 500

   # Check status of the restore process
   #
   # Not present - No previous restore attempted
   # 0 - Last restore successful
   # non-zero - Last restore failed

   GetReg "HKCU\SoftWare\Protocom\SecureLogin\RestoreStatus" ?restorestatus

   # Check for success
   If ?restorestatus Eq 0
     MessageBox "Restore of user data completed successfully."
     Endscript
   Endif

   # Check for incorrect password to decrypt XML file
   If ?restorestatus Eq 4294967295
      MessageBox "The last restore attempt failed due to an incorrect password. Would you like to try again?" -YesNo ?tryagain
      If ?tryagain Eq "Yes"
         # Prompt the user to enter their eDirectory password.
         ChangePassword ?pwd "Please enter your network password."
      Else
         MessageBox "Restore of user data was aborted by user"
         Endscript
      Endif
      Break
   Endif

   Increment ?loopctr
   if ?loopctr Gt 10
      MessageBox "Restore process has taken too long to complete. Would you like to continue processing?" -YesNo ?Result
      If ?Result Eq "Yes"
         Set ?loopctr 0
      Else
         EndScript
      Endif
   Endif

  EndRepeat

EndRepeat
# End of Startup script to restore user data
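The control flow shared by backup.cmd, restore.cmd and the two startup scripts above (the zero-padded passphrase built from ?syspassword, the slaptool exit code stored as an unsigned REG_DWORD in BackupStatus/RestoreStatus, and the re-prompt when a restore returns 4294967295), rewritten as an added Python example that is not part of the original article or of NetIQ's tooling. It assumes slaptool and the registry are replaced by injectable callables so the logic runs offline.

```python
from typing import Callable, Optional

NOT_SET = None              # GetReg yields <NOTSET> when the registry value is absent
BAD_PASSWORD = 4294967295   # slaptool exit code -1 as stored by REG ADD /t REG_DWORD
MIN_LEN = 8                 # slaptool requires an encryption password of 8+ characters


def derive_passphrase(syspassword: str) -> str:
    """Mirror the startup scripts: append "0", then pad with "0" to >= 8 chars."""
    return (syspassword + "0").ljust(MIN_LEN, "0")


def classify_status(value: Optional[int]) -> str:
    """Interpret a BackupStatus/RestoreStatus DWORD the way the scripts do."""
    if value is NOT_SET:
        return "not-attempted"
    if value == 0:
        return "success"
    if value == BAD_PASSWORD:
        return "bad-password"
    return f"failed({value})"


def run_with_status(run: Callable[[str], int], syspassword: str) -> int:
    """Emulate backup.cmd/restore.cmd: run slaptool (injected, assumed) with the
    derived passphrase and return its exit code as the unsigned DWORD REG ADD stores."""
    return run(derive_passphrase(syspassword)) & 0xFFFFFFFF


def restore_flow(backup_status: Optional[int], run: Callable[[str], int],
                 syspassword: str, prompt: Callable[[], Optional[str]],
                 max_tries: int = 3) -> str:
    """Decision logic of the restore startup script: restore only after a
    successful backup, and re-prompt for the password when slaptool reports
    an incorrect decryption password (exit code -1 / 4294967295)."""
    state = classify_status(backup_status)
    if state == "not-attempted":
        return "skipped"            # no backup to process
    if state != "success":
        return "backup-" + state    # last backup failed; see backup.log
    pwd = syspassword
    for _ in range(max_tries):
        state = classify_status(run_with_status(run, pwd))
        if state != "bad-password":
            return state
        new_pwd = prompt()          # ChangePassword in the original script
        if new_pwd is None:         # user declined to retry
            return "aborted"
        pwd = new_pwd
    return "bad-password"
```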