Migrating OpenIAM from an on-premises installation to a cloud-based infrastructure

Organizations typically migrate OpenIAM from on-premises to the cloud to improve scalability, reduce infrastructure overhead, and take advantage of built-in high availability and disaster recovery capabilities. Cloud environments also simplify integration with modern SaaS and cloud-native applications while enhancing security and operational efficiency. In many cases, migration is part of a broader modernization or data center exit strategy aimed at improving long-term flexibility and maintainability.

If this matches your business needs, the guide below describes the process of migrating an existing OpenIAM deployment from an on-premises environment to a cloud-based infrastructure using the RPM installation model. The approach follows a lift-and-shift strategy, ensuring that the target environment mirrors the source environment in terms of version, configuration, and system layout.

The goal of this migration is to preserve system integrity, minimize downtime, and ensure a seamless transition without introducing version-related or configuration inconsistencies.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

  • The target cloud environment uses a supported Linux distribution for RPM-based installation (e.g., RHEL, CentOS, Rocky Linux, AlmaLinux). You can check the compatibility in the installation document.
  • Administrative (root or sudo) access is available for both environments.
  • The same OpenIAM RPM version is available for installation in the cloud.
  • Verified backups are created for:
    • Database
    • Elasticsearch / OpenSearch
    • Vault and/or ETCD
    • Java keystore (cacerts)
  • A maintenance window is defined to minimize user impact.

Migration process

  1. Provision cloud infrastructure. Create virtual machines in the cloud environment that replicate the architecture of the on-premises RPM deployment.

Key considerations:

  • Match compute resources (CPU, memory, storage).
  • Replicate network topology (subnets, firewalls, load balancers).
  • Configure DNS records for all OpenIAM endpoints.
  • Ensure secure connectivity between components.
  2. Install OpenIAM and infrastructure components. Install all required infrastructure and OpenIAM services using RPM packages. The respective procedure is given in this section of the documentation.

Typical installation includes:

  • Database server (external or dedicated VM)
  • Elasticsearch / OpenSearch
  • Vault and/or ETCD
  • RabbitMQ
  • OpenIAM RPM packages:
    • openiam-core
    • openiam-webconsole
    • openiam-esb
    • openiam-connectors (if applicable)

Ensure that:

  • The installed OpenIAM version matches the on-premises version.
  • Configuration files are aligned with the source environment.
  • Services are installed but not yet started or exposed to users.
  3. Migrate database data. The database contains core identity data, configuration, and transactional records.
Note that database migration depends on the database type used (use the corresponding DB utility). It is not always required, especially if you will use the same external database. If you need to use a new database, take a snapshot and restore it in the new database, as described below.
  • Stop OpenIAM services on the on-premises system.
  • Create a database backup using native tools (e.g., pg_dump, Oracle expdp, or MSSQL backup).
  • Transfer the backup securely to the cloud environment.
  • Restore the database into the target system.
  • Validate data integrity by checking:
    • Schema consistency
    • Record counts
    • Key entities such as users, roles, and policies.
  4. Migrate Elasticsearch / OpenSearch data. Search indexes must be migrated to maintain reporting and search capabilities. The exact procedure is described in the respective document.

  5. Migrate Vault / ETCD data. Secrets management data is critical for system functionality and security. The procedure for copying the Vault / ETCD data is given here.

  6. Migrate Java keystore (cacerts). The Java truststore must be consistent across environments to ensure secure communication.

Use the commands below.

cd /usr/local/openiam/jdk/lib/security/
# -z applies gzip compression so the archive matches its .tar.gz name
tar -czvf cacerts-from-rpm.tar.gz cacerts

Copy the cacerts-from-rpm.tar.gz file to the newly installed cloud environment.
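
Because a modified truststore changes which certificate authorities every OpenIAM service trusts, the copy is worth verifying before it replaces the file on the target. The following is an added example, not part of the OpenIAM documentation or tooling: the function names pack_cacerts and install_cacerts, the .sha256 sidecar file and the cacerts.pre-migration backup name are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: integrity-checked transfer of the OpenIAM Java truststore.
# pack_cacerts, install_cacerts, the .sha256 sidecar and the
# cacerts.pre-migration backup name are assumptions, not OpenIAM tooling.

SECURITY_DIR=/usr/local/openiam/jdk/lib/security   # path from the step above

# Source host: archive cacerts and write a SHA-256 sidecar beside the archive.
# Usage: pack_cacerts <archive> [security_dir]
pack_cacerts() {
    local out="$1" dir="${2:-$SECURITY_DIR}"
    tar -czf "$out" -C "$dir" cacerts || return 1
    ( cd "$(dirname "$out")" &&
      sha256sum "$(basename "$out")" > "$(basename "$out").sha256" )
}

# Target host: verify the archive, keep the freshly installed truststore as a
# backup, then extract. Refuses to touch the target if any check fails.
# Usage: install_cacerts <archive> [security_dir]
install_cacerts() {
    local archive="$1" dir="${2:-$SECURITY_DIR}"
    local backup="$dir/cacerts.pre-migration"
    ( cd "$(dirname "$archive")" &&
      sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1 ) || {
        echo "checksum mismatch: not installing $archive" >&2
        return 1
    }
    # The archive must contain exactly one member, named cacerts.
    [ "$(tar -tf "$archive")" = "cacerts" ] || {
        echo "unexpected archive contents in $archive" >&2
        return 1
    }
    # Preserve the original target truststore once; never overwrite the backup.
    if [ -f "$dir/cacerts" ] && [ ! -e "$backup" ]; then
        cp -p "$dir/cacerts" "$backup" || return 1
    fi
    tar -xf "$archive" -C "$dir" cacerts
}
```

A sidecar that travels with the archive only detects corruption in transit; to detect tampering, compare the SHA-256 value over a separate channel before running install_cacerts.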

Post-migration

Start all services in the appropriate order:

  • Database
  • Search engine
  • Vault / ETCD
  • Messaging system
  • OpenIAM services

Perform comprehensive validation:

  • Access the OpenIAM Webconsole.
  • Verify user accounts and roles.
  • Test authentication and authorization flows.
  • Execute provisioning and synchronization tasks.
  • Review system logs for errors or warnings.