Contents
About migration from KUMA
This section covers the migration from KUMA standalone to Kaspersky Next XDR Expert. Please note that the provided scenario refers to a situation, where you perform an initial Kaspersky Next XDR Expert installation along with the migration of existing KUMA standalone. If you already have a deployed instance of Kaspersky Next XDR Expert, you will not be able to migrate KUMA standalone with the respective data by following this scenario.
You must migrate data from KUMA 3.4. If you are using an earlier version, you have to update KUMA standalone up to 3.4, and then perform the migration to Kaspersky Next XDR Expert.
You can perform the migration for the following types of KUMA standalone deployment:
- Installation on a single server.
- Distributed installation.
- Distributed installation in a high availability configuration.
Migration implies two stages:
After you complete both stages, the transferred data and services are available. All services of KUMA standalone are configured for operating as a part of Kaspersky Next XDR Expert. Also, the transferred services are restarted.
What is transferred
- The /opt/kaspersky/kuma/core/data directory.
- The encryption key file /opt/kaspersky/kuma/core/encryption/key.
- The MongoDB base backup.
- Hierarchy of Kaspersky Security Center administration servers.
The administration servers that migrate to Kaspersky Next XDR Expert become bound to its root Administration Servers.
- Tenants.
The migrated tenants are registered in Kaspersky Next XDR Expert and become a child of the Root tenant. Each tenant belongs to an administration group in Kaspersky Next XDR Expert.
To migrate Kaspersky Security Center Administration Servers, domain users, and their roles, create a configuration file, and then set necessary parameters in this file.
- Binding of tenants to Kaspersky Security Center Administration Servers.
The secondary administration server of Kaspersky Security Center is registered in the corresponding service of the tenant settings of Kaspersky Security Center.
A link between a tenant and an Administration Server remains the same as it was in KUMA.
You can bind tenants only to physical Administration Servers. Binding tenants to virtual Administration servers is unavailable.
- Domain users.
For each domain with which the KUMA integration is configured, and which users have assigned roles in KUMA tenants, you must run domain controller polling by using Administration Server.
- Roles.
After domain controller polling is finished and the domain users are migrated, these users are assigned XDR roles in Kaspersky Next XDR Expert and the right to connect to Kaspersky Security Center.
If the migrated users had the assigned roles in secondary administration server of Kaspersky Security Center, you have to assign to these users the same roles in the administration group of its root Administration Server.
If you manually assigned XDR roles and/or Kaspersky Security Center roles to the users before running the migrator, after migration is finished, the users are assigned new XDR roles in the tenant specified in the configuration file and the manually assigned XDR roles are deleted. Kaspersky Security Center roles are not overwritten.
- Integration with Kaspersky Security Center.
- Integration with LDAP and third-party systems remain available.
- Events.
- Assets.
- Resources.
- Active services
What is not transferred
- Alerts and incidents are not be available in Kaspersky Next XDR Expert after migration. If you want to have original alerts and incidents at hand, we recommend that you restore KUMA backup on an individual host. This way, you will be able to perform a retrospective scanning.
- Dashboards are not transferred and remain available only in KUMA standalone in the read only mode, you will not be able to go over to the related alerts.
Integration with Active Directory (AD) and Active Directory Federation Services (ADFS).
Migrating KUMA standalone to Kaspersky Next XDR Expert
This article covers transferring data and services from KUMA standalone to Kaspersky Next XDR Expert.
After the migration is complete, all services of KUMA standalone are reconnected to KUMA Core under Kaspersky Next XDR Expert, and then the services are automatically restarted. KUMA standalone Core is not modified during migration, but if any services were installed on the same host as the KUMA standalone Core, the KUMA standalone Core may become unavailable, since the binary files are replaced during the course of the procedure.
To perform the migration from KUMA standalone to Kaspersky Next XDR Expert, complete the following stages:
- Preparing for migration.
- Creating a backup copy.
- Preparing the inventory file for migration.
- Migration.
Preparing for migration
Before you perform the migration, follow the steps:
- In KUMA standalone, generate a new token for a user who has rights to execute the
/api/v1/system/backup
request, and keep the token in a safe place. Later, you specify the new token to create a backup copy for KUMA standalone. - Prepare the hosts for installation of Kaspersky Next XDR Expert:
- Verify that you opened the required ports.
- Verify that you have SSH root access to the target hosts of KUMA standalone and access from Kaspersky Next XDR Expert worker nodes to port TCP 7223 of the deployed KUMA standalone. If necessary, run the following command to grant SSH root access to the target hosts of KUMA standalone:
ssh-copy-id -i /home/xdr/.ssh/id_rsa.pub <user>@<ip_kuma>
The preparing for migration stage is complete.
Creating a backup copy for KUMA standalone
Create a backup for KUMA standalone and keep the backup in a safe place. You will be able to restore the instance of KUMA standalone and repeat the migration all over again. Otherwise, in case of a failure, KUMA Core may be corrupted and you will not be able to perform the migration.
Before you create a backup, verify that KUMA Core in Kaspersky Next XDR Expert has network access to API ports of KUMA standalone services.
Create the backup file for KUMA standalone and upload it on the target host:
curl -sS -k "https://<KUMA_standalone_core_FQDN>:7223/api/v1/system/backup" -H "Authorization: Bearer $(cat standalone_token)" --output kuma_standalone_backup.tar.gz
Where standalone_token is the token that you previously generated in KUMA standalone.. Also, you can specify the token instead of $(cat standalone_token).
Preparing the inventory file for migration
Prepare the inventory file. In the inventory file, list all hosts that you use for services in KUMA standalone. The hosts must match in both inventory files: the one you used for KUMA standalone deployment and the one you are going to use for migration. If necessary, you can get the required information regarding hosts in KUMA standalone, in Resources → Active services section.
If you want to expand the infrastructure and deploy KUMA services while performing the migration, make sure that you specify the additional hosts in the inventory file, and that the designation of hosts that you listed for migration in the inventory file remains unchanged.
Path to the inventory file that you prepared is specified in the multinode.smp_param.yaml or singlenode.smp_param.yaml file in the inventory
parameter.
When preparing the inventory file, verify that you observe the following conditions:
- In the
kuma_utils
group of parameters, specify hosts with services. Also, in this group of parameters, if you want to expand the infrastructure along with the migration, you can specify new hosts where KUMA services are be deployed. - For all hosts, specify both FQDN and IP address.
- Skip the
kuma_core
section. - In the
all
group of parameters, avoid changing theansible_connection
andansible_user
variables, since the variables correspond to the user and the type of connection used for invocation image. - In the
kuma
group of parameters, theansible_connection
andansible_user
variables must correspond to the user who performs the installation on the remote hosts. For details about inventory file, users, and rights, refer to KUMA help. - If DNS resolves all names, you can specify
false
for thegenerate_etc_hosts
parameter or skip thegenerate_etc_hosts
parameter.
Sample of the inventory.yaml with KUMA standalone services installed on a single host
Sample of the inventory.yaml with KUMA standalone services installed on multiple hosts.
Migration
To perform the migration:
- Place the KUMA standalone backup copy on a target host, where you are going to install Kaspersky Next XDR Expert.
- On the administrator host, run the following command with the
kuma_backup_file
parameter. Specify the path to the transport archive with the Kaspersky Next XDR Expert components and the path to the prepared multinode.smp_param.yaml or singlenode.smp_param.yaml file, same as for initial installation../kdt apply -k <
path_to_transport_archive
> -i <
path_to_configuration_file
> --accept-eula -p --if kuma_backup_file=./<
kuma_standalone_backup
>.tar.gz
After migration is complete, all services connect to KUMA Core in Kaspersky Next XDR Expert and become available in KUMA Console under Resources → Active services.
If KUMA standalone Core was installed on an individual host, after you perform the migration, KUMA standalone Core maintains the option to address the services migrated to Kaspersky Next XDR Expert. In this case, service statuses are displayed and you are able to restart the services, change the services configuration, get the service log, and view the events. To avoid such case, use any of the following options:
- Before you perform the migration, disable KUMA standalone Core.
- After you perform the migration, in Kaspersky Next XDR Expert, go to KUMA Console Settings → Common and click Reissue internal CA certificates, and then run the following command and wait till KUMA Core and all services are restarted in Kaspersky Next XDR Expert:
./kdt invoke kuma --action resetServicesCert
Running the migrator to transfer data
After migration from KUMA standalone is complete, you have to run the migrator to transfer data.
You can obtain the migrator through Technical Support.
To transfer Kaspersky Security Center Administration Servers, domain users, and assigned roles:
- Run the installation of KUMA migrator in the command line.
kdt apply --force -k kuma-migrator_
<version>
.tar --accept-eula
- Fetch the data for migration by running the following command:
kdt invoke kuma-migrator --action fetch
- Copy the result of the data fetch, and then create a configuration file in the YAML format.
- Open the configuration file and insert the result of the data fetch.
If necessary, you can delete Kaspersky Security Center Administration Servers or users that you do not want to migrate.
- For Kaspersky Security Center Administration Servers, specify information in the following fields:
Login
.Password
.URL
. You have to specify the full path by adding https://.Thumbprint_sha1_encoded
. You have to specify the SHA1 thumbprint of the Kaspersky Security Center Server certificate.You can get the Administration Server certificate in OSMP Console. To do this, in the main menu, click the settings icon (
) next to the name of the required Administration Server, and then on the General tab click the View Administration Server certificate link to download the certificate.
Insecure_skip_verify
.The
false
value is selected for this parameter by default. In this case, the Administration Server certificate is verified when performing the migration. If you want to disable certificate verification, you can specify thetrue
value in this field.We do not recommend that you disable certificate verification.
- Run the corresponding commands to migrate data.
If you want to migrate all data, run the following command:
kdt invoke kuma-migrator --action migrate-all --param migrationConfigFilePath=
<configuration file name>
.yaml
If you want to migrate only Kaspersky Security Center Administration Servers, run the following command:
kdt invoke kuma-migrator --action migrate-ksc-servers --param migrationConfigFilePath=
<configuration file name>
.yaml
If you want to migrate only users, run the following command:
kdt invoke kuma-migrator --action migrate-users --param migrationConfigFilePath=
<configuration file name>
.yaml