Open the file ...SAMMigration\IndeedCM.Migrate.SAM.exe.config as administrator in a text editor (for example, Notepad) and fill in the following sections:

  • samSettings - SAM data storage connection parameters:

    • MsCAConnectorId - identifier of the connector to Microsoft CA. The value of the parameter can be found in the xml file of the connector in the SAM directory. The default value is: {1A30B883-CD69-4cbb-8D61-E72E9697D8B1}.

      Default path C:\Program Files\SafeNet\Authentication\SAM\x64\Bin\MsCAConnectorDescriptor.xml


    • connectionString - path to xml file (in the file name, name of the domain where SAM is deployed) with information for connecting to the SAM server.

      Default path C:\ProgramData\SafeNet\Authentication\SAM\


  • migrateSAMSettings - data migration parameters:
    • ignoreCMCertificateTemplateNotFoundError - card import parameter.
      Two values are possible:
      • true - imports from SAM the card and only those certificates on it, for which there is a template created in the Indeed CM policy.

      • false - card is not imported from SAM, if Indeed CM policy does not have at least one template for a certificate issued in SAM.

        This does not stop the process of importing cards in either case. The attribute is optional, the default value is "false".


    • notIssuedTokenAdminPin - If the card in SAM is in the "registered" state and has never been issued, this parameter specifies the administrator PIN that will be set on the card after transferring it to Indeed CM.
    • issuedTokenAdminPin - if the key-carrier in SAM is in any other state and was issued without initialization, the parameter specifies the administrator PIN, which will be set on the card after migration it to Indeed CM.

    • tokenTypes - a section that should list all cards that need to be migrated from SAM to Indeed CM. You must specify the card model (token, smart card), product name, card color and ATR (Answer To Reset) value.

      The ATR value for each card can be obtained from the manufacturer or with third-party software by contacting Indeed-Id Technical Support.

      If the IndeedCM.Migrate.SAM.exe utility encounters a card with a model and product name that are not specified in the tokenTypes section, such cards will not be migrated to the Indeed CM storage, and the utility will display the corresponding error.


  • adPersistenceSettings - parameters of connection to the Indeed CM data repository located in Active Directory. The contents of this section must be identical to the contents of the same name section of the Indeed CM Management Console configuration file (icm\Web.config).
  • sqlPersistenceSettings - the parameters of connection to the Indeed CM datastore in Microsoft SQL environment. By default this section is commented out with the following characters: <! - - . . . - ->. The contents of the section must be identical to the contents of the same name section of the Indeed CM Management Console configuration file (icm\Web.config).
  • adUserCatalogSettings - parameters of connection to the Indeed CM user catalog, located in Active Directory. The contents of the section must be identical to the contents of the same name section of the Indeed CM Management Console configuration file (icm\Web.config).
  • Save the changes.

An example of the populated sections of the IndeedCM.Migrate.SAM.exe.config file is shown below. In the example, SAM is deployed in the demo.local domain, the SAM repository, Indeed CM, and the user catalog in Active Directory.

<samSettings MsCAConnectorId="{1A30B883-CD69-4cbb-8D61-E72E9697D8B1}"
connectionString="C:\ProgramData\SafeNet\Authentication\SAM\demo.local.xml" />
<migrateSAMSettings ignoreCMCertificateTemplateNotFoundError="true"
notIssuedTokenAdminPin="adminpass"
issuedTokenAdminPin="adminpass2">
<tokenTypes>
<tokenType model="Token 12.0.0.0 12.0.12"
productName="SafeNet eToken 5110"
color="8"
atr="3bd5180081313a7d8073c8211030" />
<tokenType model="Token JC"
productName="eToken PRO Java 72K OS755"
color="4"
atr="3bd518008131fe7d8073c82110f4" />
</migrateSAMSettings>
<adPersistenceSettings path="LDAP://CN=Indeed CM,CN=Indeed Identity,
DC=demo,DC=local" userName="DEMO\cmadmin" password="Password1"
cryptoAlgName="AES"
cryptoKey="11d2f5051684451860ad177ebc39b55cacaf2a0a843b05ddf273b955c93ae015" />
<adUserCatalogSettings>
<rootContainers>
<container path="LDAP://OU=SAM_USERS,DC=demo,DC=local" userName="DEMO\cmadmin"
password="Password1" />
</rootContainers>
</adUserCatalogSettings>