diff --git a/REFERENCE.md b/REFERENCE.md
index 9f897504d..38d60c1f6 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -2476,6 +2476,7 @@ The following parameters are available in the `peadm::restore` plan:
* [`restore_type`](#-peadm--restore--restore_type)
* [`restore`](#-peadm--restore--restore)
* [`input_file`](#-peadm--restore--input_file)
+* [`console_password`](#-peadm--restore--console_password)
##### `targets`
@@ -2505,6 +2506,14 @@ Data type: `Pattern[/.*\.tar\.gz$/]`
The file containing the backup to restore from
+##### `console_password`
+
+Data type: `Optional[String]`
+
+
+
+Default value: `undef`
+
### `peadm::restore_ca`
The peadm::restore_ca class.
diff --git a/functions/migration_opts_default.pp b/functions/migration_opts_default.pp
index a096d9a90..99b57e558 100644
--- a/functions/migration_opts_default.pp
+++ b/functions/migration_opts_default.pp
@@ -7,6 +7,6 @@ function peadm::migration_opts_default () {
'config' => false,
'orchestrator' => true,
'puppetdb' => true,
- 'rbac' => false,
+ 'rbac' => true,
}
}
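Review bot: The flipped default `'rbac' => true` has no comment explaining that every migration using the defaults now restores the old primary's RBAC data onto the new primary. That presumably replaces the new host's console users and credentials with the old ones, which would explain why plans/migrate.pp now forwards `$old_primary_password`. I would add a comment above the key, such as `# rbac is restored by default: console users and credentials on the new primary become those of the old primary`. The start of the function is outside this hunk.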
diff --git a/plans/migrate.pp b/plans/migrate.pp
index 020e56876..108d18d89 100644
--- a/plans/migrate.pp
+++ b/plans/migrate.pp
@@ -77,9 +77,10 @@
})
run_plan('peadm::restore', {
- targets => $new_primary_host,
- restore_type => 'migration',
- input_file => $remote_backup_path,
+ targets => $new_primary_host,
+ restore_type => 'migration',
+ input_file => $remote_backup_path,
+ console_password => $old_primary_password,
})
$node_types = {
diff --git a/plans/restore.pp b/plans/restore.pp
index bbb8bd95e..b1a83e671 100644
--- a/plans/restore.pp
+++ b/plans/restore.pp
@@ -19,6 +19,9 @@
# Path to the recovery tarball
Pattern[/.*\.tar\.gz$/] $input_file,
+
+ # Console password for restored system
+ Optional[String] $console_password = undef,
) {
peadm::assert_supported_bolt_version()
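Review bot: The new `$console_password` parameter is a plain `Optional[String]`, so the credential moves through the plan as ordinary data and may appear in Bolt debug logging or plan output, depending on configuration not visible here. Declaring it as `Optional[Sensitive[String]] $console_password = undef,` and unwrapping it only at the `peadm::rbac_token` call in the later hunk of this file would keep it redacted. The caller in plans/migrate.pp would then need to pass a Sensitive value, so check that against the type of `$old_primary_password`, which is declared outside this diff. The parameter comment could also state when the value is used, for example `# Console password used to obtain an RBAC token during a migration restore`.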
@@ -194,8 +197,8 @@
# Restore secrets/keys.json if it exists
out::message('# Restoring ldap secret key if it exists')
run_command(@("CMD"/L), $primary_target)
- test -f ${shellquote($recovery_directory)}/rbac/keys.json \
- && cp -rp ${shellquote($recovery_directory)}/keys.json /etc/puppetlabs/console-services/conf.d/secrets/ \
+ test -f ${shellquote($recovery_directory)}/rbac/secrets/keys.json \
+ && cp -rp ${shellquote($recovery_directory)}/rbac/secrets/keys.json /etc/puppetlabs/console-services/conf.d/secrets/ \
|| echo secret ldap key doesnt exist
| CMD
# lint:ignore:140chars
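Review bot: The corrected paths still sit in a `test -f … && cp … || echo …` chain, so a failed `cp` of the secrets key falls through to the `echo`, prints "doesnt exist" and exits 0. The plan would then continue with the RBAC data restored but without the key that protects its stored secrets, and nothing in the output would say the copy failed. An explicit `if`/`else` keeps the "file absent" case quiet while letting a copy error fail `run_command`. The matching expectation in spec/plans/restore_spec.rb would need the same string. It is also worth confirming that `cp -rp` leaves the owner and mode the console service expects, since `-p` keeps whatever the tarball extraction produced.

```puppet
run_command(@("CMD"/L), $primary_target)
  if test -f ${shellquote($recovery_directory)}/rbac/secrets/keys.json; then \
    cp -rp ${shellquote($recovery_directory)}/rbac/secrets/keys.json /etc/puppetlabs/console-services/conf.d/secrets/; \
  else \
    echo secret ldap key doesnt exist; \
  fi
  | CMD
```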
@@ -296,6 +299,11 @@
# TODO: consider adding a heuristic to skip when innappropriate due to size
# or other factors.
if getvar('recovery_opts.puppetdb') and $restore_type == 'migration' {
+ # ensure there is a valid token on the new primary host
+ run_task('peadm::rbac_token', $primary_target,
+ password => $console_password,
+ token_lifetime => '1y',
+ )
run_command(@("CMD"/L), $primary_target)
/opt/puppetlabs/bin/puppet-db import \
--cert=$(/opt/puppetlabs/bin/puppet config print hostcert) \
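Review bot: `run_task('peadm::rbac_token', …)` is called with `password => undef` whenever a migration restore runs without `console_password`, because the parameter is optional and nothing in this hunk checks it. Failing early gives a clearer error than a task failure partway through a restore, for example `unless $console_password { fail_plan('console_password is required when restore_type is migration') }` ahead of the call. Separately, `token_lifetime => '1y'` leaves a year-long token behind for what looks like a one-off import. A lifetime sized to the import, such as `'1h'`, would limit exposure if the token stays on disk; where the task stores it is not visible here. The `if` block continues past the end of the hunk.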
diff --git a/spec/plans/restore_spec.rb b/spec/plans/restore_spec.rb
index 52754b8eb..f623f5b0b 100644
--- a/spec/plans/restore_spec.rb
+++ b/spec/plans/restore_spec.rb
@@ -64,7 +64,7 @@
expect_command("umask 0077 && cd /input && tar -xzf /input/file.tar.gz\n")
expect_command("/opt/puppetlabs/bin/puppet-backup restore --scope=certs,code,config --tempdir=/input/file --force /input/file/recovery/pe_backup-*tgz\n")
expect_command("systemctl stop pe-console-services pe-nginx pxp-agent pe-puppetserver pe-orchestration-services puppet pe-puppetdb\n")
- expect_command("test -f /input/file/rbac/keys.json && cp -rp /input/file/keys.json /etc/puppetlabs/console-services/conf.d/secrets/ || echo secret ldap key doesnt exist\n")
+ expect_command("test -f /input/file/rbac/secrets/keys.json && cp -rp /input/file/rbac/secrets/keys.json /etc/puppetlabs/console-services/conf.d/secrets/ || echo secret ldap key doesnt exist\n")
expect_command("su - pe-postgres -s /bin/bash -c \"/opt/puppetlabs/server/bin/psql --tuples-only -d 'pe-puppetdb' -c 'DROP SCHEMA IF EXISTS pglogical CASCADE;'\"\n").be_called_times(2)
expect_command("su - pe-postgres -s /bin/bash -c \"/opt/puppetlabs/server/bin/psql -d 'pe-puppetdb' -c 'DROP SCHEMA public CASCADE; CREATE SCHEMA public;'\"\n")
expect_command('su - pe-postgres -s /bin/bash -c "/opt/puppetlabs/server/bin/psql -d \'pe-puppetdb\' -c \'ALTER USER \\"pe-puppetdb\\" WITH SUPERUSER;\'"' + "\n")