9.12. Migrating Internal Databases for 7.2

  1. Log into the Directory Server for the new Certificate System instance, and export the new internal database content to LDIF. The internal database name for the Certificate System instance is in the internaldb.database parameter in the CS.cfg file. For example:

    cd /opt/redhat-ds/slapd-DS-instance/db
    db2ldif -n server.example.com-rhpki-ca
    

    The location and name of the LDIF file is shown once the conversion from the database to LDIF is complete.

    ldif file:
    /opt/redhat-ds/slapd-DS-instance/ldif/dated_#_file.ldif
    
  2. Open the given LDIF location, and rename the LDIF file new.ldif.

    cd /opt/redhat-ds/slapd-DS-instance/ldif
    mv dated_#_file.ldif new.ldif
    
  3. Copy the newest version of the migration utility to the old Certificate System. The migration utility is available as an independent RPM, which can be downloaded through the Certificate System Red Hat Network channel. The migration utilities are installed in the directory /usr/share/rhpki/migrate.

    1. Open the migration directory.

      cd /usr/share/rhpki
      
    2. Package the latest version of the migration utility using zip or tar.

      tar -cvf migrate.tar migrate
      

      Note

      Regardless of the packaging tool used, the corresponding tool must be present on the platform where the old server resides. If the platforms are identical and the zip utility is used, copy the unzip tool from the new server to the old server so that the zip and unzip versions match.

    3. Copy the package from the new server to the old server (when the two instances are on different machines, use a remote copy tool such as scp instead of cp), and remove the package from the new server.

      cp /usr/share/rhpki/migrate.tar old_server_root/bin/cert
      rm /usr/share/rhpki/migrate.tar
      
    4. Log into the old server as the Certificate System user for that machine, and open the Certificate System bin/cert/ directory.

      cd old_server_root/bin/cert
      
    5. Log in as root, and set the file user and group to the Certificate System user and group.

      su
      chown user:group migrate.tar
      
    6. Log out as root. As the Certificate System user, change the permissions on the file.

      chmod 00600 migrate.tar
      
    7. Unpackage the latest version of the migration utility using unzip or tar.

      tar -xvf migrate.tar
      
  4. Run the db2ldif command to export the database contents to LDIF.

    cd old_server_root/slapd-old_instance-db
    db2ldif -n userRoot
    

    The location and name of the LDIF file is shown once the conversion from the database to LDIF is complete.

    ldif file:
    old_server_root/slapd-old_instance-db/ldif/dated_#_file.ldif
    
  5. Open the given LDIF location, and rename the LDIF file old.ldif.

    cd old_server_root/slapd-old_instance-db/ldif
    mv dated_#_file.ldif old.ldif
    
  6. Adjust the LDIF content of old.ldif.

    Note

    When using a text editor to perform the substitution instead of a script, use an editor that can handle files larger than 2 to 4 GB, such as vim, because the LDIF files may exceed 2 GB in some deployments.

    1. Open the old Certificate System LDIF directory.

      cd old_server_root/slapd-old_instance-db/ldif
      
    2. Replace the old base DN in every DN of old.ldif with the value of the internaldb.basedn parameter in the new instance's CS.cfg file. For example, the base DN suffix in an entry such as the following is replaced:

      cn=aclResources,dc=server.example.com-rhpki-ca
      
    3. Add new groups for the security domains.

      cn=Security Domain Administrators,ou=groups,basedn
      cn=Enterprise CA Administrators,ou=groups,basedn
      cn=Enterprise KRA Administrators,ou=groups,basedn
      cn=Enterprise OCSP Administrators,ou=groups,basedn
      cn=Enterprise TKS Administrators,ou=groups,basedn
      cn=Enterprise TPS Administrators,ou=groups,basedn
      
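The following script is an added example for step 6 and is not part of the Red Hat Certificate System documentation or its migration utilities. It streams old.ldif through sed so that multi-gigabyte exports are handled without loading them into an editor, rewrites every occurrence of the old base DN (in dn: lines and in DN-valued attributes such as uniqueMember) to the new internaldb.basedn value, and appends the six security-domain groups. The base DNs, the sample LDIF and the objectClass attributes of the group entries are assumptions: the page lists only the group DNs, and the real base DNs come from internaldb.basedn in each CS.cfg.

```shell
#!/bin/sh
# Added example (not from the Certificate System documentation): rewrite the
# base DN in an exported old.ldif and append the security-domain groups.
# Base DN values and the sample LDIF below are constructed for illustration.
set -eu

# Escape a literal string for use inside a sed basic-regex pattern.
sed_escape_pattern() {
    printf '%s\n' "$1" | sed 's|[][\\.*^$/]|\\&|g'
}

# Escape a literal string for use inside a sed replacement.
sed_escape_replacement() {
    printf '%s\n' "$1" | sed 's|[\\/&]|\\&|g'
}

# adjust_ldif IN_LDIF OLD_BASEDN NEW_BASEDN OUT_LDIF
# Replaces OLD_BASEDN with NEW_BASEDN everywhere it appears, then appends the
# six groups from step 6 under ou=groups of the new base DN.
# Caveat: the naming attribute of the suffix entry itself (for example the
# "dc:" value) is not rewritten; check it by hand if the RDN value changes.
adjust_ldif() {
    in=$1
    old_base=$2
    new_base=$3
    out=$4
    pat=$(sed_escape_pattern "$old_base")
    rep=$(sed_escape_replacement "$new_base")
    sed "s/$pat/$rep/g" "$in" > "$out"
    for group in 'Security Domain Administrators' \
                 'Enterprise CA Administrators' \
                 'Enterprise KRA Administrators' \
                 'Enterprise OCSP Administrators' \
                 'Enterprise TKS Administrators' \
                 'Enterprise TPS Administrators'; do
        # Assumption: groupOfUniqueNames, like the other Certificate System
        # groups; the documentation lists only the DNs.
        printf '\ndn: cn=%s,ou=groups,%s\nobjectClass: top\nobjectClass: groupOfUniqueNames\ncn: %s\n' \
            "$group" "$new_base" "$group" >> "$out"
    done
}

# Count DNs that db2ldif wrote base64-encoded ("dn:: ..."); a textual
# substitution cannot reach those, so a non-zero count needs manual review.
count_base64_dns() {
    grep -c '^dn:: ' "$1" || true
}

# Count security-domain group entries (the six "... Administrators" groups,
# not the pre-existing cn=Administrators group).
count_admin_groups() {
    grep -c '^dn: cn=.* Administrators,ou=groups,' "$1" || true
}

# Writes a small constructed LDIF in the shape of a db2ldif export.
write_sample_ldif() {
    cat > "$1" <<'EOF'
dn: dc=server.example.com-rhpki-ca
objectClass: top
objectClass: domain
dc: server.example.com-rhpki-ca

dn: ou=groups,dc=server.example.com-rhpki-ca
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: cn=Administrators,ou=groups,dc=server.example.com-rhpki-ca
objectClass: top
objectClass: groupOfUniqueNames
cn: Administrators
uniqueMember: uid=admin,ou=people,dc=server.example.com-rhpki-ca

dn: cn=aclResources,dc=server.example.com-rhpki-ca
objectClass: top
objectClass: CertACLS
cn: aclResources
EOF
}

# Usage with the paths from the procedure (base DNs are placeholders):
#   adjust_ldif old.ldif 'dc=server.example.com-rhpki-ca' "$NEW_BASEDN" old.adjusted.ldif
#   [ "$(count_base64_dns old.adjusted.ldif)" -eq 0 ] || echo 'base64 DNs need manual review'
```

Run the adjusted file through the 71ToTxt run.sh in step 7 exactly as old.ldif would be. Like old.txt in step 11, the adjusted LDIF holds the full contents of the internal database, so keep it readable only by the Certificate System user and delete it once the import has been verified.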
  7. Convert the old.ldif file to a text file.

    1. Open the version to text directory in the old Certificate System migration directory.

      cd /usr/share/rhpki/migrate/71ToTxt
      
    2. Edit the run.sh script by uncommenting and setting the values for the following lines. For example:

      • SERVER_ROOT=old_server_root

      • export SERVER_ROOT

      • INSTANCE=old_instance

      • export INSTANCE

    3. Run the run.sh to use the old.ldif file to create a text file.

      run.sh old_server_root/slapd-old_instance-db/ldif/old.ldif > old_server_root/slapd-old_instance-db/ldif/old.txt
      
  8. Open the old Certificate System LDIF directory, and copy the old.txt file to the new Certificate System server instance's internal database LDIF directory.

    cd old_server_root/slapd-old_instance-db/ldif
    cp old_server_root/slapd-old_instance-db/ldif/old.txt /opt/redhat-ds/slapd-DS-instance/ldif
    
  9. Log into the new server as the Certificate System user, and open the Certificate System ldif/ directory.

    cd /opt/redhat-ds/slapd-DS-instance/ldif
    
  10. Log in as root, and set the file user and group to the Certificate System user and group.

    su
    chown user:group old.txt
    
  11. Log out as root. As the Certificate System user, change the permissions on the file.

    chmod 00600 old.txt
    
  12. Convert the old.txt file to LDIF.

    1. Open the text to version directory in the new Certificate System migration directory.

      cd /usr/share/rhpki/migrate/TxtTo73
      
    2. Edit the run.sh script by uncommenting and setting the values for the following lines. For example:

      • SERVER_ROOT=/var/lib

      • export SERVER_ROOT

      • INSTANCE=rhpki-ca

      • export INSTANCE

    3. Run run.sh to use old.txt to create an LDIF file.

      run.sh /opt/redhat-ds/slapd-DS-instance/ldif/old.txt > /opt/redhat-ds/slapd-DS-instance/ldif/old.ldif
      
  13. Import the old.ldif LDIF file into this new Certificate System server instance's internal database.

    1. Open the new Certificate System database directory.

      cd /opt/redhat-ds/slapd-DS-instance/db
      
    2. Run the ldif2db command to import the LDIF file into the Certificate System database. The internal database name for the Certificate System instance is in the internaldb.database parameter in the CS.cfg file. For example:

      ldif2db -n server.example.com-rhpki-ca -i /opt/redhat-ds/slapd-DS-instance/ldif/old.ldif
      
    3. Force the virtual list view (VLV) indexes to be rebuilt.

      db2index