Chapter 15. Detailed Example of a Certificate System Migration

15.1. CA Migration
15.1.1. Step 1: Preparing the Old Certificate System
15.1.2. Step 2: Creating a New Certificate System Installation
15.1.3. Step 3: Stopping All New Certificate System Instances
15.1.4. Step 4: Migrating Security Databases
15.1.5. Step 5: Migrating Password Cache Data
15.1.6. Step 6: Migrating Internal Databases
15.1.7. Step 7: Customizing User Data (Non-Console)
15.1.8. Step 8: Starting All New Certificate System Instances
15.1.9. Step 9: Generating New Certificate System Server Certificates
15.1.10. Step 10: Customizing User Data (Console)
15.1.11. Step 11: After Migration
15.2. DRM Migration
15.2.1. Step 1: Preparing the Old Server
15.2.2. Step 2: Creating a New Certificate System Installation
15.2.3. Step 3: Stopping All New Certificate System Instances
15.2.4. Step 4: Migrating Security Databases
15.2.5. Step 5: Migrating Password Cache Data
15.2.6. Step 6: Migrating Internal Databases
15.2.7. Step 7: Customizing User Data (Non-Console)
15.2.8. Step 8: Starting All New Certificate System Instances
15.2.9. Step 9: Renewing the Certificate System Server Certificates
15.2.10. Step 10: Customizing User Data (Console)
15.2.11. Step 11: Verifying Migration
15.3. OCSP Migration
15.3.1. Step 1: Preparing the Old Server
15.3.2. Step 2: Creating a New Certificate System Installation
15.3.3. Step 3: Stopping All New Certificate System Instances
15.3.4. Step 4: Migrating Security Databases
15.3.5. Step 5: Migrating Password Cache Data
15.3.6. Step 6: Migration of Internal Databases
15.3.7. Step 7: Customizing User Data (Non-Console)
15.3.8. Step 8: Starting All New Certificate System Instances
15.3.9. Step 9: Renewing the Certificate System Server Certificates
15.3.10. Step 10: Customizing User Data (Console)
15.3.11. Step 11: Verifying Migration

This chapter contains a detailed example of a full Certificate System migration.

| Setting | OLD INSTALLATION | NEW INSTALLATION |
|---|---|---|
| Version | Certificate Management System 6.1 (SP 4), including hot-fixes | Certificate System 7.3 |
| Platform | Solaris 8 | Red Hat Enterprise Linux 4 (AS) |
| Subsystems | CA, DRM, OCSP, RA | CA, DRM, OCSP |
| Server Instances | admin-serv, slapd-ds, cert-ca, slapd-ca-db, cert-drm, slapd-drm-db, cert-ocsp, slapd-ocsp-db, cert-ra, slapd-ra-db | slapd-DS-instance, rhpki-ca, rhpki-kra, rhpki-ocsp |
| Machine Name | alpha.example.com | server.example.com |
| HSM Information | N/A - uses security databases | Epsilon HSM Token Name: epsilon; Slot Names: rho for the CA, tau for the DRM, and phi for the OCSP; library path: /var/lib; library name: libepsilon.so |
| Server Root | /usr/netscape/servers | /var/lib/instance_id |
| User | cmsuser | pkiuser |
| Group | cmsgroup | pkiuser |
| Password Cache passwords | CA: diamond; DRM: emerald; OCSP: sapphire | CA: diamond; DRM: emerald; OCSP: sapphire |
| Password.conf | used by the CA, DRM, and OCSP | used by the CA, DRM, and OCSP |
| Backup Facility | Professional backup facility | Professional backup facility |

Table 15.1. Example System Configurations

NOTE

In this example, all of the Certificate System 6.1 (SP 4) servers are located on a single machine called alpha.example.com and are all migrated to Certificate System 7.3 instances located on a single machine called server.example.com. It is strongly recommended that real deployments separate the subsystems across multiple machines.

Additionally, each subsystem uses a simple password; real deployments should use more robust, cryptographically stronger passwords containing uppercase letters, lowercase letters, numbers, and other special characters.

This example migration follows all of the migration steps described previously for moving from Certificate Management System 6.1 (SP 4) to Certificate System 7.3, based on the configurations in Table 15.1, “Example System Configurations”. The migration of each subsystem must be completed before beginning the migration of the next subsystem.