15.1.6. Step 6: Migrating Internal Databases

NOTE

For more detailed information on migrating internal databases, see Section 9.8, “Migrating Internal Databases for 6.1”.

To migrate the 6.1 (SP4) internal databases to the new Certificate System 7.3 server, do the following:

  1. Log into the new CA server hosting server.example.com as the Certificate System user, and export the new internal database content to LDIF using the db2ldif tool.

    cd /opt/redhat-ds/slapd-DS-instance/db/server.example.com-rhpki-ca-db
    
    db2ldif -n server.example.com-rhpki-ca
    

    The LDIF file location is given when the export from the database is finished.

    ldif file: /opt/redhat-ds/slapd-DS-instance/ldif/2005_06_07_874021.ldif
    
  2. Open the given LDIF location, and rename the LDIF file to new.ldif.

    cd /opt/redhat-ds/slapd-DS-instance/ldif
    
    mv 2005_06_07_874021.ldif new.ldif
    
  3. Copy the latest version of the migration utility from the new Certificate System to the old server.

    Since the Certificate System migration utility is platform independent, always use the latest version of the migration utility on both server installations. The latest migration tools are available in the /usr/share/rhpki/migrate directory of the new server instance.

    1. Open the migration tools directory.

      cd /usr/share/rhpki
      

    2. Package the latest version of the migration utility using zip or tar.

      tar -cvf migrate.tar migrate
      

      NOTE

      Regardless of the packaging tool used, the corresponding tool must be present on the old server machine. If the platforms are identical and the zip utility is used, copy the unzip utility to the /usr/netscape/servers/bin/cert/ directory so that the zip and unzip versions match.

    3. Copy the package from the new server to the old server, then remove the package from the new server.

      cp /usr/share/rhpki/migrate.tar /usr/netscape/servers/bin/cert
      
      rm /usr/share/rhpki/migrate.tar
      

    4. Log into the old server hosting alpha.example.com as the Certificate System user, and open the Certificate System bin/cert/ directory.

      cd /usr/netscape/servers/bin/cert
      

    5. Log into alpha.example.com as root, and set the file user and group to the old Certificate Management System user and group.

      su
      chown cmsuser:cmsgroup migrate.tar
      

    6. Log out as root. As the Certificate System user, change the permissions on the file.

      chmod 00600 migrate.tar
      

    7. Since the old Certificate Management System migration utility will not be used, remove the old upgrade/ directory.

      rm -rf /usr/netscape/servers/bin/cert/upgrade
      

    8. Unpackage the latest version of the migration utility using unzip or tar.

      tar -xvf migrate.tar
      

    9. Remove the migration utility package and any additional utilities, such as the unzip utility, that were copied to the old Certificate System server.

      rm migrate.tar
      

  4. Run the db2ldif command to export the database contents to LDIF.

    cd /usr/netscape/servers/slapd-ca-db
    
    db2ldif -n userRoot
    

    The LDIF file location is shown when the export from the database is complete.

    ldif file: /usr/netscape/servers/slapd-ca-db/ldif/2005_06_07_439837.ldif
    
  5. Open the given LDIF location, and rename the LDIF file to old.ldif.

    cd /usr/netscape/servers/slapd-ca-db/ldif
    
    mv 2005_06_07_439837.ldif old.ldif
    

  6. Adjust the LDIF content of old.ldif.

    NOTE

    In this example, the LDIF file is relatively small, so any text editor works. For large files, use an appropriate program.

    1. Open the 6.1 CA database directory.

      cd /usr/netscape/servers/slapd-ca-db/ldif
      

    2. Replace the following entry with the one in new.ldif.

      cn=aclResources,o=CertificateServer
      

    3. Add new groups for the security domains.

      cn=Security Domain Administrators,ou=groups,basedn
      cn=Enterprise CA Administrators,ou=groups,basedn
      cn=Enterprise KRA Administrators,ou=groups,basedn
      cn=Enterprise OCSP Administrators,ou=groups,basedn
      cn=Enterprise TKS Administrators,ou=groups,basedn
      cn=Enterprise TPS Administrators,ou=groups,basedn

  7. Convert the old.ldif file to a text file.

    1. Open the version-to-text directory in the 6.1 server's migrate/ directory.

      cd /usr/netscape/servers/bin/cert/migrate/61ToTxt
      

    2. Edit the run.sh script by uncommenting and setting the values for the following lines:

      • SERVER_ROOT=/usr/netscape/servers

      • export SERVER_ROOT

      • INSTANCE=ca

      • export INSTANCE

    3. Run run.sh to use the old.ldif file to create a text file.

      run.sh /usr/netscape/servers/slapd-ca-db/ldif/old.ldif > \
        /usr/netscape/servers/slapd-ca-db/ldif/old.txt
      

  8. Open the old CA LDIF directory, and copy the old.txt file to the new CA server instance's internal database LDIF directory.

    cd /usr/netscape/servers/slapd-ca-db/ldif
    
    cp /usr/netscape/servers/slapd-ca-db/ldif/old.txt \
      /opt/redhat-ds/slapd-DS-instance/ldif
    

  9. Log into the new CA server hosting server.example.com as the Certificate System user, and open the Certificate System ldif/ directory.

    cd /opt/redhat-ds/slapd-DS-instance/ldif
    

  10. Log in as root, and set the file user and group to the Certificate System user and group.

    su
    
    chown pkiuser:pkiuser old.txt
    

  11. Log out as root. As the Certificate System user, change the permissions on the file.

    chmod 00600 old.txt
    

  12. Convert the old.txt file to LDIF.

    1. Open the text-to-version directory in the Red Hat Certificate System migration directory.

      cd /usr/share/rhpki/migrate/TxtTo72
      

    2. Edit the run.sh tool by uncommenting and setting the values for the following lines:

      • SERVER_ROOT=/var/lib

      • export SERVER_ROOT

      • INSTANCE=rhpki-ca

      • export INSTANCE

    3. Run run.sh to use old.txt to create an LDIF file.

      run.sh /opt/redhat-ds/slapd-DS-instance/ldif/old.txt > \
        /opt/redhat-ds/slapd-DS-instance/ldif/old.ldif
      

  13. Import the old.ldif LDIF file into this new CA server instance's internal database.

    1. Open the 7.3 CA database directory.

      cd /opt/redhat-ds/slapd-DS-instance/db
      

    2. Import the 6.1 LDIF file into the 7.3 database.

      ldif2db -n server.example.com-rhpki-ca \
        -i /opt/redhat-ds/slapd-DS-instance/ldif/old.ldif
      

    3. Force the virtual list views (VLV) indexes to be re-indexed.

      db2index
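
The hand edits in step 6 are easy to get wrong, so it helps to check old.ldif for the aclResources entry and the six security domain groups before converting and importing it. The following is an added example, not part of the original guide or of the Certificate System tools. The function names, the o=example base DN in the constructed sample, and the 0600 mode requirement on old.ldif (the procedure sets that mode only on old.txt) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Certificate System migration tools.

# ldif_dns FILE: print every entry DN in FILE, one per line, lower-cased and
# with spaces after commas removed. LDIF continuation lines (a leading single
# space) are unfolded first. Base64 "dn::" values are not decoded.
ldif_dns() {
    awk '
        function emit(l) {
            if (tolower(l) ~ /^dn: /) {
                l = tolower(substr(l, 5)); gsub(/, +/, ",", l); print l
            }
        }
        /^ / { buf = buf substr($0, 2); next }
        { emit(buf); buf = $0 }
        END { emit(buf) }
    ' "$1"
}

# check_old_ldif FILE BASEDN: return 0 only if FILE is mode 0600 (assumption:
# same mode the procedure sets on old.txt) and holds every entry from step 6.
check_old_ldif() {
    file=$1 rc=0
    basedn=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/, */,/g')
    dns=$(ldif_dns "$file")
    fail() { echo "check_old_ldif: $*" >&2; rc=1; }
    need() { printf '%s\n' "$dns" | grep -qxF "$1" || fail "missing entry: $1"; }
    [ -n "$(find "$file" -prune -perm 600)" ] || fail "$file is not mode 0600"
    need "cn=aclresources,o=certificateserver"
    for role in "security domain" "enterprise ca" "enterprise kra" \
                "enterprise ocsp" "enterprise tks" "enterprise tps"; do
        need "cn=$role administrators,ou=groups,$basedn"
    done
    return "$rc"
}

# Constructed sample (not real CA data); the TPS group DN is folded in two.
sample_ldif() {
    printf 'dn: cn=aclResources,o=CertificateServer\ncn: aclResources\n\n'
    for role in "Security Domain" "Enterprise CA" "Enterprise KRA" \
                "Enterprise OCSP" "Enterprise TKS"; do
        printf 'dn: cn=%s Administrators,ou=groups, o=example\n\n' "$role"
    done
    printf 'dn: cn=Enterprise TPS Adminis\n trators,ou=groups,o=example\n\n'
}
```

Call check_old_ldif with the path to old.ldif and the instance's base DN; a non-zero return lists each missing entry on standard error.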