9.2. Migrating Internal Databases for 4.2
Log into the Directory Server for the new Certificate System, and export the new internal database content to LDIF. The internal database name for the Certificate System instance is in the internaldb.database parameter in the CS.cfg file. For example:
cd /opt/redhat-ds/slapd-DS-instance/db
./db2ldif -n server.example.com-rhpki-ca
The location and name of the LDIF file is shown once the conversion from the database to LDIF is complete.
ldif file: /opt/redhat-ds/slapd-DS-instance/ldif/dated_#_file.ldif
Open the LDIF file directory, and rename the LDIF file new.ldif.
cd /opt/redhat-ds/slapd-DS-instance/ldif
mv dated_#_file.ldif new.ldif
The migration utility is available as an independent RPM, which can be downloaded through the Certificate System Red Hat Network channel. The migration utilities are installed in the directory /usr/share/rhpki/migrate.
cd /usr/share/rhpki
Package the latest version of the migration utility using zip or tar. Create the archive from the parent directory, so that it unpacks as a migrate/ directory on the old server.
tar -cvf migrate.tar migrate
Regardless of the packaging tool used, the matching tool must be present on the old server. If the platforms are identical and zip was used, copy the unzip utility to the old_server_root/bin/cert/ directory so that the zip and unzip versions match.
Copy the package (migrate.zip or migrate.tar) from the new server to the old server over a secure channel such as scp, compare a checksum of the copy with the original before unpacking it, and then remove the package from the new server.
For zip:
cp /usr/share/rhpki/migrate.zip old_server_root/bin/cert
For tar:
cp /usr/share/rhpki/migrate.tar old_server_root/bin/cert
rm /usr/share/rhpki/migrate.tar
Log into the old server as the Certificate System user for that machine, and open the Certificate System bin/cert/ directory.
cd old_server_root/bin/cert
Log in as root, and set the file user and group to the Certificate System user and group.
su
chown user:group migrate.tar
Log out as root. As the Certificate System user, restrict the permissions on the file so that only that user can read it.
chmod 00600 migrate.tar
Unpackage the latest version of the migration utility using unzip or tar.
tar -xvf migrate.tar
Remove the package and any additional utilities, such as the unzip utility, that have been copied to the old Certificate System server.
rm migrate.tar
Run the db2ldif command to export the database contents to LDIF.
cd old_server_root/slapd-old_instance-db
./db2ldif
The location and name of the LDIF file is shown once the conversion from the database to LDIF is complete.
ldif file: old_server_root/slapd-old_instance-db/ldif/dated_#_file.ldif
Open the given location, and rename the LDIF file old.ldif.
cd old_server_root/slapd-old_instance-db/ldif
mv dated_#_file.ldif old.ldif
Adjust the content of old.ldif.
If the substitutions are made with a text editor rather than a script, use an editor that can handle files larger than 2 GB, such as vim, because in some deployments the LDIF export exceeds that size.
Delete the first two entries in old.ldif, which hold the old machine's domain name and the LDAP port number and domain:
Entry 1: dc=cert,dc=redhat,dc=com
Entry 2: cn=ldap://:38900,dc=cert,dc=redhat,dc=com
Replace the base DN of the following entry (the suffix after cn=aclResources) with the value of the new instance's internaldb.basedn parameter, as it appears in the entries of new.ldif:
cn=aclResources,dc=server.example.com-rhpki-ca
Add new groups for the security domains, where basedn is that same internaldb.basedn value:
cn=Security Domain Administrators,ou=groups,basedn
cn=Enterprise CA Administrators,ou=groups,basedn
cn=Enterprise KRA Administrators,ou=groups,basedn
cn=Enterprise OCSP Administrators,ou=groups,basedn
cn=Enterprise TKS Administrators,ou=groups,basedn
cn=Enterprise TPS Administrators,ou=groups,basedn
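The three edits above (drop the first two entries, swap the base DN suffix, add the security domain groups) can be made in one streaming pass instead of in an editor, which matters when old.ldif runs to several gigabytes. The script below is an added example written for this page, not a Certificate System utility. It assumes that the old base DN is dc=cert,dc=redhat,dc=com and the new internaldb.basedn is dc=server.example.com-rhpki-ca (both placeholders passed as arguments), that entries are separated by blank lines as db2ldif writes them, and that the new group entries use objectClass groupOfUniqueNames, which should be checked against an existing group entry in new.ldif before the import. The sample LDIF it builds is constructed for the test and is not a real export.

```shell
#!/bin/sh
# adjust_ldif.sh - added example for this page, not a Certificate System tool.
# Applies the manual old.ldif edits in one awk pass:
#   1. drops the first two entries (old base DN and the cn=ldap://... entry),
#   2. rewrites every DN suffix OLD_BASEDN -> NEW_BASEDN,
#   3. appends the security domain group entries under NEW_BASEDN.
#
# usage: adjust_ldif IN_LDIF OLD_BASEDN NEW_BASEDN OUT_LDIF
adjust_ldif() {
    in_ldif=$1; old_basedn=$2; new_basedn=$3; out_ldif=$4

    # Refuse to run unless the first entry really is the old base DN;
    # otherwise "delete the first two entries" would discard real data.
    first_dn=$(awk '/^dn: / { sub(/^dn: /, ""); print; exit }' "$in_ldif")
    if [ "$first_dn" != "$old_basedn" ]; then
        echo "adjust_ldif: first entry is '$first_dn', expected '$old_basedn'" >&2
        return 1
    fi

    # The export is sensitive (issued certificates, requests, ACLs, users):
    # create the output owner-readable only before anything is written to it.
    : > "$out_ldif" && chmod 600 "$out_ldif"

    awk -v old="$old_basedn" -v new="$new_basedn" '
        # paragraph mode: one LDIF entry per record, one line per field
        BEGIN { RS = ""; FS = "\n"; OFS = "\n"; ORS = "\n\n" }

        # skip the first two entries; a leading non-dn record such as
        # "version: 1" is passed through and not counted
        $1 ~ /^dn: / && ++ent <= 2 { next }

        {
            for (i = 1; i <= NF; i++) {
                line = $i
                # swap the suffix by position rather than by regex, so that
                # characters such as "." in the DN are taken literally; this
                # also covers DN-valued attributes such as uniqueMember
                if (length(line) > length(old) &&
                    substr(line, length(line) - length(old) + 1) == old)
                    $i = substr(line, 1, length(line) - length(old)) new
            }
            print
        }

        END {
            emit("Security Domain Administrators")
            n = split("CA KRA OCSP TKS TPS", sys, " ")
            for (i = 1; i <= n; i++) emit("Enterprise " sys[i] " Administrators")
        }

        # objectClass is assumed; match it to an existing group entry in new.ldif
        function emit(name) {
            print "dn: cn=" name ",ou=groups," new, "objectClass: top",
                  "objectClass: groupOfUniqueNames", "cn: " name
        }
    ' "$in_ldif" > "$out_ldif"
}

# Constructed sample export (not real db2ldif output) in the shape this
# section describes: base entry, cn=ldap:// entry, then ordinary entries.
make_sample_ldif() {
    cat > "$1" <<'EOF'
dn: dc=cert,dc=redhat,dc=com
objectClass: top
objectClass: domain
dc: cert

dn: cn=ldap://:38900,dc=cert,dc=redhat,dc=com
objectClass: top
objectClass: extensibleObject
cn: ldap://:38900

dn: cn=aclResources,dc=cert,dc=redhat,dc=com
objectClass: top
objectClass: CertACLS
cn: aclResources

dn: cn=Administrators,ou=groups,dc=cert,dc=redhat,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Administrators
uniqueMember: uid=admin,ou=people,dc=cert,dc=redhat,dc=com
EOF
}

# Example run on the constructed sample (base DNs are placeholders):
#   make_sample_ldif /tmp/old.ldif
#   adjust_ldif /tmp/old.ldif dc=cert,dc=redhat,dc=com \
#       dc=server.example.com-rhpki-ca /tmp/old.adjusted.ldif
```

Run it on the old server as the Certificate System user in place of the editor step, writing the adjusted file back to old.ldif before the 42ToTxt conversion. The output is created with mode 0600 because, like the export itself, it contains the CA's complete record set; delete both files once the new instance has imported the data.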
Convert the old.ldif file into a text file using the version to text utility in the migration directory.
Open the version to text directory in the migration directory on the old Certificate System.
cd old_server_root/bin/cert/migrate/42ToTxt
Edit the run.sh script; uncomment and set the values for the following lines:
SERVER_ROOT=old_server_root
export SERVER_ROOT
INSTANCE=old_instance
export INSTANCE
Run run.sh, which converts the LDIF file to a text file.
./run.sh old_server_root/slapd-old_instance-db/ldif/old.ldif > old_server_root/slapd-old_instance-db/ldif/old.txt
Open the old LDIF directory, and copy the old.txt file to the new Certificate System server instance internal database LDIF directory.
cd old_server_root/slapd-old_instance-db/ldif
cp old_server_root/slapd-old_instance-db/ldif/old.txt /opt/redhat-ds/slapd-DS-instance/ldif
Log into the new server as the Certificate System user, and open the Certificate System ldif/ directory.
cd /opt/redhat-ds/slapd-DS-instance/ldif
Log in as root, and set the file user and group to the Certificate System user and group.
su
chown user:group old.txt
Log out as root. As the Certificate System user, restrict the permissions on the file so that only that user can read it.
chmod 00600 old.txt
Convert the old.txt file back to LDIF.
Open the text to version directory in the migration directory.
cd /usr/share/rhpki/migrate/TxtTo73
Edit the run.sh script; uncomment and set the values for the following lines. For example:
SERVER_ROOT=/var/lib
export SERVER_ROOT
INSTANCE=rhpki-ca
export INSTANCE
Run the run.sh tool, which converts old.txt back to LDIF and writes the result to old.ldif.
./run.sh /opt/redhat-ds/slapd-DS-instance/ldif/old.txt > /opt/redhat-ds/slapd-DS-instance/ldif/old.ldif
Import the old.ldif LDIF file into the new Certificate System instance internal database.
Open the new Certificate System instance database directory.
cd /var/lib/instance_ID/slapd-instance_ID-db
Import the LDIF file into the new database using the ldif2db command. The internal database name for the Certificate System instance is in the internaldb.database parameter in the CS.cfg file. For example:
./ldif2db -n server.example.com-rhpki-ca -i /opt/redhat-ds/slapd-DS-instance/ldif/old.ldif
Force the virtual list views (VLV) indexes to be re-indexed.
./db2index