Chapter 9. Step 6: Migrating Internal Databases
Every old Certificate System subsystem contains LDIF data in an associated internal database which must be migrated to the corresponding new Certificate System subsystem internal database. The procedure is the same for each subsystem type but is different between Certificate System versions.
Log into the Directory Server for the new Certificate System, and export the new internal database content to LDIF. The database name is in the internaldb.database parameter in the CS.cfg file.
cd /opt/redhat-ds/slapd-DS-instance/db
db2ldif -n server.example.com-rhpki-ca
The location and name of the created LDIF file is given when the database to LDIF conversion is complete.
ldif file: /opt/redhat-ds/slapd-DS-instance/ldif/dated_#_file.ldif
Go to the location listed, and rename the LDIF file new.ldif.
cd /opt/redhat-ds/slapd-DS-instance/ldif mvdated_#_file.ldif new.ldif
Copy the latest version of the migration utility from the new Certificate System to the old Certificate System.
The migration utility is available as an independent RPM, which can be downloaded through the Certificate System Red Hat Network channel. The migration utilities are installed in the directory /usr/share/rhpki/migrate.
cd /usr/share/rhpki
Package the latest version of the Certificate System migration utility zip or tar.
tar -cvf migrate.tar migrate
Regardless of the packaging tool used, the corresponding tool must be present on the old server machine. If the platforms are identical and the zip utility is used, copy the unzip utility to the old_server_root/bin/cert/zip and unzip versions match.
Copy the package from the new server to the old server, and delete the compressed file from the new server.
cp /usr/share/rhpki/migrate.tarold_server_root/bin/cert rm /usr/share/rhpki/migrate.tar
Log into the old server as the Certificate System user for that machine, and open the Certificate System bin/cert/ directory.
cdold_server_root/bin/cert
Log in as root, and set the file user and group to the Certificate System user and group.
su chownuser:groupmigrate.tar
Log out as root. As the Certificate System user, change the permissions on the file.
chmod 00600 migrate.tar
Unpackage the latest version of the Certificate System migration utility unzip or tar.
tar -xvf migrate.tar
Remove the migration utility package and any additional utilities, such as the unzip utility, that were copied to the old Certificate System server.
rm migrate.tar
Export the old internal database content to LDIF.
cdold_server_root/slapd-old_instance-db db2ldif
The location and name of the new LDIF file is shown when the database to LDIF conversion is complete.
ldif file:old_server_root/slapd-old_instance-db/ldif/dated_#_file.ldif
Go to the specified location, and rename the LDIF file old.ldif.
cdold_server_root/slapd-old_instance-db/ldif mvdated_#_file.ldif old.ldif
Adjust the LDIF content of old.ldif.
When using a text editor to perform the substitution, use an editor that supports file sizes greater than 2 to 4 Gb, such as vim, because some LDIF files may be larger that 4 Gb in some deployments.
Delete the first two entries in old.ldif which list the old domain name and the old LDAP port and domain name. For example:
Entry 1: dc=cert,dc=redhat,dc=com Entry 2: cn=ldap://:38900,dc=cert,dc=redhat,dc=com
Replace the following entry with the value for internaldb.basedn parameter in the CS.cfg file. For example:
cn=aclResource,dc=server.example.com-rhpki-ca
Add new groups for the the security domains.
cn=Security Domain Administrators,ou=groups,basedncn=Enterprise CA Administrators,ou=groups,basedncn=Enterprise KRA Administrators,ou=groups,basedncn=Enterprise OCSP Administrators,ou=groups,basedncn=Enterprise TKS Administrators,ou=groups,basedncn=Enterprise TPS Administrators,ou=groups,basedn
Convert the old.ldif file into a text file.
Open the version to text directory in the migration directory.
cdold_server_root/bin/cert/migrate/41ToTxt
In the run.sh file, uncomment and give the values for the following lines:
SERVER_ROOT=
old_server_root
export SERVER_ROOT
INSTANCE=old_instance
export INSTANCE
Run run.sh. The old.ldif file is directed to create the old.txt file.
run.shold_server_root/slapd-old_instance-db/ldif/old.ldif >old_server_root/slapd-old_instance-db/ldif/old.txt
Open the old LDIF directory, and copy the old.txt file into the new Certificate System server instance internal database LDIF directory.
cdold_server_root/slapd-old_instance-db/ldif cpold_server_root/slapd-old_instance-db/ldif/old.txt /opt/redhat-ds/slapd-DS-instance/ldif
Log into the new server as the Certificate System user, and open the Certificate System ldif/ directory.
cd /opt/redhat-ds/slapd-DS-instance/ldif
Log in as root, and set the file user and group to the Certificate System user and group.
su chownuser:groupold.txt
Log out as root. As the Certificate System user, change the permissions on the file.
chmod 00600 old.txt
Convert the old.txt file to an LDIF file compatible with the new server instance.
Open the version to text directory in the migration directory of the new server.
cd /usr/share/rhpki/migrate/TxtTo72
In the run.sh file, uncomment the following lines, and set the new server values. For example:
SERVER_ROOT=/var/lib
export SERVER_ROOT
INSTANCE=rhpki-ca
export INSTANCE
Run the run.sh tool. The old.txt is directed to create old.ldif.
run.sh /opt/redhat-ds/slapd-DS-instance/ldif/old.txt >
/opt/redhat-ds/slapd-DS-instance/ldif/old.ldif
Import the old.ldif LDIF file into the new Certificate System instance internal database.
Open the new Certificate System database directory.
cd /opt/redhat-ds/slapd-DS-instance/db
Run the ldif2db command to import the LDIF file into the database. The internal database name for the Certificate System instance is in the internaldb.database parameter in the CS.cfg file. For example:
ldif2db -n server.example.com-rhpki-ca
-i /opt/redhat-ds/slapd-DS-instance/ldif/old.ldif
Force the virtual list views (VLV) indexes to be re-indexed.
db2index