Chapter 21. Upgrading the Database

21.1. Upgrading the Database from 9.0 to 9.1

After you have upgraded the packages and configuration files, you must manually upgrade the database schema and the subsystem databases of every Certificate System instance.

21.1.1. Upgrading the Database Schema

To upgrade the Certificate System database schema in Directory Server:
# ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( realm-oid NAME 'realm' DESC 'CMS defined attribute'
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )

dn: cn=schema
changetype: modify
delete: objectClasses
objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class'
 SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $ dateOfModify
 $ requestState $ requestResult $ requestOwner $ requestAgentGroup
 $ requestSourceId $ requestType $ requestFlag $ requestError
 $ userMessages $ adminMessages ) X-ORIGIN 'user defined' )
-
add: objectClasses
objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class'
 SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $ dateOfModify
 $ requestState $ requestResult $ requestOwner $ requestAgentGroup
 $ requestSourceId $ requestType $ requestFlag $ requestError
 $ userMessages $ adminMessages $ realm ) X-ORIGIN 'user defined' )

dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( authorityID-oid NAME 'authorityID' DESC 'Authority ID'
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN
 'user defined' )
attributeTypes: ( authorityKeyNickname-oid NAME 'authorityKeyNickname'
 DESC 'Authority key nickname' SYNTAX 1.3.6.1.4.1.1466.115.121.1.44
 SINGLE-VALUE X-ORIGIN 'user-defined' )
attributeTypes: ( authorityParentID-oid NAME 'authorityParentID' DESC
 'Authority Parent ID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE
 X-ORIGIN 'user defined' )
attributeTypes: ( authorityEnabled-oid NAME 'authorityEnabled' DESC
 'Authority Enabled' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE
 X-ORIGIN 'user defined' )
attributeTypes: ( authorityDN-oid NAME 'authorityDN' DESC 'Authority DN'
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN
 'user defined' )
attributeTypes: ( authoritySerial-oid NAME 'authoritySerial' DESC
 'Authority certificate serial number' SYNTAX
 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( authorityParentDN-oid
 NAME 'authorityParentDN' DESC 'Authority Parent DN' SYNTAX
 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( authorityKeyHost-oid NAME 'authorityKeyHost' DESC
 'Authority Key Hosts' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN
 'user defined' )

dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( authority-oid NAME 'authority' DESC
 'Certificate Authority' SUP top STRUCTURAL MUST ( cn $ authorityID
 $ authorityKeyNickname $ authorityEnabled $ authorityDN ) MAY
 ( authoritySerial $ authorityParentID $ authorityParentDN
 $ authorityKeyHost $ description ) X-ORIGIN 'user defined' )

21.1.2. Upgrading the CA Database

To upgrade the certificate authority (CA) database:
  1. Upgrade the container entries:
    # ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x
    dn: ou=authorities,ou=ca,CA_base_DN
    changetype: add
    objectClass: top
    objectClass: organizationalUnit
    ou: authorities
  2. Upgrade the access control list (ACL) entries:
    # ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x
    dn: cn=aclResources,CA_base_DN
    changetype: modify
    add: resourceACLS
    resourceACLS: certServer.ca.authorities:list,read:allow (list,read)
      user="anybody":Anybody may list and read lightweight authorities
    resourceACLS: certServer.ca.authorities:create,modify:allow (create,modify)
      group="Administrators":Administrators may create and modify lightweight authorities
    resourceACLS: certServer.ca.authorities:delete:allow (delete)
      group="Administrators":Administrators may delete lightweight authorities
  3. Upgrade the database indexes:
    # ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x
    dn: cn=issuername,cn=index,cn=CA_database_name,cn=ldbm database,
     cn=plugins,cn=config
    changetype: add
    objectClass: top
    objectClass: nsIndex
    nsindexType: eq
    nsindexType: pres
    nsindexType: sub
    nsSystemindex: false
    cn: issuername
  4. Add the realm attribute:
    # ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x
    dn: cn=schema
    changetype: modify
    add: attributeTypes
    attributeTypes: ( realm-oid NAME 'realm' DESC 'CMS defined attribute'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
    -
    delete: objectClasses
    objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class'
     SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $
     dateOfModify $ requestState $ requestResult $ requestOwner $
     requestAgentGroup $ requestSourceId $ requestType $ requestFlag $
     requestError $ userMessages $ adminMessages ) X-ORIGIN 'user defined' )
    -
    add: objectClasses
    objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class'
     SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $
     dateOfModify $ requestState $ requestResult $ requestOwner $
     requestAgentGroup $ requestSourceId $ requestType $ requestFlag $
     requestError $ userMessages $ adminMessages $ realm ) X-ORIGIN 'user
     defined' )
  5. Remove the certificate validity delay:
    1. In the /var/lib/pki/instance_name/ca/profiles/ca/caDualCert.cfg file, set:
      policyset.signingCertSet.2.default.params.startTime=0
    2. In the /var/lib/pki/instance_name/ca/profiles/ca/caECDualCert.cfg file, set:
      policyset.signingCertSet.2.default.params.startTime=0
    3. In the /var/lib/pki/instance_name/ca/profiles/ca/caDualCert.cfg file, set:
      policyset.signingCertSet.2.default.params.startTime=0
    4. In the /var/lib/pki/instance_name/ca/profiles/ca/caJarSigningCert.cfg file, set:
      policyset.caJarSigningSet.2.default.params.startTime=0
    5. In the /var/lib/pki/instance_name/ca/profiles/ca/caSignedLogCert.cfg file, set:
      policyset.caLogSigningSet.2.default.params.startTime=0
  6. Add the issuerName attribute to certificate records:
    # pki-server db-upgrade
  7. Update the attribute syntax to allow underscores in instance names:
    # ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x
    dn: cn=schema
    changetype: modify
    delete: objectClasses
    objectClasses: ( authority-oid NAME 'authority' DESC 'Certificate
     Authority' SUP top STRUCTURAL MUST ( cn $ authorityID
     $ authorityKeyNickname $ authorityEnabled $ authorityDN ) MAY
     ( authoritySerial $ authorityParentID $ authorityParentDN $
     authorityKeyHost $ description ) X-ORIGIN 'user defined' )
    -
    delete: attributeTypes
    attributeTypes: ( authorityKeyNickname-oid NAME
     'authorityKeyNickname' DESC 'Authority key nickname' SYNTAX
     1.3.6.1.4.1.1466.115.121.1.44 SINGLE-VALUE X-ORIGIN
     'user-defined' )
    -
    add: attributeTypes
    attributeTypes: ( authorityKeyNickname-oid NAME
     'authorityKeyNickname' DESC 'Authority key nickname'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE
     X-ORIGIN 'user-defined' )
    -
    add: objectClasses
    objectClasses: ( authority-oid NAME 'authority' DESC
     'Certificate Authority' SUP top STRUCTURAL MUST ( cn
     $ authorityID $ authorityKeyNickname $ authorityEnabled
     $ authorityDN ) MAY ( authoritySerial $ authorityParentID
     $ authorityParentDN $ authorityKeyHost $ description )
     X-ORIGIN 'user defined' )

21.1.3. Upgrading the KRA Database

To upgrade the key recovery authority (KRA) database:
  1. Upgrade the database indexes:
    # ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x
    dn: cn=realm,cn=index,cn=KRA_database_name,cn=ldbm database,
     cn=plugins,cn=config
    changetype: add
    objectClass: top
    objectClass: nsIndex
    nsindexType: eq
    nsindexType: pres
    nsSystemindex: false
    cn: realm
  2. Add the realm attribute:
    # ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x
    dn: cn=schema
    changetype: modify
    add: attributeTypes
    attributeTypes: ( realm-oid NAME 'realm' DESC 'CMS defined attribute'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
    -
    delete: objectClasses
    objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class'
     SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $
     dateOfModify $ requestState $ requestResult $ requestOwner $
     requestAgentGroup $ requestSourceId $ requestType $ requestFlag $
     requestError $ userMessages $ adminMessages ) X-ORIGIN 'user defined' )
    -
    add: objectClasses
    objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class'
     SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $
     dateOfModify $ requestState $ requestResult $ requestOwner $
     requestAgentGroup $ requestSourceId $ requestType $ requestFlag $
     requestError $ userMessages $ adminMessages $ realm ) X-ORIGIN 'user
     defined' )
    -
    delete: objectClasses
    objectClasses: ( keyRecord-oid NAME 'keyRecord' DESC 'CMS defined
     class' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $
     dateOfModify $ keyState $ privateKeyData $ ownerName $ keySize $
     metaInfo $ dateOfArchival $ dateOfRecovery $ algorithm $
     publicKeyFormat $ publicKeyData $ archivedBy $ clientId $ dataType $
     status ) X-ORIGIN 'user defined' )
    -
    add: objectClasses
    objectClasses: ( keyRecord-oid NAME 'keyRecord' DESC 'CMS defined
     class' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $
     dateOfModify $ keyState $ privateKeyData $ ownerName $ keySize $
     metaInfo $ dateOfArchival $ dateOfRecovery $ algorithm $
     publicKeyFormat $ publicKeyData $ archivedBy $ clientId $ dataType $
     status $ realm ) X-ORIGIN 'user defined' )
  3. Update and re-index the virtual list views (VLV):
    1. Delete the existing indexes:
      # pki-server kra-db-vlv-del -i CS_instance_name -D DS_bind_DN \
           -w DS_bind_password
    2. Add the new indexes:
      # pki-server kra-db-vlv-add -i CS_instance_name -D DS_bind_DN \
           -w DS_bind_password
    3. Restart the Directory Server instance:
      # systemctl restart dirsrv@DS_instance_name
    4. Re-index the database:
      # pki-server kra-db-vlv-reindex -i CS_instance_name -D DS_bind_DN \
           -w DS_bind_password
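A post-upgrade check for the schema changes in 21.1.1 through 21.1.3, written for this page as an added example (it is not Red Hat's code and not part of pki-server). It assumes the CA and KRA share one Directory Server instance (otherwise run it per instance against the relevant subset) and takes the attributeTypes and objectClasses values that `ldapsearch -x -D "cn=Directory Manager" -W -h server.example.com -p 389 -b cn=schema -s base attributeTypes objectClasses` returns; the embedded sample output is constructed.

```python
import re
# Constructed sample of `ldapsearch -b cn=schema -s base` output after the upgrade (the
# first space of each continuation line is the LDIF fold marker, not part of the value).
SAMPLE_SCHEMA = """\
attributeTypes: ( realm-oid NAME 'realm' DESC 'CMS defined attribute'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
attributeTypes: ( authorityKeyNickname-oid NAME 'authorityKeyNickname' DESC
  'Authority key nickname' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectClasses: ( request-oid NAME 'request' SUP top STRUCTURAL MUST cn
  MAY ( requestId $ requestState $ realm ) X-ORIGIN 'user defined' )
objectClasses: ( keyRecord-oid NAME 'keyRecord' SUP top STRUCTURAL MUST cn
  MAY ( serialno $ keyState $ realm ) X-ORIGIN 'user defined' )
objectClasses: ( authority-oid NAME 'authority' SUP top STRUCTURAL MUST ( cn
  $ authorityID $ authorityKeyNickname $ authorityEnabled $ authorityDN ) )
"""

# 9.1 requirements: attribute -> SYNTAX OID (IA5String for authorityKeyNickname after
# CA step 7); objectClass -> attributes that must appear in its MUST or MAY list.
EXPECTED_SYNTAX = {"realm": "1.3.6.1.4.1.1466.115.121.1.15",
                   "authorityKeyNickname": "1.3.6.1.4.1.1466.115.121.1.26"}
EXPECTED_MEMBERS = {"request": {"realm"}, "keyRecord": {"realm"},
                    "authority": {"authorityID", "authorityKeyNickname", "authorityEnabled", "authorityDN"}}

def parse_schema(ldif):
    """Unfold LDIF and return ({attrName: syntaxOID}, {className: {member attrs}})."""
    lines, attrs, classes = [], {}, {}
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                      # join a folded continuation line
        else:
            lines.append(raw)
    for line in lines:
        kind, _, value = line.partition(": ")
        name = re.search(r"NAME '([^']+)'", value)
        if kind == "attributeTypes" and name:        # "|$" yields None for SUP-derived syntax
            attrs[name.group(1)] = re.search(r"SYNTAX (\d[\d.]*)|$", value).group(1)
        elif kind == "objectClasses" and name:
            # MUST/MAY members, written either as "MUST cn" or as "MUST ( a $ b )"
            parts = re.findall(r"(?:MUST|MAY) (?:\( ([^)]*) \)|(\w+))", value)
            classes[name.group(1)] = {a.strip() for g in parts for a in (g[0] or g[1]).split("$")}
    return attrs, classes

def missing_definitions(ldif):
    """List 9.1 schema elements that are absent or wrong; an empty list means upgraded."""
    attrs, classes = parse_schema(ldif)
    problems = [f"attributeType {n}: want SYNTAX {s}, got {attrs.get(n)}"
                for n, s in EXPECTED_SYNTAX.items() if attrs.get(n) != s]
    problems += [f"objectClass {n}: lacks {sorted(m - classes.get(n, set()))}"
                 for n, m in EXPECTED_MEMBERS.items() if m - classes.get(n, set())]
    return problems
```

Feed the real ldapsearch output to missing_definitions() after the ldapmodify steps; any entry it returns names a schema change that did not land.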

21.1.4. Upgrading the TPS Database

The token processing system (TPS) was a technology preview in Certificate System 9.0. Therefore, upgrading the TPS from this version is not supported.