Chapter 21. Upgrading the Database

21.1. Upgrading the Database from 9.0 to 9.1

After you upgraded the packages and configuration files, you must manually upgrade the database schema and subsystem databases for every Certificate System instance.

21.1.1. Upgrading the Database Schema

To upgrade the Certificate System database schema in Directory Server:
# ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( realm-oid NAME 'realm' DESC 'CMS defined attribute'
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )

dn: cn=schema
changetype: modify
delete: objectClasses
objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class'
 SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $ dateOfModify
 $ requestState $ requestResult $ requestOwner $ requestAgentGroup
 $ requestSourceId $ requestType $ requestFlag $ requestError
 $ userMessages $ adminMessages ) X-ORIGIN 'user defined' )

add: objectClasses
objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class'
 SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $ dateOfModify
 $ requestState $ requestResult $ requestOwner $ requestAgentGroup
 $ requestSourceId $ requestType $ requestFlag $ requestError
 $ userMessages $ adminMessages $ realm ) X-ORIGIN 'user defined' )

dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( authorityID-oid NAME 'authorityID' DESC 'Authority ID'
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN
 'user defined' )
attributeTypes: ( authorityKeyNickname-oid NAME 'authorityKeyNickname'
 DESC 'Authority key nickname' SYNTAX 1.3.6.1.4.1.1466.115.121.1.44
 SINGLE-VALUE X-ORIGIN 'user-defined' )
attributeTypes: ( authorityParentID-oid NAME 'authorityParentID' DESC
 'Authority Parent ID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE
 X-ORIGIN 'user defined' )
attributeTypes: ( authorityEnabled-oid NAME 'authorityEnabled' DESC
 'Authority Enabled' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE
 X-ORIGIN 'user defined' )
attributeTypes: ( authorityDN-oid NAME 'authorityDN' DESC 'Authority DN'
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN
 'user defined' )
attributeTypes: ( authoritySerial-oid NAME 'authoritySerial' DESC
 'Authority certificate serial number' SYNTAX
 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( authorityParentDN-oid
 NAME 'authorityParentDN' DESC 'Authority Parent DN' SYNTAX
 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( authorityKeyHost-oid NAME 'authorityKeyHost' DESC
 'Authority Key Hosts' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN
 'user defined' )

dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( authority-oid NAME 'authority' DESC
 'Certificate Authority' SUP top STRUCTURAL MUST ( cn $ authorityID
 $ authorityKeyNickname $ authorityEnabled $ authorityDN ) MAY
 ( authoritySerial $ authorityParentID $ authorityParentDN
 $ authorityKeyHost $ description ) X-ORIGIN 'user defined' )

21.1.2. Upgrading the CA Database

To upgrade the certificate authority (CA) database:
  1. Upgrade the container entries:
    # ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x
    dn: ou=authorities,ou=ca,CA_base_DN
    changetype: add
    objectClass: top
    objectClass: organizationalUnit
    ou: authorities
  2. Upgrade the access control list (ACL) entries:
    # ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x
    dn: cn=aclResources,CA_base_DN
    changetype: modify
    add: resourceACLS
    resourceACLS: certServer.ca.authorities:list,read:allow (list,read)
      user="anybody":Anybody may list and read lightweight authorities
    resourceACLS: certServer.ca.authorities:create,modify:allow (create,modify)
      group="Administrators":Administrators may create and modify lightweight authorities
    resourceACLS: certServer.ca.authorities:delete:allow (delete)
      group="Administrators":Administrators may delete lightweight authorities
  3. Upgrade the database indexes:
    # ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x
    dn: cn=issuername,cn=index,cn=CA_database_name,cn=ldbm database,
     cn=plugins, cn=config
    changetype: add
    objectClass: top
    objectClass: nsIndex
    nsindexType: eq
    nsindexType: pres
    nsindexType: sub
    nsSystemindex: false
    cn: issuername
  4. Add the realm attribute:
    # ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x
    dn: cn=schema
    changetype: modify
    add: attributeTypes
    attributeTypes: ( realm-oid NAME 'realm' DESC 'CMS defined attribute'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
    
    delete: objectClasses
    objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class'
     SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $
     dateOfModify $ requestState $ requestResult $ requestOwner $
     requestAgentGroup $ requestSourceId $ requestType $ requestFlag $
     requestError $ userMessages $ adminMessages ) X-ORIGIN 'user defined' )
    
    add: objectClasses
    objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class'
     SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $
     dateOfModify $ requestState $ requestResult $ requestOwner $
     requestAgentGroup $ requestSourceId $ requestType $ requestFlag $
     requestError $ userMessages $ adminMessages $ realm ) X-ORIGIN 'user
     defined' )
  5. Remove the certificate validity delay:
    1. In the /var/lib/pki/instance_name/ca/profiles/ca/caDualCert.cfg file, set:
      policyset.signingCertSet.2.default.params.startTime=0
    2. In the /var/lib/pki/instance_name/ca/profiles/ca/caECDualCert.cfg file, set:
      policyset.signingCertSet.2.default.params.startTime=0
    3. In the /var/lib/pki/instance_name/ca/profiles/ca/caDualCert.cfg file, set:
      policyset.signingCertSet.2.default.params.startTime=0
    4. In the /var/lib/pki/instance_name/ca/profiles/ca/caJarSigningCert.cfg file, set:
      policyset.caJarSigningSet.2.default.params.startTime=0
    5. In the /var/lib/pki/instance_name/ca/profiles/ca/caSignedLogCert.cfg file, set:
      policyset.caLogSigningSet.2.default.params.startTime=0
  6. Add the issuerName attribute to certificate records:
    # pki-server db-upgrade
  7. Update the attribute syntax to allow underscores in instance names:
    # ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x
    dn: cn=schema
    changetype: modify
    delete: objectClasses
    objectClasses: ( authority-oid NAME 'authority' DESC 'Certificate
     Authority' SUP top STRUCTURAL MUST ( cn $ authorityID
     $ authorityKeyNickname $ authorityEnabled $ authorityDN ) MAY
     ( authoritySerial $ authorityParentID $ authorityParentDN $
     authorityKeyHost $ description ) X-ORIGIN 'user defined' )
    
    delete: attributeTypes
    attributeTypes: ( authorityKeyNickname-oid NAME
     'authorityKeyNickname' DESC 'Authority key nickname' SYNTAX
     1.3.6.1.4.1.1466.115.121.1.44 SINGLE-VALUE X-ORIGIN
     'user-defined' )
    
    add: attributeTypes
    attributeTypes: ( authorityKeyNickname-oid NAME
     'authorityKeyNickname' DESC 'Authority key nickname'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE
     X-ORIGIN 'user-defined' )
    
    add: objectClasses
    objectClasses: ( authority-oid NAME 'authority' DESC
     'Certificate Authority' SUP top STRUCTURAL MUST ( cn
     $ authorityID $ authorityKeyNickname $ authorityEnabled
     $ authorityDN ) MAY ( authoritySerial $ authorityParentID
     $ authorityParentDN $ authorityKeyHost $ description )
     X-ORIGIN 'user defined' )

21.1.3. Upgrading the KRA database

To update the key recovery authority (KRA) database:
  1. Upgrade the database indexes:
    # ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x
    dn: cn=realm,cn=index,cn=KRA_database_name,cn=ldbm database,
     cn=plugins,cn=config
    changetype: add
    objectClass: top
    objectClass: nsIndex
    nsindexType: eq
    nsindexType: pres
    nsSystemindex: false
    cn: realm
  2. Add the realm attribute:
    # ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x
    dn: cn=schema
    changetype: modify
    add: attributeTypes
    attributeTypes: ( realm-oid NAME 'realm' DESC 'CMS defined attribute'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
    
    delete: objectClasses
    objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class'
     SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $
     dateOfModify $ requestState $ requestResult $ requestOwner $
     requestAgentGroup $ requestSourceId $ requestType $ requestFlag $
     requestError $ userMessages $ adminMessages ) X-ORIGIN 'user defined' )
    
    add: objectClasses
     objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class'
     SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $
     dateOfModify $ requestState $ requestResult $ requestOwner $
     requestAgentGroup $ requestSourceId $ requestType $ requestFlag $
     requestError $ userMessages $ adminMessages $ realm ) X-ORIGIN 'user
     defined' )
    
    delete: objectClasses
    objectClasses: ( keyRecord-oid NAME 'keyRecord' DESC 'CMS defined
     class' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $
     dateOfModify $ keyState $ privateKeyData $ ownerName $ keySize $
     metaInfo $ dateOfArchival $ dateOfRecovery $ algorithm $
     publicKeyFormat $ publicKeyData $ archivedBy $ clientId $ dataType $
     status ) X-ORIGIN 'user defined' )
    
    add: objectClasses
    objectClasses: ( keyRecord-oid NAME 'keyRecord' DESC 'CMS defined
     class' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $
     dateOfModify $ keyState $ privateKeyData $ ownerName $ keySize $
     metaInfo $ dateOfArchival $ dateOfRecovery $ algorithm $
     publicKeyFormat $ publicKeyData $ archivedBy $ clientId $ dataType $
     status $ realm ) X-ORIGIN 'user defined' )
  3. Update and re-index the virtual list views (VLV):
    1. Delete the existing indexes:
      # pki-server kra-db-vlv-del -i CS_instance_name -D DS_bind_DN \
           -w DS_bind_password
    2. Add the new indexes:
      # pki-server kra-db-vlv-add -i CS_instance_name -D DS_bind_DN \
           -w DS_bind_password
    3. Restart the Directory Server instance:
      # systemctl restart dirsrv@DS_instance_name
    4. Re-index the database:
      # pki-server kra-db-vlv-reindex -i CS_instance_name -D DS_bind_DN \
           -w DS_bind_password

21.1.4. Upgrading the TPS database

The token processing system (TPS) was a technology preview in Certificate System 9.0. Therefore, upgrading the TPS from this version is not supported.