22.3. Importing the Data into the New CA

After finishing setting up the new CA in Section 22.2, “Setting up the CA on the New Host”, you can import the data to the Directory Server database:
  1. When migrating from a previous version, it can be necessary to manually clean up the LDAP data interchange format (LDIF) file. Before Red Hat Directory Server 10, syntax checking was disabled by default. Therefore, data from a previous version can include entries that are now invalid in Directory Server 10. For example:
    • Values of boolean attributes must be set either to TRUE or FALSE (all capitalized).


      Do not automatically update all occurrences to uppercase by using a search and replace utility. Some attributes in the LDIF file contain these strings, but are not using the boolean type. Updating these attributes' values can cause the import to fail. Typically, boolean attributes are only used in the cn=CAList,ou=Security Domain,CS_instance_name security domain database entries.
    • Empty strings must be removed. The Directory Server syntax validation does not allow to set empty strings.
      Empty strings often appear in userType and userState attributes in cmsUser entries in ou=People,CS_instance_name.
    During the import, other entries can fail, too. It is important to verify the log file after the database import. Optionally, you can import the LDIF file into a temporary, empty database to find out which entries caused the import to fail.
  2. Shut down the CA service:
    # systemctl stop pki-tomcatd@instance_name.service
  3. Optionally, back up the CA database on the new host:
    # db2bak
    The backup is stored in the /var/lib/dirsrv/instance_name/bak/host_name-time_stamp/ directory.
  4. Import the data into the new database. For example:
    # ldapmodify -h <hostname> -x -W -D 'cn=Directory Manager' -a -c -f /tmp/ds_bak/old_ca.ldif | \
         tee /root/import.log
    The ldapmodify utility only adds new entries and does not update existing entries, created when you installed the CA. For example:
    • Top level entries. For example: o=pki-tomcat-CA.
    • Default groups. For example: cn=Certificate Manager Agents,ou=groups,o=pki-tomcat-CA.
      Because the standard groups are not updated, the users are not automatically added to these groups. After the import, you must add members to each default group manually. See Section 22.4, “Reassigning Users to Default Groups”.
    • Default access control lists (ACL) for the CA.
    As mentioned earlier, Directory Server 10 uses syntax validation. Verify the output in the /root/import.log file and search for failed actions, such as ldap_add: Invalid syntax (21). For further details, see Step 1.
  5. Remove the directory entry for the old security domain. For example:
    # ldapmodify -W -x -D "cn=Directory Manager"
    dn: cn=server.example.com:9445,cn=CAList,ou=Security Domain,o=pki-tomcat-CA
    changetype: delete
  6. Enable the CA in the /etc/pki/instance_name/ca/CS.cfg file to act as the certificate revocation list (CRL) master:
  7. Restart the CA service:
    # systemctl start pki-tomcat@instance_name