22.3. Importing the Data into the New CA
1. When migrating from a previous version, it can be necessary to manually clean up the LDAP data interchange format (LDIF) file. Before Red Hat Directory Server 10, syntax checking was disabled by default. Therefore, data from a previous version can include entries that are now invalid in Directory Server 10. For example:

   - Values of boolean attributes must be set either to TRUE or FALSE.

     Important: Do not automatically update all occurrences to uppercase by using a search and replace utility. Some attributes in the LDIF file contain these strings but are not of the boolean type, and updating their values can cause the import to fail. Typically, boolean attributes are only used in the cn=CAList,ou=Security Domain,CS_instance_name security domain database entries.

   - Empty strings must be removed. The Directory Server syntax validation does not allow empty strings to be set. Empty strings often appear in

   During the import, other entries can fail, too. It is important to verify the log file after the database import. Optionally, you can import the LDIF file into a temporary, empty database to find out which entries cause the import to fail.
2. Shut down the CA service:

   # systemctl stop pki-tomcatd@instance_name.service
3. Optionally, back up the CA database on the new host:

   # db2bak

   The backup is stored in the
4. Import the data into the new database. For example:

   # ldapmodify -h <hostname> -x -W -D 'cn=Directory Manager' -a -c -f /tmp/ds_bak/old_ca.ldif | \
     tee /root/import.log

   The -a option adds the entries from the file, and -c continues after an error instead of stopping at the first rejected entry, so a single run reports every problem. ldapmodify prints its error messages on standard error; add 2>&1 before the pipe if they should end up in the log file as well.

   The ldapmodify utility only adds new entries and does not update existing entries that were created when you installed the CA. For example:

   - Top level entries. For example: o=pki-tomcat-CA
   - Default groups. For example: cn=Certificate Manager Agents,ou=groups,o=pki-tomcat-CA. Because the standard groups are not updated, the users are not automatically added to these groups. After the import, you must add members to each default group manually. See Section 22.4, “Reassigning Users to Default Groups”.
   - Default access control lists (ACL) for the CA.

   As mentioned earlier, Directory Server 10 uses syntax validation. Verify the output in the /root/import.log file and search for failed actions, such as ldap_add: Invalid syntax (21). For further details, see Step 1.
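The cleanup of Step 1 and the log check of Step 4, as an added example that is not part of the original documentation or of the product: a small Python script that parses the exported LDIF, drops empty values, upper-cases true/false only under the security domain subtree (elsewhere it only reports them, following the warning in Step 1), and then reads the import log to pair each rejected entry with its error, treating "Already exists (68)" as expected for the entries the installation created. The DN suffix constant, the attribute names in the sample security domain entry, and the log layout (that of OpenLDAP's ldapmodify with standard error merged via 2>&1) are assumptions; both samples are constructed.

```python
"""Pre-import LDIF cleanup and post-import log triage for a CA migration.
Added example for this procedure, not code from the Red Hat Certificate
System documentation or product. Assumes RFC 2849 LDIF and an import log
captured with standard error merged in (ldapmodify ... 2>&1 | tee ...)."""
import base64
import re
from typing import Dict, List, Tuple

# Subtree in which the procedure expects boolean attributes: lower-case
# true/false is rewritten only here and merely reported elsewhere.
SECURITY_DOMAIN_SUFFIX = "cn=CAList,ou=Security Domain,o=pki-tomcat-CA"
# An entry is (dn, raw dn line, [(attribute, decoded value, raw line), ...]).
Entry = Tuple[str, str, List[Tuple[str, str, str]]]

def _split(line: str) -> Tuple[str, str]:
    """'attr: value' or 'attr:: base64' -> (attribute, decoded value)."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name, base64.b64decode(rest[1:].strip()).decode("utf-8")
    return name, rest.strip()

def parse_ldif(text: str) -> List[Entry]:
    """Unfold continuation lines, split into entries, drop comments/version."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], None
    for line in lines + [""]:            # sentinel closes the last entry
        if line == "":
            if cur is not None:
                entries.append(cur)
            cur = None
        elif line.startswith("#") or line.lower().startswith("version:"):
            continue
        elif line.startswith("dn:"):
            cur = (_split(line)[1], line, [])
        elif cur is not None:
            cur[2].append((*_split(line), line))
    return entries

def _bad_boolean(value: str) -> bool:
    return value.lower() in ("true", "false") and value not in ("TRUE", "FALSE")

def clean_ldif(text: str, suffix: str = SECURITY_DOMAIN_SUFFIX):
    """Return (cleaned LDIF, [(dn, attribute, action), ...]): empty values are
    dropped everywhere, true/false is upper-cased only under `suffix`."""
    chunks, report = [], []
    for dn, dn_line, attrs in parse_ldif(text):
        in_scope = dn.lower().endswith(suffix.lower())
        lines = [dn_line]
        for name, value, raw in attrs:
            if value == "":
                report.append((dn, name, "dropped empty value"))
            elif in_scope and _bad_boolean(value):
                report.append((dn, name, f"rewrote {value} as {value.upper()}"))
                lines.append(f"{name}: {value.upper()}")
            else:
                if _bad_boolean(value):
                    report.append((dn, name, "true/false outside boolean scope, check manually"))
                lines.append(raw)              # untouched line, re-emitted as is
        chunks.append("\n".join(lines))
    return "\n\n".join(chunks) + "\n", report

_ADDING = re.compile(r'^adding new entry "(.*)"$')
_ERROR = re.compile(r"^ldap_(?:add|modify): (.+?) \((\d+)\)$")

def failed_entries(log_text: str, ignore=("68",)) -> List[Dict[str, str]]:
    """Pair each error with the entry being added and its 'additional info' line.
    68 (Already exists) is expected for entries the installation already created,
    so it is ignored by default; 21 (Invalid syntax) needs a fix in the LDIF."""
    failures: List[Dict[str, str]] = []
    dn = ""
    for line in log_text.splitlines():
        if m := _ADDING.match(line):
            dn = m.group(1)
        elif m := _ERROR.match(line):
            failures.append({"dn": dn, "error": m.group(1), "code": m.group(2), "info": ""})
        elif line.strip().startswith("additional info:") and failures:
            failures[-1]["info"] = line.split("additional info:", 1)[1].strip()
    return [f for f in failures if f["code"] not in ignore]

# Constructed samples: the security domain attribute names are illustrative,
# and the log mimics what OpenLDAP ldapmodify prints with stderr merged in.
SAMPLE_LDIF = """\
dn: cn=server.example.com:9445,cn=CAList,ou=Security Domain,o=pki-tomcat-CA
objectClass: pkiSubsystem
cn: server.example.com:9445
Clone: false
DomainManager: true

dn: uid=caadmin,ou=people,o=pki-tomcat-CA
cn: CA Admi
 nistrator
sn:: QWRtaW5pc3RyYXRvcg==
description:
"""
SAMPLE_LOG = """\
adding new entry "o=pki-tomcat-CA"
ldap_add: Already exists (68)
adding new entry "cn=server.example.com:9445,cn=CAList,ou=Security Domain,o=pki-tomcat-CA"
ldap_add: Invalid syntax (21)
\tadditional info: Clone: value #0 invalid per syntax
"""

if __name__ == "__main__":
    cleaned, report = clean_ldif(SAMPLE_LDIF)
    print(report, cleaned, failed_entries(SAMPLE_LOG), sep="\n")
```

Run clean_ldif on the real export, write the returned text to a new file, and read the report before importing; the "check manually" entries are the true/false values outside the security domain subtree that the warning in Step 1 tells you not to touch blindly. The log pairing assumes the "adding new entry" line of an entry precedes its error in the file; the "additional info" line names the offending attribute either way, which is what you need to go back to the LDIF.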
5. Remove the directory entry for the old security domain, that is, the entry for the old CA host that came in with the imported LDIF. For example:

   # ldapmodify -W -x -D "cn=Directory Manager"
   dn: cn=server.example.com:9445,cn=CAList,ou=Security Domain,o=pki-tomcat-CA
   changetype: delete

   ldapmodify reads the change from standard input; finish the input with an empty line followed by Ctrl+D.
6. Enable the CA in the /etc/pki/instance_name/ca/CS.cfg file to act as the certificate revocation list (CRL) master.
7. Start the CA service again:

   # systemctl start pki-tomcatd@instance_name.service