8.2. Migrating Identity Management from Red Hat Enterprise Linux 6 to Version 7

This procedure describes how to migrate all data and configuration from Red Hat Enterprise Linux 6 Identity Management to Red Hat Enterprise Linux 7 servers. The migration procedure includes:

Migrating the Red Hat Enterprise Linux 6-based certificate authority (CA) master server to Red Hat Enterprise Linux 7.
Transitioning all services to the new Red Hat Enterprise Linux 7 server. These services include CRL and certificate creating, DNS management, or Kerberos KDC administration.
Decommissioning the original Red Hat Enterprise Linux 6 CA master.

In the following procedures:

rhel7.example.com is the Red Hat Enterprise Linux 7 system that will become the new CA master.
rhel6.example.com is the original Red Hat Enterprise Linux 6 CA master.
Note
To identify which Red Hat Enterprise Linux 6 server is the master CA server, determine on which server the certmonger service tracks the renew_ca_cert command. Run this command on every Red Hat Enterprise Linux 6 server:
```
[root@rhel6 ~]# getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" | grep post-save
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
```
The post-save action that executes renew_ca_cert is defined only for the CA master.

8.2.1. Prerequisites for Migrating Identity Management from Red Hat Enterprise Linux 6 to 7

Update the rhel6.example.com system to the latest Red Hat Enterprise Linux 6 version.
On the rhel6.example.com system, upgrade the ipa-* packages:
```
[root@rhel6 ~]# yum update ipa-*
```
This step also makes sure that you have applied the RHBA-2015:0231-2 advisory, which provides the 2.3-6.el6_6 version of the bind-dyndb-ldap package and is available with the Red Hat Enterprise Linux 6.6 Extended Update Support (EUS).
Warning
Using an earlier version of bind-dyndb-ldap results in inconsistent behavior in DNS forward zones serving between the Red Hat Enterprise Linux 6.6 DNS servers and Red Hat Enterprise Linux 7 DNS servers.
Make sure the rhel7.example.com system meets the requirements in Section 2.1, “Prerequisites for Installing a Server” and Section 4.3, “Prerequisites for Installing a Replica”.
On the rhel7.example.com system, install the required packages. See Section 2.2, “Packages Required to Install an IdM Server”.

8.2.2. Updating the Identity Management Schema on Red Hat Enterprise Linux 6

The copy-schema-to-ca.py schema update script prepares rhel6.example.com for the installation of the rhel7.example.com replica. Updating the schema is necessary due to schema changes between Identity Management version 3.1 and later versions.

Copy the copy-schema-to-ca.py schema update script from the rhel7.example.com system to the rhel6.example.com system. For example:
```
[root@rhel7 ~]# scp /usr/share/ipa/copy-schema-to-ca.py root@rhel6:/root/
```

Run the updated copy-schema-to-ca.py script on rhel6.example.com.

[root@rhel6 ~]# python copy-schema-to-ca.py
ipa         : INFO     Installed /etc/dirsrv/slapd-PKI-IPA//schema/60kerberos.ldif
[... output truncated ...]
ipa         : INFO     Schema updated successfully

8.2.3. Installing the Red Hat Enterprise Linux 7 Replica

On the rhel6.example.com system, create the replica file you will use to install the rhel7.example.com replica. For example, to create a replica file for rhel7.example.com whose IP address is 192.0.2.1:
```
[root@rhel6 ~]# ipa-replica-prepare rhel7.example.com --ip-address 192.0.2.1

Directory Manager (existing master) password:
Preparing replica for rhel7.example.com from rhel6.example.com
[... output truncated ...]
The ipa-replica-prepare command was successful
```
See also Section D.1, “Replica Information File” and Section D.2, “Creating Replicas”.

Copy the replica information file from rhel6.example.com to rhel7.example.com.

[root@rhel6 ~]# scp /var/lib/ipa/replica-info-replica.example.com.gpg root@rhel7:/var/lib/ipa/

Install the rhel7.example.com replica using the replica file. For example, the following command uses these options:
- --setup-ca to set up the Certificate System component
- --setup-dns and --forwarder to configure an integrated DNS server and set a forwarder
- --ip-address to specify the IP address of the rhel7.example.com system
```
[root@rhel7 ~]# ipa-replica-install /var/lib/ipa/replica-info-rhel7.example.com.gpg --setup-ca --ip-address 192.0.2.1 --setup-dns --forwarder 192.0.2.20
Directory Manager (existing master) password:

Checking DNS forwarders, please wait ...
Run connection check to master
[... output truncated ...]
Client configuration complete.
```
See also:
- Section D.2, “Creating Replicas”, which describes creating replicas using replica information files
- Section 2.3.1, “Determining Whether to Use Integrated DNS” and Section 2.3.2, “Determining What CA Configuration to Use”

Verify that the Identity Management services are running on rhel7.example.com.

[root@rhel7 ~]# ipactl status
Directory Service: RUNNING
[... output truncated ...]
ipa: INFO: The ipactl command was successful

8.2.4. Transitioning the CA Services to the Red Hat Enterprise Linux 7 Server

Before you begin:

Verify that rhel6.example.com and rhel7.example.com CAs are both configured as master servers.

[root@rhel7 ~]$ kinit admin
[root@rhel7 ~]$ ipa-csreplica-manage list
rhel6.example.com: master
rhel7.example.com: master

To display details about a replication agreement:

[root@rhel7 ~]# ipa-csreplica-manage list --verbose rhel7.example.com
rhel7.example.com
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (0) Replica acquired successfully: Incremental update succeeded
last update ended: 2017-02-13 13:55:13+00:00

On the rhel6.example.com original master CA, stop the CA subsystem certificate renewal:

Disable tracking for the original CA certificates.

[root@rhel6 ~]# getcert stop-tracking -d /var/lib/pki-ca/alias -n "auditSigningCert cert-pki-ca"
Request "20181127184547" removed.
[root@rhel6 ~]# getcert stop-tracking -d /var/lib/pki-ca/alias -n "ocspSigningCert cert-pki-ca"
Request "20181127184548" removed.
[root@rhel6 ~]# getcert stop-tracking -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca"
Request "20181127184549" removed.
[root@rhel6 ~]# getcert stop-tracking -d /etc/httpd/alias -n ipaCert
Request "20181127184550" removed.

Reconfigure rhel6.example.com to retrieve renewed certificates from a new master CA.

Copy the renewal helper script into the certmonger service directory, and set the appropriate permissions.

[root@rhel6 ~]# cp /usr/share/ipa/ca_renewal /var/lib/certmonger/cas/
[root@rhel6 ~]# chmod 0600 /var/lib/certmonger/cas/ca_renewal

Update the SELinux configuration.

[root@rhel6 ~]# restorecon /var/lib/certmonger/cas/ca_renewal

Restart certmonger.

[root@rhel6 ~]# service certmonger restart

Check that the CA is listed to retrieve certificates.

[root@rhel6 ~]# getcert list-cas
...
CA 'dogtag-ipa-retrieve-agent-submit':
        is-default: no
        ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit

Obtain the CA certificate database PIN.

[root@rhel6 ~]# grep internal= /var/lib/pki-ca/conf/password.conf

Configure certmonger to track the certificates for external renewal. This requires the database PIN.

[root@rhel6 ~]# getcert start-tracking \
    -c dogtag-ipa-retrieve-agent-submit \
    -d /var/lib/pki-ca/alias \
    -n "auditSigningCert cert-pki-ca" \
    -B /usr/lib64/ipa/certmonger/stop_pkicad \
    -C '/usr/lib64/ipa/certmonger/restart_pkicad \
    "auditSigningCert cert-pki-ca"' \
    -T "auditSigningCert cert-pki-ca" \
    -P database_pin
New tracking request "20181127184743" added.
[root@rhel6 ~]# getcert start-tracking \
    -c dogtag-ipa-retrieve-agent-submit \
    -d /var/lib/pki-ca/alias \
    -n "ocspSigningCert cert-pki-ca" \
    -B /usr/lib64/ipa/certmonger/stop_pkicad \
    -C '/usr/lib64/ipa/certmonger/restart_pkicad \
    "ocspSigningCert cert-pki-ca"' \
    -T "ocspSigningCert cert-pki-ca" \
    -P database_pin
New tracking request "20181127184744" added.
[root@rhel6 ~]# getcert start-tracking \
    -c dogtag-ipa-retrieve-agent-submit \
    -d /var/lib/pki-ca/alias \
    -n "subsystemCert cert-pki-ca" \
    -B /usr/lib64/ipa/certmonger/stop_pkicad \
    -C '/usr/lib64/ipa/certmonger/restart_pkicad \
    "subsystemCert cert-pki-ca"' \
    -T "subsystemCert cert-pki-ca" \
    -P database_pin
New tracking request "20181127184745" added.
[root@rhel6 ~]# getcert start-tracking \
    -c dogtag-ipa-retrieve-agent-submit \
    -d /etc/httpd/alias \
    -n ipaCert \
    -C /usr/lib64/ipa/certmonger/restart_httpd \
    -T ipaCert \
    -p /etc/httpd/alias/pwdfile.txt
New tracking request "20181127184746" added.

Move CRL generation from the original rhel6.example.com CA master to rhel7.example.com.

On rhel6.example.com, stop CRL generation:
1. Stop the CA service.
```
[root@rhel6 ~]# service pki-cad stop
```
2. Disable CRL generation on rhel6.example.com. Open the /var/lib/pki-ca/conf/CS.cfg file, and set the values of the ca.crl.MasterCRL.enableCRLCache and ca.crl.MasterCRL.enableCRLUpdates parameters to false.
```
ca.crl.MasterCRL.enableCRLCache=false
ca.crl.MasterCRL.enableCRLUpdates=false
```
3. Start the CA service.
```
[root@rhel6 ~]# service pki-cad start
```
On rhel6.example.com, configure Apache to redirect CRL requests to the new master, rhel7.example.com.
1. Open the /etc/httpd/conf.d/ipa-pki-proxy.conf file. Uncomment the RewriteRule argument, and replace the server host name with the rhel7.example.com host name in the server URL:
```
RewriteRule ^/ipa/crl/MasterCRL.bin https://rhel7.example.com/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
```
2. Restart Apache.
```
[root@rhel6 ~]# service httpd restart
```
On rhel7.example.com, configure rhel7.example.com as the new CA master:
1. Configure rhel7.example.com to handle CA subsystem certificate renewal, as described in Section D.4.1, “Changing Which Server Handles Certificate Renewal”.
2. Configure rhel7.example.com to general certificate revocation lists (CRLs), as described in the section called “Configure a Server to Generate CRLs”.

Related Information

See Section 6.5.2, “Promoting a Replica to a Master CA Server” for details on CA subsystem certificate renewal and CRLs.

8.2.5. Stop the Red Hat Enterprise Linux 6 Server

Stop all service on rhel6.example.com to force domain discovery to the new rhel7.example.com server.

[root@rhel6 ~]# ipactl stop
Stopping CA Service
Stopping pki-ca:                                           [  OK  ]
Stopping HTTP Service
Stopping httpd:                                            [  OK  ]
Stopping MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Stopping DNS Service
Stopping named: .                                          [  OK  ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Directory Service
Shutting down dirsrv:
    EXAMPLE-COM...                                         [  OK  ]
    PKI-IPA...                                             [  OK  ]

After this, using the ipa utility will contact the new server through a remote procedure call (RPC).

8.2.6. Next Steps After Migrating the Master CA Server

For each Red Hat Enterprise Linux 6 server in your topology:

Create a replica file from rhel7.example.com.
Note
After installing a Red Hat Enterprise Linux 7 replica from a Red Hat Enterprise Linux 6 server, the domain level for the Identity Management domain is automatically set to 0.
Red Hat Enterprise Linux 7.3 introduced an easier way to install and manage replicas. To use these features, your topology must be at domain level 1. See Chapter 7, Displaying and Raising the Domain Level.
Use the replica file to install a new replica on another Red Hat Enterprise Linux 7 system.

See Chapter 4, Installing and Uninstalling Identity Management Replicas.

To decommission a Red Hat Enterprise Linux 6 server:

Remove the server from the topology by executing the removal commands on a Red Hat Enterprise Linux 7 server.

See Section 2.4, “Uninstalling an IdM Server”.

Where did the comment section go?

Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories