Chapter 26. Migrating IdM from RHEL 7 to 8

This procedure describes how to migrate all Identity Management (IPA) data and configuration from a Red Hat Enterprise Linux (RHEL) 7 server to a RHEL 8 server. The migration procedure includes:

  1. Installing an IdM server on the RHEL 8 system. For details, see Section 26.2, “Installing the RHEL 8 Replica”.
  2. Making the RHEL 8 server the certificate authority (CA) renewal server. For details, see Section 26.3, “Moving the CA renewal server to RHEL 8”.
  3. Stopping the generation of the certificate revocation list (CRL) on the RHEL 7 server and redirecting CRL requests to RHEL 8. For details, see Section 26.4, “Stopping CRL generation on a RHEL 7 IdM CA server”.
  4. Starting the generation of the CRL on the RHEL 8 server. For details, see Section 26.5, “Starting CRL generation on the new RHEL 8 IdM CA server”.
  5. Stopping and decommissioning the RHEL 7 CA server that was the original CA renewal server and CRL generation server. For details, see Section 26.6, “Stopping and decommissioning the RHEL 7 server”.

In the following procedures:

  • rhel8.example.com is the RHEL 8 system that will become the new CA renewal server and the CRL generation server.
  • rhel7.example.com is the original RHEL 7 CA renewal server and the CRL generation server. To identify which Red Hat Enterprise Linux 7 server is the CA renewal server, run the following command on any IdM server:

    [root@rhel7 ~]# ipa config-show | grep "CA renewal master"
    IPA CA renewal master: rhel7.example.com

    If your IdM deployment is CA-less, any IdM server running on RHEL 7 can be rhel7.example.com.

Note

Complete the steps in Section 26.3, Section 26.4, and Section 26.5 only if your IdM deployment uses an embedded certificate authority (CA).

26.1. Prerequisites for Migrating IdM from RHEL 7 to 8

On rhel7.example.com:

  1. Upgrade the system to the latest RHEL 7 version.
  2. Update the ipa-* packages to their latest version:

    [root@rhel7 ~]# yum update ipa-*
    Warning

    When upgrading multiple Identity Management (IdM) servers, wait at least 10 minutes between each upgrade.

    When two or more servers are upgraded simultaneously or with only short intervals between the upgrades, there is not enough time to replicate the post-upgrade data changes throughout the topology, which can result in conflicting replication events.

On rhel8.example.com:

  1. Ensure the rhel8.example.com system meets the requirements listed in Chapter 1, Preparing the system for IdM server installation.
  2. Ensure the rhel8.example.com system uses a time server that is synchronized with rhel7.example.com. This is important because in RHEL 8, IdM does not provide its own time server: the installation of IdM on rhel8.example.com does not result in the installation of an NTP server on the host.
  3. Ensure the rhel8.example.com system is part of the domain for which rhel7.example.com is authoritative.
  4. Update the ipa-* packages to their latest version:

    [root@rhel8 ~]# yum update ipa-*

Related information

  • For details on using the yum utility, see the yum(8) manual pages.

26.2. Installing the RHEL 8 Replica

  1. List which server roles are present in your RHEL 7 environment:

    [root@rhel7 ~]# ipa server-role-find --status enabled
    ----------------------
    4 server roles matched
    ----------------------
      Server name: rhel7.example.com
      Role name: CA server
      Role status: enabled
    
      Server name: replica7.example.com
      Role name: DNS server
      Role status: enabled
    
      Server name: rhel7.example.com
      Role name: DNS server
      Role status: enabled
    
      Server name: rhel7.example.com
      Role name: NTP server
      Role status: enabled
    [... output truncated ...]
  2. Install the Identity Management (IdM) server on rhel8.example.com as a replica of the RHEL 7 IdM server, including all the server roles present on rhel7.example.com except the NTP server role. To install the roles from the example above, use these options with the ipa-replica-install command:

    • --setup-ca to set up the Certificate System component
    • --setup-dns and --forwarder to configure an integrated DNS server and set a forwarder to take care of DNS queries that go outside the IdM domain

      To set up an IdM server with the IP address 192.0.2.1 that uses a forwarder with the IP address 192.0.2.20:

      [root@rhel8 ~]# ipa-replica-install --setup-ca --ip-address 192.0.2.1 --setup-dns --forwarder 192.0.2.20

    You do not need to specify the RHEL 7 IdM server: if DNS is working correctly, rhel8.example.com finds it using DNS autodiscovery. If autodiscovery fails, pass the server explicitly with the --server option.

  3. After the installation completes, verify that the IdM services are running on rhel8.example.com:

    [root@rhel8 ~]# ipactl status
    Directory Service: RUNNING
    [... output truncated ...]
    ipa: INFO: The ipactl command was successful
  4. Verify that the certificate authorities (CAs) on rhel7.example.com and rhel8.example.com are both configured as masters (primary servers):

    [root@rhel8 ~]# kinit admin
    [root@rhel8 ~]# ipa-csreplica-manage list
    rhel7.example.com: master
    rhel8.example.com: master
  5. Optionally, to display details about the replication agreement between rhel7.example.com and rhel8.example.com:

    [root@rhel8 ~]# ipa-csreplica-manage list --verbose rhel8.example.com
    Directory Manager password:
    
    rhel7.example.com
    last init status: None
    last init ended: 1970-01-01 00:00:00+00:00
    last update status: Error (0) Replica acquired successfully: Incremental update succeeded
    last update ended: 2019-02-13 13:55:13+00:00
  6. Optionally, add an _ntp._udp service (SRV) record for your NTP time server to the DNS zone served by the newly installed IdM server, rhel8.example.com. The SRV record ensures that future replica and client installations are automatically configured to synchronize with the time server used by rhel8.example.com, the new IdM CA server that combines the CA renewal server and CRL generation server roles.
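When a topology carries more roles than the example above, it is easy to miss one when typing the ipa-replica-install command. The following script, added here as an example and not taken from the RHEL documentation, parses the output of ipa server-role-find --status enabled and prints the ipa-replica-install role options for a given server, deliberately dropping the NTP server role that RHEL 8 IdM no longer provides. The role listing is a constructed sample modelled on the output shown in step 1 (with a KRA server role added to show the mapping); the option names (--setup-ca, --setup-dns, --setup-kra, --setup-adtrust) are real ipa-replica-install options.

```shell
#!/bin/sh
# Added example (not from the RHEL documentation): derive ipa-replica-install
# role options from the output of `ipa server-role-find --status enabled`.

# Constructed sample listing, modelled on step 1 above.
ROLE_LISTING='----------------------
5 server roles matched
----------------------
  Server name: rhel7.example.com
  Role name: CA server
  Role status: enabled

  Server name: replica7.example.com
  Role name: DNS server
  Role status: enabled

  Server name: rhel7.example.com
  Role name: DNS server
  Role status: enabled

  Server name: rhel7.example.com
  Role name: NTP server
  Role status: enabled

  Server name: rhel7.example.com
  Role name: KRA server
  Role status: enabled'

# roles_of SERVER: read a role listing on stdin and print the enabled
# role names of SERVER, one per line.
roles_of() {
    awk -v want="$1" '
        /^ *Server name:/ { sub(/^ *Server name: */, ""); server = $0 }
        /^ *Role name:/   { sub(/^ *Role name: */, "");   role = $0 }
        /^ *Role status:/ { if (server == want && $NF == "enabled") print role }
    '
}

# replica_install_opts SERVER: map the enabled roles of SERVER to
# ipa-replica-install options. "NTP server" is intentionally not mapped:
# RHEL 8 IdM does not ship a time server, so there is no option for it.
# Note that --setup-dns additionally needs --forwarder, --auto-forwarders
# or --no-forwarders on the real command line.
replica_install_opts() {
    roles_of "$1" | awk '
        $0 == "CA server"           { opts = opts " --setup-ca" }
        $0 == "DNS server"          { opts = opts " --setup-dns" }
        $0 == "KRA server"          { opts = opts " --setup-kra" }
        $0 == "AD trust controller" { opts = opts " --setup-adtrust" }
        END { sub(/^ /, "", opts); print opts }
    '
}

# Usage: options needed to mirror rhel7.example.com on the new replica.
# With a live topology, replace the printf with:
#   ipa server-role-find --status enabled | replica_install_opts rhel7.example.com
printf '%s\n' "$ROLE_LISTING" | replica_install_opts rhel7.example.com
```

For the sample listing the script prints --setup-ca --setup-dns --setup-kra; the same listing queried for replica7.example.com yields only --setup-dns, which is the point of filtering per server rather than taking every enabled role in the topology.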

26.3. Moving the CA renewal server to RHEL 8

Note

Complete the steps in this section only if your IdM deployment uses an embedded certificate authority (CA).

On rhel8.example.com, configure rhel8.example.com as the new CA renewal server:

  • Configure rhel8.example.com to handle CA subsystem certificate renewal:

    [root@rhel8 ~]# ipa config-mod --ca-renewal-master-server rhel8.example.com
      ...
      IPA masters: rhel7.example.com, rhel8.example.com
      IPA CA servers: rhel7.example.com, rhel8.example.com
      IPA NTP servers: rhel7.example.com
      IPA CA renewal master: rhel8.example.com

    The output confirms that the update was successful. In RHEL 8, IdM does not provide time service. For this reason, rhel8.example.com is not listed among NTP servers.

26.4. Stopping CRL generation on a RHEL 7 IdM CA server

Note

Complete the steps in this section only if your IdM deployment uses an embedded certificate authority (CA).

This section describes how to stop the generation of the Certificate Revocation List (CRL) on the rhel7.example.com CA server using the ipa-crlgen-manage command.

Prerequisites

  • You must be logged in as root.

Procedure

  1. Optionally, check if rhel7.example.com is generating the CRL:

    [root@rhel7 ~]# ipa-crlgen-manage status
    CRL generation: enabled
    Last CRL update: 2019-10-31 12:00:00
    Last CRL Number: 6
    The ipa-crlgen-manage command was successful
  2. Stop generating the CRL on the rhel7.example.com server:

    [root@rhel7 ~]# ipa-crlgen-manage disable
    Stopping pki-tomcatd
    Editing /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
    Starting pki-tomcatd
    Editing /etc/httpd/conf.d/ipa-pki-proxy.conf
    Restarting httpd
    CRL generation disabled on the local host. Please make sure to configure CRL generation on another master with ipa-crlgen-manage enable.
    The ipa-crlgen-manage command was successful
  3. Optionally, check that the rhel7.example.com server has stopped generating the CRL:

    [root@rhel7 ~]# ipa-crlgen-manage status

The rhel7.example.com server has stopped generating the CRL. The next step is to enable CRL generation on rhel8.example.com. Until you do, no server in the topology generates a new CRL and clients keep using the last published one, so complete the next section without delay.

26.5. Starting CRL generation on the new RHEL 8 IdM CA server

Note

Complete the steps in this section only if your IdM deployment uses an embedded certificate authority (CA).

Prerequisites

  • You must be logged in as root on the rhel8.example.com machine.

Procedure

  1. To start generating the CRL on rhel8.example.com, use the ipa-crlgen-manage enable command:

    [root@rhel8 ~]# ipa-crlgen-manage enable
    Stopping pki-tomcatd
    Editing /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
    Starting pki-tomcatd
    Editing /etc/httpd/conf.d/ipa-pki-proxy.conf
    Restarting httpd
    Forcing CRL update
    CRL generation enabled on the local host. Please make sure to have only a single CRL generation master.
    The ipa-crlgen-manage command was successful
  2. To check if CRL generation is enabled, use the ipa-crlgen-manage status command:

    [root@rhel8 ~]# ipa-crlgen-manage status
    CRL generation: enabled
    Last CRL update: 2019-10-31 12:10:00
    Last CRL Number: 7
    The ipa-crlgen-manage command was successful
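The state you want at the end of Sections 26.3 to 26.5 is that exactly one server generates the CRL, that this server is also the CA renewal master, and that the CRL number has moved on since the handover. The following script, added here as an example and not taken from the RHEL documentation, checks all three conditions from the output of ipa-crlgen-manage status on both servers and ipa config-show on either. The three outputs are constructed from the listings in this chapter; on a live topology you would capture them with the commands named in the comments.

```shell
#!/bin/sh
# Added example (not from the RHEL documentation): verify that the CRL
# generation role and the CA renewal master both ended up on the new server.

# Constructed sample outputs, modelled on the listings in this chapter.
# Live equivalents: `ipa-crlgen-manage status` on each host,
# `ipa config-show` on any IdM server.
RHEL7_STATUS='CRL generation: disabled
The ipa-crlgen-manage command was successful'

RHEL8_STATUS='CRL generation: enabled
Last CRL update: 2019-10-31 12:10:00
Last CRL Number: 7
The ipa-crlgen-manage command was successful'

CONFIG_SHOW='  IPA masters: rhel7.example.com, rhel8.example.com
  IPA CA servers: rhel7.example.com, rhel8.example.com
  IPA CA renewal master: rhel8.example.com'

# field LABEL TEXT: print the value following "LABEL:" in TEXT.
field() {
    printf '%s\n' "$2" | sed -n "s/^ *$1: *//p"
}

# crl_handover_check OLD_HOST OLD_STATUS NEW_HOST NEW_STATUS CONFIG [OLD_CRL_NUMBER]
# OLD_CRL_NUMBER is the "Last CRL Number" seen on OLD_HOST before disabling
# (6 in Section 26.4); the disabled host no longer reports it.
# Returns 0 when the handover is complete, 1 with a reason otherwise.
crl_handover_check() {
    old_host=$1 old_status=$2 new_host=$3 new_status=$4 config=$5 old_num=${6:-0}
    old_gen=$(field 'CRL generation' "$old_status")
    new_gen=$(field 'CRL generation' "$new_status")
    new_num=$(field 'Last CRL Number' "$new_status")
    renewal=$(field 'IPA CA renewal master' "$config")
    : "${new_num:=0}"

    if [ "$old_gen" != disabled ]; then
        echo "FAIL: $old_host still generates the CRL ($old_gen)"; return 1
    fi
    if [ "$new_gen" != enabled ]; then
        echo "FAIL: $new_host does not generate the CRL ($new_gen)"; return 1
    fi
    if [ "$renewal" != "$new_host" ]; then
        echo "FAIL: CA renewal master is '$renewal', expected $new_host"; return 1
    fi
    if [ "$new_num" -le "$old_num" ]; then
        echo "FAIL: CRL number did not advance ($old_num -> $new_num)"; return 1
    fi
    echo "OK: $new_host is the only CRL generation master and the CA renewal master (CRL $old_num -> $new_num)"
    return 0
}

# Usage with the constructed outputs; 6 is the last CRL number rhel7 reported.
crl_handover_check rhel7.example.com "$RHEL7_STATUS" \
                   rhel8.example.com "$RHEL8_STATUS" "$CONFIG_SHOW" 6
```

The CRL number check matters because ipa-crlgen-manage enable forces an immediate CRL update: if the number has not advanced, the new server may have been configured but never actually published a CRL, and revocations made since the move would not reach clients.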

26.6. Stopping and decommissioning the RHEL 7 server

  1. Make sure that all data, including the most recent changes, has been correctly replicated from rhel7.example.com to rhel8.example.com. For example:

    1. Add a new user on rhel7.example.com:

      [root@rhel7 ~]# ipa user-add random_user
      First name: random
      Last name: user
    2. Check that the user has been replicated to rhel8.example.com:

      [root@rhel8 ~]# ipa user-find random_user
      --------------
      1 user matched
      --------------
        User login: random_user
        First name: random
        Last name: user
  2. Stop all services on rhel7.example.com to force domain discovery to the new rhel8.example.com server.

    [root@rhel7 ~]# ipactl stop
    Stopping CA Service
    Stopping pki-ca:                                           [  OK  ]
    Stopping HTTP Service
    Stopping httpd:                                            [  OK  ]
    Stopping MEMCACHE Service
    Stopping ipa_memcached:                                    [  OK  ]
    Stopping DNS Service
    Stopping named: .                                          [  OK  ]
    Stopping KPASSWD Service
    Stopping Kerberos 5 Admin Server:                          [  OK  ]
    Stopping KDC Service
    Stopping Kerberos 5 KDC:                                   [  OK  ]
    Stopping Directory Service
    Shutting down dirsrv:
        EXAMPLE-COM...                                         [  OK  ]
        PKI-IPA...                                             [  OK  ]

    After this, the ipa utility will contact the new server through a remote procedure call (RPC).

  3. Remove the RHEL 7 server from the topology by executing the removal commands on the RHEL 8 server. Before you do, confirm with ipa config-show that rhel8.example.com is the CA renewal master and that it is the only server generating the CRL, so that removing rhel7.example.com does not take the CA functions with it. For details, see Chapter 8, Uninstalling an IdM server.
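Replication is asynchronous, so the check in step 1 can report that random_user is missing on rhel8.example.com simply because the change has not arrived yet, and a hurried admin may read that as a failed migration. The following helper, added here as an example and not taken from the RHEL documentation, polls a check command until it succeeds or a timeout expires; the real commands for the test user from step 1 are shown in comments, and the block itself runs offline against stub checks so it can be tried anywhere.

```shell
#!/bin/sh
# Added example (not from the RHEL documentation): poll a check until it
# succeeds, so a not-yet-replicated entry is not mistaken for lost data.

# wait_for_replication CHECK [TIMEOUT] [INTERVAL]
# Runs CHECK (a shell command string) every INTERVAL seconds (default 2)
# until it exits 0 or TIMEOUT seconds (default 120) have elapsed.
# Returns 0 when CHECK succeeded, 1 on timeout.
wait_for_replication() {
    check=$1 timeout=${2:-120} interval=${3:-2} elapsed=0
    while ! eval "$check" >/dev/null 2>&1; do
        if [ "$elapsed" -ge "$timeout" ]; then
            echo "timed out after ${elapsed}s waiting for: $check" >&2
            return 1
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    echo "check succeeded after ${elapsed}s: $check"
    return 0
}

# Real use on rhel8.example.com, after `ipa user-add random_user` on
# rhel7.example.com (needs an admin ticket; commented out to run offline).
# `ipa user-show` exits non-zero while the entry does not exist, which is
# exactly the signal the loop waits for.
#   wait_for_replication 'ipa user-show random_user' 120
#   ipa user-del random_user   # remove the test account once confirmed

# Offline demonstration with stub checks.
wait_for_replication true 4 1
wait_for_replication false 1 1 || echo "stub check timed out, as expected"
```

Delete the test user once replication is confirmed: a throwaway account that outlives the migration is an unowned identity in the directory.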