Red Hat SYSTEM 8.0 - MIGRATION GUIDE 7.X TO 8.0 Manual

Migration guide 7.x to 8.0

Red Hat Certificate System 8.0
Migration Guide 7.x to 8.0
Matthew Harmsen
Publication date: July 22, 2009, updated on March 22, 2010

Summary of Contents for Red Hat SYSTEM 8.0 - MIGRATION GUIDE 7.X TO 8.0

  • Page 1 Red Hat Certificate System 8.0 Migration Guide 7.x to 8.0 Matthew Harmsen Publication date: July 22, 2009, updated on March 22, 2010...
  • Page 2 Migration Guide Red Hat Certificate System 8.0 Migration Guide 7.x to 8.0 Edition 8.0.7 Author Matthew Harmsen Editor Ella Deon Lackey Copyright © 2009 Red Hat, Inc. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA").
  • Page 3: Table Of Contents

    About This Guide: 1. Recommended Knowledge (p. vii); 2. Examples and Formatting (p. vii); 2.1. Formatting for Examples and Commands (p. vii); 2.2. Tool Locations (p. viii); 2.3. Guide Formatting (p. viii); 3. Additional Reading (p. viii); 4. Giving Feedback (p. ix); 5.
  • Page 4 Migration Guide 5.1. Migrating the Security Databases (p. 43); 5.1.1. Option 1: Security Databases to Security Databases Migration (p. 43); 5.1.2. Option 2: Security Databases to HSM Migration (p. 45); 5.1.3. Option 3: HSM to Security Databases Migration (p. 48); 5.1.4.
  • Page 5 8.6. Verifying the TPS Migration (p. 114)...
  • Page 7: About This Guide

    About This Guide This guide explains how to migrate a Red Hat Certificate System 7.1, 7.2, or 7.3 deployment to Red Hat Certificate System 8.0. Installation and administration topics are covered in the Red Hat Certificate System Administrator's Guide, processing certificate requests and other aspects of managing the certificate lifecycle are covered in the Certificate System Agent's Guide, and using smart cards is covered in Managing Smart Cards with the Enterprise Security Client.
  • Page 8: Tool Locations

    About This Guide 2.2. Tool Locations All of the tools for Red Hat Certificate System are located in the /usr/bin directory. These tools can be run from any location without specifying the tool location. 2.3. Guide Formatting Certain words are represented in different fonts, styles, and weights. Different character formatting is used to indicate the function or purpose of the phrase being highlighted.
  • Page 9: Giving Feedback

    If there is any error in this Migration Guide: 7.x to 8.0 or there is any way to improve the documentation, please let us know. Bugs can be filed against the documentation for Red Hat Certificate System through Bugzilla, http://bugzilla.redhat.com/bugzilla. Make the bug report as specific as possible, so we can be more effective in correcting any issues:...
  • Page 10: Document History

    We appreciate receiving any feedback — requests for new sections, corrections, improvements, enhancements, even new ways of delivering the documentation or new styles of docs. You are welcome to contact Red Hat Content Services directly at docs@redhat.com. 5. Document History Revision 8.0.7...
  • Page 11: Introduction To Red Hat Certificate System Migration

    Chapter 1. Introduction to Red Hat Certificate System Migration Red Hat Certificate System 7.1, 7.2, and 7.3 can be migrated to Red Hat Certificate System version 8.0 using the Red Hat Certificate System migration utility. These migration scripts can extract data from the installation of a previous version and migrate this data to 8.0.
  • Page 12: Certificate System Subsystems

    Chapter 1. Introduction to Red Hat Certificate System Migration program to convert the normalized LDIF text file into an LDIF data file that can be imported into the newer Certificate System. NOTE The major version number of the migration export/import package is applied to all service packs for that version.
  • Page 13: Considerations Before Migration

    Considerations Before Migration • Online Certificate Status Protocol (OCSP) Manager • Registration Authority (RA) • Token Key Service (TKS) • Token Processing System (TPS) Table 1.2, “Certificate System Subsystem Types and Platforms” defines the platforms and subsystems supported by different versions of Certificate System: Product (including service packs and hot-fixes) Red Hat Certificate System 7.1 Red Hat Certificate System 7.2...
  • Page 14 Chapter 1. Introduction to Red Hat Certificate System Migration Directory Names, Directory Locations, and FHS In Certificate System 7.2, the Certificate System instance directories were changed from a single server root to follow Filesystem Hierarchy Standards. The configuration files were then stored, for example, in /var/lib while the log files were moved to /var/log, and the tools are located in /usr/bin.
  • Page 15 Considerations Before Migration • An SSL port for the administrative console or admin services • A web server port (Tomcat for CA, DRM, OCSP, and TKS subsystems, Apache for the TPS and RA subsystems) However, Certificate System versions older than 8.0 used only three ports, a web server port, an unsecure port, and a single SSL port.
  • Page 17: Setting Up Certificate System 8.0 Subsystems

    Chapter 2. Setting up Certificate System 8.0 Subsystems For every Certificate System 7.x subsystem which will be migrated, there must be a new Certificate System 8.0 subsystem installed and properly configured. 2.1. Installing New Certificate System Subsystem Instances The configuration of the new Certificate System 8.0 instances is extremely important. As mentioned in Section 1.2, “Considerations Before Migration”, the instance names, directory locations, and port numbers in Certificate System 8.0 are different from those in the Certificate System 7.x versions.
  • Page 18 Chapter 2. Setting up Certificate System 8.0 Subsystems yum install redhat-ds 3. Install Apache if it is not already available. For example: yum install httpd 4. Install mod_nss. yum install mod_nss 5. Before installing any Red Hat Certificate System 8.0 packages, set an environment variable which prevents the installation program from automatically creating the default instances.
  • Page 19 Installing New Certificate System Subsystem Instances Installing the DRM, OCSP, and TKS subsystems is similar to installing the CA, except for the subsystem type and instance-specific settings, like the name and port numbers. To install an RA with the 7.2 and 7.3 instance name of rhpki-ra: pkicreate -pki_instance_root=/var/lib -pki_instance_name=rhpki-ra -subsystem_type=ra -secure_port=12889 -non_clientauth_secure_port=12890 -unsecure_port=12888 -redirect conf=/etc/rhpki-ra -redirect logs=/var/log/rhpki-ra...
  • Page 20 Chapter 2. Setting up Certificate System 8.0 Subsystems service new_CA_instance restart 12. Run pkicreate, configure, and restart every new instance which will be migrated on the server. 13. Once every instance has been created and configured, stop all of the new instances. The new instance cannot be running when the migration process is started.
  • Page 21: Default File And Directory Locations For Certificate System Subsystems

    Default File and Directory Locations for Certificate System Subsystems 2.2. Default File and Directory Locations for Certificate System Subsystems Certificate System servers consist of subsystems (which are types of servers) and instances. Server subsystems are servers for a specific type of PKI function and are installed by the Certificate System RPMs.
  • Page 22: Default Ra Instance Information

    Chapter 2. Setting up Certificate System 8.0 Subsystems The subsystem certificate is always issued by the security domain so that domain-level operations that require client authentication are based on this subsystem certificate. Table 2.1. Default CA Instance Information 2.2.2. Default RA Instance Information Table 2.2, “Default RA Instance Information”.
  • Page 23: Default Ocsp Instance Information

    Default OCSP Instance Information (Setting: Value) Main Directory: /var/lib/new_DRM_instance; Configuration Directory: /etc/new_DRM_instance; Configuration File: /etc/new_DRM_instance/CS.cfg, /etc/new_DRM_instance/password.conf; Subsystem Certificates: Transport certificate, Storage certificate, SSL server certificate, Audit log signing certificate, Subsystem certificate; Security Databases: /var/lib/new_DRM_instance/alias; Log Files: /var/log/new_DRM_instance; Install Logs: /var/log/new_DRM_instance-install.log; Process File: /var/run/pki-kra.pid; Web Services Files...
  • Page 24: Default Tks Instance Information

    Chapter 2. Setting up Certificate System 8.0 Subsystems (Setting: Value) Install Logs: /var/log/new_OCSP_instance-install.log; Process File: /var/run/pki-ocspocsp.pid; Web Services Files: /var/lib/new_OCSP_instance/webapps. Running service instance_name status lists all of the configured ports and URLs (interfaces) for the subsystem instance. The subsystem certificate is always issued by the security domain so that domain-level operations that require client authentication are based on this subsystem certificate.
  • Page 25 Default TPS Instance Information (Setting: Value) Standard Port (for End Users): 7888; SSL Port (for agents and administrators): 7889; Instance Name: pki-tps; Main Directory: /var/lib/new_TPS_instance; Configuration Directory: /etc/new_TPS_instance; Configuration File: /etc/new_TPS_instance/CS.cfg, /etc/new_TPS_instance/nss.conf, /etc/new_TPS_instance/password.conf; Subsystem Certificates: SSL server certificate, Subsystem certificate; Security Databases: /var/lib/new_TPS_instance/alias; Log Files...
  • Page 26: Shared Certificate System Subsystem File Locations

    Chapter 2. Setting up Certificate System 8.0 Subsystems The Phone Home URL configured in the Enterprise Security Client's esc-prefs.js configuration file determines which URL to access. Setting the Phone Home URL is described in the Managing Smart Cards with the Enterprise Security Client guide. 2.2.7.
  • Page 27: Migrating A Ca Instance To Certificate System

    Chapter 3. Migrating a CA Instance to Certificate System 8.0 Migrating a 7.x version of the Certificate Manager to 8.0 requires migrating individual areas of data — the certificate and key databases for the subsystem, its internal LDAP database, its subsystem password stores —...
  • Page 28 Chapter 3. Migrating a CA Instance to Certificate System 8.0 rm /var/lib/new_CA_instance/alias/key3.db 2. Copy the certificate and key security databases from the 7.x server to the 8.0 server. cp old_server_root/alias/cert-old_instance-cert8.db /var/lib/new_CA_instance/alias/cert8.db cp old_server_root/alias/cert-old_instance-key3.db /var/lib/new_CA_instance/alias/key3.db WARNING Changing either the instance name or the fully-qualified domain name is not supported for migration.
  • Page 29: Option 2: Security Databases To Hsm Migration

    Option 2: Security Databases to HSM Migration 10. Edit the ca.signing.cacertnickname and ca.ocsp_signing.cacertnickname attributes to reflect the 8.0 CA instance. ca.signing.cacertnickname=caSigningCert cert-old_CA_instance ca.ocsp_signing.cacertnickname=ocspSigningCert cert-old_CA_instance 11. If there is CA-DRM connectivity, then also modify the ca.connector.KRA.nickname attribute. ca.connector.KRA.nickname=caSigningCert cert-old_CA_instance 12. In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname.
  • Page 30 Chapter 3. Migrating a CA Instance to Certificate System 8.0 # chown user:group key3.db 6. Log out as root. As the Certificate System user, set the file permissions. chmod 00600 cert8.db chmod 00600 key3.db 7. List the certificates stored in the 7.x security databases by using the certutil command; -L lists the certificates.
  • Page 31 Option 2: Security Databases to HSM Migration rm key3.db 10. Register the new HSM in the 8.0 token database. modutil -nocertdb -dbdir . -add new_HSM_token_name -libfile new_HSM_library_path/new_HSM_library 11. Identify the new HSM slot name. modutil -dbdir . -nocertdb -list 12.
  • Page 32: Option 3: Hsm To Security Databases Migration

    Chapter 3. Migrating a CA Instance to Certificate System 8.0 certutil -M -n "new_HSM_slot_name:ocspSigningCert cert-old_CA_instance" -t "CTu,Cu,Cu" -d . -h new_HSM_token_name certutil -M -n "new_HSM_slot_name:subsystemCert cert-old_CA_instance" -t "cu,cu,cu" -d . -h new_HSM_token_name 16. Open the CS.cfg configuration file in the /var/lib/instance_ID/conf/ directory. 17.
  • Page 33 Option 3: HSM to Security Databases Migration The instance and domain information has to be the same for both instances because the certificate and key material — among other instance and database information — has to be the same. 3. Open the Certificate System /alias directory. cd /var/lib/new_CA_instance/alias/ 4.
  • Page 34: Option 4: Hsm To Hsm Migration

    Chapter 3. Migrating a CA Instance to Certificate System 8.0 9. Optionally, delete the PKCS #12 files. rm ServerCert.p12 rm caSigningCert.p12 rm ocspSigningCert.p12 rm subsystemCert.p12 10. Set the trust bits on the public/private key pairs that were imported into the 8.0 security databases. certutil -M -n "Server-Cert cert-old_CA_instance"...
  • Page 35 Option 4: HSM to HSM Migration cp old_server_root/alias/ocspSigningCert.p12 /var/lib/new_CA_instance/alias/ocspSigningCert.p12 cp old_server_root/alias/subsystemCert.p12 /var/lib/new_CA_instance/alias/subsystemCert.p12 WARNING Changing either the instance name or the fully-qualified domain name is not supported for migration. The fully-qualified domain name of the host machine for the new instance must be the same as the fully-qualified domain name of the original instance.
  • Page 36 Chapter 3. Migrating a CA Instance to Certificate System 8.0 10. Import the public/private key pairs of each entry from the PKCS #12 files into the new HSM. pk12util -i ServerCert.p12 -d . -h new_HSM_slot_name Enter Password or Pin for "new_HSM_slot_name":******** Enter password for PKCS12 file: ******** pk12util: PKCS12 IMPORT SUCCESSFUL pk12util -i caSigningCert.p12 -d .
  • Page 37: Migrating Subsystem Password Stores

    Migrating Subsystem Password Stores 16. In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example: new_HSM_slot_name:Server-Cert cert-old_CA_instance 3.3. Migrating Subsystem Password Stores The password information for the Certificate System subsystems is saved in a special password file. In Certificate System 7.1, it was kept in the pwcache.db file.
  • Page 38: Migrating Passwords From 7.2 And 7.3

    Chapter 3. Migrating a CA Instance to Certificate System 8.0 cd /var/lib/new_CA_instance/conf/ 6. Log in as root, and set the file user and group to the Certificate System user and group. chown user:group password.conf 7. Log out as root. As the Certificate System user, change the permissions on the password file. chmod 00600 password.conf 8.
  • Page 39: Migrating The Ldap Database

    Migrating the LDAP Database 3.4. Migrating the LDAP Database Every 7.x CA subsystem contains LDIF data in an associated internal database which must be migrated to the corresponding Red Hat Certificate System 8.0 subsystem internal database. The only difference between Certificate System 7.x versions is which import and export utility to use; these are version specific.
  • Page 40 13. Log into the 7.x Certificate System instance, and export the database contents to LDIF. Name the output file old-old_CA_instance.ldif. For example: /opt/redhat-ds/slapd-DS-instance/db/db2ldif -U -n server.example.com-old_CA_instance -a /opt/redhat-ds/slapd-DS-instance/ldif/old-old_CA_instance.ldif 14. Convert the old-old_CA_instance.ldif file to a text file. a. Open the version-to-text directory in the migration directory copied to the Certificate System 7.x server.
  • Page 41 JRE_ROOT=/usr/lib/jvm/jre-1.5.0-ibm export JRE_ROOT c. Run the run.sh to use the old-old_CA_instance.ldif file to create a text file. run.sh /opt/redhat-ds/slapd-DS-instance/ldif/old-old_CA_instance.ldif > /opt/redhat-ds/slapd-DS-instance/ldif/old-old_CA_instance.txt 15. Open the Certificate System 7.x LDIF directory, and copy the old-old_CA_instance.txt file into the Certificate System 8.0 server instance's internal database LDIF directory.
  • Page 42 Chapter 3. Migrating a CA Instance to Certificate System 8.0 NOTE When using a text editor to perform the substitution instead of a script, use an editor that supports file sizes greater than 4 gigabytes, such as vim, because the LDIF files may be larger than 2 gigabytes and even 4 gigabytes in some deployments.
  • Page 43 Migrating the LDAP Database h. Add new groups for the security domains to the rhcs80-new_CA_instance.ldif file. Security domains were not a feature in 7.1 versions of Certificate System, so it is necessary to add all of the group entries; for 7.2, it is only necessary to add the RA group entry; for 7.3, it is not necessary to add any groups at all.
  • Page 44 Chapter 3. Migrating a CA Instance to Certificate System 8.0 securitydomain.name=ms2cs8264ca1from71on20100128 Create the security domain container entry in the rhcs80-new_CA_instance.ldif file, with the name attribute set to the value of the old securitydomain.name parameter. dn: ou=Security Domain,dc=server.example.com-new_CA_instance objectClass: top objectClass: pkiSecurityDomain ou: Security Domain name: securitydomain.name=ms2cs8264ca1from71on20100128 Add the PKI subsystem lists for the security domains to the...
  • Page 45: Migrating Custom Cs.cfg Settings And Other Data

    Migrating Custom CS.cfg Settings and Other Data SecureAgentPort: 9443 SecureAdminPort: 9445 UnSecurePort: 9180 Clone: false SubsystemName: Certificate Authority cn: server.example.com:9445 DomainManager: true Each domain record will have the pkiSubsystem object class. Make sure that every domain record is copied into the rhcs80-new_CA_instance.ldif file. If the subsystem instance is a cloned instance, add a group entry to maintain a list of users who can create clones.
  • Page 46: Restarting The Ca Instance

    Chapter 3. Migrating a CA Instance to Certificate System 8.0 1. Log into the 7.x server as the Certificate Management System user for that machine, and open the Certificate Management System profiles/ca/ directory. 2. Copy the p1 policy set in the caTokenUserEncryptionKeyEnrollment.cfg file, as shown: policyset.set1.p1.constraint.class_id=noConstraintImpl policyset.set1.p1.constraint.name=No Constraint policyset.set1.p1.default.class_id=nsTokenUserKeySubjectNameDefaultImpl...
  • Page 47: Setting Custom Configuration In The Console

    Setting Custom Configuration in the Console service new_CA_instance start 3.7. Setting Custom Configuration in the Console Use the Console to configure any custom behavior of the different subsystems, such as customized plug-ins, logging, and auditing. A subsystem may have to be restarted once all configuration changes have been applied.
  • Page 49: Migrating An Ra To 8.0

    Chapter 4. Migrating an RA to 8.0 Although the original Certificate System RA subsystem was deprecated and removed in Red Hat Certificate System 7.1, it was reintroduced in Red Hat Certificate System 7.3. This 7.3 RA subsystem can be migrated to Certificate System 8.0. The migration process for the RA differs from that of the other subsystems in several important ways: •...
  • Page 50: Importing The 7.3 Sql Database Information Into The 8.0 Sql Database

    Chapter 4. Migrating an RA to 8.0 There are three databases in this directory: • cert8.db • key3.db • secmod.db To migrate these databases to the new 8.0 RA, zip the alias/ directory and copy it to the 8.0 RA's alias/ directory or to the 8.0 host machine.
  • Page 51: Migrating The 7.3 Security Databases To The 8.0 Ra

    Migrating the 7.3 Security Databases to the 8.0 RA sqlite dbfile < old_dbfile.sql 4.4. Migrating the 7.3 Security Databases to the 8.0 RA WARNING Changing either the instance name or the fully-qualified domain name is not supported for migration. The fully-qualified domain name of the host machine for the new instance must be the same as the fully-qualified domain name of the original instance.
  • Page 52: Migrating Passwords

    Chapter 4. Migrating an RA to 8.0 4.5. Migrating Passwords Versions 7.3 and 8.0 of the RA both store passwords in a text file, password.conf, in the conf/ directory. To migrate the passwords, simply copy the password.conf file to the 8.0 instance directory. NOTE Make sure that the permissions and ownership for the password.conf file are set properly so that it can be accessed by the migrated instance.
  • Page 53: Migrating A Drm Instance To Certificate System

    Chapter 5. Migrating a DRM Instance to Certificate System 8.0 Migrating a 7.x version of the Data Recovery Manager to 8.0 requires migrating individual areas of data — the certificate and key databases for the subsystem, its internal LDAP database, its subsystem password stores —...
  • Page 54 Chapter 5. Migrating a DRM Instance to Certificate System 8.0 WARNING Changing either the instance name or the fully-qualified domain name is not supported for migration. The fully-qualified domain name of the host machine for the new instance must be the same as the fully-qualified domain name of the original instance.
  • Page 55: Option 2: Security Databases To Hsm Migration

    Option 2: Security Databases to HSM Migration NOTE The caSigningCert is not referenced in the CS.cfg file. 11. In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example: Server-Cert cert-old_DRM_instance 5.1.2. Option 2: Security Databases to HSM Migration 1.
  • Page 56 Chapter 5. Migrating a DRM Instance to Certificate System 8.0 7. Set the file permissions. chmod 00600 cert8.db chmod 00600 key3.db 8. List the certificates stored in the 7.x security databases by using the certutil command; -L lists the certificates. certutil -L -d .
  • Page 57 Option 2: Security Databases to HSM Migration 11. Delete the 7.x security databases. rm cert8.db rm key3.db 12. Register the new HSM in the 8.0 token database. modutil -nocertdb -dbdir . -add new_HSM_token_name -libfile new_HSM_library_path/new_HSM_library 13. Identify the new HSM slot name. modutil -dbdir .
  • Page 58: Option 3: Hsm To Security Databases Migration

    Chapter 5. Migrating a DRM Instance to Certificate System 8.0 18. Import the public key from the base-64 file into the new HSM, and set the trust bits. certutil -A -n "new_HSM_slot_name:caSigningCert cert-old_DRM_instance" -t "CT,c," -d . -h new_HSM_token_name -i caSigningCert.b64 19.
  • Page 59 Option 3: HSM to Security Databases Migration cp old_server_root/alias/ServerCert.p12 /var/lib/instance_ID/alias/ServerCert.p12 cp old_server_root/alias/kraStorageCert.p12 /var/lib/instance_ID/alias/kraStorageCert.p12 cp old_server_root/alias/kraTransportCert.p12 /var/lib/instance_ID/alias/kraTransportCert.p12 3. Extract the public key of the CA signing certificate from the 7.x security databases and save the base-64 encoded output to a file called caSigningCert.b64. a.
  • Page 60 Chapter 5. Migrating a DRM Instance to Certificate System 8.0 8. Set the file permissions. chmod 00600 ServerCert.p12 chmod 00600 kraStorageCert.p12 chmod 00600 kraTransportCert.p12 chmod 00600 caSigningCert.b64 9. Import the public/private key pairs of each entry from the PKCS #12 files into the 8.0 security databases.
  • Page 61: Option 4: Hsm To Hsm Migration

    Option 4: HSM to HSM Migration kra.storageUnit.nickname=kraStorageCert cert-old_DRM_instance kra.transportUnit.nickname=kraTransportCert cert-old_DRM_instance NOTE The caSigningCert is not referenced in the CS.cfg file. 16. In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example: Server-Cert cert-old_DRM_instance 5.1.4. Option 4: HSM to HSM Migration 1.
  • Page 62 Chapter 5. Migrating a DRM Instance to Certificate System 8.0 cd old_server_root/alias b. Set the LD_LIBRARY_PATH environment variable to search the Certificate System libraries. LD_LIBRARY_PATH=old_server_root/bin/cert/lib export LD_LIBRARY_PATH c. Use the Certificate Management System 7.x certutil tool to identify the old HSM slot name. old_server_root/bin/cert/tools/certutil -U -d .
  • Page 63 Option 4: HSM to HSM Migration modutil -nocertdb -dbdir . -add new_HSM_token_name -libfile new_HSM_library_path/new_HSM_library 10. Identify the new HSM slot name. modutil -dbdir . -nocertdb -list 11. Import the public/private key pairs of each entry from the PKCS #12 files into the new HSM. pk12util -i ServerCert.p12 -d .
  • Page 64: Migrating Passwords From 7.1

    Chapter 5. Migrating a DRM Instance to Certificate System 8.0 17. Edit the kra.storageUnit.nickname and kra.transportUnit.nickname attributes to reflect the 8.0 DRM information. kra.storageUnit.nickname=new_HSM_slot_name:kraStorageCert cert-old_DRM_instance kra.transportUnit.nickname=new_HSM_slot_name:kraTransportCert cert-old_DRM_instance NOTE The caSigningCert is not referenced in the CS.cfg file. 18. In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname.
  • Page 65 Migrating Passwords from 7.2 and 7.3 internal=password Internal LDAP Database=passwordldap 4. If the 7.x server instance used the password.conf file to start the server instance automatically, then this file must also be migrated to the 8.0 server instance. cp old_server_root/cert-old_instance/config/password.conf /var/lib/new_DRM_instance/conf/password.conf 5.
  • Page 66: Migrating The Ldap Database

    Chapter 5. Migrating a DRM Instance to Certificate System 8.0 # chown user:group password.conf 2. Log out as root. As the Certificate System user, change the permissions on the file. chmod 00600 password.conf 5.3. Migrating the LDAP Database Every Red Hat Certificate System 7.x subsystem contains LDIF data in an associated internal database which must be migrated to the corresponding Red Hat Certificate System 8.0 subsystem internal database.
  • Page 67 13. Log into the 7.x Certificate System instance, and export the database contents to LDIF. Name the output file old-old_DRM_instance.ldif. For example: /opt/redhat-ds/slapd-DS-instance/db/db2ldif -U -n server.example.com-old_DRM_instance -a /opt/redhat-ds/slapd-DS-instance/ldif/old-old_DRM_instance.ldif 14. Convert the old-old_DRM_instance.ldif file to a text file. a. Open the version-to-text directory in the migration directory copied to the Certificate System 7.x server.
  • Page 68 JRE_ROOT=/usr/lib/jvm/jre-1.5.0-ibm export JRE_ROOT c. Run the run.sh to use the old-old_DRM_instance.ldif file to create a text file. run.sh /opt/redhat-ds/slapd-DS-instance/ldif/old-old_DRM_instance.ldif > /opt/redhat-ds/slapd-DS-instance/ldif/old-old_DRM_instance.txt 15. Open the Certificate System 7.x LDIF directory, and copy the old-old_DRM_instance.txt file into the Certificate System 8.0 server instance's internal database LDIF directory.
  • Page 69 Migrating the LDAP Database 20. Modify the content of rhcs80-new_DRM_instance.ldif so that the LDIF files contain the required ACLs and other settings that were created with the new 8.0 instances. NOTE When using a text editor to perform the substitution instead of a script, use an editor that supports file sizes greater than 4 gigabytes, such as vim, because the LDIF files may be larger than 2 gigabytes and even 4 gigabytes in some deployments.
  • Page 70: Migrating Custom Cs.cfg And Other Data Settings

    Chapter 5. Migrating a DRM Instance to Certificate System 8.0 h. If the subsystem instance is a cloned instance, add a group entry to maintain a list of users who can create clones. dn: cn=ClonedSubsystems,ou=groups,dc=server.example.com-new_CA_instance description: People who can clone the master subsystem objectClass: top objectClass: groupOfUniqueNames cn: ClonedSubsystems...
  • Page 71: Restarting The Drm Instance

    Restarting the DRM Instance 5.5. Restarting the DRM Instance 1. Restart the Directory Server and Administration Server for the Certificate System 8.0 instance. service dirsrv start service dirsrv-admin start 2. Start the DRM instance. service new_DRM_instance start 5.6. Setting Custom Configuration in the Console Use the Console to configure any custom behavior of the different subsystems, such as customized plug-ins, logging, and auditing.
  • Page 73 Chapter 6. Migrating an OCSP Instance to Certificate System 8.0 Migrating a 7.x version of the OCSP Manager to 8.0 requires migrating individual areas of data — the certificate and key databases for the subsystem, its internal LDAP database, its subsystem password stores —...
  • Page 74 Chapter 6. Migrating an OCSP Instance to Certificate System 8.0 WARNING Changing either the instance name or the fully-qualified domain name is not supported for migration. The fully-qualified domain name of the host machine for the new instance must be the same as the fully-qualified domain name of the original instance.
  • Page 75: Option 2: Security Databases To Hsm Migration

    Option 2: Security Databases to HSM Migration 10. In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example: Server-Cert cert-old_OCSP_instance 6.1.2. Option 2: Security Databases to HSM Migration 1. Remove all the security databases in the Certificate System 8.0 server which will receive migrated data.
  • Page 76 Chapter 6. Migrating an OCSP Instance to Certificate System 8.0 7. List the certificates in the 7.x security databases using the certutil command; -L lists the certificates. certutil -L -d . Server-Cert cert-old_OCSP_instance cu,cu,cu caSigningCert cert-old_OCSP_instance CT,c, ocspSigningCert cert-old_OCSP_instance cu,cu,cu 8.
  • Page 77 Option 2: Security Databases to HSM Migration modutil -dbdir . -nocertdb -list 13. Create new security databases. certutil -N -d . 14. Import the public/private key pairs of each entry from the PKCS #12 files into the new HSM. pk12util -i ServerCert.p12 -d . -h new_HSM_slot_name Enter Password or Pin for "new_HSM_slot_name":******** Enter password for PKCS12 file: ********...
  • Page 78: Option 3: Hsm To Security Databases Migration

    Chapter 6. Migrating an OCSP Instance to Certificate System 8.0 NOTE The caSigningCert is not referenced in the CS.cfg file. 21. In the same directory, edit the serverCertNick.conf file to contain the old certificate nickname. For example: new_HSM_slot_name:Server-Cert cert-old_OCSP_instance 6.1.3. Option 3: HSM to Security Databases Migration 1.
  • Page 79 Option 3: HSM to Security Databases Migration export LD_LIBRARY_PATH c. Use the Certificate Management System 7.x certutil tool to identify the old HSM slot name. old_server_root/bin/cert/tools/certutil -U -d . d. Use the Certificate Management System 7.x certutil tool to extract the public key from the security databases and save the base-64 output to a file.
  • Page 80: Option 4: Hsm To Hsm Migration

    Chapter 6. Migrating an OCSP Instance to Certificate System 8.0 rm ServerCert.p12 rm ocspSigningCert.p12 10. Set the trust bits on the public/private key pairs that were imported into the 8.0 security databases. certutil -M -n "Server-Cert cert-old_OCSP_instance" -t "cu,cu,cu" -d . certutil -M -n "ocspSigningCert cert-old_OCSP_instance"...
  • Page 81 Option 4: HSM to HSM Migration The instance and domain information has to be the same for both instances because the certificate and key material — among other instance and database information — has to be the same. The pk12util tool provided by Certificate System cannot extract public/private key pairs from an HSM because of requirements in the FIPS 140-1 standard which protect the private key.
  • Page 82 Chapter 6. Migrating a OCSP Instance to Certificate System 8.0 6. Set the file user and group to the Certificate System user and group. # chown user:group ServerCert.p12 # chown user:group ocspSigningCert.p12 # chown user:group caSigningCert.b64 7. Log out as root. As the Certificate System user, set the file permissions. chmod 00600 ServerCert.p12 chmod 00600 ocspSigningCert.p12 chmod 00600 caSigningCert.b64...
  • Page 83: Migrating Passwords From 7.1

    Migrating Subsystem Password Stores 14. Optionally, delete the base-64 file. rm caSigningCert.b64 15. Open the CS.cfg configuration file in the /var/lib/instance_ID/conf/ directory. 16. Edit the ocsp.signing.certnickname attribute to reflect the 8.0 subsystem information. ocsp.signing.certnickname=new_HSM_slot_name:ocspSigningCert cert-old_OCSP_instance NOTE The caSigningCert is not referenced in the CS.cfg file. 17.
  • Page 84 Chapter 6. Migrating a OCSP Instance to Certificate System 8.0 internal : password Internal LDAP Database : passwordldap 3. Use the listed tags and passwords to create the password.conf file. For example: internal=password Internal LDAP Database=passwordldap 4. If the 7.x server instance used the password.conf file to start the server instance automatically, then this file must also be migrated to the 8.0 server instance.
  • Page 85: Migrating The Ldap Database

    Migrating the LDAP Database 1. Log in as root, and set the file user and group to the Certificate System user and group. # chown user:group password.conf 2. Log out as root. As the Certificate System user, change the permissions on the file. chmod 00600 password.conf 6.3.
  • Page 86 13. Log into the 7.x Certificate System instance, and export the database contents to LDIF. Name the output file old-old_OCSP_instance.ldif. For example: /opt/redhat-ds/slapd-DS-instance/db/db2ldif -U -n server.example.com-old_OCSP_instance -a /opt/redhat-ds/slapd-DS-instance/ldif/old-old_OCSP_instance.ldif 14. Convert the old-old_OCSP_instance.ldif file to a text file. a. Open the version-to-text directory in the migration directory copied to the Certificate System 7.x server.
  • Page 87 JRE_ROOT=/usr/lib/jvm/jre-1.5.0-ibm export JRE_ROOT c. Run the run.sh to use the old-old_OCSP_instance.ldif file to create a text file. run.sh /opt/redhat-ds/slapd-DS-instance/ldif/old-old_OCSP_instance.ldif > /opt/redhat-ds/slapd-DS-instance/ldif/old-old_OCSP_instance.txt 15. Open the Certificate System 7.x LDIF directory, and copy the old-old_OCSP_instance.txt file into the Certificate System 8.0 server instance's internal database LDIF directory.
  • Page 88 Chapter 6. Migrating a OCSP Instance to Certificate System 8.0 run.sh /var/lib/dirsrv/slapd-example/ldif/old-old_OCSP_instance.txt > /var/lib/dirsrv/slapd-example/ldif/rhcs80-new_OCSP_instance.ldif 20. Modify the content of rhcs80-new_OCSP_instance.ldif so that the LDIF files contain the required ACLs and other settings that were created with the new 8.0 instances. NOTE When using a text editor to perform the substitution instead of a script, use an editor that supports file sizes greater than 4 gigabytes, such as vim, because the LDIF files...
  • Page 89: Migrating Custom Data And Settings

    Migrating Custom Data and Settings ... list of ACLs ... objectClass: top objectClass: CertACLS cn: aclResources h. If the subsystem instance is a cloned instance, add a group entry to maintain a list of users who can create clones. dn: cn=ClonedSubsystems,ou=groups,dc=server.example.com-new_CA_instance description: People who can clone the master subsystem objectClass: top objectClass: groupOfUniqueNames...
  • Page 90: Verifying The Ocsp Migration

    Chapter 6. Migrating a OCSP Instance to Certificate System 8.0 6.7. Verifying the OCSP Migration After migrating the 7.x OCSP instance, open the OCSP agent services pages for the 8.0 instance to ensure that everything is working properly. For example: https://server.example.com:11443/ocsp/agent/ocsp Then log into the Certificate System Console and verify that the new server can be managed through the Console.
  • Page 91 Chapter 7. Migrating a TKS Instance to Certificate System 8.0 Migrating a 7.x version of the TKS to the 8.0 requires migrating individual areas of data — the certificate and key databases for the subsystem, its internal LDAP database, its subsystem password stores —...
  • Page 92 Chapter 7. Migrating a TKS Instance to Certificate System 8.0 tks.mk_mappings.#tks_master_key_version_number#01=internal:tks_master_key_version_name A tks.mk_mappings value looks like the following: tks.mk_mappings.#02#01=internal:tks_master_key_v2 In this example, 02 is the tks_master_key_version_number, and tks_master_key_v2 is the tks_master_key_version_name. 4. Copy the certificate and key security databases from the 7.x server to the 8.0 server. cp old_server_root/alias/cert-old_instance-cert8.db /var/lib/new_TKS_instance/alias/cert8.db cp old_server_root/alias/cert-old_instance-key3.db /var/lib/new_TKS_instance/alias/key3.db...
  • Page 93: Option 2: Security Databases To Hsm Migration

    Option 2: Security Databases to HSM Migration Server-Cert cert-old_TKS_instance cu,cu,cu caSigningCert cert-old_TKS_instance CT,c, tksTransportCert cert-old_TKS_instance CT,C, 10. Open the CS.cfg configuration file in the /var/lib/instance_ID/conf/. 11. If server-side keygen has been enabled, edit the tks.drm_transport_cert_nickname attribute to reflect the new TKS instance. tks.drm_transport_cert_nickname=tksTransportCert cert-old_TKS_instance 12.
  • Page 94 Chapter 7. Migrating a TKS Instance to Certificate System 8.0 A tks.mk_mappings value looks like the following example: tks.mk_mappings.#02#01=internal:tks_master_key_v2 In this example, 02 is the tks_master_key_version_number, and tks_master_key_v2 is the tks_master_key_version_name. 4. Migrate symmetric keys from a 7.x TKS instance. Two things are necessary: •...
  • Page 95 Option 2: Security Databases to HSM Migration # chown user:group key3.db 9. Log out as root. As the Certificate System user, change the permissions on the files. chmod 00600 cert8.db chmod 00600 key3.db 10. List the certificates stored in the 7.x security databases by using the certutil command. In this example, -L lists the certificates.
  • Page 96 Chapter 7. Migrating a TKS Instance to Certificate System 8.0 17. Import the public/private key pair from the PKCS #12 file into the new HSM. pk12util -i ServerCert.p12 -d . -h new_HSM_slot_name Enter Password or Pin for "new_HSM_slot_name":******** Enter password for PKCS12 file: ******** pk12util: PKCS12 IMPORT SUCCESSFUL 18.
  • Page 97: Option 3: Hsm To Security Databases Migration

    Option 3: HSM to Security Databases Migration tks.drm_transport_cert_nickname=new_HSM_slot_name:tksTransportCert cert-old_TKS_instance 29. If a master key was migrated from the 7.x TKS instance, then also insert the tks.mk_mappings.#tks_master_key_version_number#01=new_HSM_slot_name:tks_master_key_version_name line at the end of the CS.cfg. Be certain that the proper values for tks_master_key_version_number, new_HSM_slot_name, and tks_master_key_version_name are set.
  • Page 98 Chapter 7. Migrating a TKS Instance to Certificate System 8.0 • If the migration is from Certificate System 7.2 or 7.3, open the CS.cfg file in the Certificate System /etc/subsystem_name directory. b. Write down the exact name-value pair for the tks.mk_mappings.#tks_master_key_version_number#01=old_HSM_slot_name:tks_master_key_version_name line.
  • Page 99 Option 3: HSM to Security Databases Migration -d . -h old_HSM_token_name -a > caSigningCert.b64 old_server_root/bin/cert/tools/certutil -L -n "old_HSM_slot_name:tksTransportCert cert-old_TKS_instance" -d . -h old_HSM_token_name -a > tksTransportCert.b64 e. Copy the key data from the 7.x server to the 8.0 server. cp old_server_root/alias/caSigningCert.b64 /var/lib/new_TKS_instance/alias/caSigningCert.b64 cp old_server_root/alias/tksTransportCert.b64 /var/lib/new_TKS_instance/alias/tksTransportCert.b64...
  • Page 100 Chapter 7. Migrating a TKS Instance to Certificate System 8.0 certutil -A -n "caSigningCert cert-old_TKS_instance" -t "CT,c," -d . -i caSigningCert.b64 certutil -A -n "tksTransportCert cert-old_TKS_instance" -t "CT,C,C" -d . -i tksTransportCert.b64 15. Optionally, delete the base-64 files. rm caSigningCert.b64 rm tksTransportCert.b64 16.
  • Page 101: System /Etc/Subsystem_Name Directory

    Option 4: HSM to HSM Migration Server-Cert cert-old_TKS_instance 7.1.4. Option 4: HSM to HSM Migration 1. Extract the public/private key pairs from the HSM. The format for the extracted key pairs should be portable, such as a PKCS #12 file. WARNING Changing either the instance name or the fully-qualified domain name is not supported for migration.
  • Page 102: Copies Of All Files (There Is At Least One) Containing The Wrapped Master Keys On The Old Hsm; For Example, Tks_Master_Key_V2.Txt

    Chapter 7. Migrating a TKS Instance to Certificate System 8.0 • Copies of all files (there is at least one) containing the wrapped master keys on the old HSM; for example, tks_master_key_v2.txt. NOTE These files are created whenever the user generated a new master key using the tkstool -W option.
  • Page 103 Option 4: HSM to HSM Migration cd /var/lib/new_TKS_instance/alias/ 8. Log in as root. 9. Set the file user and group to the Certificate System user and group. # chown user:group ServerCert.p12 # chown user:group caSigningCert.b64 # chown user:group tksTransportCert.b64 10. Log out as root. As the Certificate System user, change the permissions on the files. chmod 00600 ServerCert.p12 chmod 00600 caSigningCert.b64 chmod 00600 tksTransportCert.b64...
  • Page 104 Chapter 7. Migrating a TKS Instance to Certificate System 8.0 17. Optionally, delete the base-64 files. rm caSigningCert.b64 rm tksTransportCert.b64 18. Import the original symmetric transport key into the new HSM. tkstool -I -d . -h new_HSM_token_name -n tks_transport_key_name 19. Type in the original three key session key shares (as prompted) to recreate the original transport key on the new HSM.
  • Page 105: Migrating Passwords From 7.1

    Migrating Subsystem Password Stores 7.2. Migrating Subsystem Password Stores The password information for the Certificate System subsystems is saved in a special password file. In Certificate System 7.1, these were kept in the pwcache.db file. The contents of the password file must be decrypted and listed using the PasswordCache tool in the 7.x subsystem instance.
  • Page 106: Migrating The Ldap Database

    Chapter 7. Migrating a TKS Instance to Certificate System 8.0 chown user:group password.conf 7. Log out as root. As the Certificate System user, change the permissions on the password file. chmod 00600 password.conf 8. Copy the tags and passwords that were listed from the 7.x pwdcache.db file into the password.conf file.
  • Page 107 Migrating the LDAP Database instance is in the internaldb.database parameter in the CS.cfg file. Name the output file new-new_TKS_instance.ldif. For example: /usr/lib/dirsrv/slapd-example/db2ldif -U -n server.example.com-new_TKS_instance -a /var/lib/dirsrv/slapd-example/ldif/new-new_TKS_instance.ldif 2. If they are not already installed, download and install the Certificate System migration utilities. For example: yum install pki-migrate 3.
  • Page 108 13. Log into the 7.x Certificate System instance, and export the database contents to LDIF. Name the output file old-old_TKS_instance.ldif. For example: /opt/redhat-ds/slapd-DS-instance/db/db2ldif -U -n server.example.com-old_TKS_instance -a /opt/redhat-ds/slapd-DS-instance/ldif/old-old_TKS_instance.ldif 14. Convert the old-old_TKS_instance.ldif file to a text file. a. Open the version-to-text directory in the migration directory copied to the Certificate System 7.x server.
  • Page 109 Migrating the LDAP Database run.sh /opt/redhat-ds/slapd-DS-instance/ldif/old-old_TKS_instance.ldif > /opt/redhat-ds/slapd-DS-instance/ldif/old-old_TKS_instance.txt 15. Open the Certificate System 7.x LDIF directory, and copy the old-old_TKS_instance.txt file into the Certificate System 8.0 server instance's internal database LDIF directory. cd /opt/redhat-ds/slapd-DS-instance/ldif cp /opt/redhat-ds/slapd-DS-instance/ldif/old-old_TKS_instance.txt /var/lib/dirsrv/slapd-example/ldif 16. Open the Certificate System ldif/ directory.
  • Page 110 Chapter 7. Migrating a TKS Instance to Certificate System 8.0 view new-new_TKS_instance.ldif c. Open the rhcs80-new_TKS_instance.ldif file. vi rhcs80-new_TKS_instance.ldif d. Delete the entries for o=hostname-db,o=netscapeCertificateServer and o=netscapeCertificateServer. e. Add a new entry for the base DN used in the 8.0 database (something like dc=server.example.com-new_TKS_instance).
  • Page 111: Restarting The Tks Instance

    Migrating Custom CS.cfg Settings and Other Data cn: ClonedSubsystems 21. Set the file permissions and ownership for the rhcs80-new_TKS_instance.ldif file. chown nobody:nobody rhcs80-new_TKS_instance.ldif chmod 00644 rhcs80-new_TKS_instance.ldif 22. Import the rhcs80-new_TKS_instance.ldif LDIF file into the Certificate System 8.0 server instance's internal database using the Directory Server ldif2db tool. The internal database name for the Certificate System instance is in the internaldb.database parameter in the CS.cfg file.
  • Page 113 Chapter 8. Migrating a TPS Instance to 8.0 The Token Processing System (TPS) can be migrated from 7.1, 7.2, or 7.3 to 8.0 by carrying over the data in the security databases and internal LDAP database and configuration in its configuration files. IMPORTANT Every new Red Hat Certificate System 8.0 instance which will be installed on the host must be installed and fully configured, as described in...
  • Page 114 The user and group database name is stored in the auth.instance.0.baseDN parameter in the CS.cfg file. For example: cd /opt/redhat-ds/slapd-DS-instance/db/db2ldif -U -s "dc=example,dc=com" -a /opt/redhat-ds/slapd-DS-instance/ldif/users-old_TPS_instance.ldif 6. Copy the old-old_TPS_instance.ldif and users-old_TPS_instance.ldif files to the Certificate System 8.0 instance's internal database LDIF directory.
  • Page 115: Migrating The Security Databases

    Migrating the Security Databases For example, on 32-bit machines: /usr/share/pki/migrate/TpsTo80/linux/migrateTpsData.i386 old-old_TPS_instance.ldif rhcs80-new_TPS_instance.ldif 8. Update the schema for the user entries in the users-old_TPS_instance.ldif file by running the migrateTpsData command. For example, on 32-bit machines: /usr/share/pki/migrate/TpsTo80/linux/migrateTpsData.i386 users-old_TPS_instance.ldif users80-new_TPS_instance.ldif 9. Import the rhcs80-new_TPS_instance.ldif LDIF file into the Certificate System 8.0 server instance's internal database.
  • Page 116 Chapter 8. Migrating a TPS Instance to 8.0 rm /var/lib/new_TPS_instance/alias/key3.db 2. Log into the 7.x server as the Certificate System user for that machine. 3. Copy the certificate and key security databases from the 7.x server to the 8.0 server. cp old_server_root/alias/cert-old_instance-cert8.db /var/lib/new_TPS_instance/alias/cert8.db cp old_server_root/alias/cert-old_instance-key3.db /var/lib/new_TPS_instance/alias/key3.db...
  • Page 117: Option 2: Security Databases To Hsm Migration

    Option 2: Security Databases to HSM Migration 8.2.2. Option 2: Security Databases to HSM Migration 1. Remove all the security databases in the new Certificate System which will receive migrated data. rm /var/lib/new_TPS_instance/alias/cert8.db rm /var/lib/new_TPS_instance/alias/key3.db 2. Log into the 7.x server as the Certificate System user for that machine. 3.
  • Page 118 Chapter 8. Migrating a TPS Instance to 8.0 Server-Cert cert-old_TPS_instance cu,cu,cu caSigningCert cert-old_TPS_instance CT,c, 9. Export the public/private key pairs of each entry in the Certificate System databases using the pk12util tool; -o exports the key pairs to a PKCS #12 file, and -n sets the name of the certificate and the old database prefix.
  • Page 119: Option 3: Hsm To Security Databases Migration

    Option 3: HSM to Security Databases Migration certutil -M -n "new_HSM_slot_name:Server-Cert cert-old_TPS_instance" -t "cu,cu,cu" -d . -h new_HSM_token_name 18. Import the public keys from the base-64 files into the new HSM, and set the trust bits. certutil -A -n "new_HSM_slot_name:caSigningCert cert-old_TPS_instance" -t "CT,c," -d . -h new_HSM_token_name -i caSigningCert.b64 19.
  • Page 120 Chapter 8. Migrating a TPS Instance to 8.0 c. Use the Certificate System 7.x certutil tool to identify the old HSM slot name. old_server_root/bin/cert/tools/certutil -U -d . d. Use the Certificate System 7.x certutil tool to extract the public key of the following entries from the security databases and save each base-64 output to a separate file.
  • Page 121: Option 4: Hsm To Hsm Migration

    Option 4: HSM to HSM Migration 12. Import the public keys from the base-64 files, and set the trust bits. certutil -A -n "caSigningCert cert-old_TPS_instance" -t "CT,c," -d . -i caSigningCert.b64 13. Optionally, delete the base-64 files. rm caSigningCert.b64 8.2.4. Option 4: HSM to HSM Migration 1.
  • Page 122 Chapter 8. Migrating a TPS Instance to 8.0 old_server_root/bin/cert/tools/certutil -U -d . d. Use the Certificate System 7.x certutil tool to extract the public key of the following entries from the security databases and save each base-64 output to a separate file. old_server_root/bin/cert/tools/certutil -L -n "old_HSM_slot_name:caSigningCert cert-old_TPS_instance"...
  • Page 123: Migrating The Tps Configuration

    Migrating the TPS Configuration rm ServerCert.p12 13. Set the trust bits on the public/private key pair that was imported into the new HSM. certutil -M -n "new_HSM_slot_name:Server-Cert cert-old_TPS_instance" -t "cu,cu,cu" -d . -h new_HSM_token_name 14. Import the public keys from the base-64 files, and set the trust bits. certutil -A -n "new_HSM_slot_name:caSigningCert cert-old_TPS_instance"...
  • Page 124: Restarting The Tps Instance

    Chapter 8. Migrating a TPS Instance to 8.0 8.5. Restarting the TPS Instance 1. Restart the Directory Server and Administration Server for the Certificate System 8.0 instance. service dirsrv restart service dirsrv-admin restart 2. Start the TPS instances. service new_TPS_instance restart 8.6.
