22.3. Importing the Data into the New CA

After setting up the new CA as described in Section 22.2, “Setting up the CA on the New Host”, import the data into the Directory Server database:
  1. When migrating from a previous version, you might need to clean up the LDAP data interchange format (LDIF) file manually. Before Red Hat Directory Server 10, syntax checking was disabled by default, so data exported from a previous version can contain entries that Directory Server 10 now rejects as invalid. For example:
    • Values of boolean attributes must be set either to TRUE or FALSE (all capitalized).

      Important

      Do not automatically update all occurrences to uppercase by using a search and replace utility. Some attributes in the LDIF file contain these strings, but are not using the boolean type. Updating these attributes' values can cause the import to fail. Typically, boolean attributes are only used in the cn=CAList,ou=Security Domain,CS_instance_name security domain database entries.
    • Empty strings must be removed. Directory Server syntax validation does not allow attribute values that are empty strings.
      Empty strings often appear in userType and userState attributes in cmsUser entries in ou=People,CS_instance_name.
    During the import, other entries can fail, too. Therefore, verify the log file after the database import. Optionally, import the LDIF file into a temporary, empty database first to find out which entries cause the import to fail.
  2. Shut down the CA service:
    # systemctl stop pki-tomcatd@instance_name.service
  3. Optionally, back up the CA's Directory Server database on the new host by running the db2bak script of the Directory Server instance:
    # db2bak
    The backup is stored in the /var/lib/dirsrv/slapd-instance_name/bak/host_name-time_stamp/ directory.
  4. Import the data into the new database. For example:
    # ldapmodify -h <hostname> -x -W -D 'cn=Directory Manager' -a -c -f /tmp/ds_bak/old_ca.ldif 2>&1 | \
         tee /root/import.log
    The -c option makes ldapmodify continue after an entry fails instead of stopping at the first error, and 2>&1 merges the error messages, which ldapmodify writes to standard error, into the output that tee records in the log. The ldapmodify utility only adds new entries; it does not update entries that already exist because they were created when you installed the CA. For example:
    • Top level entries. For example: o=pki-tomcat-CA.
    • Default groups. For example: cn=Certificate Manager Agents,ou=groups,o=pki-tomcat-CA.
      Because the standard groups are not updated, the users are not automatically added to these groups. After the import, you must add members to each default group manually. See Section 22.4, “Reassigning Users to Default Groups”.
    • Default access control lists (ACL) for the CA.
    As mentioned earlier, Directory Server 10 uses syntax validation. Verify the output in the /root/import.log file and search for failed actions, such as ldap_add: Invalid syntax (21). For further details, see Step 1.
  5. Remove the directory entry for the old security domain. For example:
    # ldapmodify -W -x -D "cn=Directory Manager"
    dn: cn=server.example.com:9445,cn=CAList,ou=Security Domain,o=pki-tomcat-CA
    changetype: delete
  6. Enable the CA in the /etc/pki/instance_name/ca/CS.cfg file to act as the certificate revocation list (CRL) master:
    ca.crl.MasterCRL.enable=true
  7. Restart the CA service:
    # systemctl start pki-tomcatd@instance_name.service
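The LDIF cleanup in step 1 and the log check in step 4 are easy to get wrong by hand, in particular the warning not to uppercase every true/false string in the file. The following Python script is an added example and is not part of the Red Hat documentation or of Certificate System. It assumes that boolean values only need to be uppercased in entries at or below cn=CAList,ou=Security Domain (the text calls that the typical location; everything outside that subtree, including non-boolean attributes that happen to contain the string true or false, is left alone), that attributes with an empty value are dropped everywhere, and that the import log is the output of ldapmodify run with -c and with standard error merged into the log. The sample LDIF entries and log lines embedded in the script are constructed for the example.

```python
"""Clean an exported CA LDIF for Directory Server 10 syntax validation and triage
the ldapmodify import log.  Added example, not Red Hat's or Certificate System's code."""
import base64, re

BOOLEAN_SCOPE = ",cn=calist,ou=security domain,"  # assumed: booleans are fixed only here
ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::|:<|:)\s?(.*)$")
LOG_DN_RE = re.compile(r'^(?:adding new|modifying|deleting) entry "(.*)"$')
LOG_ERR_RE = re.compile(r"^ldap_(?:add|modify|delete): (.*)$")

def parse_ldif(text):
    """Return [((sep, dn), [(attr, sep, value), ...]), ...] in file order.  Folded lines
    are joined, comments and a version: header are skipped, and the ':' / '::' / ':<'
    separator is kept so base64 and URL values pass through untouched."""
    unfolded = re.sub(r"\n ", "", text.replace("\r\n", "\n"))
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, []
        for line in block.split("\n"):
            if not line or line[0] == "#" or line.lower().startswith("version:"):
                continue
            m = ATTR_RE.match(line)
            if not m:
                raise ValueError(f"malformed LDIF line: {line!r}")
            attr, sep, value = m.groups()
            if attr.lower() == "dn":
                dn = (sep, value)
            else:
                attrs.append((attr, sep, value))
        if dn is None and attrs:
            raise ValueError(f"entry without dn: {block!r}")
        if dn is not None:
            entries.append((dn, attrs))
    return entries

def dn_text(dn):
    sep, raw = dn  # a base64 (dn::) DN is decoded only for scope matching
    return base64.b64decode(raw).decode("utf-8") if sep == "::" else raw

def in_boolean_scope(dn):
    # True for entries at or below cn=CAList,ou=Security Domain, case-insensitively
    return BOOLEAN_SCOPE in "," + re.sub(r",\s*", ",", dn_text(dn)).lower() + ","

def clean_entries(entries):
    """Apply the two fixes from step 1; return (cleaned_entries, change_report)."""
    cleaned, report = [], []
    for dn, attrs in entries:
        kept = []
        for attr, sep, value in attrs:
            if value == "":  # syntax validation rejects empty strings (dropped everywhere)
                report.append(f"{dn_text(dn)}: dropped empty {attr}")
                continue
            if sep == ":" and in_boolean_scope(dn) and value.lower() in ("true", "false"):
                if value != value.upper():  # boolean syntax requires TRUE / FALSE
                    report.append(f"{dn_text(dn)}: {attr} {value} -> {value.upper()}")
                value = value.upper()
            kept.append((attr, sep, value))
        cleaned.append((dn, kept))
    return cleaned, report

def to_ldif(entries):
    """Serialise entries back to LDIF (long lines are not re-folded)."""
    blocks = []
    for (dsep, dn), attrs in entries:
        blocks.append("\n".join([f"dn{dsep} {dn}"] + [f"{a}{s} {v}" for a, s, v in attrs]))
    return "\n\n".join(blocks) + "\n"

def failed_adds(log_text):
    """Pair each ldap_* error in `ldapmodify -c` output with the DN being processed."""
    failures, current = [], None
    for line in log_text.splitlines():
        if m := LOG_DN_RE.match(line):
            current = m.group(1)
        elif m := LOG_ERR_RE.match(line):
            failures.append((current, m.group(1)))
    return failures

# Constructed sample export: lower-case booleans in the security domain entry, empty
# userType/userState in a cmsUser entry, and a decoy "true" outside the boolean scope.
SAMPLE_LDIF = """\
version: 1

dn: cn=ca.example.com:9445,cn=CAList,ou=Security Domain,o=pki-tomcat-CA
DomainManager: true
Clone: false

dn: uid=agent1,ou=People,o=pki-tomcat-CA
objectClass: cmsUser
userType:
userState: 
description: true
"""

# Constructed sample of `ldapmodify -c ... 2>&1 | tee import.log` output.
SAMPLE_LOG = """\
adding new entry "cn=ca.example.com:9445,cn=CAList,ou=Security Domain,o=pki-tomcat-CA"

adding new entry "uid=agent1,ou=People,o=pki-tomcat-CA"
ldap_add: Invalid syntax (21)
"""
```

Run parse_ldif on the exported file, pass the result through clean_entries, write the output of to_ldif to a new file, and import that file; the report lists every value that was changed or dropped so you can review it before the import. After the import, failed_adds pairs each error in the log with the DN that ldapmodify was processing when the error occurred, which is the list of entries to fix or, as step 1 suggests, to try against a temporary, empty database first.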
© 2024 Red Hat, Inc.