8.2. Migrating Identity Management from Red Hat Enterprise Linux 6 to Version 7
This procedure describes how to migrate all data and configuration from Red Hat Enterprise Linux 6 Identity Management to Red Hat Enterprise Linux 7 servers. The migration procedure includes:
- Migrating the Red Hat Enterprise Linux 6-based certificate authority (CA) master server to Red Hat Enterprise Linux 7.
- Transitioning all services to the new Red Hat Enterprise Linux 7 server. These services include CRL and certificate creation, DNS management, and Kerberos KDC administration.
- Decommissioning the original Red Hat Enterprise Linux 6 CA master.
In the following procedures:
rhel7.example.com is the Red Hat Enterprise Linux 7 system that will become the new CA master.
Important: The only minor version that is currently supported is RHEL 7.9. Ensure you have RHEL 7.9 installed on your system.
rhel6.example.com is the original Red Hat Enterprise Linux 6 CA master.
Note: To identify which Red Hat Enterprise Linux 6 server is the master CA server, determine on which server the certmonger service tracks the renew_ca_cert command. Run this command on every Red Hat Enterprise Linux 6 server:
[root@rhel6 ~]# getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" | grep post-save
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
The post-save action that executes renew_ca_cert is defined only for the CA master.
8.2.1. Prerequisites for Migrating Identity Management from Red Hat Enterprise Linux 6 to 7
- Update the rhel6.example.com system to the latest Red Hat Enterprise Linux 6 version.
- On the rhel6.example.com system, upgrade the ipa-* packages:
[root@rhel6 ~]# yum update ipa-*
This step also makes sure that you have applied the RHBA-2015:0231-2 advisory, which provides the 2.3-6.el6_6 version of the bind-dyndb-ldap package and is available with the Red Hat Enterprise Linux 6.6 Extended Update Support (EUS).
Warning: Using an earlier version of bind-dyndb-ldap results in inconsistent behavior in DNS forward zones served by the Red Hat Enterprise Linux 6.6 DNS servers and the Red Hat Enterprise Linux 7 DNS servers.
- Make sure the rhel7.example.com system meets the requirements in Section 2.1, “Prerequisites for Installing a Server” and Section 4.3, “Prerequisites for Installing a Replica”.
- On the rhel7.example.com system, install the required packages. See Section 2.2, “Packages Required to Install an IdM Server”.
8.2.2. Updating the Identity Management Schema on Red Hat Enterprise Linux 6
The copy-schema-to-ca.py schema update script prepares rhel6.example.com for the installation of the rhel7.example.com replica. Updating the schema is necessary due to schema changes between Identity Management version 3.1 and later versions.
- Copy the copy-schema-to-ca.py schema update script from the rhel7.example.com system to the rhel6.example.com system. For example:
[root@rhel7 ~]# scp /usr/share/ipa/copy-schema-to-ca.py root@rhel6:/root/
- Run the copied copy-schema-to-ca.py script on rhel6.example.com:
[root@rhel6 ~]# python copy-schema-to-ca.py
ipa : INFO Installed /etc/dirsrv/slapd-PKI-IPA//schema/60kerberos.ldif
[... output truncated ...]
ipa : INFO Schema updated successfully
- Repeat these steps on every Red Hat Enterprise Linux 6 IdM replica that runs a certificate authority before connecting it to a Red Hat Enterprise Linux 7 replica.
8.2.3. Installing the Red Hat Enterprise Linux 7 Replica
- On the rhel6.example.com system, create the replica file you will use to install the rhel7.example.com replica. For example, to create a replica file for rhel7.example.com whose IP address is 192.0.2.1:
[root@rhel6 ~]# ipa-replica-prepare rhel7.example.com --ip-address 192.0.2.1
Directory Manager (existing master) password:
Preparing replica for rhel7.example.com from rhel6.example.com
[... output truncated ...]
The ipa-replica-prepare command was successful
- Copy the replica information file from rhel6.example.com to rhel7.example.com. The file is named after the replica it was prepared for:
[root@rhel6 ~]# scp /var/lib/ipa/replica-info-rhel7.example.com.gpg root@rhel7:/var/lib/ipa/
- If you install the new replica with an integrated CA on Red Hat Enterprise Linux 7.6 or later, append the following entry to the end of the NSSCipherSuite parameter in the /etc/httpd/conf.d/nss.conf file:
+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
In Red Hat Enterprise Linux 7.6 or later, certain ciphers are no longer enabled by default in the IdM CA. Without adding this entry to the configuration, setting up an IdM server with integrated CA on Red Hat Enterprise Linux 7.6 as a replica of a master running on Red Hat Enterprise Linux 6 fails with a CRITICAL Failed to configure CA instance error.
- Install the rhel7.example.com replica using the replica file. For example, the following command uses these options:
--setup-ca to set up the Certificate System component
--setup-dns and --forwarder to configure an integrated DNS server and set a forwarder
--ip-address to specify the IP address of the rhel7.example.com system
[root@rhel7 ~]# ipa-replica-install /var/lib/ipa/replica-info-rhel7.example.com.gpg --setup-ca --ip-address 192.0.2.1 --setup-dns --forwarder 192.0.2.20
Directory Manager (existing master) password:
Checking DNS forwarders, please wait ...
Run connection check to master
[... output truncated ...]
Client configuration complete.
See also: Section D.2, “Creating Replicas”, which describes creating replicas using replica information files.
- Verify that the Identity Management services are running on rhel7.example.com:
[root@rhel7 ~]# ipactl status
Directory Service: RUNNING
[... output truncated ...]
ipa: INFO: The ipactl command was successful
8.2.4. Transitioning the CA Services to the Red Hat Enterprise Linux 7 Server
Before you begin:
- Verify that the rhel6.example.com and rhel7.example.com CAs are both configured as master servers:
[root@rhel7 ~]# kinit admin
[root@rhel7 ~]# ipa-csreplica-manage list
rhel6.example.com: master
rhel7.example.com: master
To display details about a replication agreement:
[root@rhel7 ~]# ipa-csreplica-manage list --verbose rhel7.example.com
rhel7.example.com
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (0) Replica acquired successfully: Incremental update succeeded
last update ended: 2017-02-13 13:55:13+00:00
On the rhel6.example.com original master CA, stop the CA subsystem certificate renewal:
- Disable tracking for the original CA certificates.
[root@rhel6 ~]# getcert stop-tracking -d /var/lib/pki-ca/alias -n "auditSigningCert cert-pki-ca"
Request "20201127184547" removed.
[root@rhel6 ~]# getcert stop-tracking -d /var/lib/pki-ca/alias -n "ocspSigningCert cert-pki-ca"
Request "20201127184548" removed.
[root@rhel6 ~]# getcert stop-tracking -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca"
Request "20201127184549" removed.
[root@rhel6 ~]# getcert stop-tracking -d /etc/httpd/alias -n ipaCert
Request "20201127184550" removed.
- Reconfigure rhel6.example.com to retrieve renewed certificates from a new master CA.
  - Copy the renewal helper script into the certmonger service directory, and set the appropriate permissions.
[root@rhel6 ~]# cp /usr/share/ipa/ca_renewal /var/lib/certmonger/cas/
[root@rhel6 ~]# chmod 0600 /var/lib/certmonger/cas/ca_renewal
  - Restore the SELinux file context.
[root@rhel6 ~]# restorecon /var/lib/certmonger/cas/ca_renewal
  - Restart certmonger.
[root@rhel6 ~]# service certmonger restart
  - Check that the CA is listed to retrieve certificates.
[root@rhel6 ~]# getcert list-cas
...
CA 'dogtag-ipa-retrieve-agent-submit':
is-default: no
ca-type: EXTERNAL
helper-location: /usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit
  - Obtain the CA certificate database PIN.
[root@rhel6 ~]# grep internal= /var/lib/pki-ca/conf/password.conf
  - Configure certmonger to track the certificates for external renewal. This requires the database PIN. Keep each -C post-save command on a single line inside its quotes; a backslash line break inside the quotes would become part of the command string.
[root@rhel6 ~]# getcert start-tracking \
  -c dogtag-ipa-retrieve-agent-submit \
  -d /var/lib/pki-ca/alias \
  -n "auditSigningCert cert-pki-ca" \
  -B /usr/lib64/ipa/certmonger/stop_pkicad \
  -C '/usr/lib64/ipa/certmonger/restart_pkicad "auditSigningCert cert-pki-ca"' \
  -T "auditSigningCert cert-pki-ca" \
  -P database_pin
New tracking request "20201127184743" added.
[root@rhel6 ~]# getcert start-tracking \
  -c dogtag-ipa-retrieve-agent-submit \
  -d /var/lib/pki-ca/alias \
  -n "ocspSigningCert cert-pki-ca" \
  -B /usr/lib64/ipa/certmonger/stop_pkicad \
  -C '/usr/lib64/ipa/certmonger/restart_pkicad "ocspSigningCert cert-pki-ca"' \
  -T "ocspSigningCert cert-pki-ca" \
  -P database_pin
New tracking request "20201127184744" added.
[root@rhel6 ~]# getcert start-tracking \
  -c dogtag-ipa-retrieve-agent-submit \
  -d /var/lib/pki-ca/alias \
  -n "subsystemCert cert-pki-ca" \
  -B /usr/lib64/ipa/certmonger/stop_pkicad \
  -C '/usr/lib64/ipa/certmonger/restart_pkicad "subsystemCert cert-pki-ca"' \
  -T "subsystemCert cert-pki-ca" \
  -P database_pin
New tracking request "20201127184745" added.
[root@rhel6 ~]# getcert start-tracking \
  -c dogtag-ipa-retrieve-agent-submit \
  -d /etc/httpd/alias \
  -n ipaCert \
  -C /usr/lib64/ipa/certmonger/restart_httpd \
  -T ipaCert \
  -p /etc/httpd/alias/pwdfile.txt
New tracking request "20201127184746" added.
Move CRL generation from the original rhel6.example.com CA master to rhel7.example.com.
- On rhel6.example.com, stop CRL generation:
  - Stop the CA service.
[root@rhel6 ~]# service pki-cad stop
  - Disable CRL generation on rhel6.example.com. Open the /var/lib/pki-ca/conf/CS.cfg file, and set the values of the ca.crl.MasterCRL.enableCRLCache and ca.crl.MasterCRL.enableCRLUpdates parameters to false:
ca.crl.MasterCRL.enableCRLCache=false
ca.crl.MasterCRL.enableCRLUpdates=false
  - Start the CA service.
[root@rhel6 ~]# service pki-cad start
- On rhel6.example.com, configure Apache to redirect CRL requests:
  - Open the /etc/httpd/conf.d/ipa-pki-proxy.conf file, and uncomment the RewriteRule entry:
RewriteRule ^/ipa/crl/MasterCRL.bin https://rhel6.example.com/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
Note: Do not replace the server host name in the URL. The URL must refer to the local host name.
  - Restart Apache.
[root@rhel6 ~]# service httpd restart
IdM now obtains the Certificate Revocation List (CRL) from the local CA instead of from a local file.
- On rhel7.example.com, configure rhel7.example.com as the new CA master:
  - Configure rhel7.example.com to handle CA subsystem certificate renewal, as described in Section D.4.1, “Changing Which Server Handles Certificate Renewal”.
  - Configure rhel7.example.com to generate certificate revocation lists (CRLs), as described in Section 6.5.2.2, “Changing Which Server Generates CRLs”.
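The procedure describes three file edits as manual changes: the two CS.cfg parameters and the RewriteRule in ipa-pki-proxy.conf above, and the NSSCipherSuite entry in nss.conf from Section 8.2.3. The following bash functions are an added example, not from this guide, showing how to make each edit idempotently and verify the result, so that re-running a migration script on a server that was already edited does not duplicate entries. They need GNU sed for -i. The fixture files they create are constructed for the example and contain only the lines that matter; they are not copies of the real configuration files.

```bash
#!/bin/bash
# Added example (not from the Red Hat guide): idempotent edits for the three
# configuration changes in this procedure, plus a constructed fixture to run
# them against. Requires GNU sed (-i). Fixture files hold only the relevant lines.

# Set key=value in a Dogtag CS.cfg-style file: replace the line if the key
# exists, append it otherwise.
set_cfg_key() {
    local file=$1 key=$2 value=$3
    if grep -q "^${key}=" "$file"; then
        sed -i "s|^${key}=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Print the value of a key from a CS.cfg-style file.
get_cfg_key() {
    sed -n "s|^$2=||p" "$1"
}

# CS.cfg: stop this CA from generating and caching the master CRL.
disable_crl_generation() {
    set_cfg_key "$1" ca.crl.MasterCRL.enableCRLCache false
    set_cfg_key "$1" ca.crl.MasterCRL.enableCRLUpdates false
}

# ipa-pki-proxy.conf: drop the leading '#' from the MasterCRL.bin RewriteRule.
# The host name inside the URL is left as it is, as the guide requires.
enable_crl_redirect() {
    sed -i 's|^#\(RewriteRule ^/ipa/crl/MasterCRL\.bin .*\)$|\1|' "$1"
}

# True when the redirect rule is active (uncommented).
crl_redirect_active() {
    grep -q '^RewriteRule ^/ipa/crl/MasterCRL\.bin ' "$1"
}

# nss.conf: append the two ECDHE-RSA ciphers to NSSCipherSuite exactly once.
add_nss_ciphers() {
    local file=$1 extra='+ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha'
    grep -q "^NSSCipherSuite .*${extra}" "$file" && return 0
    sed -i "s|^\(NSSCipherSuite .*\)$|\1,${extra}|" "$file"
}

# Constructed fixture (only the relevant lines); prints the directory created.
make_fixture() {
    local d
    d=$(mktemp -d)
    cat > "$d/CS.cfg" <<'EOF'
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
EOF
    cat > "$d/ipa-pki-proxy.conf" <<'EOF'
# uncomment when this server no longer generates the CRL itself
#RewriteRule ^/ipa/crl/MasterCRL.bin https://rhel6.example.com/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
EOF
    cat > "$d/nss.conf" <<'EOF'
NSSCipherSuite +rsa_aes_128_sha,+rsa_aes_256_sha
EOF
    echo "$d"
}

# On the real servers (between "service pki-cad stop" and "service pki-cad start"):
#   disable_crl_generation /var/lib/pki-ca/conf/CS.cfg
#   enable_crl_redirect /etc/httpd/conf.d/ipa-pki-proxy.conf
#   add_nss_ciphers /etc/httpd/conf.d/nss.conf     # on rhel7, before ipa-replica-install
```

Run the CS.cfg edit only while the CA is stopped, as the procedure does: Dogtag rewrites CS.cfg on shutdown and would otherwise overwrite the change.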
Related Information
- See Section 6.5.2, “Promoting a Replica to a Master CA Server” for details on CA subsystem certificate renewal and CRLs.
8.2.5. Stop the Red Hat Enterprise Linux 6 Server
Stop all services on rhel6.example.com to force domain discovery to select the new rhel7.example.com server.
[root@rhel6 ~]# ipactl stop
Stopping CA Service
Stopping pki-ca: [ OK ]
Stopping HTTP Service
Stopping httpd: [ OK ]
Stopping MEMCACHE Service
Stopping ipa_memcached: [ OK ]
Stopping DNS Service
Stopping named: . [ OK ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server: [ OK ]
Stopping KDC Service
Stopping Kerberos 5 KDC: [ OK ]
Stopping Directory Service
Shutting down dirsrv:
EXAMPLE-COM... [ OK ]
PKI-IPA... [ OK ]
After this, the ipa utility contacts the new server through its remote procedure call (RPC) interface.
8.2.6. Next Steps After Migrating the Master CA Server
For each Red Hat Enterprise Linux 6 server in your topology:
- Create a replica file from rhel7.example.com.
Note: After installing a Red Hat Enterprise Linux 7 replica from a Red Hat Enterprise Linux 6 server, the domain level for the Identity Management domain is automatically set to 0. Red Hat Enterprise Linux 7.3 introduced an easier way to install and manage replicas. To use these features, your topology must be at domain level 1. See Chapter 7, Displaying and Raising the Domain Level.
- Use the replica file to install a new replica on another Red Hat Enterprise Linux 7 system.
To decommission a Red Hat Enterprise Linux 6 server:
- Remove the server from the topology by executing the removal commands on a Red Hat Enterprise Linux 7 server.
Important: Client configurations will not update automatically. If you decommission an IdM server and configured the new server with a different name, review the overall client configuration. In particular, you must update the following files manually:
/etc/openldap/ldap.conf
/etc/ipa/default.conf
/etc/sssd/sssd.conf
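Because these three files are updated by hand, it is worth having a check that finds every client still pointing at the decommissioned server before it is switched off. The following bash script is an added example and is not part of this guide: it extracts the server-naming settings from the three files (URI in ldap.conf; server and xmlrpc_uri in default.conf; ipa_server in sssd.conf; that key list is the example's own choice, not taken from the guide) and reports any that still name the old host. The sample files it creates are constructed for the example and carry only those settings.

```bash
#!/bin/bash
# Added example (not from the Red Hat guide): audit the three client files
# named above for references to a decommissioned IdM server. The keys checked
# are an assumption for this example: URI (ldap.conf), server and xmlrpc_uri
# (default.conf), ipa_server (sssd.conf).

# Print file:key=value for every server-naming key found in the given files.
# Handles both "URI ldaps://host" (ldap.conf) and "key = value" (ini files).
server_refs() {
    local f
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            match($0, /^[ \t]*(URI[ \t]+|(server|xmlrpc_uri|ipa_server)[ \t]*=[ \t]*)/) {
                key = $1; sub(/=.*/, "", key)
                print file ":" key "=" substr($0, RSTART + RLENGTH)
            }' "$f"
    done
}

# Print the server references that still name old_host. Exit 0 when the
# files are clean and 1 otherwise, so it can gate a decommissioning script.
stale_server_refs() {
    local old_host=$1 stale
    shift
    stale=$(server_refs "$@" | grep -F -- "$old_host" || true)
    [ -z "$stale" ] && return 0
    printf '%s\n' "$stale"
    return 1
}

# Constructed sample of the three files on a client still pointing at rhel6.
# Prints the directory it created.
make_client_fixture() {
    local d
    d=$(mktemp -d)
    cat > "$d/ldap.conf" <<'EOF'
URI ldaps://rhel6.example.com
BASE dc=example,dc=com
EOF
    cat > "$d/default.conf" <<'EOF'
[global]
realm = EXAMPLE.COM
server = rhel6.example.com
xmlrpc_uri = https://rhel6.example.com/ipa/xml
EOF
    cat > "$d/sssd.conf" <<'EOF'
[domain/example.com]
id_provider = ipa
ipa_server = rhel6.example.com
EOF
    echo "$d"
}

# On a real client:
#   stale_server_refs rhel6.example.com /etc/openldap/ldap.conf /etc/ipa/default.conf /etc/sssd/sssd.conf
```

A non-zero exit from stale_server_refs means the client still has at least one setting naming the old server; the printed file:key=value lines show which ones to edit before the Red Hat Enterprise Linux 6 server is removed.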