Chapter 1. Migrating your IdM environment from RHEL 9 servers to RHEL 10 servers


To upgrade a RHEL 9 IdM environment to RHEL 10, you must first add new RHEL 10 IdM replicas to your RHEL 9 IdM environment, and then retire the RHEL 9 servers. The migration involves moving all Identity Management (IdM) data and configuration from a Red Hat Enterprise Linux (RHEL) 9 server to a RHEL 10 server.

Important

Migrate all servers in an IdM deployment as quickly as possible. Mixing different IdM versions in the same deployment for extended periods of time can lead to incompatibilities or possibly even unrecoverable data corruption.

Warning
  • Performing an in-place upgrade of RHEL 9 IdM servers and IdM server nodes to RHEL 10 is not supported.
  • For more information about adding a RHEL 10 IdM replica in FIPS mode to a RHEL 9 IdM deployment in FIPS mode, see the Identity Management section in Considerations in adopting RHEL 10.
  • Migrating directly to RHEL 10 from RHEL 8 or earlier versions is not supported. To properly update your IdM data, you must perform incremental migrations.

    For example, to migrate a RHEL 8 IdM environment to RHEL 10:

    1. Migrate from RHEL 8 servers to RHEL 9 servers. See Migrating to Identity Management on RHEL 9.
    2. Migrate from RHEL 9 servers to RHEL 10 servers, as described in this section.

In the following procedures:

  • rhel10.example.com is the RHEL 10 system that will become the new CA renewal server.
  • rhel9.example.com is the original RHEL 9 CA renewal server. To identify which Red Hat Enterprise Linux 9 server is the CA renewal server, run the following command on any IdM server:

    [root@rhel9 ~]# ipa config-show | grep "CA renewal"
    IPA CA renewal master: rhel9.example.com

    If your IdM deployment does not use an IdM CA, any IdM server running on RHEL 9 can be rhel9.example.com.

Note

Complete the CA-specific steps in the following sections (assigning the CA renewal server role and moving Certificate Revocation List (CRL) generation to the RHEL 10 server) only if your IdM deployment uses an embedded certificate authority (CA). The remaining steps apply to every deployment.

1.1. Prerequisites for migrating IdM from RHEL 9 to 10

Note

If you want to use hardware security modules (HSMs) to store your CA and KRA keys and certificates, you cannot upgrade an existing installation where the keys were not generated on an HSM to an HSM-based install.

On rhel9.example.com:

  1. Upgrade the system to the latest RHEL 9 version.
  2. Update the ipa-* packages to their latest version:

    [root@rhel9 ~]# dnf update ipa-*

    Warning

    When upgrading multiple Identity Management (IdM) servers, wait at least 10 minutes between each upgrade.

    When two or more servers are upgraded simultaneously or with only short intervals between the upgrades, there is not enough time to replicate the post-upgrade data changes throughout the topology, which can result in conflicting replication events.

On rhel10.example.com:

  1. Install the latest version of Red Hat Enterprise Linux on the system. For more information, see Interactively installing RHEL from installation media.
  2. Ensure the system is an IdM client enrolled into the domain for which rhel9.example.com IdM server is authoritative. For more information, see Installing an IdM client: Basic scenario.
  3. Ensure the system meets the requirements for IdM server installation. See Preparing the system for IdM server installation.
  4. Ensure you know the time server rhel9.example.com is synchronized with:

    [root@rhel9 ~]# ntpstat
    synchronised to NTP server (ntp.example.com) at stratum 3
       time correct to within 42 ms
       polling server every 1024 s
  5. Ensure the system is authorized for the installation of an IdM replica. See Authorizing the installation of a replica on an IdM client.
  6. Update the ipa-* packages to their latest version:

    [root@rhel10 ~]# dnf update ipa-*

1.2. Installing the RHEL 10 replica

  1. List which server roles are present in your RHEL 9 environment:

    [root@rhel9 ~]# ipa server-role-find --status enabled --server rhel9.example.com
    ----------------------
    3 server roles matched
    ----------------------
      Server name: rhel9.example.com
      Role name: CA server
      Role status: enabled
    
      Server name: rhel9.example.com
      Role name: DNS server
      Role status: enabled
    [... output truncated ...]
  2. Optional: If you want to use the same per-server forwarders for rhel10.example.com that rhel9.example.com is using, view the per-server forwarders for rhel9.example.com:

    [root@rhel9 ~]# ipa dnsserver-show rhel9.example.com
    -----------------------------
    1 DNS server matched
    -----------------------------
      Server name: rhel9.example.com
      SOA mname: rhel9.example.com.
      Forwarders: 192.0.2.20
      Forward policy: only
    --------------------------------------------------
    Number of entries returned 1
    --------------------------------------------------
  3. Review the replication agreements topology using the steps in either Viewing replication topology using the WebUI or Viewing topology suffixes using the CLI and Viewing topology segments using the CLI.
  4. Install the IdM server software on rhel10.example.com to configure it as a replica of the RHEL 9 IdM server, including all the server roles present on rhel9.example.com. To install the roles from the example above, use these options with the ipa-replica-install command:

    • --setup-ca to set up the Certificate System component
    • --setup-dns and --forwarder to configure an integrated DNS server and set a per-server forwarder to take care of DNS queries that go outside the IdM domain

      Note

      Additionally, if your IdM deployment is in a trust relationship with Active Directory (AD), add the --setup-adtrust option to the ipa-replica-install command to configure AD trust capability on rhel10.example.com.

    • --ntp-server to specify an NTP server or --ntp-pool to specify a pool of NTP servers

      To set up an IdM server with the IP address of 192.0.2.1 that uses a per-server forwarder with the IP address of 192.0.2.20 and synchronizes with the ntp.example.com NTP server:

      [root@rhel10 ~]# ipa-replica-install --setup-ca --ip-address 192.0.2.1 --setup-dns --forwarder 192.0.2.20 --ntp-server ntp.example.com

      You do not need to specify the RHEL 9 IdM server itself because if DNS is working correctly, rhel10.example.com will find it using DNS autodiscovery.

  5. Optional: Add an _ntp._udp service (SRV) record for your external NTP time server to the DNS of the newly-installed IdM server, rhel10.example.com. The presence of the SRV record for the time server in IdM DNS ensures that future RHEL 10 replica and client installations are automatically configured to synchronize with the time server used by rhel10.example.com. This is because ipa-client-install looks for the _ntp._udp DNS entry unless --ntp-server or --ntp-pool options are provided on the install command-line interface (CLI).
  6. Create any replication agreements needed to re-create the previous topology using the steps in Setting up replication between two servers using the Web UI or Setting up replication between two servers using the CLI.

Verification

  1. Verify that the IdM services are running on rhel10.example.com:

    [root@rhel10 ~]# ipactl status
    Directory Service: RUNNING
    [... output truncated ...]
    ipa: INFO: The ipactl command was successful
  2. Verify that server roles for rhel10.example.com are the same as for rhel9.example.com:

    [root@rhel10 ~]# kinit admin
    [root@rhel10 ~]# ipa server-role-find --status enabled --server rhel10.example.com
    ----------------------
    2 server roles matched
    ----------------------
      Server name: rhel10.example.com
      Role name: CA server
      Role status: enabled
    
      Server name: rhel10.example.com
      Role name: DNS server
      Role status: enabled
  3. Optional: Display details about the replication agreement between rhel9.example.com and rhel10.example.com:

    [root@rhel10 ~]# ipa-csreplica-manage list --verbose rhel10.example.com
    Directory Manager password:
    
    rhel9.example.com
    last init status: None
    last init ended: 1970-01-01 00:00:00+00:00
    last update status: Error (0) Replica acquired successfully: Incremental update succeeded
    last update ended: 2019-02-13 13:55:13+00:00
  4. Optional: If your IdM deployment is in a trust relationship with AD, verify that it is working:

    1. Verify the Kerberos configuration
    2. Attempt to resolve an AD user on rhel10.example.com:

      [root@rhel10 ~]# id aduser@ad.domain
  5. Verify that rhel10.example.com is synchronized with the NTP server:

    [root@rhel10 ~]# chronyc tracking
    Reference ID    : CB00710F (ntp.example.com)
    Stratum         : 3
    Ref time (UTC)  : Wed Feb 16 09:49:17 2022
    [... output truncated ...]
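A scripted version of the role comparison in step 2 of the verification, added here as an example; it is not taken from the Red Hat documentation or from the ipa tooling. It parses the "Role name:" lines that ipa server-role-find --status enabled --server HOST prints and lists every role enabled on rhel9.example.com that is not enabled on rhel10.example.com, which is the gap the two listings on this page (three roles matched on rhel9.example.com, two on rhel10.example.com) would otherwise leave you to spot by eye. The two listings embedded in the script are constructed samples of that command's output; the third role on rhel9.example.com, AD trust controller, is an assumption filling in the listing the page truncates.

```shell
#!/bin/sh
# Added example, not from the Red Hat page or the ipa tooling: compare the
# enabled IdM server roles of the old and the new server before trusting the
# new replica. Input is the text printed on each server by:
#   ipa server-role-find --status enabled --server <host>
# The two listings below are CONSTRUCTED samples of that output; the third
# role on rhel9.example.com is an assumption (the page truncates that listing).

RHEL9_ROLES='----------------------
3 server roles matched
----------------------
  Server name: rhel9.example.com
  Role name: CA server
  Role status: enabled

  Server name: rhel9.example.com
  Role name: DNS server
  Role status: enabled

  Server name: rhel9.example.com
  Role name: AD trust controller
  Role status: enabled'

RHEL10_ROLES='----------------------
2 server roles matched
----------------------
  Server name: rhel10.example.com
  Role name: CA server
  Role status: enabled

  Server name: rhel10.example.com
  Role name: DNS server
  Role status: enabled'

# Read server-role-find output on stdin; print the role names, sorted and unique.
role_names() {
    sed -n 's/^[[:space:]]*Role name:[[:space:]]*//p' | sort -u
}

# Usage: missing_roles "<old server output>" "<new server output>"
# Prints every role enabled on the old server but not on the new one, one per
# line, and returns 0 only when nothing is missing.
missing_roles() {
    old_roles=$(printf '%s\n' "$1" | role_names)
    new_roles=$(printf '%s\n' "$2" | role_names)
    missing=$(printf '%s\n' "$old_roles" | while IFS= read -r role; do
        [ -n "$role" ] || continue
        printf '%s\n' "$new_roles" | grep -qxF -- "$role" || printf '%s\n' "$role"
    done)
    [ -n "$missing" ] && printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Demo with the constructed listings: reports "AD trust controller" as missing.
if missing_roles "$RHEL9_ROLES" "$RHEL10_ROLES"; then
    echo "every role enabled on rhel9.example.com is enabled on rhel10.example.com"
else
    echo "the roles listed above are enabled on rhel9.example.com but not on rhel10.example.com" >&2
fi
```

On a real deployment, run kinit admin, capture the output of ipa server-role-find --status enabled --server HOST for each of the two hosts, and pass the two captures to missing_roles; a non-zero exit means the new replica is not yet a full substitute for the old server, so go back to the ipa-replica-install options (--setup-ca, --setup-dns, --setup-adtrust) before decommissioning anything.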

1.3. Assigning the CA renewal server role to the RHEL 10 IdM server

If your IdM deployment uses an embedded certificate authority (CA), assign the CA renewal server role to the Red Hat Enterprise Linux (RHEL) 10 IdM server.

On rhel10.example.com, configure rhel10.example.com as the new CA renewal server:

  1. Configure rhel10.example.com to handle CA subsystem certificate renewal:

    [root@rhel10 ~]# ipa config-mod --ca-renewal-master-server rhel10.example.com
      ...
      IPA masters: rhel9.example.com, rhel10.example.com
      IPA CA servers: rhel9.example.com, rhel10.example.com
      IPA CA renewal master: rhel10.example.com

    The output confirms that the update was successful.

  2. On rhel10.example.com, enable the certificate updater task:

    1. Open the /etc/pki/pki-tomcat/ca/CS.cfg configuration file for editing.
    2. Remove the ca.certStatusUpdateInterval entry, or set it to the desired interval in seconds. The default value is 600.
    3. Save and close the /etc/pki/pki-tomcat/ca/CS.cfg configuration file.
    4. Restart IdM services:

      [root@rhel10 ~]# ipactl restart
  3. On rhel9.example.com, disable the certificate updater task:

    1. Open the /etc/pki/pki-tomcat/ca/CS.cfg configuration file for editing.
    2. Change ca.certStatusUpdateInterval to 0, or add the following entry if it does not exist:

      ca.certStatusUpdateInterval=0
    3. Save and close the /etc/pki/pki-tomcat/ca/CS.cfg configuration file.
    4. Restart IdM services:

      [root@rhel9 ~]# ipactl restart
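The two CS.cfg edits in steps 2 and 3 (clear or set ca.certStatusUpdateInterval on rhel10.example.com, set it to 0 on rhel9.example.com) are worth scripting so that they are idempotent and can be re-run without leaving duplicate lines. The helper below is an added example; it is not part of the Red Hat documentation or of the pki-server tooling. It edits a key=value file such as /etc/pki/pki-tomcat/ca/CS.cfg with awk, matching the key by exact name (the dots in ca.certStatusUpdateInterval are literal, not regex wildcards), replacing or removing every line for that key and appending it when absent. It writes the result back through the existing file rather than renaming a temporary file over it, so the owner, mode and SELinux context that pki-tomcatd relies on are preserved. The sample file the demo builds is constructed; the only names taken from the page are the key and the path. It does not restart IdM; run ipactl restart afterwards as in the steps above.

```shell
#!/bin/sh
# Added example, not from the Red Hat page or the pki tooling: idempotent
# get/set/unset of a key in a Dogtag-style key=value file such as
# /etc/pki/pki-tomcat/ca/CS.cfg. Keys are matched by exact name, so the dots
# in ca.certStatusUpdateInterval are literal, not regex wildcards.

CS_CFG=/etc/pki/pki-tomcat/ca/CS.cfg   # path from the page; the demo uses a temp file instead
CS_KEY=ca.certStatusUpdateInterval

# Usage: cs_get FILE KEY  -> prints the value (empty when the key is absent)
cs_get() {
    awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$1"
}

# Usage: cs_set FILE KEY VALUE -> replaces every existing KEY line with a
# single KEY=VALUE line, or appends it when the key is not present.
# The result is copied back through the existing file so that its owner,
# mode and SELinux context are kept (mv of a temp file would replace them).
cs_set() {
    tmp=$(mktemp)
    awk -F= -v k="$2" -v v="$3" '
        $1 == k { if (!done) { print k "=" v; done = 1 } ; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# Usage: cs_unset FILE KEY -> removes every KEY line; for
# ca.certStatusUpdateInterval that means the default of 600 seconds applies.
cs_unset() {
    tmp=$(mktemp)
    awk -F= -v k="$2" '$1 != k' "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# Demo on a CONSTRUCTED file: the old renewal server ends with the updater
# disabled (0); the new one has the key removed (updater on, default interval).
demo() {
    f=$(mktemp)
    printf '%s\n' 'example.key.one=a' "$CS_KEY=0" 'example.key.two=b=c' > "$f"
    cs_set "$f" "$CS_KEY" 0       # rhel9.example.com: disable the certificate updater task
    echo "old server: $CS_KEY=$(cs_get "$f" "$CS_KEY")"
    cs_unset "$f" "$CS_KEY"       # rhel10.example.com: enable it with the default interval
    echo "new server: $CS_KEY absent (default 600); lines left: $(grep -c . "$f")"
    rm -f "$f"
}
demo
```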

1.4. Stopping CRL generation on an IdM server

To stop generating the Certificate Revocation List (CRL) on the IdM CRL publisher server (in this migration normally rhel9.example.com; step 1 confirms whether it holds that role), use the ipa-crlgen-manage command. Before you disable generation, verify that the server really generates the CRL, then disable it. Only one server in the topology should generate the CRL at any time, so do not disable it here without enabling it on rhel10.example.com in the next section.

Prerequisites

  • You must be logged in as root.

Procedure

  1. Check if your server is generating the CRL:

    [root@server ~]# ipa-crlgen-manage status
    CRL generation: enabled
    Last CRL update: 2019-10-31 12:00:00
    Last CRL Number: 6
    The ipa-crlgen-manage command was successful
  2. Stop generating the CRL on the server:

    [root@server ~]# ipa-crlgen-manage disable
    Stopping pki-tomcatd
    Editing /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
    Starting pki-tomcatd
    Editing /etc/httpd/conf.d/ipa-pki-proxy.conf
    Restarting httpd
    CRL generation disabled on the local host. Please make sure to configure CRL generation on another master with ipa-crlgen-manage enable.
    The ipa-crlgen-manage command was successful
  3. Check if the server stopped generating CRL:

    [root@server ~]# ipa-crlgen-manage status

The server stopped generating the CRL. The next step is to enable CRL generation on the IdM replica.

1.5. Starting CRL generation on the new RHEL 10 IdM CA server

If your IdM deployment uses an embedded certificate authority (CA), start Certificate Revocation List (CRL) generation on the new Red Hat Enterprise Linux (RHEL) 10 IdM CA server.

Prerequisites

  • You must be logged in as root on the rhel10.example.com machine.

Procedure

  1. To start generating the CRL on rhel10.example.com, use the ipa-crlgen-manage enable command:

    [root@rhel10 ~]# ipa-crlgen-manage enable
    Stopping pki-tomcatd
    Editing /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
    Starting pki-tomcatd
    Editing /etc/httpd/conf.d/ipa-pki-proxy.conf
    Restarting httpd
    Forcing CRL update
    CRL generation enabled on the local host. Please make sure to have only a single CRL generation master.
    The ipa-crlgen-manage command was successful

Verification

  • To check if CRL generation is enabled, use the ipa-crlgen-manage status command:

    [root@rhel10 ~]# ipa-crlgen-manage status
    CRL generation: enabled
    Last CRL update: 2021-10-31 12:10:00
    Last CRL Number: 7
    The ipa-crlgen-manage command was successful

1.6. Stopping and decommissioning the RHEL 9 server

  1. Make sure that all data, including the latest changes, have been correctly migrated from rhel9.example.com to rhel10.example.com. For example:

    1. Add a new user on rhel9.example.com:

      [root@rhel9 ~]# ipa user-add random_user
      First name: random
      Last name: user
    2. Check that the user has been replicated to rhel10.example.com:

      [root@rhel10 ~]# ipa user-find random_user
      --------------
      1 user matched
      --------------
        User login: random_user
        First name: random
        Last name: user
  2. Ensure that a Distributed Numeric Assignment (DNA) ID range is allocated to rhel10.example.com. Use one of the following methods:

    • Activate the DNA plug-in on rhel10.example.com directly by creating another test user:

      [root@rhel10 ~]# ipa user-add another_random_user
      First name: another
      Last name: random_user
    • Assign a specific DNA ID range to rhel10.example.com:

      1. On rhel9.example.com, display the IdM ID range:

        [root@rhel9 ~]# ipa idrange-find
        ----------------
        3 ranges matched
        ----------------
          Range name: EXAMPLE.COM_id_range
          First Posix ID of the range: 196600000
          Number of IDs in the range: 200000
          First RID of the corresponding RID range: 1000
          First RID of the secondary RID range: 100000000
          Range type: local domain range
      2. On rhel9.example.com, display the allocated DNA ID ranges:

        [root@rhel9 ~]# ipa-replica-manage dnarange-show
        rhel9.example.com: 196600026-196799999
        rhel10.example.com: No range set
      3. Reduce the DNA ID range allocated to rhel9.example.com so that a section becomes available to rhel10.example.com:

        [root@rhel9 ~]# ipa-replica-manage dnarange-set rhel9.example.com 196600026-196699999
      4. Assign the remaining part of the IdM ID range to rhel10.example.com:

        [root@rhel9 ~]# ipa-replica-manage dnarange-set rhel10.example.com 196700000-196799999
  3. Stop all IdM services on rhel9.example.com to force domain discovery to the new rhel10.example.com server.

    [root@rhel9 ~]# ipactl stop
    Stopping CA Service
    Stopping pki-ca:                                           [  OK  ]
    Stopping HTTP Service
    Stopping httpd:                                            [  OK  ]
    Stopping MEMCACHE Service
    Stopping ipa_memcached:                                    [  OK  ]
    Stopping DNS Service
    Stopping named:                                            [  OK  ]
    Stopping KPASSWD Service
    Stopping Kerberos 5 Admin Server:                          [  OK  ]
    Stopping KDC Service
    Stopping Kerberos 5 KDC:                                   [  OK  ]
    Stopping Directory Service
    Shutting down dirsrv:
        EXAMPLE-COM...                                         [  OK  ]
        PKI-IPA...                                             [  OK  ]

    After this, the ipa utility will contact the new server through a remote procedure call (RPC).

  4. Remove the RHEL 9 server from the topology by executing the removal commands on the RHEL 10 server. For details, see Uninstalling an IdM server.
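The manual DNA range split in step 2 deserves a check before the two ipa-replica-manage dnarange-set commands are run, because two servers whose DNA ranges overlap can each allocate the same UID or GID, and a range outside the local ID range is not usable. The script below is an added example and not part of the Red Hat documentation or of ipa-replica-manage: with the page's values (local ID range starting at 196600000 with 200000 IDs, rhel9.example.com currently holding 196600026-196799999) it splits the old server's range at a chosen boundary so that the old server keeps the low part containing its already-allocated IDs, checks that both parts lie inside the IdM ID range and do not overlap, and prints the two dnarange-set commands to run on rhel9.example.com. The function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the Red Hat page: sanity-check a DNA range split
# before running `ipa-replica-manage dnarange-set`. Ranges are written
# START-END, the way `ipa-replica-manage dnarange-show` prints them.

range_start() { printf '%s\n' "${1%-*}"; }
range_end()   { printf '%s\n' "${1#*-}"; }

# Usage: range_in_idrange START-END FIRST COUNT
# True when the range lies inside the local ID range FIRST..FIRST+COUNT-1
# (the "First Posix ID" and "Number of IDs" fields of `ipa idrange-find`).
range_in_idrange() {
    s=$(range_start "$1"); e=$(range_end "$1")
    last=$(($2 + $3 - 1))
    [ "$s" -le "$e" ] && [ "$s" -ge "$2" ] && [ "$e" -le "$last" ]
}

# Usage: ranges_disjoint A_START-A_END B_START-B_END
# True when the two ranges share no ID; overlapping DNA ranges let two
# servers hand out the same UID/GID.
ranges_disjoint() {
    a_s=$(range_start "$1"); a_e=$(range_end "$1")
    b_s=$(range_start "$2"); b_e=$(range_end "$2")
    [ "$a_e" -lt "$b_s" ] || [ "$b_e" -lt "$a_s" ]
}

# Usage: split_dna_range START-END NEW_START
# Prints "START-(NEW_START-1) NEW_START-END": the old server keeps the low
# part, which already contains the IDs it has allocated, the new server gets
# the rest. Fails when the split point is not strictly inside the range.
split_dna_range() {
    s=$(range_start "$1"); e=$(range_end "$1")
    if [ "$2" -le "$s" ] || [ "$2" -gt "$e" ]; then
        echo "split point $2 is outside $1" >&2
        return 1
    fi
    printf '%s-%s %s-%s\n' "$s" "$(($2 - 1))" "$2" "$e"
}

# Usage: plan_dna_split FIRST COUNT OLD_RANGE NEW_START OLD_SERVER NEW_SERVER
# Validates the split and prints the two dnarange-set commands to run on the
# old server; returns 1 without printing commands if any check fails.
plan_dna_split() {
    pair=$(split_dna_range "$3" "$4") || return 1
    old_part=${pair% *}; new_part=${pair#* }
    range_in_idrange "$old_part" "$1" "$2" || { echo "$old_part is outside the ID range" >&2; return 1; }
    range_in_idrange "$new_part" "$1" "$2" || { echo "$new_part is outside the ID range" >&2; return 1; }
    ranges_disjoint "$old_part" "$new_part" || { echo "$old_part and $new_part overlap" >&2; return 1; }
    printf 'ipa-replica-manage dnarange-set %s %s\n' "$5" "$old_part"
    printf 'ipa-replica-manage dnarange-set %s %s\n' "$6" "$new_part"
}

# Demo with the page's numbers: prints the two commands shown in step 2.
plan_dna_split 196600000 200000 196600026-196799999 196700000 \
    rhel9.example.com rhel10.example.com
```

Feed it the values from ipa idrange-find and ipa-replica-manage dnarange-show on the real deployment; after the two printed commands have been run, rerun ipa-replica-manage dnarange-show and confirm that each server shows exactly the range you assigned before stopping the RHEL 9 server.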