8.2. Migrating Identity Management from Red Hat Enterprise Linux 6 to Version 7

This procedure describes how to migrate all data and configuration from Red Hat Enterprise Linux 6 Identity Management to Red Hat Enterprise Linux 7 servers. The migration procedure includes:
  • Migrating the Red Hat Enterprise Linux 6-based certificate authority (CA) master server to Red Hat Enterprise Linux 7.
  • Transitioning all services to the new Red Hat Enterprise Linux 7 server. These services include CRL and certificate creation, DNS management, and Kerberos KDC administration.
  • Decommissioning the original Red Hat Enterprise Linux 6 CA master.
In the following procedures:
  • is the Red Hat Enterprise Linux 7 system that will become the new CA master.
    The only minor version that is currently supported is RHEL 7.9. Ensure you have RHEL 7.9 installed on your system.
  • is the original Red Hat Enterprise Linux 6 CA master.
    To identify which Red Hat Enterprise Linux 6 server is the master CA server, determine on which server the certmonger service tracks the renew_ca_cert command. Run this command on every Red Hat Enterprise Linux 6 server:
    [root@rhel6 ~]# getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" | grep post-save
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    The post-save action that executes renew_ca_cert is defined only for the CA master.

8.2.1. Prerequisites for Migrating Identity Management from Red Hat Enterprise Linux 6 to 7

8.2.2. Updating the Identity Management Schema on Red Hat Enterprise Linux 6

The schema update script prepares for the installation of the replica. Updating the schema is necessary due to schema changes between Identity Management version 3.1 and later versions.
  1. Copy the schema update script from the system to the system. For example:
    [root@rhel7 ~]# scp /usr/share/ipa/ root@rhel6:/root/
  2. Run the update script on
    [root@rhel6 ~]# python
    ipa         : INFO     Installed /etc/dirsrv/slapd-PKI-IPA//schema/60kerberos.ldif
    [... output truncated ...]
    ipa         : INFO     Schema updated successfully
  3. Repeat the steps on every Red Hat Enterprise Linux 6 IdM replica that runs a certificate authority before connecting to a Red Hat Enterprise Linux 7 replica.

8.2.3. Installing the Red Hat Enterprise Linux 7 Replica

  1. On the system, create the replica file you will use to install the replica. For example, to create a replica file for whose IP address is
    [root@rhel6 ~]# ipa-replica-prepare --ip-address
    Directory Manager (existing master) password:
    Preparing replica for from
    [... output truncated ...]
    The ipa-replica-prepare command was successful
  2. Copy the replica information file from to
    [root@rhel6 ~]# scp /var/lib/ipa/ root@rhel7:/var/lib/ipa/
  3. If you install the new replica with an integrated CA on Red Hat Enterprise Linux 7.6 or later, append the following entry to the end of the NSSCipherSuite parameter in the /etc/httpd/conf.d/nss.conf file:
    In Red Hat Enterprise Linux 7.6 or later, certain ciphers are no longer enabled by default in the IdM CA. Without adding this entry to the configuration, setting up an IdM server with integrated CA on Red Hat Enterprise Linux 7.6 as a replica of a master running on Red Hat Enterprise Linux 6 fails with a CRITICAL Failed to configure CA instance error.
  4. Install the replica using the replica file. For example, the following command uses these options:
    • --setup-ca to set up the Certificate System component
    • --setup-dns and --forwarder to configure an integrated DNS server and set a forwarder
    • --ip-address to specify the IP address of the system
    [root@rhel7 ~]# ipa-replica-install /var/lib/ipa/ --setup-ca --ip-address --setup-dns --forwarder
    Directory Manager (existing master) password:
    Checking DNS forwarders, please wait ...
    Run connection check to master
    [... output truncated ...]
    Client configuration complete.
    See also:
  5. Verify that the Identity Management services are running on
    [root@rhel7 ~]# ipactl status
    Directory Service: RUNNING
    [... output truncated ...]
    ipa: INFO: The ipactl command was successful

8.2.4. Transitioning the CA Services to the Red Hat Enterprise Linux 7 Server

Before you begin:
  • Verify that and CAs are both configured as master servers.
    [root@rhel7 ~]$ kinit admin
    [root@rhel7 ~]$ ipa-csreplica-manage list
    master
    master
    To display details about a replication agreement:
    [root@rhel7 ~]# ipa-csreplica-manage list --verbose
    last init status: None
    last init ended: 1970-01-01 00:00:00+00:00
    last update status: Error (0) Replica acquired successfully: Incremental update succeeded
    last update ended: 2017-02-13 13:55:13+00:00
On the original master CA, stop the CA subsystem certificate renewal:
  1. Disable tracking for the original CA certificates.
    [root@rhel6 ~]# getcert stop-tracking -d /var/lib/pki-ca/alias -n "auditSigningCert cert-pki-ca"
    Request "20201127184547" removed.
    [root@rhel6 ~]# getcert stop-tracking -d /var/lib/pki-ca/alias -n "ocspSigningCert cert-pki-ca"
    Request "20201127184548" removed.
    [root@rhel6 ~]# getcert stop-tracking -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca"
    Request "20201127184549" removed.
    [root@rhel6 ~]# getcert stop-tracking -d /etc/httpd/alias -n ipaCert
    Request "20201127184550" removed.
  2. Reconfigure to retrieve renewed certificates from a new master CA.
    1. Copy the renewal helper script into the certmonger service directory, and set the appropriate permissions.
      [root@rhel6 ~]# cp /usr/share/ipa/ca_renewal /var/lib/certmonger/cas/
      [root@rhel6 ~]# chmod 0600 /var/lib/certmonger/cas/ca_renewal
    2. Update the SELinux configuration.
      [root@rhel6 ~]# restorecon /var/lib/certmonger/cas/ca_renewal
    3. Restart certmonger.
      [root@rhel6 ~]# service certmonger restart
    4. Check that the CA is listed to retrieve certificates.
      [root@rhel6 ~]# getcert list-cas
      CA 'dogtag-ipa-retrieve-agent-submit':
              is-default: no
              ca-type: EXTERNAL
              helper-location: /usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit
    5. Obtain the CA certificate database PIN.
      [root@rhel6 ~]# grep internal= /var/lib/pki-ca/conf/password.conf
    6. Configure certmonger to track the certificates for external renewal. This requires the database PIN.
      [root@rhel6 ~]# getcert start-tracking \
          -c dogtag-ipa-retrieve-agent-submit \
          -d /var/lib/pki-ca/alias \
          -n "auditSigningCert cert-pki-ca" \
          -B /usr/lib64/ipa/certmonger/stop_pkicad \
          -C '/usr/lib64/ipa/certmonger/restart_pkicad \
          "auditSigningCert cert-pki-ca"' \
          -T "auditSigningCert cert-pki-ca" \
          -P database_pin
      New tracking request "20201127184743" added.
      [root@rhel6 ~]# getcert start-tracking \
          -c dogtag-ipa-retrieve-agent-submit \
          -d /var/lib/pki-ca/alias \
          -n "ocspSigningCert cert-pki-ca" \
          -B /usr/lib64/ipa/certmonger/stop_pkicad \
          -C '/usr/lib64/ipa/certmonger/restart_pkicad \
          "ocspSigningCert cert-pki-ca"' \
          -T "ocspSigningCert cert-pki-ca" \
          -P database_pin
      New tracking request "20201127184744" added.
      [root@rhel6 ~]# getcert start-tracking \
          -c dogtag-ipa-retrieve-agent-submit \
          -d /var/lib/pki-ca/alias \
          -n "subsystemCert cert-pki-ca" \
          -B /usr/lib64/ipa/certmonger/stop_pkicad \
          -C '/usr/lib64/ipa/certmonger/restart_pkicad \
          "subsystemCert cert-pki-ca"' \
          -T "subsystemCert cert-pki-ca" \
          -P database_pin
      New tracking request "20201127184745" added.
      [root@rhel6 ~]# getcert start-tracking \
          -c dogtag-ipa-retrieve-agent-submit \
          -d /etc/httpd/alias \
          -n ipaCert \
          -C /usr/lib64/ipa/certmonger/restart_httpd \
          -T ipaCert \
          -p /etc/httpd/alias/pwdfile.txt
      New tracking request "20201127184746" added.
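Both the CA master check at the start of this section (the renew_ca_cert post-save command shown by getcert list) and the re-tracking steps just completed come down to reading getcert list output correctly. The following is an added example, not part of the Red Hat documentation or of the IdM tooling: a POSIX shell script that parses saved getcert list output, reports whether a host is the CA master by the page's criterion, and verifies that each CA subsystem certificate is now tracked through the dogtag-ipa-retrieve-agent-submit CA. The two sample outputs embedded in it are constructed for the demonstration; the CA name dogtag-ipa-renew-agent in the "before" sample is an assumption about what a Red Hat Enterprise Linux 6 master shows, and the request IDs are reused from this page.

```shell
#!/bin/sh
# Added example: parse `getcert list` output to (a) decide whether a host is
# the CA master, using the renew_ca_cert post-save criterion from the page,
# and (b) verify which certmonger CA tracks each CA subsystem certificate
# after the re-tracking steps. Works on saved output, so it runs offline:
#   getcert list > /root/getcert-list.txt; is_ca_master < /root/getcert-list.txt

# Reduce `getcert list` output (stdin) to one line per tracking request:
#   <NSS nickname>|<certmonger CA>|<post-save command>
getcert_summary() {
    awk -v q="'" '
        function emit() {
            if (nick != "") print nick "|" ca "|" post
            nick = ""; ca = ""; post = ""
        }
        /^Request ID/ { emit() }
        /^[ \t]*certificate: / {
            # nickname=... is quoted with single quotes; q carries the quote
            if (match($0, "nickname=" q "[^" q "]*" q))
                nick = substr($0, RSTART + 10, RLENGTH - 11)
        }
        /^[ \t]*CA: / { sub(/^[ \t]*CA: /, ""); ca = $0 }
        /^[ \t]*post-save command: / { sub(/^[ \t]*post-save command: /, ""); post = $0 }
        END { emit() }
    '
}

# Print the certmonger CA that tracks the certificate with nickname $1.
tracking_ca() {
    getcert_summary | awk -F'|' -v want="$1" '$1 == want { print $2 }'
}

# Return 0 when the subsystem certificate has a renew_ca_cert post-save
# command, which the page states is defined only on the CA master.
is_ca_master() {
    getcert_summary | awk -F'|' '
        $1 == "subsystemCert cert-pki-ca" && $3 ~ /renew_ca_cert/ { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Check that every nickname given after $1 (the expected CA name) is tracked
# by that CA. Prints one line per mismatch or untracked certificate and
# returns 1 if there was any, 0 otherwise.
verify_external_tracking() {
    expected="$1"; shift
    summary=$(getcert_summary)
    bad=0
    for nick in "$@"; do
        ca=$(printf '%s\n' "$summary" | awk -F'|' -v want="$nick" '$1 == want { print $2 }')
        if [ "$ca" != "$expected" ]; then
            printf '%s: tracked by "%s", expected "%s"\n' "$nick" "${ca:-not tracked}" "$expected"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample (not captured from a real server): the RHEL 6 CA master
# before the procedure. The CA name dogtag-ipa-renew-agent is assumed.
SAMPLE_RHEL6_BEFORE=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20201127184547':
        status: MONITORING
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
Request ID '20201127184549':
        status: MONITORING
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
EOF
)

# Constructed sample of the same host after re-tracking, with the OCSP
# signing certificate deliberately left out to show a missed certificate.
SAMPLE_RHEL6_AFTER=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20201127184743':
        status: MONITORING
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "auditSigningCert cert-pki-ca"
Request ID '20201127184745':
        status: MONITORING
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        post-save command: /usr/lib64/ipa/certmonger/restart_pkicad "subsystemCert cert-pki-ca"
EOF
)
```

Run against the "after" sample, verify_external_tracking reports the OCSP signing certificate as not tracked and returns 1, which is the outcome to look for before moving on: a certificate that is still renewed locally, or not tracked at all, will expire silently once the old master is decommissioned.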
Move CRL generation from the original CA master to
  1. On, stop CRL generation:
    1. Stop the CA service.
      [root@rhel6 ~]# service pki-cad stop
    2. Disable CRL generation on Open the /var/lib/pki-ca/conf/CS.cfg file, and set the values of the ca.crl.MasterCRL.enableCRLCache and ca.crl.MasterCRL.enableCRLUpdates parameters to false.
    3. Start the CA service.
      [root@rhel6 ~]# service pki-cad start
  2. On, configure Apache to redirect CRL requests:
    1. Open the /etc/httpd/conf.d/ipa-pki-proxy.conf file, and uncomment the RewriteRule entry:
      RewriteRule ^/ipa/crl/MasterCRL.bin [L,R=301,NC]
      Do not replace the server host name in the URL. The URL must refer to the local host name.
    2. Restart Apache.
      [root@rhel6 ~]# service httpd restart
    IdM now obtains the Certificate Revocation List (CRL) from the local CA instead of from a local file.
  3. On, configure as the new CA master:
    1. Configure to handle CA subsystem certificate renewal, as described in Section D.4.1, “Changing Which Server Handles Certificate Renewal”.
    2. Configure to generate certificate revocation lists (CRLs), as described in Section, “Changing Which Server Generates CRLs”.
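Editing CS.cfg by hand is easy to get half right: one of the two parameters changed and the other missed, or the file's owner and mode altered by an in-place rewrite. The following shell script is an added example, not part of the Red Hat procedure or of the Dogtag tooling. It sets both parameters named in the CRL step to false, keeps a backup, preserves the file's owner and mode, and verifies the result. The CS.cfg fragment it writes for a dry run is constructed; the autoUpdateInterval line in it is assumed to be a neighbouring key and is there only to show that unrelated settings survive the edit. On a real master it runs between the service pki-cad stop and service pki-cad start commands of the step.

```shell
#!/bin/sh
# Added example: set the two MasterCRL parameters in a Dogtag CS.cfg file to
# false, as the CRL-generation step requires, and verify the result. Stopping
# and starting the CA service around the edit is left to the operator.

# Print the value of key $2 in file $1 (the last definition wins).
cfg_value() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s|^$key_re=||p" "$1" | tail -n 1
}

# Set $2=$3 in file $1, replacing an existing definition or appending one.
# The rewrite goes through a temporary file and `cat >` so that the original
# file keeps its owner and mode (pkiuser on a real CA); `mv` would not.
set_cfg_value() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    if grep -q "^$key_re=" "$1"; then
        tmp=$(mktemp)
        sed "s|^$key_re=.*|$2=$3|" "$1" > "$tmp" && cat "$tmp" > "$1"
        rm -f "$tmp"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# Return 0 only when both CRL parameters from the step are false.
crl_generation_disabled() {
    [ "$(cfg_value "$1" ca.crl.MasterCRL.enableCRLCache)" = false ] &&
    [ "$(cfg_value "$1" ca.crl.MasterCRL.enableCRLUpdates)" = false ]
}

# Back up CS.cfg ($1), disable CRL generation in it, and verify.
disable_crl_generation() {
    cp -p "$1" "$1.pre-migration.bak"
    set_cfg_value "$1" ca.crl.MasterCRL.enableCRLCache false
    set_cfg_value "$1" ca.crl.MasterCRL.enableCRLUpdates false
    crl_generation_disabled "$1"
}

# Constructed CS.cfg fragment (not a real server's file) for a dry run;
# prints the path of the temporary file it created.
make_sample_cs_cfg() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ca.crl.MasterCRL.autoUpdateInterval=240
EOF
    printf '%s\n' "$f"
}

# On a real master (with pki-cad stopped):
#   disable_crl_generation /var/lib/pki-ca/conf/CS.cfg
```

The exit status of disable_crl_generation is that of the final verification, so a non-zero result means the file is not in the state the step requires and the CA service should not be started until it is.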

Related Information

8.2.5. Stop the Red Hat Enterprise Linux 6 Server

Stop all services on to force domain discovery to the new server.
[root@rhel6 ~]# ipactl stop
Stopping CA Service
Stopping pki-ca:                                           [  OK  ]
Stopping HTTP Service
Stopping httpd:                                            [  OK  ]
Stopping MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Stopping DNS Service
Stopping named: .                                          [  OK  ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Directory Service
Shutting down dirsrv:
    EXAMPLE-COM...                                         [  OK  ]
    PKI-IPA...                                             [  OK  ]
After this, the ipa utility contacts the new server through remote procedure calls (RPC).

8.2.6. Next Steps After Migrating the Master CA Server

For each Red Hat Enterprise Linux 6 server in your topology:
  1. Create a replica file from
    After installing a Red Hat Enterprise Linux 7 replica from a Red Hat Enterprise Linux 6 server, the domain level for the Identity Management domain is automatically set to 0.
    Red Hat Enterprise Linux 7.3 introduced an easier way to install and manage replicas. To use these features, your topology must be at domain level 1. See Chapter 7, Displaying and Raising the Domain Level.
  2. Use the replica file to install a new replica on another Red Hat Enterprise Linux 7 system.
To decommission a Red Hat Enterprise Linux 6 server:
  • Remove the server from the topology by executing the removal commands on a Red Hat Enterprise Linux 7 server.
Client configurations will not update automatically. If you decommission an IdM server and configured the new server with a different name, you should review the overall client configurations. In particular, you must update the following files manually:
  • /etc/openldap/ldap.conf
  • /etc/ipa/default.conf
  • /etc/sssd/sssd.conf
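To check a client for settings that still name the decommissioned server, the following shell script is an added example, not from the Red Hat documentation. It scans the three files listed above for the settings that carry a server name (URI in ldap.conf; server, xmlrpc_uri and ldap_uri in default.conf; ipa_server in sssd.conf) and reports any that still refer to the old host. The host names old-master.example.com and new-master.example.com and the sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: find client configuration settings that still name a
# decommissioned IdM server. Host names below are hypothetical.

# Arguments: old server host name, then the configuration files to scan.
# Prints "<file>: <line>" for each server setting that still names the old
# host and returns 1 if any were found, 0 if none.
find_stale_server_refs() {
    old_re=$(printf '%s' "$1" | sed 's/\./\\./g'); shift
    stale=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            printf '%s: not readable, skipped\n' "$f" >&2
            continue
        fi
        # Settings that carry a server name in the three files the page lists:
        # ldap.conf URI; default.conf server, xmlrpc_uri, ldap_uri; sssd.conf ipa_server.
        hits=$(grep -Ei "^[[:space:]]*(URI|server|xmlrpc_uri|ldap_uri|ipa_server)[[:space:]=].*$old_re" "$f" || true)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | sed "s|^|$f: |"
            stale=1
        fi
    done
    return $stale
}

# Constructed sample client files in a temporary directory; prints the
# directory path. old-master.example.com stands for the decommissioned
# RHEL 6 server and new-master.example.com for its RHEL 7 replacement.
make_sample_client_config() {
    d=$(mktemp -d)
    mkdir -p "$d/openldap" "$d/ipa" "$d/sssd"
    printf 'BASE dc=example,dc=com\nURI ldaps://new-master.example.com\n' > "$d/openldap/ldap.conf"
    printf '[global]\nserver = new-master.example.com\nxmlrpc_uri = https://old-master.example.com/ipa/xml\n' > "$d/ipa/default.conf"
    printf '[domain/example.com]\nipa_server = _srv_, old-master.example.com\n' > "$d/sssd/sssd.conf"
    printf '%s\n' "$d"
}

# On a real client:
#   find_stale_server_refs old-master.example.com \
#       /etc/openldap/ldap.conf /etc/ipa/default.conf /etc/sssd/sssd.conf
```

On the constructed files the check reports the xmlrpc_uri line in default.conf and the ipa_server line in sssd.conf, while the already-updated ldap.conf is silent; a client that passes this check for the old host name no longer depends on the server being decommissioned.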
© 2024 Red Hat, Inc.