Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

8.2. Migrating Identity Management from Red Hat Enterprise Linux 6 to Version 7

This procedure describes how to migrate all data and configuration from Red Hat Enterprise Linux 6 Identity Management to Red Hat Enterprise Linux 7 servers. The migration procedure includes:
  • Migrating the Red Hat Enterprise Linux 6-based certificate authority (CA) master server to Red Hat Enterprise Linux 7.
  • Transitioning all services to the new Red Hat Enterprise Linux 7 server. These services include CRL and certificate creating, DNS management, or Kerberos KDC administration.
  • Decommissioning the original Red Hat Enterprise Linux 6 CA master.
In the following procedures:
  • rhel7.example.com is the Red Hat Enterprise Linux 7 system that will become the new CA master.
    Important
    The only minor version that is currently supported is RHEL 7.9. Ensure you have RHEL 7.9 installed on your system.
  • rhel6.example.com is the original Red Hat Enterprise Linux 6 CA master.
    Note
    To identify which Red Hat Enterprise Linux 6 server is the master CA server, determine on which server the certmonger service tracks the renew_ca_cert command. Run this command on every Red Hat Enterprise Linux 6 server: 
    [root@rhel6 ~]# getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" | grep post-save
post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    Copy to Clipboard Toggle word wrap
    The post-save action that executes renew_ca_cert is defined only for the CA master.
  • Update the rhel6.example.com system to the latest Red Hat Enterprise Linux 6 version.
  • On the rhel6.example.com system, upgrade the ipa-* packages: 
    [root@rhel6 ~]# yum update ipa-*
    Copy to Clipboard Toggle word wrap
    This step also makes sure that you have applied the RHBA-2015:0231-2 advisory, which provides the 2.3-6.el6_6 version of the bind-dyndb-ldap package and is available with the Red Hat Enterprise Linux 6.6 Extended Update Support (EUS).
    Warning
    Using an earlier version of bind-dyndb-ldap results in inconsistent behavior in DNS forward zones serving between the Red Hat Enterprise Linux 6.6 DNS servers and Red Hat Enterprise Linux 7 DNS servers.
  • Make sure the rhel7.example.com system meets the requirements in Section 2.1, “Prerequisites for Installing a Server” and Section 4.3, “Prerequisites for Installing a Replica”.
  • On the rhel7.example.com system, install the required packages. See Section 2.2, “Packages Required to Install an IdM Server”.
The copy-schema-to-ca.py schema update script prepares rhel6.example.com for the installation of the rhel7.example.com replica. Updating the schema is necessary due to schema changes between Identity Management version 3.1 and later versions.
  1. Copy the copy-schema-to-ca.py schema update script from the rhel7.example.com system to the rhel6.example.com system. For example: 
    [root@rhel7 ~]# scp /usr/share/ipa/copy-schema-to-ca.py root@rhel6:/root/
    Copy to Clipboard Toggle word wrap
  2. Run the updated copy-schema-to-ca.py script on rhel6.example.com. 
    [root@rhel6 ~]# python copy-schema-to-ca.py
ipa         : INFO     Installed /etc/dirsrv/slapd-PKI-IPA//schema/60kerberos.ldif
[... output truncated ...]
ipa         : INFO     Schema updated successfully
    Copy to Clipboard Toggle word wrap
  3. Repeat the steps on every Red Hat Enterprise Linux 6 IdM replica that runs a certificate authority before connecting to a Red Hat Enterprise Linux 7 replica.
  1. On the rhel6.example.com system, create the replica file you will use to install the rhel7.example.com replica. For example, to create a replica file for rhel7.example.com whose IP address is 192.0.2.1: 
    [root@rhel6 ~]# ipa-replica-prepare rhel7.example.com --ip-address 192.0.2.1

Directory Manager (existing master) password:
Preparing replica for rhel7.example.com from rhel6.example.com
[... output truncated ...]
The ipa-replica-prepare command was successful
    Copy to Clipboard Toggle word wrap
    See also Section D.1, “Replica Information File” and Section D.2, “Creating Replicas”.
  2. Copy the replica information file from rhel6.example.com to rhel7.example.com. 
    [root@rhel6 ~]# scp /var/lib/ipa/replica-info-replica.example.com.gpg root@rhel7:/var/lib/ipa/
    Copy to Clipboard Toggle word wrap
  3. If you install the new replica with an integrated CA on Red Hat Enterprise Linux 7.6 or later, append the following entry to the end of the NSSCipherSuite parameter in the /etc/httpd/conf.d/nss.conf file: 
    +ecdhe_rsa_aes_128_sha,+ecdhe_rsa_aes_256_sha
    Copy to Clipboard Toggle word wrap
    In Red Hat Enterprise Linux 7.6 or later, certain ciphers are no longer enabled by default in the IdM CA. Without adding this entry to the configuration, setting up an IdM server with integrated CA on Red Hat Enterprise Linux 7.6 as a replica of a master running on Red Hat Enterprise Linux 6 fails with a CRITICAL Failed to configure CA instance error.
  4. Install the rhel7.example.com replica using the replica file. For example, the following command uses these options:
    • --setup-ca to set up the Certificate System component
    • --setup-dns and --forwarder to configure an integrated DNS server and set a forwarder
    • --ip-address to specify the IP address of the rhel7.example.com system 
    [root@rhel7 ~]# ipa-replica-install /var/lib/ipa/replica-info-rhel7.example.com.gpg --setup-ca --ip-address 192.0.2.1 --setup-dns --forwarder 192.0.2.20
Directory Manager (existing master) password:

Checking DNS forwarders, please wait ...
Run connection check to master
[... output truncated ...]
Client configuration complete.
    Copy to Clipboard Toggle word wrap
    See also:
  5. Verify that the Identity Management services are running on rhel7.example.com. 
    [root@rhel7 ~]# ipactl status
Directory Service: RUNNING
[... output truncated ...]
ipa: INFO: The ipactl command was successful
    Copy to Clipboard Toggle word wrap
Before you begin:
  • Verify that rhel6.example.com and rhel7.example.com CAs are both configured as master servers. 
    [root@rhel7 ~]$ kinit admin
[root@rhel7 ~]$ ipa-csreplica-manage list
rhel6.example.com: master
rhel7.example.com: master
    Copy to Clipboard Toggle word wrap
    To display details about a replication agreement: 
    [root@rhel7 ~]# ipa-csreplica-manage list --verbose rhel7.example.com
rhel7.example.com
last init status: None
last init ended: 1970-01-01 00:00:00+00:00
last update status: Error (0) Replica acquired successfully: Incremental update succeeded
last update ended: 2017-02-13 13:55:13+00:00
    Copy to Clipboard Toggle word wrap
On the rhel6.example.com original master CA, stop the CA subsystem certificate renewal:
  1. Disable tracking for the original CA certificates. 
    [root@rhel6 ~]# getcert stop-tracking -d /var/lib/pki-ca/alias -n "auditSigningCert cert-pki-ca"
Request "20201127184547" removed.
[root@rhel6 ~]# getcert stop-tracking -d /var/lib/pki-ca/alias -n "ocspSigningCert cert-pki-ca"
Request "20201127184548" removed.
[root@rhel6 ~]# getcert stop-tracking -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca"
Request "20201127184549" removed.
[root@rhel6 ~]# getcert stop-tracking -d /etc/httpd/alias -n ipaCert
Request "20201127184550" removed.
    Copy to Clipboard Toggle word wrap
  2. Reconfigure rhel6.example.com to retrieve renewed certificates from a new master CA.
    1. Copy the renewal helper script into the certmonger service directory, and set the appropriate permissions. 
      [root@rhel6 ~]# cp /usr/share/ipa/ca_renewal /var/lib/certmonger/cas/
[root@rhel6 ~]# chmod 0600 /var/lib/certmonger/cas/ca_renewal
      Copy to Clipboard Toggle word wrap
    2. Update the SELinux configuration. 
      [root@rhel6 ~]# restorecon /var/lib/certmonger/cas/ca_renewal
      Copy to Clipboard Toggle word wrap
    3. Restart certmonger. 
      [root@rhel6 ~]# service certmonger restart
      Copy to Clipboard Toggle word wrap
    4. Check that the CA is listed to retrieve certificates. 
      [root@rhel6 ~]# getcert list-cas
...
CA 'dogtag-ipa-retrieve-agent-submit':
        is-default: no
        ca-type: EXTERNAL
	helper-location: /usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit
      Copy to Clipboard Toggle word wrap
    5. Obtain the CA certificate database PIN. 
      [root@rhel6 ~]# grep internal= /var/lib/pki-ca/conf/password.conf
      Copy to Clipboard Toggle word wrap
    6. Configure certmonger to track the certificates for external renewal. This requires the database PIN. 
      [root@rhel6 ~]# getcert start-tracking \
    -c dogtag-ipa-retrieve-agent-submit \
    -d /var/lib/pki-ca/alias \
    -n "auditSigningCert cert-pki-ca" \
    -B /usr/lib64/ipa/certmonger/stop_pkicad \
    -C '/usr/lib64/ipa/certmonger/restart_pkicad \
    "auditSigningCert cert-pki-ca"' \
    -T "auditSigningCert cert-pki-ca" \
    -P database_pin
New tracking request "20201127184743" added.
[root@rhel6 ~]# getcert start-tracking \
    -c dogtag-ipa-retrieve-agent-submit \
    -d /var/lib/pki-ca/alias \
    -n "ocspSigningCert cert-pki-ca" \
    -B /usr/lib64/ipa/certmonger/stop_pkicad \
    -C '/usr/lib64/ipa/certmonger/restart_pkicad \
    "ocspSigningCert cert-pki-ca"' \
    -T "ocspSigningCert cert-pki-ca" \
    -P database_pin
New tracking request "20201127184744" added.
[root@rhel6 ~]# getcert start-tracking \
    -c dogtag-ipa-retrieve-agent-submit \
    -d /var/lib/pki-ca/alias \
    -n "subsystemCert cert-pki-ca" \
    -B /usr/lib64/ipa/certmonger/stop_pkicad \
    -C '/usr/lib64/ipa/certmonger/restart_pkicad \
    "subsystemCert cert-pki-ca"' \
    -T "subsystemCert cert-pki-ca" \
    -P database_pin
New tracking request "20201127184745" added.
[root@rhel6 ~]# getcert start-tracking \
    -c dogtag-ipa-retrieve-agent-submit \
    -d /etc/httpd/alias \
    -n ipaCert \
    -C /usr/lib64/ipa/certmonger/restart_httpd \
    -T ipaCert \
    -p /etc/httpd/alias/pwdfile.txt
New tracking request "20201127184746" added.
      Copy to Clipboard Toggle word wrap
Move CRL generation from the original rhel6.example.com CA master to rhel7.example.com.
  1. On rhel6.example.com, stop CRL generation:
    1. Stop the CA service. 
      [root@rhel6 ~]# service pki-cad stop
      Copy to Clipboard Toggle word wrap
    2. Disable CRL generation on rhel6.example.com. Open the /var/lib/pki-ca/conf/CS.cfg file, and set the values of the ca.crl.MasterCRL.enableCRLCache and ca.crl.MasterCRL.enableCRLUpdates parameters to false. 
      ca.crl.MasterCRL.enableCRLCache=false
ca.crl.MasterCRL.enableCRLUpdates=false
      Copy to Clipboard Toggle word wrap
    3. Start the CA service. 
      [root@rhel6 ~]# service pki-cad start
      Copy to Clipboard Toggle word wrap
  2. On rhel6.example.com, configure Apache to redirect CRL requests:
    1. Open the /etc/httpd/conf.d/ipa-pki-proxy.conf file, and uncomment the RewriteRule entry: 
      RewriteRule ^/ipa/crl/MasterCRL.bin https://rhel6.example.com/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
      Copy to Clipboard Toggle word wrap
      Note
      Do not replace the server host name in the URL. The URL must refer to the local host name.
    2. Restart Apache. 
      [root@rhel6 ~]# service httpd restart
      Copy to Clipboard Toggle word wrap
    IdM obtains now the Certificate Revocation List (CRL) from the local CA instead of from a local file.
  3. On rhel7.example.com, configure rhel7.example.com as the new CA master:
    1. Configure rhel7.example.com to handle CA subsystem certificate renewal, as described in Section D.4.1, “Changing Which Server Handles Certificate Renewal”.
    2. Configure rhel7.example.com to general certificate revocation lists (CRLs), as described in Section 6.5.2.2, “Changing Which Server Generates CRLs”.

Related Information

Stop all service on rhel6.example.com to force domain discovery to the new rhel7.example.com server. 
[root@rhel6 ~]# ipactl stop
Stopping CA Service
Stopping pki-ca:                                           [  OK  ]
Stopping HTTP Service
Stopping httpd:                                            [  OK  ]
Stopping MEMCACHE Service
Stopping ipa_memcached:                                    [  OK  ]
Stopping DNS Service
Stopping named: .                                          [  OK  ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server:                          [  OK  ]
Stopping KDC Service
Stopping Kerberos 5 KDC:                                   [  OK  ]
Stopping Directory Service
Shutting down dirsrv:
    EXAMPLE-COM...                                         [  OK  ]
    PKI-IPA...                                             [  OK  ]
Copy to Clipboard Toggle word wrap
After this, using the ipa utility will contact the new server through a remote procedure call (RPC).
For each Red Hat Enterprise Linux 6 server in your topology:
  1. Create a replica file from rhel7.example.com.
    Note
    After installing a Red Hat Enterprise Linux 7 replica from a Red Hat Enterprise Linux 6 server, the domain level for the Identity Management domain is automatically set to 0.
    Red Hat Enterprise Linux 7.3 introduced an easier way to install and manage replicas. To use these features, your topology must be at domain level 1. See Chapter 7, Displaying and Raising the Domain Level.
  2. Use the replica file to install a new replica on another Red Hat Enterprise Linux 7 system.
See Chapter 4, Installing and Uninstalling Identity Management Replicas.
To decommission a Red Hat Enterprise Linux 6 server:
  • Remove the server from the topology by executing the removal commands on a Red Hat Enterprise Linux 7 server.
See Section 2.4, “Uninstalling an IdM Server”.
Important
Client configurations will not update automatically. If you decommission an IDM server and configured the new server with a different name, you should review the overall client configurations. In particular, you must update the following files manually:
  • /etc/openldap/ldap.conf
  • /etc/ipa/default.conf
  • /etc/sssd/sssd.conf
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat