Chapter 1. Migrating your IdM environment from RHEL 7 servers to RHEL 8 servers
To upgrade a RHEL 7 IdM environment to RHEL 8, you must first add new RHEL 8 IdM replicas to your RHEL 7 IdM environment, and then retire the RHEL 7 servers.
- Performing an in-place upgrade of RHEL 7 IdM servers and IdM server nodes to RHEL 8 is not supported.
Migrating directly to RHEL 8 from RHEL 6 or earlier versions is not supported. To properly update your IdM data, you must perform incremental migrations.
For example, to migrate a RHEL 6 IdM environment to RHEL 8:
- Migrate from RHEL 6 servers to RHEL 7 servers. See Migrating Identity Management from Red Hat Enterprise Linux 6 to Version 7.
- Migrate from RHEL 7 servers to RHEL 8 servers, as described in this section.
RHEL 8 supports SPAKE and IdP pre-authentication, but RHEL 7 does not. Having RHEL 8 servers with SPAKE or IdP enabled in a RHEL 7 IdM deployment may lead to problems such as users not being able to log in. Therefore, migrate all servers in an IdM deployment as quickly as possible.
This procedure describes how to migrate all Identity Management (IdM) data and configuration from a Red Hat Enterprise Linux (RHEL) 7 server to a RHEL 8 server. You can also use this procedure to migrate from FreeIPA servers on non-RHEL Linux distributions to IdM on RHEL 8 servers.
The migration procedure includes:
- Configuring a RHEL 8 IdM server and adding it as a replica to your current RHEL 7 IdM environment. For details, see Installing the RHEL 8 Replica.
- Making the RHEL 8 server the certificate authority (CA) renewal server. For details, see Assigning the CA renewal server role to the RHEL 8 IdM server.
- Stopping the generation of the certificate revocation list (CRL) on the RHEL 7 server and redirecting CRL requests to RHEL 8. For details, see Stopping CRL generation on a RHEL 7 IdM CA server.
- Starting the generation of the CRL on the RHEL 8 server. For details, see Starting CRL generation on the new RHEL 8 IdM CA server.
- Stopping and decommissioning the original RHEL 7 CA renewal server. For details, see Stopping and decommissioning the RHEL 7 server.
In the following procedures:
- rhel8.example.com is the RHEL 8 system that will become the new CA renewal server.
- rhel7.example.com is the original RHEL 7 CA renewal server. To identify which Red Hat Enterprise Linux 7 server is the CA renewal server, run the following command on any IdM server:
[root@rhel7 ~]# ipa config-show | grep "CA renewal"
IPA CA renewal master: rhel7.example.com
If your IdM deployment does not use a certificate authority (CA), any IdM server running on RHEL 7 can be rhel7.example.com.
Complete the steps in the following sections only if your IdM deployment uses an embedded CA: Assigning the CA renewal server role to the RHEL 8 IdM server, Stopping CRL generation on a RHEL 7 IdM CA server, and Starting CRL generation on the new RHEL 8 IdM CA server.
1.1. Preparing for migrating IdM from RHEL 7 to RHEL 8
On rhel7.example.com:
- Upgrade the system to the latest RHEL 7 version.
- Ensure that the domain level for your domain is set to 1. For more information, see Displaying and Raising the Domain Level in the Linux Domain Identity, Authentication, and Policy Guide for RHEL 7.
- Update the ipa-* packages to their latest version:
[root@rhel7 ~]# yum update ipa-*
Warning: When upgrading multiple Identity Management (IdM) servers, wait at least 10 minutes between each upgrade. When two or more servers are upgraded simultaneously or with only short intervals between the upgrades, there is not enough time to replicate the post-upgrade data changes throughout the topology, which can result in conflicting replication events.
On rhel8.example.com:
- Install the latest version of Red Hat Enterprise Linux on the system. For more information, see Interactively installing RHEL from installation media.
- Identify the time server rhel7.example.com is synchronized with:
[root@rhel7 ~]# ntpstat
synchronised to NTP server (ntp.example.com) at stratum 3
   time correct to within 42 ms
   polling server every 1024 s
Important: In RHEL 8, IdM does not provide its own time server: installing IdM on rhel8.example.com does not install an NTP server on the host. Therefore, you need to use a separate NTP server, for example ntp.example.com. For more information, see Migrating to chrony and Time service requirements for IdM.
While rhel7.example.com can be used in an NTP server role, you will decommission the server as part of the migration process. Therefore, rhel8.example.com needs to be synchronized directly with ntp.example.com instead. You can specify this during the client installation process.
- Enroll the system as an IdM client into the domain for which the rhel7.example.com IdM server is authoritative. For more information, see Installing an IdM client. When installing the client, specify the time server from the previous step:
[root@rhel8 ~]# ipa-client-install --mkhomedir --ntp-server ntp.example.com
If you are using a pool of NTP servers, use the --ntp-pool option. If you do not specify an NTP server manually, it is set automatically from DNS records. This can lead to rhel8.example.com synchronizing with rhel7.example.com, which causes issues when the RHEL 7 server is decommissioned. If the RHEL 8 system is already properly configured as an NTP client, you can use the --no-ntp option when performing the IdM client installation.
Important: Do not use single-label domain names, for example .company. Starting with RHEL 8, IdM does not accept single-label domain names: the domain name must be composed of one or more subdomains and a top-level domain, for example example.com or company.example.com. If the existing domain is single-label, it is not possible to perform the migration using these instructions. In that case, use Migrating an LDAP Server to Identity Management.
- Prepare the system for IdM server installation. See Preparing the system for IdM server installation.
- Authorize the system for the installation of an IdM replica. See Authorizing the installation of a replica on an IdM client.
- Update the ipa-* packages to their latest version on the RHEL 8 system:
[root@rhel8 ~]# yum update ipa-*
1.2. Installing the RHEL 8 replica
- List which server roles are present in your RHEL 7 environment:
[root@rhel7 ~]# ipa server-role-find --status enabled --server rhel7.example.com
----------------------
3 server roles matched
----------------------
  Server name: rhel7.example.com
  Role name: CA server
  Role status: enabled

  Server name: rhel7.example.com
  Role name: DNS server
  Role status: enabled

  Server name: rhel7.example.com
  Role name: NTP server
  Role status: enabled
[... output truncated ...]
- Optional: If you want to use the same per-server forwarders for rhel8.example.com that rhel7.example.com is using, view the per-server forwarders for rhel7.example.com:
[root@rhel7 ~]# ipa dnsserver-show rhel7.example.com
-----------------------------
1 DNS server matched
-----------------------------
  Server name: rhel7.example.com
  SOA mname: rhel7.example.com.
  Forwarders: 192.0.2.20
  Forward policy: only
--------------------------------------------------
Number of entries returned 1
--------------------------------------------------
- Install the IdM server on rhel8.example.com as a replica of the RHEL 7 IdM server, including all the server roles present on rhel7.example.com except the NTP server role. To install the roles from the example above, use these options with the ipa-replica-install command:
  - --setup-ca to set up the Certificate System component
  - --setup-dns and --forwarder to configure an integrated DNS server and set a per-server forwarder to take care of DNS queries that go outside the IdM domain
Note: Additionally, if your IdM deployment is in a trust relationship with Active Directory (AD), add the --setup-adtrust option to the ipa-replica-install command to configure AD trust capability on rhel8.example.com.
To set up an IdM server with the IP address 192.0.2.1 that uses a per-server forwarder with the IP address 192.0.2.20:
[root@rhel8 ~]# ipa-replica-install --setup-ca --ip-address 192.0.2.1 --setup-dns --forwarder 192.0.2.20
You do not need to specify the RHEL 7 IdM server itself because, if DNS is working correctly, rhel8.example.com will find it using DNS autodiscovery.
- Optional: Add an _ntp._udp service (SRV) record for your external NTP time server to the DNS of the newly installed IdM server, rhel8.example.com. Doing this is recommended because IdM in RHEL 8 does not provide its own time service. The presence of the SRV record for the time server in IdM DNS ensures that future RHEL 8 replica and client installations are automatically configured to synchronize with the time server used by rhel8.example.com. This is because ipa-client-install looks for the _ntp._udp DNS entry unless the --ntp-server or --ntp-pool option is provided on the install command-line interface (CLI).
Verification
- Verify that the IdM services are running on rhel8.example.com:
[root@rhel8 ~]# ipactl status
Directory Service: RUNNING
[... output truncated ...]
ipa: INFO: The ipactl command was successful
- Verify that the server roles for rhel8.example.com are the same as for rhel7.example.com except the NTP server role:
[root@rhel8 ~]$ kinit admin
[root@rhel8 ~]$ ipa server-role-find --status enabled --server rhel8.example.com
----------------------
2 server roles matched
----------------------
  Server name: rhel8.example.com
  Role name: CA server
  Role status: enabled

  Server name: rhel8.example.com
  Role name: DNS server
  Role status: enabled
- Optional: Display details about the replication agreement between rhel7.example.com and rhel8.example.com:
[root@rhel8 ~]# ipa-csreplica-manage list --verbose rhel8.example.com
Directory Manager password:
rhel7.example.com
  last init status: None
  last init ended: 1970-01-01 00:00:00+00:00
  last update status: Error (0) Replica acquired successfully: Incremental update succeeded
  last update ended: 2019-02-13 13:55:13+00:00
- Optional: If your IdM deployment is in a trust relationship with AD, verify that it is working:
  - Verify the Kerberos configuration.
  - Attempt to resolve an AD user on rhel8.example.com:
[root@rhel8 ~]# id aduser@ad.domain
- Verify that rhel8.example.com is synchronized with the NTP server:
[root@rhel8 ~]# chronyc tracking
Reference ID    : CB00710F (ntp.example.com)
Stratum         : 3
Ref time (UTC)  : Tue Nov 16 09:49:17 2021
[... output truncated ...]
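The role comparison in the verification step above can be scripted. The following shell example is added here and is not part of the Red Hat documentation: it reads the output of ipa server-role-find for both servers (constructed sample outputs, mirroring the format shown in this section) and reports every role enabled on rhel7.example.com that is not yet enabled on rhel8.example.com; the function names are my own.

```shell
# Added example, not from the Red Hat documentation: compares the enabled
# server roles of rhel7.example.com and rhel8.example.com from the output of
# `ipa server-role-find --status enabled --server <name>` and lists the roles
# the new server still lacks. "NTP server" is ignored because IdM on RHEL 8
# does not provide it. Both outputs below are constructed samples.
RHEL7_ROLES='3 server roles matched
----------------------
  Server name: rhel7.example.com
  Role name: CA server
  Role status: enabled
  Server name: rhel7.example.com
  Role name: DNS server
  Role status: enabled
  Server name: rhel7.example.com
  Role name: NTP server
  Role status: enabled'
RHEL8_ROLES='2 server roles matched
----------------------
  Server name: rhel8.example.com
  Role name: CA server
  Role status: enabled
  Server name: rhel8.example.com
  Role name: DNS server
  Role status: enabled'

# Print the role names found in one command output, one per line, sorted.
role_names() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Role name: //p' | sort
}

# Print roles enabled on the old server (arg 1) but not on the new one (arg 2).
missing_roles() {
    role_names "$1" | grep -vx 'NTP server' | while IFS= read -r role; do
        role_names "$2" | grep -qx "$role" || printf '%s\n' "$role"
    done
}

# Exit status 0 when nothing is missing, 1 otherwise (usable in scripts).
check_roles() {
    missing=$(missing_roles "$1" "$2")
    if [ -n "$missing" ]; then
        printf 'Roles missing on the new server:\n%s\n' "$missing"
        return 1
    fi
    echo 'All server roles except NTP server are present on the new server.'
}

check_roles "$RHEL7_ROLES" "$RHEL8_ROLES"
```

On a live system, capture the two outputs with command substitution and pass them to check_roles in place of the constructed strings.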
1.3. Assigning the CA renewal server role to the RHEL 8 IdM server
Follow this procedure to make the RHEL 8 server the certificate authority (CA) renewal server.
Follow these steps only if your IdM deployment uses an embedded certificate authority (CA).
On rhel8.example.com, configure rhel8.example.com as the new CA renewal server:
Configure rhel8.example.com to handle CA subsystem certificate renewal:
[root@rhel8 ~]# ipa config-mod --ca-renewal-master-server rhel8.example.com
...
IPA masters: rhel7.example.com, rhel8.example.com
IPA CA servers: rhel7.example.com, rhel8.example.com
IPA NTP servers: rhel7.example.com, rhel8.example.com
IPA CA renewal master: rhel8.example.com
The output confirms that the update was successful.
On rhel8.example.com, enable the certificate updater task:
- Open the /etc/pki/pki-tomcat/ca/CS.cfg configuration file for editing.
- Remove the ca.certStatusUpdateInterval entry, or set it to the desired interval in seconds. The default value is 600.
- Save and close the /etc/pki/pki-tomcat/ca/CS.cfg configuration file.
- Restart IdM services:
[user@rhel8 ~]$ ipactl restart
On rhel7.example.com, disable the certificate updater task:
- Open the /etc/pki/pki-tomcat/ca/CS.cfg configuration file for editing.
- Change ca.certStatusUpdateInterval to 0, or add the following entry if it does not exist:
ca.certStatusUpdateInterval=0
- Save and close the /etc/pki/pki-tomcat/ca/CS.cfg configuration file.
- Restart IdM services:
[user@rhel7 ~]$ ipactl restart
1.4. Stopping CRL generation on a RHEL 7 IdM CA server
Follow these steps only if your IdM deployment uses an embedded certificate authority (CA).
Follow this procedure to stop generating the Certificate Revocation List (CRL) on the rhel7.example.com CA server using the ipa-crlgen-manage command.
Prerequisites
- You must be logged in as root.
Procedure
Optional: Check if rhel7.example.com is generating the CRL:
[root@rhel7 ~]# ipa-crlgen-manage status
CRL generation: enabled
Last CRL update: 2019-10-31 12:00:00
Last CRL Number: 6
The ipa-crlgen-manage command was successful
Stop generating the CRL on the rhel7.example.com server:
[root@rhel7 ~]# ipa-crlgen-manage disable
Stopping pki-tomcatd
Editing /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
Starting pki-tomcatd
Editing /etc/httpd/conf.d/ipa-pki-proxy.conf
Restarting httpd
CRL generation disabled on the local host. Please make sure to configure CRL generation on another master with ipa-crlgen-manage enable.
The ipa-crlgen-manage command was successful
Verification
Check if the rhel7.example.com server stopped generating the CRL:
[root@rhel7 ~]# ipa-crlgen-manage status
The rhel7.example.com server stopped generating the CRL. The next step is to enable generating the CRL on rhel8.example.com.
1.5. Starting CRL generation on the new RHEL 8 IdM CA server
Follow these steps only if your IdM deployment uses an embedded certificate authority (CA).
Prerequisites
- You must be logged in as root on the rhel8.example.com machine.
Procedure
To start generating the CRL on rhel8.example.com, use the ipa-crlgen-manage enable command:
[root@rhel8 ~]# ipa-crlgen-manage enable
Stopping pki-tomcatd
Editing /var/lib/pki/pki-tomcat/conf/ca/CS.cfg
Starting pki-tomcatd
Editing /etc/httpd/conf.d/ipa-pki-proxy.conf
Restarting httpd
Forcing CRL update
CRL generation enabled on the local host. Please make sure to have only a single CRL generation master.
The ipa-crlgen-manage command was successful
To check if CRL generation is enabled, use the ipa-crlgen-manage status command:
[root@rhel8 ~]# ipa-crlgen-manage status
CRL generation: enabled
Last CRL update: 2019-10-31 12:10:00
Last CRL Number: 7
The ipa-crlgen-manage command was successful
1.6. Stopping and decommissioning the RHEL 7 server
- Ensure that all data, including the latest changes, have been correctly migrated from rhel7.example.com to rhel8.example.com. For example:
  - Add a new user on rhel7.example.com:
[root@rhel7 ~]# ipa user-add random_user
First name: random
Last name: user
  - Check that the user has been replicated to rhel8.example.com:
[root@rhel8 ~]# ipa user-find random_user
--------------
1 user matched
--------------
  User login: random_user
  First name: random
  Last name: user
- Ensure that a Distributed Numeric Assignment (DNA) ID range is allocated to rhel8.example.com. Use one of the following methods:
  - Activate the DNA plug-in on rhel8.example.com directly by creating another test user:
[root@rhel8 ~]# ipa user-add another_random_user
First name: another
Last name: random_user
  - Assign a specific DNA ID range to rhel8.example.com:
    - On rhel7.example.com, display the IdM ID range:
[root@rhel7 ~]# ipa idrange-find
----------------
3 ranges matched
----------------
  Range name: EXAMPLE.COM_id_range
  First Posix ID of the range: 196600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
    - On rhel7.example.com, display the allocated DNA ID ranges:
[root@rhel7 ~]# ipa-replica-manage dnarange-show
rhel7.example.com: 196600026-196799999
rhel8.example.com: No range set
    - Reduce the DNA ID range allocated to rhel7.example.com so that a section becomes available to rhel8.example.com:
[root@rhel7 ~]# ipa-replica-manage dnarange-set rhel7.example.com 196600026-196699999
    - Assign the remaining part of the IdM ID range to rhel8.example.com:
[root@rhel7 ~]# ipa-replica-manage dnarange-set rhel8.example.com 196700000-196799999
- Stop all IdM services on rhel7.example.com to force domain discovery to the new rhel8.example.com server:
[root@rhel7 ~]# ipactl stop
Stopping CA Service
Stopping pki-ca: [ OK ]
Stopping HTTP Service
Stopping httpd: [ OK ]
Stopping MEMCACHE Service
Stopping ipa_memcached: [ OK ]
Stopping DNS Service
Stopping named: . [ OK ]
Stopping KPASSWD Service
Stopping Kerberos 5 Admin Server: [ OK ]
Stopping KDC Service
Stopping Kerberos 5 KDC: [ OK ]
Stopping Directory Service
Shutting down dirsrv:
    EXAMPLE-COM... [ OK ]
    PKI-IPA... [ OK ]
After this, the ipa utility will contact the new server through a remote procedure call (RPC).
- Remove the RHEL 7 server from the topology by executing the removal commands on the RHEL 8 server. For details, see Uninstalling an IdM server.
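The DNA range split in the procedure above is easy to get wrong by hand, and two servers with overlapping DNA ranges can hand out the same UID or GID to different users. The following shell example is added here and is not part of the Red Hat documentation: it reads the current allocation from the output of ipa-replica-manage dnarange-show (a constructed sample using the values shown above), checks that the requested split stays inside the IdM ID range and leaves no overlap or gap, and prints the two dnarange-set commands; the function names are my own.

```shell
# Added example, not from the Red Hat documentation: derives the two
# `ipa-replica-manage dnarange-set` commands that hand the upper part of the
# DNA range allocated to rhel7.example.com over to rhel8.example.com, and
# refuses splits that would overlap, leave a gap or fall outside the IdM ID
# range (overlapping DNA ranges let two servers assign the same UID/GID).
# The sample output below is constructed from the values in the procedure.
DNARANGE_SHOW='rhel7.example.com: 196600026-196799999
rhel8.example.com: No range set'

# Print the DNA range currently allocated to a server, or nothing if unset.
current_range() {
    printf '%s\n' "$1" | sed -n "s/^$2: \([0-9]*-[0-9]*\)\$/\1/p"
}

# dna_split OLD_SERVER NEW_SERVER OLD_RANGE NEW_FIRST ID_FIRST ID_COUNT
# IDs below NEW_FIRST stay with OLD_SERVER, the rest go to NEW_SERVER.
# ID_FIRST/ID_COUNT are the values reported by `ipa idrange-find`.
dna_split() {
    old_server=$1 new_server=$2 old_range=$3 new_first=$4
    id_first=$5 id_last=$(($5 + $6 - 1))
    case "$old_range" in
        *[!0-9-]*|*-*-*) echo "malformed range: $old_range" >&2; return 1 ;;
        [0-9]*[0-9]-[0-9]*[0-9]) ;;
        *) echo "malformed range: $old_range" >&2; return 1 ;;
    esac
    case "$new_first" in
        ''|*[!0-9]*) echo "split point must be numeric" >&2; return 1 ;;
    esac
    first=${old_range%-*}
    last=${old_range#*-}
    if [ "$first" -lt "$id_first" ] || [ "$last" -gt "$id_last" ]; then
        echo "$old_range lies outside the IdM ID range $id_first-$id_last" >&2
        return 1
    fi
    # Each side must keep at least one ID, so the split point is strictly inside.
    if [ "$new_first" -le "$first" ] || [ "$new_first" -gt "$last" ]; then
        echo "split point $new_first is not inside $old_range" >&2
        return 1
    fi
    printf 'ipa-replica-manage dnarange-set %s %s-%s\n' "$old_server" "$first" "$((new_first - 1))"
    printf 'ipa-replica-manage dnarange-set %s %s-%s\n' "$new_server" "$new_first" "$last"
}

OLD_RANGE=$(current_range "$DNARANGE_SHOW" rhel7.example.com)
dna_split rhel7.example.com rhel8.example.com "$OLD_RANGE" 196700000 196600000 200000
```

Run the printed commands on rhel7.example.com only after reviewing them; the script deliberately prints rather than executes them.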