Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 21. Upgrading the Database

21.1. Upgrading the Database from 9.0 to 9.1
Copier lien

After you upgraded the packages and configuration files, you must manually upgrade the database schema and subsystem databases for every Certificate System instance.

21.1.1. Upgrading the Database Schema
Copier lien

To upgrade the Certificate System database schema in Directory Server: 
# ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( realm-oid NAME 'realm' DESC 'CMS defined attribute'
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )

dn: cn=schema
changetype: modify
delete: objectClasses
objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class'
 SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $ dateOfModify
 $ requestState $ requestResult $ requestOwner $ requestAgentGroup
 $ requestSourceId $ requestType $ requestFlag $ requestError
 $ userMessages $ adminMessages ) X-ORIGIN 'user defined' )

add: objectClasses
objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class'
 SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $ dateOfModify
 $ requestState $ requestResult $ requestOwner $ requestAgentGroup
 $ requestSourceId $ requestType $ requestFlag $ requestError
 $ userMessages $ adminMessages $ realm ) X-ORIGIN 'user defined' )

dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( authorityID-oid NAME 'authorityID' DESC 'Authority ID'
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN
 'user defined' )
attributeTypes: ( authorityKeyNickname-oid NAME 'authorityKeyNickname'
 DESC 'Authority key nickname' SYNTAX 1.3.6.1.4.1.1466.115.121.1.44
 SINGLE-VALUE X-ORIGIN 'user-defined' )
attributeTypes: ( authorityParentID-oid NAME 'authorityParentID' DESC
 'Authority Parent ID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE
 X-ORIGIN 'user defined' )
attributeTypes: ( authorityEnabled-oid NAME 'authorityEnabled' DESC
 'Authority Enabled' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE
 X-ORIGIN 'user defined' )
attributeTypes: ( authorityDN-oid NAME 'authorityDN' DESC 'Authority DN'
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN
 'user defined' )
attributeTypes: ( authoritySerial-oid NAME 'authoritySerial' DESC
 'Authority certificate serial number' SYNTAX
 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( authorityParentDN-oid
 NAME 'authorityParentDN' DESC 'Authority Parent DN' SYNTAX
 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( authorityKeyHost-oid NAME 'authorityKeyHost' DESC
 'Authority Key Hosts' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN
 'user defined' )

dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( authority-oid NAME 'authority' DESC
 'Certificate Authority' SUP top STRUCTURAL MUST ( cn $ authorityID
 $ authorityKeyNickname $ authorityEnabled $ authorityDN ) MAY
 ( authoritySerial $ authorityParentID $ authorityParentDN
 $ authorityKeyHost $ description ) X-ORIGIN 'user defined' )
Copy to Clipboard Toggle word wrap

21.1.2. Upgrading the CA Database
Copier lien

To upgrade the certificate authority (CA) database:
  1. Upgrade the container entries: 
    # ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x
dn: ou=authorities,ou=ca,CA_base_DN
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: authorities
    Copy to Clipboard Toggle word wrap
  2. Upgrade the access control list (ACL) entries: 
    # ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x
dn: cn=aclResources,CA_base_DN
changetype: modify
add: resourceACLS
resourceACLS: certServer.ca.authorities:list,read:allow (list,read)
  user="anybody":Anybody may list and read lightweight authorities
resourceACLS: certServer.ca.authorities:create,modify:allow (create,modify)
  group="Administrators":Administrators may create and modify lightweight authorities
resourceACLS: certServer.ca.authorities:delete:allow (delete)
  group="Administrators":Administrators may delete lightweight authorities
    Copy to Clipboard Toggle word wrap
  3. Upgrade the database indexes: 
    # ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x
dn: cn=issuername,cn=index,cn=CA_database_name,cn=ldbm database,
 cn=plugins, cn=config
changetype: add
objectClass: top
objectClass: nsIndex
nsindexType: eq
nsindexType: pres
nsindexType: sub
nsSystemindex: false
cn: issuername
    Copy to Clipboard Toggle word wrap
  4. Add the realm attribute: 
    # ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( realm-oid NAME 'realm' DESC 'CMS defined attribute'
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )

delete: objectClasses
objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class'
 SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $
 dateOfModify $ requestState $ requestResult $ requestOwner $
 requestAgentGroup $ requestSourceId $ requestType $ requestFlag $
 requestError $ userMessages $ adminMessages ) X-ORIGIN 'user defined' )

add: objectClasses
objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class'
 SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $
 dateOfModify $ requestState $ requestResult $ requestOwner $
 requestAgentGroup $ requestSourceId $ requestType $ requestFlag $
 requestError $ userMessages $ adminMessages $ realm ) X-ORIGIN 'user
 defined' )
    Copy to Clipboard Toggle word wrap
  5. Remove the certificate validity delay:
    1. In the /var/lib/pki/instance_name/ca/profiles/ca/caDualCert.cfg file, set: 
      policyset.signingCertSet.2.default.params.startTime=0
      Copy to Clipboard Toggle word wrap
    2. In the /var/lib/pki/instance_name/ca/profiles/ca/caECDualCert.cfg file, set: 
      policyset.signingCertSet.2.default.params.startTime=0
      Copy to Clipboard Toggle word wrap
    3. In the /var/lib/pki/instance_name/ca/profiles/ca/caDualCert.cfg file, set: 
      policyset.signingCertSet.2.default.params.startTime=0
      Copy to Clipboard Toggle word wrap
    4. In the /var/lib/pki/instance_name/ca/profiles/ca/caJarSigningCert.cfg file, set: 
      policyset.caJarSigningSet.2.default.params.startTime=0
      Copy to Clipboard Toggle word wrap
    5. In the /var/lib/pki/instance_name/ca/profiles/ca/caSignedLogCert.cfg file, set: 
      policyset.caLogSigningSet.2.default.params.startTime=0
      Copy to Clipboard Toggle word wrap
  6. Add the issuerName attribute to certificate records: 
    # pki-server db-upgrade
    Copy to Clipboard Toggle word wrap
  7. Update the attribute syntax to allow underscores in instance names: 
    # ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x
dn: cn=schema
changetype: modify
delete: objectClasses
objectClasses: ( authority-oid NAME 'authority' DESC 'Certificate
 Authority' SUP top STRUCTURAL MUST ( cn $ authorityID
 $ authorityKeyNickname $ authorityEnabled $ authorityDN ) MAY
 ( authoritySerial $ authorityParentID $ authorityParentDN $
 authorityKeyHost $ description ) X-ORIGIN 'user defined' )

delete: attributeTypes
attributeTypes: ( authorityKeyNickname-oid NAME
 'authorityKeyNickname' DESC 'Authority key nickname' SYNTAX
 1.3.6.1.4.1.1466.115.121.1.44 SINGLE-VALUE X-ORIGIN
 'user-defined' )

add: attributeTypes
attributeTypes: ( authorityKeyNickname-oid NAME
 'authorityKeyNickname' DESC 'Authority key nickname'
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE
 X-ORIGIN 'user-defined' )

add: objectClasses
objectClasses: ( authority-oid NAME 'authority' DESC
 'Certificate Authority' SUP top STRUCTURAL MUST ( cn
 $ authorityID $ authorityKeyNickname $ authorityEnabled
 $ authorityDN ) MAY ( authoritySerial $ authorityParentID
 $ authorityParentDN $ authorityKeyHost $ description )
 X-ORIGIN 'user defined' )
    Copy to Clipboard Toggle word wrap

21.1.3. Upgrading the KRA database
Copier lien

To update the key recovery authority (KRA) database:
  1. Upgrade the database indexes: 
    # ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x
dn: cn=realm,cn=index,cn=KRA_database_name,cn=ldbm database,
 cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: nsIndex
nsindexType: eq
nsindexType: pres
nsSystemindex: false
cn: realm
    Copy to Clipboard Toggle word wrap
  2. Add the realm attribute: 
    # ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( realm-oid NAME 'realm' DESC 'CMS defined attribute'
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )

delete: objectClasses
objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class'
 SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $
 dateOfModify $ requestState $ requestResult $ requestOwner $
 requestAgentGroup $ requestSourceId $ requestType $ requestFlag $
 requestError $ userMessages $ adminMessages ) X-ORIGIN 'user defined' )

add: objectClasses
 objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class'
 SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $
 dateOfModify $ requestState $ requestResult $ requestOwner $
 requestAgentGroup $ requestSourceId $ requestType $ requestFlag $
 requestError $ userMessages $ adminMessages $ realm ) X-ORIGIN 'user
 defined' )

delete: objectClasses
objectClasses: ( keyRecord-oid NAME 'keyRecord' DESC 'CMS defined
 class' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $
 dateOfModify $ keyState $ privateKeyData $ ownerName $ keySize $
 metaInfo $ dateOfArchival $ dateOfRecovery $ algorithm $
 publicKeyFormat $ publicKeyData $ archivedBy $ clientId $ dataType $
 status ) X-ORIGIN 'user defined' )

add: objectClasses
objectClasses: ( keyRecord-oid NAME 'keyRecord' DESC 'CMS defined
 class' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $
 dateOfModify $ keyState $ privateKeyData $ ownerName $ keySize $
 metaInfo $ dateOfArchival $ dateOfRecovery $ algorithm $
 publicKeyFormat $ publicKeyData $ archivedBy $ clientId $ dataType $
 status $ realm ) X-ORIGIN 'user defined' )
    Copy to Clipboard Toggle word wrap
  3. Update and re-index the virtual list views (VLV):
    1. Delete the existing indexes: 
      # pki-server kra-db-vlv-del -i CS_instance_name -D DS_bind_DN \
     -w DS_bind_password
      Copy to Clipboard Toggle word wrap
    2. Add the new indexes: 
      # pki-server kra-db-vlv-add -i CS_instance_name -D DS_bind_DN \
     -w DS_bind_password
      Copy to Clipboard Toggle word wrap
    3. Restart the Directory Server instance: 
      # systemctl restart dirsrv@DS_instance_name
      Copy to Clipboard Toggle word wrap
    4. Re-index the database: 
      # pki-server kra-db-vlv-reindex -i CS_instance_name -D DS_bind_DN \
     -w DS_bind_password
      Copy to Clipboard Toggle word wrap

21.1.4. Upgrading the TPS database
Copier lien

The token processing system (TPS) was a technology preview in Certificate System 9.0. Therefore, upgrading the TPS from this version is not supported.
Retour au début
Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2025 Red Hat