Chapter 21. Upgrading the Database
21.1. Upgrading the Database from 9.0 to 9.1
After you have upgraded the packages and configuration files, you must manually upgrade the database schema and subsystem databases for every Certificate System instance.
21.1.1. Upgrading the Database Schema
To upgrade the Certificate System database schema in Directory Server:
# ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x

dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( realm-oid NAME 'realm' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )

dn: cn=schema
changetype: modify
delete: objectClasses
objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $ dateOfModify $ requestState $ requestResult $ requestOwner $ requestAgentGroup $ requestSourceId $ requestType $ requestFlag $ requestError $ userMessages $ adminMessages ) X-ORIGIN 'user defined' )
-
add: objectClasses
objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $ dateOfModify $ requestState $ requestResult $ requestOwner $ requestAgentGroup $ requestSourceId $ requestType $ requestFlag $ requestError $ userMessages $ adminMessages $ realm ) X-ORIGIN 'user defined' )

dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( authorityID-oid NAME 'authorityID' DESC 'Authority ID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( authorityKeyNickname-oid NAME 'authorityKeyNickname' DESC 'Authority key nickname' SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 SINGLE-VALUE X-ORIGIN 'user-defined' )
attributeTypes: ( authorityParentID-oid NAME 'authorityParentID' DESC 'Authority Parent ID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( authorityEnabled-oid NAME 'authorityEnabled' DESC 'Authority Enabled' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( authorityDN-oid NAME 'authorityDN' DESC 'Authority DN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( authoritySerial-oid NAME 'authoritySerial' DESC 'Authority certificate serial number' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( authorityParentDN-oid NAME 'authorityParentDN' DESC 'Authority Parent DN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( authorityKeyHost-oid NAME 'authorityKeyHost' DESC 'Authority Key Hosts' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )

dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( authority-oid NAME 'authority' DESC 'Certificate Authority' SUP top STRUCTURAL MUST ( cn $ authorityID $ authorityKeyNickname $ authorityEnabled $ authorityDN ) MAY ( authoritySerial $ authorityParentID $ authorityParentDN $ authorityKeyHost $ description ) X-ORIGIN 'user defined' )
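A read-only check for the schema changes in this section, as an added example that is not part of the original guide: it unfolds an LDIF dump of cn=schema and reports any of the new attribute types or object class changes that are missing. The function names and the ldapsearch invocation in the comment (which reuses the connection options of the ldapmodify call) are assumptions.

```shell
#!/bin/sh
# Added example: verify the section 21.1.1 schema changes in an LDIF dump of
# cn=schema. Assumed way to produce the dump (read-only):
#   ldapsearch -D "cn=Directory Manager" -W -h server.example.com -p 389 -x \
#       -b cn=schema -s base attributeTypes objectClasses > schema.ldif

# Attribute types added by the procedure.
NEW_ATTRS="realm authorityID authorityKeyNickname authorityParentID
authorityEnabled authorityDN authoritySerial authorityParentDN authorityKeyHost"

# Join LDIF continuation lines: a line that starts with one space continues
# the previous line, so long schema definitions arrive folded.
unfold_ldif() {
    awk 'NR > 1 && /^ / { buf = buf substr($0, 2); next }
         NR > 1 { print buf }
         { buf = $0 }
         END { if (NR) print buf }' "$1"
}

# Print every expected definition that is missing; return 1 if any is.
check_schema() {
    schema=$(unfold_ldif "$1") || return 2
    attrs=$(printf '%s\n' "$schema" | grep -i '^attributeTypes:') || :
    classes=$(printf '%s\n' "$schema" | grep -i '^objectClasses:') || :
    missing=0
    for name in $NEW_ATTRS; do
        printf '%s\n' "$attrs" | grep -q "NAME '$name'" ||
            { echo "missing attributeType: $name"; missing=1; }
    done
    printf '%s\n' "$classes" | grep -q "NAME 'authority'" ||
        { echo "missing objectClass: authority"; missing=1; }
    # The redefined request class must list realm as an optional attribute.
    printf '%s\n' "$classes" | grep "NAME 'request'" |
        grep -Eq 'MAY \(.*[ $]realm[ )]' ||
        { echo "request objectClass does not allow realm"; missing=1; }
    return "$missing"
}

# Usage: sh check-schema.sh schema.ldif
if [ "$#" -eq 1 ]; then check_schema "$1"; fi
```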
21.1.2. Upgrading the CA Database
To upgrade the certificate authority (CA) database:
- Upgrade the container entries:
# ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x

dn: ou=authorities,ou=ca,CA_base_DN
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: authorities
- Upgrade the access control list (ACL) entries:
# ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x

dn: cn=aclResources,CA_base_DN
changetype: modify
add: resourceACLS
resourceACLS: certServer.ca.authorities:list,read:allow (list,read) user="anybody":Anybody may list and read lightweight authorities
resourceACLS: certServer.ca.authorities:create,modify:allow (create,modify) group="Administrators":Administrators may create and modify lightweight authorities
resourceACLS: certServer.ca.authorities:delete:allow (delete) group="Administrators":Administrators may delete lightweight authorities
- Upgrade the database indexes:
# ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x

dn: cn=issuername,cn=index,cn=CA_database_name,cn=ldbm database, cn=plugins, cn=config
changetype: add
objectClass: top
objectClass: nsIndex
nsindexType: eq
nsindexType: pres
nsindexType: sub
nsSystemindex: false
cn: issuername
- Add the realm attribute:
# ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x

dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( realm-oid NAME 'realm' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
delete: objectClasses
objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $ dateOfModify $ requestState $ requestResult $ requestOwner $ requestAgentGroup $ requestSourceId $ requestType $ requestFlag $ requestError $ userMessages $ adminMessages ) X-ORIGIN 'user defined' )
-
add: objectClasses
objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $ dateOfModify $ requestState $ requestResult $ requestOwner $ requestAgentGroup $ requestSourceId $ requestType $ requestFlag $ requestError $ userMessages $ adminMessages $ realm ) X-ORIGIN 'user defined' )
- Remove the certificate validity delay:
- In the /var/lib/pki/instance_name/ca/profiles/ca/caDualCert.cfg file, set:
policyset.signingCertSet.2.default.params.startTime=0
- In the /var/lib/pki/instance_name/ca/profiles/ca/caECDualCert.cfg file, set:
policyset.signingCertSet.2.default.params.startTime=0
- In the /var/lib/pki/instance_name/ca/profiles/ca/caJarSigningCert.cfg file, set:
policyset.caJarSigningSet.2.default.params.startTime=0
- In the /var/lib/pki/instance_name/ca/profiles/ca/caSignedLogCert.cfg file, set:
policyset.caLogSigningSet.2.default.params.startTime=0
- Add the issuerName attribute to certificate records:
# pki-server db-upgrade
- Update the attribute syntax to allow underscores in instance names:
# ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x

dn: cn=schema
changetype: modify
delete: objectClasses
objectClasses: ( authority-oid NAME 'authority' DESC 'Certificate Authority' SUP top STRUCTURAL MUST ( cn $ authorityID $ authorityKeyNickname $ authorityEnabled $ authorityDN ) MAY ( authoritySerial $ authorityParentID $ authorityParentDN $ authorityKeyHost $ description ) X-ORIGIN 'user defined' )
-
delete: attributeTypes
attributeTypes: ( authorityKeyNickname-oid NAME 'authorityKeyNickname' DESC 'Authority key nickname' SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 SINGLE-VALUE X-ORIGIN 'user-defined' )
-
add: attributeTypes
attributeTypes: ( authorityKeyNickname-oid NAME 'authorityKeyNickname' DESC 'Authority key nickname' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'user-defined' )
-
add: objectClasses
objectClasses: ( authority-oid NAME 'authority' DESC 'Certificate Authority' SUP top STRUCTURAL MUST ( cn $ authorityID $ authorityKeyNickname $ authorityEnabled $ authorityDN ) MAY ( authoritySerial $ authorityParentID $ authorityParentDN $ authorityKeyHost $ description ) X-ORIGIN 'user defined' )
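One way to script the certificate validity delay step of this procedure, as an added example rather than a Red Hat tool: it sets each listed startTime parameter to 0, keeps a .bak copy of every file it changes, and leaves a profile alone (with a non-zero exit status) when the parameter is not present. The function names and the directory argument are assumptions.

```shell
#!/bin/sh
# Added example: apply the startTime=0 settings from the CA upgrade procedure.

# file:parameter pairs exactly as listed in the procedure.
SETTINGS="caDualCert.cfg:policyset.signingCertSet.2.default.params.startTime
caECDualCert.cfg:policyset.signingCertSet.2.default.params.startTime
caJarSigningCert.cfg:policyset.caJarSigningSet.2.default.params.startTime
caSignedLogCert.cfg:policyset.caLogSigningSet.2.default.params.startTime"

# Set parameter=0 in one profile file. The file is rewritten in place, so
# its owner and mode are kept; the previous content is saved as FILE.bak.
set_start_time() {
    file=$1 key=$2
    [ -f "$file" ] || { echo "skip: $file not found" >&2; return 1; }
    grep -qxF "$key=0" "$file" && return 0    # already set, leave untouched
    # Escape the dots so the parameter name is matched literally.
    pattern=$(printf '%s' "$key" | sed 's/\./\\./g')
    if ! grep -q "^$pattern=" "$file"; then
        echo "review manually: $key not present in $file" >&2
        return 1
    fi
    cp -p "$file" "$file.bak"
    sed "s/^$pattern=.*/$key=0/" "$file.bak" > "$file"
}

# Process every listed profile under the given directory; return 1 if any
# file was missing or did not contain its parameter.
apply_all() {
    dir=$1 rc=0
    for pair in $SETTINGS; do
        set_start_time "$dir/${pair%%:*}" "${pair#*:}" || rc=1
    done
    return "$rc"
}

# Usage: sh set-start-time.sh /var/lib/pki/instance_name/ca/profiles/ca
if [ "$#" -eq 1 ]; then apply_all "$1"; fi
```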
21.1.3. Upgrading the KRA database
To update the key recovery authority (KRA) database:
- Upgrade the database indexes:
# ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x

dn: cn=realm,cn=index,cn=KRA_database_name,cn=ldbm database, cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: nsIndex
nsindexType: eq
nsindexType: pres
nsSystemindex: false
cn: realm
- Add the realm attribute:
# ldapmodify -D "cn=Directory Manager" -W -h server.example.com -p 389 -x

dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( realm-oid NAME 'realm' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
delete: objectClasses
objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $ dateOfModify $ requestState $ requestResult $ requestOwner $ requestAgentGroup $ requestSourceId $ requestType $ requestFlag $ requestError $ userMessages $ adminMessages ) X-ORIGIN 'user defined' )
-
add: objectClasses
objectClasses: ( request-oid NAME 'request' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( requestId $ dateOfCreate $ dateOfModify $ requestState $ requestResult $ requestOwner $ requestAgentGroup $ requestSourceId $ requestType $ requestFlag $ requestError $ userMessages $ adminMessages $ realm ) X-ORIGIN 'user defined' )
-
delete: objectClasses
objectClasses: ( keyRecord-oid NAME 'keyRecord' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $ keyState $ privateKeyData $ ownerName $ keySize $ metaInfo $ dateOfArchival $ dateOfRecovery $ algorithm $ publicKeyFormat $ publicKeyData $ archivedBy $ clientId $ dataType $ status ) X-ORIGIN 'user defined' )
-
add: objectClasses
objectClasses: ( keyRecord-oid NAME 'keyRecord' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $ keyState $ privateKeyData $ ownerName $ keySize $ metaInfo $ dateOfArchival $ dateOfRecovery $ algorithm $ publicKeyFormat $ publicKeyData $ archivedBy $ clientId $ dataType $ status $ realm ) X-ORIGIN 'user defined' )
- Update and re-index the virtual list views (VLV):
- Delete the existing indexes:
# pki-server kra-db-vlv-del -i CS_instance_name -D DS_bind_DN \
      -w DS_bind_password
- Add the new indexes:
# pki-server kra-db-vlv-add -i CS_instance_name -D DS_bind_DN \
      -w DS_bind_password
- Restart the Directory Server instance:
# systemctl restart dirsrv@DS_instance_name
- Re-index the database:
# pki-server kra-db-vlv-reindex -i CS_instance_name -D DS_bind_DN \
      -w DS_bind_password
21.1.4. Upgrading the TPS database
The token processing system (TPS) was a technology preview in Certificate System 9.0. Therefore, upgrading the TPS from this version is not supported.