
22.3. Importing the Data into the New CA


After setting up the new CA as described in Section 22.2, “Setting up the CA on the New Host”, you can import the data into the Directory Server database:
  1. When migrating from a previous version, it can be necessary to manually clean up the LDAP data interchange format (LDIF) file. Before Red Hat Directory Server 10, syntax checking was disabled by default. Therefore, data from a previous version can include entries that are now invalid in Directory Server 10. For example:
    • Values of boolean attributes must be set either to TRUE or FALSE (all capitalized).

      Important

      Do not automatically update all occurrences to uppercase by using a search and replace utility. Some attributes in the LDIF file contain these strings but do not use the boolean type. Updating these attributes' values can cause the import to fail. Typically, boolean attributes are only used in the cn=CAList,ou=Security Domain,CS_instance_name security domain database entries.
    • Empty strings must be removed. The Directory Server syntax validation does not allow empty strings to be set.
      Empty strings often appear in userType and userState attributes in cmsUser entries in ou=People,CS_instance_name.
    During the import, other entries can fail, too. It is important to verify the log file after the database import. Optionally, you can import the LDIF file into a temporary, empty database to find out which entries caused the import to fail.
  2. Shut down the CA service:
    # systemctl stop pki-tomcatd@instance_name.service
  3. Optionally, back up the CA database on the new host:
    # db2bak
    The backup is stored in the /var/lib/dirsrv/instance_name/bak/host_name-time_stamp/ directory.
  4. Import the data into the new database. For example:
    # ldapmodify -h <hostname> -x -W -D 'cn=Directory Manager' -a -c -f /tmp/ds_bak/old_ca.ldif | \
         tee /root/import.log
    The ldapmodify utility only adds new entries; it does not update the existing entries that were created when you installed the CA, such as:
    • Top level entries. For example: o=pki-tomcat-CA.
    • Default groups. For example: cn=Certificate Manager Agents,ou=groups,o=pki-tomcat-CA.
      Because the standard groups are not updated, the users are not automatically added to these groups. After the import, you must add members to each default group manually. See Section 22.4, “Reassigning Users to Default Groups”.
    • Default access control lists (ACL) for the CA.
    As mentioned earlier, Directory Server 10 uses syntax validation. Verify the output in the /root/import.log file and search for failed actions, such as ldap_add: Invalid syntax (21). For further details, see Step 1.
  5. Remove the directory entry for the old security domain. For example:
    # ldapmodify -W -x -D "cn=Directory Manager"
    dn: cn=server.example.com:9445,cn=CAList,ou=Security Domain,o=pki-tomcat-CA
    changetype: delete
  6. Enable the CA in the /etc/pki/instance_name/ca/CS.cfg file to act as the certificate revocation list (CRL) master:
    ca.crl.MasterCRL.enable=true
  7. Restart the CA service:
    # systemctl start pki-tomcatd@instance_name.service
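As an added example, not part of the Red Hat documentation, the following Python script applies the two scoped cleanups from Step 1 to an LDIF export before you run the import in Step 4: it drops empty attribute values everywhere, but uppercases true/false only in entries under cn=CAList,ou=Security Domain, which is the scope the Important note tells you to respect instead of a global search and replace. The sample LDIF and the parse_ldif and clean_ldif function names are constructed for this example.

```python
import re

# Constructed sample LDIF (not from a real export) showing the two problems
# the procedure names: a lowercase boolean in a cn=CAList security-domain
# entry and an empty userType value in a cmsUser entry.
SAMPLE_LDIF = """dn: cn=server.example.com:9445,cn=CAList,ou=Security Domain,o=pki-tomcat-CA
cn: server.example.com:9445
Clone: false

dn: uid=caadmin,ou=People,o=pki-tomcat-CA
uid: caadmin
userType:
description: false
"""

BOOLEAN_RE = re.compile(r"^(true|false)$", re.IGNORECASE)
# Boolean attributes are only expected under cn=CAList,ou=Security Domain.
SECURITY_DOMAIN_MARKER = ",cn=calist,ou=security domain,"


def parse_ldif(text):
    """Split LDIF into (dn, [(attr, value), ...]) records; unfolds continuation lines."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = []
        for line in re.sub(r"\n ", "", block).splitlines():
            if line and not line.startswith("#"):
                name, _, value = line.partition(":")
                attrs.append((name.strip(), value.lstrip(": ").strip()))
        dn = next((v for a, v in attrs if a.lower() == "dn"), None)
        if dn is not None:
            records.append((dn, [(a, v) for a, v in attrs if a.lower() != "dn"]))
    return records


def clean_ldif(text):
    """Return (cleaned LDIF, findings): empty values dropped everywhere, booleans
    uppercased only in security-domain entries, so 'description: false' is kept."""
    out, findings = [], []
    for dn, attrs in parse_ldif(text):
        in_domain = SECURITY_DOMAIN_MARKER in dn.lower()
        out.append(f"dn: {dn}")
        for attr, value in attrs:
            if value == "":
                findings.append(f"{dn}: removed empty {attr}")
                continue
            if in_domain and BOOLEAN_RE.match(value) and value != value.upper():
                findings.append(f"{dn}: {attr} '{value}' -> '{value.upper()}'")
                value = value.upper()
            out.append(f"{attr}: {value}")
        out.append("")
    return "\n".join(out), findings
```

Review the findings list before importing the cleaned file; any entry that still fails with ldap_add: Invalid syntax (21) in /root/import.log is a case this script does not cover.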
© 2024 Red Hat, Inc.