User manual REDHAT SYSTEM 8.0 MIGRATION GUIDE 7.X TO 8.0

[. . . ] Red Hat Certificate System 8. 0 Migration Guide 7. x to 8. 0 Publication date: July 22, 2009, updated on March 22, 2010 Matthew Harmsen Migration Guide Red Hat Certificate System 8. 0 Migration Guide 7. x to 8. 0 Edition 8. 0. 7 Author Editor Copyright © 2009 Red Hat, Inc. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution­Share Alike 3. 0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons. org/licenses/by-sa/3. 0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version. [. . . ] For example: new_HSM_slot_name:Server-Cert cert-old_DRM_instance 5. 2. Migrating Subsystem Password Stores The password information for the Certificate System subsystems are saved in a special password file. In Certificate System 7. 1, these were kept in the pwcache. db file. The contents of the password file must be decrypted and listed using the PasswordCache tool in the 7. x subsystem instance. Then, this information must be used to build the contents of the 8. 0 password. conf file. In Certificate System 7. 2, passwords were kept in the password. conf file in the / etc/subsystem_name directory, the same file that is used in Certificate System 8. 0. This file contains the passwords for both internal database and the password for the key3. db file. The 7. 2 or 7. 3 password. conf file just needs to be copied over to the 8. 0 conf directory. 5. 2. 1. Log into the 7. x server as the Certificate System user for that machine, and open the config/ directory. cd old_server_root/cert-old_instance/config/ 2. Run the PasswordCache tool from the tools directory to retrieve the passwords from the database. old_server_root/bin/cert/tools/PasswordCache old_passwordcache_password d old_server_root/alias -P cert-old_instance-old_hostname- -c pwcache. db list This lists the information stored in the password cache. cert/key prefix = cert-old_instance-old_hostnamepath = old_server_root/alias about to read password cache ----- Password Cache Content ----internal : password Internal LDAP Database : passwordldap 3. Use the listed tags and passwords to create the password. conf file. For example: 54 Migrating Passwords from 7. 2 and 7. 3 internal=password Internal LDAP Database=passwordldap 4. If the 7. x server instance used the password. conf file to start the server instance automatically, then this file must also be migrated to the 8. 0 server instance. cp old_server_root/cert-old_instance/config/password. conf /var/lib/new_DRM_instance/conf/ password. conf 5. Log into the 8. 0 server as the Certificate System user, and open the Certificate System conf/ directory. cd /var/lib/new_DRM_instance/conf/ 6. Log in as root, and set the file user and group to the Certificate System user and group. chown user:group password. conf 7. As the Certificate System user, change the permissions on the password file. chmod 00600 password. conf 8. Copy the tags and passwords that were listed from the 7. x pwdcache. db file into the password. conf file. The password cache dump from the pwdcache. db file looks like the following: internal : password Internal LDAP Database : password The password. conf file has the following format: internal=310062130979 internaldb=password internaldb in 8. 0 is the same as Internal LDAP Database in 7. x. 5. 2. 2. Migrating Passwords from 7. 2 and 7. 3 Versions 7. 2, 7. 3, and 8. 0 all store passwords in a text file, password. conf, in the conf/ directory. To migrate the passwords, simply copy the password. conf file to the 8. 0 instance directory. NOTE Make sure that the permissions and ownership for the password. conf file are set properly so that it can be accessed by the migrated instance. Log in as root, and set the file user and group to the Certificate System user and group. 55 Chapter 5. Migrating a DRM Instance to Certificate System 8. 0 # chown user:group password. conf 2. [. . . ] As the Certificate System user, change the permissions on the files. chmod 00600 ServerCert. p12 chmod 00600 caSigningCert. b64 9. Register the new HSM in the new token database. modutil -nocertdb -dbdir . -add new_HSM_token_name -libfile new_HSM_library_path/new_HSM_library 10. Identify the new HSM slot name. modutil -dbdir . [. . . ]