Database Migration - dogtagpki/pki GitHub Wiki

Exporting PKI Database

Use db2ldif to export the PKI database from the existing DS instance:

$ db2ldif -Z pki-tomcat -U -n ca -a /tmp/ca.ldif

Importing PKI Database

Fixing LDIF file

Newer DS servers may enforce stricter attribute syntax, so the exported LDIF may be rejected on import. Edit /tmp/ca.ldif and make the following changes:

  • remove attributes with empty values (e.g. telephoneNumber)
  • capitalize the DomainManager and Clone attributes
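The two edits above can be applied mechanically instead of by hand. The following is an added example, not a script from the dogtagpki wiki or the PKI project: it drops attribute lines that carry no value and upper-cases the values of DomainManager and Clone. It assumes that "capitalize" refers to those attributes' boolean values (true/false becoming TRUE/FALSE, which is what the DS Boolean syntax accepts); the function names and the sample entry are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the dogtagpki wiki): normalise an exported PKI LDIF
# before importing it into a newer 389 DS instance.
#   1. drop attribute lines with an empty value (e.g. "telephoneNumber: ")
#   2. upper-case the values of DomainManager / Clone so they satisfy the
#      Boolean syntax (TRUE / FALSE) enforced by newer DS versions
# Assumption: "capitalize" in the wiki refers to these boolean values.
#
# Usage: fix_pki_ldif /tmp/ca.ldif > /tmp/ca-fixed.ldif

fix_pki_ldif() {
    awk '
        # attribute line with nothing after the colon: skip it
        # (LDIF continuation lines start with a space, so they never match)
        /^[A-Za-z][A-Za-z0-9;.-]*: *$/ { next }

        # DomainManager / Clone: force the boolean value to upper case;
        # reassigning $2 rebuilds the line as "Attr: VALUE"
        $1 == "DomainManager:" || $1 == "Clone:" { $2 = toupper($2) }

        { print }
    ' "$1"
}

# count_ldif_entries FILE: number of entries (dn: lines) in an LDIF file.
# Useful to compare the export against the numEntries reported by ldapsearch
# after the import.
count_ldif_entries() {
    grep -c '^dn: ' "$1" || true
}

# Example run on a constructed security-domain entry (not real data):
# printf 'dn: ou=Security Domain,dc=ca,dc=example,dc=com\nobjectClass: top\nDomainManager: true\nClone: false\ntelephoneNumber: \n' > /tmp/sample.ldif
# fix_pki_ldif /tmp/sample.ldif
```

Run `fix_pki_ldif /tmp/ca.ldif > /tmp/ca-fixed.ldif` and feed the fixed file to ldif2db in the import step. The awk program is POSIX (no GNU-only `\U` in sed), so it behaves the same on any system where the DS tools run.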

Creating DS instance

Use the same settings to create the new DS instance:

$ setup-ds.pl --silent -- \
        General.FullMachineName=$HOSTNAME \
        General.SuiteSpotUserID=nobody \
        General.SuiteSpotGroup=nobody \
        slapd.ServerPort=389 \
        slapd.ServerIdentifier=pki-tomcat \
        slapd.Suffix=dc=example,dc=com \
        slapd.RootDN="cn=Directory Manager" \
        slapd.RootDNPwd=Secret.123

Importing PKI schema

$ ldapmodify -x -D "cn=Directory Manager" -w Secret.123 -f /usr/share/pki/server/conf/schema.ldif

Applying PKI configuration changes

$ ldapmodify -x -D "cn=Directory Manager" -w Secret.123 -f /usr/share/pki/server/conf/database.ldif

Creating DS backend

$ ldapadd -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: cn=ca,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsBackendInstance
objectClass: extensibleObject
cn: ca
nsslapd-suffix: dc=ca,dc=example,dc=com
EOF

Creating suffix mapping entry

$ ldapadd -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: cn=dc\3Dca\2Cdc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: dc=ca,dc=example,dc=com
nsslapd-backend: ca
nsslapd-state: backend
EOF

Stopping DS instance

$ systemctl stop dirsrv@pki-tomcat.service

Importing PKI database

$ ldif2db -Z pki-tomcat -n ca -i /tmp/ca.ldif

Starting DS instance

$ systemctl start dirsrv@pki-tomcat.service

Verification

$ ldapsearch -x -D "cn=Directory Manager" -w Secret.123 -b "dc=ca,dc=example,dc=com"
