Red Hat CERTIFICATE SYSTEM 6.0 - MIGRATION GUIDE, Manual

Page 1: ...Red Hat Certificate System Migration Guide 6 x to 7 3 6 0 Matthew Harmsen ISBN N A Publication date March 12 2008 ...

Page 2: ...provides in depth procedures to migrate subsystems user information and certificate and key materials from Netscape Certificate Management System 6 0 6 1 and 6 2 to Red Hat Certificate System 7 3 Red Hat Certificate System ...

Page 3: ...ibited without the explicit permission of the copyright holder Distribution of the work or derivative of the work in any standard paper book form for commercial purposes is prohibited unless prior permission is obtained from the copyright holder Red Hat and the Red Hat Shadow Man logo are registered trademarks of Red Hat Inc in the United States and other countries All other trademarks referenced ...

Page 4: ...Red Hat Certificate System ...

Page 5: ...ses Migration 24 2 2 Option 2 Security Databases to HSM Migration 26 2 3 Option 3 HSM to Security Databases Migration 30 2 4 Option 4 HSM to HSM Migration 33 3 Online Certificate Status Protocol Manager OCSP Migration 37 3 1 Option 1 Security Databases to Security Databases Migration 37 3 2 Option 2 Security Databases to HSM Migration 39 3 3 Option 3 HSM to Security Databases Migration 43 3 4 Opti...

Page 6: ...vi ...

Page 7: ...on even if the 7 3 installation is on the same machine named delta example com running Red Hat Enterprise Linux This is accomplished simply by supplying a different installation directory for each instance NOTE Throughout this manual all system instances are referred to as Certificate System unless the specific version or product name is required 1 Certificate System Migration Overview The migrati...

Page 8: ...r example migrating from Certificate Management System 6 01 uses the 60ToTxt program to export data Certificate System migration export utilities are files named versionToTxt For migrating 6 0x 6 1 and 6 2 servers to Certificate System 7 3 there are three files which are used depending on your 6 x version 60ToTxt 61ToTxt and 62ToTxt Each export tool contains the following files Two precompiled Jav...

Page 9: ...the comments 1 2 Certificate System Subsystems Certificate System installations may exist on different platforms Additionally each Certificate System installation may contain more than one type of subsystem or more than one instance of a type of subsystem The following subsystems may be present in a Certificate System installation Certificate Authority CA Data Recovery Manager DRM Online Certifica...

Page 10: ... in this table because it is supported on different platforms Table 1 1 Certificate System Subsystem Types and Platforms 2 Considerations before Migration Since all migrations are unique to a deployment it is strongly recommended that the entire migration process be planned in advance Here are some common issues related to migration The Migration Procedure Not all steps in the migration processes ...

Page 11: ...ubsystem Names and Port Numbers It is possible to change the names of migrated Certificate System subsystem instances but greater care must be taken when extracting and renaming certain portions of the data Because port numbers are stored in the server xml file which is unaffected by subsystem migration port numbers can be changed between instances without difficulty About Usage Examples All examp...

Page 12: ...6 ...

Page 13: ...rtificate Management System utility cd usr netscape servers cert instance cmsbackup For more information on using the 6 x backup utility see chapter 8 Backing Up and Restoring Data in the Netscape Certificate Management System 6 x Command Line Tools Guide Additionally RA subsystems in Certificate Management System 6 x cannot be migrated to Certificate System 7 3 The RA subsystem was deprecated in ...

Page 14: ...8 ...

Page 15: ...ion wizard For example http server example com 9080 ca admin console config login pin Yc6EuvuY2OeezKeX7REk The configuration wizard will fully configure the new subsystem instance and will generate all required certificates Make sure to have all necessary information when going through this wizard All subsystems require information to an external Red Hat Directory Server including bind information...

Page 16: ...10 ...

Page 17: ... System Servers 1 First stop all new Certificate System instances etc init d instance_ID stop 2 Then stop the Directory Server instance used by the Certificate System 7 3 servers cd opt redhat ds slapd DS instance stop slapd Chapter 4 11 ...

Page 18: ...12 ...

Page 19: ...uthority CA Migration Section 2 Data Recovery Manager DRM Migration Section 3 Online Certificate Status Protocol Manager OCSP Migration 1 Certificate Authority CA Migration Determine if the migration to be performed involves software security databases an HSM or both and follow the appropriate process for the deployment scenario being migrated Section 1 1 Option 1 Security Databases to Security Da...

Page 20: ...ance_ID alias 4 Log in as root 5 Set the file user and group to the Certificate System user and group chown user group cert8 db chown user group key3 db 6 Log out as root and log back into the system as the Certificate System user 7 Set the file permissions chmod 00600 cert8 db chmod 00600 key3 db 8 List the contents of the certificate database using the certutil tool In this example L lists the c...

Page 21: ...lso modify the ca connector KRA nickname attribute ca connector KRA nickname caSigningCert cert old_CA_instance 12 In the same directory edit the serverCertNick conf file to contain the old certificate nickname For example Server Cert cert old_CA_instance 1 2 Option 2 Security Databases to HSM Migration 1 Remove all the security databases in the Certificate System 7 3 which will receive migrated d...

Page 22: ...ns chmod 00600 cert8 db chmod 00600 key3 db 8 List the certificates stored in the old security databases by using the certutil command L lists the certificates certutil L d Server Cert cert old_CA_instance cu cu cu caSigningCert cert old_CA_instance cu cu cu ocspSigningCert cert old_CA_instance CTu Cu Cu NOTE For Certificate Management System version 6 0x the certificate database is automatically ...

Page 23: ...12 n ocspSigningCert cert old_CA_instance d Enter Password or Pin for NSS Certificate DB Enter password for PKCS12 file Re enter password pk12util PKCS12 EXPORT SUCCESSFUL NOTE The old security databases may contain additional public private key pairs these can also be extracted using pk12util 10 Delete the old security databases rm cert8 db rm key3 db 11 Register the new HSM in the 7 3 token data...

Page 24: ... trust bits on the public private key pairs that were imported into the new HSM certutil M n new_HSM_slot_name Server Cert cert old_CA_instance t cu cu cu d h new_HSM_token_name certutil M n new_HSM_slot_name caSigningCert cert old_CA_instance t CTu CTu CTu d h new_HSM_token_name certutil M n new_HSM_slot_name ocspSigningCert cert old_CA_instance t CTu Cu Cu d h new_HSM_token_name 17 Open the CS c...

Page 25: ... the private key To extract this information contact the HSM vendor The extracted keys should not have any dependencies such as nickname prefixes on the HSM 2 Copy the extracted key pairs from the 6 x server to the 7 3 server cp old_server_root alias ServerCert p12 var lib instance_ID alias ServerCert p12 cp old_server_root alias caSigningCert p12 var lib instance_ID alias caSigningCert p12 cp old...

Page 26: ...PORT SUCCESSFUL pk12util i ocspSigningCert p12 d Enter Password or Pin for NSS Certificate DB Enter password for PKCS12 file pk12util PKCS12 IMPORT SUCCESSFUL 9 Optionally delete the PKCS 12 files rm ServerCert p12 rm caSigningCert p12 rm ocspSigningCert p12 10 Set the trust bits on the public private key pairs that were imported into the 7 3 security databases certutil M n Server Cert cert old_CA...

Page 27: ...he pk12util tool provided by Certificate System cannot extract public private key pairs from an HSM because of requirements in the FIPS 140 1 standard which protect the private key To extract this information contact the HSM vendor The extracted keys should not have any dependencies such as nickname prefixes on the HSM 2 Copy the extracted key pairs from the 6 x server to the 7 3 server cp old_ser...

Page 28: ...certdb list 10 Import the public private key pairs of each entry from the PKCS 12 files into the new HSM pk12util i ServerCert p12 d h new_HSM_slot_name Enter Password or Pin for new_HSM_slot_name Enter password for PKCS12 file pk12util PKCS12 IMPORT SUCCESSFUL pk12util i caSigningCert p12 d h new_HSM_slot_name Enter Password or Pin for new_HSM_slot_name Enter password for PKCS12 file pk12util PKC...

Page 29: ...nce ca signing cacertnickname new_HSM_slot_name caSigningCert cert old_CA_instance ca ocsp_signing cacertnickname new_HSM_slot_name ocspSigningCert cert old_CA_instance 15 If there is CA DRM connectivity then also modify the ca connector KRA nickname attribute ca connector KRA nickname new_HSM_slot_name caSigningCert cert old_CA_instance 16 In the same directory edit the serverCertNick conf file t...

Page 30: ...ration 1 Remove all the security databases in the Certificate System 7 3 server which will receive migrated data rm var lib instance_ID alias cert8 db rm var lib instance_ID alias key3 db NOTE On Certificate Management System 6 0x the certificate database is cert7 db not cert8 db 2 Copy the certificate and key security databases from the 6 x server to the 7 3 server cp old_server_root alias cert o...

Page 31: ...ert old_DRM_instance CT c kraStorageCert cert old_DRM_instance u u u kraTransportCert cert old_DRM_instance u u u NOTE For Certificate Management System version 6 0x the certificate database is automatically converted from cert7 db to cert8 db 9 Open the CS cfg configuration file in the var lib instance_ID conf directory 10 Edit the kra storageUnit nickname and kra transportUnit nickname attribute...

Page 32: ...e is cert7 db not cert8 db 2 Copy the certificate and key security databases from the 6 x server to the 7 3 server cp old_server_root alias cert old_DRM_instance cert8 db var lib instance_ID alias cert8 db cp old_server_root alias cert old_DRM_instance key3 db var lib instance_ID alias key3 db 3 Open the Certificate System alias directory cd var lib instance_ID alias 4 Log in as root 5 Set the fil...

Page 33: ...te System databases using the pk12util tool o exports the key pairs to a PKCS 12 file and n sets the name of the certificate and the old database prefix pk12util o ServerCert p12 n Server Cert cert old_DRM_instance d Enter Password or Pin for NSS Certificate DB Enter password for PKCS12 file Re enter password pk12util PKCS12 EXPORT SUCCESSFUL pk12util o kraStorageCert p12 n kraStorageCert cert old...

Page 34: ...ty databases may contain additional public keys these can also be extracted using certutil 11 Delete the old security databases rm cert8 db rm key3 db 12 Register the new HSM in the 7 3 token database modutil nocertdb dbdir add new_HSM_token_name libfile new_HSM_library_path new_HSM_library 13 Identify the new HSM slot name modutil dbdir nocertdb list 14 Create new security databases certutil N d ...

Page 35: ...into the new HSM certutil M n new_HSM_slot_name Server Cert cert old_DRM_instance t cu cu cu d h new_HSM_token_name certutil M n new_HSM_slot_name kraStorageCert cert old_DRM_instance t u u u d h new_HSM_token_name certutil M n new_HSM_slot_name kraTransportCert cert old_DRM_instance t u u u d h new_HSM_token_name 18 Import the public key from the base 64 file into the new HSM and set the trust bi...

Page 36: ... from an HSM because of requirements in the FIPS 140 1 standard which protect the private key To extract this information contact the HSM vendor The extracted keys should not have any dependencies such as nickname prefixes on the HSM 2 Copy the extracted key pairs from the 6 x server to the 7 3 server cp old_server_root alias ServerCert p12 var lib instance_ID alias ServerCert p12 cp old_server_ro...

Page 37: ...HSM_slot_name caSigningCert cert old_DRM_instance d h old_HSM_token_name a caSigningCert b64 e Copy the key information from the 6 x server to the 7 3 server cp old_server_root alias caSigningCert b64 var lib instance_ID alias caSigningCert b64 4 Open the Certificate System alias directory cd var lib instance_ID alias 5 Log in as root 6 Set the file user and group to the Certificate System user an...

Page 38: ...ert p12 d Enter Password or Pin for NSS Certificate DB Enter password for PKCS12 file pk12util PKCS12 IMPORT SUCCESSFUL 10 Optionally delete the PKCS 12 files rm ServerCert p12 rm kraStorageCert p12 rm kraTransportCert p12 11 Set the trust bits on the public private key pairs that were imported into the 7 3 security databases certutil M n Server Cert cert old_DRM_instance t cu cu cu d certutil M n...

Page 39: ...1 Extract the public private key pairs from the HSM The format for the extracted key pairs should be portable such as a PKCS 12 file The pk12util tool provided by Certificate System cannot extract public private key pairs from an HSM because of requirements in the FIPS 140 1 standard which protect the private key To extract this information contact the HSM vendor The extracted keys should not have...

Page 40: ...Certificate Management System 6 x certutil tool to extract the public key from the security databases and save the base 64 output to a file old_server_root bin cert tools certutil L n old_HSM_slot_name caSigningCert cert old_DRM_instance d h old_HSM_token_name a caSigningCert b64 e Copy the key information from the 6 x server to the 7 3 server cp old_server_root alias caSigningCert b64 var lib ins...

Page 41: ...rivate key pairs of each entry from the PKCS 12 files into the new HSM pk12util i ServerCert p12 d h new_HSM_slot_name Enter Password or Pin for new_HSM_slot_name Enter password for PKCS12 file pk12util PKCS12 IMPORT SUCCESSFUL pk12util i kraStorageCert p12 d h new_HSM_slot_name Enter Password or Pin for new_HSM_slot_name Enter password for PKCS12 file pk12util PKCS12 IMPORT SUCCESSFUL pk12util i ...

Page 42: ...ce t CT c d h new_HSM_token_name i caSigningCert b64 15 Optionally delete the base 64 file rm caSigningCert b64 16 Open the CS cfg configuration file in the var lib instance_ID conf directory 17 Edit the kra storageUnit nickname and kra transportUnit nickname attributes to reflect the 7 3 DRM information kra storageUnit nickname new_HSM_slot_name kraStorageCert cert old_DRM_instance kra transportU...

Page 43: ... is not possible for Certificate Management System 6 0x versions only Certificate Management System 6 1 or 6 2 3 1 Option 1 Security Databases to Security Databases Migration 1 Remove all the security databases in the Certificate System 7 3 server which will receive migrated data rm var lib instance_ID alias cert8 db rm var lib instance_ID alias key3 db NOTE On Certificate Management System 6 0x t...

Page 44: ...y databases using the certutil command L lists the certificates certutil L d Server Cert cert old_OCSP_instance cu cu cu caSigningCert cert old_OCSP_instance CT c ocspSigningCert cert old_OCSP_instance cu cu cu NOTE For Certificate Management System version 6 0x the certificate database is automatically converted from cert7 db to cert8 db 9 Open the CS cfg configuration file in the var lib instanc...

Page 45: ...ert8 db rm var lib instance_ID alias key3 db NOTE On Certificate Management System 6 0x the certificate database is cert7 db not cert8 db 2 Copy the certificate and key security databases from the 6 x server to the 7 3 server cp old_server_root alias cert old_OCSP_instance cert8 db var lib instance_ID alias cert8 db cp old_server_root alias cert old_OCSP_instance key3 db var lib instance_ID alias ...

Page 46: ...abase is automatically converted from cert7 db to cert8 db 9 Export the public private key pairs of each entry in the Certificate System databases using the pk12util tool o exports the key pairs to a PKCS 12 file and n sets the name of the certificate and the old database prefix pk12util o ServerCert p12 n Server Cert cert old_OCSP_instance d Enter Password or Pin for NSS Certificate DB Enter pass...

Page 47: ...public keys these can also be exported using the certutil tool 11 Delete the old security databases rm cert8 db rm key3 db 12 Register the new HSM in the 7 3 token database modutil nocertdb dbdir add new_HSM_token_name libfile new_HSM_library_path new_HSM_library 13 Identify the new HSM slot name modutil dbdir nocertdb list 14 Create new security databases certutil N d 15 Import the public private...

Page 48: ...name ocspSigningCert cert old_OCSP_instance t cu cu cu d h new_HSM_token_name 18 Import the public key from the base 64 file into the new HSM and set the trust bits certutil A n new_HSM_slot_name caSigningCert cert old_OCSP_instance t CT c d h new_HSM_token_name i caSigningCert b64 19 Optionally delete the base 64 file rm caSigningCert b64 20 Open the CS cfg configuration file in the var lib insta...

Page 49: ...the 6 x server to the 7 3 server cp old_server_root alias ServerCert p12 var lib instance_ID alias ServerCert p12 cp old_server_root alias ocspSigningCert p12 var lib instance_ID alias ocspSigningCert p12 3 Extract the public key of the CA signing certificate from the old security databases and save the base 64 encoded output to a file called caSigningCert b64 a Open the Certificate Management Sys...

Page 50: ...user group ocspSigningCert p12 chown user group caSigningCert b64 7 Log out as root and log back into the system as the Certificate System user 8 Set the file permissions chmod 00600 ServerCert p12 chmod 00600 ocspSigningCert p12 chmod 00600 caSigningCert b64 9 Import the public private key pairs of each entry from the PKCS 12 files into the 7 3 security databases pk12util i ServerCert p12 d Enter...

Page 51: ... n caSigningCert cert old_OCSP_instance t CT c d i caSigningCert b64 13 Optionally delete the base 64 file rm caSigningCert b64 14 Open the CS cfg configuration file in the var lib instance_ID conf directory 15 Edit the ocsp signing certnickname attribute to reflect the 7 3 OCSP instance ocsp signing certnickname ocspSigningCert cert old_OCSP_instance NOTE The caSigningCert is not referenced in th...

Page 52: ...refixes on the HSM 2 Copy the extracted key pairs from the 6 x server to the 7 3 server cp old_server_root alias ServerCert p12 var lib instance_ID alias ServerCert p12 cp old_server_root alias ocspSigningCert p12 var lib instance_ID alias ocspSigningCert p12 3 Extract the public key of the CA signing certificate from the old security databases and save the base 64 encoded output to a file called ...

Page 53: ...e Certificate System alias directory cd var lib instance_ID alias 5 Log in as root 6 Set the file user and group to the Certificate System user and group chown user group ServerCert p12 chown user group ocspSigningCert p12 chown user group caSigningCert b64 7 Log out as root As the Certificate System user set the file permissions chmod 00600 ServerCert p12 chmod 00600 ocspSigningCert p12 chmod 006...

Page 54: ...new HSM certutil M n new_HSM_slot_name Server Cert cert old_OCSP_instance t cu cu cu d h new_HSM_token_name certutil M n new_HSM_slot_name ocspSigningCert cert old_OCSP_instance t cu cu cu d h new_HSM_token_name 13 Import the public key from the base 64 file into the new HSM and set the trust bits certutil A n new_HSM_slot_name caSigningCert cert old_OCSP_instance t CT c d h new_HSM_token_name i c...

Page 55: ...ot referenced in the CS cfg file 17 In the same directory edit the serverCertNick conf file to contain the old certificate nickname For example new_HSM_slot_name Server Cert cert old_OCSP_instance Option 4 HSM to HSM Migration 49 ...

Page 56: ...50 ...

Page 57: ...tance config 2 Run the PasswordCache tool from the tools directory to retrieve the passwords from the database old_server_root bin cert tools PasswordCache old_passwordcache_password d old_server_root alias P cert old_instance old_hostname c pwcache db list This lists the information stored in the password cache cert key prefix cert old_instance old_hostname path old_server_root alias about to rea...

Page 58: ...he file user and group to the Certificate System user and group chown user group password conf 7 Log out as root As the Certificate System user change the permissions on the password file chmod 00600 password conf 8 Copy the tags and passwords that were listed from the 6 x pwdcache db file into the password conf file Chapter 6 Step 5 Migrating Password Cache Data 52 ...

Page 59: ...y usr share rhpki migrate a Open the Certificate System instance directory The migration utilities are in the migrate directory cd usr share rhpki b Package the latest version of the Certificate System migration utility using zip or tar tar cvf migrate tar migrate NOTE Regardless of the packaging tool used the corresponding tool must be present on the 6 x server machine If the platforms are identi...

Page 60: ...ity package and any additional utilities such as the unzip utility that were copied to the Certificate Management System 6 x server rm migrate tar 2 Log into the Directory Server for the Certificate System 7 3 instance and export the internal database content to LDIF The internal database name for the Certificate System instance is in the internaldb database parameter in the CS cfg file Name the o...

Page 61: ...n read modify allow read group Administrators group Auditors group Certificate Manager Agents group Registration Manager Agents group Data Recovery Manager Agents group Online Certificate Status Manager Agents allow modify group Administrators Administrators auditors and agents are allowed to read user and group configuration but only administrators are allowed to modify list of ACLs objectClass t...

Page 62: ...strators uniqueMember uid admin ou People basedn dn cn Enterprise TKS Administrators ou groups basedn description People who are the administrators for the security domain for TKS objectClass top objectClass groupOfUniqueNames cn Enterprise TKS Administrators uniqueMember uid admin ou People basedn dn cn Enterprise RA Administrators ou groups basedn description People who are the administrators fo...

Page 63: ...LDIF directory and copy the old txt file into the Certificate System 7 3 server instance s internal database LDIF directory You can use any copy tool such as sftp scp and mv cd old_server_root slapd old_instance db ldif cp old_server_root slapd old_instance db ldif old txt opt redhat ds slapd DS instance ldif 7 Log into the 7 3 server as the Certificate System user and open the Certificate System ...

Page 64: ... into the Certificate System 7 3 server instance s internal database a Open the Certificate System 7 3 database directory cd opt redhat ds slapd DS instance db b Run the ldif2db tool to import the LDIF file into the Certificate System database The internal database name for the Certificate System instance is in the internaldb database parameter in the CS cfg file For example ldif2db n server examp...

Page 65: ...policyset set1 p1 default params ldap enable true policyset set1 p1 default params ldap searchName uid policyset set1 p1 default params ldapStringAttributes uid mail policyset set1 p1 default params ldap basedn dc example dc com policyset set1 p1 default params ldap maxConns 4 policyset set1 p1 default params ldap minConns 1 policyset set1 p1 default params ldap ldapconn Version 2 policyset set1 p...

Page 66: ...et1 p1 default params ldap maxConns 4 policyset set1 p1 default params ldap minConns 1 policyset set1 p1 default params ldap ldapconn Version 2 policyset set1 p1 default params ldap ldapconn host ldaphostA example com policyset set1 p1 default params ldap ldapconn port 389 policyset set1 p1 default params ldap ldapconn secureConn false The altered profile serves certificate requests with S MIME su...

Page 67: ... System 7 3 Instances 1 Restart the Directory Server for the Certificate System 7 3 instance cd opt redhat ds slapd DS instance start slapd 2 Start all of the Certificate System 7 3 instances etc init d instance_ID start Chapter 9 61 ...

Page 68: ...62 ...

Page 69: ... example com 9443 ca 3 Select the Configuration tab 4 Select the System Keys and Certificates option from the menu on the left 5 Select the Local Certificates tab on the right 6 Press the Add Renew button to launch the Certificate Setup Wizard 7 Follow the wizard prompts and fill in the appropriate information a In the Type of Operation panel select the Request a certificate option the default b I...

Page 70: ...tem Console select the Configuration tab 4 In the left menu select the Keys and Certificates option 5 Select the Local Certificates tab on the right 6 Press the Add Renew button to launch the Certificate Setup Wizard 7 Go through the screens in the wizard to request the certificate a In the Type of Operation panel select the Request a Certificate option the default b In the Certificate Selection p...

Page 71: ... select SSL Server Certificate from the pull down menu c Enter in any necessary information in the Location of Certificate panel d Go through the remaining panels in the Certificate Setup Wizard to install the updated SSL server certificate 11 Restart the Certificate System CA instance etc init d rhpki ca restart 3 Generating a New DRM OCSP or TKS SSL Server Certificate 1 Open the subsystem instan...

Page 72: ...ts also e Click through the remaining panels in the Certificate Setup Wizard 7 Obtain the SSL server certificate request and store it in a base 64 file 8 Submit the SSL server certificate request to a CA and wait for approval of the request 9 After the SSL server certificate is approved click the Add Renew button to relaunch the Certificate Setup Wizard a In the Type of Operation panel select the ...

Page 73: ...onsole Use the Console to configure any custom behavior of the different subsystems such as customized plug ins logging and auditing A subsystem may have to be restarted once all configuration changes have been applied Chapter 11 67 ...

Page 74: ...68 ...

Page 75: ...7 3 server to ensure that everything is working properly For example http server example com 9080 ca ee ca https server example com 9443 ca agent ca Then log into the Certificate System Console and verify that the new server can be managed through the Console pkiconsole https server example com ca The port numbers for all the agent services interfaces can be found in the server xml in the conf dir...

Page 76: ...70 ...