This appendix explains how to use the Migration Tool that comes with Netscape Certificate Management System. This executable command-line script extracts database contents (as stored in the Informix database) and certificate/key data (as stored in flat-file DBM databases) from Certificate Server 1.x and places the data in three platform-independent files that can be transferred by diskette, tape, or FTP to a Certificate Management System 4.0 installation area for import into the new system.
The global variable INFORMIXSQLHOSTS is undefined.
The directory in which you will write the exported files has read and write permissions.
Use the following command in a Unix or DOS command shell:
migrate certsrvroot=<directory> outputdir=<directory> dbrootdir=<directory> servername=<name> help
Arguments
The migrate command takes the following arguments:
There are two stages to the migration process. The Migration Tool first connects to the Informix database, extracts database records, and writes them out to an LDIF file in the specified output directory. It then connects to the flat files containing the key and certificate information, and transfers that information to ASCII files in the output directory.
The tool prompts for the Informix database name and login:
database Name [cmsdb]: <data base name>
database login name [cmsdbusr]: <data base administrative user name>
database password: *********
Starting Database migration...
Connected to database!
migrating certificate records...
extracted 3293 cert record(s)
migrating last serial number...
migrating Certificate Revocation List...
Data Base migration completed, LDIF files generated.
If the migration of data from the Informix database fails, the tool shows the Informix error and asks whether to continue or exit. If you choose to continue, certificate and key migration proceeds. See the Informix manuals to find the source of the problem, fix it, then run the tool again to extract the Informix data.
Starting Database migration...
CMS -- UNLOGGABLE FAILURE: [VENDORLIB] Vendor Library Error: Cannot open file `sql.iem'; Cannot open file `os.iem' (-461)(4)
migrate: error: Could not connect to database!
Continue migration [y|n]: y
In this example, the user chooses to continue with the second phase of the migration, then go back and run the tool on the right machine to perform the Informix database migration.
After it has migrated the records from the Informix database, the tool prompts for the passwords used to open the flat key and certificate database files, as well as a transport password that is used to encrypt data for the migration of certificates and keys.
Enter the passwords used to protect server key data:
Server key password : *******
Signing key password : *******
If either password is incorrect, an error message appears and the tool exits. See Exit Codes and Error Messages.
Select a Transport password to protect the private key material:
Transport password: **********
Verify Transport password: **********
The transport password is used to encrypt keys as they are extracted from the key database, before they are written out to the keyscerts.dat file. If the transport password and the verify transport password entries are not the same, the following message appears, and the tool exits:
Transport and verify transport passwords are not the same
If the transport password does not conform to the two minimum quality rules, one of the following messages appears, and the password prompt reappears:
The transport password must be a minimum of 8 characters
The transport password must contain both alphabetic and numeric characters
When you have entered the passwords, the Migration Tool opens and extracts information from the flat certificate and key database files, writing it out to an ASCII file in the directory specified by the outputdir argument. Text such as the following appears:
Starting Certs and Keys migration...
Successfully Dumped Server Certificate Chain
Successfully Dumped Signing Cert
Successfully dumped ServerKey
Successfully dumped Signing Key
Certs and Keys migration completed, keyscerts.dat file generated
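The checks described above can be rehearsed before the tool is run. The following shell functions are an added example, not part of the Migration Tool or of the original appendix: the function names and return codes are hypothetical, the order of the password checks is an assumption, and the owner-only permission on keyscerts.dat is an added hardening step that the appendix does not itself prescribe.

```shell
#!/bin/sh
# Added example; function names and return codes are hypothetical.

# Preconditions assumed from this appendix: INFORMIXSQLHOSTS undefined,
# output directory readable and writable. Returns 0 when both hold.
preflight() {
    outdir=$1
    # ${VAR+set} expands to "set" whenever VAR is defined, even if empty.
    if [ -n "${INFORMIXSQLHOSTS+set}" ]; then
        echo "INFORMIXSQLHOSTS is defined; unset it first"
        return 1
    fi
    if [ ! -d "$outdir" ] || [ ! -r "$outdir" ] || [ ! -w "$outdir" ]; then
        echo "output directory not readable and writable: $outdir"
        return 1
    fi
    return 0
}

# Apply the documented transport-password rules, printing the tool's messages.
# Returns 0 = acceptable, 1 = mismatch, 2 = too short, 3 = missing letter or digit.
check_transport_password() {
    pw=$1
    verify=$2
    if [ "$pw" != "$verify" ]; then
        echo "Transport and verify transport passwords are not the same"
        return 1
    fi
    if [ "${#pw}" -lt 8 ]; then
        echo "The transport password must be a minimum of 8 characters"
        return 2
    fi
    case $pw in
        *[A-Za-z]*[0-9]* | *[0-9]*[A-Za-z]*) return 0 ;;
    esac
    echo "The transport password must contain both alphabetic and numeric characters"
    return 3
}

# keyscerts.dat carries private keys protected by the transport password;
# keep it owner-only until it is transferred (added hardening step).
lock_down_keys() {
    f=$1/keyscerts.dat
    [ -f "$f" ] || { echo "missing $f"; return 1; }
    chmod 600 "$f"
}
```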
Exit Codes and Error Messages
If the data migration process is successful, the Migration Tool returns the code 0 and prints the success message. If an error occurs, the tool returns one of the error codes and prints an explanatory message in the command shell window. Table A.1 describes the success and error exit codes and conditions.
Table A.1 Exit codes and conditions
When the migrate command is completed successfully, the following files are generated and placed in the specified output directory:
Contents of the 1.x Informix database t_certificate_record table. The entries are in standard LDIF format for use with the ldapmodify -a command.
database_mod.ldif
Contents of the 1.x Informix database, from the CRL and last_serial_number tables. The entries are formatted for use with the ldapmodify command.
keyscerts.dat
An ASCII file containing the private keys (RSA only), public-key certificates (X.509 v3 format) for the signing key and certificate, and the SSL key and certificate. The file contains the full certificate chains of these keys and certificates.
The transport password. This is the password you specified and confirmed during the second phase of the migration process.
The required token passwords. Both of these are for the Certificate Management System installation. Depending on what else you have specified during the configuration, you may not need to provide all of the passwords here; the ones you do not need are inactive.
IBM RS/6000, AIX 4.1, 4.2
Sun Sparc, Solaris 2.4, 2.5
Intel Pentium, Windows NT 3.51, 4.0