Sun ONE Directory Proxy Server Installation Guide



Appendix A   Migration of Configuration

There are migration issues to consider when installing Sun ONE Directory Proxy Server version 5.2. Migrating from an iPlanet Directory Access Router 5.0 installation to Directory Proxy Server 5.2 requires:

  • Having both iPlanet Directory Access Router 5.0/SP1 and Directory Proxy Server 5.2 installed.
  • Running a migration script.
  • If necessary, configuring SSL on the Directory Proxy Server 5.2 server.

The appendix has the following section:

Preparing for Migration

Note the following before starting the migration:

  • Directory Proxy Server must be installed on a separate server root. Do not install it on top of an existing Directory Access Router installation.
  • The port numbers of the old and new instances must not conflict during the upgrade. If the two services use conflicting ports, be sure to run only one of the two services at any one time after migration.
  • You can continue to use your old server instance after the upgrade or uninstall it.
  • You may migrate from either Directory Access Router version 5.0 or 5.0 SP1.
  • You must use an existing Configuration Directory Server.
  • If you are migrating from one type of platform to another (for example, from a UNIX to a Windows platform), your configuration path names may be incorrect. Modify them for the appropriate platform.
  • When you migrate the old SSL configuration, the new configuration is created but the SSL parameters on the client side are cleared. The existing SSL configuration must be reconfigured manually. For more information see Configuring SSL. You should record your current SSL configuration prior to migration.
  • If your logging is configured to go to <server root>/idar-<host>/logs/fwd.log in the current configuration, it continues going there after migration. If this is not the desired behavior, change your current configuration before or after migration.

Migrating to Directory Proxy Server 5.2

  1. Make sure no other application is modifying Directory Access Router/Directory Proxy Server configuration in the Configuration Directory Server. Close both Directory Proxy Server and Directory Access Router consoles. Do not modify configurations while migration is taking place.
  2. Install Directory Proxy Server 5.2 on a different server root than your old installation.


    Note

    At this time your Directory Access Router 5.0 console is no longer functional.

  3. The migration utility is located in the Directory Proxy Server directory tree. Execute the migration utility migratefromidar50 by entering:

    <install root>/bin/dps_utilities/migratefromidar50 -b <Backup file name> -o <path to tailor.txt file of the Directory Access Router 5.0 Server Instance> -n <path to tailor.txt file of the Directory Proxy Server 5.2 Server Instance>

The following describes migratefromidar50 arguments and their meanings:

Argument    Function

-b          Enter a backup file name. A backup of the "ou=dar-config,o=NetscapeRoot" branch will be made for all configuration directories that appear in the new startup configuration file (specified with the -n flag). A numeric suffix (0..n) will be added to the file name specified to indicate which directory the backup belongs to. The suffix will be '0' for the first entry in the startup configuration file.

-o          Identify the path to the tailor.txt file of the Directory Access Router 5.0 Server Instance.

-n          Identify the path to tailor.txt file of the Directory Proxy Server 5.2 Server Instance.

The configuration is migrated.

  1. If migration fails, delete the ou=dar-config, o=NetscapeRoot subtree and replace it with the entries saved with the -b <Backup file name> argument. The Directory Access Router 5.0 console is no longer fully functional at this point.

    The migration has failed if any of the following conditions exist:

      • The last line of the migration output is not "all done."
      • The console fails to read configuration.
      • The server fails to start after migration and after all SSL related configuration has been manually migrated.

    Restore the backup using ldapadd (LDIF format) or via the Directory Server console.

  2. If SSL was not configured in the previous Directory Access Router instance, restart the new Directory Proxy Server. If SSL was configured, proceed to "Configuring SSL."
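
A wrapper that applies the first failure condition above to the utility's captured output, as an added example that is not part of the Sun documentation. DPS_ROOT, OLD_TAILOR, NEW_TAILOR, BACKUP and LOG are assumed variable names, and how the numeric suffix is attached to the backup file name is an assumption.

```shell
#!/bin/sh
# Added example, not Sun's tooling. Variable names are assumptions.

# Succeed only if the last non-blank line of the captured output is
# "all done". The page quotes it as "all done." so a trailing period
# (and trailing whitespace or CR) is accepted either way.
migration_ok() {                # captured-output-file
    last=$(sed -e 's/[[:space:]]*$//' -e '/^$/d' "$1" | tail -n 1)
    [ "${last%.}" = "all done" ]
}

# List the backups written by -b: one file per configuration directory,
# named after the base name with a numeric suffix (assumed to be last).
backup_files() {                # backup-base-name
    ls -1 "$1"*[0-9] 2>/dev/null
}

# Run the migration, keep the full output, and report on the result.
run_migration() {
    : "${DPS_ROOT:?Directory Proxy Server 5.2 install root}"
    : "${OLD_TAILOR:?tailor.txt of the Directory Access Router 5.0 instance}"
    : "${NEW_TAILOR:?tailor.txt of the Directory Proxy Server 5.2 instance}"
    : "${BACKUP:?backup file name}" "${LOG:?file for captured output}"
    "$DPS_ROOT/bin/dps_utilities/migratefromidar50" \
        -b "$BACKUP" -o "$OLD_TAILOR" -n "$NEW_TAILOR" > "$LOG" 2>&1
    if migration_ok "$LOG"; then
        echo "output ends with 'all done'; still check the console and server start"
    else
        echo "migration failed; restore ou=dar-config,o=NetscapeRoot from:" >&2
        backup_files "$BACKUP" >&2
        return 1
    fi
}

# Only touch the servers when asked to explicitly.
if [ "${1:-}" = "--run" ]; then
    run_migration
fi
```

The exit status of migratefromidar50 is deliberately ignored, because the page defines failure by the last output line and not by a return code.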

Configuring SSL

If you had SSL configured with previous versions of Directory Access Router, use these procedures to migrate your configuration.

If you have an existing installation of Directory Access Router 5.0, you either request and configure a new SSL certificate and key from a Certificate Authority (CA) or reconfigure your existing SSL certificate and key so that they are recognized by the Directory Proxy Server 5.2 software.

  1. Create an SSL certificate database using the Sun ONE Console.

    Refer to "Configuring System Parameters" in the Sun ONE Directory Proxy Server Administrator's Guide for more information.

    Note

    If you are converting existing SSL certificates and keys proceed to Step 2. If you are requesting new SSL Certificates and keys skip to Step 4.

  2. In order to insert your old certificate and private key pair into the just created certificate database, you must convert your certificate/key pair into PKCS12 format. OpenSSL provides a utility that converts PEM certificate/key pairs to PKCS12 format.

    Note

    The conversion of certificates using the openssl utility is not recommended and is not supported by Sun Microsystems. Request new certificates and private key pairs from a Certificate Authority if possible. See the Directory Proxy Server Release Notes for the latest information.

    Find OpenSSL at:

    http://www.openssl.org

    The documentation for OpenSSL is found at:

    http://www.openssl.org/docs/apps/openssl.html

  3. Once you have the certificate/key pair converted to PKCS12 format, use the pk12util software available at the following location to insert them in the certificate database:

    <serverroot>/shared/bin

    The documentation for pk12util is found at:

    www.mozilla.org/projects/security/pki/nss/tools/pk12util.html

  4. If you are requesting a new SSL certificate and key, use the Sun ONE Directory Proxy Server console to generate a certificate request which you can then submit to a Certificate Authority (CA).

    Refer to "Configuring Directory Proxy Server for TLS/SSL-enabled Communication" in the Sun ONE Directory Proxy Server Administrator's Guide for more information.

  5. Once the SSL certificate and key are ready for use with Directory Proxy Server 5.2, configure your system objects as necessary.

    Refer to "Configuring System Parameters" in the Sun ONE Directory Proxy Server Administrator's Guide for more information.

  6. To confirm proper SSL operation, stop and then restart the Directory Proxy Server software.

    Check the log files for the following entry:

    560212 Now listening on port <port number> and socket <socket number> for secured connections.

  7. Before making the new Directory Proxy Server 5.2 installation your production server, make sure that SSL is migrated correctly. Make sure that:

      • The Directory Proxy Server SSL port is set.
      • Clients can establish SSL connections to Directory Proxy Server.
      • If applicable, Directory Proxy Server can establish SSL connections to its backend servers.
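
The conversion path and the post-restart checks above as shell functions, in an added example that is not part of the Sun documentation. File names, the nickname, the certificate database directory and prefix, and the sample log lines are assumptions; the openssl and pk12util options are those tools' documented ones.

```shell
#!/bin/sh
# Added example, not Sun's tooling. File names, nickname, database
# directory and the sample log lines are assumptions.

# Succeed only if the PEM certificate and the private key share a public key.
cert_matches_key() {            # cert.pem key.pem
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# PEM pair -> PKCS12. openssl prompts for the export password, so it is
# never placed in argv or shell history; umask keeps the file owner-only.
pem_to_pkcs12() {               # cert.pem key.pem out.p12 nickname
    cert_matches_key "$1" "$2" || { echo "certificate/key mismatch" >&2; return 1; }
    ( umask 077; openssl pkcs12 -export -in "$1" -inkey "$2" -name "$4" -out "$3" )
}

# Import into the certificate database; an optional prefix is passed with -P.
import_pkcs12() {               # serverroot in.p12 certdb-dir [db-prefix]
    "$1/shared/bin/pk12util" -i "$2" -d "$3" ${4:+-P "$4"}
}

# Port from the most recent 560212 log entry; prints nothing if there is none.
secure_listener_port() {        # logfile
    sed -n 's/.*560212 Now listening on port \([0-9][0-9]*\) and socket [0-9][0-9]* for secured connections.*/\1/p' "$1" | tail -n 1
}

# The secured listener must be on the SSL port you configured.
ssl_port_ok() {                 # logfile expected-port
    [ "$(secure_listener_port "$1")" = "$2" ]
}

# Client handshake that fails on an untrusted or mismatched chain.
client_handshake_ok() {         # host port ca.pem
    openssl s_client -connect "$1:$2" -CAfile "$3" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Constructed log excerpt (the line prefix is invented for the example).
sample_log() {
    printf '%s\n' \
        '[constructed] server starting' \
        '[constructed] 560212 Now listening on port 1636 and socket 7 for secured connections.' \
        '[constructed] 560212 Now listening on port 636 and socket 8 for secured connections.'
}
```

Remove the intermediate PKCS12 file once the import has succeeded, since it holds the private key.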


Copyright 2003 Sun Microsystems, Inc. All rights reserved.