Netscape Certificate Management System Installation and Deployment Guide:

About This Guide
Chapter 1 Introduction to Certificate Management System
Chapter 2 Default Demo Installation
Chapter 3 Planning Your Deployment
Chapter 4 Installation Worksheet
Chapter 5 Installation and Configuration
Appendix A Migrating from Certificate Server 1.x
Appendix B Certificate Extensions
Appendix C Certificate Download Specification
Appendix D Using SSL with iPlanet Web Server, Enterprise Edition
Appendix E Export Control Information
Glossary
Index

Contents

Index

Bookshelf

Appendix A Migrating from Certificate Server 1.x

This appendix explains how to use the Migration Tool that comes with Netscape Certificate Management System. This executable command-line script extracts database contents (as stored in the Informix database) and certificate/key data (as stored in flat-file DBM databases) from Certificate Server 1.x and places the data in three platform-independent files that can be transferred by diskette, tape, or FTP to a Certificate Management System 4.x installation area for importing into the new system.

This appendix has the following sections:

Using the Migration Tool

Importing Data to New Databases

Hardware, Operating System, and Version Support

Using the Migration Tool

The Migration Tool is installed when you install CMS. You run the tool after installation and before you run the Installation Wizard to configure your instance (the Installation Wizard will ask for the files generated by the Migration Tool).

Use the migrate command appropriate for the platform on which your Certificate Server 1.x is running. You will probably need to copy the migrate executable from the machine where you installed Certificate Management System 4.x to the Certificate Server machine using FTP, a diskette, or a shared network disk. The migrate executables are located in platform-specific directories:

<server_root>/bin/cert/tools/migrate/<platform>

To begin the migration process, you enter the migrate command and its arguments in a command shell, provide database information and passwords, and monitor the output in the shell window.

Before running the Migration Tool, make sure that the following conditions have been met:

You have processed all pending database requests.

You have stopped the instance of Certificate Server 1.x that you will migrate.

The global variable INFORMIXSQLHOSTS is undefined.

You are able to run the Migration Tool as a user with permission to read magnus.conf, CASigningKey.db, ServerCert.db, and ServerKey.db in the config/ directory of the Certificate Server 1.x instance.

The user running the Migration Tool has read and write permissions in the output directory.

On AIX, the directory containing Informix is /usr/informix (the default). If Informix has not been installed in /usr/informix, you can make a symoblic link from there to the actual installation directory.

On Windows NT, the location of the Informix DLLs is in the PATH environment variable. If not, the Migration Tool will fail because it cannot find ISQLT07C.DLL. For example, if the Informix installation directory is c:\informix, PATH must include c:\informix\bin.

To terminate the execution of the tool at any time, type Control-C on Unix or Control-Break on Windows NT.

Command-Line Syntax

Use the following command in a Unix or DOS command shell:

migrate certsrvroot=<directory> outputdir=<directory>

	dbrootdir=<directory> servername=<name> help

The certsrvroot directory must be the directory that contains the config directory for the server instance. For example, if the Certificate Server 1.x instance config directory is /opt/ns-home/cert-server/config, use / opt/ns-home/cert-server as the certsrvroot parameter.

Arguments

The migrate command takes the following arguments:


certsrvroot	The server root/server identifier, as defined in the Certificate Server 1.x installation documentation. This directory must point to the root of the server instance that will be migrated.
outputdir	A directory that does not currently exist but that will be created and populated with the results of the migrate command.
dbrootdir	The directory in which the Informix database resides--by default, /usr/informix on Unix platforms and c:\informix on Windows NT.
servername	The name of the Informix database server from which to extract data. By default, the database server name is ifmx_online.
help	Optional. Prints a usage string for the command to the command shell.

The Migration Process

There are two stages to the migration process. The Migration Tool first connects to the Informix database, extracts database records, and writes them out to an LDIF file in the specified output directory. It then opens the flat files containing the key and certificate information, and transfers that information to ASCII files in the output directory.

When you issue the migrate command, the tool prompts you to enter login information and passwords for the Certificate Server 1.x Informix database, and performs the first phase of the migration. After migrating the database records, the tool prompts for a transport password to protect the exported data, the password for the existing CA Signing key, and the password for the existing SSL Server key. Using these passwords, the tool migrates the flat file information.

Entering Informix Database Login Information

The tool prompts for the Informix database name and login:

STARTING Informix Data Base migration...

  ENTER the existing "Certificate Server 1.x" Informix Data Base 
Information:

    Informix Data Base name [cmsdb]: <data base name>  

    Informix Data Base login name [cmsdbusr]: <db administrative login> 

    Informix Data Base password: *********

The database name is the name of the Informix database in which the Certificate Server tables t_cert_record, t_seq_num_gen, and t_iss_auth_prop reside.

The default database name and user name are those used for a standard installation of Certificate Server 1.x. Unless you changed the names during the installation, you can accept the defaults by pressing Enter at the prompt.

When you enter the login information, the Migration Tool connects to the database, extracts records, and writes the extracted records to files in the directory specified by the outputdir argument. Text such as the following appears:

  CONNECTED to Informix Data Base...

  MIGRATING certificate records...

    Extracted 1 cert record(s)

    Extracted 2 cert record(s)

    ...

  MIGRATING last serial number...

  MIGRATING certificate revocation list...

SUCCESSFULLY completed Informix Data Base migration;

GENERATED "database_add.ldif" and "database_mod.ldif" files!

If the migration of data from the Informix database fails, the tool describes the Informix error and asks whether to continue or exit. If you choose to continue, certificate and key migration proceeds. See Informix manuals to find the source of the problem, fix it, then run the tool again to extract the Informix data.

For example, if you run the Migration Tool on the wrong computer, and it cannot find the Informix database, you might see the following message referring to the Informix error 461 (file not found):

Starting Database migration... 

CMS -- UNLOGGABLE FAILURE: [VENDORLIB] Vendor Library Error: 

Cannot open file `sql.iem'; Cannot open file `os.iem' (-461)(4)

migrate: error: Could not connect to database!

Continue migration [y|n]: y

In this example, the user chooses to continue with the second phase of the migration, then go back and run the tool on the right machine to migrate the Informix database information to CMS.

Entering Key and Certificate Database Passwords

After the Migration Tool has migrated the records from the Informix database, it converts and exports the SSL server and CA signing certificate chains.

Next, the tool asks you to create a transport password. The transport password is used to encrypt keys as they are extracted from the key database, before they are written out to the keyscerts.dat file.

STARTING Certs and Keys Data Base migration...

  SUCCESSFULLY dumped Server Certificate Chain!

  SUCCESSFULLY dumped CA Signing Certificate Chain!

  ENTER a new "CMS 4.x" Transport password

  used to protect the private key material:

    Transport password: ********

    Verify Transport password: *********

If the transport password and the verify transport password entries are not the same, the following message appears, and the tool exits:

Transport and verify transport passwords are not the same

If the transport password does not conform to the two minimum quality rules, one of the following messages appears:

The transport password must be a minimum of 8 characters

The transport password must contain both alphabetic and numeric 
characters

After this message, the password prompt appears so you can enter a new password.

Next, the tool will ask for the passwords needed to access the existing SSL server certificate and CA signing certificate:

  ENTER the existing "Certificate Server 1.x" password

  used to protect SSL Server Key data:

    SSL Server Key password: ********

  SUCCESSFULLY dumped SSL Server Key!

  ENTER the existing "Certificate Server 1.x" password

  used to protect CA Signing Key data:

    CA Signing Key password: *********

If either password is incorrect, an error message appears and the tool exits. See Exit Codes and Error Messages.

When you enter the passwords, the Migration Tool opens and extracts information from the flat certificate and key database files, writing the information to an ASCII file in the directory specified by the outputdir argument. If the migration is successful, text such as the following appears:

  SUCCESSFULLY dumped CA Signing Key!

SUCCESSFULLY completed Certs and Keys Data Base migration;

GENERATED "keycerts.dat" file!Starting Certs and Keys migration...

Exit Codes and Error Messages

When the Migration Tool exits, it provides an exit code and displays an explanatory message. If the data migration process is successful, the Migration Tool returns the code 0 and prints the success message. If an error occurs, the tool returns one of the error codes and prints an error message. In some cases, you will be asked if you want to continue when an error ocurrs. If you answer `no', the tool exits with the status listed. Table A.1 describes the success and error exit codes and messages.

Table A.1 Exit codes and conditions


Exit codes	Exit message	Reason
0	Successfully created outputdir with Certificate Server 1.x data and the three output files	Indicates successful export of both the key material and database contents.
1	Invalid password; unable to export	One of the three passwords required to access the signing key, server key, or database was incorrect. Check your passwords and try running the Migration Tool again.
2	Could not connect to the Informix Data Base!	A problem occurred opening a connection to the DBMS. Check to make sure the DBMS is running. Use onmonitor or another Informix command to start the DBMS. In most cases this error occurs if a user name or password is incorrect.
3	mkdir of output directory failed -- Either parent directory does not exist OR Not enough disk space or inodes	The tool could not create the output directory. Make sure that the parent directory exists and that the user running the tool has write permission in that directory.
4	Transport and verify transport passwords are not the same	The strings entered for the password and then for verification were not the same.
5	ERROR: encrypting the SSL Server Key Material according to the new transport password. ERROR: can not encrypt the CA Signing Key material according to the new transport password.	The named key could not be encrypted using the transport password provided. The tool may have been unable to allocate memory during encryption or there may be a problem accessing the Certificate Server 1.x key database file.
6	Could not open [outputdir/database_add.ldif \| outputdir/database_mod.ldif] for write	The tool failed to create ldif files in the output directory. Possible permissions problem.
7	failure_location: Out of memory	The tool was unable to allocate more memory at the indicated location.
8	Base 64 Encoding of data failed: Unable to encode	Possible corrupt binary data was found. The tool could not proceed with base-64 encoding of binaries obtained from the database or from the flat database files.
9	could not open full_pathname/magnus.conf	The configuration file needed to find the locations of Certificate Server 1.x flat database files does not exist, cannot be read, or cannot be found.
15	ERROR: Writing key data	The tool could not write a key, certificate, or certificate chain to the keyscerts.dat file. Make sure that the user running the tool has write permission on keyscerts.dat and the output directory where it is stored.
16	Failed to open the Key Data Base: filename.	The tool could not open the named SSL Server key database file for reading. The user running the tool must have read access to the database file (config/ServerKey.db by default).
17	can not open CA Signing Key Data Base: filename	The tool could not open the CA Signing key database file for reading. The user running the tool must have read access to the database file (config/CASigningKey.db by default).
20	lost connection to Informix Data Base while migrating certificate revocation list.	The connection to the Informix database became invalid while the tool was attempting to migrate records. Check to make sure that the database server is still running.
21	Data Base table "t_iss_auth_prop" was not found. CRL migration skipped.	If the t_iss_auth_prop table is not found in the database, CRL migration cannot be completed.
22	Data Base table "t_cert_record" was not found, certificate records migration aborted.	The t_cert_record table is required for migration. If the database you have specified does not include this table, the migration cannot succeed.
23	Data Base table "t_seq_num_gen" was not found, CRL migration aborted.	If the t_seq_num_gen table is not found in the database, the tool cannot determine the new starting serial number for the 4.x installation.
24	No binary found in "t_iss_auth_prop", CRL migration skipped. or No entries were found in "t_iss_auth_prop", CRL migration aborted.	The t_iss_auth_prop table exists, but it either contains no data or the records it contains do not have data in the blob_val field that can be converted to a base-64 encoding.

Generated Files

When you run the Migration Tool, the files database_add.ldif, database_mod.ldif, and keyscerts.dat are generated and placed in the output directory (specified by the outputdir argument):

database_add.ldif

Contents of the 1.x Informix database t_certificate_record table. The entries are in standard ldif format for use with the ldapmodify -a command.

database_mod.ldif

Contents of the 1.x Informix database, from the CRL and last_serial_number tables. The entries are formatted for use with the ldapmodify command.

keyscerts.dat

An ASCII file containing the private keys (RSA only), public-key certificates (X.509 v3 format) for the signing key and certificate, and the SSL key and certificate. The file contains the full certificate chains of these keys and certificates.

Temporary data structures (such as request queues or transactions in process) are not converted. Therefore, before running the Migration Tool, the database administrator should have processed all pending requests.

Using Output Files on Another Platform

This section only applies if you are migrating from any UNIX platform to Windows NT or from Windows NT to any UNIX platform.

The output files from the Migration Tool are all plain ASCII files. UNIX and Windows NT use different line breaks in ASCII files, so when you transfer the output from Windows NT to UNIX (or vice versa) you need to modify the files. ASCII files transferred from Windows NT to UNIX will have an extra Ctrl-M at the end of each line that needs to be removed before the Installation Wizard can import the data in the files. ASCII files transferred from UNIX to Windows NT may not have the Ctrl-M (the whole file will appear as one line in a text editor); you need to insert carriage returns manually to break the file into separate lines.

Most FTP clients will convert the line breaks in the ASCII file to the appropriate native control character, so consider using FTP to transfer the files to the Certificate Management System 4.x machine if it is available.

If you are unsure whether your files need to be converted, or if you have problems during the import phase of the Installation Wizard, convert your files according to the steps in Converting Output Files.

A simple way to convert your files is to use the stream editor sed. Any conversion involves one UNIX machine, and all UNIX machines should have sed installed. Therefore, the instructions should be followed when the files are on the UNIX machine (whether you are transferring to or from UNIX).

Converting Output Files

Move the files to new filenames

The output of the conversion will be overwrite any files with the original names:

# mv database_add.ldif database_add.ldif.orig

# mv database_mod.ldif database_mod.ldif.orig

# mv keyscerts.dat keyscerts.dat.orig

Use sed to convert the files to the appropriate format.

To convert from Windows NT to UNIX, remove the Ctrl-M line breaks:

# sed -e 's/^M//g' database_add.ldif.orig > database_add.ldif

# sed -e 's/^M//g' database_mod.ldif.orig > database_mod.ldif

# sed -e 's/^M//g' keyscerts.dat.orig > keyscerts.dat

To convert from UNIX to Windows NT, add a Ctrl-M to each line break:

# sed -e 's/$/^M/g' database_add.ldif.orig > database_add.ldif

# sed -e 's/$/^M/g' database_mod.ldif.orig > database_mod.ldif

# sed -e 's/$/^M/g' keyscerts.dat.orig > keyscerts.dat

To get the ^M to show up in the shell commands, press Ctrl-V then Ctrl-M. If this does not work in your shell, run the command in the Bourne shell (/ bin/sh).

Importing Data to New Databases

When you are installing Certificate Management System, the Installation Wizard offers you the choice of importing existing certificates and keys. If you select this option, the following screen appears.

Use this screen to enter the following information:

The path to the three generated files. This is the directory you specified in the outputdir argument to the migrate command.

The transport password. This is the password you specified and confirmed during the second phase of the migration process.

The required token passwords. Both of these are for the Certificate Management System installation. Depending on what else you have specified during the configuration, you may not need to provide all of the passwords here; the ones you do not need are inactive.

When you click Next, the Installation Wizard imports the needed certificates and keys that you have exported from Certificate Server 1.x. Depending on how you have configured the installation, the Wizard imports the server SSL certificate, the CA signing certificate, or both.

Once all of the data has been imported, your Certificate Management System 4.0 server will use the original CA Signing certificate and SSL Server certificate. If the new server is running on a different machine than the Certificate Server 1.x instance, you probably will want to issue a new SSL Server Certificate. See Chapter 8 "Keys and Certificates" in Netscape Certificate Management System Administrator's Guide for instructions for replacing the SSL Server certificate.

The administrator's certificate that was used to manage Certificate Server 1.x will no longer work as the administrator certificate. Once the Installation Wizard has finished, continue with Administrator/Agent Certificate Enrollment to issue a new certificate for the administrator.

Hardware, Operating System, and Version Support

Netscape has tested the Migration Tool on the following Certificate Server 1.x platforms and operating systems:

Hewlett-Packard PA, HP-UX 10.10

IBM RS/6000, AIX 4.1, 4.2

Sun Sparc, Solaris 2.4, 2.5.1

Intel Pentium, Windows NT 3.51, 4.0