Directory Services 7.3.5

After you upgrade

The DS server upgrade process preserves the existing configuration as much as possible. This maintains compatibility, but there are additional steps you must take.

Checklist

Use this checklist to make sure you don’t miss these important post-upgrade tasks:

Task Done?

Back up your directory data.

Backup files are not compatible between versions.

Before starting this task, complete the work to Use the new security model.

Update your scripts to account for incompatible changes.

Plan your move away from deprecated features.

Move to dedicated service accounts for your directory applications.

You would not run all your UNIX applications as root, or all your Windows applications as Administrator. Stop using administrator accounts like cn=Directory Manager as service accounts.

Many DS setup profiles create service accounts for applications to use when authenticating to DS. For examples of AM service accounts, refer to the base-entries.ldif files in setup profiles under the opendj/template/setup-profiles/AM directory.

Manually review and purge the DS server configurations for stale references to old servers.

You can read the opendj/config/config.ldif file to find stale references, but always use the dsconfig command to make changes to the configuration.

After you upgrade by adding new servers, but before you retire old servers, update bootstrap replication server settings to remove the old servers, and add the new, DS 7 servers.

Review what’s new and changed in the intervening releases to identify useful changes, and take advantage of new features and improvements.

Use the new security model (in-place upgrades only, required).

Clean up admin data (required for upgrades from DS 6.5 and earlier).

Before starting this task, complete the work to Use the new security model, and if applicable, to Eliminate outdated password storage.

Activate cloud storage for backup (in-place upgrades only, optional).

If you back up to cloud storage, set the storage endpoint as described.

Many example commands in this page use cn=Directory Manager as the name of the directory superuser account. This was the default before DS 7.

Here, cn=Directory Manager stands for the name of the directory superuser account in DS 6.5 and earlier.

Use the new security model

If you have upgraded DS 6.5 or earlier servers in place, enable upgraded servers to use the new security model. You cannot add new servers using normal procedures until you have completed these steps. Some new features depend on the new model.

If you started by adding DS 7 or later servers, as described in When adding new servers, then the new DS servers already have the keys. In that case, you can skip these steps.

DS release 7 changes the security model to let you configure replication at setup time, to make disaster recovery more straightforward, and to simplify symmetric key distribution:

  • In prior releases, trust and symmetric key distribution in a replication topology depends on the replicated cn=admin data base DN. DS servers prior to release 7 reference each others' instance keys, and use them to protect symmetric keys in cn=admin data entries.

  • DS servers now rely on a deployment ID and password to derive a shared master key, and provide a default PKI to trust each others' certificates. DS servers protect symmetric keys using the shared master key to encrypt and decrypt them. For details, refer to Deployment IDs.

The following examples demonstrate the process of creating keys and updating the configuration for replicas installed with the DS 6.5 evaluation profile:

  1. Make sure you have upgraded all DS servers to version 7 or later.

  2. Generate a deployment ID for the deployment:

    ###
    # Generate a deployment ID for the topology.
    # Do this once and SAVE THE DEPLOYMENT ID:
    $ dskeymgr create-deployment-id --deploymentIdPassword password
    <deployment-id>
    bash

    For more command options, refer to dskeymgr. The default validity for the deployment ID is 10 years.

  3. For each upgraded server, add at least the shared master key generated using the deployment ID:

    Show details
    \###
    # Use the same deployment ID on each server:
    export DEPLOYMENT_ID=<deployment-id>
    
    # Add a shared master key based on the deployment ID:
    dskeymgr \
     export-master-key-pair \
     --alias master-key \
     --deploymentId $DEPLOYMENT_ID \
     --deploymentIdPassword password \
     --keyStoreFile /path/to/opendj/config/keystore \
     --keyStorePassword:file /path/to/opendj/config/keystore.pin
    
    # Deployment ID-based PKI?
    # Add a deployment ID CA certificate:
    dskeymgr \
     export-ca-cert \
     --deploymentId $DEPLOYMENT_ID \
     --deploymentIdPassword password \
     --keyStoreFile /path/to/opendj/config/keystore \
     --keyStorePassword:file /path/to/opendj/config/keystore.pin
    
    # Deployment ID-based PKI?
    # Add a deployment ID-based TLS certificate:
    dskeymgr \
     create-tls-key-pair \
     --deploymentId $DEPLOYMENT_ID \
     --deploymentIdPassword password \
     --keyStoreFile /path/to/opendj/config/keystore \
     --keyStorePassword:file /path/to/opendj/config/keystore.pin \
     --hostname localhost \
     --hostname opendj.example.com \
     --subjectDn CN=DS,O=ForgeRock
    bash

    The default validity for the certificate is one year.

  4. For each upgraded server, start the server, if necessary.

  5. For each upgraded server, update the configuration to use the new keys.

    Show details

    The following example uses the private PKI keys based on the deployment ID and password. At minimum, even if you use your own keys for PKI, update the Crypto Manager to use the shared master key:

    # Copy the keys used to protect secret keys and replication traffic
    # to the default key manager keystore.
    # This makes the keys available for trust and decryption
    # after you switch to the default key and trust managers:
    keytool \
     -importkeystore \
     -srckeystore /path/to/opendj/db/ads-truststore/ads-truststore \
     -srcstorepass:file /path/to/opendj/db/ads-truststore/ads-truststore.pin \
     -destkeystore /path/to/opendj/config/keystore \
     -deststoretype PKCS12 \
     -deststorepass:file /path/to/opendj/config/keystore.pin
    
    # Configure the server to wrap new secret keys
    # using the new shared master key:
    dsconfig \
     set-crypto-manager-prop \
     --set key-manager-provider:"Default Key Manager" \
     --set master-key-alias:master-key \
     --reset digest-algorithm \
     --reset mac-algorithm \
     --reset key-wrapping-transformation \
     --hostname localhost \
     --port 4444 \
     --bindDN "cn=Directory Manager" \
     --bindPassword password \
     --trustAll \
     --no-prompt
    
    # Deployment ID-based PKI?
    dsconfig \
     create-trust-manager-provider \
     --set enabled:true \
     --set trust-store-file:config/keystore \
     --set trust-store-pin:\&{file:config/keystore.pin} \
     --set trust-store-type:PKCS12 \
     --type file-based \
     --provider-name PKCS12 \
     --hostname localhost \
     --port 4444 \
     --bindDn "cn=Directory Manager" \
     --trustAll \
     --bindPassword password \
     --no-prompt
    
    # Switch to the new keys to secure
    # administrative and replication communications:
    dsconfig \
     set-administration-connector-prop \
     --set ssl-cert-nickname:ssl-key-pair \
     --set trust-manager-provider:PKCS12 \
     --hostname localhost \
     --port 4444 \
     --bindDn "cn=Directory Manager" \
     --trustAll \
     --bindPassword password \
     --no-prompt
    
    dsconfig \
     set-synchronization-provider-prop \
     --provider-name "Multimaster Synchronization" \
     --set key-manager-provider:"Default Key Manager" \
     --set ssl-cert-nickname:ssl-key-pair \
     --set trust-manager-provider:PKCS12 \
     --hostname localhost \
     --port 4444 \
     --bindDn "cn=Directory Manager" \
     --trustAll \
     --bindPassword password \
     --no-prompt
    
    # Switch to the new keys for other secure communications:
    dsconfig \
     set-connection-handler-prop \
     --handler-name HTTPS \
     --set ssl-cert-nickname:ssl-key-pair \
     --set trust-manager-provider:PKCS12 \
     --hostname localhost \
     --port 4444 \
     --bindDn "cn=Directory Manager" \
     --trustAll \
     --bindPassword password \
     --no-prompt
    
    dsconfig \
     set-connection-handler-prop \
     --handler-name LDAP \
     --set ssl-cert-nickname:ssl-key-pair \
     --set trust-manager-provider:PKCS12 \
     --hostname localhost \
     --port 4444 \
     --bindDn "cn=Directory Manager" \
     --trustAll \
     --bindPassword password \
     --no-prompt
    
    dsconfig \
     set-connection-handler-prop \
     --handler-name LDAPS \
     --set ssl-cert-nickname:ssl-key-pair \
     --set trust-manager-provider:PKCS12 \
     --hostname localhost \
     --port 4444 \
     --bindDn "cn=Directory Manager" \
     --trustAll \
     --bindPassword password \
     --no-prompt
    bash
  6. For each upgraded server, restart the server, causing it to generate new secret keys, wrapped using the shared master key:

    stop-ds --restart
    bash

Eliminate outdated password storage

Reversible password storage schemes (3DES, AES, Blowfish, RC4) are deprecated since DS 7.0. Many password storage schemes are no longer enabled by default for new installations.

After upgrading to DS 7 and later, migrate active accounts away from the following deprecated and outdated password storage schemes:

  • 3DES

  • AES

  • Base64

  • Blowfish

  • CRYPT

  • Clear

  • PBKDF2

  • PKCS5S2

  • SHA-1

  • Salted SHA-1

  • Salted SHA-256

  • Salted SHA-384

  • Salted SHA-512

Follow these steps:

  1. On at least one DS replica, add an index for passwords using deprecated or outdated storage schemes.

    The following example creates the index on an upgraded server with data for dc=example,dc=com in a backend called userRoot. The directory superuser account on the upgraded server has DN cn=Directory Manager:

    dsconfig \
     create-backend-index \
     --backend-name userRoot \
     --type generic \
     --index-name userPassword \
     --set index-type:big-extensible \
     --set big-index-included-attribute-value:3DES \
     --set big-index-included-attribute-value:AES \
     --set big-index-included-attribute-value:Base64 \
     --set big-index-included-attribute-value:Blowfish \
     --set big-index-included-attribute-value:CRYPT \
     --set big-index-included-attribute-value:Clear \
     --set big-index-included-attribute-value:PBKDF2 \
     --set big-index-included-attribute-value:PKCS5S2 \
     --set big-index-included-attribute-value:SHA-1 \
     --set big-index-included-attribute-value:Salted\ SHA-1 \
     --set big-index-included-attribute-value:Salted\ SHA-256 \
     --set big-index-included-attribute-value:Salted\ SHA-384 \
     --set big-index-included-attribute-value:Salted\ SHA-512 \
     --set big-index-matching-rule:1.3.6.1.4.1.36733.2.1.4.14 \
     --hostname localhost \
     --port 4444 \
     --bindDn "cn=Directory Manager" \
     --bindPassword password \
     --trustAll \
     --no-prompt
    
    rebuild-index \
     --baseDN dc=example,dc=com \
     --index userPassword \
     --hostname localhost \
     --port 4444 \
     --bindDN "cn=Directory Manager" \
     --bindPassword password \
     --trustAll
    bash

    The ds-evaluation setup profile, described in Install DS for evaluation, includes a userPassword big index for reversible password storage schemes.

  2. Search for accounts using these password storage schemes on the replica where you added the index:

    ldapsearch \
     --hostname localhost \
     --port 1636 \
     --useSSL \
     --bindDN "cn=Directory Manager" \
     --bindPassword password \
     --trustAll \
     --simplePageSize 100 \
     --baseDn dc=example,dc=com \
      "(|(userPassword:1.3.6.1.4.1.36733.2.1.4.14:=3DES)\
    (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=AES)\
    (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=BASE64)\
    (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=BLOWFISH)\
    (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=CRYPT)\
    (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=CLEAR)\
    (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=PBKDF2)\
    (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=PKCS5S2)\
    (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=RC4)\
    (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=SHA)\
    (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=SSHA)\
    (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=SSHA256)\
    (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=SSHA384)\
    (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=SSHA512))" \
     1.1
    bash

    If the search returns no matches, set enabled: false for the unused storage schemes in each server configuration. You can safely skip to Clean up admin data.

  3. If the search returns any DNs, migrate active accounts to another storage scheme, such as PBKDF2-HMAC-SHA256.

    For details, refer to Deprecate a password storage scheme. When a user binds successfully with their existing password or changes their password, DS stores the password with the new scheme.

  4. Wait for all active accounts to bind or to update their passwords.

    The definition of active depends on the deployment. You decide how long a user can go without binding before you consider their account inactive. For details, refer to Active accounts.

  5. Run the search again, adding a filter to match active accounts.

    After the migration, the search ideally returns no results.

  6. When you are confident active accounts no longer use deprecated or outdated storage schemes, set enabled: false for the unused storage schemes in each server configuration.

    Inactive accounts—​those with no binds during the migration—​must now reset their passwords before they can bind.

Clean up admin data

These steps are required after you upgrade from DS 6.5 and earlier to ensure servers share secret keys according to the new security model. You must follow the upgrade procedures to add new DS 7 servers until you have completed these steps.

If, after cleanup, your deployment still stores secret keys under the replicated cn=admin data base DN, do not disable cn=admin data or remove the adminRoot database.

This applies, for example, to deployments that use (deprecated) reversible password storage schemes (3DES, AES, Blowfish, RC4). It also applies to deployments where servers were set up in production mode, and use keys with automatically generated, self-signed certificates to protect replication connections.

If you do choose to disable cn=admin data and remove the adminRoot database, you must first manually ensure that admin data is no longer used, and then remove references to it from your configuration.

  1. Make sure you have upgraded all DS servers to version 7 or later.

    If you upgraded by adding new servers, and still have DS 6.5 or earlier servers, retire them before continuing.

    As explained in Checklist at the top of this page, this means purging stale references to retired servers from the new servers' configurations, and updating bootstrap replication server settings to reference only the new, DS 7 servers.

  2. If you upgraded in place, make sure you have followed the steps in Use the new security model.

  3. Run the cleanup command.

    For example, run the cleanup command on each server with directory superuser credentials. If the credentials are the same on every server, it is sufficient to run the command once:

    $ dsrepl \
     cleanup-migrated-pre-7-0-topology \
     --bindDn "cn=Directory Manager" \
     --bindPassword password \
     --hostname localhost \
     --port 4444 \
     --trustAll \
     --no-prompt
    bash

    The command is idempotent. You can run it multiple times if the initial run cannot fully complete the cleanup process.

  4. Remove unused configuration settings:

    Show details
    dsconfig \
     delete-key-manager-provider \
     --provider-name "Crypto Manager Key Manager" \
     --hostname localhost \
     --port 4444 \
     --bindDn "cn=Directory Manager" \
     --trustAll \
     --bindPassword password \
     --no-prompt
    
    dsconfig \
     delete-key-manager-provider \
     --provider-name "Replication Key Manager" \
     --hostname localhost \
     --port 4444 \
     --bindDn "cn=Directory Manager" \
     --trustAll \
     --bindPassword password \
     --no-prompt
    
    dsconfig \
     delete-trust-manager-provider \
     --provider-name "Replication Trust Manager" \
     --hostname localhost \
     --port 4444 \
     --bindDn "cn=Directory Manager" \
     --trustAll \
     --bindPassword password \
     --no-prompt
    
    # Skip this command if the deployment has passwords stored
    # with reversible password storage schemes:
    dsconfig \
     delete-backend \
     --backend-name adminRoot \
     --hostname localhost \
     --port 4444 \
     --bindDn "cn=Directory Manager" \
     --trustAll \
     --bindPassword password \
     --no-prompt
    bash
  5. Replace references to Admin Data in the server configuration.

    Find all references to admin data in your configuration:

    $ grep -i "admin data" /path/to/opendj/config/config.ldif
    bash

    How you replace or remove these references depends on your deployment.

  6. Remove unused files:

    # Skip these commands if the deployment has passwords stored
    # with reversible password storage schemes:
    rm -rf /path/to/opendj/db/adminRoot
    rm -rf /path/to/opendj/db/ads-truststore
    bash

Add a monitor user account

The dsrepl status command, and general server monitoring require an account with the monitor-read privilege. Since DS 6, you can create a monitor user account at setup time. However, the setup process does not require that you create such an account, and earlier versions do not offer the option.

If no such account exists, do one of the following:

Use this replicated account when monitoring DS servers, and when running the dsrepl status command.

Update LDAP schema

Update LDAP schema definitions to support new features.

When you upgrade servers, the servers inherit existing LDAP schema definitions. This ensures compatibility between the newer and older servers during upgrade. However, upgrade does not apply changes that new features depend on.

Once all servers run the latest software, add LDAP schema definitions required to use additional features:

  1. Make sure you have upgraded all DS servers to version 7 or later.

  2. Compare current schema definitions with the schema templates.

    The following example summarizes the differences for a new server added to a 6.5 deployment:

    $ cd /path/to/opendj
    $ diff -q db/schema template/db/schema
    Files db/schema/00-core.ldif and template/db/schema/00-core.ldif differ
    Files db/schema/03-pwpolicyextension.ldif and template/db/schema/03-pwpolicyextension.ldif differ
    Files db/schema/04-rfc2307bis.ldif and template/db/schema/04-rfc2307bis.ldif differ
    Only in db/schema: 60-ds-evaluation-schema.ldif
    Only in db/schema: 99-user.ldif
    bash

    The following table summarizes the changes in detail:

    Schema File Notes Action

    00-core.ldif

    An update of the mail attribute to support UTF-8 characters, and cosmetic changes due to schema replication:

    • Each definition in db/schema/00-core.ldif has X-SCHEMA-FILE '00-core.ldif'. No definitions in template/db/schema/00-core.ldif have the X-SCHEMA-FILE extension.

    • Some object classes in db/schema/00-core.ldif are explicitly defined as STRUCTURAL.

    Other minor differences:

    • In 7, some attribute definitions have minimum upper bounds.

    • The schema for collective attributes is extended.

    Replace with template file

    03-pwpolicyextension.ldif

    The new version was rewritten to support fully featured replicated password policies.

    Replace with template file

    04-rfc2307bis.ldif

    In DS 7.2 and later, the new version aligns schema definitions with those of the latest RFC 2703bis Internet-Draft, An Approach for Using LDAP as a Network Information Service.

    Replace with template file

    60-ds-evaluation-schema.ldif

    Added to existing version by the evaluation setup profile.

    Keep existing file

    99-user.ldif

    Contains replication metadata.

    Keep existing file

    Any schema file missing in template/db/schema

    This includes schema from setup profiles, and any custom schema definitions for the deployment.

    Keep existing file

  3. For each upgraded server, update the schema to the latest version.

    The following example updates the schema on a single server. Always stop a server before making changes to its files:

    $ cd /path/to/opendj
    $ ./bin/stop-ds
    $ cp template/db/schema/00-core.ldif db/schema
    $ cp template/db/schema/03-pwpolicyextension.ldif db/schema
    $ cp template/db/schema/04-rfc2307bis.ldif db/schema
    $ ./bin/start-ds
    bash
  4. Rebuild indexes for the following attributes, which DS considers degraded:

    • automountInformation

    • automountKey

    • automountMapName

    • gecos

    • ipHostNumber

    • ipNetworkNumber

    • mail

    • memberNisNetGroup

    • memberUid

    • nisMapEntry

    • nisNetgroupTriple

    For details, refer to Automate index rebuilds.

Tune settings

Major software releases include significant changes that can render existing tuning settings obsolete. When upgrading to a new major release of DS or Java software, revisit the system configuration, server configuration, and Java settings. Adjust the settings appropriately for your deployment as part of the upgrade process.

For information and suggestions on tuning, read the Release notes and Performance tuning.

Use string-based server IDs

After upgrading from earlier releases, you can change server IDs to strings:

  1. Make sure you have upgraded all DS servers to version 7 or later.

  2. For each server, change the global server ID to the desired string.

    The following example shows a command that changes a server’s global ID to a string:

    $ dsconfig \
     set-global-configuration-prop \
     --hostname localhost \
     --port 4444 \
     --bindDN uid=admin \
     --bindPassword password \
     --set server-id:ds-us-west-1 \
     --usePkcs12TrustStore /path/to/opendj/config/keystore \
     --trustStorePassword:file /path/to/opendj/config/keystore.pin \
     --no-prompt
    bash
  3. Restart the server for the change to take effect.

Use the entity tag plugin for ETags

The ETag plugin generates ETag attribute values more efficiently. For compatibility, the plugin is configured by default only on new servers.

After upgrading all servers, you can configure the plugin manually on each server:

  1. Make sure you have upgraded all DS servers.

  2. For each server, configure the plugin:

    $ dsconfig \
     create-plugin \
     --plugin-name "Entity Tag" \
     --type entity-tag \
     --set enabled:true \
     --set invoke-for-internal-operations:true \
     --hostname localhost \
     --port 4444 \
     --bindDN uid=admin \
     --bindPassword password \
     --usePkcs12TrustStore /path/to/opendj/config/keystore \
     --trustStorePassword:file /path/to/opendj/config/keystore.pin \
     --no-prompt
    bash

The plugin generates real ETag attributes for new and updated entries.

Activate cloud storage for backup

When upgrading in place from DS 6.5.x and earlier, the upgrade process does not unpack the libraries required to store backup files in the cloud, and does not configure the plugin used for the feature. You must activate cloud storage for backup if you want to use the feature.

If you started by adding DS 7 or later servers, as described in When adding new servers, then the new DS servers already have the libraries and plugin configuration. In that case, you can skip these steps.

  1. Unpack the libraries required to store backup files in the cloud:

    $ cd /path/to/opendj
    $ unzip -o -q extensions/backup-cloud-extension.zip
    bash
  2. Restart DS.

  3. Configure the cloud storage plugin to use the libraries:

    $ dsconfig \
    create-plugin \
    --plugin-name Cloud\ Storage\ Plugin \
    --type custom \
    --set enabled:true \
    --set java-class:com.forgerock.opendj.server.backup.cloud.CloudStoragePlugin \
    --set plugin-type:initialization \
    --hostname localhost \
    --port 4444 \
    --bindDn "cn=Directory Manager" \
    --trustAll \
    --no-prompt
    bash

Set the cloud storage endpoint for backup

If you back up to cloud storage, set the storage endpoint to control where your backup files go.

Use either of these dsbackup options:

  • --storage-property endpoint:endpoint-url

  • --storage-property endpoint.env.var:environment-variable-for-endpoint-url

For details, refer to Cloud storage endpoint.