Directory Services 7.4.3

Upgrade from DS 7.4.0

If the deployment includes a DS 7.4.0 server with data encryption using default settings, follow the procedures in this page.

If the deployment has no DS 7.4.0 servers or does not use data encryption, skip this page.

The problem

Due to an issue (OPENDJ-10211) in the way DS 7.4.0 encrypts data on disk when using the default cipher-transformation: AES/GCM/NoPadding setting, the backend or changelog data on disk and encrypted with 7.4.0 is incompatible with all other DS versions.

If the deployment is configured with non-default cipher-transformation settings that do not use the AES algorithm and GCM mode, the problem doesn’t affect the deployment. In this case, skip this page.

Otherwise, the directory data on disk uses incompatible encryption. Any binary backups of the backend data are also affected. You can’t use the upgrade command to upgrade a DS server to 7.4.0 from earlier versions or from 7.4.0 to later versions.

The solution

You can upgrade by adding new DS servers; follow these steps:

  1. Upgrade by adding new servers, leaving existing 7.4.0 servers in operation during the upgrade.

    When initializing new servers, do not use backup files, as they use incompatible encryption. Instead, either initialize data over the network or initialize from plaintext LDIF.

  2. Change the bootstrap replication servers for each server to stop using the DS 7.4.0 servers.

  3. If you use backup files, create them from the new servers with compatible encryption.

  4. Stop directing client application traffic to the DS 7.4.0 servers.

  5. Wait until the replication purge delay has elapsed (default: 3 days) and retire the DS 7.4.0 servers.

Copyright © 2010-2024 ForgeRock, all rights reserved.