After you upgrade in place
The DS server upgrade process preserves the existing configuration as much as possible. This maintains compatibility, but there are more steps you must take.
Many example commands on this page use Here, |
Checklist
Use this checklist to make sure you don’t miss these important post-upgrade tasks:
-
Use the new security model (for upgrades from DS 6.5 and earlier).
-
Back up your directory data.1
-
Update your scripts to account for incompatible changes.
-
Plan your move away from deprecated features.
-
Move to dedicated service accounts for your directory applications.2
-
Manually review and purge the DS server configurations for stale references to old servers.3
-
Review what’s new and changed and adopt useful improvements.
-
Clean up admin data (for upgrades from DS 6.5 and earlier).4
-
Set the cloud storage endpoint for backup if you back up to cloud storage.
1 Backup files are not compatible between versions. Before starting this task, complete the work to Use the new security model.
2 You would not run all your applications as the Linux root user or the Windows Administrator.
Stop using superuser accounts like cn=Directory Manager
as service accounts.
Many DS setup profiles create service accounts for applications to use when authenticating to DS.
For examples of AM service accounts, refer to the base-entries.ldif
files in setup profiles
under the opendj/template/setup-profiles/AM
directory.
3 You can read the opendj/config/config.ldif
file to find stale references,
but always use the dsconfig command to make changes to the configuration.
4 Before starting this task, complete the work to Use the new security model and to Eliminate outdated password storage.
Use the new security model
If you have upgraded DS 6.5 or earlier servers in place, enable upgraded servers to use the new security model. You can’t add new servers using normal procedures until you have completed these steps. Some new features depend on the new model. |
DS release 7 changes the security model to configure replication at setup time, make disaster recovery more straightforward, and simplify symmetric key distribution:
-
In prior releases, trust and symmetric key distribution in a replication topology depend on the replicated
cn=admin data
base DN. DS servers prior to release 7 reference each others' instance keys and use them to protect symmetric keys incn=admin data
entries. -
DS servers now rely on a deployment ID and password to derive a shared master key and offer a default PKI to trust each others' certificates. DS servers protect symmetric keys using the shared master key to encrypt and decrypt them. For details, refer to Deployment IDs.
The following examples demonstrate the process of creating keys and updating the configuration for replicas installed with the DS 6.5 evaluation profile:
-
Make sure you have upgraded all DS servers to version 7 or later.
-
Generate a deployment ID for the deployment:
### # Generate a deployment ID for the topology. # Do this once and SAVE THE DEPLOYMENT ID: $ dskeymgr create-deployment-id --deploymentIdPassword password <deployment-id>
For more command options, refer to dskeymgr. The default validity for the deployment ID is 10 years.
-
For each upgraded server, add at least the shared master key generated using the deployment ID:
Show details
### # Use the same deployment ID on each server: export DEPLOYMENT_ID=<deployment-id> # Add a shared master key based on the deployment ID: dskeymgr \ export-master-key-pair \ --alias master-key \ --deploymentId $DEPLOYMENT_ID \ --deploymentIdPassword password \ --keyStoreFile /path/to/opendj/config/keystore \ --keyStorePassword:file /path/to/opendj/config/keystore.pin # Deployment ID-based PKI? # Add a deployment ID CA certificate: dskeymgr \ export-ca-cert \ --deploymentId $DEPLOYMENT_ID \ --deploymentIdPassword password \ --keyStoreFile /path/to/opendj/config/keystore \ --keyStorePassword:file /path/to/opendj/config/keystore.pin # Deployment ID-based PKI? # Add a deployment ID-based TLS certificate: dskeymgr \ create-tls-key-pair \ --deploymentId $DEPLOYMENT_ID \ --deploymentIdPassword password \ --keyStoreFile /path/to/opendj/config/keystore \ --keyStorePassword:file /path/to/opendj/config/keystore.pin \ --hostname localhost \ --hostname opendj.example.com \ --subjectDn CN=DS,O=ForgeRock
The default validity for the certificate is one year.
-
For each upgraded server, start the server, if necessary.
-
For each upgraded server, update the configuration to use the new keys.
Show details
The following example uses the private PKI keys based on the deployment ID and password. At minimum, even if you use your own keys for PKI, update the Crypto Manager to use the shared master key:
# Copy the keys used to protect secret keys and replication traffic # to the default key manager keystore. # This makes the keys available for trust and decryption # after you switch to the default key and trust managers: keytool \ -importkeystore \ -srckeystore /path/to/opendj/db/ads-truststore/ads-truststore \ -srcstorepass:file /path/to/opendj/db/ads-truststore/ads-truststore.pin \ -destkeystore /path/to/opendj/config/keystore \ -deststoretype PKCS12 \ -deststorepass:file /path/to/opendj/config/keystore.pin # Configure the server to wrap new secret keys # using the new shared master key: dsconfig \ set-crypto-manager-prop \ --set key-manager-provider:"Default Key Manager" \ --set master-key-alias:master-key \ --reset digest-algorithm \ --reset mac-algorithm \ --reset key-wrapping-transformation \ --hostname localhost \ --port 4444 \ --bindDN "cn=Directory Manager" \ --bindPassword password \ --trustAll \ --no-prompt # Deployment ID-based PKI? dsconfig \ create-trust-manager-provider \ --set enabled:true \ --set trust-store-file:config/keystore \ --set trust-store-pin:\&{file:config/keystore.pin} \ --set trust-store-type:PKCS12 \ --type file-based \ --provider-name PKCS12 \ --hostname localhost \ --port 4444 \ --bindDn "cn=Directory Manager" \ --trustAll \ --bindPassword password \ --no-prompt # Switch to the new keys to secure # administrative and replication communications: dsconfig \ set-administration-connector-prop \ --set ssl-cert-nickname:ssl-key-pair \ --set trust-manager-provider:PKCS12 \ --hostname localhost \ --port 4444 \ --bindDn "cn=Directory Manager" \ --trustAll \ --bindPassword password \ --no-prompt dsconfig \ set-synchronization-provider-prop \ --provider-name "Multimaster Synchronization" \ --set key-manager-provider:"Default Key Manager" \ --set ssl-cert-nickname:ssl-key-pair \ --set trust-manager-provider:PKCS12 \ --hostname localhost \ --port 4444 \ --bindDn "cn=Directory Manager" \ --trustAll \ --bindPassword password \ --no-prompt # Switch to the new keys for other secure communications: dsconfig \ set-connection-handler-prop \ --handler-name HTTPS \ --set ssl-cert-nickname:ssl-key-pair \ --set trust-manager-provider:PKCS12 \ --hostname localhost \ --port 4444 \ --bindDn "cn=Directory Manager" \ --trustAll \ --bindPassword password \ --no-prompt dsconfig \ set-connection-handler-prop \ --handler-name LDAP \ --set ssl-cert-nickname:ssl-key-pair \ --set trust-manager-provider:PKCS12 \ --hostname localhost \ --port 4444 \ --bindDn "cn=Directory Manager" \ --trustAll \ --bindPassword password \ --no-prompt dsconfig \ set-connection-handler-prop \ --handler-name LDAPS \ --set ssl-cert-nickname:ssl-key-pair \ --set trust-manager-provider:PKCS12 \ --hostname localhost \ --port 4444 \ --bindDn "cn=Directory Manager" \ --trustAll \ --bindPassword password \ --no-prompt
-
For each upgraded server, restart the server, causing it to generate new secret keys, wrapped using the shared master key:
stop-ds --restart
Eliminate outdated password storage
Reversible password storage schemes (3DES, AES, Blowfish, RC4) have been deprecated since DS 7.0. Many password storage schemes are no longer enabled by default for new installations.
After upgrading to DS 7 and later, migrate active accounts away from the following deprecated and outdated password storage schemes:
-
3DES
-
AES
-
Base64
-
Blowfish
-
CRYPT
-
Clear
-
PBKDF2
-
PKCS5S2
-
SHA-1
-
Salted SHA-1
-
Salted SHA-256
-
Salted SHA-384
-
Salted SHA-512
Follow these steps:
-
On at least one DS replica, add an index for passwords using deprecated or outdated storage schemes.
The following example creates the index on an upgraded server with data for
dc=example,dc=com
in a backend calleduserRoot
. The directory superuser account on the upgraded server has DNcn=Directory Manager
:dsconfig \ create-backend-index \ --backend-name userRoot \ --type generic \ --index-name userPassword \ --set index-type:big-extensible \ --set big-index-included-attribute-value:3DES \ --set big-index-included-attribute-value:AES \ --set big-index-included-attribute-value:Base64 \ --set big-index-included-attribute-value:Blowfish \ --set big-index-included-attribute-value:CRYPT \ --set big-index-included-attribute-value:Clear \ --set big-index-included-attribute-value:PBKDF2 \ --set big-index-included-attribute-value:PKCS5S2 \ --set big-index-included-attribute-value:RC4 \ --set big-index-included-attribute-value:SHA-1 \ --set big-index-included-attribute-value:Salted\ SHA-1 \ --set big-index-included-attribute-value:Salted\ SHA-256 \ --set big-index-included-attribute-value:Salted\ SHA-384 \ --set big-index-included-attribute-value:Salted\ SHA-512 \ --set big-index-extensible-matching-rule:1.3.6.1.4.1.36733.2.1.4.14 \ --hostname localhost \ --port 4444 \ --bindDn "cn=Directory Manager" \ --bindPassword password \ --trustAll \ --no-prompt rebuild-index \ --baseDN dc=example,dc=com \ --index userPassword \ --hostname localhost \ --port 4444 \ --bindDN "cn=Directory Manager" \ --bindPassword password \ --trustAll
The
ds-evaluation
setup profile, described in Install DS for evaluation, includes auserPassword
big index for reversible password storage schemes. -
Search for accounts using these password storage schemes on the replica where you added the index:
ldapsearch \ --hostname localhost \ --port 1636 \ --useSSL \ --bindDN "cn=Directory Manager" \ --bindPassword password \ --trustAll \ --simplePageSize 100 \ --baseDn dc=example,dc=com \ "(|(userPassword:1.3.6.1.4.1.36733.2.1.4.14:=3DES)\ (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=AES)\ (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=BASE64)\ (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=BLOWFISH)\ (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=CRYPT)\ (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=CLEAR)\ (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=PBKDF2)\ (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=PKCS5S2)\ (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=RC4)\ (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=SHA)\ (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=SSHA)\ (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=SSHA256)\ (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=SSHA384)\ (userPassword:1.3.6.1.4.1.36733.2.1.4.14:=SSHA512))" \ 1.1
If the search returns no matches, set
enabled: false
for the unused storage schemes in each server configuration. You can skip to the rest of the steps in this procedure. -
If the search returns any DNs, migrate active accounts to another storage scheme, such as
PBKDF2-HMAC-SHA256
.For details, refer to Deprecate a password storage scheme. When a user binds successfully with their existing password or changes their password, DS stores the password with the new scheme.
-
Wait for all active accounts to bind or to update their passwords.
The definition of active depends on the deployment. You decide how long a user can go without binding before you consider their account inactive. For details, refer to Active accounts.
-
Run the search again, adding a filter to match active accounts.
After the migration, the search ideally returns no results.
-
Once you are confident active accounts no longer use deprecated or outdated storage schemes, set
enabled: false
for the unused storage schemes in each server configuration.Inactive accounts—those with no binds during the migration—must now reset their passwords before they can bind.
For additional examples, refer to How do I change a password storage scheme and apply a new password policy to users in DS (All versions)?
Clean up admin data
These steps are required after you upgrade from DS 6.5 and earlier to ensure servers share secret keys according to the new security model.
If, after cleanup, your deployment still stores secret keys under the replicated This applies, for example, to deployments that use (deprecated) reversible password storage schemes (3DES, AES, Blowfish, RC4). It also applies to deployments where servers were set up in production mode, and use keys with automatically generated, self-signed certificates to protect replication connections. If you do choose to disable |
-
Make sure you have upgraded all DS servers to version 7 or later.
As explained in Checklist at the top of this page, this means purging stale references to retired servers from the new servers' configurations, and updating bootstrap replication server settings to reference only the new, DS 7 servers.
-
Make sure you have followed the steps in Use the new security model.
-
Run the cleanup command.
For example, run the cleanup command on each server with directory superuser credentials. If the credentials are the same on every server, it is enough to run the command once.
After upgrading from DS 6.5 or earlier, make sure you set the
--bootstrapServer
option. Target at least two servers for redundancy. The following example uses the servers with IDs1
and2
as the bootstrap servers:$ dsrepl \ cleanup-migrated-pre-7-0-topology \ --bootstrapServer 1 \ --bootstrapServer 2 \ --bindDn "cn=Directory Manager" \ --bindPassword password \ --hostname localhost \ --port 4444 \ --trustAll \ --no-prompt
The command is idempotent. You can run it multiple times if the initial run cannot fully complete the cleanup process.
-
Remove unused configuration settings:
Show details
dsconfig \ delete-key-manager-provider \ --provider-name "Crypto Manager Key Manager" \ --hostname localhost \ --port 4444 \ --bindDn "cn=Directory Manager" \ --trustAll \ --bindPassword password \ --no-prompt dsconfig \ delete-key-manager-provider \ --provider-name "Replication Key Manager" \ --hostname localhost \ --port 4444 \ --bindDn "cn=Directory Manager" \ --trustAll \ --bindPassword password \ --no-prompt dsconfig \ delete-trust-manager-provider \ --provider-name "Replication Trust Manager" \ --hostname localhost \ --port 4444 \ --bindDn "cn=Directory Manager" \ --trustAll \ --bindPassword password \ --no-prompt # Skip this command if the deployment has passwords stored # with reversible password storage schemes: dsconfig \ delete-backend \ --backend-name adminRoot \ --hostname localhost \ --port 4444 \ --bindDn "cn=Directory Manager" \ --trustAll \ --bindPassword password \ --no-prompt
-
Replace references to
Admin Data
in the server configuration.Find all references to admin data in your configuration:
$ grep -i "admin data" /path/to/opendj/config/config.ldif
How you replace or remove these references depends on your deployment.
-
Remove unused files:
# Skip these commands if the deployment has passwords stored # with reversible password storage schemes: $ rm -rf /path/to/opendj/db/adminRoot $ rm -rf /path/to/opendj/db/ads-truststore
Add a monitor user account
The dsrepl status
command, and general server monitoring
require an account with the monitor-read
privilege.
Since DS 6, you can create a monitor user account at setup time;
however, the setup process does not require that you create such an account,
and earlier versions do not offer the option.
If no such account exists, do one of the following:
-
Add the
monitor-read
privilege to an existing, replicated user entry, as demonstrated in Monitor privilege. -
Add a separate, replicated monitor user account, as demonstrated in How do I create a dedicated user for monitoring in PingDS?
Use this replicated account when monitoring DS servers and when running the dsrepl status
command.
Update LDAP schema
Update LDAP schema definitions to support new features.
When you upgrade servers, the servers inherit existing LDAP schema definitions. This ensures compatibility between the newer and older servers during upgrade; however, upgrade does not apply changes that new features depend on.
Once all servers run the latest software, add LDAP schema definitions required to use additional features:
-
Make sure you have upgraded all DS servers to version 7 or later.
-
Compare current schema definitions with the schema templates.
The following example summarizes the differences for a new server added to a 6.5 deployment:
$ cd /path/to/opendj $ diff -q db/schema template/db/schema Files db/schema/00-core.ldif and template/db/schema/00-core.ldif differ Files db/schema/03-pwpolicyextension.ldif and template/db/schema/03-pwpolicyextension.ldif differ Files db/schema/04-rfc2307bis.ldif and template/db/schema/04-rfc2307bis.ldif differ Only in db/schema: 60-ds-evaluation-schema.ldif Only in db/schema: 99-user.ldif
The following table summarizes the changes in detail:
Schema File Notes Action 00-core.ldif
An update of the
mail
attribute to support UTF-8 characters and cosmetic changes due to schema replication:-
Each definition in
db/schema/00-core.ldif
hasX-SCHEMA-FILE '00-core.ldif'
. No definitions intemplate/db/schema/00-core.ldif
have theX-SCHEMA-FILE
extension. -
Some object classes in
db/schema/00-core.ldif
are explicitly defined asSTRUCTURAL
.
Other minor differences:
-
In 7, some attribute definitions have minimum upper bounds.
-
The schema for collective attributes is extended.
Replace with template file
03-pwpolicyextension.ldif
The new version was rewritten to support fully featured replicated password policies.
Replace with template file
04-rfc2307bis.ldif
In DS 7.2 and later, the new version aligns schema definitions with those of the latest RFC 2703bis Internet-Draft, An Approach for Using LDAP as a Network Information Service.
Replace with template file
60-ds-evaluation-schema.ldif
Added to existing version by the evaluation setup profile.
Keep existing file
99-user.ldif
Contains replication metadata.
Keep existing file
Any schema file missing in
template/db/schema
This includes schema from setup profiles and any custom schema definitions for the deployment.
Keep existing file
-
-
For each upgraded server, update the schema to the latest version.
The following example updates the schema on a single server. Always stop a server before making changes to its files:
$ cd /path/to/opendj $ ./bin/stop-ds $ cp template/db/schema/00-core.ldif db/schema $ cp template/db/schema/03-pwpolicyextension.ldif db/schema $ cp template/db/schema/04-rfc2307bis.ldif db/schema $ ./bin/start-ds
-
Rebuild indexes for the following attributes, which DS considers degraded:
-
automountInformation
-
automountKey
-
automountMapName
-
gecos
-
ipHostNumber
-
ipNetworkNumber
-
mail
-
memberNisNetGroup
-
memberUid
-
nisMapEntry
-
nisNetgroupTriple
For details, refer to Automate index rebuilds.
-
Tune settings
Major software releases include significant changes that can render existing tuning settings obsolete. When upgrading to a new major release of DS or Java software, revisit the system configuration, server configuration, and Java settings. As part of the upgrade process, adjust the settings appropriately to align your deployment with the new software version.
For information and suggestions on tuning, read the Release notes and Performance tuning.
Use string-based server IDs
After upgrading from earlier releases, you can change server IDs to strings:
-
Make sure you have upgraded all DS servers to version 7 or later.
-
For each server, change the global server ID to the desired string.
The following example shows a command that changes a server’s global ID to a string:
$ dsconfig \ set-global-configuration-prop \ --hostname localhost \ --port 4444 \ --bindDN uid=admin \ --bindPassword password \ --set server-id:ds-us-west-1 \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --no-prompt
-
Restart the server for the change to take effect.
Use the entity tag plugin for ETags
The ETag plugin generates ETag attribute values more efficiently. For compatibility, the plugin is configured by default only on new servers.
After upgrading all servers, you can configure the plugin manually on each server:
-
Make sure you have upgraded all DS servers.
-
For each server, configure the plugin:
$ dsconfig \ create-plugin \ --plugin-name "Entity Tag" \ --type entity-tag \ --set enabled:true \ --set invoke-for-internal-operations:true \ --hostname localhost \ --port 4444 \ --bindDN uid=admin \ --bindPassword password \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --no-prompt
The plugin generates real ETag attributes for new and updated entries.
Activate cloud storage for backup
When upgrading in place from DS 6.5.x and earlier, the upgrade process does not unpack the libraries required to store backup files in the cloud, and does not configure the plugin used for the feature. You must activate cloud storage for backup if you want to use the feature.
-
Unpack the libraries required to store backup files in the cloud:
$ cd /path/to/opendj $ unzip -o -q extensions/backup-cloud-extension.zip
-
Restart DS.
-
Configure the cloud storage plugin to use the libraries:
$ dsconfig \ create-plugin \ --plugin-name Cloud\ Storage\ Plugin \ --type custom \ --set enabled:true \ --set java-class:com.forgerock.opendj.server.backup.cloud.CloudStoragePlugin \ --set plugin-type:initialization \ --hostname localhost \ --port 4444 \ --bindDn "cn=Directory Manager" \ --trustAll \ --no-prompt
Set the cloud storage endpoint for backup
If you back up to cloud storage, set the storage endpoint to control where your backup files go.
Use one of these dsbackup
options:
-
--storage-property endpoint:endpoint-url
-
--storage-property endpoint.env.var:environment-variable-for-endpoint-url
For details, refer to Cloud storage endpoint.
Upgrade complete
-
Perform these steps before you upgrade
-
Upgrade each:
-
Perform these steps after you upgrade