Migration Steps
An already existing Certifier installation can be migrated from one host to another by performing these steps.
Except when otherwise indicated, the information applies to both Unix and Windows versions of SSH Tectia Certifier.
- Install the new Certifier
On Unix: Install the installation package (rpm/pkg/depot) to the new host as described in SSH Tectia Certifier Administrator's Guide, but do not run the ssh-ca-setup script yet.
On Windows: Install SSH Tectia Certifier to the new host by running the setup and selecting the Full Installation option.
- Shut down the old installation
As you definitely do not want to lose any events (revocations, issuances etc.) happening during the migration process, you must first stop your old installation. However, in order to avoid a break in certificate validation, you must ascertain that none of the CRLs are about to expire during the migration. This is done with the administration interface System Shutdown request in the System Configuration Menu.
After shutting down the Certifier Engine with the System Shutdown request, the database and the server must also be stopped. Please run the ssh-ca-stop script (see Section Starting and Stopping Certifier Manually).
- Disable database log mirroring
If you have enabled Sybase database log mirroring (either with ssh-ca-backupconf or manually with the Sybase tools), you must disable mirroring before proceeding with migration and enable it again on the target system after migration.
Database mirroring can be disabled with ssh-ca-backupconf, see Section Setting up Backup Procedure.
- Disable database live backup
If you have enabled Sybase database remote live backup, you must disable the live backup before proceeding and enable it again on the target system after migration. If you need assistance with this step, please use your official support e-mail account to contact us.
- Back up the old installation
On Unix: Back up your installation with the ssh-ca-backup tool (see ssh-ca-backup).
Just run the following command (as the certifier user, not as root):
ssh-ca-backup
By default the backup is stored under var/bak/ca-backup-current under the Certifier directory.
Note: if you have set up a regular backup routine with ssh-ca-backupconf (see Section Setting up Backup Procedure), the result gets stored to the directory specified in the backup configuration.
On Windows: Back up your old installation. See Appendix Setting up Backup Procedure for more information.
- Transfer the backup
On Unix: Transfer the fresh backup to the new host. The exact steps depend on your host/network setup. If the new host is accessible with a Secure Shell connection, this might be achieved with the following commands:
cd /opt/certifier/var/bak
tar cf - ca-bak-current | ssh root@your-new-host \
"mkdir /opt/certifier/var/migration ; cd /opt/certifier/var/migration; tar xf -"
On Windows: Transfer the old installation (or backup) to the new host:
  - Copy the database file and database log to the default location (C:\sshcertifierdb) in the new host.
  - Copy also the files in the var\pki directory to the new host.
  - Change the DBA password to default value in the ssh_certifier_file_dsn.DSN file. That is, replace the line containing PWD=<random_password> with PWD=SQL.
- Transfer your hardware crypto modules
If your Certifier installation includes crypto hardware modules, they must be migrated to the new host as well. Please consult your hardware crypto module documentation/support for details.
- Set up the new Certifier
On Unix: Run the ssh-ca-setup script as described in Section Installing Certifier in the Administrator's Guide.
./ssh-ca-setup
On Windows: You must manually run the following commands on the new host to complete the upgrade and OS migrate operation:
ssh_certifier_db_unload.bat u C:\sshcertifierdb
ssh_ca_tool.exe -G
- Subordinate Servers
Subordinate server installations are not migrated, as their configurations live in the main installation database. When migrating old subordinate servers to new hosts, perform the following steps:
  - Create a new PSK for each of the old subordinate servers with the admin GUI. See Section Server Entity.
  - Install the subordinate server packages as instructed in SSH Tectia Certifier Administrator's Guide.
  - Use the new PSKs when setting up the servers.
- Checklist
After migration, please check at least the following details in the Certifier configuration.
  - Hostnames in the service configurations
  - CN in certificates of TLS enabled web services
  - Engine address in subserver configuration file conf/server.conf
  - Your database setup is in desired state with respect to:
    - Automated backup routine
    - Database log mirroring
    - Database live backup
Please note that the Certifier syslog files (certifier/var/log/engine.log and certifier/var/log/server.log in a default installation) are not transferred from the old host to the new host with this procedure. You should copy or archive those files manually as appropriate.
- Cleanup
Unix only: Remove the var/migration directory from your new host.
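
An integrity-checked variant of the Unix transfer in the "Transfer the backup" step, added here as an example and not taken from the Certifier documentation: a SHA-256 manifest is written on the old host, shipped with the backup, and verified on the new host after extraction. It assumes GNU sha256sum on both hosts; the function names are hypothetical, and the directory names are those used in the page's command.

```shell
#!/bin/sh
# Added example (not from the Certifier documentation). Assumes GNU coreutils
# (sha256sum) on both hosts; function names are hypothetical.

# Old host: write <name>.sha256 beside the backup directory, one line per file.
make_manifest() {   # $1 = parent directory, $2 = backup directory name
    ( cd "$1" && find "$2" -type f -exec sha256sum {} + > "$2.sha256" )
}

# Old host: stream the backup and its manifest to stdout as one tar archive.
pack_backup() {     # $1 = parent directory, $2 = backup directory name
    ( cd "$1" && tar cf - "$2" "$2.sha256" )
}

# New host: read the archive from stdin and verify it. Every step is chained
# with &&, so a failed mkdir or cd never lets tar extract somewhere else.
unpack_and_verify() {   # $1 = migration directory, $2 = backup directory name
    (
        umask 077 &&                         # migration directory is created owner-only
        mkdir -p "$1" && cd "$1" &&
        tar xf - &&
        sha256sum -c --quiet "$2.sha256" &&  # every listed file matches its hash
        listed=$(wc -l < "$2.sha256") &&
        found=$(find "$2" -type f | wc -l) &&
        [ "$listed" -eq "$found" ]           # and no unlisted file arrived
    )
}

# Usage with the page's paths (bash; your-new-host is the page's placeholder):
#   make_manifest /opt/certifier/var/bak ca-bak-current
#   pack_backup /opt/certifier/var/bak ca-bak-current |
#     ssh root@your-new-host "$(declare -f unpack_and_verify)
#       unpack_and_verify /opt/certifier/var/migration ca-bak-current"
```

A non-zero exit status from unpack_and_verify means the copy on the new host does not match what was backed up, and ssh-ca-setup should not be run against it.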


