To migrate a CA Directory implementation from version 14.1/sp4 to 14.1/sp5, can we simply copy the config subdirectory from the existing implementation to a new 14.1/sp5 installation and then migrate the Directory data as the next step?
Release: 14.1/sp4
Component: CA Directory
OS: Linux
In general, customers should refrain from modifying the files in the $DXHOME/config subdirectory that came with a standard installation, because upgrading an existing CA Directory implementation to a new version has the potential to roll back those modified files to the default content of the new version.
As a general rule, back up the config subdirectory from the standard installation, for example as config.orig, and then replace the config subdirectory with the one that comes from the existing implementation. Then run the command
diff -r config.orig config
to find out the differences between them. In one case, a config subdirectory taken from an existing, working 14.1/sp4 implementation was compared with one from 14.1/sp6. Apart from the custom files that exist only in the existing implementation, the following is a sample of the output, excluding config/ssld/trusted.pem:
diff -r ../config.orig/dxEnc.conf issues/36289056/config/dxEnc.conf
4c4
< master-key-passphrase = "{CADIR}xxxxx"
---
> master-key-passphrase = "{CADIR}yyyyy"
diff -r ../config.orig/ssld/default.dxc issues/36289056/config/ssld/default.dxc
18c18
< # cipher = "ALL:!EXPORT40:!ADH:!SSLv2:!SSLv3:!TLS:!TLSv1:!TLSv11:!EXP:!LOW:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" # default ciphers - syntax on OpenSSL website
---
> # cipher = "ALL:!EXPORT40:!ADH:!SSLv2:!EXP:!LOW" # default ciphers - syntax on OpenSSL website
20c20
< # protocol = tlsv12 # enable TLS only (default of fips set)
---
> # protocol = tls # enable TLS only (default of fips set)
Here, dxEnc.conf holds the master encryption key passphrase supplied during the installation. The config/ssld/default.dxc from 14.1/sp6 now suggests a different cipher and protocol because of the new requirement to support only tlsv12 and above.
A simple conclusion is that a config subdirectory from 14.1/sp4 can be copied over and used on a 14.1/sp5 or 14.1/sp6 installation. One only needs to pay attention to the new version's requirements and adjust the copied-over files where necessary.
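The comparison step above can be scripted so that the review covers more than the raw diff output. The following is an added example, not part of the original article or of CA Directory; the function names are made up for illustration, and the two directory arguments are assumed to be the backed-up default tree (config.orig) and the copied-over tree (config).

```sh
#!/bin/sh
# Added example: review a copied-over CA Directory config tree against the
# new installation's defaults (config.orig). Function names are made up for
# this example; they are not CA Directory tools.

# Raw recursive comparison, skipping trusted.pem as the sample output does.
config_drift() {
    # diff exits 1 when the trees differ, which is the expected case here.
    LC_ALL=C diff -rq -x trusted.pem "$1" "$2" || true
}

# Files shipped with the new release whose content the copied config changes.
changed_defaults() {
    config_drift "$1" "$2" | sed -n 's/^Files \(.*\) and .* differ$/\1/p'
}

# Custom files that exist only in the copied-over tree ($2).
custom_only() {
    config_drift "$1" "$2" |
        awk -v p="Only in $2" 'index($0, p ":") == 1 || index($0, p "/") == 1'
}

# Active (uncommented) cipher/protocol lines under ssld/ in the copied tree;
# these need checking against the new release's TLS requirement.
active_tls_settings() {
    [ -d "$1/ssld" ] || return 0
    grep -rnE '^[[:space:]]*(cipher|protocol)[[:space:]]*=' "$1/ssld" || true
}

# Usage: sh review_config.sh config.orig config
if [ "$#" -eq 2 ]; then
    echo "== Shipped files changed by the copied config =="
    changed_defaults "$1" "$2"
    echo "== Files only in the copied config =="
    custom_only "$1" "$2"
    echo "== Active cipher/protocol settings to review =="
    active_tls_settings "$2"
fi
```

Commented-out cipher and protocol lines, such as those in the sample diff, are not reported by the last check; only settings that are actually in effect in the copied files are listed.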
After the config subdirectory has been copied over, you will need to run dxnewdb to create the required database file and then load the data using dxloaddb and the LDIF file dumped from the existing implementation.