{"type":"doc","content":[{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"This article is new for Certificate Manager 8.11.0-1.","type":"text"}]}]},{"type":"paragraph","content":[{"text":"This article describes how to migrate an existing ","type":"text"},{"text":"Smart ID Certificate Manager","type":"text","marks":[{"type":"link","attrs":{"href":"https://nexusdoc.atlassian.net/wiki/spaces/PUB/pages/65346056"}}]},{"text":" (CM) installation to Podman using Quadlet. ","type":"text"}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"Prerequisites","type":"text","marks":[{"type":"textColor","attrs":{"color":"#172b4d"}}]}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Certificate Manager (CM) is installed with version CM > 8.10.x.","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Earlier CM versions are not supported for migration and must be updated the regular way before a migration can be performed.","type":"text"}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Podman version 4.9.4 or later is installed.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"A valid CM license file","type":"text"}]}]}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"Step-by-step instructions","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Deployment directory setup","type":"text"}]},{"type":"paragraph","content":[{"text":"When deploying using quadlets the name of the directory in which the distributable deployment files are located will be dictated by the user running the container. It will map to the following directory:","type":"text"}]},{"type":"paragraph","content":[{"text":"$HOME/.config/containers/systemd/","type":"text","marks":[{"type":"code"}]},{"text":".","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Load Podman images","type":"text"}]},{"type":"paragraph","content":[{"text":"The Podman images for CM are located in the ","type":"text"},{"text":"images","type":"text","marks":[{"type":"strong"}]},{"text":" directory within the distributable package. ","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Load the images using the following commands:","type":"text"},{"type":"hardBreak"},{"text":"podman image load -i images/cf-server-image-.tar ","type":"text","marks":[{"type":"code"}]},{"type":"hardBreak"},{"text":"podman image load -i images/pgw-image-.tar","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Perquisition for CF and PGW deployments","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Copy the all the files and folders (*","type":"text"},{"text":".container","type":"text","marks":[{"type":"strong"}]},{"text":", ","type":"text"},{"text":"volumes","type":"text","marks":[{"type":"strong"}]},{"text":" and ","type":"text"},{"text":"network)","type":"text","marks":[{"type":"strong"}]},{"text":" under directory ‘","type":"text"},{"text":"certificate-manager-/","type":"text","marks":[{"type":"em"}]},{"text":"deployment/podman-quadlets’ to ","type":"text"},{"text":"$HOME/.config/containers/systemd","type":"text","marks":[{"type":"code"}]},{"text":" the following location, assuming that the current user is the operator for the container deployment ","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Copy the license file into: ","type":"text"},{"text":"$HOME/.config/containers/systemd/license","type":"text","marks":[{"type":"code"}]}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"If outgoing connectivity from the containers is required, edit the ","type":"text"},{"text":"cmnet.network","type":"text","marks":[{"type":"code"}]},{"text":" unit file and make sure the parameter ","type":"text"},{"text":"Internal=no","type":"text","marks":[{"type":"code"}]},{"text":" is set. Additional security hardening may be needed to restrict undesired outgoing connectivity from the container network with firewall rules or by other means.","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"CF in Podman container","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Uninstall existing CF server","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Stop the services and make a backup of the following directories in to be utilized later as volumes content for cf-server container:","type":"text"},{"type":"hardBreak"},{"text":"/bin","type":"text"},{"type":"hardBreak"},{"text":"/certs","type":"text"},{"type":"hardBreak"},{"text":"/config","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Backup logs files","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Uninstall the current CF server. See ","type":"text"},{"text":"Uninstall Certificate Manager server components and clients","type":"text","marks":[{"type":"link","attrs":{"href":"https://nexusdoc.atlassian.net/wiki/spaces/PUB/pages/65351280"}}]},{"text":" for more information.","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Migrate CF server configuration","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Follow the commands with ","type":"text"},{"text":"standard user","type":"text","marks":[{"type":"strong"}]},{"text":" (no sudo privilege) ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Start the following cf-server volumes:","type":"text"},{"type":"hardBreak"},{"text":"systemctl --user start cf-server-bin-volume","type":"text"},{"type":"hardBreak"},{"text":"systemctl --user start cf-server-certs-volume","type":"text"},{"type":"hardBreak"},{"text":"systemctl --user start cf-server-config-volume","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Start and stop the cf-service","type":"text"},{"type":"hardBreak"},{"text":" ","type":"text"},{"text":"systemctl --user start cf-server","type":"text","marks":[{"type":"code"}]},{"text":" ","type":"text"},{"type":"hardBreak"},{"text":"verify starting the service has logged ","type":"text"},{"text":"Applying runtime configuration","type":"text","marks":[{"type":"code"}]},{"type":"hardBreak"},{"text":"systemctl --user stop cf-server","type":"text","marks":[{"type":"code"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Copy the content of the backed-up folders you performed in step “","type":"text"},{"text":"Uninstall CF server","type":"text","marks":[{"type":"link","attrs":{"href":"https://nexusdoc.atlassian.net/wiki/spaces/ID/pages/edit-v2/699170817#Uninstall-existing-CF-server"}}]},{"text":"“ to the volumes respectively (this assumes that your current installation is running CF with internal cis):","type":"text"},{"type":"hardBreak"},{"text":"cp /certs/* $HOME/.local/share/containers/storage/volumes/systemd-cf-server-certs/_data","type":"text","marks":[{"type":"code"}]},{"type":"hardBreak"},{"text":"cp -r /config/* $HOME/.local/share/containers/storage/volumes/systemd-cf-server-config/_data","type":"text","marks":[{"type":"code"}]},{"type":"hardBreak"},{"text":"Note:","type":"text","marks":[{"type":"strong"}]},{"text":" Override the contents of ","type":"text"},{"text":"systemd-cf-server-certs/_data","type":"text","marks":[{"type":"code"}]},{"text":" and ","type":"text"},{"text":"systemd-cf-server-config/_data","type":"text","marks":[{"type":"code"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Verify the database connection details under config volume ","type":"text"},{"text":"$HOME/.local/share/containers/storage/volumes/systemd-cf-server-config/_data/cm.conf","type":"text","marks":[{"type":"code"}]},{"type":"hardBreak"},{"text":"Database.name = jdbc:://:/","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Change the logging to podman console, edit cm.conf ","type":"text"},{"type":"hardBreak"},{"text":"$HOME/.local/share/containers/storage/volumes/systemd-cf-server-config/_data/cm.conf ","type":"text","marks":[{"type":"code"}]},{"type":"hardBreak"},{"text":"for example, under Loggers configurations change to ","type":"text"},{"text":"cm.agent.log.1.type = stdout","type":"text","marks":[{"type":"code"}]},{"type":"hardBreak"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Configure HSM with cf-server container","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Copy HSM driver and config files to ","type":"text"},{"text":"$HOME/.local/share/containers/storage/volumes/systemd-cf-server-bin/_data","type":"text","marks":[{"type":"code"}]},{"type":"hardBreak"},{"text":"example Utimaco files (not limited to): ","type":"text"},{"text":"libcs_pkcs11_R3.so cs_pkcs11_R3.cfg","type":"text","marks":[{"type":"code"}]},{"text":" ","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Provide the required environment variables via ","type":"text"},{"text":"$HOME.config/containers/systemd/cf-server.container","type":"text","marks":[{"type":"code"}]},{"type":"hardBreak"},{"text":"example of Utimaco driver configuration: ","type":"text"},{"text":"Environment=\"CS_PKCS11_R3_CFG=/opt/cm/server/bin/cs_pkcs11_R3.cfg\"","type":"text","marks":[{"type":"code"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Note","type":"text","marks":[{"type":"strong"}]},{"text":": verify the connectivity details in HSM driver configuration file. ","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Start CF server container","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Start the CF server container using the following command:","type":"text"},{"type":"hardBreak"},{"text":"systemctl --user start cf-server","type":"text","marks":[{"type":"code"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Make sure cf-server is started and is logging:","type":"text"},{"type":"hardBreak"},{"text":"systemctl --user start cf-server; podman logs -f cf-server","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"PGW in Podman container","type":"text","marks":[{"type":"strong"}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Uninstall existing PGW","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Make a backup of the following directories in to be utilized later as volumes content for pgw container:","type":"text"},{"type":"hardBreak"},{"text":"Tomcat configuration which contains the TLS and server.xml: ","type":"text"},{"text":"/conf ","type":"text","marks":[{"type":"code"}]},{"type":"hardBreak"},{"text":"PGW configuration which contains the conf and certdir: ","type":"text"},{"text":"/conf/ $HOME/.local/share/containers/storage/volumes/systemd-pgw-config-tomcat/_data","type":"text","marks":[{"type":"code"}]},{"type":"hardBreak"},{"text":"cp -r /conf/ $HOME/.local/share/containers/storage/volumes/systemd-pgw-config-gw/_data","type":"text","marks":[{"type":"code"}]}]}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Verify the connectivity details toward cf-server container is correct in: ","type":"text"},{"text":"$HOME/.local/share/containers/storage/volumes/systemd-pgw-config-gw/_data/cm-gateway.properties","type":"text","marks":[{"type":"code"}]},{"type":"hardBreak"},{"text":"cmhost=","type":"text","marks":[{"type":"code"}]},{"text":", example","type":"text"},{"text":" cmhost=cf-server","type":"text","marks":[{"type":"code"}]},{"text":" ","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Start PGW container","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Start the PGW container using the following command:","type":"text"},{"type":"hardBreak"},{"text":"systemctl --user start pgw","type":"text","marks":[{"type":"code"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Make sure PGW is running","type":"text"},{"type":"hardBreak"},{"text":"systemctl --user status pgw; podman logs pgw","type":"text","marks":[{"type":"code"}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Enable PGW container health check","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Follow the instructions in ","type":"text"},{"text":"Enabling health check","type":"text","marks":[{"type":"link","attrs":{"href":"https://nexusdoc.atlassian.net/wiki/spaces/PUB/pages/375652375/Deployment+using+Podman+compose#Enabling-the-pgw-container-health-check"}}]},{"text":".","type":"text"}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Configure HSM with PGW container","type":"text"}]},{"type":"paragraph","content":[{"text":"Configuring HSM with PGW can be performed in a manner similar to the approach outlined in ","type":"text"},{"text":"CM-HSM setup","type":"text","marks":[{"type":"link","attrs":{"href":"https://nexusdoc.atlassian.net/wiki/spaces/ID/pages/edit-v2/699170817#Configure-HSM-with-cf-server-container"}}]},{"text":" ","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Recommendations","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Configuration files and libraries/addons (such as HSM) can be added as volumes to the containers.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Removing volumes can lead to losing data and configurations. Therefor, we recommend keeping updated backup of the configuration.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"It is not recommended to run the database on the same machine of cf-server container, due to network issues.","type":"text"}]}]}]}],"version":1}

Browser not supported