So, if someone has a broken install because of the upgrade, he should be able to get his system up as follows:

http://pki.fedoraproject.org/wiki/Migrating_Dogtag_9_Instances_to_Dogtag_10

Specifically, in the workaround section:
1. install tomcat 6 from f18
2. downgrade tomcatjss to the version from f18
3. Running pki-upgrade to run some d10 upgrade scripts.

He will then have a d9-style instance running on f19. Any functionality based on the restful interfaces will again not work. We added code to return 503 - not supported in case someone tries to access this code.

On the other hand, we need a plan to upgrade d9 style instances.

There are two possibilities.

1. User creates replica. This will be a true d10 instance. Then user can blow away old d9 instance and re-install from the replica.

2. We write some kind of migration script to create the new dogtag 10 instance and migrate the data. Or convert the existing instance to a d10 instance. I'll detail the steps in my next post.

So, as I see it, we are trying to migrate from dogtag 9 style instances which live in /var/lib/pki-ca and which have split databases - to dogtag 10 style instances with combined databases. If there are other combinations, then this needs to be discussed.

A migration procedure could be as follows:
1. shut down the existing d9 dogtag instance.
2. Back up the database using db2ldif or similar.
3. set up a new d10 dogtag instance using the same pkispawn parameters you would ordinarily have used to set up a D10 instance. This instance would point to the IPA database instance, rather than the old separated dogtag DS instance. Add the IPA profile and the IPA specific modifications to CS.cfg, any certmonger setup.
4. Shut down this instance and replace the certificate database with the certificate database from the old instance.
5. Replace the needed directives in CS.cfg with entries from the old CS.cfg. We'd have to get a list, but they are the entries having specific values related to the old system certs.
6. Import the saved data from step 2 into the database.
7. Restart the instance. IPA specific files (default.conf? ipa.conf? proxy config file?) may also need to be updated.

As part of step 4, the password for the cert database needs to be replaced in password.conf

After step 3, we need to do IPA specific setup for the dbuser (ie.modifying the certmap). Basically step 3 is running the IPA install process for a IPA D10 instance.

Working on this one. In FreeIPA devel meeting we agreed that the manual procedure is not really an option, we will stick to the migration procedure instead.

See:

• related FreeIPA.org article: http://www.freeipa.org/page/Howto/Dogtag9ToDogtag10Migration
• related freeipausers post: http://www.redhat.com/archives/freeipa-users/2013-July/msg00286.html

On FreeIPA.org site, I updated affected release notes with a link to this migration page.

Would it be possible before upgrade to clone the dogtag instance 'on the same server', from the separate instance to the integrated IPA instance ?
Would this make things easier ?

From a dogtag point of view, thats certainly possible. We regularly create clone instances on the same server when testing. My guess is that we would run into various port/settings issues with the ipa install scripts - for example, when referencing the default.conf.

Someone would have to try it and see how the install scripts can be modified to work. This would be easier than having to clone to a new server, and then cloned back. It may just be messier.

We do not have capacity to address this issue. It is already clearly documented.

This is really something we won't do now, closing as wontfix instead.