Migrating to another instance with an external database

You can migrate IBM® OpenPages® for IBM Cloud Pak for Data from one instance to another with an external database.

Procedure

  1. Back up the database encryption keys and secrets in the source environment.
    Do these steps so that the backup files can be decrypted in the target environment and so that the target environment has the same secrets as the source environment.
    1. Log in to the database server using ssh.
    2. Switch to the database instance owner (db2inst1 by default):
      su - db2inst1
    3. Locate the database encryption keys by running the following command:
      gsk8capicmd_64 -cert -list -db /home/db2ext/sqllib/security/keystore/extdb_db.p12 -stashed
      Look for a result that is similar to the following text:
      * default, - personal, ! trusted, # secret key
      #       DB2_SYSGEN_db2inst1_OPX_2020-10-19-17.51.55_81D83D47
      #       DB2_SYSGEN_db2inst1_OPX_2020-10-19-17.56.05_AF8AC2F5
    4. Extract the keys from the keystore by running the following command:
      gsk8capicmd_64 -secretkey -extract -db /home/db2ext/sqllib/security/keystore/extdb_db.p12 -stashed -target <label>.sec -format pkcs12 -label <label>
    5. Note the <label> of each key. You need this information later.
  2. In your source environment, log in to your Red Hat® OpenShift® cluster as a project administrator:
    oc login OpenShift_URL:port
  3. Run the following commands. Note the secret that is returned by each command. You need this information later.
    oc get secret -n <openpages_project> openpages-<instance_name>-platform-secret -o jsonpath="{.data.encryption-key-pw}"
    oc get secret -n <openpages_project> openpages-<instance_name>-platform-secret -o jsonpath="{.data.keystore-pw}"
    oc get secret -n <openpages_project> openpages-<instance_name>-platform-secret -o jsonpath="{.data.opsystem-pw}"
    In addition, you can migrate the initial secrets for the out-of-the-box user accounts. Do this, for example, if you did not change the initial password of a user account and you want to migrate the initial secret to your new instance. To get the secret, run the following command for each secret that you want to migrate:
    oc get secret -n <openpages_project> openpages-<instance_name>-initialpw-secret -o jsonpath="{.data.<user name>}"

    Replace the following values:

    Variable              Replace with
    <instance_name>       The name of your OpenPages instance.
    <openpages_project>   The name of the OpenShift project where OpenPages is installed.
    <user name>           A user account.

    The encoded password of the account is displayed. Save the password.
  4. Back up your source environment by doing an offline backup. See Backing up, restoring, and migrating OpenPages.
  5. Copy the backup files to the target environment.
    • Copy the database backup to the /mnt/backup directory in the database server.
    • Copy the extracted encryption key files to the database server.
    • Copy the op_backup_<timestamp>.zip file from step 4 to one of the application server pods and place it in the /opt/ibm/OpenPages/openpages-backup-restore directory.
    • Move all other op_backup_<timestamp>.zip files to a subfolder under /opt/ibm/OpenPages/openpages-backup-restore.
  6. Import the encryption keys to the target environment.
    1. Log in to the database server using ssh.
    2. Switch to the database instance owner (db2inst1 by default):
      su - db2inst1
    3. Import the encryption keys by running the following command for each key. Ensure the <label> matches the <label> from the source environment.
      gsk8capicmd_64 -secretkey -add -db /home/db2ext/sqllib/security/keystore/extdb_db.p12 -stashed -label <label> -format pkcs12 -file <key_file_path>
      For example:
      gsk8capicmd_64 -secretkey -add -db /home/db2ext/sqllib/security/keystore/extdb_db.p12 -stashed -label DB2_SYSGEN_db2inst1_OPX_2020-10-12-20.09.20_9F1D9078 -format pkcs12 -file /tmp/seckey/DB2_SYSGEN_db2inst1_OPX_2020-10-12-20.09.20_9F1D9078.sec
  7. In your target environment, log in to your Red Hat OpenShift cluster as a project administrator:
    oc login OpenShift_URL:port
  8. Scale to 1 replica.
    oc scale --replicas=1 sts/openpages-<instance_name>-sts -n <openpages_project>

    To find the name of the StatefulSet (sts), run oc get sts and look for a name that starts with openpages-. For example, openpages-opinst-sts

  9. Log in to the application server pod and open a terminal.
    oc exec -it openpages-<instance_name>-sts-0 -n <openpages_project> -- /bin/bash

    To find the pod name, run oc get sts -n <openpages_project> and look for a name that starts with openpages-.

  10. Go to the /opt/ibm/OpenPages/openpages-backup-restore directory.
  11. Locate the op_backup_<timestamp>.zip file that you copied from your source environment. Use this file in step 12.
  12. Restore the backup by running the following commands:
    cd /opt/ibm/OpenPages/aurora/bin
    ./OPRestore.sh <backup_filename_without_the_file_extension> 
    For example:
    cd /opt/ibm/OpenPages/aurora/bin
    ./OPRestore.sh op_backup_2021_01_20_21_43_04
  13. Stop the application server pods.
    1. Scale down to 0 replicas.
      oc scale --replicas=0 sts/openpages-<instance_name>-sts -n <openpages_project>
    2. Wait until all application server pods are deleted.
  14. Log in to the database server using ssh.
  15. Restore the database.
    Do the steps in the following task: Restoring a Db2 database.
    • Replace the database name BLUDB with OPX.
    • Replace backup_dir with /mnt/backup

    For more information, see Restoring an encrypted backup image to a different system with a local key manager

  16. Restore the secrets into the target environment.
    oc edit secrets -n <openpages_project> openpages-<instance_name>-platform-secret
    1. Update the values for each secret based on the values in your source environment.
      For more information, see Secrets in the Kubernetes documentation.
    2. If you want to restore the initial secrets for the out-of-the-box user accounts, run the following command:
       oc edit secrets -n <openpages_project> openpages-<instance_name>-initialpw-secret

      Do this, for example, if you did not change the initial password of an out-of-the-box user account and you want to migrate the account's initial secret from your old instance to your new instance.

  17. Scale up to the number of replicas you want to use for the application server by running the following command:
    oc scale --replicas=<#_of_replicas> sts/openpages-<instance_name>-sts

    Replace the following values:

    Variable             Replace with
    <#_of_replicas>      Specify the number of replicas. Can be 1 or more.
    <StatefulSet_name>   Specify the name of the StatefulSet for the application. To find the name of the StatefulSet, run oc get sts and look for a name that starts with openpages-. For example, openpages-opinst-sts
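
Step 6 requires each imported <label> to match the source environment. The following shell check is an added example, not part of the IBM procedure: it compares saved outputs of the step 1 listing command taken on the source and target database servers, before the database restore in step 15. The function names, file names and the no-spaces-in-labels assumption belong to this example; the sample listings are constructed from the labels shown in step 1.

```shell
#!/bin/sh
# Added example (not IBM code): check that every secret-key label in the source
# keystore listing also appears in the target listing after the import step.
# Each input file holds the saved output of the listing command from step 1:
#   gsk8capicmd_64 -cert -list -db <keystore> -stashed
# Function and file names are hypothetical.

# missing_labels SOURCE_LISTING TARGET_LISTING
# Prints each source label that the target lacks; returns 1 if any are missing,
# 2 if a listing cannot be read. Assumes labels contain no spaces.
missing_labels() {
  [ -r "$1" ] && [ -r "$2" ] || { echo "unreadable listing" >&2; return 2; }
  awk '
    $1 != "#" || NF < 2          { next }                # keep "#  <label>" entries only
    FILENAME == ARGV[1]          { have[$2] = 1; next }  # first file: target labels
    !($2 in have) && !seen[$2]++ { print $2; rc = 1 }    # source label not in target
    END { exit rc + 0 }
  ' "$2" "$1"
}

# Constructed sample: the source has the two labels shown in step 1,
# the target has only the first one imported so far.
demo() {
  dir=$(mktemp -d) || return 2
  cat > "$dir/source.txt" <<'EOF'
* default, - personal, ! trusted, # secret key
#       DB2_SYSGEN_db2inst1_OPX_2020-10-19-17.51.55_81D83D47
#       DB2_SYSGEN_db2inst1_OPX_2020-10-19-17.56.05_AF8AC2F5
EOF
  cat > "$dir/target.txt" <<'EOF'
* default, - personal, ! trusted, # secret key
#       DB2_SYSGEN_db2inst1_OPX_2020-10-19-17.51.55_81D83D47
EOF
  status=0
  missing_labels "$dir/source.txt" "$dir/target.txt" || status=$?
  rm -rf "$dir"
  return "$status"
}

demo || echo "import the labels listed above before restoring the database"
```

The listings contain only key labels, not key material, so they can be copied between servers for comparison; the extracted .sec files still need the same protection as the keystore itself.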