Migrating to another instance with an external database
You can migrate IBM® OpenPages® for IBM Cloud Pak for Data from one instance to another with an external database.
Procedure
- Back up the database encryption keys and secrets in the source environment. Do these steps so that the backup files can be decrypted in the target environment and so that the target environment has the same secrets as the source environment.
- Log in to the database server using
ssh
. - Switch to the database instance owner (
db2inst1
by default):su - db2inst1
- Locate the database encryption keys by running the following command:
gsk8capicmd_64 -cert -list -db /home/db2ext/sqllib/security/keystore/extdb_db.p12 -stashed
Look for a result that is similar to the following text:* default, - personal, ! trusted, # secret key # DB2_SYSGEN_db2inst1_OPX_2020-10-19-17.51.55_81D83D47 # DB2_SYSGEN_db2inst1_OPX_2020-10-19-17.56.05_AF8AC2F5
- Extract the keys from the keystore by running the following command:
gsk8capicmd_64 -secretkey -extract -db /home/db2ext/sqllib/security/keystore/extdb_db.p12 -stashed -target <label>.sec -format pkcs12 -label <label>
- Note the <label> of each key. You need this information later.
- Log in to the database server using
- In your source environment, log in to your Red Hat®
OpenShift® cluster as a project
administrator:
oc login OpenShift_URL:port
- Run the following commands. Note the secret that is returned by each command. You need
this information later.
oc get secret -n <openpages_project> openpages-instance_name-platform-secret -o jsonpath="{.data.encryption-key-pw}" oc get secret -n <openpages_project> openpages-instance_name-platform-secret -o jsonpath="{.data.keystore-pw}" oc get secret -n <openpages_project> openpages-instance_name-platform-secret -o jsonpath="{.data.opsystem-pw}"
In addition, you can migrate the initial secrets for the out-of-the-box user accounts. Do this, for example, if you did not change the initial password of a user account and you want to migrate the initial secret to your new instance. To get the secret, run the following command for each secret that you want to migrate:oc get secret -n <openpages_project> openpages-instance_name-initialpw-secret -o jsonpath="{.data.<user name>}"
Replace the following values:
Variable Replace with <instance_name> The name of your OpenPages instance. <openpages_project> The name of the OpenShift project where OpenPages is installed.
<user name> A user account. The encoded password of the account is displayed. Save the password. - Back up your source environment by doing an offline backup. See Backing up, restoring, and migrating OpenPages.
- Copy the backup files to the target environment.
- Copy the database backup to the /mnt/backup directory in the database server.
- Copy the extracted encryption key files to the database server.
- Copy the op_backup_<timestamp>.zip file from step 4 to one of the application server pods and place it in the /opt/ibm/OpenPages/openpages-backup-restore directory.
- Move all other op_backup_<timestamp>.zip files to a subfolder under /opt/ibm/OpenPages/openpages-backup-restore.
- Import the encryption keys to the target environment.
- Log in to the database server using
ssh
. - Switch to the database instance owner (
db2inst1
by default):su - db2inst1
- Import the encryption keys by running the following command for each key. Ensure the
<label> matches the <label> from the source
environment.
gsk8capicmd_64 -secretkey -add -db /home/db2ext/sqllib/security/keystore/extdb_db.p12 -stashed -label <label> -format pkcs12 -file <key_file_path>
For example:gsk8capicmd_64 -secretkey -add -db /home/db2ext/sqllib/security/keystore/extdb_db.p12 -stashed -label DB2_SYSGEN_db2inst1_OPX_2020-10-12-20.09.20_9F1D9078 -format pkcs12 -file /tmp/seckey/DB2_SYSGEN_db2inst1_OPX_2020-10-12-20.09.20_9F1D9078.sec
- Log in to the database server using
- In your target environment, log in to your Red Hat
OpenShift cluster as a project
administrator:
oc login OpenShift_URL:port
- Scale to 1 replica.
oc scale --replicas=1 sts/openpages-<instance_name>-sts -n <openpages_project>
To find the name of the StatefulSet (
sts
), runoc get sts
and look for a name that starts withopenpages-
. For example,openpages-opinst-sts
- Log in to the application server pod and open a terminal.
oc exec -it openpages-<instance_name>-sts-0 -n <openpages_project> -- /bin/bash
To find the pod name, run
oc get sts -n <openpages_project>
and look for a name that starts withopenpages-
. - Go to the /opt/ibm/OpenPages/openpages-backup-restore directory.
- Locate the op_backup_<timestamp>.zip file that you copied from your source environment. Use this file in step 12.
- Restore the backup by running the following commands:
cd /opt/ibm/OpenPages/aurora/bin ./OPRestore.sh <backup_filename_without_the_file_extension>
For example:cd /opt/ibm/OpenPages/aurora/bin ./OPRestore.sh op_backup_2021_01_20_21_43_04
- Stop the application server pods.
- Scale down to 0 replicas.
oc scale --replicas=0 sts/openpages-<instance_name>-sts -n <openpages_project>
- Wait until all application server pods are deleted.
- Scale down to 0 replicas.
- Log in to the database server using
ssh
. - Restore the database. Do the steps in the following task: Restoring a Db2 database.
- Replace the database name
BLUDB
withOPX
. - Replace
backup_dir
with /mnt/backup
Do the steps in the following task: Restoring a Db2 database.- Replace the database name
BLUDB
withOPX
. - Replace
backup_dir
with /mnt/backup
For more information, see Restoring an encrypted backup image to a different system with a local key manager
- Replace the database name
- Restore the secrets into the target environment.
oc edit secrets -n <openpages_project> openpages-<instance_name>-platform-secret
- Update the values for each secret based on the values in your source
environment. For more information, see Secrets in the Kubernetes documentation.
- If you want to restore the initial secrets for the out-of-the-box user accounts, run
the following command:
oc edit secrets -n <openpages_project> openpages-<instance_name>-initialpw-secret
Do this, for example, if you did not change the initial password of an out-of-the-box user account and you want to migrate the account's initial secret from your old instance to your new instance.
- Update the values for each secret based on the values in your source
environment.
- Scale up to the number of replicas you want to use for the application
server by running the following command:
oc scale --replicas=<#_of_replicas> sts/openpages-<instance_name>-sts
Replace the following values:
Variable Replace with <#_of_replicas> Specify the number of replicas. Can be 1 or more.
<StatefulSet_name> Specify the name of the StatefulSet for the application. To find the name of the StatefulSet, run
oc get sts
and look for a name that starts withopenpages-
.For example,
openpages-opinst-sts