Upgrade to DS 7: Upgrade In Place

Save this as `2b-upgrade-to-ds-7-in-place-and-cleanup.sh`, and replace the placeholder values (`BASE_DIR`, the deployment key, and the sample passwords) before running it:

#!/usr/bin/env bash
# Copyright 2021 ForgeRock AS. All Rights Reserved
#
# Use of this code requires a commercial software license with ForgeRock AS.
# or with one of its affiliates. All use shall be exclusively subject
# to such license between the licensee and ForgeRock AS.
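# Abort on the first failing command, on any unset variable, and on a failure
# anywhere in a pipeline; every step below depends on the previous one.
set -euo pipefail

# Upgrade two DS/RS replicas from 6.5 to 7.
#
# Deployment-specific settings. Each may be supplied from the environment so
# the deployment key and its password need not be committed to this file;
# the defaults below are sample values and must be replaced for a real
# deployment (BASE_DIR in particular is a placeholder path).
#   ZIP                 DS 7 distribution archive to unpack
#   BASE_DIR            directory containing the ds-rs-1 and ds-rs-2 server roots
#   FQDN                host name of this deployment (set here, used by later steps if at all)
#   DEPLOYMENT_KEY      deployment key shared by the whole topology (DS 7 security model)
#   DEPLOYMENT_PASSWORD password protecting the deployment key
ZIP=${ZIP:-${HOME}/Downloads/DS-7.0.1.zip}
CURRENT_DIR=$(pwd)
BASE_DIR=${BASE_DIR:-/path/to}
FQDN=${FQDN:-localhost}
DEPLOYMENT_KEY=${DEPLOYMENT_KEY:-AMdhPkZJxwoEjwx3zV1IGOccAHNvvQ5CBVN1bkVDdmCLA99ueRm6Cg}
DEPLOYMENT_PASSWORD=${DEPLOYMENT_PASSWORD:-password}

# All server paths below are relative to BASE_DIR; fail here if it is wrong.
cd "${BASE_DIR}"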

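echo "### Perform rolling upgrade of DS 6.5 servers"
# Unpack the DS 7 distribution once into ./opendj, lay it over each server
# root in turn (one server at a time so the other replica keeps serving), and
# remove the unpacked copy afterwards.
unzip -q "${ZIP}"
for server in ds-rs-1 ds-rs-2; do
    echo "#### Stop ${server}"
    "./${server}/bin/stop-ds"
    echo "#### Overwrite ${server} software with new version"
    # Only the software is replaced; config/ and db/ under the server root are left for the upgrade tool.
    cp -rf opendj/* "${server}/"
    echo "#### Update Java version"
    # Switch the JVM path from the JDK 8 to the JDK 11 package location.
    # NOTE(review): this assumes the Debian/Ubuntu OpenJDK package paths; adjust
    # the pattern for other distributions. Written to a .new file first and then
    # moved into place so a failed sed leaves the original java.properties intact.
    sed "s/java-8-openjdk-amd64/java-11-openjdk-amd64/" "./${server}/config/java.properties" >"./${server}/config/java.properties.new"
    mv "./${server}/config/java.properties.new" "./${server}/config/java.properties"
    echo "#### Run upgrade"
    "./${server}/upgrade" --force --acceptLicense --no-prompt
    echo "#### Start ${server}"
    "./${server}/bin/start-ds"
done
rm -rf -- opendj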

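echo "### Update schema files"
# Replace the core and password-policy-extension schema files with the DS 7
# templates delivered by the upgrade. db/schema is only edited while the
# server is stopped.
for server in ds-rs-1 ds-rs-2; do
    "./${server}/bin/stop-ds"
    for file in 00-core.ldif 03-pwpolicyextension.ldif; do
        cp -- "${server}/template/db/schema/${file}" "${server}/db/schema/"
    done
    "./${server}/bin/start-ds"
done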

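echo "### Use new security model"
# Move each server onto the DS 7 deployment-key security model:
#   1. derive the master key pair and the deployment CA certificate from the
#      shared deployment key and place them in config/keystore (the CA cert is
#      what lets this keystore also serve as the trust store below);
#   2. create a TLS key pair signed by that CA;
#   3. with the server offline, point the administration connector, the
#      connection handlers, replication and the crypto manager at the new key
#      pair and at a PKCS12 trust manager backed by the same keystore.
# The deployment key password is taken from DEPLOYMENT_PASSWORD (previously a
# hard-coded literal here). It is still passed on the command line and is thus
# visible to other local users via the process list; restrict who can run this
# script, or prefer a *PasswordFile option if the tool offers one (TODO confirm).
# NOTE(review): FQDN is defined at the top of the script but not used here, so
# the TLS certificate carries only the subject CN=DS,O=ForgeRock; confirm whether
# any client validates the server host name against it.
for server in ds-rs-1 ds-rs-2; do
    keystore="${server}/config/keystore"
    keystore_pin="${server}/config/keystore.pin"
    config_ldif="${BASE_DIR}/${server}/config/config.ldif"

    "./${server}/bin/dskeymgr" export-master-key-pair \
        --alias master-key \
        --deploymentKey "${DEPLOYMENT_KEY}" \
        --deploymentKeyPassword "${DEPLOYMENT_PASSWORD}" \
        --keyStoreFile "${keystore}" \
        --keyStorePassword:file "${keystore_pin}"

    "./${server}/bin/dskeymgr" export-ca-cert \
        --deploymentKey "${DEPLOYMENT_KEY}" \
        --deploymentKeyPassword "${DEPLOYMENT_PASSWORD}" \
        --keyStoreFile "${keystore}" \
        --keyStorePassword:file "${keystore_pin}"

    "./${server}/bin/dskeymgr" create-tls-key-pair \
        --deploymentKey "${DEPLOYMENT_KEY}" \
        --deploymentKeyPassword "${DEPLOYMENT_PASSWORD}" \
        --keyStoreFile "${keystore}" \
        --keyStorePassword:file "${keystore_pin}" \
        --subjectDn CN=DS,O=ForgeRock

    # The remaining changes edit config.ldif directly, so the server must be down.
    "./${server}/bin/stop-ds"

    # Trust manager reading the CA certificate exported into config/keystore;
    # the PIN is resolved by the server from config/keystore.pin at load time.
    "./${server}/bin/dsconfig" create-trust-manager-provider \
        --set enabled:true \
        --set trust-store-file:config/keystore \
        --set "trust-store-pin:&{file:config/keystore.pin}" \
        --set trust-store-type:PKCS12 \
        --type file-based \
        --provider-name PKCS12 \
        --offline \
        --configFile "${config_ldif}" \
        --no-prompt

    "./${server}/bin/dsconfig" set-administration-connector-prop \
        --set ssl-cert-nickname:ssl-key-pair \
        --set trust-manager-provider:PKCS12 \
        --offline \
        --configFile "${config_ldif}" \
        --no-prompt

    # HTTPS, LDAP and LDAPS all switch to the same certificate and trust manager.
    for handler in HTTPS LDAP LDAPS; do
        "./${server}/bin/dsconfig" set-connection-handler-prop \
            --handler-name "${handler}" \
            --set ssl-cert-nickname:ssl-key-pair \
            --set trust-manager-provider:PKCS12 \
            --offline \
            --configFile "${config_ldif}" \
            --no-prompt
    done

    "./${server}/bin/dsconfig" set-synchronization-provider-prop \
        --provider-name "Multimaster Synchronization" \
        --set "key-manager-provider:Default Key Manager" \
        --set ssl-cert-nickname:ssl-key-pair \
        --set trust-manager-provider:PKCS12 \
        --offline \
        --configFile "${config_ldif}" \
        --no-prompt

    # Encrypted data and reversible passwords are protected by the master key
    # pair exported above.
    "./${server}/bin/dsconfig" set-crypto-manager-prop \
        --set master-key-alias:master-key \
        --set "key-manager-provider:Default Key Manager" \
        --offline \
        --configFile "${config_ldif}" \
        --no-prompt

    "./${server}/bin/start-ds"
done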

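echo "### Run cleanup command"
# Remove the pre-7.0 replication topology data now that both replicas run DS 7.
# Runs once, against ds-rs-1's administration connector on port 14444.
# The TLS connection is validated against the deployment CA exported into
# ds-rs-1's keystore (the same trust store the status check at the end uses)
# instead of --trustAll, so the directory manager credentials are only ever
# sent to a server holding a deployment-CA-signed certificate.
# The bind password defaults to the sample value; export BIND_PASSWORD to avoid
# editing this file. It still appears on the command line, and therefore in the
# process list, so restrict who can run this script.
./ds-rs-1/bin/dsrepl \
    cleanup-migrated-pre-7-0-topology \
    --bindDn "cn=Directory Manager" \
    --bindPassword "${BIND_PASSWORD:-password}" \
    --hostname localhost \
    --port 14444 \
    --trustStorePath "${BASE_DIR}/ds-rs-1/config/keystore" \
    --trustStorePassword:file "${BASE_DIR}/ds-rs-1/config/keystore.pin" \
    --no-prompt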

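echo "### Remove admin data (skip this step if you have encrypted data or passwords)"
# Drop the legacy cn=admin data backend and its replication domain on each
# server, then delete its database files. Done offline against config.ldif.
# As the message above says, do not run this if the deployment still has
# encrypted data or reversible passwords that depend on the old admin data.
for server in ds-rs-1 ds-rs-2; do
    config_ldif="${BASE_DIR}/${server}/config/config.ldif"

    "./${server}/bin/stop-ds"

    "./${server}/bin/dsconfig" delete-backend \
        --backend-name adminRoot \
        --offline \
        --configFile "${config_ldif}" \
        --no-prompt

    "./${server}/bin/dsconfig" delete-replication-domain \
        --provider-name "Multimaster Synchronization" \
        --domain-name "cn=admin data" \
        --offline \
        --configFile "${config_ldif}" \
        --no-prompt

    # The domain no longer exists, so it must not stay listed as a changelog exclusion.
    "./${server}/bin/dsconfig" set-replication-server-prop \
        --provider-name "Multimaster Synchronization" \
        --remove "changelog-enabled-excluded-domains:cn=admin data" \
        --offline \
        --configFile "${config_ldif}" \
        --no-prompt

    # Quoted and guarded: ${server} is never empty here, so this cannot expand to db/adminRoot at BASE_DIR.
    rm -rf -- "${server:?}/db/adminRoot"
    "./${server}/bin/start-ds"
done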

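echo "### Cleanup is finished."
echo

echo "### Running dsrepl status..."
# Final check of the replication topology over the new TLS setup. The server
# certificate is verified against the deployment CA in ds-rs-1's keystore.
# BIND_PASSWORD may be exported to override the sample directory manager
# password; it is passed on the command line and so is visible in the process
# list while the command runs.
./ds-rs-1/bin/dsrepl \
    status \
    --hostname localhost \
    --port 14444 \
    --bindDN "cn=Directory Manager" \
    --bindPassword "${BIND_PASSWORD:-password}" \
    --trustStorePath "${BASE_DIR}/ds-rs-1/config/keystore" \
    --trustStorePassword:file "${BASE_DIR}/ds-rs-1/config/keystore.pin" \
    --no-prompt

echo
echo "### Consider deprecating older password storage in favor of PBKDF2-HMAC-SHA256 or better."
echo "### For an example, see https://backstage.forgerock.com/docs/ds/7/security-guide/passwords.html#example-deprecate-storage-scheme"

# Return to the directory the script was started from.
cd "${CURRENT_DIR}"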