Synchronize Key Database Instances for r6.x

Previous versions of the Policy Server used a local smkeydatabase to store certificate data. Each Policy Server required its own smkeydatabase. For versions 12.5x and later, a centralized certificate data store (CDS) replaced the smkeydatabase.
Before you upgrade to a new Policy Server, synchronize all smkeydatabase instances. As part of a Policy Server upgrade, the Policy Server installer automatically backs up the local smkeydatabase and migrates to the CDS. You can also manually migrate to the CDS. Regardless of the method, the smkeydatabases must be consistent.
To synchronize all smkeydatabase instances and resolve all data inconsistencies, use the smkeytool utility. For information about the smkeytool, see Policy Server Tools under the Administrating section.
If the migration of the smkeydatabase fails, do not return the Policy Server to the environment. Returning the Policy Server after a failed migration causes all transactions that require the certificate data to fail.
Verify the following conditions to identify and resolve data inconsistencies among your smkeydatabases:
  • Each Certificate Authority certificate references certificate revocation lists consistently across instances, such as in an LDAP directory service.
  • The same Certificate Authority certificates map to the same certificate revocation lists.
  • The defaultenterpriseprivatekey alias represents the same private key/certificate pair in all instances.
  • The same alias maps to the same certificate or key/certificate pair.
  • A revoked or expired certificate is not present.
  • All CRL information is valid.
After you resolve all data inconsistencies, we recommend that you do not modify a smkeydatabase until all migrations are complete.
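
Several of the conditions listed above (alias-to-certificate mapping, CA-certificate-to-CRL mapping, expiry) can be compared across instances with a short script once each instance's entries are collected. The following is an added example, not part of the product or its documentation: the inventory layout, host names, fingerprints, and the `find_inconsistencies` function are assumptions. Revocation status and CRL validity still have to be checked separately.

```python
from datetime import datetime, timezone

# Constructed sample inventories, one per Policy Server instance. The layout is
# hypothetical: alias -> fingerprint, expiry date, and CRL location (CA certs).
SAMPLE = {
    "ps1": {
        "defaultenterpriseprivatekey": {"fp": "AA11", "not_after": "2031-01-01", "crl": None},
        "rootca": {"fp": "CC33", "not_after": "2035-06-30", "crl": "ldap://dir.example/cn=crl1"},
        "partner1": {"fp": "DD44", "not_after": "2020-03-15", "crl": None},
    },
    "ps2": {
        "defaultenterpriseprivatekey": {"fp": "BB22", "not_after": "2031-01-01", "crl": None},
        "rootca": {"fp": "CC33", "not_after": "2035-06-30", "crl": "ldap://dir.example/cn=crl2"},
    },
}


def find_inconsistencies(inventories, now=None):
    """Return sorted (subject, problem) pairs for the offline-checkable conditions."""
    now = now or datetime.now(timezone.utc)
    findings = set()
    crls_by_fp = {}
    aliases = {alias for inv in inventories.values() for alias in inv}
    for alias in aliases:
        holders = {h: inv[alias] for h, inv in inventories.items() if alias in inv}
        # Assumption: an alias absent from an instance counts as an inconsistency.
        for host in set(inventories) - set(holders):
            findings.add((alias, f"missing on {host}"))
        # The same alias must map to the same certificate or key/certificate pair.
        if len({e["fp"] for e in holders.values()}) > 1:
            findings.add((alias, "maps to different certificates"))
        for host, entry in holders.items():
            crls_by_fp.setdefault(entry["fp"], set()).add(entry["crl"])
            expiry = datetime.fromisoformat(entry["not_after"]).replace(tzinfo=timezone.utc)
            if expiry < now:
                findings.add((alias, f"expired on {host}"))
    # The same CA certificate must reference the same CRL on every instance.
    for fp, crls in crls_by_fp.items():
        if len(crls) > 1:
            findings.add((fp, "references different CRLs"))
    return sorted(findings)


if __name__ == "__main__":
    for subject, problem in find_inconsistencies(SAMPLE):
        print(f"{subject}: {problem}")
```

An empty result means the collected inventories agree on these points; any finding should be resolved before the migration.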