  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1143

Cross certification of a domain with a single server outside that domain

We have installed a new 6.5 server and are now trying to get access for the users. For a whole lot of reasons, the server has a separate domain. We had it working on an old 5.01 server but the hardware is failing and we need to go to 6.5 anyway. So we set up a new server.

We had the users accessing the old server without cross certifying the users separately.

The users are organised as: name/dept/company
The server is dept2/company2

What we want is to cross certify the users to give them access to the server.
The more I read about this, the more I get confused.

What is the step by step process to cross certify the */dept/company on our new server?
I do not remember ever using a safe id of the dept/company cert.id to cross certify.
I thought we used a subset of a user id file, but that seems not right.

Sorry for the rambling post, but it does need a little detail I think.


0
Lykle
Asked:
Lykle
1 Solution
 
RanjeetRain Commented:
I assume you will be accessing your old domain from your new domain for read only purposes. Do this:

-> Login to the old server as admin
-> Open the old server's address book (global)
-> Go to certificates view
-> Click the Add certifier action button
-> Fill in the details
-> Choose your NEW server's cert.id file as the source and OLD server's id as to be certified

You will need to have the certifier passwords. Also reboot your server (I am not sure whether it is required or not).
0
 
Lykle (Author) Commented:
Hmm, no not really.

The users have a main id, they use this for all the apps on the dept/Company network.

But this specific server has a different cert.id
But the users still need to access the server as if it is in their domain.
So users with name/dept/company need to fully access the server dept2/company2
I can't seem to figure out what needs to be cross certified with what.
0
 
Bozzie4 Commented:
You can cross certify your 2 organizations, use the Domino Administrator to do that (configuration tab, tools/certification/cross certify)

Create a safe id for the 2 cert.id's, and then cross certify one with the other (in both directions).

You can also open the admin client on the server1, and access server 2 -> you will be prompted if you want to accept the certificate, and which certificate (the root or the server).  Do this for server 2 -> server 1 too, and the result is the same.
0
 
Bozzie4 Commented:
The reason to create safe.id's and not use the cert.id is that you can safely mail the safe.id around (for instance to another company, if you want to cross certify 2 servers and use Notes RPC between each other), or work with it, it won't affect your cert.id.  
Although I think it's possible to really use both the cert.id files to do the cross certification, I wouldn't recommend it, and I would definitely take the safe route, that is create the safe id's.

cheers,

Tom
0
 
Lykle (Author) Commented:
Thanks Bozzie4,
I agree that that is the normal way to do it, using safe.ids.
The strange thing is that I am very sure that we did not use cert.id or a safe id of the dept/company domain. That is one of the reasons we have a separate domain, the company IT admins do not want "wild" servers on their network.

But it has been done, so you are probably right.
0
 
qwaletee Commented:
There is an easier way, if the 6.5 server has not gone to production yet. Transition all the files from the 5 box to the 6 box, switch IP addresses and server IDs, and you are done. The existing x-cert will apply.
0
 
Lykle (Author) Commented:
That's what we tried.
I still can't figure out why that didn't work.
Next option is to put all data on the new server and upgrade the server with all the various upgrades.

Ah well. I think we have been bouncing it around enough now.
So, who do I give it to?

I think Bozzie
0
 
Bozzie4 Commented:
Well, you can cross certify between every id that's available (user.id - server.id, user.id - cert.id, server.id - cert.id, ...), and it's not always necessary to create a safe id (like the example of cross certifying the servers shows).

If you can, follow qwaletee's advice of keeping your configuration using the same id's - that's a lot simpler.

cheers,

Tom
0
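
Added example, not part of the original thread: a simplified Python model of the point made in the replies above, that a cross certificate can be issued at any level (organisation, OU, server or user) and has to exist in both directions. The server name `srv1/dept2/company2` and all function names are assumptions for illustration; real Notes authentication also verifies keys and signatures, which this model leaves out.

```python
# Simplified model of Notes/Domino cross-certificate coverage (added example).
# Names use the abbreviated hierarchical form from the thread: name/dept/company.

def norm(name):
    """Lower-case a hierarchical name and drop stray slashes and spaces."""
    return "/".join(p.strip().lower() for p in name.strip("/").split("/"))

def ancestors(name):
    """The name itself plus every certifier above it, most specific first.
    'name/dept/company' -> ['name/dept/company', 'dept/company', 'company']"""
    parts = norm(name).split("/")
    return ["/".join(parts[i:]) for i in range(len(parts))]

def trusts(holder, other, cross_certs):
    """True if some cross certificate issued by `holder` (or one of its
    ancestors) is issued to `other` (or one of other's ancestors).
    cross_certs is an iterable of (issued_by, issued_to) pairs."""
    by, to = set(ancestors(holder)), set(ancestors(other))
    return any(norm(b) in by and norm(t) in to for b, t in cross_certs)

def can_authenticate(user, server, cross_certs):
    """Access needs a covering cross certificate in BOTH directions."""
    return trusts(server, user, cross_certs) and trusts(user, server, cross_certs)

USER = "name/dept/company"        # user naming scheme from the question
SERVER = "srv1/dept2/company2"    # hypothetical server under dept2/company2

# Constructed sample sets of cross certificates (issued_by, issued_to).
ONE_WAY = [("dept2/company2", "dept/company")]
BOTH_WAYS = ONE_WAY + [("dept/company", "dept2/company2")]
# Narrow variant: the server's organisation certifies one user ID only,
# and that user certifies the single server ID.
NARROW = [("company2", USER), (USER, SERVER)]

if __name__ == "__main__":
    for label, certs in [("one way", ONE_WAY), ("both ways", BOTH_WAYS),
                         ("narrow", NARROW)]:
        print(label, can_authenticate(USER, SERVER, certs))
    # A second user under the same OU is not covered by the narrow set.
    print("narrow, other user",
          can_authenticate("other/dept/company", SERVER, NARROW))
```

Cross certifying at the OU level (`dept/company` with `dept2/company2`) covers every `*/dept/company` user at once, while certifying a single user or server ID covers only that ID.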
 
CRAK Commented:
And we have a 1st entry in Top-15!
Congrats buddy!
0
 
Bozzie4 Commented:
The first and already no longer the only one ...  I once ranked number 1 anyway :-)

Tom
0
