
Cross certification and server docs - 2 domains / 2 different releases

Hi all

I thought I had done this in the past, but I'm having trouble repeating the process....

Ok, then :

1 - Cross certify ORG id's (@ org level) - no problems until here
2 - Create connections between 2 servers in different domains - no problems either
3 - Create server documents across domains/pabs ... ok here is the problem...

Copy server document for server1/ORG1 (R5) and paste it in ORG2(R6.5) directory - FAILS
Copy server document for server1/ORG2 (R6.5) and paste it in ORG1(R5) address book - FAILS

ok how do I do this? not copying / pasting ? help?
0
sync957p
Asked:
 
Sjef BosmanGroupware ConsultantCommented:
Not copying, indeed. Open the Admin client, go for Certificates and Create Cross-certificate.
0
 
sync957pAuthor Commented:
No, sjef... in cross certification i have no problems.

What I want is to create server documents across different domains, so I can
have an entry for server1/ORG1 in ORG2's address book and vice versa.
0
 
Bozzie4Commented:
Why would you want to do that ????

0
 
sync957pAuthor Commented:
hummmm .... directory assistance across domains?

Let me check this :

2 different domains, different releases.

1 - cross certify at ORG level
2 - create connection records so servers can "talk"
3 - Create a db based on DA template for each server (lets think in just 1 server per domain to simplify)
4 - Add each server to the other domain address book ACL

Ok, here I'm going to pause to ask - if I don't have an entry for server1/ORG1 in ORG2's address book, how
does adminp / ACL / etc. know who he is? :)
so ...
5 - Create server documents across domains/pabs
6 - Change setup profile / policies so workstations can use DA
0
 
Sjef BosmanGroupware ConsultantCommented:
Did you cross-certify domains or servers?
0
 
sync957pAuthor Commented:
What I cross certified was org.id's
0
 
Sjef BosmanGroupware ConsultantCommented:
Sorry, didn't see nr 1...

Adminp/ACL: it is up to the administrator to define ACL's. You can put anybody in the ACL, but only someone or some server which has been cross-certified can access this server.
0
 
sync957pAuthor Commented:
well ok, but do I need to copy the server document or not?

the error msg while pasting is :

" Cannot store document; database has too many unique field names. Please ask your administrator to compact the database "

I don't think it has anything to do with the subject in hand, since I already deleted the index and compacted the DB (names.nsf).

0
 
Bozzie4Commented:
No, you don't need to put in the server document.

Just use the NAME of the server (server1/Org2) in ACL  (of names.nsf on server1/Org1), or put it in the group OtherDomainServers (that's what it's for)

You can't create server documents across domains.  You must use the Administrator client to create servers (not only server documents, but also the certificates, and the id file).  So you should create the new server ('register' server) on the administration server for the domain.  Since you can access it (your servers are able to access it), you can too with your administration client.
This doesn't mean you (as a user for Org1) can't create servers in Org2.  But you MUST register them on the Administration server for that domain (well, at least on A server for that domain).
BTW : If your server can access the other, you can create a passthru connection document in your personal addressbook, so you can access the server from your workstation via your server (is that clear ?)

So DON'T put servers (document) from 1 organization in the addressbook of the other - it's not necessary and can only hurt you.

To create setup profiles and stuff, you can create them directly in the addressbook of the other org.  If you have a replica on your server (to use in dir. assistance) and you have specified this, you can do it on your own server, and replicate the changes back.  I would only do this if you do the replication back manually (so don't allow changes in the replica on your server to be replicated back !, if you have changes, replicate them manually, which you are allowed to do as manager (right ?)).  Policies, same thing, although I think it's best to create them from scratch in the other domain - I don't think they will survive being copy-pasted over databases ....

cheers,

Tom


0
 
Bozzie4Commented:
And you forgot 1 step in setting up directory assistance :

- create the dir ass. database on each server
- create REPLICA's of both names.nsf's on each server, and setup replication between the servers
- create the directory assistance documents on each server, using the local replica's.

cheers,

Tom
0
 
qwaleteeCommented:
Go to the database properties, advanced tab, and enable the allow more field option.  Shut down the server, run ncompact -c names.nsf, restart server, and all should be well.
0
 
sync957pAuthor Commented:
wait a sec... qwaletee are you telling that my procedure was correct? bozzie just stated I shouldn't do that.

can you please explain?

0
 
Bozzie4Commented:
No, your procedure is not correct.  Well, it's not correct as long as you are not trying to merge your domains.  But you should still enable that option (it's enabled by default in a new installation, and I think (but I'm not sure) it's enabled when doing an upgrade too).

cheers,

Tom
0
 
sync957pAuthor Commented:
Sorry about the offtopic :

Are you all experts from Portugal / England ?

Just noticed the GMT+00:00 in your posts
0
 
Bozzie4Commented:
Belgium -  not GMT :-)  But I think you see all times displayed in your own timezone/timeformat....

cheers,

Tom
0
 
sync957pAuthor Commented:
Well I thought that cross certification went well, but as it turned out, it didn't.

When I open the DA database I created in both domains and servers across a domain ( admin.id for DOMAIN 1 opens Directory Assistance DB in server in DOMAIN 2 ) I get a warning that I need to cross certify.

What went wrong with cross certification ? I followed the admin client help procedures (cross certify via "postal service")

Created Safe copies, etc.. and I have a cross certification document, under "certificates" in both domain/orgs.

help?
0
 
Sjef BosmanGroupware ConsultantCommented:
What do your cross-certificates look like? If the Domains are cross-certified, then you should have a Xref-document under the category Notes Cross Certificates\DomainA with the name /DomainB, and vice versa. If you cross-certified just id's, then you'll see a Xref-document under the category Notes Cross Certificates\DomainA with the name John Do/DomainB.

Did you get any error messages in the log databases?
0
 
sync957pAuthor Commented:
Sjef,

They look just like you mentioned in your first description ( Xref-document under the category Notes Cross Certificates\DomainA with the name /DomainB, and vice versa ).

I get no errors in the log ( I looked in log.nsf under miscellaneous events and in DOMAIN's certification log )

One thing I noticed in the certification log, when I open the cross certification document, is that the "license type" for the cross certified domain is "unknown" instead of "north american" or "international" - could this be the problem?
0
 
Sjef BosmanGroupware ConsultantCommented:
Back to the start: how did you create those cross-certificates? Did you copy and paste those documents? Creating a cross-certificate can best be done as follows:
- get (a (safe) copy of) an id-file on DomainA (safe copy is not required)
- get an Admin client on DomainB
- get a certifier-id for DomainB
- run cross-certification for DomainA on DomainB using a server of DomainB
- repeat the lot for DomainB on DomainA, with the certifier-id for DomainA
0
 
sync957pAuthor Commented:
that was exactly it.

I performed the cross certification using the admin client(s), let's not forget the domains use different releases (6.5.2 and 5.11)
0
 
Sjef BosmanGroupware ConsultantCommented:
Okay. Different releases: no big deal usually.

What happens when you try to access a server in DomainB with a user-id created for DomainA? From a normal Notes client? So ^O (or File/Database/Open), select or type the server from DomainB, and click Open so it will find the databases on the server. Does it show any database at all? If it does, then certification is indeed successfully completed.

The DA database is the same (replica) database on both systems? From the About in the DA database:
"To set up directory assistance, you create the Directory Assistance database from the DA50.NTF template. In the Directory Assistance database you define naming rules that associate naming hierarchies with each domain--this allows Notes to search only Public Directories of domains associated with those naming hierarchies when resolving the name of a recipient from another domain. You also use the Directory Assistance database to point to one or more strategically-located replicas of each domain's Public Directory. You then create a replica of the Directory Assistance database on all servers in each domain."
0
 
sync957pAuthor Commented:
When I do what you mentioned the notes client suggests I create a cross certificate....

Perhaps I should repeat the entire process ?

What should I do to erase the cross certification I created ? Just delete the cross certification docs ?

Thanks
0
 
Sjef BosmanGroupware ConsultantCommented:
Indeed it might be best to do it again. I must say I never uncrossed a certification, so to make sure you could move those cross-certificate documents out of the way, i.e. cut and paste them into a separate database.

Good luck!
0
 
sync957pAuthor Commented:
Sorry for making this a 2-in-1 question, guys.

Thanks for making me realize my initial stupidity ( trying to paste server documents across domains ).

As for the cross certification issue I just found out that this is really how cross certification works ( while talking to Lotus Support )... what I mean is : it doesn't matter if you cross certified at ORG level... all users will receive a notice to create a cross certificate in their personal address book, when they access a db in the other domain for the first time.

As usual thanks all for pointing me in the right directions.

0
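The behaviour reported in the post above, as an added Python model that is not part of the original thread and is not Lotus code: a Domino server looks up cross-certificates in its Domino Directory, while a Notes client looks in the user's personal address book, so org-level cross-certificates in both directories still leave each user with a first-access prompt. The user name Admin/ORG1, the function names and the data layout are assumptions made for illustration.

```python
# Simplified model of Notes/Domino cross-certificate lookup (added example).
# A cross-certificate is modelled as a pair (issued_by, issued_to).
# All names and directory contents below are constructed sample data.

def ancestors(name):
    """'Admin/Sales/ORG1' -> ['Admin/Sales/ORG1', '/Sales/ORG1', '/ORG1']"""
    parts = name.split("/")
    return [name] + ["/" + "/".join(parts[i:]) for i in range(1, len(parts))]

def has_cross_cert(store, local, remote):
    """True if the store holds a cross-certificate issued by the local ID
    (or one of its certifiers) to the remote ID (or one of its certifiers)."""
    return any((issuer, subject) in store
               for issuer in ancestors(local)
               for subject in ancestors(remote))

def first_access(user, personal_address_book, server, server_directory):
    """Outcome when a user from one org opens a database on a server
    in the other org. The client checks its own address book first."""
    if not has_cross_cert(personal_address_book, user, server):
        return "prompt: create cross-certificate in personal address book"
    if not has_cross_cert(server_directory, server, user):
        return "denied: server directory has no cross-certificate for user"
    return "authenticated"

# Org-level cross-certificates stored in each domain's Domino Directory.
ORG1_DIRECTORY = {("/ORG1", "/ORG2")}
ORG2_DIRECTORY = {("/ORG2", "/ORG1")}

def demo():
    results = {}
    # Server-to-server: both directories hold an org-level cross-certificate.
    results["server_to_server"] = (
        has_cross_cert(ORG1_DIRECTORY, "server1/ORG1", "server1/ORG2")
        and has_cross_cert(ORG2_DIRECTORY, "server1/ORG2", "server1/ORG1"))
    # A user whose personal address book is still empty gets the prompt.
    pab = set()
    results["before"] = first_access("Admin/ORG1", pab, "server1/ORG2", ORG2_DIRECTORY)
    # Accepting the prompt stores a cross-certificate issued by the user's ID.
    pab.add(("Admin/ORG1", "/ORG2"))
    results["after"] = first_access("Admin/ORG1", pab, "server1/ORG2", ORG2_DIRECTORY)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
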
 
sync957pAuthor Commented:
And just a notice for all you Lotus Administrators and/or employees out there :

Shouldn't the administrator's client help include some lines to explain this behaviour ( cross certification dialog boxes to end users) to admins?

I think that at least Rob Kirkland's book should include this...
0
