Signing Databases Using AdminP

Have issues with ECL errors when people are making changes to databases. I wish to write a bit of LotusScript that will sign the database with the server ID. The databases that need to be signed will reside on various servers but will all need signing with ONE server ID. I have tried the following code:

Sub Initialize
      Dim session As New NotesSession
      Dim adminp As NotesAdministrationProcess
      Dim dbserver As String   ' server holding the database to sign (fill in)
      Dim dbname As String     ' path to the database that needs signing (fill in)
      dbserver = "SERVERB/ORG"     ' placeholder value
      dbname = "path\db.nsf"       ' placeholder value
      Set adminp = session.CreateAdministrationProcess("servera")    ' server that needs to be used to sign the database
      noteID$ = adminp.SignDatabaseWithServerID(dbserver, dbname, False) ' returns "" if no AdminP request was created
End Sub

This doesn't seem to be working.  Can anyone help?

We are using R6 - 6.0.3
androgyny7 asked:
Sjef Bosman (Groupware Consultant) commented:
What isn't working? Nothing happens? Error messages? Info in log.nsf??

You checked the return value in noteID$ ? Where did you put your code? If in an agent, did you use the debugger?
SysExpert commented:
Why work so hard? Use the Notes Admin client to sign the database with the Server ID that you need, on one Server, and it will replicate to all the others.

I hope this helps !
Sjef Bosman (Groupware Consultant) commented:
I assumed a repeated task...

androgyny7 (Author) commented:
Sjef, you assumed correctly that it is a repeated task. Plus the people who will need to use this code do not have access to the admin client to sign the database with the server ID.

I want to set it up as a scheduled agent so that the users can create a document with the database details and it will sign the database.

With regards to it not working: nothing seems to happen. I first tried it as a manual agent using the debugger and nothing was set for noteID$??? Tried it as a scheduled agent and log.nsf shows that it ran with no errors. Both as a manual agent and scheduled, the agent was signed by the server.
SysExpert commented:
I am not sure that AdminP can sign using any ID but the server it is running on.

For anything else, it needs access to the ID itself, probably.

You may need to schedule your agent accordingly.

I hope this helps !
Sjef Bosman (Groupware Consultant) commented:
And another question: is the call to CreateAdministrationProcess successful?

According to the Help documentation, adminp will have a non-Nothing value when an AdminP document has successfully been created. I assume Author-access is required to the adminp-database:
    "The parameter to CreateAdministrationProcess must be the name of the server
    containing the Administration Requests database (ADMIN4.NSF). An empty string
    means the local computer. The server must contain a replica of the Certification
    Log. You must have access privileges to the Domino Directory on the server for
    Administration Process requests that use it."

The SignDatabaseWithServerID method will return the NoteID of the document created in the AdminP-database. If it returns the empty string, no document is created.

Questions are:
- is there a replica of the Certification Log on the server?
- do you have sufficient access rights to the Domino Directory (NAB)?
marilyng commented:
Hi androgyny7,
Forgive me, but I have a slight problem with automatically signing anything with any ID. If people are making changes to databases that are not tested, signing with the server ID will make it possible for people to create invasive agents and run them without recourse. Causing much damage... :)

Instead, create a few signing IDs, some with restricted ability to run agents, some with full unrestricted rights, and add those to the setup profiles. Once you configure the setup profiles and change them, the ECLs will update on the clients.

Then invest in signEZ from ytria.com; there you can store your "signing" IDs and decide WHO can use WHICH ID to sign databases, and they won't need or know the password for the ID. If someone misuses the signing, then remove them from the list. If they sign invasive stuff, it is easy enough to know who did it, because Ytria doesn't remove the last-updated-by values like AdminP does; it just signs, and you'll always know who made the last update.

If they are competent enough to make design changes, then they need to take on the responsibility of signing without you compromising the ECL security of Notes.

In my opinion, it's a mistake to pursue any automatic signing.

Regards!
androgyny7 (Author) commented:
marilyng, we are not "automatically" signing databases. When developers make changes they get tested on our development servers. When they are ready to be moved to production, that is when they need signing.

What I want to happen is that these developers log a request in the database and then a scheduled agent will pick up that request and sign the database with a server id.
androgyny7 (Author) commented:
Sjef,

- there is a replica of the Certification Log on the server; however, I don't have access to that.
- I have Author access to the NAB.

The call to CreateAdministrationProcess returns the following:

AdminP     [False, "", "", "", False]
UserCertificateAuthority - False
CertificateAuthorityOrg - ""
CertifierFile - ""
CertifierPassword - ""
CertificateExpiration - ["24/03/2008 08:43:39 GMT",...]
IsCertificateAuthorityAvailable - False

As the noteID$ is returning an empty string, no document is being created in the AdminP db.
Sjef Bosman (Groupware Consultant) commented:
I suppose you need Author access to the AdminP db as well. By the way, I never tried these calls myself...
androgyny7 (Author) commented:
First time for everything :)

I have checked the AdminP database and I have Depositor access.

It might not be possible to do what I want then, to sign a database using AdminP. AdminP uses server "A" and I want to sign the databases on server "B".

Sjef Bosman (Groupware Consultant) commented:
Normally, AFAIK, admin4.nsf is replicated to all servers in the same domain.
marilyng commented:
That is if you have one administration server for the NAB, so if A is the administration server for all of xyzdomain, then all AdminP requests go to this server, which then replicates the requests to the other servers.

1. Databases to be signed must have an administration server assigned to them in the ACL.
2. The agent signer must have Manager rights to the database to be signed, and permission to run unrestricted agents on the server.
3. All users should have Author access to the AdminP database so that they can send name change requests and password change requests, with permission to create documents.
4. This agent must run with full administration rights; therefore whoever saves it must have full administration rights.
5. If the request is to another server, B, then this will create a document in A, and A should send the request to B. In all cases the request should be done on the Administration server for the NAB. (I think)

As Sjef says, requests to AdminP are replicated to other AdminP databases, so if a name change occurs, the request goes from the hub and then all servers in xyzdomain act on the request, checking all the databases in their control and sending back a "done" message.

This was tested on one server. Fill in your email address to receive a log, the target server and the target database PATH:

Sub Initialize
      'CONSTANTS TO SET BEFORE YOU RUN THIS AGENT.......................
      Const strTARGETSERVER = "TARGETSERVER/OU/O"      
      'Enter an email address for agent log report........... LEAVE BLANK FOR NO NOTIFICATION
      Const strEMAILADDRESS = "YOUREMAILADDRESS/OU/O"            
      Const strDBNAME = "PATH\TARGETDB.NSF"
      
      Dim session As New NotesSession      
      Dim curDB As NotesDatabase
      Set curDB = session.CurrentDatabase
      Dim curUser As New NotesName(session.UserName)
      Dim curServer As NotesName
      Dim targetServer As New NotesName(strTARGETSERVER)
      Dim agentLog As NotesLog
      Dim logFlag As Boolean
      'Turn on agent log here..............................................................................
      If strEMAILADDRESS = "" Then logFlag = False Else logFlag = True
      
      Dim msg As String      
      msg = "Starting the Sign Database for: " + strDBNAME + " using permission of: " + curUser.abbreviated
      If logFlag Then
            Set agentLog = New NotesLog("Sign Database")
            Call agentLog.OpenMailLog(strEMAILADDRESS,"Results of Sign Database")
            Call agentLog.LogAction(msg)
      End If
      
      On Error Goto Handle_Error
      
      'Set current calling server........................
      If curDB.server <>"" Then
            Set curServer = New NotesName(curdb.Server)
      Else
            'Running on a local client, so find the mail db server...............
            Dim tmpVar As Variant
            'Evaluate returns a Variant array, not an object, so no Set here
            tmpVar = Evaluate({@Subset(@MaildbName;1)})
            If Len(tmpVar(0))>0 Then
                  Set curServer = New NotesName(tmpVar(0))
            Else
                  msg = "This agent is running on a local client...can't proceed without server name"
                  Print msg
                  If logFlag Then
                        Call agentLog.LogAction(msg)
                        Call agentLog.close
                  End If
                  Exit Sub            
            End If
      End If
      
      msg = "Running sign database for database: " + strDBName + " on server: " + targetServer.Common
      If logFlag Then Call agentLog.LogAction(msg)
      
      msg = "Sending adminp request to adminp.nsf on: " + curServer.Common
      If logFlag Then Call agentLog.LogAction(msg)
      
      Dim adminp As NotesAdministrationProcess      
      Set adminp = session.CreateAdministrationProcess(curServer.Abbreviated)
      If adminp Is Nothing Then
            msg = "Sorry unable to instantiate the adminp process.."
            If logflag Then Call agentLog.LogAction(msg)
            If logflag Then Call agentLog.Close            
            Print msg
            Exit Sub
      End If
      
      Dim noteid As String
      noteid = adminp.SignDatabaseWithServerID(targetServer.Abbreviated,strDBName)
      Select Case noteid
      Case Is = ""
            msg="Unable to create the adminp request.. action failed"            
      Case Else
            msg="The adminp request was successfully created on Note: " + noteid
      End Select      
      
      Print msg      
      If logflag Then Call agentLog.LogAction(msg)
      msg = "Finished processing the adminp request at: " + Format(Now)
      If logflag Then Call agentlog.logaction(msg)
      If logflag Then Call agentlog.close      
      Print msg
      If Not adminp Is Nothing Then Set adminp = Nothing
      Exit Sub
      
Handle_Error:      
      msg = "There was an error processing this request: " + Error$ + "-" + Str(Err)
      On Error Goto 0
      If logflag Then
            Call agentlog.logaction(Msg)
            Call agentlog.close
      End If
      Exit Sub
End Sub
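To tie Sjef's advice (check that CreateAdministrationProcess returns something and that the NoteID is not empty, and that you have enough access to admin4.nsf) to marilyng's checklist (administration server set in the target ACL, Manager access for the agent signer), here is a preflight routine that runs those checks before submitting the request. It is an added example written for this page, not code from the thread, from marilyng or from IBM. PreflightSignRequest, SIGNING_SERVER and TARGET_DB and the sample server name and path are placeholders; it assumes it runs as a server agent, so session.EffectiveUserName is the agent signer whose ACL rights matter; and it refuses to submit when the database does not open on the signing server, which is what the thread ends up concluding (the server signs only databases it holds).

```lotusscript
%INCLUDE "lsconst.lss"      ' defines the ACLLEVEL_* constants used below

' Added example (not from the thread): checks the preconditions the replies list
' before an AdminP "Sign Database" request is submitted. Returns True when every
' check passes; otherwise returns False and puts the first failure into reason.
Function PreflightSignRequest(session As NotesSession, signingServer As String, dbPath As String, reason As String) As Boolean
      PreflightSignRequest = False
      Dim signer As String
      signer = session.EffectiveUserName      ' on a server this is the agent signer

      ' Sjef: an empty NoteID means no request document was created. The poster had
      ' only Depositor access to admin4.nsf, so require at least Author there.
      Dim adminDb As NotesDatabase
      Set adminDb = session.GetDatabase(signingServer, "admin4.nsf")
      If Not adminDb.IsOpen Then
            reason = "Cannot open admin4.nsf on " + signingServer
            Exit Function
      End If
      If adminDb.QueryAccess(signer) < ACLLEVEL_AUTHOR Then
            reason = signer + " needs at least Author access to admin4.nsf on " + signingServer
            Exit Function
      End If

      ' The server signs only databases it holds, so the target must open on the
      ' signing server itself (no replica there means nothing gets signed).
      Dim target As NotesDatabase
      Set target = session.GetDatabase(signingServer, dbPath)
      If Not target.IsOpen Then
            reason = dbPath + " is not on " + signingServer + " (no replica there to sign)"
            Exit Function
      End If

      ' marilyng, point 2: the agent signer must be Manager of the target database
      If target.QueryAccess(signer) < ACLLEVEL_MANAGER Then
            reason = signer + " needs Manager access to " + dbPath
            Exit Function
      End If

      ' marilyng, point 1: the target database must name an administration server
      If Trim$(target.ACL.AdministrationServer) = "" Then
            reason = dbPath + " has no administration server set in its ACL"
            Exit Function
      End If

      reason = ""
      PreflightSignRequest = True
End Function

Sub Initialize
      ' Placeholder values; replace with the real signing server and database path
      Dim signingServer As String
      Dim targetDb As String
      signingServer = "ServerA/Org"
      targetDb = "apps\example.nsf"

      Dim session As New NotesSession
      Dim reason As String
      If Not PreflightSignRequest(session, signingServer, targetDb, reason) Then
            Print "Not submitting the request: " + reason
            Exit Sub
      End If

      Dim adminp As NotesAdministrationProcess
      Set adminp = session.CreateAdministrationProcess(signingServer)
      If adminp Is Nothing Then
            Print "CreateAdministrationProcess failed for " + signingServer
            Exit Sub
      End If

      Dim noteId As String
      noteId = adminp.SignDatabaseWithServerID(signingServer, targetDb, False)
      If noteId = "" Then
            Print "No request document was created in admin4.nsf"
      Else
            Print "Request created in admin4.nsf, NoteID " + noteId
      End If
End Sub
```

The preflight only tells you whether the request can be created; whether the AdminP task on the signing server then carries it out still shows up in admin4.nsf (and in the design notes' signer) afterwards, so the Print lines are a starting point for the mail log marilyng's agent keeps, not a replacement for checking the request's response document.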

androgyny7 (Author) commented:
Thanks for all your help guys.

I have now managed to get the agent to sign a database.  The only negative I can see at the moment is that if I want the database to be signed with Server A's ID, the database itself has to have a replica on Server A.  Which isn't always the case in our organisation.

When I try and sign a database with Server A's ID I get returned a NoteID however the database is never signed.

SysExpert commented:
That's pretty much what I said in my 2nd comment.

marilyng commented:
Which agent? If you are running AdminP with an administration server, then you send the request to the AdminP server but request that ServerA sign ServerA's database. AdminP should route the request to the server, I think :)
marilyng commented:
Glad it worked..!
androgyny7 (Author) commented:
Thanks for your help; it didn't work as I hoped. To sign DB1 with ServerA's ID, DB1 has to be on Server A. Which is a shame. I would have liked DB1 to be signed with Server A's ID when the DB was only on Server B.
marilyng commented:
Ah, yes.
The only way that could have happened is, MAYBE, if Server A was listed as the administration server for the database sitting on server B, or a replica of the database sat on Server A.

A server can only sign stuff on its own server.