Solved

Signing Databases Using AdminP

Posted on 2006-03-23
Last Modified: 2013-12-18
Have issues with ECL errors when people are making changes to databases.  I wish to write a bit of LotusScript that will sign the database with the server ID.  The databases that need to be signed will reside on various servers but will all need signing with ONE server ID.  I have tried the following code:

Sub Initialize
      Dim session As New NotesSession    
      Dim adminp As NotesAdministrationProcess    
      Set adminp = session.CreateAdministrationProcess("servera")    'server that needs to be used to sign the database
      noteID$ = adminp.SignDatabaseWithServerID(dbserver,dbname,False) ' path to the database that needs signing
      
End Sub

This doesn't seem to be working.  Can anyone help?

We are using R6 - 6.0.3
0
Question by:androgyny7
19 Comments
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 16270271
What isn't working? Nothing happens? Error messages? Info in log.nsf??

You checked the return value in noteID$ ? Where did you put your code? If in an agent, did you use the debugger?
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 16270947
Why work so hard? Use the Notes Admin client to sign the database with the Server ID that you need, on one Server, and it will replicate to all the others.

I hope this helps !
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 16271132
I assumed a repeated task...
0
 

Author Comment

by:androgyny7
ID: 16271862
sjef you assumed correct that it is a repeated task.  Plus the people who will need to use this code do not have access to use the admin client to sign the database with the server id.

Want to set it up as a scheduled agent so that the users can create a document with the database details and it will sign the database.

With regards to it not working - Nothing seems to happen.  I first tried it as a manual agent using debugger and nothing was set for noteID$???  Tried it as a scheduled agent and the log.nsf shows that it ran with no errors.  Both as a manual agent and scheduled the agent was signed by the server.
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 16272138
I am not sure that AdminP can sign using any ID but the server it is running on.

For anything else, it needs access to the ID itself, probably.

You may need to schedule your agent accordingly.

I hope this helps !
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 16274698
And another question: is the call to CreateAdministrationProcess successful?

About
According to the Help documentation, adminp will have a non-Nothing value when an AdminP document has successfully been created. I assume Author-access is required to the adminp-database:
    "The parameter to CreateAdministrationProcess must be the name of the server
    containing the Administration Requests database (ADMIN4.NSF). An empty string
    means the local computer. The server must contain a replica of the Certification
    Log. You must have access privileges to the Domino Directory on the server for
    Administration Process requests that use it."

The SignDatabaseWithServerID method will return the NoteID of the document created in the AdminP-database. If it returns the empty string, no document is created.

Questions are:
- is there a replica of the Certification Log on the server?
- do you have sufficient access rights to the Domino Directory (NAB)?
0
 
LVL 18

Expert Comment

by:marilyng
ID: 16276512
Hi androgyny7,
Forgive, but I have a slight problem with automatically signing anything with any id.  If people are making changes to databases that are not tested, signing with the server ID will make it possible for people to create invasive agents and run them without recourse.  Causing much damage... :)

Instead, create a few signing ID's.. some with restricted ability to run agents, some with full unrestricted rights, and add those to the setup profiles.  Once you configure the setup profiles and change them, the ECL's will update on the clients.

Then invest in Signez from ytria.com, there you can store your "signing" id's and decide WHO can use WHICH id to sign databases, and they won't need or know the password for the id.  If someone misuses the signing, then remove them from the list.  If they sign invasive stuff, easy enough to know who did it, because ytria doesn't remove the last updated by values like adminp does, it just signs, and you'll always know who made the last update.

If they are competent enough to make design changes, then they need to take on the responsibility of signing without you compromising the ECL security of Notes.

In my opinion, it's a mistake to pursue any automatic signing.  



Regards!
0
 

Author Comment

by:androgyny7
ID: 16278304
marilyng we are not "automatically" signing databases.  When developers make changes they get tested on our development servers.  When they are ready to be moved to production that is when they need signing.

What I want to happen is that these developers log a request in the database and then a scheduled agent will pick up that request and sign the database with a server id.
0
 

Author Comment

by:androgyny7
ID: 16278383
sjef

- there is a replica of the Certification Log on the server - however I don't have access to that.
- I have author access to the NAB.

The call to CreateAdministrationProcess returns the following:

AdminP     [False, "", "", "", False]
UserCertificateAuthority - False
CertificateAuthorityOrg - ""
CertifierFile - ""
CertifierPassword - ""
CertificateExpiration - ["24/03/2008 08:43:39 GMT",...]
IsCertifcateAuthorityAvailable - False



As the noteID$ is returning an empty string then no document is being created in the AdminP db.
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 16278441
I suppose you need Author access to the AdminP db as well. By the way, I never tried these calls myself...
0
 

Author Comment

by:androgyny7
ID: 16278690
First time for everything :)

I have checked the AdminP database and I have depositor access.

Might not be possible to do what I want then to sign a database using AdminP.  AdminP uses server "A" and I want to sign the databases on server "B"

0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 16278800
Normally, AFAIK, admin.nsf is replicated to all servers in the same domain.
0
 
LVL 18

Accepted Solution

by:
marilyng earned 1000 total points
ID: 16289121
That is if you have one administration server for the NAB, so if A is the administration server for all of xyzdomain, then all adminp requests go to this server who then replicates the requests to other servers.

1. Databases to be signed must have an administration server assigned to them in the ACL.
2. The agent signer must have manager rights to the Database to be signed, and permission to run unrestricted agents on the server.
3. All users should have author access to the adminp database, with permission to create documents, so that they can send name change requests and password change requests.
4. This agent must run with full administration rights, therefore whoever saves it must have full administration rights.
5. If the request is to another server, B, then this will create document in A, and A should send the request to B.   In all cases the request should be done on the Administration server for the NAB. (I think)

As sjef says, requests to adminp are replicated to other adminp databases, so if a name change occurs, the request goes from the hub and then all servers in xyzdomain act on the request, checking all their databases in their control and sending back a "done" message.

This is tested on one server, fill in your email address to receive a log, the target server and the target database PATH

Sub Initialize
      'CONSTANTS TO SET BEFORE YOU RUN THIS AGENT......................."
      Const strTARGETSERVER = "TARGETSERVER/OU/O"      
      'Enter an email address for agent log report........... LEAVE BLANK FOR NO NOTIFICATION
      Const strEMAILADDRESS = "YOUREMAILADDRESS/OU/O"            
      Const strDBNAME = "PATH\TARGETDB.NSF"
      
      Dim session As New NotesSession      
      Dim curDB As NotesDatabase
      Set curDB = session.CurrentDatabase
      Dim curUser As New NotesName(session.UserName)
      Dim curServer As NotesName
      Dim targetServer As New NotesName(strTARGETSERVER)
      Dim agentLog As NotesLog
      Dim logFlag As Boolean
      'Turn on agent log here..............................................................................
      If strEMAILADDRESS = "" Then logFlag = False Else logFlag = True
      
      Dim msg As String      
      msg = "Starting the Sign Database for: " + strDBNAME + " using permission of: " + curUser.abbreviated
      If logFlag Then
            Set agentLog = New NotesLog("Sign Database")
            Call agentLog.OpenMailLog(strEMAILADDRESS,"Results of Sign Database")
            Call agentLog.LogAction(msg)
      End If
      
      On Error Goto Handle_Error
      
      'Set current calling server........................
      If curDB.server <>"" Then
            Set curServer = New NotesName(curdb.Server)
      Else
            'Running on a local client, so find the mail db server...............
            Dim tmpVar As Variant
            'Evaluate returns a Variant array, not an object, so no Set here
            tmpVar = Evaluate({@Subset(@MaildbName;1)})
            If Len(tmpVar(0))>0 Then
                  Set curServer = New NotesName(tmpVar(0))
            Else
                  msg = "This agent is running on a local client...can't proceed without server name"
                  Print msg
                  If logFlag Then
                        Call agentLog.LogAction(msg)
                        Call agentLog.close
                  End If
                  Exit Sub            
            End If
      End If
      
      msg = "Running sign database for database: " + strDBName + " on server: " + targetServer.Common
      If logFlag Then Call agentLog.LogAction(msg)
      
      msg = "Sending adminp request to adminp.nsf on: " + curServer.Common
      If logFlag Then Call agentLog.LogAction(msg)
      
      Dim adminp As NotesAdministrationProcess      
      Set adminp = session.CreateAdministrationProcess(curServer.Abbreviated)
      If adminp Is Nothing Then
            msg = "Sorry unable to instantiate the adminp process.."
            If logflag Then Call agentLog.LogAction(msg)
            If logflag Then Call agentLog.Close            
            Print msg
            Exit Sub
      End If
      
      Dim noteid As String
      noteid = adminp.SignDatabaseWithServerID(targetServer.Abbreviated,strDBName)
      Select Case noteid
      Case Is = ""
            msg="Unable to create the adminp request.. action failed"            
      Case Else
            msg="The adminp request was successfully created on Note: " + noteid
      End Select      
      
      Print msg      
      If logflag Then Call agentLog.LogAction(msg)
      msg = "Finished processing the adminp request at: " + Format(Now)
      If logflag Then Call agentlog.logaction(msg)
      If logflag Then Call agentlog.close      
      Print msg
      If Not adminp Is Nothing Then Set adminp = Nothing
      Exit Sub
      
Handle_Error:      
      msg = "There was an error processing this request: " + Error$ + "-" + Str(Err)
      On Error Goto 0
      If logflag Then
            Call agentlog.logaction(Msg)
            Call agentlog.close
      End If
      Exit Sub
End Sub
0
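A pre-flight check for the preconditions listed in the accepted answer, combined with the request-document workflow the asker describes. This is an added example, not code from the thread, and it has not been run against a Domino server. The field names `TargetServer`, `TargetPath` and `Status`, the `ALLOWED_PREFIX` folder restriction and the use of `EffectiveUserName` as the agent signer are assumptions.

```lotusscript
Option Declare
' Hypothetical request-document fields: TargetServer, TargetPath, Status.
Const ALLOWED_PREFIX = "prod\"   ' assumption: only databases under this folder may be signed
Const ADMINP_SERVER = ""         ' empty string = the local computer, which must hold ADMIN4.NSF

Function PreflightReason(s As NotesSession, srv As String, path As String) As String
	' Returns "" when the request may be submitted, otherwise the reason for refusal.
	If Lcase(Left(path, Len(ALLOWED_PREFIX))) <> Lcase(ALLOWED_PREFIX) Or Instr(path, "..") > 0 Then
		PreflightReason = "path outside the approved folder"
		Exit Function
	End If
	Dim db As New NotesDatabase("", "")
	If Not db.Open(srv, path) Then
		PreflightReason = "cannot open target database"
		Exit Function
	End If
	If db.ACL.AdministrationServer = "" Then
		PreflightReason = "no administration server set in the target ACL"
	Elseif db.QueryAccess(s.EffectiveUserName) < ACLLEVEL_MANAGER Then
		PreflightReason = "agent signer lacks Manager access to the target"
	End If
End Function

Sub Initialize
	Dim s As New NotesSession
	Dim reqs As NotesDocumentCollection, doc As NotesDocument
	Dim adminp As NotesAdministrationProcess
	Dim reason As String, noteid As String, srv As String, path As String
	Set reqs = s.CurrentDatabase.UnprocessedDocuments
	Set doc = reqs.GetFirstDocument
	Do Until doc Is Nothing
		srv = doc.GetItemValue("TargetServer")(0)
		path = doc.GetItemValue("TargetPath")(0)
		reason = PreflightReason(s, srv, path)
		If reason = "" Then
			Set adminp = s.CreateAdministrationProcess(ADMINP_SERVER)
			noteid = adminp.SignDatabaseWithServerID(srv, path)
			If noteid = "" Then reason = "AdminP request was not created"
		End If
		If reason = "" Then
			Call doc.ReplaceItemValue("Status", "Submitted, AdminP note " + noteid)
		Else
			Call doc.ReplaceItemValue("Status", "Refused: " + reason)
		End If
		Call doc.Save(True, False)
		Call s.UpdateProcessedDoc(doc)
		Set doc = reqs.GetNextDocument(doc)
	Loop
End Sub
```

Writing the refusal reason back to the request document gives the requester the diagnostic that an empty NoteID alone does not. As the thread goes on to show, a returned NoteID only means the request was created, not that the database was signed.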
 

Author Comment

by:androgyny7
ID: 16321834
Thanks for all your help guys.

I have now managed to get the agent to sign a database.  The only negative I can see at the moment is that if I want the database to be signed with Server A's ID, the database itself has to have a replica on Server A.  Which isn't always the case in our organisation.

When I try and sign a database with Server A's ID I get returned a NoteID however the database is never signed.

0
 
LVL 63

Expert Comment

by:SysExpert
ID: 16334951
That's pretty much what I said in my 2nd comment.

0
 
LVL 18

Expert Comment

by:marilyng
ID: 16338635
Which agent?  If you are running adminp with an administration server, then you send the request to the adminp server but request that ServerA sign serverA's database.   Adminp should route the request to the server, I think  :)
0
 
LVL 18

Expert Comment

by:marilyng
ID: 16441121
Glad it worked..!
0
 

Author Comment

by:androgyny7
ID: 16444131
Thanks for your help - it didn't work as I hoped.  To sign DB1 with ServerA's ID then DB1 has to be on Server A.  Which is a shame.  Would have liked to have DB1 be signed with Server A's ID when the DB was only on Server B.
0
 
LVL 18

Expert Comment

by:marilyng
ID: 16450869
Ah, yes,
The only way that could have happened is, MAYBE if Server A was listed as the administration server for the database sitting on server B.
 Or a replica of the database sat on Server A.

Server can only sign stuff on its server
0
