Solved

Users with expired certificates in Domino Directory

Posted on 2011-03-01
Last Modified: 2013-12-18
Hi,

In Lotus Notes, when I go to the NAB, People -> Certificate Expiration view, I see users with Expired certificates. But what I don't understand is that those people are connected to Sametime! Please refer to the image attached.

I thought that when the certificate is expired then the user cannot connect to the server.

Can somebody shed some light on this?

Thanks!
certificate-expiration-view.png
Question by:ralmada
16 Comments
 
LVL 6

Expert Comment

by:bluemeln
ID: 35012522
Do the Sametime users also have newer certificates listed under "Expires in the next 90 days" or "Expires in the next 120 days" or under "Expires after more than 120 days?"
 
LVL 22

Expert Comment

by:mbonaci
ID: 35015243
Maybe the certificates were updated on users' ID files (not through Person document in address book) using another server, which does not replicate Certlog.nsf, which then wouldn't be reflected in that view on your server.

When you certify user ID file, you need to supply a certifier ID by first selecting the server that is used to locate the list of certifiers so that the Certifier ID file can be updated with the latest set of certificates for itself and all of its ancestors.
That is the server on which CERTLOG.NSF is updated.

http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.help.domino.admin85.doc/H_MANAGING_CERTIFIER_IDS_7302_MIDTOPIC_293171126429240767.html
 
LVL 15

Expert Comment

by:akhafaf
ID: 35017850
Hi there ralmada,

Firstly, I haven't ever faced any problem with any of the users whose certificates have expired.
Secondly, may I suggest that you just take the time to contact one or two of these users with the "Expired Certificates" and check what is really going on in their Lotus Notes client and Lotus Sametime client.
Finally, I am attaching a procedure of how Sametime can be connected to give you more information about it (it is from the Sametime information center).
http://publib.boulder.ibm.com/infocenter/sametime/v8r5/index.jsp?topic=/com.ibm.help.sametime.v851.doc/welcome_851.html

procedure.txt
Image.JPG
 
LVL 22

Expert Comment

by:mbonaci
ID: 35018088
> Firstly, I haven't ever faced any problem with any of the users whose certificates have expired.

That's because some "phenomenal" Domino admin registered users with expiration date somewhere in year 2100.
 
LVL 41

Author Comment

by:ralmada
ID: 35018248
Thanks guys for the fast responses.

@bluemeln, unfortunately not; they only show in the expired section.

I will read the other comments and get back to you shortly.
 
LVL 41

Author Comment

by:ralmada
ID: 35018518
@mbonaci,

Thanks for your comment. So basically what you're saying is that the users' certificates aren't expired, but the new recertification is not reflected in the NAB?

Also, regarding your last comment, in my company certificates are set to expire in 50 years or so. Do you see this as a bad practice?
 
LVL 22

Accepted Solution

by:mbonaci (earned 500 total points)
ID: 35025459
If the circumstances are as I described, yes, it's possible.

What would you do if an admin's ID file becomes compromised/lost/its password revealed to users?
Since you cannot simply change the password (the password is inside the ID file), you'd have to (if you're lucky enough to find out about it) place that user in a Deny Access group and register him again with a different name.

On the other hand, if your ID expiration dates are one or two years, the lost ID file would soon cease to function.
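Both threads of this answer can be checked mechanically: mbonaci's first comment says the "Expired" entries in the Certificate Expiration view may be stale because certlog.nsf was not replicated from the server that did the recertification, and the accepted solution argues for short ID lifetimes. The script below is an added example, not code from this thread or from IBM. It assumes you have collected, per user, the expiration date the Domino Directory view shows and the expiration date the user's actual ID file reports (for instance by asking the user, as akhafaf suggests); the sample records, the two-year policy and the thread date used as "today" are all constructed for the illustration. The buckets mirror the view categories named earlier in the thread.

```python
from datetime import date

# Constructed: the thread's posting date, pinned so the example is reproducible.
TODAY = date(2011, 3, 1)

# Assumed policy (not from the thread): IDs are recertified at least every two years.
MAX_LIFETIME_DAYS = 2 * 365


def expiration_bucket(expires, today=TODAY):
    """Classify an expiration date the way the Certificate Expiration view does."""
    days = (expires - today).days
    if days < 0:
        return "Expired"
    if days <= 90:
        return "Expires in the next 90 days"
    if days <= 120:
        return "Expires in the next 120 days"
    return "Expires after more than 120 days"


def audit_user(rec, today=TODAY):
    """Return (view bucket, list of flags) for one user record.

    rec fields (all assumed, gathered outside this script):
      directory_expires  - expiration shown in the directory view (from certlog.nsf)
      id_file_certified  - date the user's ID file was last certified
      id_file_expires    - expiration the user's actual ID file reports
    """
    flags = []
    bucket = expiration_bucket(rec["directory_expires"], today)

    if bucket == "Expired":
        if rec["id_file_expires"] > today:
            # The ID the user authenticates with is still valid: the view is stale,
            # which is the certlog.nsf replication gap described in the thread.
            flags.append("stale-directory")
        else:
            flags.append("truly-expired")

    lifetime = (rec["id_file_expires"] - rec["id_file_certified"]).days
    if lifetime > MAX_LIFETIME_DAYS:
        # A 50-year ID keeps working long after it is lost or compromised.
        flags.append("lifetime-exceeds-policy")

    return bucket, flags


# Constructed sample data, not real users.
SAMPLE = [
    {"name": "Alice", "directory_expires": date(2011, 1, 15),
     "id_file_certified": date(2011, 1, 10), "id_file_expires": date(2012, 12, 31)},
    {"name": "Bob", "directory_expires": date(2060, 6, 1),
     "id_file_certified": date(2010, 6, 1), "id_file_expires": date(2060, 6, 1)},
    {"name": "Carol", "directory_expires": date(2010, 12, 1),
     "id_file_certified": date(2008, 12, 1), "id_file_expires": date(2010, 12, 1)},
    {"name": "Dave", "directory_expires": date(2011, 5, 1),
     "id_file_certified": date(2009, 5, 1), "id_file_expires": date(2011, 5, 1)},
]


def audit_all(records=SAMPLE, today=TODAY):
    """Map user name -> (bucket, flags) for every record."""
    return {r["name"]: audit_user(r, today) for r in records}


if __name__ == "__main__":
    for name, (bucket, flags) in audit_all().items():
        print(f"{name}: {bucket}; {', '.join(flags) or 'ok'}")
```

A user flagged "stale-directory" is the case this question is about: still able to authenticate to Sametime while the view lists the certificate as expired. "truly-expired" users are the ones worth contacting, and "lifetime-exceeds-policy" surfaces the 50-year registrations discussed above.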
 
LVL 10

Expert Comment

by:larsberntrop
ID: 35025549
Note that simply putting him in a Deny Access group will often be just a beginning. If the admin ID in question has been used to enable agents or used to sign any code (very likely), all these signatures need to be found and it has to be re-signed with the new ID to prevent problems.

Please read the admin documentation! Also, a fine strategy is to prepare yourself for certification (Certfx has excellent products, and is not expensive, especially if you take advantage of the volume deals). How I use it: even if you do not intend to take the exam, proper preparation will show you what knowledge you currently miss. Using the exam software you can prove you have an all-round understanding, and you get pointers to which subjects you need to study more. This saves you from studying the admin manual about stuff you already know.
LVL 41

Author Closing Comment

by:ralmada
ID: 35026848
Thanks
 
LVL 6

Expert Comment

by:bluemeln
ID: 35026966
I do not understand how the accepted solution explains that the users showing under expired certificates are live on the system. The solution only addresses the best practice of short certification times.
 
LVL 10

Expert Comment

by:larsberntrop
ID: 35027374
Quite right. The answer is that the users were recertified, but the updated certificates were not stored in the NAB due to the recertifier's ignorance of Domino administration.
 
LVL 22

Expert Comment

by:mbonaci
ID: 35027482
Although it would be better that the first post was accepted, I don't completely agree with the two of you. I mean, it's not that big of a deal.

Ralmada wanted the final confirmation that he understood the problem, so in the accepted post, I say "If the circumstances are as I described, yes, it's possible."

Because of that comment, if someone searches for a solution to the same problem and finds this accepted post, he would normally look above to see what circumstances I'm talking about.
 
LVL 6

Expert Comment

by:bluemeln
ID: 35027611
A good solution is self-contained, self-explanatory and complete. It should not require inference or additional research, because many threads on this site contain false leads, which is why there is the Accepted Solution. When a solution refers to a previous post, it should briefly restate the content of that post. It's good form.

If I were new to this discussion, I would have to read through the entire thread to figure out which explanation made the most sense. In addition, the solution is not really a solution but a probable explanation, which makes it harder to identify.

I am not disputing the assigned points, but for this support system to work, we need to stick to form.
 
LVL 22

Expert Comment

by:mbonaci
ID: 35027891
I have to agree with this, it sure would've been better if the initial explanation was accepted.
 
LVL 41

Author Comment

by:ralmada
ID: 35028341
Thank you all for your time in trying to solve this issue. I really appreciate it.

@larsberntrop >>Quite right. The answer is that the users were recertified, but the updated certificates were not stored in the NAB due to the recertifier's ignorance of Domino administration.<<

That's indeed what has happened, and that's what mbonaci indicated by agreeing to my last comment http:#a35018518. Probably I should have accepted my own comment as the answer and given him an assist, but that still doesn't change the fact that he was the only one who led me to the solution.
I hope this clarifies the reason for my accepting his comment.

Have a good day.
 
LVL 22

Expert Comment

by:mbonaci
ID: 35028371
Their point was that you should've accepted my first comment (35015243), with the detailed explanation of what happened, not yours, in which you ask for the confirmation.