Solved

Corrupt CA on Novell OES2 SLES10

Posted on 2013-11-22
Last Modified: 2016-07-04
A client of mine has a 2 server NDS Tree.  Both servers running OES2 sp3 on SLES 10 Linux.
NDS health checks fine - replicas fully sync'ed, time is in sync, no stuck obituaries.
Server 1 has master replica.  Server 2 has read-write replica.
Server 1 holds the CA, iPrint and most services.  Server 2 is primarily for NDS redundancy.

Server certificates expired this week.  Just using default certificates (SSL CertificateDNS and SSL CertificateIP) on both servers.
Unable to administer certain services, i.e. iPrint due to invalid/expired certificate.

Deleted SSL CertificateDNS and SSL CertificateIP in iManager for Server 1 (the server running the CA).
Then ran NDSConfig upgrade on this server.  It failed on the SAS object with -601 error no such attribute.  NDSConfig returned error 74.
I then returned to iManager, verified no certificates had been created, and then deleted the SAS object for this server.  
Re-ran NDSConfig upgrade with the same results.
i.e. http://wiki.novell.com/index.php/Linux_pkidiag

CA self-signed certificate as well as organizational certificate both report as valid on Validate in iManager.

Thought about moving the CA object to Server 2 in the tree, the other server in the tree.
i.e. http://www.novell.com/support/kb/doc.php?id=3618399
When trying to export the self-signed certificate of the CA, this fails with NICI error -1418 or -1411.

Consequently I cannot move the CA to the other server.

a) Any suggestions on how to resolve this issue?

b) Even though the CA certificates appear valid, the NICI errors might suggest otherwise.  What are the consequences of deleting the CA? And the process of creating a new one, then recreating and associating SAS objects and new server certificates? What other services would be affected & need to be updated besides LUM (namconfig -k) ?

thanks
first on the server running the CA, in order to
Question by:ENET-RAM
3 Comments
Accepted Solution by: ZENandEmailguy (earned 500 total points)
ID: 39671713
I've seen this problem many times.  And the only way to fix it is to delete the CA object using ConsoleOne or perhaps iManager if you can get it to run.  Using ConsoleOne is the easiest to delete and re-create with a slightly different name for the CA object.

Once that is successfully created, I typically delete each of the SAS objects and all of the Key Material Objects that are created by default.  Since your servers are both OES2 powered by Linux, you must use either ndsconfig upgrade or better yet iManager (if it will run) and choose the Novell Certificate Server role and the Repair Default Certificates task.

Assuming the Repair Default Certificates is successful for each server, you'll need to restart nldap (/opt/novell/eDirectory/sbin/nldap -u) and follow that with -l (as in load).  I follow that with /opt/novell/eDirectory/sbin/nldap_check to make sure that eDirectory is listening on both TCP and TLS.  Lastly, I run namconfig -cache_refresh to refresh LUM and its LDAP connection.

Since you're managing iPrint, you'll need to restart tomcat by typing rcnovell-tom (then press tab to get it to fill out "cat" and a number) and also apache (rcapache2 restart).  You'll need to accept new certificates for managing iPrint by selecting one of the tasks under the iPrint role.

Hope some of that helps... btw, if you use ConsoleOne, you'll need the security snapins to recreate the CA object.

Scott
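After the repair sequence above (recreated CA, new default certificates, nldap reloaded), an administrator wants proof that every server's LDAPS endpoint now presents a certificate issued by the new CA rather than a leftover from the deleted one. The following is an added example, not code from the thread or from Novell: it verifies each server's TLS chain against the exported self-signed certificate of the recreated CA and reports issuer, expiry and name coverage. The CA PEM path, the CA common name "TREE CA2", the host names and the sample certificate are all constructed for illustration.

```python
import ssl
import socket
from datetime import datetime, timezone

# Constructed sample in the shape SSLSocket.getpeercert() returns; not from the thread.
SAMPLE_CERT = {
    "subject": ((("commonName", "srv1.tree.example"),),),
    "issuer": ((("organizationName", "TREE"),), (("commonName", "TREE CA2"),)),
    "notBefore": "Nov 22 00:00:00 2013 GMT",
    "notAfter": "Nov 22 00:00:00 2015 GMT",
    "subjectAltName": (("DNS", "srv1.tree.example"),),
}

def evaluate_cert(cert, expected_issuer_cn, expected_host, now, warn_days=30):
    """Judge one server certificate (getpeercert() dict): issuer, lifetime, names.
    Returns issuer CN, whole days until notAfter, and a list of problems (empty = pass)."""
    issuer = dict(pair for rdn in cert.get("issuer", ()) for pair in rdn)
    subject = dict(pair for rdn in cert.get("subject", ()) for pair in rdn)
    names = {v for t, v in cert.get("subjectAltName", ()) if t in ("DNS", "IP Address")}
    names.add(subject.get("commonName", ""))
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # e.g. 'Nov 22 00:00:00 2015 GMT'
    days_left = int((not_after - now.timestamp()) // 86400)
    problems = []
    if issuer.get("commonName") != expected_issuer_cn:
        problems.append("issued by %r, not the new CA %r" % (issuer.get("commonName"), expected_issuer_cn))
    if days_left < 0:
        problems.append("expired %d days ago" % -days_left)
    elif days_left < warn_days:
        problems.append("expires in %d days" % days_left)
    if expected_host not in names:
        problems.append("certificate does not name %r" % expected_host)
    return {"issuer_cn": issuer.get("commonName"), "days_left": days_left, "problems": problems}

def fetch_cert(host, port=636, cafile="/root/new-tree-ca.pem", timeout=5):
    """Fetch the LDAPS certificate. The chain must verify against cafile (assumed path of the
    recreated CA's exported self-signed cert), so a server still presenting a certificate
    from the deleted CA fails the handshake instead of being reported as healthy."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # name coverage is checked in evaluate_cert (SAN or CN)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    import sys
    if len(sys.argv) < 3:
        sys.exit("usage: check_ldaps.py <new CA common name> <host> [host ...]")
    new_ca_cn, hosts = sys.argv[1], sys.argv[2:]
    for host in hosts:
        try:
            report = evaluate_cert(fetch_cert(host), new_ca_cn, host, datetime.now(timezone.utc))
        except (OSError, ssl.SSLError) as exc:
            report = {"problems": ["TLS handshake failed: %s" % exc]}
        print(host, "OK" if not report["problems"] else "; ".join(report["problems"]))
```

Run it against both servers on port 636 (the TLS listener nldap_check confirms) once the repair and restarts are done; a handshake failure means the server is still serving a certificate that does not chain to the new CA.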

Author Comment by: ENET-RAM
ID: 39703511
These instructions helped thanks.

Expert Comment by: mburdick
ID: 39739674
http://www.novell.com/support/kb/doc.php?id=3618399

Ultimately, if the version of NICI that was in use for the existing certificates is "too old", you can't "move" the CA server. You have to instead make a new one and start minting new certs. This is fine as the existing certs that are still good will continue to work.