Corrupt CA on Novell OES2 SLES10

A client of mine has a 2 server NDS Tree.  Both servers running OES2 sp3 on SLES 10 Linux.
NDS health checks fine - replicas fully sync'ed, time is in sync, no stuck obituaries.
Server 1 has master replica.  Server 2 has read-write replica.
Server 1 holds the CA, iPrint and most services.  Server 2 is primarily for NDS redundancy

Server certificates expired this week.  Just using default certificates (SSL CertificateDNS and SSL CertificateIP) on both servers.
Unable to administer certain services, i.e. iPrint due to invalid/expired certificate.

Deleted SSL CertificateDNS and SSL CertificateIP in iManager for Server 1 (the server running the CA).
Then ran NDSConfig upgrade on this server.  It failed on the SAS object with -601 error no such attribute.  NDSConfig returned error 74.
I then returned to iManager, verified no certificates had been created, and then deleted the SAS object for this server.  
Re-ran NDSConfig upgrade with the same results.
i.e. http://wiki.novell.com/index.php/Linux_pkidiag

CA self-signed certificate as well as organizational certificate both report as valid on Validate in iManager.

Thought about moving the CA object to Server 2, the other server in the tree.
i.e. http://www.novell.com/support/kb/doc.php?id=3618399
When trying to export the self-signed certificate of the CA, this fails with NICI error -1418 or -1411.

Consequently I cannot move the CA to the other server.

a) Any suggestions on how to resolve this issue?

b) Even though the CA certificates appear valid, the NICI errors might suggest otherwise.  What are the consequences of deleting the CA? And the process of creating a new one, then recreating and associating SAS objects and new server certificates? What other services would be affected & need to be updated besides LUM (namconfig -k) ?

thanks
Asked by ENET-RAM
ZENandEmailguy commented:
I've seen this problem many times.  And the only way to fix it is to delete the CA object using ConsoleOne or perhaps iManager if you can get it to run.  Using ConsoleOne is the easiest to delete and re-create with a slightly different name for the CA object.

Once that is successfully created, I typically delete each of the SAS objects and all of the Key Material Objects that are created by default.  Since your servers are both OES2 powered by Linux, you must use either ndsconfig upgrade or better yet iManager (if it will run) and choose the Novell Certificate Server role and the Repair Default Certificates task.

Assuming the Repair Default Certificates is successful for each server, you'll need to restart nldap (/opt/novell/eDirectory/sbin/nldap -u and follow that with -l, as in load).  I follow that with /opt/novell/eDirectory/sbin/nldap_check to make sure that eDirectory is listening on both TCP and TLS.  Lastly, I run namconfig -cache_refresh to refresh LUM and its LDAP connection.

Since you're managing iPrint, you'll need to restart tomcat by typing rcnovell-tom (then press tab to get it to fill out "cat" and a number) and also apache (rcapache2 restart).  You'll need to accept new certificates for managing iPrint by selecting one of the tasks under the iPrint role.

Hope some of that helps...btw, if you use ConsoleOne, you'll need the security snapins to recreate the CA object.

Scott
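
Added example, not part of the thread or of Novell's tooling: after the Repair Default Certificates run and the nldap/apache restarts described above, this stdlib-only Python script reads the validity window off the certificate each server actually presents on LDAPS (636) and Apache/iPrint (443), so an expiry like the one in the question shows up before services stop accepting administration. The ports, the `report()` helper and the embedded SAMPLE_CERT are assumptions and constructed test data; only the offline parsing is exercised here.

```python
import ssl
from datetime import datetime, timezone

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_validity(der):
    """Walk Certificate -> tbsCertificate -> validity; return (notBefore, notAfter) as UTC datetimes."""
    _, pos, _ = _tlv(der, 0)               # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)             # tbsCertificate SEQUENCE
    if der[pos] == 0xA0:                   # optional [0] EXPLICIT version
        pos = _tlv(der, pos)[2]
    for _ in range(3):                     # skip serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)             # validity SEQUENCE
    times = []
    for _ in range(2):                     # notBefore, then notAfter
        tag, start, pos = _tlv(der, pos)   # pos moves to the end of this element
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
        times.append(datetime.strptime(der[start:pos].decode("ascii"), fmt).replace(tzinfo=timezone.utc))
    return times[0], times[1]

def days_remaining(not_after, now=None):
    """Positive: days left; negative: days since expiry."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now).total_seconds() / 86400

def report(host, ports=(636, 443)):
    """Days remaining on the certificates served on LDAPS and Apache/iPrint of one server, fetched unverified."""
    der = lambda p: ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, p)))
    return {p: days_remaining(cert_validity(der(p))[1]) for p in ports}

def _der(tag, payload):
    """Tiny DER encoder, used only to build the constructed sample below."""
    n, size = len(payload), (len(payload).bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + payload

# Constructed sample (not a real certificate): a truncated tbsCertificate valid 2010-01-15 to 2012-01-15.
SAMPLE_CERT = _der(0x30, _der(0x30,
    _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")                 # [0] version v3, serialNumber 1
    + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))      # signature: sha256WithRSAEncryption
    + _der(0x30, b"")                                                      # issuer: empty Name
    + _der(0x30, _der(0x17, b"100115120000Z") + _der(0x17, b"120115120000Z"))))  # validity
```

Running `report("server1.example.com")` against a live OES host returns a negative number for any port still serving an expired default certificate, which is the condition that broke iPrint administration in the question.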
ENET-RAM (Author) commented:
These instructions helped thanks.
mburdick commented:
http://www.novell.com/support/kb/doc.php?id=3618399

Ultimately, if the version of NICI that was in use for the existing certificates is "too old", you can't "move" the CA server. You have to instead make a new one and start minting new certs. This is fine as the existing certs that are still good will continue to work.