Solved

Corrupt CA on Novell OES2 SLES10

Posted on 2013-11-22
Last Modified: 2016-07-04
A client of mine has a 2 server NDS Tree.  Both servers running OES2 sp3 on SLES 10 Linux.
NDS health checks fine - replicas fully sync'ed, time is in sync, no stuck obituaries.
Server 1 has master replica.  Server 2 has read-write replica.
Server 1 holds the CA, iPrint and most services.  Server 2 is primarily for NDS redundancy.

Server certificates expired this week.  Just using default certificates (SSL CertificateDNS and SSL CertificateIP) on both servers.
Unable to administer certain services, i.e. iPrint due to invalid/expired certificate.

Deleted SSL CertificateDNS and SSL CertificateIP in iManager for Server 1 (the server running the CA).
Then ran NDSConfig upgrade on this server.  It failed on the SAS object with -601 error no such attribute.  NDSConfig returned error 74.
I then returned to iManager, verified no certificates had been created, and then deleted the SAS object for this server.
Re-ran NDSConfig upgrade with the same results.
i.e. http://wiki.novell.com/index.php/Linux_pkidiag

CA self-signed certificate as well as organizational certificate both report as valid on Validate in iManager.

Thought about moving the CA object to Server 2 in the tree, the other server in the tree.
i.e. http://www.novell.com/support/kb/doc.php?id=3618399
When trying to export the self-signed certificate of the CA, this fails with NICI error -1418 or -1411.

Consequently I cannot move the CA to the other server.

a) Any suggestions on how to resolve this issue?

b) Even though the CA certificates appear valid, the NICI errors might suggest otherwise.  What are the consequences of deleting the CA? And the process of creating a new one, then recreating and associating SAS objects and new server certificates? What other services would be affected and need to be updated besides LUM (namconfig -k)?

thanks
first on the server running the CA, in order to
Question by:ENET-RAM
3 Comments

Accepted Solution

by: ZENandEmailguy (earned 500 total points)
ID: 39671713
I've seen this problem many times.  And the only way to fix it is to delete the CA object using ConsoleOne or perhaps iManager if you can get it to run.  Using ConsoleOne is the easiest way to delete and re-create with a slightly different name for the CA object.

Once that is successfully created, I typically delete each of the SAS objects and all of the Key Material Objects that are created by default.  Since your servers are both OES2 powered by Linux, you must use either ndsconfig upgrade or better yet iManager (if it will run) and choose the Novell Certificate Server role and the Repair Default Certificates task.

Assuming the Repair Default Certificates is successful for each server, you'll need to restart nldap (/opt/novell/eDirectory/sbin/nldap -u and follow that with -l, as in load).  I follow that with /opt/novell/eDirectory/sbin/nldap_check to make sure that eDirectory is listening on both TCP and TLS.  Lastly, I run namconfig -cache_refresh to refresh LUM and its LDAP connection.

Since you're managing iPrint, you'll need to restart tomcat by typing rcnovell-tom (then press tab to get it to fill out "cat" and a number) and also apache (rcapache2 restart).  You'll need to accept new certificates for managing iPrint by selecting one of the tasks under the iPrint role.

Hope some of that helps...btw, if you use ConsoleOne, you'll need the security snapins to recreate the CA object.

Scott
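The thread started because nobody noticed the default server certificates had expired, and the accepted answer ends with nldap_check to confirm eDirectory is listening again. The following is an added example, not part of the original thread or of Novell's tooling: a small POSIX shell script that reports how many days are left on a PEM certificate and on the certificate a live TLS listener (for instance LDAPS on 636) actually presents, so the expiry can be checked after the Repair Default Certificates task and then put on a cron job rather than discovered the next time iManager refuses to talk to iPrint. It assumes `openssl` and GNU `date` on PATH; the host and port in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): certificate expiry checks for OES/eDirectory hosts.
# Assumes openssl and GNU date (-d) are available.

# cert_days_left FILE
#   Prints whole days until the certificate's notAfter (negative once expired).
cert_days_left() {
    enddate=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    # openssl prints e.g. "notAfter=Nov 22 12:00:00 2013 GMT"; GNU date parses that form.
    end_epoch=$(date -u -d "$enddate" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# cert_expires_within FILE DAYS
#   Returns 0 (true) if the certificate expires within DAYS days or is already expired,
#   1 otherwise. Uses openssl's own -checkend so no date parsing is involved.
cert_expires_within() {
    seconds=$(( $2 * 86400 ))
    if openssl x509 -in "$1" -noout -checkend "$seconds" >/dev/null 2>&1; then
        return 1   # still valid beyond the window
    fi
    return 0       # expires inside the window (or already expired)
}

# tls_endpoint_days_left HOST PORT
#   Fetches the leaf certificate a running listener presents (what clients really see,
#   which can differ from the file on disk until the service is restarted) and reports
#   days left. Prints nothing and returns 1 if no certificate could be retrieved.
tls_endpoint_days_left() {
    tmp=$(mktemp) || return 1
    if openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$tmp" 2>/dev/null; then
        cert_days_left "$tmp"
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Usage (placeholders): warn 30 days ahead for the LDAPS listener on a server.
#   tls_endpoint_days_left ldap.example.test 636
if [ $# -eq 2 ]; then
    days=$(tls_endpoint_days_left "$1" "$2") || { echo "no certificate from $1:$2" >&2; exit 2; }
    echo "$1:$2 certificate: $days day(s) left"
    [ "$days" -gt 30 ] || exit 1
fi
```

Run it with a host and port to get a non-zero exit code when fewer than 30 days remain, which is what you want from a monitoring hook; the two file-based functions can be pointed at any exported PEM, including a CA's self-signed certificate, to compare what the file says against what iManager's Validate reports.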

Author Comment

by:ENET-RAM
ID: 39703511
These instructions helped thanks.

Expert Comment

by:mburdick
ID: 39739674
http://www.novell.com/support/kb/doc.php?id=3618399

Ultimately, if the version of NICI that was in use for the existing certificates is "too old", you can't "move" the CA server. You have to instead make a new one and start minting new certs. This is fine as the existing certs that are still good will continue to work.