How to Use PKIDIAG to avoid issues while Installing Netware 6.5

This document (3640106) is provided subject to the disclaimer at the end of this document.

Environment

Novell NetWare 6.5
PKIDIAG

Situation

How to Use PKIDIAG to avoid issues while Installing Netware 6.5
PROBLEM: The IP address in KMO SSL CertificateIP does not match the default IP address
PROBLEM: The DNS name in KMO SSL CertificateDNS does not match the default DNS name for the server
PROBLEM: Renamed objects are created whenever PKIDIAG is ran
PROBLEM: DNS not setup correctly when creating SSL Certificates

Resolution

If the Security Infractructure is not functioning correctly, the installations and configuration of some of the components of Netware 6.5 will fail. PKIDIAG is a tool that will analyze the system and resolve issues.

The Netware 6.5 Deployment Manager runs PKDIAG in "diagnostic" mode which will identify errors but does not fix them.

If a security error is detected through Deployment Manager, the recommendations below will help you remedy the problem so that the Netware 6.5 installation can continue.

NOTE: The errors can be seen in the sys:/etc/certserv/repair.log file.
NOTE: The PKDIAG utility can be found by going to http://support.novell.com/filefinder and doing a search for PKIDIAG.

Problem:The DNS name in KMO SSL CertificateDNS does not match the default DNS name for the server. DNS is most likely not setup properly.

Solution:By default, it is assumed that DNS is setup on your server. Because of this, PKIDIAG is verifying the DNS certificates. However, since the Netware 6.5 installation will assist you in re-configuring DNS, the error in PKIDIAG can be ignored without ramifications.

Problem:The IP address in KMO SSL CertificateIP does not match the default IP address

Solution:The Novell Certificate Server KMO objects will use the "default" address when generating its keys. If the default is changed (typically the first bound address), this error may occur. This should not prevent Netware 6.5 nor its components from installing correctly. Ignore this error and continue on with the installation. (NOTE: When accessing the server via a browser or other client through SSL, you may get a warning that the server does not match the certificate and ask if you want to continue. If you say yes, you will still create a secured connection.

Problem:Renamed objects are created whenever PKIDIAG is ran (I.E. 0_1 with an object class of SSL Certificates)

Solution:The partition replication had errors and would not synchronize. The server that the KMO was being created on did not have a real copy of its own object. After running PKIDIAG multiple times, an object with the same name was created on different replicas. When synchronization was established, renamed objects were generated. The fix is to remove all renamed KMO objects, fix synchronization and run PKIDIAG in fix mode. (see section "How to Run PKIDIAG in Fix Mode" below)

How to Run PKIDIAG in Fix Mode:By default, PKIDIAG runs in diagnostic mode. This means that problems are identified but not resolved.

To allow PKIDIAG to fix problems, choose option 4 (actions). PKIDIAG will switch to "Actions: Fix Mode". Make any desired changes to options 5 and 6 and then press "0" to start the fixing process.

Achitecture Overview:
The architecture for Novell server certificates and related objects provides four links between all of the objects that are used to identify and store the server certificates. Please note that the server certificate object is often referred to the KMO or Key Material Object (schema definition NDSPKI:Key Material).

In general, the server object has a link (SAS:Service DN) which points to the SAS:Service object. In turn, the SAS:Service object has a link back to the server (Host Server). The SAS:Service object also has a multi-valued link (NDSPKI:Key Material DN) to all of the server certificates (i.e. KMOs). Each of the server certificates have a link back to the server (Host Server). This kind of redundant linking is designed to help make the system hard to break, and make it so that all of the objects can be found by following the links.

The server certificate objects also follow a naming scheme that is designed to help easily identify which objects belong to which server and vise-versa. The naming scheme appends a " – ” to the object, which helps to identify which server the object belongs to. (For example if the server name is "FOO” and the certificate name is "CERTONE”, then the name would be "CERTONE – FOO”.) All of the objects are designed to reside in the same container. Although theoretically the objects do not need to be in the same container, in practice, they usually do need to. In addition, certain rights to the objects are given to other objects. The rights allow the system to work without requiring an administrator to login when the server boots.

PKIDiag Functionality Overview:
The PKIDiag utility is designed to diagnose and (optionally) fix the objects identified above. If a server has been renamed or moved PKIDiag can rename or move the related objects so that they conform to the correct naming and containment schemes. If any of the required objects do not exist, PKIDiag can create them. If any of the objects don’t have the necessary rights to the other objects, PKIDiag can give those rights. If any of the objects are not linked, then PKIDiag can link them. If either the SSL CertificateIP or the SSL CertificateDNS does not exist, has an incorrect name, or is out of date (or close to out of date) PKIDiag can fix them.

The default mode for PKIDiag is to only diagnose problems. You must change the mode to fixing in order to fix any problems.

PKIDiag Options:
PKIDiag allows the user to choose between diagnostic and fixing mode. PKIDiag determines the default IP and DNS addresses of the server and displays prior to starting the diagnostic or fixing process. The user can also enter a different IP and/or DNS address. (Use this method if PKIDiag was unable to determine the default IP and DNS addresses.) In fixing mode, PKIDiag allows the user to determine the default KMO replacement option and update default KMO option (See # 6 below). PKIDiag allows the user to use the command line to enter the options if desired. Use the command "Load PKIDiag /?” to see the command line options.

PKIDiag Diagnostic/Fixing Steps:
1) Verifying the Server's link to the SAS Service Object -- PKIDiag checks the link from the server object to the SAS Service Object if it exists. (If the link does not exist, then it doesn’t do anything.) In fixing mode it can do which ever of the following steps are necessary:
a) Rename an existing SAS Service Object that was previously linked to the server.
b) Link an existing SAS Service Object that previously had the correct naming scheme, but was not previously linked. 2) Verifying the SAS Service object -- PKIDiag checks the link from the SAS:Service to the host server and checks necessary rights. In fixing mode PKIDiag can do one or more of the following steps as needed:
a) Create a new SAS Service Object and link it to the server (adds both forward and backwards links).
b) Create a link from the SAS Service Object to the server.
c) Give the server rights to the SAS Service Object. 3) Verifying the links to the KMO objects – PKIDiag reads all of the KMO objects that are linked to the server and checks that their names are correct. In fixing mode PKIDiag can move or rename the KMO objects when needed. 4) Verifying the KMO objects – PKIDiag reads all of the names of the KMO’s in the same container as the server and puts them in a list. PKIDiag then performs the following tests on each of the KMOs:
a) Checks if [Public] has the appropriate read rights to the appropriate attributes.
b) Checks if the KMO is back-linked to a server. (If the KMO belongs to a different server, then the name is removed from the list and further testing on the KMO is halted.)
c) Reads the private key and tests to see if the key is usable by the server.
5) Re-Verifying the links to the KMO objects – PKIDiag reads all of the KMO objects that are linked to the server and compares them with the list created in step 4. In fixing mode PKIDiag can do one or more of the following steps as needed:
a) Add the link from the SAS Service Object to the KMO.
b) Back-link the KMO to the server.
c) Delete the link from the SAS Object to the KMO if the private key is unusable. (The KMO should probably be deleted if this is the case.) 6) Creating IP and DNS Certificates -- PKIDiag checks to see if 1)"SSL CertificateIP” and "SSL CertificateDNS” exist, 2) the these two certificates have appropriate subject names and 3) if these two certificates have expired or are about to expire. In fixing mode PKIDiag has several options of how to fix these two certificates.
a) Default KMO replacement mode
1) Rename and create new KMO -- rename existing certificates and create new KMOs with the same old name. (Default)
2) Rekey existing KMO -- rekey existing certificates, which replaces the private key and public key certificates with new ones. (This is more dangerous because it cannot be undone.)
b) Update default KMO mode
1) When necessary -- modify the two certificates only when the existing KMOs have some problem. (Default)
2) Always – always update the KMOs. .

Additional Information

Formerly known as TID# 10089099

+ Advanced eDirectory Troubleshooting

Document

Document ID:	3640106
Creation Date:	10-19-2006
Modified Date:	04-30-2012
Novell Product:	eDirectory
Novell Product:	PKIS (Novell Certificate Server)

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.