Reinstalling NICI Files - the detailed version
(Last modified: 23Mar2004)
This document (10025666) is provided subject to the disclaimer at the end of this document.
goal
Reinstalling NICI Files - the detailed version
fact
Novell NetWare 5.0
Novell BorderManager Enterprise Edition 3
Novell eDirectory NDS 8
Formerly TID 2945674
symptom
Error: "Cannot connect to a recognized version of PKI Services on this server. Error code: 35232"
NICI CCS: FATAL Initialization error
PMLODR.NLM and POLIMGR.NLM are not loading in stage 3
1497 error when trying to load PKI
Public Symbol Errors loading DS
cause
NICI "errors" are reported if the disk driver fails to load -- NetWare will appear to be loading, the failure message will be hidden behind the new Novell splash screen, then NICI fails to load because the SYS volume is unavailable. Be sure sys is mounted, if not, fix that first before proceeding with the following.
NICI is corrupt
This TID was originally written to specifically address errors creating Certificate Authority Objects in NetWare 5 and was named: "NW5 Certificate Authority Error 35232". The short version of this page How to reinstall NICI the short version
However, the information on recreating the NICI portion of the required files is applicable to problems with all applications dependent upon the Novell International Cryptographic Infrastructure (NICI) technology. For steps to recreate the NICI base files, see the Solutions section of this Technical Information Document.
When implementing PKI, the administrator attempts to create the Certificate Authority by highlighting the Security container in [Root] and selecting Object | Create | Certificate Authority from the menus.
Standard is chosen with the object name of NW5TEST_TREE_CA and Server NW5TEST. When "finish" is clicked, the following error message is generated:
"Cannot connect to a recognized version of PKI Services on this server. Error code: 35232"
The exact cause of the installation failure is not known if the foundation key was copied manually or if a license has been installed. It is possible that the manual installation method described above was not properly implemented. It may be that a file was damaged in the copy process.
fix
Make sure the NICI Foundation key and supporting modules are properly installed and available.
SAS.NLM and PKI.NLM must be loaded and resident in memory. Prior to Service Pack One, PKI will not provide an error message it unloads due to an error. To verify whether or not this module is in memory, execute MODULES PKI.NLM from the console. If it is loaded, the date and version information for this NLM will display. If it is not loaded, the console will simply return to the system console prompt.
PKI will fail to load if the following files are not available:
In the server startup directory (usually C:\NWSERVER), the following files should be present:
CCS.XLM
XIM.XLM
XMGR.XLM
XSUP.XLM
NOVXENG.XLM
The US/Canada CD ships with NOVXENG.XLM, EXPXENG.XLM (export) and DOMXENG.XLM (domestic) or EXPXENG.XLM. The
international CD, to meet US Government security requirements, only ships with NOVXENG.XLM and EXPXENG.XLM.
DOM version is 128-bit encryption
EXP version is 40-bit encryption.
The level of encryption is determined by the software purchased. Note: SoftWare Connection Library versions of NetWare 5 are International only, meaning 128-bit encryption is not included. For details on 128-bit security and Border Manager, see TID 2945530 BorderManager 3 README - Pt 1 of 2.
If this NOVXENG.XLM file is not present, appears to be corrupt or is the wrong size, copy the appropriate file (NUL, DOM or the EXP version of xxxXENG.XLM) present on the distribution media to C:\NWSERVER\NOVXENG.XLM. To see which of these modules was installed, review the SYS:NI\DATA\NI.LOG file which contains data regarding the installation of NetWare. Search in this text file for "XLM". You will find an entry similar to one those listed below, indicating which Cryptographic module was copied to NOVXENG.NLM.
Object: BeDriver@1b6505e5
Informational: NICI Cryptographic Modules installation has completed successfully from "C:\NWSERVER\EXPXENG.XLM".
Object: BeDriver@1b6634d3
Informational: NICI Cryptographic Modules installation has completed successfully from "C:\NWSERVER\DOMXENG.XLM".
Object: BeDriver@1b6436c2
Informational: NICI Cryptographic Modules installation has completed successfully from "C:\NWSERVER\NULXENG.XLM".
NOVXENG.NLM will result in a NOVXENG.XLM file the same size as one of these originating modules on the distribution CD. Thus you can also compare file sizes to get an idea of which file copied.
(Note: A publicly available conversion kit allowing US customers to implement 128-Bit encryption and WorldWide customers to implement 56-bit encryption can be found at: http://www.novell.com/products/cryptography)
On the SYS volume, there are five files which play a part with the installation of NICI
SYS:SYSTEM\NICIFK (a file)
SYS: _NETWARE\XMGRCFG.DA0
SYSTEM\NICI\XMGRCFG.DA1
SYSTEM\NICI\XARCHIVE.000
SYSTEM\NICI\NICICFG.CFG
SYS:SYSTEM\NICIFK - This file is copied from the XXXXXXXX.NFK file on MLA to NICIFK. If an MLA license diskette is not available, it can be obtained from operating system cd. This is located in the License\Demo folder off of the root of the cd. This file must be present for NICI to install with licensing. If the file is not present, the administrator can remove existing licensing and attempt to reinstall licenses or can copy and rename this file manually.
XMGRCFG.DA0, XMRCFG.DA1 and ARCHIVE.000 contain critical Disaster Recovery Information that Novell can use to try and recreate Security configuration in the event of a Disaster. (The must, of course, have been backed up.) NICI will not load if these files are not present. SYSTEM\NICI\NICICFG.CFG contains configuration information created by the GUI installation but is not critical to the operation of NICI.
The SYS:_NETWARE directory is hidden and can only be viewed with tools allowing the examination of this critical system directory. The NDS database files are contained in this directory so great care should be exercised when tampering with files therein. There are a number of tools that will allow the examination and manipulation of the SYS:_NETWARE directory. One source of freeware/shareware tools is: http://www.netwarefiles.com. Check out JCMD at this site. On-Track Data Recovery for NetWare also allows this functionality but provides this capability from a dismounted volume. On-track can be found at:http://www.ontrack.com.
If any of the required files or directories are missing, NICI will not properly load and PKI will not stay resident.
The following steps will guide the administrator through the manual steps of recreating a NICI installation.
NOTE: NICI/PKI/SAS are the only services impacted by manipulation of these files. Assuming their load failure is the reason for consulting this document, you can safely manipulate these files without impacting any other NetWare services.
1.) Delete all files contained in SYS:SYSTEM\NICI. If this directory does not exist, create it.
2.) If SYS:SYSTEM\NICIFK does not exist, copy the A:\LICENSE\XXXXXXXX.NLF file (for Non-MLA licenses on NetWare 5.0) or the
A:\LICENSE\XXXXXXXX.NFK file (for MLA licenses and red box NW 5.1) from the license disk to the destination filename of SYS:SYSTEM\NICIFK. As mentioned above, you can also try reinstalling licenses even if they are already installed. You will received an error that the license is already installed, but the NICIFK (Foundation Key) should be recopied. You can also consider removing licenses and the NLS_LSP_Servername objects with NWadmin.
3.) If you are not installing a license, you may need to create the subdirectory SYS:SYSTEM\NICI.
4.) You can use TOOLBOX.NLM v1.x which can access the SYS:_NETWARE directory to delete the file SYS:_NETWARE\XMGRCFG.DA0. REMINDER: Be extremely careful when deleting anything from SYS:_NETWARE. This hidden directory contains your NDS database. Delete ONLY the SYS:_NETWARE\XMGRCFG.DA0 file.
Note: Do not use TOOLBOX v2.x. This version does not allow you to access SYS:_NETWARE directory.
Note: NREPAIR3.EXE can also be used to delete the NICI files
5.) Down the server.
6.) Change directories to C:\NWSERVER (if the server was not started from this location). Perform DIR *.XLM
The following files should be present:
CCS.XLM
XIM.XLM
XMGR.XLM
XSUP.XLM
NOVXENG.XLM
As previously mentioned, NOVXENG.XLM has been copied from the appropriate DOM, EXP or NUL files.
7.) Restart the server.
8.) Then run SETUPNLS and reinstall licenses.
If you cannot observe all the load messages for NICI, consult TID 2942146 "Problems Mounting SYS after running Server -NS. This will provide details on incrementally loading SERVER.EXE to see how the NICI files are executed.
NICI files are loaded during LOADSTAGE 2 and should display something like the following taken from NetWare 5.00:
NICI XSUP from Novell, Inc.
Version 1.00 June 24, 1998
Copyright 1995-1998, Novell, Inc. All rights reserved. Patent pending.
All Digitally Signed Objects successfully loaded.
NICI XMGR from Novell, Inc.
Version 2.01 August 4, 1998
Copyright 1995-1998, Novell, Inc. All rights reserved. Patent pending.
All Digitally Signed Objects successfully loaded.
NICI NULL XENG from Novell, Inc.
Version 1.00 July 14, 1998
Copyright 1995-1998, Novell, Inc. All rights reserved. Patent pending.
NICI Worldwide XMGR Assistant XENG from Novell, Inc.
Version 1.00 August 28, 1998
Copyright 1995-1998, Novell, Inc. All rights reserved. Patent pending.
All Digitally Signed Objects successfully loaded.
Portions Copyright 1986-1995 RSA Data Security, Inc.
NICI Worldwide XENG from Novell, Inc.
Version 1.00 August 28, 1998
Copyright 1995-1998, Novell, Inc. All rights reserved. Patent pending.
Portions Copyright 1986-1995 RSA Data Security, Inc.
All Digitally Signed Objects successfully loaded.
:
Once NICI loads properly, try typing MODULES PKI.NLM at the console to see if PKI has remained resident. If so, you should be able to complete the Certificate Authority Creation..
document
| Document Title: | Reinstalling NICI Files - the detailed version |
| Document ID: | 10025666 |
| Solution ID: | 1.0.51440661.2510819 |
| Creation Date: | 27Jan2000 |
| Modified Date: | 23Mar2004 |
| Novell Product Class: | End of Life NetWare Novell BorderManager Services Novell eDirectory Web Services |
disclaimer
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.