How to use PKIDIAG?

(Last modified: 17Nov2005)

This document (10095905) is provided subject to the disclaimer at the end of this document.

fact

Novell Operating Systems

goal

How to use PKIDIAG?

symptom

SSL certificates (KMO's) invalid or missing

Secure connections to server not working

LDAP over SSL not working

fix

Be sure to use the latest version of PKIDIAG available at http://support.novell.com/filefinder/

PKIDIAG Architecture Overview


The architecture for Novell server certificates and related objects provides for links between all of the objects that are used to identify and store the server certificates. Please note that the server certificate object is often referred to the KMO or Key Material Object (schema definition NDSPKI:Key Material).


In general, the server object has a link (SAS:Service DN) which points to the SAS:Service object. In turn, the SAS:Service object has a link back to the server (Host Server). The SAS:Service object also has a multi-valued link (NDSPKI:Key Material DN) to all of the server certificates (i.e. KMOs). Each of the server certificates have a link back to the server (Host Server). This kind of redundant linking is designed to help make the system hard to break, and make it so that all of the objects can be found by following the links.


The server certificate objects also follow a naming scheme that is designed to help easily identify which objects belong to which server and vise-versa. The naming scheme appends a '– <server name>' to the object, which helps to identify which server the object belongs to. (For example if the server name is 'FOO' and the certificate name is 'CERTONE', then the name would be 'CERTONE – FOO'.)


All of the objects are designed to reside in the same container. Although theoretically the objects do not need to be in the same container, in practice, they usually do need to.


In addition, certain rights to the objects are given to other objects. The rights allow the system to work without requiring an administrator to login when the server boots.


PKIDiag Functionality Overview


The PKIDiag utility is designed to diagnose and (optionally) fix the objects identified above. If a server has been renamed or moved PKIDiag can rename or move the related objects so that they conform to the correct naming and containment schemes. If any of the required objects do not exist, PKIDiag can create them. If any of the objects don't have the necessary rights to the other objects, PKIDiag can give those rights. If any of the objects are not linked, then PKIDiag can link them. If either the SSL CertificateIP or the SSL CertificateDNS does not exist, has an incorrect name, or is out of date (or close to out of date) PKIDiag can fix them.  It is IMPORTANT to note that users running PKIDIAG should have ROOT LEVEL ADMIN RIGHTS to be able to perform these function successfully.


The default mode for PKIDiag is to only diagnose problems. You must change the mode to fixing in order to fix any problems.


PKIDiag Options


PKIDiag allows the user to choose between diagnostic and fixing mode.


PKIDiag determines the default IP and DNS addresses of the server and displays prior to starting the diagnostic or fixing process. The user can also enter a different IP and/or D.NS address. (Use this method if PKIDiag was unable to determine the default IP and DNS addresses.)


In fixing mode, PKIDiag allows the user to determine the default KMO replacement option and update default KMO option (See # 6 below).


PKIDiag allows the user to use the command line to enter the options if desired.

Use the command 'Load PKIDiag /?' to see the command line options.


PKIDiag Diagnostic/Fixing Steps


  1. Verifying the Server's link to the SAS Service Object -- PKIDiag checks the link from the server object to the SAS Service Object if it exists. (If the link does not exist, then it doesn't do anything.) In fixing mode it can do which ever of the following steps are necessary:

  1. Rename an existing SAS Service Object that was previously linked to the server.

  2. Link an existing SAS Service Object that previously had the correct naming scheme, but was not previously linked.


  1. Verifying the SAS Service object -- PKIDiag checks the link from the SAS:Service to the host server and checks necessary rights. In fixing mode PKIDiag can do one or more of the following steps as needed:

  1. Create a new SAS Service Object and link it to the server (adds both forward and backwards links).

  2. Create a link from the SAS Service Object to the server.

  3. Give the server rights to the SAS Service Object.


  1. Verifying the links to the KMO objects -- PKIDiag reads all of the KMO objects that are linked to the server and checks that their names are correct. In fixing mode PKIDiag can move or rename the KMO objects when needed.


  1. Verifying the KMO objects -- PKIDiag reads all of the names of the KMO's in the same container as the server and puts them in a list. PKIDiag then performs the following tests on each of the KMOs:

  1. Checks if [Public] has the appropriate read rights to the appropriate attributes.

  2. Checks if the KMO is back-linked to a server. (If the KMO belongs to a different server, then the name is removed from the list and further testing on the KMO is halted.)

  3. Reads the private key and tests to see if the key is usable by the server.



  1. Re-Verifying the links to the KMO objects -- PKIDiag reads all of the KMO objects that are linked to the server and compares them with the list created in step 4. In fixing mode PKIDiag can do one or more of the following steps as needed:

  1. Add the link from the SAS Service Object to the KMO.

  2. Back-link the KMO to the server.

  3. Delete the link from the SAS Object to the KMO if the private key is unusable. (The KMO should probably be deleted if this is the case.)


  1. Creating IP and DNS Certificates -- PKIDiag checks to see if 1) 'SSL CertificateIP' and 'SSL CertificateDNS' exist, 2) that these two certificates have appropriate subject names and 3) if these two certificates have expired or are about to expire. In fixing mode PKIDiag has several options of how to fix these two certificates.

  1. Default KMO replacement mode

    1. Rename and create new KMO -- rename existing certificates and create new KMOs with the same old name. (Default)

    2. Rekey existing KMO -- rekey existing certificates, which replaces the private key and public key certificates with new ones. (This is more dangerous because it cannot be undone.)

  2. Update default KMO mode

    1. When necessary -- modify the two certificates only when the existing KMOs have some problem. (Default)

    2. Always-- always update the KMOs.




.

document

Document Title: How to use PKIDIAG?
Document ID: 10095905
Solution ID: NOVL100234
Creation Date: 16Dec2004
Modified Date: 17Nov2005
Novell Product Class:Novell Directory Services

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.