
Reinstalling Novell Certificate Server


01 May 2003


Q.

I am attempting to reinstall the Novell Certificate Server that comes with NetWare 6. I get a real good error:

Error: "Can't generate the certificate signing request. Error Code: -603"

Any help in resolving this problem would be appreciated.

Cherry in Certificatesville

A.

Dear Cherry: Such a simple question has a horribly complex answer. You will need to do a lot of work to fix this problem. If the server is the Certificate Authority (CA), use SYS:\PUBLIC\MGMT\CONSOLEONE\BIN\CONSOLEONE.EXE to delete the Organizational CA, KAP (Key Access Partition) and W0 (key list) objects from the Security container at the root of the tree. Also delete the SAS SERVICE-ServerName and SSL-ServerName objects from the server's container.

Note: If you delete the Certificate Server from the Certificate Authority server, you must reinstall the Certificate Server on all NetWare 5.x and later servers in your tree.

If the server is not the Certificate Authority, simply delete the SAS SERVICE-ServerName and SSL-ServerName objects from the server's container.

At the server console prompt, type UINSTALL PKIS and UINSTALL SAS to remove the product from the PRODUCTS.DAT file (which is read by NWCONFIG.NLM). This is necessary so you can reinstall the Certificate Server. Also, delete the SYS:SYSTEM\NICI\NICISDI.KEY file from each server.

Let these changes to the tree be synchronized out to all applicable replicas in the tree. To speed up the process, these changes can be pushed through by running the following SET DSTRACE commands at the server console prompt:

Set dstrace=*f
Set dstrace=*h

The progress of the deletions can be monitored by running DSRepair | Advanced Options | Check External References and by looking for obituaries of the objects just deleted, namely the SAS service, the SSL objects, and in the case of the Certificate Authority, the organizational CA object. Once these objects no longer appear as obituaries, you can proceed to the installation of Certificate Server.

Reinstall the Certificate Server by mounting the NetWare CD-ROM, then going to NWCONFIG.NLM | Products | Products Not Listed and pointing to the install IPS file. This will take you to the GUI, where you select Certificate Server, Web Server, and PKI or SAS if it's available. This should re-create the SAS, CA, KAP and KMO objects. Then reboot the server.

Note: In some cases after the "Reinstall" procedure, you may have to manually perform the following:

Make SAS Service a trustee of <servername>.

Assign each SSL certificate as a trustee of SAS Service-servername.

Edit properties of SAS Service-servername object and create an attribute of "NDSPKI:Key Material DN" with values SSL CertificateIP-servername and SSL CertificateDNS-servername.

To create a KMO for BorderManager you may need to LOAD SASI on the BorderManager server. You may also need to promote the NetWare 5.1 server as master replica. To do this, pull up the DSRepair utility and select Advanced | Replica Partition Operations | select the Root | Enter | then select the Designate this server as the new master replica option.

The LDAP Server object is also linked to the certificate. This object needs to be cleared out of the properties then relinked after the new one is created. This should correctly install and create the objects needed for Certificate Server.

Note: During the reinstallation of Certificate Server you may get a "SetTreeName" Java error and be told to check the NI.LOG file. In the SYS:NI\DATA\NI.LOG file, you'll see the following fatal errors:

Fatal: Unrecoverable error in driver.mainHallway().
Fatal: SetTreeName
Fatal: java.lang.UnsatisfiedLinkError: SetTreeName

In the first line of the SYS:NI\DATA\NIOUTPUT.TXT file, you will see the following:

"UnsatisfiedLinkError - unable to load PKIWrap.nlm"

This is the source of the problem: the PKIWRAP.NLM never loaded successfully. When PKIWRAP.NLM tried to load, it would get public symbol error messages. PKIAPI.NLM has conflicting symbols with PKIWRAP.NLM and this prevents it from loading. To get around this, unload PKIAPI.NLM and then run the install for Certificate Server.

Now, that wasn't so bad, was it?
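A triage helper for the two installer files described above, as an added example that is not part of the original column or Novell's own tooling: it collects the Fatal entries from NI.LOG text, extracts the unresolved symbol and the NLM named on the first line of NIOUTPUT.TXT, and maps the SetTreeName / PKIWrap.nlm combination to the workaround given in the answer. The function name, result keys and sample inputs are assumptions, constructed from the lines quoted on this page.

```python
import re

# Constructed sample inputs, modelled on the lines quoted in the article.
SAMPLE_NI_LOG = """\
Fatal: Unrecoverable error in driver.mainHallway().
Fatal: SetTreeName
Fatal: java.lang.UnsatisfiedLinkError: SetTreeName
"""
SAMPLE_NIOUTPUT = "UnsatisfiedLinkError - unable to load PKIWrap.nlm\n"

FATAL_RE = re.compile(r"^\s*Fatal:\s*(.+?)\s*$", re.IGNORECASE)
LINK_RE = re.compile(r"java\.lang\.UnsatisfiedLinkError:\s*(\S+)")
LOAD_RE = re.compile(r"unable to load\s+([\w.$-]+?\.nlm)", re.IGNORECASE)


def triage(ni_log: str, nioutput: str) -> dict:
    """Summarise a failed install from NI.LOG and NIOUTPUT.TXT text."""
    fatals = [m.group(1) for line in ni_log.splitlines()
              if (m := FATAL_RE.match(line))]
    # Native symbols the Java installer could not resolve.
    symbols = [m.group(1) for f in fatals if (m := LINK_RE.search(f))]
    # The article says the clue is on the first line of NIOUTPUT.TXT.
    first = next((ln for ln in nioutput.splitlines() if ln.strip()), "")
    m = LOAD_RE.search(first)
    module = m.group(1).upper() if m else None
    result = {"fatals": fatals, "missing_symbols": symbols,
              "failed_module": module, "advice": None}
    if "SetTreeName" in symbols and module == "PKIWRAP.NLM":
        # The one case the article covers.
        result["advice"] = ("PKIWRAP.NLM did not load; unload PKIAPI.NLM, "
                            "then rerun the Certificate Server install.")
    elif symbols or module:
        result["advice"] = ("Native library load failure, but not the "
                            "SetTreeName/PKIWRAP.NLM case in the article.")
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_NI_LOG, SAMPLE_NIOUTPUT).items():
        print(f"{key}: {value}")
```

To use it on a real server, read SYS:NI\DATA\NI.LOG and SYS:NI\DATA\NIOUTPUT.TXT from a mapped drive and pass their contents to `triage()`.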

* Originally published in Novell AppNotes

