Archived Content: This information is no longer maintained and is provided 'as is' for your convenience.
Novell NetWare 5.1
Novell NetWare 6.0
Reinstalling Certificate Server
Error: "Can't generate the certificate signing request. Error Code: -603"
SETTREENAME Java errors
Certificate server will not install properly
The certificate server did not create correctly a SAS, CA, KAP, KMO, etc
SSL problems in general
How to uninstall reinstall the Certificate Server
SAS_Register failed. KMO/key=SSL Certificate! (-13)" see also 10025503
SAS failed to initialize with KMO/key=SSL Cdns! "-11" 10025503
Module MOD_JK.NLM (10022) unknown error: Make_Secure_Socket. Address x.x.x.x Port 2200 (SO_SSL_Set_Server)
DS or NICI problems during the install of Certificate Server
Migration to NW 6 does not install certificate server automatically.
See also 10050915
Implications: If have BorderManager, GroupWise, or Webserver configured for SSL then you will need to reconfigure the SSL portion after reinstalling the Certificate server.
Warning Warning Reinstalling Certificate Server should be your last option.
Please review the following before proceeding:
Search for both of these at: https://support.novell.com/filefinder/
4) With NW 6.x you can create a new CA with consoleone provided you have the NICI Snapins.
Select Security OU | create new object | select a host server and object name
Reinstallation of Certificate Server
If the server is the Certificate Authority use SYS:\PUBLIC\MGMT\CONSOLEONE\BIN\CONSOLEONE.EXE to delete the Organizational CA objects from the Security container at the root of the tree. Also delete SAS SERVICE - ServerName, and SSL -ServerName objects from the server's container. Lastly move that server's sys:system\nici\nicisdi.key file to your local workstation. (IF YOU DELETE CERTIFICATE SERVER OFF OF THE CERTIFICATE AUTHORITY SERVER, YOU MUST RUN PKIDIAG ON ALL THE NETWARE 5.x AND LATER SERVERS IN YOUR TREE).
If the server is not the Certificate Authority delete the SAS SERVICE - SERVERNAME, and SSL -SERVERNAME objects from the servers container.
On the server console prompt type UINSTALL PKIS and UINSTALL SAS, to pull the product out of PRODUCTS.DAT (read by NWCONFIG.NLM) This is needed so one can re-install the Certificate Server.
If you are reinstalling via the eDirectory 8.6 or above installation files, then you will need to UINSTALL NDS8 and UINSTALL EDIR at the console prompt.
In order to force the object deletion changes throughout the tree, use the following DSTRACE commands:
SET DSTRACE = +S
Reinstall the Certificate Server by mounting the NetWare CD-ROM. NOTE: It is important to use the correct CD when re-installing Certificate Server. You do not want to use the original NetWare shipping CD's if you have applied any support packs to the server. Take note of the following configurations and choose the correct CD.
If you are installing from the NetWare CD's, load STARTX to get to the GUI and then choose Novell | INSTALL and then Add a new product and point to the PRODUCT.NI file at the root of the NetWare CD.
One can also use the nwdeploy from a workstation to install Certificate Server. Nwdeploy is found on the NetWare OS CD. Only do this if your server configuration matches a case above that requires a NetWare CD to reinstall. Do not use NWDEPLOY if your configuration requires you to reinstall using eDirectory installation files.
NOTE: In some cases after the "Reinstall" procedure you may have to manually do the following:
1. Make SAS Service a trustee of <servername>
2. Assign each SSL certificate as a trustee of SAS Service-servername
3. Edit properties of SAS Service-servername object and create an attribute of "NDSPKI:Key Material DN" with values SSL CertificateIP-servername and SSL CertificateDNS-servername.
To create a KMO for BM you may NEED to LOAD SASI (SASI is no longer recommended, please use PKIDIAG.NLM https://support.novell.com/servlet/filedownload/uns/nsd/pkidiag1.exe/ ) on the BorderManager server. You may also need to promote the 5.1 server as master replica - DSREPAIR | Advanced | Replica Partition Operations | select the Root | Enter | Designate this server as the new master replica |
The LDAP Server object is linked to an SSL certificate. This needs to be cleared out of the properties of the LDAP Server object and then relinked after the new SSL object is created.
This should correctly install and create the objects needed for Certificate Server
This document is for General reinstallation of Certificate Server. For BorderManager please see Invalid KeyId for SSL (KB 10024283)
Additional Note: During the reinstallation of Certificate Server you may get a "SetTreeName" Java error and told to check the NI.LOG file.
In the SYS:NI\DATA\NI.LOG file you see the following fatal errors:
Fatal: Unrecoverable error in driver.mainHallway().
Fatal: java.lang.UnsatisfiedLinkError: SetTreeName
In the first line of the SYS:NI\DATA\NIOUTPUT.TXT file you will the following:
ÂUnsatisfiedLinkError - unable to load PKIWrap.nlmÂ
This is the source of the problem. PKIWRAP.NLM never loaded successfully. When PKIWRAP.NLM tried to load, it would get public symbol error messages. PKIAPI.NLM has conflicting symbols with PKIWRAP.NLM and thus prevents it from loading. To get around this, unload PKIAPI.NLM and then run the install for Certificate Server.
Reinstalling Certificate Server on NW 6.0 with eDirectory 8.7.x Before proceeding, make sure reinstalling the CA is the only option.
Reinstalling Certificate Server on NW 6.0 with eDirectory 8.7.x
Before proceeding, make sure reinstalling the CA is the only option.
Clean up the Security objects by deleting them with Consoleone. Delete
Download the edirectory 8.7.3 for NetWare full install, if you don't
If you already have edir 8.7.3 installed, you need to remove it from
mount the edir 8.7.3 cd by typing CDROM
**To have KMO that are signed by the new CA, pkidiag should be ran on
NOTE: this procedure is not suitable for NW 6.5, as there is currently no easy way to reinstall eDir 8.7.3 on that platform. Should you accidentally do the Uinstall process on NW 6.5, you can use the following installation script to replace the entry in products.dat. Paste it into a text document and save with a .ips extension (eg fred.ips). Use Nwconfig to install that script as if it were a full product.
;This script will install an entry to PRODUCTS.DAT
ProductRecord EDIR, 0, "87.3.0"
ProductRecord EDIR, 1, "eDirectory (tm)"
Display 1, "Edits to PRODUCTS.DAT file are complete.\n\n Please unload NWCONFIG.NLM before installing anything else.