Reinstalling Certificate Server

  • 10050254
  • NOVL534
  • 14-Mar-2000
  • 21-Jun-2004

Archived Content: This information is no longer maintained and is provided 'as is' for your convenience.

Fact

Novell NetWare 5.1

Novell NetWare 6.0

Certificate Server

Symptom

Reinstalling Certificate Server

Error: "Can't generate the certificate signing request. Error Code: -603"

SETTREENAME Java errors

Certificate server will not install properly

The certificate server did not correctly create the SAS, CA, KAP, KMO, etc. objects

SSL problems in general

How to uninstall and reinstall the Certificate Server

"SAS_Register failed. KMO/key=SSL Certificate! (-13)" (see also 10025503)

"SAS failed to initialize with KMO/key=SSL Cdns! -11" (see also 10025503)

Module MOD_JK.NLM (10022) unknown error: Make_Secure_Socket. Address x.x.x.x Port 2200 (SO_SSL_Set_Server)

Cause

DS or NICI problems during the install of Certificate Server

Migration to NW 6 does not install certificate server automatically.

See also 10050915

Implications: If you have BorderManager, GroupWise, or a Web server configured for SSL, you will need to reconfigure the SSL portion after reinstalling Certificate Server.

Fix

Warning: Reinstalling Certificate Server should be your last option.
Please review the following before proceeding:
1) https://support.microfocus.com/kb/doc.php?id=10075982
   https://support.microfocus.com/kb/doc.php?id=10059197
2) pkidiag
3) sdidiag
   Search for both of these at: https://support.novell.com/filefinder/
4) With NW 6.x you can create a new CA with ConsoleOne, provided you have the NICI snap-ins.
   Select the Security OU | Create new object | select a host server and object name

Reinstallation of Certificate Server

If the server is the Certificate Authority, use SYS:\PUBLIC\MGMT\CONSOLEONE\BIN\CONSOLEONE.EXE to delete the Organizational CA object from the Security container at the root of the tree. Also delete the SAS Service - ServerName and SSL - ServerName objects from the server's container. Lastly, move that server's SYS:SYSTEM\NICI\NICISDI.KEY file to your local workstation. (IF YOU DELETE CERTIFICATE SERVER OFF OF THE CERTIFICATE AUTHORITY SERVER, YOU MUST RUN PKIDIAG ON ALL THE NETWARE 5.x AND LATER SERVERS IN YOUR TREE.)

If the server is not the Certificate Authority, delete the SAS Service - ServerName and SSL - ServerName objects from the server's container.

At the server console prompt, type UINSTALL PKIS and UINSTALL SAS to pull the product out of PRODUCTS.DAT (read by NWCONFIG.NLM). This is needed so that Certificate Server can be reinstalled.

If you are reinstalling via the eDirectory 8.6 or above installation files, then you will need to UINSTALL NDS8 and UINSTALL EDIR at the console prompt.

In order to force the object deletion changes throughout the tree, use the following DSTRACE commands:

SET DSTRACE = +S
SET DSTRACE = +J
SET DSTRACE = *H
SET DSTRACE = *F

The progress of the deletions can be monitored by running DSREPAIR -A | Advanced Options | Check External References and looking for obituaries of the objects just deleted, namely the SAS Service and SSL objects and, in the case of the Certificate Authority, the Organizational CA object. Once these objects no longer appear as obituaries, you can proceed to the installation of Certificate Server.

Reinstall the Certificate Server by mounting the NetWare CD-ROM. NOTE: It is important to use the correct CD when reinstalling Certificate Server. Do not use the original NetWare shipping CDs if you have applied any support packs to the server. Take note of the following configurations and choose the correct CD.

SERVER CONFIGURATIONS:

1.  NetWare 5.1 SP4 or earlier running NDS 7.x or NDS 8.x - Use the NetWare 5.1 shipping CD and immediately reapply the necessary OS support pack once Certificate Server is installed.
2.  NetWare 5.1 SP5 or greater running NDS 7.x or NDS 8.x - Use the NetWare 5.1 SPx OVERLAY CD that corresponds to your support pack level (available from https://support.novell.com/filefinder).
3.  NetWare 5.1 SPx running eDirectory 8.6 or greater - Use the eDirectory full installation software to reinstall Certificate Server (not the NetWare CD).
4.  NetWare 6.0 SPx running eDirectory 8.6 - Use the NetWare 6.0 SPx OVERLAY CD that corresponds to your support pack level.
5.  NetWare 6.0 SPx running eDirectory 8.7 or greater - Use the eDirectory full installation software to reinstall Certificate Server (not the NetWare CD). See "Reinstalling Certificate Server on NW 6.0 with eDirectory 8.7.x" at the bottom of this document for details.
6.  NetWare 6.5 SPx - Use the NetWare 6.5 SPx OVERLAY CD that corresponds to your support pack level.

If you are installing from the NetWare CDs, load STARTX to get to the GUI, choose Novell | INSTALL, then Add a new product, and point to the PRODUCT.NI file at the root of the NetWare CD.
If you are installing using the eDirectory installation files, use NWCONFIG | Product Options | Install a Product Not Listed and then point to the .IPS file.

After the installation is complete, reboot the server.

You can also use NWDEPLOY from a workstation to install Certificate Server. NWDEPLOY is found on the NetWare OS CD. Only do this if your server configuration matches a case above that requires a NetWare CD to reinstall. Do not use NWDEPLOY if your configuration requires you to reinstall using the eDirectory installation files.

NOTE: In some cases after the "Reinstall" procedure you may have to manually do the following:
1.  Make SAS Service a trustee of <servername>
2.  Assign each SSL certificate as a trustee of SAS Service-servername
3.  Edit properties of SAS Service-servername object and create an attribute of "NDSPKI:Key Material DN" with values SSL CertificateIP-servername and SSL CertificateDNS-servername.

You can also download PKIDIAG from https://support.novell.com/filefinder and run it from the server console; it will check the security objects in the tree as well.

To create a KMO for BorderManager you may need to LOAD SASI on the BorderManager server (SASI is no longer recommended; please use PKIDIAG.NLM instead: https://support.novell.com/servlet/filedownload/uns/nsd/pkidiag1.exe/ ). You may also need to promote the 5.1 server to master replica: DSREPAIR | Advanced | Replica Partition Operations | select the Root | Enter | Designate this server as the new master replica.

The LDAP Server object is linked to an SSL certificate.  This needs to be cleared out of the properties of the LDAP Server object and then relinked after the new SSL object is created.

This should correctly install and create the objects needed for Certificate Server.

This document is for the general reinstallation of Certificate Server. For BorderManager, please see "Invalid KeyId for SSL" (KB 10024283).

Additional Note: During the reinstallation of Certificate Server you may get a "SetTreeName" Java error and be told to check the NI.LOG file.

In the SYS:NI\DATA\NI.LOG file you see the following fatal errors:
Fatal: Unrecoverable error in driver.mainHallway().
Fatal: SetTreeName
Fatal: java.lang.UnsatisfiedLinkError: SetTreeName

In the first line of the SYS:NI\DATA\NIOUTPUT.TXT file you will see the following:
"UnsatisfiedLinkError - unable to load PKIWrap.nlm"

This is the source of the problem: PKIWRAP.NLM never loaded successfully. When PKIWRAP.NLM tried to load, it received public symbol error messages. PKIAPI.NLM exports symbols that conflict with PKIWRAP.NLM and thus prevents it from loading. To get around this, unload PKIAPI.NLM and then run the install for Certificate Server.

Reinstalling Certificate Server on NW 6.0 with eDirectory 8.7.x

Before proceeding, make sure reinstalling the CA is the only option. Download and review the readme for pkidiag.nlm and sdidiag.nlm. Search https://support.novell.com/filefinder/ for sdidiag.nlm and pkidiag.nlm. Most problems can be fixed with these two tools. The placement of the CA is key: ideally the CA will be on a static server that will not be moved or otherwise disturbed.

Clean up the Security objects by deleting them with ConsoleOne. Delete the CA (Certificate Authority), SAS Service - Servername, and KMO (Key Material Objects). (As of this writing of the TID I would NOT delete the KAP or W0. Note: the reinstall of eDirectory did NOT re-create the KAP or the W0.)

If you don't have the 8.7.3 CD, download the eDirectory 8.7.3 for NetWare full install from https://download.novell.com | choose a product: eDirectory | platform: NetWare | submit | download the "8.7.3 Platform-Specific Downloads" | eDir_873_nw_full.exe

If you already have eDirectory 8.7.3 installed, you need to remove it from sys:\system\products.dat so you can reinstall it.
Make a backup copy of sys:\system\products.dat first.
To remove eDirectory from products.dat, type these commands at the console:

UINSTALL EDIR
UINSTALL NICI
UINSTALL NICIU0
UINSTALL PKIS
UINSTALL SAS

Mount the eDirectory 8.7.3 CD by typing CDROM at the console.
Load NWCONFIG | Product Options | Install a Product Not Listed | press F3 to change the path to: NOVELL_EDIR:NW
Copy all files again and re-authenticate as Admin or equivalent; be prepared for the server to reboot. (Also, the readme recommends remarking out services that use eDirectory from the AUTOEXEC.NCF.)
Select "this is a local install" (not RCONJ etc.) if you can, so you can see what is being installed (the remote install didn't work for me).
Once the reinstall of eDirectory has completed, unremark the AUTOEXEC.NCF back to normal and reboot the server. You should now have a 'Treename CA' object along with the SAS and KMO objects created by the reinstall of eDirectory (Certificate Server is reinstalled during the install of eDirectory).

**To have KMOs that are signed by the new CA, pkidiag should be run on all servers in the tree. See the readme for load options to automate this. Make sure you use the updated pkidiag.nlm for eDirectory 8.7.x (pkidiag2).

Note

NOTE: This procedure is not suitable for NW 6.5, as there is currently no easy way to reinstall eDirectory 8.7.3 on that platform. Should you accidentally run the UINSTALL process on NW 6.5, you can use the following installation script to replace the entry in products.dat. Paste it into a text document and save it with a .ips extension (e.g. fred.ips). Use NWCONFIG to install that script as if it were a full product.


@SyntaxVersion 1.03
;This script will install an entry to PRODUCTS.DAT
Command ICMD
ProductRecord EDIR, 0, "87.3.0"
ProductRecord EDIR, 1, "eDirectory (tm)"
Display 1, "Edits to PRODUCTS.DAT file are complete.\n\n Please unload NWCONFIG.NLM before installing anything else."