NICI 1418 Errors

  • 10074694
  • NOVL82374
  • 18-Sep-2002
  • 16-Jan-2004

Archived Content: This information is no longer maintained and is provided 'as is' for your convenience.

Fact

Novell NetWare 5.1

Novell NetWare 6.0

Novell NetWare 6.5

Novell Certificate Server

Novell NetWare Server NICI

Symptom

NICI 1418 Errors

NICI returns the error "-1418" during the boot process of a given NetWare server.

While creating new server certificates (Key Material Objects / KMO) with PKIDIAG or ConsoleOne, NICI returns the error "-1418".

Cause

The Security Domain Infrastructure Key (SDI key) is required in order to get access to a private key belonging to a given certificate, NMAS or SecretStore credential.

NICI will return the error "-1418 IDS_T_NICI_E_ENCRYPTED_DATA_INVALID 0xFA76 NICI E ENCRYPTED DATA" under the following conditions:

  1. During the creation of a new certificate:
    • If no SDI key is available in order to get access to a given private key
    • If the private key of the Certificate Authority (CA) has been wrapped
      with a different SDI key which is no longer available
  2. While trying to export/back up a given certificate into a PKCS#12 envelope:
    • If no SDI key is available in order to get access to a given private key
    • If the available SDI key is not the key which has been used to encrypt the private key
      (wrong key / original key no longer available)
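
The two failure conditions above, modeled as an added example (not Novell code and not part of the original article): a private key is wrapped under one SDI key, and unwrapping returns -1418 when the key is missing or is a different key. The encrypt-then-MAC construction, the function names and the sample keys are assumptions for illustration; NICI's actual wrapping algorithm is not described on this page.

```python
import hashlib
import hmac
import os

NICI_E_ENCRYPTED_DATA_INVALID = -1418  # error code quoted on this page


def as_hex16(code):
    """Render a negative NICI code as the 16-bit hex form (e.g. 0xFA76)."""
    return f"0x{code & 0xFFFF:04X}"


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a stand-in cipher, not NICI's algorithm.
    out, counter = b"", 0
    while len(out) < length:
        block = b"enc" + nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(sdi_key, private_key):
    """Encrypt-then-MAC a private key under an SDI key."""
    nonce = os.urandom(16)
    stream = _keystream(sdi_key, nonce, len(private_key))
    ct = bytes(a ^ b for a, b in zip(private_key, stream))
    tag = hmac.new(sdi_key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(sdi_key, blob):
    """Return (0, key) on success, (-1418, None) if the SDI key is missing or wrong."""
    if sdi_key is None:  # condition: no SDI key available on this server
        return NICI_E_ENCRYPTED_DATA_INVALID, None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(sdi_key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # condition: different SDI key
        return NICI_E_ENCRYPTED_DATA_INVALID, None
    stream = _keystream(sdi_key, nonce, len(ct))
    return 0, bytes(a ^ b for a, b in zip(ct, stream))


if __name__ == "__main__":
    original_sdi, other_sdi = os.urandom(32), os.urandom(32)  # constructed keys
    blob = wrap(original_sdi, b"constructed CA private key bytes")
    for label, key in [("original", original_sdi), ("different", other_sdi), ("none", None)]:
        code, _ = unwrap(key, blob)
        print(f"SDI key {label}: code {code}" + (f" ({as_hex16(code)})" if code else ""))
```

In this model the wrapped key is only recoverable by restoring the original SDI key, and a missing key and a mismatched key produce the same error code.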

Fix

  1. Check whether your Certificate Authority (CA) is able to issue new certificates for the server running the CA. This makes sure that the returned "-1418" error is not caused by the CA no longer being able to access its own private key. If NICI returns the -1418 error when creating a certificate for the CA server and the CA server stores a valid copy of the SDI key, you have to re-create the CA object.

  2. Make sure NICI version 2.4.2 or higher is installed on all servers in the tree. NICI 2.4.2 or higher will try to retrieve a missing SDI key from any assigned SDI key server during the server boot process.

  3. Make sure the correct version of NICISDI.XLM is loaded on all servers.
    (With NICI 2.4.2, NICISDI.XLM is Version 24212.98.00)

  4. Make sure all servers in the tree are assigned as trustee of the "W0.KAP.Security" object with browse, read and compare rights.
    Note: Under normal conditions the installation procedure of Certificate Server makes sure that a given server is assigned as trustee to the W0 object.

SDIDIAG.NLM can be used to check or re-synchronize the Security Domain key(s) to all servers in a given tree.

There are two different SDIDIAG versions available:

  1. SDIDIAG.NLM (NetWare server based)
  2. SDIDIAG.EXE (Windows workstation based)

To run SDIDIAG you can use the following steps:

Open a command prompt and type SDIDIAG (you must use the -A switch if you are not on eDirectory).

  1. Log in as admin of [Root].
    To log in, the name must have a leading and trailing period.
    For example: "admin.novell.treename."
  2. Enter the IP address of the server.
  3. Enter the user's password.
  4. RD -T (these are the commands to re-synchronize the domain keys)
