How to recreate KAP and W0 objects if they have been deleted

  • 3032354
  • 13-Apr-2007
  • 27-Apr-2012

Environment

Novell Certificate Server (PKIS)
Novell eDirectory on all Platforms
Novell NetWare 6.5
Novell Open Enterprise Server (OES)

Situation

For an overview of the Security Domain Infrastructure,
Please see How does Novell implement a Security Domain Infrastructure? - TID# 3611186

To check the health and synchronization of your tree keys, see KB 3455150 - Using SDIDiag to gather specific SDKey information from servers



Resolution

What to do if the KAP and W0 have been deleted?

If KAP and W0 have been deleted, the extent of the damage depends on whether you have done subsequent eDirectory and/or NetWare installations. Each time eDirectory and/or NetWare is installed, the install checks and verifies the KAP and W0 objects are present. If they are not, the install will create them and create a new SDI Key (or Treekey).

How to recreate KAP and W0 objects after if deleted?

If you have not done any subsequent installs of eDirectory and/or NetWare after KAP and W0 were deleted (or the tree doesn't have the KAP and W0 objects), do the following:

1. Find a server on which NICISDI.KEY exists. Usually the server hosting the Organizational CA is a good choice. The file is located in the SYS:SYSTEM\NICI directory on NetWare, /var/opt/novell/nici/0 on Unix and SYSTEM32\novell\nici on Windows.
2. Using ConsoleOne create a new object of type NDSPKI:SD Key Access Partition and name it "KAP". (if one already exist, skip this step.)
3. In the KAP container, create an NDSPKI:SD Key List object, being sure to name it W0 (that's a zero, not an O.).
4. Open the properties of the W0 object and go to the Other tab.
5. Click the Add button and add an attribute named NDSPKI:SD Key Server DN. Using the Browse button, select the server you identified in step 1. This server will become your "W0 Server".
6. Proper rights must be granted to each server in the tree. The"W0 Server" server (from step 5 above) must have write rights to the object, and all other servers must have read rights.

The server listed in the NDSPKI:SD Key Server DN attribute needs two ACLs granted on the W0.KAP.Security object:

1) Trustee: Attribute: [Entry Rights] Privilege: Browse
2) Trustee: Attribute: [All Attribute Rights] Privileges: Compare, Read, Write, Self

All other servers need two ACLs granted on the W0.KAP.Security object:
1) Trustee: Attribute: [Entry Rights] Privilege: Browse
2) Trustee: Attribute: [All Attribute Rights] Privilege: Read

If you are concerned or have questions about any of the steps above, you should open a Service Request with Novell Technical Support to help you restore your Security Domain Infrastructure properly.

Additional Information

Formerly known as TID# 10053572

Feedback service temporarily unavailable. For content questions or problems, please contact Support.