How to recreate KAP and W0 objects if they have been deleted

  • 3032354
  • 13-Apr-2007
  • 27-Apr-2012

Environment

Novell Certificate Server (PKIS)
Novell eDirectory on all Platforms
Novell NetWare 6.5
Novell Open Enterprise Server (OES)

Situation

For an overview of the Security Domain Infrastructure, please see How does Novell implement a Security Domain Infrastructure? - TID# 3611186

To check the health and synchronization of your tree keys, see KB 3455150 - Using SDIDiag to gather specific SDKey information from servers

Resolution

What to do if the KAP and W0 have been deleted?

If KAP and W0 have been deleted, the extent of the damage depends on whether you have done any subsequent eDirectory and/or NetWare installations. Each time eDirectory and/or NetWare is installed, the install checks that the KAP and W0 objects are present. If they are not, the install creates them and generates a new SDI Key (also called the Tree Key).

How to recreate KAP and W0 objects if they have been deleted?

If you have not done any subsequent installs of eDirectory and/or NetWare after KAP and W0 were deleted (or the tree doesn't have the KAP and W0 objects), do the following:

1. Find a server on which NICISDI.KEY exists. Usually the server hosting the Organizational CA is a good choice. The file is located in the SYS:SYSTEM\NICI directory on NetWare, /var/opt/novell/nici/0 on Unix and SYSTEM32\novell\nici on Windows.
2. Using ConsoleOne, create a new object of type NDSPKI:SD Key Access Partition and name it "KAP". (If one already exists, skip this step.)
3. In the KAP container, create an NDSPKI:SD Key List object, being sure to name it W0 (that's a zero, not an O.).
4. Open the properties of the W0 object and go to the Other tab.
5. Click the Add button and add an attribute named NDSPKI:SD Key Server DN. Using the Browse button, select the server you identified in step 1. This server will become your "W0 Server".
6. Proper rights must be granted to each server in the tree. The "W0 Server" (from step 5 above) must have write rights to the object, and all other servers must have read rights.

The server listed in the NDSPKI:SD Key Server DN attribute (the "W0 Server") needs two ACLs granted on the W0.KAP.Security object:

1) Trustee: the W0 Server; Attribute: [Entry Rights]; Privilege: Browse
2) Trustee: the W0 Server; Attribute: [All Attribute Rights]; Privileges: Compare, Read, Write, Self

Every other server in the tree needs two ACLs granted on the W0.KAP.Security object:

1) Trustee: the server; Attribute: [Entry Rights]; Privilege: Browse
2) Trustee: the server; Attribute: [All Attribute Rights]; Privilege: Read
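The rights requirement above, expressed as an offline audit check that is added here and is not part of this TID. It assumes eDirectory exposes ACLs over LDAP in the form privileges#scope#subjectname#protectedattrname with the bit values given in the code, and it runs against constructed sample ACL values with hypothetical server DNs (cn=CASRV, cn=SRV2 and cn=SRV3 under o=acme).

```python
# Added audit helper; not part of the TID. Assumes eDirectory exposes ACLs
# over LDAP as "privileges#scope#subjectname#protectedattrname" with the
# bit values below; confirm both against your eDirectory version.
ENTRY_BROWSE = 1                                             # [Entry Rights] bit
ATTR_COMPARE, ATTR_READ, ATTR_WRITE, ATTR_SELF = 1, 2, 4, 8  # attribute bits

# Rights the TID requires on W0.KAP.Security
W0_SERVER_ATTR = ATTR_COMPARE | ATTR_READ | ATTR_WRITE | ATTR_SELF
OTHER_SERVER_ATTR = ATTR_READ

def granted_rights(acl_values, subject):
    """OR together the entry and attribute bits granted directly to subject."""
    entry = attrs = 0
    for value in acl_values:
        priv, _scope, subj, attr = value.split("#", 3)
        if subj.lower() != subject.lower():
            continue
        if attr.lower() == "[entry rights]":
            entry |= int(priv)
        elif attr.lower() in ("[all attributes rights]", "[all attribute rights]"):
            attrs |= int(priv)
    return entry, attrs

def audit_w0(acl_values, w0_server_dn, other_server_dns):
    """Return a list of problems; an empty list means the ACLs match the TID."""
    problems = []
    entry, attrs = granted_rights(acl_values, w0_server_dn)
    if not entry & ENTRY_BROWSE:
        problems.append(f"{w0_server_dn}: missing Browse entry right")
    if (attrs & W0_SERVER_ATTR) != W0_SERVER_ATTR:
        problems.append(f"{w0_server_dn}: missing Compare/Read/Write/Self")
    for dn in other_server_dns:
        entry, attrs = granted_rights(acl_values, dn)
        if not entry & ENTRY_BROWSE:
            problems.append(f"{dn}: missing Browse entry right")
        if not attrs & OTHER_SERVER_ATTR:
            problems.append(f"{dn}: missing Read right")
    return problems

# Constructed sample values, as if read from the ACL attribute of W0.KAP.Security
SAMPLE_ACL = [
    "1#entry#cn=CASRV,o=acme#[Entry Rights]",
    "15#entry#cn=CASRV,o=acme#[All Attributes Rights]",
    "1#entry#cn=SRV2,o=acme#[Entry Rights]",
    "2#entry#cn=SRV2,o=acme#[All Attributes Rights]",
    "1#entry#cn=SRV3,o=acme#[Entry Rights]",   # SRV3 was never granted Read
]
```

Read the ACL attribute of W0.KAP.Security with any LDAP client and pass its values in place of SAMPLE_ACL; the W0 Server DN is the value of NDSPKI:SD Key Server DN.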

If you are concerned or have questions about any of the steps above, you should open a Service Request with Novell Technical Support to help you restore your Security Domain Infrastructure properly.

Additional Information

Formerly known as TID# 10053572