Environment
Novell eDirectory 8.8 SP7
Situation
When does the PKI Health Check code run?
A) When a server is booted.
B) When eDirectory loads (unload eDirectory and reload it).
C) When PKI loads (unload PKI and reload it).
PKI Health Check Steps:
Note: The PKI Health Check performs a series of checks, many of which were in the old PKIDiag utility. Steps 2-6 come from PKIDIAG.NLM.
1) Check if this server should be an SDI Key Server.
Note: This is not really a PKI function, but it will avoid most SDI (or Tree) key issues. It does this by causing all servers which hold a replica of the Security container to become SDI Master key servers. With more than one SDI master key server, removing a server from the tree will not cause a new SDI (or Tree) key to be created when a new server is added to the tree.
2) Verifying the Server's link to the SAS Service Object.
3) Verifying the SAS Service Object
4) Verifying the links to the KMOs
5) Verifying the KMOs
6) Reverifying the links to the KMOs
7) Create Default Certificates.
(This accomplishes what PKIDiag did, provided that the CA admin has enabled it.)
On NetWare only:
Checks the validity of RootCert.der in SYS:\Public.
On all platforms except NetWare:
Syncing of certificates for external services.
Checking validity of eDirectory CA certificates.
The capability to replace the default certificates is in the PKI code; however, a CA administrator must enable Server Self-Provisioning (the capability is not enabled by default). To enable Server Self-Provisioning, use iManager and administer the CA object.
If enabled, the PKI Health Check code will replace the certificates if they have expired or are about to expire (approximately 60 days before expiry).
This capability must be configured. In OES2, the install can configure it automatically. On all other platforms, it must be enabled via iManager.
9) Checks that the eDirectory CA certificate has been exported to the file system.
If the eDirectory CA has changed, it will re-export the certificate.
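The following is an added example, not Novell/NetIQ code and not part of this TID: a small DER walker that reads notBefore/notAfter from an X.509 certificate file such as RootCert.der and applies the same "expired, or within about 60 days of expiry" test that the health check uses when deciding whether a default certificate must be replaced. The sample certificate bytes are constructed inline with a tiny DER encoder (placeholder issuer, subject, key and signature) so the script runs offline; the function names, the 60-day constant and the sample data are assumptions for illustration, and no signature is verified.

```python
"""Added example: check an X.509 DER certificate's validity window the way the
PKI Health Check does (expired, or expiring within ~60 days => needs replacing).
Not Novell/NetIQ code; sample certificate is constructed inline."""
import datetime as dt

RENEW_WINDOW_DAYS = 60  # assumption: matches the "approx 60 days" in the TID


# --- minimal DER encoder, used only to build the constructed sample cert ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def utctime(t):
    return tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))  # UTCTime

SHA256_RSA = tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # OID 1.2.840.113549.1.1.11
RSA_KEY    = tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")  # OID 1.2.840.113549.1.1.1

def sample_cert(not_before, not_after):
    """Constructed Certificate with just enough structure for the validity walk."""
    tbs = seq(
        tlv(0xA0, tlv(0x02, b"\x02")),                 # [0] version v3
        tlv(0x02, b"\x01"),                             # serialNumber
        seq(SHA256_RSA, tlv(0x05, b"")),                # signature AlgorithmIdentifier
        seq(),                                          # issuer (placeholder, empty Name)
        seq(utctime(not_before), utctime(not_after)),   # validity
        seq(),                                          # subject (placeholder)
        seq(seq(RSA_KEY, tlv(0x05, b"")), tlv(0x03, b"\x00")),  # SPKI placeholder
    )
    return seq(tbs, seq(SHA256_RSA, tlv(0x05, b"")), tlv(0x03, b"\x00"))  # placeholder sig


# --- DER reader: this part works on a real RootCert.der as well ---
def der_children(buf):
    """Return [(tag, value), ...] for the TLVs inside a constructed DER value."""
    out, i = [], 0
    while i < len(buf):
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                                   # long-form length
            n = ln & 0x7F
            ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
        out.append((tag, buf[i:i + ln]))
        i += ln
    return out

def parse_time(tag, value):
    s = value.decode("ascii")
    if tag == 0x17:                                     # UTCTime YYMMDDHHMMSSZ
        t = dt.datetime.strptime(s, "%y%m%d%H%M%SZ")
    elif tag == 0x18:                                   # GeneralizedTime YYYYMMDDHHMMSSZ
        t = dt.datetime.strptime(s, "%Y%m%d%H%M%SZ")
    else:
        raise ValueError("unexpected time tag %#x" % tag)
    return t.replace(tzinfo=dt.timezone.utc)

def cert_validity(der):
    """Walk Certificate -> tbsCertificate -> validity and return (notBefore, notAfter)."""
    top = der_children(der)
    if len(top) != 1 or top[0][0] != 0x30:
        raise ValueError("not a single DER SEQUENCE (is the file PEM rather than DER?)")
    tbs_tag, tbs = der_children(top[0][1])[0]
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = der_children(tbs)
    if fields and fields[0][0] == 0xA0:                 # optional EXPLICIT [0] version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, spki, ...
    not_before, not_after = der_children(fields[3][1])
    return parse_time(*not_before), parse_time(*not_after)

def health_status(der, now=None, window_days=RENEW_WINDOW_DAYS):
    """'valid', 'expiring' (within window), 'expired' or 'not-yet-valid'."""
    now = now or dt.datetime.now(dt.timezone.utc)
    nb, na = cert_validity(der)
    if now < nb:
        return "not-yet-valid"
    if now >= na:
        return "expired"
    if na - now <= dt.timedelta(days=window_days):
        return "expiring"
    return "valid"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                               # e.g. python check.py RootCert.der
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], health_status(f.read()))
    else:
        now = dt.datetime.now(dt.timezone.utc)
        for days in (365, 30, -1):
            c = sample_cert(now - dt.timedelta(days=400), now + dt.timedelta(days=days))
            print("expires in %4d days -> %s" % (days, health_status(c, now)))
```

Run it against an exported RootCert.der to see whether the health check would treat the certificate as needing replacement; a PEM file will fail the first check, so convert it to DER first. The parser relies on the fixed field order of tbsCertificate rather than on a full ASN.1 library, which is enough for the validity window but is not a substitute for signature or chain verification.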