PKI Health Check

  • 7000654
  • 11-Jun-2008
  • 13-Feb-2017

Environment

Novell eDirectory 8.8 SP7

Situation

When does the PKI Health Check code run?
A) When a server is booted.
B) When eDirectory loads (unload eDirectory and reload it).
C) When PKI loads (unload PKI and reload it).


PKI Health Check Steps:

Note: The PKI Health Check performs a series of checks, many of which were in the old PKIDiag utility. Steps 2-6 come from the PKIDIAG.NLM.

1) Check if this server should be an SDI Key Server.

Note: This is not really a PKI function, but it avoids most SDI (or Tree) key issues. It does this by making every server that holds a replica of the Security container an SDI master key server. With more than one SDI master key server, removing a server from the tree will not cause a new SDI (or Tree) key to be created when a new server is added to the tree.

2) Verifying the Server's link to the SAS Service Object.

3) Verifying the SAS Service Object

4) Verifying the links to the KMOs

5) Verifying the KMOs

6) Reverifying the links to the KMOs

7) Create Default Certificates.

(This accomplishes what PKIDiag did, provided that the CA admin had enabled it.)

On NetWare only:
Checks the validity of RootCert.der in SYS:\Public

On all platforms except NetWare:
Syncing of certificates for external services
Checking validity of eDirectory CA certificates

The capability to replace the default certificates is in the PKI code; however, a CA administrator must enable Server Self-Provisioning (the capability is not enabled by default). To enable Server Self-Provisioning, use iManager and administer the CA object.
If enabled, the PKI Health Check code replaces the certificates if they have expired or are about to expire (within approximately 60 days).


8) On all platforms, except NetWare, provide a mechanism to export certificates from eDirectory to the file system in a format which Tomcat or Apache can use.

This capability must be configured. On OES2, the install can configure it automatically. On all other platforms, it must be enabled via iManager.

9) Checks that the eDirectory CA certificate has been exported to the file system.

If the eDirectory CA has changed, it will re-export the certificate.
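Because the health check only runs when eDirectory or PKI loads, an administrator who wants to catch the conditions behind steps 7 and 9 between reloads (a server certificate inside the renewal window, or an on-disk CA copy that no longer matches the directory CA) needs an independent check of the exported PEM/DER files. The following is an added example written for this page, not Novell code and not the PKI Health Check's own logic: it walks the DER structure of a certificate with the standard library to read notBefore/notAfter, applies the 60-day window the page describes, and compares SHA-256 fingerprints of the exported CA copy and the directory copy. The 60-day window, the "today" value and the certificate fixtures are constructed assumptions; the fixtures are unsigned skeletons that follow real X.509 field order so the parser works unchanged on genuine exported certificates.

```python
"""Added example (not from the TID): inspect exported eDirectory
certificates for the conditions the PKI Health Check acts on.
Standard library only; certificate bytes below are constructed fixtures."""
import base64
import hashlib
import re
from datetime import datetime, timedelta, timezone

RENEW_WINDOW_DAYS = 60                                  # page: "approx 60 days"
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)         # constructed "today"


def _tlv(data, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                     # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(data, start, end):
    """Yield the TLVs contained in a constructed DER value."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(data, pos)
        yield tag, vs, ve
        pos = ve


def _parse_time(tag, raw):
    """UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def pem_to_der(blob):
    """Accept PEM (the form Tomcat/Apache read) or raw DER; return DER bytes."""
    if blob.lstrip().startswith(b"-----BEGIN"):
        return base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", blob))
    return blob


def certificate_validity(blob):
    """Return (not_before, not_after) by walking Certificate -> tbsCertificate -> validity."""
    der = pem_to_der(blob)
    _, tbs_start, tbs_end = _tlv(der, _tlv(der, 0)[1])   # outer SEQ -> tbs SEQ
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                               # optional [0] EXPLICIT version
        fields = fields[1:]
    _, v_start, v_end = fields[3]     # serialNumber, signature, issuer, validity, ...
    times = [_parse_time(t, der[s:e]) for t, s, e in _children(der, v_start, v_end)]
    return times[0], times[1]


def renewal_action(not_after, now=None, window_days=RENEW_WINDOW_DAYS):
    """Step 7 decision: 'expired', 'renew' (inside the window) or 'ok'."""
    now = now or datetime.now(timezone.utc)
    if now >= not_after:
        return "expired"
    if now + timedelta(days=window_days) >= not_after:
        return "renew"
    return "ok"


def exported_ca_is_current(exported_blob, directory_blob):
    """Step 9 decision: the on-disk CA copy must match the CA held in the directory."""
    digest = lambda b: hashlib.sha256(pem_to_der(b)).hexdigest()
    return digest(exported_blob) == digest(directory_blob)


# --- constructed fixtures (no signature, no real key; structure only) ---------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def make_fixture_cert(not_before, not_after, cn=b"Constructed CA"):
    """Constructed PEM certificate skeleton with genuine X.509 field order."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn))))
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg + name
               + _der(0x30, utc(not_before) + utc(not_after)) + name + _der(0x30, b""))
    der = _der(0x30, tbs + sig_alg + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


def demo():
    """Run both checks over constructed certificates; returns a summary dict."""
    fresh = make_fixture_cert(NOW - timedelta(days=30), NOW + timedelta(days=365))
    soon = make_fixture_cert(NOW - timedelta(days=700), NOW + timedelta(days=30))
    dead = make_fixture_cert(NOW - timedelta(days=800), NOW - timedelta(days=1))
    out = {n: renewal_action(certificate_validity(p)[1], NOW)
           for n, p in (("fresh", fresh), ("soon", soon), ("dead", dead))}
    out["ca_current"] = exported_ca_is_current(fresh, fresh)
    out["ca_changed"] = not exported_ca_is_current(fresh, soon)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

To use it on a real server, read the files the health check exports for Tomcat or Apache and pass their bytes to `certificate_validity` and `exported_ca_is_current`; a result of "renew" or "expired", or a CA mismatch, means the conditions of steps 7 and 9 already hold and will only be acted on at the next eDirectory or PKI load (or need manual attention if Server Self-Provisioning is not enabled).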