Talk:Recreating Server Certificates on OES Linux

From MicroFocusInternationalWiki

IP Address Change

Q: I did change the IP on my server because of a business requirement, but then my iFolder3, Netstorage, and Virtual Office won't work anymore. I've followed this procedure but I can't get those services working. Is this procedure applicable to solve my problem? Or is this not enough, and I need to do additional configuration that I have no idea about? Please help me.

A: I suggest you ask in the Novell Forums if you have a specific situation. This procedure only fixes SSL certificates; these products should still work (but possibly present warnings) if you change a server's IP address, unless you bound the services to a particular IP address.

IP Address Change Follow-Up

Q: I'm sure many newbies like me will very much appreciate it if you can also create a cool solution regarding an OES Linux server that needs to be reconfigured for a new IP address.

Thank you very much in advance and more power!

A: I'll put it on my Todo list, no guarantees though. In the meantime, you may want to look at TID 10097192.

R: THANKS! I already did TID 10097192 long before, on my first try, but it didn't help, which might be due to vague instructions. I'll wait for your cool solution regarding my request. More power!

Certificate Hierarchy / Path

Q: Hi, done this a few times on a number of servers and found it really useful. I've used both C1 and iManager to create the certificate and to export it. I have enabled the certs to be used with both Apache and NRM. I have noticed though that when you access the site, the Certificate Hierarchy / Path is missing in both IE and Firefox, whereas it always shows the Organization CA as the trusted root for NetWare servers. Am I missing something, or is this a quirk of the methodology?


Q: We just migrated our NW 6.5 GroupWise server to OES Linux. It went this way:

NetWare server's original IP address 10.1.0.8

Linux server's original IP address 10.1.100.8

After the migration, we wanted the Linux server to have the NW server's original IP address because all the clients, firewalls, spamassassin, etc. pointed to it, so we changed them thus:

NetWare server's new IP address 10.1.200.8

Linux server's new IP address 10.1.0.8

I discovered that I could not run either NoRM or iManager from the Linux server. This error always appears:

You have received an invalid certificate. . . .. .. Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number.

No doubt switching the IP addresses caused some confusion regarding who was supposed to have which certificate. In researching this, I came upon this Cool Solution and attempted to go through it. However, I immediately hit a problem. When I run ndsconfig update, everything looks normal till it gets to the end. Here is the last thing written to the screen before it returns to the command prompt:

Novell eDirectory LDAP Server TCP port is not listening.
Novell eDirectory LDAP Server TLS port is not listening.

No eDirectory certs are created. Now, this Linux server has a replica on it, but it is not running any LDAP server, as none was installed by default and I have not read anything so far that encouraged me to install one. Is that what I am lacking here?

Richard White Mason County, Washington

New Server in Existing Tree

Bypassed certificate creation by YaST during install. iManager was not working. Located two articles: TID 3911570 and then this link at coolsolutions. I was able to get things to work following this procedure. However, the TID outlines the process to create the root certificate that is local to the server rather than from eDir. Any comments on the relationship between these two?


Updating NoRM Certificate

After following faithfully, Apache, etc. worked, but NoRM still errored out with the old cert.

Steps to correct:

cp serverkey.pem /etc/opt/novell/httpstkd/server.key

cp servercert.pem /etc/opt/novell/httpstkd/server.pem

/etc/init.d/novell-httpstkd restart

joe a - anonymous location.



Actually, if this is the case, you have missing links in /etc/opt/novell/httpstkd/

Rather than maintaining 2 different locations, I suggest you do the following:

ln -s /etc/ssl/servercerts/servercert.pem /etc/opt/novell/httpstkd/server.pem

ln -s /etc/ssl/servercerts/serverkey.pem /etc/opt/novell/httpstkd/server.key

You will still have to restart your service httpstkd.

Hence, the next time you create a new certificate & key, they will automatically be updated for NoRM.

Joffrey Bienvenue, Montreal
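
The copy-versus-symlink question in the two posts above can be audited with a short script. This is an added example, not part of the original discussion: the function names and status strings are invented here, the two directories are the ones quoted in the thread (overridable for testing), and the check that the key is not group- or world-readable is an extra assumption about what you want flagged.

```shell
#!/bin/sh
# Added example: report whether NoRM (httpstkd) uses the shared server
# certificate and key, or a separate copy that can go stale.
SRC_DIR=${SRC_DIR:-/etc/ssl/servercerts}        # path quoted in the thread
NORM_DIR=${NORM_DIR:-/etc/opt/novell/httpstkd}  # path quoted in the thread

# check_pair SRC DST: print one status line; return 0 only when DST is a
# symlink that resolves to SRC.
check_pair() {
    src=$1 dst=$2
    if [ ! -e "$src" ]; then echo "MISSING-SOURCE $src"; return 3; fi
    if [ -L "$dst" ]; then
        if [ "$(readlink -f "$dst")" = "$(readlink -f "$src")" ]; then
            echo "LINKED $dst"; return 0
        fi
        echo "WRONG-TARGET $dst"; return 2
    fi
    if [ ! -e "$dst" ]; then echo "MISSING $dst"; return 2; fi
    # A regular file: a copy that is current today but will not follow renewals.
    if cmp -s "$src" "$dst"; then echo "COPY-IN-SYNC $dst"; return 1; fi
    echo "STALE-COPY $dst"; return 2
}

# key_exposed FILE: true when the key (symlinks followed) is readable by
# group or others.
key_exposed() {
    [ -n "$(find -L "$1" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# audit_norm: check both files; return 0 only when everything is linked
# and the key is private.
audit_norm() {
    rc=0
    check_pair "$SRC_DIR/servercert.pem" "$NORM_DIR/server.pem" || rc=1
    check_pair "$SRC_DIR/serverkey.pem" "$NORM_DIR/server.key" || rc=1
    if key_exposed "$NORM_DIR/server.key"; then
        echo "KEY-READABLE-BY-OTHERS $NORM_DIR/server.key"; rc=1
    fi
    return $rc
}

if [ "${1:-}" = "--run" ]; then audit_norm; fi
```

Run it with `--run` after recreating certificates; any line other than LINKED means httpstkd may still be serving the old certificate after its restart.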

Name Change on SLES

I have a SLES server that I deployed from a template so there is a name mismatch. I'm trying to configure it as an SMT update server and the clients complain about the names not matching. I'm guessing I need to update the /etc/ssl/servercerts/ but not quite sure how to proceed.

Thanks,

David Brown

Request new Default Certificates with ndsconfig upgrade

Requesting new Default Certificates by issuing the command "ndsconfig upgrade" can output an error with the SAS Object not finding the Key Material Attribute. For this error, you have to use the Novell Certificate Server Plugin within iManager.

Reason:

Within the SAS Service Object there is an Attribute called NDSPKI:Key Material DN referring to the Certificate just deleted. Therefore the ndsconfig upgrade process will fail.

Holger Strickling, Germany


Deleting existing SSL Certificates

Are we talking just the certs within eDir (i.e. through ConsoleOne) and/or all the files listed on the SLES server? This should be made clearer. Now that I've run through this for the first time, it appears that the process only needs the certs within eDir to be cleaned out, as the rest get properly overwritten. Now we just need a pointer to how to make longer-lived certs vs. the default 2 years that we get in this process.