NetWare servers are still running in customer data centers. They usually need minimal maintenance, so people forget to watch for expiring certificates, and one day some services simply stop working.
While there are a few tools for finding expiring certificates, they have drawbacks in a pure-NetWare environment:
On the other hand, Novell NetWare has rich scripting capabilities that make it self-sufficient for routine task automation.
A simple script (ncert.zip) runs on the NetWare server and checks the existing certificates. It can be started manually from the server console or by the scheduler you prefer (NRM, cron). The solution consists of two interacting parts: NCF and Bash. The NCF part, using conditional scripting, sets the configuration variables and runs the LDAP query through ICE; the Bash part is called from within the NCF script to parse the ICE output.
For mail notification, the “SMTP Mail Sender (c)2005 Looney Enterprises” tool is used (see https://www.novell.com/coolsolutions/tools/14317.html).
Expired certificates are listed in the output file sys:/var/lib/ncert/ncert.exp.
Certificates expiring soon are listed in the output file sys:/var/lib/ncert/ncert.soo.
Also, those certificates are listed on the server console.
If you have CONLOG.NLM loaded, notifications about expired certificates are logged into the file sys:/etc/console.log.
Besides that, a mail notification is sent.
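The parsing step described above, as an added example (this is not the Bash half of ncert, and the ncert.zip script itself is not reproduced here): LDIF output of the kind ICE writes is unfolded, one expiry attribute is read per entry, and each entry is written to an "expired" or an "expiring soon" file. Everything here is an assumption of the example rather than something the page states: the attribute name certExpiry is a placeholder (set EXPIRY_ATTR to whatever attribute your LDAP query returns), the expiry value is assumed to be LDAP GeneralizedTime (YYYYMMDDHHMMSSZ), the sample LDIF is constructed, and the check_now helper relies on GNU date for the "+N days" arithmetic.

```shell
# Added example, not the ncert script from the page.
# Sorts LDAP-exported certificate entries into "expired" and "expiring soon".

EXPIRY_ATTR="${EXPIRY_ATTR:-certExpiry}"   # placeholder attribute name (assumption)

# unfold_ldif FILE: LDIF wraps long values onto lines that begin with one
# space; join those back, drop comments, keep the blank entry separators.
unfold_ldif() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
        /^#/  { next }
        /^$/  { if (buf != "") print buf; buf = ""; print ""; next }
              { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    ' "$1"
}

# record_entry DN EXPIRY NOW WARN_UNTIL EXPFILE SOONFILE
# GeneralizedTime is fixed-width and zero-padded, so a plain string
# comparison orders timestamps chronologically: no date arithmetic needed.
record_entry() {
    [ -n "$1" ] && [ -n "$2" ] || return 0
    if expr "$2" \< "$3" >/dev/null; then
        printf '%s\t%s\n' "$1" "$2" >> "$5"      # already expired
    elif expr "$2" \< "$4" >/dev/null; then
        printf '%s\t%s\n' "$1" "$2" >> "$6"      # expires before WARN_UNTIL
    fi
}

# classify_certs FILE NOW WARN_UNTIL EXPFILE SOONFILE
# Walks the unfolded LDIF entry by entry; writes "dn<TAB>expiry" lines.
classify_certs() {
    : > "$4"; : > "$5"
    unfold_ldif "$1" | {
        dn=""; expiry=""
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in
                "dn:"*)            dn=${line#dn:}; dn=${dn# } ;;
                "$EXPIRY_ATTR:"*)  expiry=${line#*:}; expiry=${expiry# } ;;
                "")                record_entry "$dn" "$expiry" "$2" "$3" "$4" "$5"
                                   dn=""; expiry="" ;;
            esac
        done
        record_entry "$dn" "$expiry" "$2" "$3" "$4" "$5"   # last entry (no trailing blank line)
    }
}

# count_lines FILE: number of entries recorded in FILE
count_lines() { wc -l < "$1" | tr -d ' '; }

# check_now FILE DAYS EXPFILE SOONFILE: same check against the real clock.
# Assumes GNU date (-d); NetWare's bash may need another way to get WARN_UNTIL.
check_now() {
    now=$(date -u +%Y%m%d%H%M%SZ)
    warn_until=$(date -u -d "+$2 days" +%Y%m%d%H%M%SZ)
    classify_certs "$1" "$now" "$warn_until" "$3" "$4"
}

# write_sample_ldif FILE: constructed sample in the shape ICE emits; DNs,
# attribute and dates are made up for this example. The second entry has
# its value folded over two lines to exercise unfold_ldif.
write_sample_ldif() {
    cat > "$1" <<'EOF'
version: 1
# constructed sample, not output from a real server
dn: cn=SSL CertificateDNS - SRV1,ou=srv,o=org
objectClass: top
certExpiry: 20230115120000Z

dn: cn=SSL CertificateIP - SRV1,ou=srv,o=org
certExpiry: 20240620
 083000Z

dn: cn=SSL CertificateDNS - SRV2,ou=srv,o=org
certExpiry: 20301231235959Z
EOF
}
```

Run it with `write_sample_ldif ice.ldif; classify_certs ice.ldif 20240101000000Z 20240801000000Z ncert.exp ncert.soo` and the first DN lands in ncert.exp, the second (whose folded value is 20240620083000Z) in ncert.soo, and the third in neither. Passing NOW and WARN_UNTIL as parameters keeps the classification itself free of any date library, which is the part most likely to differ between NetWare's bash and a Linux box.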
Configuration variables are set in the file ncert.ncf; their meaning is self-explanatory.
The variables are set only once, at the first start of the NCF file after server bootup. So if you change a setting in ncert.ncf, you need to clear the changed variable with a console command so that the new value takes effect:
Also, for troubleshooting, you can change a configuration variable directly in server memory and then check its value:
The default trustee rights ([All Attributes Rights]=Compare,Read; [Entry Rights]=Browse) are enough for this script to work. It is a good idea to create a dedicated account for the LDAP search and restrict its rights to the container that holds the server certificate objects. In addition, you can allow that account to log in only from a specified IP address (the IP address of the NetWare server).
Ensure that only administrators have access to the directory sys:/usr/lib/ncert/, since the configuration file there holds the settings of the LDAP search account.
The last characters of long NetWare environment values (longer than about 20 characters) can be lost or corrupted when the value is set (e.g. instead of “cn=nldap,ou=srv,o=org” the variable might end up as “cn=nldap,ou=srv,o=or”, “cn=nldap,ou=srv,o=or%!” or something else). That is why some settings in ncert.ncf are split into two parts (%nLDAPusr and %nLDAPctx, %nToBox and %nToDom).
Issue: the NetWare server console prompt disappears.
Quick fix: pressing Enter brings the console prompt back.
Long-term fix: use the NRM scheduler.
Issue: the script output appears on the Logger Screen instead of the System Console.
Fix: use the NRM scheduler.