agorian Respected Contributor.

How to recreate EBA CA?

Hi all,

I've got a DIB clone from another environment and am trying to recreate a new one. Both are 9.1.4.1 on SLES 12 SP4. The new server has the same name as the target server specified.

So I copied the NICI folder and the DIB, deleted all server objects, and recreated the CA (from cn=security), but I'm unable to execute the ndsconfig upgrade:


AH-VL-AP-099:~ # ndsconfig upgrade --configure-eba-now yes

[1] Instance at /etc/opt/novell/eDirectory/conf/nds.conf:  AH-VL-AP-099.OU=CS03.OU=Servers.OU=Sistema.O=acme.ACME-TREE

Upgrading NetIQ eDirectory server with the following parameters, Please wait...
  Tree Name             : ACME-TREE
  Server DN             : AH-VL-AP-099.OU=CS03.OU=Servers.OU=Sistema.O=acme

  Configuration File    : /etc/opt/novell/eDirectory/conf/nds.conf
  Instance Location     : /var/opt/novell/eDirectory/data
  DIB Location          : /var/opt/novell/eDirectory/data/dib

/var/opt/novell/eDirectory/data/nds-http
Current env file will be backed-up in format env.current_date, any customizations done to env file need to be copied back to new env file from backed-up file.

Checking if server is ready to service requests... Done
Enter admin name with context[admin.org]:admin.Servers.Sistema.acme
Enter the password for admin.Servers.Sistema.acme:

Performing eDirectory health check...
ERROR -625: Login failed for user "admin.Servers.Sistema.acme.ACME-TREE"

With DISABLE_EBA=true:

AH-VL-AP-099:~ # ndsconfig upgrade --configure-eba-now yes

[1] Instance at /etc/opt/novell/eDirectory/conf/nds.conf:  AH-VL-AP-099.OU=CS03.OU=Servers.OU=Sistema.O=acme.ACME-TREE

Upgrading NetIQ eDirectory server with the following parameters, Please wait...
  Tree Name             : ACME-TREE
  Server DN             : AH-VL-AP-099.OU=CS03.OU=Servers.OU=Sistema.O=acme

  Configuration File    : /etc/opt/novell/eDirectory/conf/nds.conf
  Instance Location     : /var/opt/novell/eDirectory/data
  DIB Location          : /var/opt/novell/eDirectory/data/dib

/var/opt/novell/eDirectory/data/nds-http
Current env file will be backed-up in format env.current_date, any customizations done to env file need to be copied back to new env file from backed-up file.

Checking if server is ready to service requests... Done
Enter admin name with context[admin.org]:admin.Servers.Sistema.acme
Enter the password for admin.Servers.Sistema.acme:

Performing eDirectory health check... Done
For more details view health check logfile: /var/opt/novell/eDirectory/log/ndscheck.log

Extending schema... Done
For more details view schema extension logfile: /var/opt/novell/eDirectory/log/schema.log

Getting updated schema err=-634.
Configuring EBA... Failed

The instance at /etc/opt/novell/eDirectory/conf/nds.conf is upgraded successfully.

ERROR: ndsconfig return value = 105.

Unable to move the EBACA to this server (of course, the EBACA host server no longer exists):

AH-VL-AP-099:~ # ndstrace -c "config ebassl_srv seize_ebaca"

[1] Instance at /etc/opt/novell/eDirectory/conf/nds.conf:  AH-VL-AP-099.OU=CS03.OU=Servers.OU=Sistema.O=acme.ACME-TREE
err=-2201

I'm unable to make the new server root either (from ndsrepair -P -Ad):

WARNING: Be sure you are doing the right thing.
This option will designate this server as the new master replica.
Type in the words 'I Agree':
I Agree
Administrator name: admin.Servers.Sistema.acme
Password:
 Logging In To Server
Please Wait...

Preparing Log File "/var/opt/novell/eDirectory/log/ndsrepair.log"
Please Wait...
Start:  Thursday, December 05, 2019 15:59:13 Local Time

Getting EBA status of server failed with error: -2209
ERROR: Operation not successful. Error: -2209
Finish:  Thursday, December 05, 2019 15:59:13 Local Time

      Total errors: 0
NDSRepair process completed.

In iManager I get a -625 error.

In ndsd.log I frequently get "ERROR: Download of EBACA certificate failed".

I executed ndsconfig -U but found nothing relevant there.

Is there anything to do?

Knowledge Partner
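An added example (not code from the original post or from NetIQ) of a check a practitioner would want after seeing the second run above: ndsconfig prints "upgraded successfully" even though "Configuring EBA... Failed" and "ndsconfig return value = 105" appear a few lines apart, so an automated rollout must not grep for the success line alone. The script assumes the ndsconfig output was captured to a file (for example with tee); the failing sample is the poster's own output, abridged, and the "clean run" sample is an assumption about what a successful run prints.

```shell
#!/bin/sh
# Added example, not from the original post: triage captured "ndsconfig upgrade"
# output instead of trusting the "upgraded successfully" line.
# Assumed usage:  ndsconfig upgrade --configure-eba-now yes 2>&1 | tee /tmp/ndsconfig.out
#                 eba_upgrade_verdict /tmp/ndsconfig.out

# Constructed sample 1: the failing run pasted in the post (abridged).
SAMPLE_FAILED='Performing eDirectory health check... Done
Extending schema... Done
Getting updated schema err=-634.
Configuring EBA... Failed
The instance at /etc/opt/novell/eDirectory/conf/nds.conf is upgraded successfully.
ERROR: ndsconfig return value = 105.'

# Constructed sample 2: an ASSUMED clean run (no "return value" line, EBA step Done).
SAMPLE_OK='Performing eDirectory health check... Done
Extending schema... Done
Configuring EBA... Done
The instance at /etc/opt/novell/eDirectory/conf/nds.conf is upgraded successfully.'

# Print every eDirectory error code (err=-NNN or "ERROR -NNN") found in FILE,
# one per line, deduplicated. Empty output means no codes were seen.
ndsconfig_error_codes() {
    grep -o -E '(err=|ERROR )-[0-9]+' "$1" | grep -o -E -- '-[0-9]+' | sort -u
}

# Print the "ndsconfig return value" reported in FILE, or 0 if none was printed.
ndsconfig_return_value() {
    rv=$(sed -n 's/.*ndsconfig return value = \([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    echo "${rv:-0}"
}

# Return 0 only if the EBA step did not fail and ndsconfig reported no non-zero
# return value; "upgraded successfully" on its own is deliberately not trusted.
eba_upgrade_verdict() {
    file="$1"
    status=0
    if grep -q 'Configuring EBA\.\.\. Failed' "$file"; then
        echo "EBA configuration FAILED (the later 'upgraded successfully' line does not cover it)"
        status=1
    fi
    rv=$(ndsconfig_return_value "$file")
    if [ "$rv" -ne 0 ]; then
        echo "ndsconfig return value = $rv"
        status=1
    fi
    codes=$(ndsconfig_error_codes "$file")
    if [ -n "$codes" ]; then
        echo "error codes seen: $(echo "$codes" | tr '\n' ' ')"
    fi
    if [ "$status" -eq 0 ]; then
        echo "upgrade and EBA configuration OK"
    fi
    return "$status"
}

# Demo on the two constructed samples.
tmp_failed=$(mktemp); printf '%s\n' "$SAMPLE_FAILED" > "$tmp_failed"
tmp_ok=$(mktemp);     printf '%s\n' "$SAMPLE_OK"     > "$tmp_ok"
for f in "$tmp_failed" "$tmp_ok"; do
    if eba_upgrade_verdict "$f"; then echo "-> verdict: pass"; else echo "-> verdict: fail"; fi
done
rm -f "$tmp_failed" "$tmp_ok"
```

The return value and the per-step "Failed" marker are checked independently because the post shows them disagreeing with the summary line; the collected error codes are only reported, since the page gives no documented meaning for -2201/-2209 that a script could act on.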

Re: How to recreate EBA CA?

Short version: You can't. You'll have to open an SR and get support to remove EBA with ndsdump. There is no other way out.

Longer version: I tangled with EBA, and wrote up what I was able to find here:

https://community.microfocus.com/t5/eDirectory-Tips-Information/An-incomplete-look-at-Enhanced-Background-Authentication/ta-p/1771695

It seems to be very secure, but there are no tools to manage it. So, when it fails, you're stuck. I cannot currently recommend enabling this feature. Maybe if enough people contact support with b0rked trees because EBA has failed, we'll see some enhancements for repairing it and managing it.
