
PKIHealthCheck 64 bit eDirectory incorrectly reporting server does not have any SDI keys

I suspect this is a bug related to filesystem redirection and x64; can
anyone confirm this? Have seen this at two customers running x64 eDirectory.

Scenario:
eDirectory tree with two servers (one 32-bit, the other 64-bit - both
running on Windows)

DNs to both servers are listed in the W0 object

Problem:
PKIHealthCheck doesn't show that the 64-bit eDirectory server is properly
configured as an SDI Key Server.

----------
PKIHealthCheck log file on x64 server shows:

Step 0 Check if this server should be an SDI Key Server.
Testing for keyfile -- C:\Windows\system32\novell\nici\nicisdi.key.
This server does not have any SDI keys on it.
Step 0 succeeded.

The real path to this file is C:\WINDOWS\syswow64\novel\nici\nicisdi.key
(however it seems that PKIHealthCheck is running as a 64 bit process and
doesn't get redirected to syswow64 like a 32 bit process would when
requesting system32)

PKIHealthCheck log file on x86 server is OK:
Step 0 Check if this server should be an SDI Key Server.
Testing for keyfile -- C:\WINDOWS\system32\novell\nici\nicisdi.key.
keyfile size 247.
This server is already in the list.
Step 0 succeeded.

-

SDIDiag check was OK

SDIDIAG> check
*** [Key Consistency Check - BEGIN] ***
[Checking SDI Domain]
SDI Check Domain Configuration...
SDI Domain Key Server
..x64SERVER-NDS.Servers.Services.ACME.IDV-TREE.
- Configuration is good.
SDI Domain Key Server
..x86SERVER-NDS.Servers.Services.ACME.IDV-TREE.
- Configuration is good.
*** SDI Check Domain Configuration is [GOOD]
SDI Check Domain Keys...
SDI Domain Key Server
..x86SERVER-NDS.Servers.Services.ACME.IDV-TREE.
- Keys are good.
SDI Domain Key Server
..x64SERVER-NDS.Servers.Services.ACME.IDV-TREE.
- Keys are good.
*** SDI Check Domain Keys are [GOOD]

[Checking SDI Domain: GOOD]

*** No Problems Found ***
Alex McHugh - Knowledge Partner - Stavanger, Norway
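
Added example (not part of the original post and not Novell's code): a small Python audit that reads Step 0 of a PKIHealth.log, maps the tested System32 path to the SysWOW64 location a 32-bit process would be redirected to, and flags a "no SDI keys" result as a suspected false negative when the key file exists only in the redirected location. The function names, the `exists` callback and the constructed file list are assumptions for illustration; the log text is the Step 0 output quoted above.

```python
import os
import re
from pathlib import PureWindowsPath

KEYFILE_RE = re.compile(r"Testing for keyfile -- (?P<path>.+?)\.\s*$", re.M)
NO_KEYS = "This server does not have any SDI keys on it."

def wow64_view(path):
    """Where a 32-bit process lands when it opens `path` on x64 Windows.

    Assumes the system directory is <drive>:\\Windows\\System32 and ignores
    the few subdirectories Windows exempts from redirection."""
    parts = PureWindowsPath(path).parts
    if len(parts) >= 3 and (parts[1].lower(), parts[2].lower()) == ("windows", "system32"):
        return str(PureWindowsPath(parts[0], parts[1], "SysWOW64", *parts[3:]))
    return None  # not under System32, so no redirection applies

def audit_step0(log_text, exists=os.path.exists):
    """Return one finding per keyfile test found in the log text."""
    findings = []
    for m in KEYFILE_RE.finditer(log_text):
        tested = m.group("path")
        # The verdict is the first non-empty line after the "Testing for" line.
        tail = log_text[m.end():].lstrip().splitlines()
        missing = bool(tail) and tail[0].strip() == NO_KEYS
        alt = wow64_view(tested)
        # Suspect: the native path is empty, but the redirected path holds the key.
        suspect = missing and alt is not None and exists(alt) and not exists(tested)
        findings.append({"tested": tested, "wow64_path": alt,
                         "reported_missing": missing,
                         "suspect_false_negative": suspect})
    return findings

# Step 0 output as quoted in the post for the x64 server.
SAMPLE_LOG = r"""Step 0 Check if this server should be an SDI Key Server.
Testing for keyfile -- C:\Windows\system32\novell\nici\nicisdi.key.
This server does not have any SDI keys on it.
Step 0 succeeded.
"""

# Constructed stand-in for the x64 server's disk: the key exists only under SysWOW64.
PRESENT = {r"c:\windows\syswow64\novell\nici\nicisdi.key"}

def fake_exists(path):
    return path.lower() in PRESENT

if __name__ == "__main__":
    for finding in audit_step0(SAMPLE_LOG, fake_exists):
        print(finding)
```

Run on the server itself from a 64-bit Python with the default `exists`, the same function checks the real disk instead of the constructed list.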

Re: PKIHealthCheck 64 bit eDirectory incorrectly reporting server does not have any SDI keys

On Tue, 17 Apr 2012 07:09:23 +0000, Alex McHugh wrote:

> I suspect this is a bug related to filesystem redirection and x64; can
> anyone confirm this?


How are you getting to this PKI health check? I have Win64/eDir here, but
haven't had to do anything with PKI on it.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.novell.com

Please post questions in the forums. No support provided via email.


Re: PKIHealthCheck 64 bit eDirectory incorrectly reporting server does not have any SDI keys

On 19.04.2012 16:30, David Gersic wrote:
> On Tue, 17 Apr 2012 07:09:23 +0000, Alex McHugh wrote:
>
>> I suspect this is a bug related to filesystem redirection and x64; can
>> anyone confirm this?

>
> How are you getting to this PKI health check? I have Win64/eDir here, but
> haven't had to do anything with PKI on it.


This check is performed automatically (on server restart/eDirectory
startup/after DSRepair) see -
http://www.novell.com/documentation/crt33/crtadmin/data/b9zmjmu.html for
more details.

The log file generated by this automatic check is located at
c:\Novell\NDS\DIBFiles\CertServ\PKIHealth.log
Alex McHugh - Knowledge Partner - Stavanger, Norway

Re: PKIHealthCheck 64 bit eDirectory incorrectly reporting server does not have any SDI keys

On Thu, 19 Apr 2012 19:22:32 +0000, Alex McHugh wrote:

> On 19.04.2012 16:30, David Gersic wrote:
>> On Tue, 17 Apr 2012 07:09:23 +0000, Alex McHugh wrote:
>>
>>> I suspect this is a bug related to filesystem redirection and x64;
>>> can anyone confirm this?

>>
>> How are you getting to this PKI health check? I have Win64/eDir here,
>> but haven't had to do anything with PKI on it.

>
> This check is performed automatically (on server restart/eDirectory
> startup/after DSRepair) see -


Oh, yeah, that. Ok...


> The log file generated by this automatic check is located at
> c:\Novell\NDS\DIBFiles\CertServ\PKIHealth.log


Yeah, I see the same thing here:

_____________________________________________________________________________

PKIHealthCheck -- PKI Server is version 3.34
Compiled Apr 23 2010 at 12:46:31
Run at: Thu Mar 29 08:10:17 2012
_____________________________________________________________________________

Organiztional CA DN: NIU-FLAT CA.Security
Organiztional CA host server: NIUSYNC3-NDS.Servers.NIU

Step 0 Check if this server should be an SDI Key Server.
Testing for keyfile -- C:\Windows\system32\novell\nici\nicisdi.key.
This server does not have any SDI keys on it.
Step 0 succeeded.


IMHO, it's a bug. I'll see if Aaron agrees.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.novell.com

Please post questions in the forums. No support provided via email.


Re: PKIHealthCheck 64 bit eDirectory incorrectly reporting server does not have any SDI keys

On 20.04.2012 16:00, David Gersic wrote:
> Yeah, I see the same thing here:
>
> _____________________________________________________________________________
>
> PKIHealthCheck -- PKI Server is version 3.34
> Compiled Apr 23 2010 at 12:46:31
> Run at: Thu Mar 29 08:10:17 2012
> _____________________________________________________________________________
>
> Organiztional CA DN: NIU-FLAT CA.Security
> Organiztional CA host server: NIUSYNC3-NDS.Servers.NIU
>
> Step 0 Check if this server should be an SDI Key Server.
> Testing for keyfile -- C:\Windows\system32\novell\nici\nicisdi.key.
> This server does not have any SDI keys on it.
> Step 0 succeeded.
>
>
> IMHO, it's a bug. I'll see if Aaron agrees.


It'd be great if someone could log this as a bug.
I would have logged it as a bug in bugzilla myself but I can't find any
eDirectory/PKI/Certificate services type categories to log this under.

I have reported it via
http://support.novell.com/additional/bugreport.html - but have no idea
if that reporting channel is actively monitored at all.
Alex McHugh - Knowledge Partner - Stavanger, Norway

Re: PKIHealthCheck 64 bit eDirectory incorrectly reporting server does not have any SDI keys

On Mon, 23 Apr 2012 06:42:42 +0000, Alex McHugh wrote:

> It'd be great if someone could log this as a bug.


Done: https://bugzilla.novell.com/show_bug.cgi?id=758538


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.novell.com

Please post questions in the forums. No support provided via email.
