Novell Cool Solutions: Feature
By Aaron Burgemeister
Digg This -
Updated: 24 Mar 2005
*Second Update - The newest TKInfo script also detects and addresses problematic servers better.
*Update - A new TKInfo script is available that addresses several issues. The command to run this on NetWare from bash, with script and process.txt file in sys:\tmp, is:*
perl /tmp/tkinfo.pl /tmp/process.txt
About the TKInfo Tool
The TKInfo Tool is a script that creates four reports for monitorng information about keys. The first is a list of which keys are present on (or missing from) which servers. The second is a list of which keys are synchronized consistently (all revoked, all valid, some missing or a mix of these combinations). The third report is a list of valid keys throughout the tree. The final report tells the total number of keys and servers in the environment and the number of servers either turned off or with NICI broken.
The first report tells if a server is missing a tree key. If so, then passwords encrypted with that key cannot be decrypted on that server. Also, if a password is encrypted on that server it may not be encrypted with a key that other servers (with the key that server is missing) can decrypt. Tree key synchronization is important for passwords to be usable on all servers.
The second report tells which keys are synchronized consistently. While all servers may hold any number of keys, if they are not the same then passwords will not encrypt and decrypt consistently. If a server does not have NICI, or NICI is broken, then passwords will not be able to be encrypted or decrypted on that box.
The third report lists tree keys that are valid and synchronized, or less than valid and synchronized. Having a 168-bit tree key in the Valid Keys section is the best. Having other tree keys will not hurt but it is best to have only one key on each server that is valid and to have that one key synchronized to all other servers as valid. This way the passwords are encrypted with the same key and decrypted with that same key. Having extra revoked keys all over does not cause problems at all.
The final report simply gives you a summary of the number of servers and keys. If the number of servers does not match one's internal number of servers then that is something to look into. The script can only tell what is reported from NICI, so if a server is not showing up anywhere for the keys then this script will not report on it at all. This is a fairly rare situation but one you can easily resolve with some basic troubleshooting assisted by Novell's TIDs and online forums.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com