Bringing up the TLS port on Unix after a DIB Restore
Novell Cool Solutions: Feature
By Harshwardhan Pradhan
Digg This -
Posted: 10 May 2006
In the following scenario, the TLS port will fail to come up after starting ndsd:
- You back up the DIB folder and nds.conf file, but not the NICI folder.
- You restore the DIB and nds.conf file a) on a different machine, where the NICI folder is different, or b) on the same machine when the NICI folder is changed.
Figure 1 - TLS port not listening
Even if you try to recreate the certificates, in ndstrace you get these messages:
SSL_CTX_use_KMO failed. Error stack: error:1412D0D4:SSL routines:SSL_CTX_use_KMO:read wrong packet type (err = -1418)
The certificate creation fails with a -603 error.
In this scenario, the Organizational Certificate Authority needs to be recreated, and the SAS module needs to be reconfigured.
Here are the steps to bring up the TLS port:
1. Delete the Organizational Certificate Authority object in the Security container "CN=Tree_Name CA.O=Security".
Figure 2 - Deleting the Organizational Certificate Authority object
2. Verify that it was deleted by browsing again in the security container or restarting ndsd.
3. Create the Organizational CA with the same name ("CN=Tree_Name CA") under the Security container.
Figure 3 - Creating the Organizational CA
4. Delete the KMO (Key Material Objects) - SSL Certificate DNS and SSL Certificate IP.
Figure 4 - Deleting the KMO
5. Reconfigure the SAS module:
ndsconfig add -m sas -a admin_context -w pwd
This successfully configures the SAS service and creates the KMO.
Figure 5 - Configuring SAS and creating the KMO
Now when you run /etc/init.d/post_ndsd_start, the TLS port is listening.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com