Novell Home

Troubleshooting SSL Certificate Issues with the eDir-eDir Driver

Novell Cool Solutions: Tip
By Heath Tennant

Digg This - Slashdot This

Posted: 20 Dec 2006
 

Problem

I have seen an increasing number of customers who have issues with SSL certificates and the edir2edir driver. There can be several causes for this, but most of the time the resolution is the same. The certificate creation wizard within iManager can be fantastic, or it can fail for one reason or another (come on, we can't all be perfect.) This will very often be the end of the line for standard troubleshooting.

Solution

Simple but effective ...

I just wanted to share the the almost forgotten DirXML 1.1a documentation (back before the days of the wizard). It will guide you through the manual process that the certificate creation wizard performs in the background. I must mention that if you run into certificate problems on NetWare, the first step would be running PKIDiag. Use option 4 then 0 on both sides (how did we live before this tool?), which will often correct issues with expired certificates.

Running through the manual process will fix either the issue - and, like magic, the driver will start up and carry on working - or it will highlight a more significant issue with the CA. Either way, you will no longer be at a dead end and should have a better idea of where to head next.

The instructions for Configuring Secure Data Transfers using ConsoleOne can be found here:
http://www.novell.com/documentation/dirxmldrivers11a/index.html?page=/documentation/dirxmldrivers11a/edirectory/data/agy16jv.html

One gotcha: if you give a new certificate a new name at creation, you will need to update the driver configuration to reflect the change. You can do this by modifing the Authentication ID section to reflect the new certificate name. It should be the same name you entered when you created the certificate, which is NOT the complete name of the KMO object.

The documentation defines it like this:

"The key pair name of a KMO is the part of the eDirectory object name that appears before the dash (-). The part of the object name that appears after the dash is the eDirectory server name to which the KMO belongs. When using the name of a KMO in the driver configuration, always use the key pair name. For example, if the name of the eDirectory object is Driver Cert - SRV1_TAO, the key pair name is Driver Cert."

I know I have not shared anything really new, but I hope this has been helpful and will help get things up and running sooner if you ever run into this problem.


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell