Certificate Server Issues-Removing a Server from a Tree

  • 3623407
  • 18-Oct-2006
  • 05-Dec-2017

Environment

Novell Certificate Server 2.0 and above.

Situation

If your NDS tree has been set up to use Novell Certificate Server, you should be aware of several issues when removing an NCP Server from the NDS tree. This document describes 3 scenarios in which a server is removed from the NDS tree and how to proceed so that you don't experience problems with your PKI.

Resolution

Scenario #1 - You are completely deleting the server from the tree.

If the server is going to be completely deleted from the NDS tree and will not be replaced, perform the following steps before or after removing the server from the tree:

1. If the server to be deleted is the Security Domain Key server for the tree:

NOTE: You can tell if the server is the Security Domain Key server for the tree by using ConsoleOne. Open the Properties of the W0 object in the KAP container in the Security container. Click the Other tab. Expand the NDSPKI:SD Key Server DN attribute. The server referenced in this attribute is the Security Domain Key server.

You will need to find which servers in your tree hold a copy of the Security Domain key. Typically, those servers that have rights to the W0 object will have a copy of this key. The key is in the SYS:\SYSTEM\NICI directory in a file called NICISDI.KEY. Note that this key is encrypted in a server specific key and cannot be used by another server.

If at least one such server exists then:

a. Decide one server that will become your Security Domain Key server. As such, it should be a server with which other servers can communicate. Note that, currently, the Security Domain Key server's only function is to distribute the Security Domain key to servers in the tree that do not have it. This distribution happens during the installation of Novell Certificate Server, Novell Modular Authentication Services (NMAS), Single Sign-On, and NetWare 5.1 and later.

b. Using ConsoleOne, open the Properties of the W0 object. Click the Other tab. Modify the NDSPKI:SD Key Server DN to refer to the server selected in step a.

If no other servers have a copy of the Security Domain key then either:

i. Install Novell Certificate Server (version 2.0 or later), NMAS, Single Sign-On, or NetWare 5.1 or later on another server in the tree that can become the Security Domain Key server.
ii. Follow steps a and b above.

Or

i. Delete all user certificates in the NDS tree.
ii. Delete all user NMAS authentication data from the NDS tree.
iii. Delete all user secrets stored by Single Sign-On.
iv. Delete the W0 object.
v. Delete the KAP container.
vi. Delete the NICISDI.KEY file from SYS:\SYSTEM\NICI.

WARNING: You must be absolutely sure that there are no other servers in the tree with a copy of the Security Domain key before deleting the W0 object. Failure to do so will require you to complete steps i-vi again.

2. If the server to be deleted is the Organizational Certificate Authority, delete the Organizational CA object.

NOTE: You can tell if the server is the Organizational CA by using ConsoleOne. Open the Properties of the Organizational CA object in the Security container. The Host Server field on the General tab gives the distinguished name of the server that is the Organizational CA.

3. Delete the server's SAS Service object.

4. Delete any Server Certificates (Key Material objects) associated with the server. Note that Server Certificates currently cannot be transferred to another server.

5. Delete the server from the tree.

6. If you deleted the W0 object in step #1 or if the Organizational CA object was deleted in step #2:

a. Select a new server to be the Security Domain Key server and/or Organizational CA for your tree. This server should be kept in a secure location, available for other servers in the tree to communicate with, and very likely to remain in the tree for at least 6 months.

b. Create the Security Domain Key and/or Organizational CA on the server selected in step 6a. This can be accomplished by installing the latest version of Novell Certificate Server (available from Novell's free download web site) on the server, by installing NetWare 5.1 (or later) on the server, or by post-installing the Novell Certificate Server on an existing NetWare 5.1 (or later) server.

NOTE: If you did not delete the W0 object in step #1, you can create the Organizational CA instead by using ConsoleOne to create an NDSPKI:Certificate Authority object in the Security container. However, if you choose to create the Organizational CA in this manner, it is strongly recommended that you update the version of Novell Certificate Server on the chosen server before creating the CA.

c. If the server was the Security Domain Key server and you did not delete the W0 object in step #1, reset the W0 object such that the Security Domain Key server is the Organizational CA's server. Using ConsoleOne, open the Properties of the W0 object. Click the Other tab. Modify the NDSPKI:SD Key Server DN to refer to the server selected in step 6a.

7. If the Organizational CA was deleted in step #2:

ALTERNATIVE: Steps a-d may be replaced by the steps outlined in the Alternative Method section at the end of this TID.

a. Delete all of the Server Certificates (stored in Key Material objects) that had been signed by the previous Organizational CA.

NOTE: Server Certificates signed by external CAs like VeriSign do not need to be deleted.

b. Create new Server Certificates to replace all Server Certificates that were deleted in step 7a. You can do this by re-installing Novell Certificate Server on each server whose certificates were deleted or by using ConsoleOne. Re-installing Novell Certificate Server will only re-create the certificates named SSLCertificateIP and SSLCertificateDNS - all other certificates must be re-created using ConsoleOne. When using ConsoleOne to create the Server Certificates, be sure to specify a subject name for the new certificate that exactly matches the subject name in the old certificate.

NOTE: The version of Certificate Server will not need to be upgraded on those servers in order to complete this step.

NOTE: Server Certificates that have been signed by an external CA such as VeriSign will continue to be valid and do not need to be replaced.

c. Tell all users who had imported the Organizational CA's certificate into their browsers as a trusted root to delete the certificate. Replace this certificate with the self-signed certificate of the new Organizational CA.

d. Make sure that all services that used the certificates deleted in step 7a are configured to use the new certificates created in step 7b. The most common services are LDAP, Portal Server, Web Server, and Border Manager. However, there may be others.

e. Delete all user certificates (stored in user objects) that had been signed by the previous Organizational CA.

NOTE: These certificates may have already been deleted in step 1i.

NOTE: User certificates signed by external CAs like VeriSign do not need to be deleted.

f. Re-create user certificates as desired.

8. If the W0 object was deleted in step #1:

a. Re-create user certificates as desired.

b. Re-create user NMAS authentication as desired.

c. Re-create user Single Sign-on secrets as desired.

Scenario #2 - You are moving the server to a different physical machine

If you are using Novell Migration Wizard 6.0, you don't need to take any additional steps. Novell Migration Wizard 6.0 will copy the NICI configuration files from the old machine to the new one and will maintain all security related NDS objects.

If you are not using Novell Migration Wizard 6.0, there is currently no utility provided to move the NICI configuration files from one physical server machine to another. Therefore, regardless of whether the final server machine will bear the same name as the original server machine, you will need to follow directions that are much the same as those in Scenario #1 because, essentially, you will be removing the server from the tree and installing a new one with the same name. Before beginning the hardware transfer:

1. If the server to be moved is the Security Domain Key server for the tree:

NOTE: You can tell if the server is the Security Domain Key server for the tree by using ConsoleOne. Open the Properties of the W0 object in the KAP container in the Security container. Click the Other tab. Expand the NDSPKI:SD Key Server DN attribute. The server referenced in this attribute is the Security Domain Key server.

You will need to find which servers in your tree hold a copy of the Security Domain key. Typically, those servers that have rights to the W0 object will have a copy of this key. The key is in the SYS:\SYSTEM\NICI directory in a file called NICISDI.KEY. Note that this key is encrypted in a server specific key and cannot be used by another server.

If at least one such server exists then:

a. Select one server that will become your Security Domain Key server. As such, it should be a server that other servers can communicate with. Note that, currently, the Security Domain Key server's only function is to distribute the Security Domain key to servers in the tree that do not have it. This distribution happens during the installation of Novell Certificate Server, Novell Modular Authentication Services (NMAS), Single Sign-On, and NetWare 5.1 and later.

b. Using ConsoleOne, open the Properties of the W0 object. Click the Other tab. Modify the NDSPKI:SD Key Server DN to refer to the server selected in step a.

If no other servers have a copy of the Security Domain key then either:

i. Install the latest version of Novell Certificate Server (version 2.0 or later), NMAS, Single Sign-On, or NetWare 5.1 or later on another server in the tree that can become the Security Domain Key server.
ii. Follow steps a and b above.

Or

i. Delete all user certificates in the NDS tree.
ii. Delete all user NMAS authentication data from the NDS tree.
iii. Delete all user secrets stored by Single Sign-On.
iv. Delete the W0 object.
v. Delete the KAP container.
vi. Delete the NICISDI.KEY file from SYS:\SYSTEM\NICI.

WARNING: You must be absolutely sure that there are no other servers in the tree with a copy of the Security Domain key before deleting the W0 object. Failure to do so will require you to complete steps i-vi again.

2. If the server to be moved is the Organizational Certificate Authority, delete the Organizational CA object.

NOTE: You can tell if the server is the Organizational CA by using ConsoleOne. Open the Properties of the Organizational CA object in the Security container. The Host Server field on the General tab gives the distinguished name of the server that is the Organizational CA.

3. Delete the server's SAS Service object.

4. Delete any Server Certificates (Key Material objects) associated with the server. Note that Server Certificates currently cannot be transferred to another server.

5. Complete the hardware transfer.

6. If you deleted the W0 object in step #1 or the Organizational CA object in step #2:

a. Select a new server to be the Security Domain Key server and/or Organizational CA for your tree. This server should be kept in a secure location, available for other servers in the tree to communicate with, and very likely to remain in the tree for at least 6 months.

b. Create the Security Domain Key and/or Organizational CA on the server selected in step 6a. This can be accomplished by installing the latest version of Novell Certificate Server (available from Novell's free download web site) on the server, by installing NetWare 5.1 (or later) on the server, or by post-installing the Novell Certificate Server on an existing NetWare 5.1 (or later) server.

NOTE: If you did not delete the W0 object in step #1, you can create the Organizational CA instead by using ConsoleOne to create an NDSPKI:Certificate Authority object in the Security container. However, if you choose to create the Organizational CA in this manner, it is strongly recommended that you update the version of Novell Certificate Server on the chosen server before creating the CA.

c. If the server was the Security Domain Key server and you did not delete the W0 object in step #1, reset the W0 object so that the Security Domain Key server is the Organizational CA's server. Using ConsoleOne, open the Properties of the W0 object. Click the Other tab. Modify the NDSPKI:SD Key Server DN to refer to the server selected in step 6a.

7. If you deleted the Organizational CA in step #2:

ALTERNATIVE: Steps a-d may be replaced by the steps outlined in the Alternative Method section at the end of this TID.

a. Delete all of the Server Certificates (stored in Key Material objects) that were signed by the previous Organizational CA.

NOTE: Server Certificates signed by external CAs like VeriSign do not need to be deleted.

b. Create new Server Certificates to replace all Server Certificates that were deleted in step 7a. This can be done by re-installing Novell Certificate Server on each server whose certificates were deleted or by using ConsoleOne. Re-installing Novell Certificate Server will only re-create the certificates named SSLCertificateIP and SSLCertificateDNS - all other certificates must be re-created using ConsoleOne. When using ConsoleOne to create the Server Certificates, be sure to specify a subject name for the new certificate that exactly matches the subject name in the old certificate.

NOTE: The version of Certificate Server will not need to be upgraded on those servers in order to complete this step.

NOTE: Server Certificates that have been signed by an external CA such as VeriSign will continue to be valid and do not need to be replaced.

c. Instruct all users who have imported the Organizational CA's certificate into their browsers as a trusted root to delete the certificate. Replace this certificate with the self-signed certificate of the new Organizational CA.

d. Make sure that all services that used the certificates deleted in step 7a are configured to use the new certificates created in step 7b. The most common services are LDAP, Portal Server, Web Server, and Border Manager. However, there may be others.

e. Delete all user certificates (stored in user objects) that had been signed by the previous Organizational CA.

NOTE: These certificates may have already been deleted in step 1i.

NOTE: User certificates signed by external CAs like VeriSign do not need to be deleted.

f. Re-create user certificates as desired.

8. If the W0 object was deleted in step #1:

a. Re-create user certificates as desired.

b. Re-create user NMAS authentication as desired.

c. Re-create user Single Sign-on secrets as desired.

9. If the server selected in step 6a was not the new server, install the security components on the new server.

a. Install the Novell Certificate Server. This can be accomplished by installing the latest version of Novell Certificate Server (available from Novell's free download web site) on the server, by installing NetWare 5.1 (or later) on the server, or by post-installing the Novell Certificate Server on an existing NetWare 5.1 (or later) server.

b. Install NMAS if it was previously installed on the old server.

c. Install Single Sign-On if it was previously installed on the old server.

Scenario #3 - You are removing and then reinstalling NDS on the server

If you remove NDS from a server using NWConfig and then reinstall it, you will need to take some additional steps to make sure that the security of the server is not compromised.

If you remove the NetWare partition on the server during the reinstallation process, you will need to follow the steps in Scenario #2, since all of the NICI configuration files will have been lost.

If you simply removed and reinstalled NDS, the NICI configuration files will remain on the server. However, the links in NDS between the security-related objects will be broken. You will need to fix these links before the services on the server can load and/or establish an SSL connection. Follow these steps to re-create the necessary links:

NOTE: These directions will only repair the security components. Other services may also need to be repaired.

1. Check whether the Server is the Security Domain Key server

Before deleting NDS from the server, you should check to see if the server is the Security Domain Key server. You can tell if the server is the Security Domain Key server for the tree by using ConsoleOne. Open the Properties of the W0 object in the KAP container in the Security container. Click the Other tab. Expand the NDSPKI:SD Key Server DN attribute. The server referenced in this attribute is the Security Domain Key server.

2. Check whether the Server is the Organizational Certificate Authority

Before deleting NDS from the server, you should check to see if the server is the Organizational CA. You can tell if the server is the Organizational CA by using ConsoleOne. Open the Properties of the Organizational CA object in the Security container. The Host Server field on the General tab gives the distinguished name of the server that is the Organizational CA.

3. Remove NDS from the server

4. Reinstall NDS on the server

5. Unload the Novell Certificate Server snap-in from ConsoleOne

After reinstalling NDS, you will need to use ConsoleOne without the Novell Certificate Server snap-in loaded to edit the security objects directly. To run ConsoleOne without the Novell Certificate Server snap-in:

a. Go to the directory from which you run ConsoleOne.exe. Go up one directory level to see the directories inside the 1.2 directory.
b. Go into the SNAPINS directory.
c. Delete the file REGISTRARS.SER if it exists.
d. Go into the Security directory.
e. Rename the file PKI.JAR to PKI.SAV.
f. Run ConsoleOne.
g. Make sure that the Novell Certificate Server snap-in was not loaded by clicking on Help > About Snapins in ConsoleOne and scrolling through the list of loaded snap-ins. The Novell Certificate Server snap-in should not be in the list.

6. If the server was the Security Domain Key server:

a. Using ConsoleOne, open the Properties of the W0 object.
b. Click the Other tab.
c. If the NDSPKI:SD Key Server DN attribute is present, click Modify. Browse for the new server object. Click Apply.
d. If it does not exist, highlight Attributes at the top of the list. Click Add and select NDSPKI:SD Key Server DN from the list of available attributes. Browse for the new server object. Click Apply.

7. If the server was the Organizational Certificate Authority:

a. Using ConsoleOne (this must be done when the Novell Certificate Server snap-in is not loaded), open the Properties of the Organizational CA object.
b. Click the Other tab.
c. If the Host Server attribute is present, click Modify. Browse for the new server object. Click Apply.
d. If it does not exist, highlight Attributes at the top of the list. Click Add and select Host Server from the list of available attributes. Browse for the new server object. Click Apply.

8. Link the new server object to the SAS Service object:

a. Using ConsoleOne, open the Properties of the new server object.
b. Click the Other tab.
c. If the SAS Service DN attribute is present, click Modify. Browse for the existing SAS Service object. Click Apply.
d. If it does not exist, highlight Attributes at the top of the list. Click Add and select SAS Service DN from the list of available attributes. Browse for the existing SAS Service object. Click Apply.

9. Link the SAS Service object to the new server object:

a. Using ConsoleOne, open the Properties of the SAS Service object for the server.
b. Click the Other tab.
c. If the Host Server attribute is present, click Modify. Browse for the new server object. Click Apply.
d. If it does not exist, highlight Attributes at the top of the list. Click Add and select Host Server from the list of available attributes. Browse for the new server object. Click Apply.

10. Link existing Server Certificates to the new server object:

For each Server Certificate (Key Material) object that belongs to this server, do the following:

a. Using ConsoleOne, open the Properties of one of the Server Certificate objects for the server.
b. Click the Other tab.
c. If the Host Server attribute is present, click Modify. Browse for the new server object. Click Apply.
d. If it does not exist, highlight Attributes at the top of the list. Click Add and select Host Server from the list of available attributes. Browse for the new server object. Click Apply.

11. If the name of the server was changed:

a. Using ConsoleOne, rename the SAS Service object for the server such that the server name following the '-' in the object's name reflects the server's new name. For example, if the server's name was originally SERVER1 and was changed to SERVER2, then the SAS Service object would need to be renamed from "SAS Service - SERVER1" to "SAS Service - SERVER2".
b. Using ConsoleOne, rename each Server Certificate object that belongs to the server such that the server name following the '-' in the object's name reflects the server's new name. For example, if the server's name was originally SERVER1 and was changed to SERVER2, then the Server Certificate objects must be renamed from "SSLCertificateIP - SERVER1" to "SSLCertificateIP - SERVER2" and from "SSLCertificateDNS - SERVER1" to "SSLCertificateDNS - SERVER2".

NOTE: Remember that the syntax for these names is - (with a space on either side of the dash).

12. Reload the Novell Certificate Server snap-in for ConsoleOne

After completing the above steps, you will need to re-load the Novell Certificate Server snap-in for ConsoleOne in order to manage the security objects properly. Follow these steps to restore the snap-in:

a. Go to the directory from which you run ConsoleOne.exe. Go up one directory level to see the directories inside the 1.2 directory.
b. Go into the SNAPINS directory.
c. Go into the SECURITY directory.
d. Rename the file PKI.SAV to PKI.JAR.
e. Run ConsoleOne.
f. Make sure that the Novell Certificate Server snap-in was loaded by clicking on Help > About Snapins in ConsoleOne and scrolling through the list of loaded snap-ins. The Novell Certificate Server snap-in should be in the list.


ALTERNATIVE METHOD
If it is not feasible to delete all of your Server Certificates at one time, you may instead delete and re-create them more slowly using the following steps:

a. Find all of the Server Certificates (stored in Key Material objects) that were signed by the previous Organizational CA. Change the key pair name for each one to one that has not yet been used for that server. The name of the Key Material object is composed as follows: - . Do not change the server name component of the Key Material object's name.

NOTE: This need not be done for server certificates signed by external CAs like VeriSign.
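Both Scenario #3 step 11 (renaming "SAS Service - SERVER1" style objects when the server name changes) and Alternative Method step a (giving an old Key Material object a key pair name not yet used on that server, without touching the server component) depend on the same "<name> - <server>" naming syntax. The following Python is an added example, not part of this TID and not a Novell utility: it parses that syntax, computes the rename plan for a server name change, and picks an unused key pair name. The "-old<N>" suffix scheme and the sample object names are assumptions constructed for the example; it does not talk to NDS, it only produces the names an administrator would then apply in ConsoleOne.

```python
from dataclasses import dataclass
from typing import Iterable

# The TID's naming syntax for SAS Service and Key Material (Server Certificate)
# objects: "<name> - <server>", a dash with a space on either side.
SEPARATOR = " - "


@dataclass(frozen=True)
class SecurityObjectName:
    prefix: str   # "SAS Service" or the key pair name, e.g. "SSLCertificateIP"
    server: str   # the NCP server name, e.g. "SERVER1"

    def __str__(self) -> str:
        return f"{self.prefix}{SEPARATOR}{self.server}"


def parse_object_name(name: str) -> SecurityObjectName:
    """Split '<prefix> - <server>' at the LAST separator, so a key pair name
    that itself contains ' - ' still yields the correct server component."""
    if SEPARATOR not in name:
        raise ValueError(f"{name!r} does not use the '<name> - <server>' syntax")
    prefix, server = name.rsplit(SEPARATOR, 1)
    if not prefix.strip() or not server.strip():
        raise ValueError(f"{name!r} has an empty name or server component")
    return SecurityObjectName(prefix, server)


def rename_for_new_server(name: str, old_server: str, new_server: str) -> str:
    """Scenario #3 step 11: keep the object's prefix and replace only the
    server component. Refuses objects that belong to a different server
    (NDS names are compared case-insensitively)."""
    parsed = parse_object_name(name)
    if parsed.server.upper() != old_server.upper():
        raise ValueError(f"{name!r} belongs to {parsed.server}, not {old_server}")
    return str(SecurityObjectName(parsed.prefix, new_server))


def rename_plan(names: Iterable[str], old_server: str, new_server: str) -> dict:
    """Map every object of old_server to its new name; objects that belong to
    other servers are left out of the plan rather than renamed by mistake."""
    plan = {}
    for name in names:
        if parse_object_name(name).server.upper() == old_server.upper():
            plan[name] = rename_for_new_server(name, old_server, new_server)
    return plan


def unused_key_pair_name(existing_names: Iterable[str], server: str, base: str) -> str:
    """Alternative Method step a: choose a key pair name not yet used on this
    server while leaving the server component alone. The '<base>-old<N>'
    suffix scheme is an assumption of this example, not prescribed by the TID."""
    used = {p.prefix.upper() for p in map(parse_object_name, existing_names)
            if p.server.upper() == server.upper()}
    n = 1
    candidate = f"{base}-old"
    while candidate.upper() in used:
        n += 1
        candidate = f"{base}-old{n}"
    return candidate


if __name__ == "__main__":
    # Constructed sample: objects as they might exist before SERVER1 becomes SERVER2.
    sample = ["SAS Service - SERVER1", "SSLCertificateIP - SERVER1",
              "SSLCertificateDNS - SERVER1", "SSLCertificateIP - OTHERSRV"]
    for old, new in rename_plan(sample, "SERVER1", "SERVER2").items():
        print(f"{old} -> {new}")
    print(unused_key_pair_name(sample, "SERVER1", "SSLCertificateIP"))
```

Splitting at the last separator is deliberate: the TID says not to change the server name component, and a key pair name chosen by an administrator may itself contain " - ", so splitting at the first dash would silently rename the wrong part. Names without the spaced dash are rejected outright rather than guessed at, matching the note that the syntax requires a space on either side of the dash.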

b. Make sure that all services that used the certificates renamed in step a are configured to use the new names specified. The most common services are LDAP, Portal Server, Web Server, and Border Manager; however, there may be others.

c. Create new Server Certificates to replace all Server Certificates that were renamed in step a. This can be done by re-installing Novell Certificate Server on each server whose certificates were renamed or by using ConsoleOne. Re-installing Novell Certificate Server will only re-create the certificates named SSLCertificateIP and SSLCertificateDNS - all other certificates must be re-created using ConsoleOne. When using ConsoleOne to create the Server Certificates, be sure to specify a subject name for the new certificate that exactly matches the subject name in the old certificate.

NOTE: The version of Certificate Server will not need to be upgraded on those servers in order to complete this step.

NOTE: Server Certificates that have been signed by an external CA, such as VeriSign, will continue to be valid and do not need to be replaced.

d. Tell all users who have imported the Organizational CA's certificate into their browsers as a trusted root to delete the certificate. Replace this certificate with the self-signed certificate of the new Organizational CA.

e. Re-configure all services configured in step b to use the new certificates created in step d.

f. Delete all of the Server Certificates that had been signed by the previous Organizational CA (the ones renamed in step a).

NOTE: Server Certificates signed by external CAs like VeriSign do not need to be deleted.

Additional Information


Formerly known as TID# 10056795