NetWare servers are still running in customer data centers. Because they need so little maintenance, nobody watches for expiring certificates, and one day some services simply stop working.
There are a few tools that look for expiring certificates, but they have drawbacks in a pure-NetWare environment:
- they are started manually and controlled interactively;
- they require a Windows or Linux workstation;
- to automate the check, an always-on Linux or Windows system is needed in addition to the NetWare servers.
On the other hand, Novell NetWare has rich scripting capabilities that make it self-sufficient for routine task automation.
A simple script (ncert.zip) runs on the NetWare server and checks the existing certificates. It can be started manually from the server console or by the scheduler of your choice (NRM, cron). The solution consists of two interacting parts, NCF and Bash. The NCF part uses conditional scripting to set the configuration variables and to run the LDAP query with ICE; the Bash part is called from within the NCF script and parses the ICE output.
For mail notification, the “SMTP Mail Sender (c)2005 Looney Enterprises” is used (see https://www.novell.com/coolsolutions/tools/14317.html).
Expired certificates are listed in the output file sys:/var/lib/ncert/ncert.exp.
Certificates expiring soon are listed in the output file sys:/var/lib/ncert/ncert.soo.
Both lists are also printed on the server console.
If CONLOG.NLM is loaded, the console output, including the notifications about expired certificates, is logged to the file sys:/etc/console.log.
In addition, a mail notification is sent.
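To show what the Bash part has to do with the ICE output, here is an added example (not the code from ncert.zip): it reads an LDIF export from standard input, picks up the expiry attribute of each object and splits the objects into expired, expiring soon and OK, the same three outcomes the script reports. The attribute name nDSPKINotAfter (the LDAP name under which eDirectory is assumed to expose NDSPKI:Not After), the warning window, and the three sample objects are all constructed for this example; the page does not show the real query or attribute. Date arithmetic is done in plain shell integer math, because GNU `date -d` cannot be assumed on a NetWare bash.

```shell
#!/bin/sh
# Added example: classify certificate objects from an LDIF export by expiry.
# Assumed attribute name (LDAP mapping of NDSPKI:Not After); adjust if needed.
EXPIRY_ATTR="nDSPKINotAfter"

# Constructed sample LDIF, shaped like an ICE export of NDSPKI:Key Material objects.
SAMPLE_LDIF='dn: cn=SSL CertificateDNS - SRV1,ou=srv,o=org
objectClass: nDSPKIKeyMaterial
nDSPKINotAfter: 20241231235959Z

dn: cn=SSL CertificateIP - SRV1,ou=srv,o=org
objectClass: nDSPKIKeyMaterial
nDSPKINotAfter: 20250215120000Z

dn: cn=SSL CertificateDNS - SRV2,ou=srv,o=org
objectClass: nDSPKIKeyMaterial
nDSPKINotAfter: 20270101000000Z'

# days_from_civil YEAR MONTH DAY -> days since 1970-01-01 (proleptic Gregorian).
# Pure shell arithmetic, so it works on any sh without GNU date.
days_from_civil() {
  y=$1; m=${2#0}; d=${3#0}          # strip a leading zero so 08 is not read as octal
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$(( y / 400 ))
  yoe=$(( y - era * 400 ))
  mp=$(( (m + 9) % 12 ))            # March = 0 ... February = 11
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  echo $(( era * 146097 + doe - 719468 ))
}

# gt_days GENERALIZEDTIME -> day number; accepts "YYYYMMDDhhmmssZ" or "YYYYMMDD".
gt_days() {
  y=$(printf '%.4s' "$1"); rest=${1#????}
  m=$(printf '%.2s' "$rest"); rest=${rest#??}
  d=$(printf '%.2s' "$rest")
  days_from_civil "$y" "$m" "$d"
}

# days_left NOTAFTER TODAY -> signed number of days until expiry (negative = expired).
days_left() {
  echo $(( $(gt_days "$1") - $(gt_days "$2") ))
}

# classify_ldif TODAY(YYYYMMDD) WINDOW(days); LDIF on stdin.
# Prints one line per object: "EXPIRED dn", "SOON dn" or "OK dn".
classify_ldif() {
  now=$(gt_days "$1"); window=$2; dn=""
  while IFS= read -r line; do
    case $line in
      "dn: "*) dn=${line#dn: } ;;
      "$EXPIRY_ATTR: "*)
        exp=$(gt_days "${line#"$EXPIRY_ATTR: "}")
        days=$(( exp - now ))
        if [ "$days" -lt 0 ]; then
          echo "EXPIRED $dn (expired $(( -days )) days ago)"
        elif [ "$days" -le "$window" ]; then
          echo "SOON $dn ($days days left)"
        else
          echo "OK $dn ($days days left)"
        fi ;;
    esac
  done
}

# count_state STATE TODAY WINDOW -> how many sample objects fall into STATE.
count_state() {
  printf '%s\n' "$SAMPLE_LDIF" | classify_ldif "$2" "$3" | grep -c "^$1 " || true
}

# Stand-alone run: classify the sample against today's date with a 30-day window.
printf '%s\n' "$SAMPLE_LDIF" | classify_ldif "$(date +%Y%m%d)" 30
```

The real script writes the EXPIRED and SOON lines to ncert.exp and ncert.soo respectively; this example only prints them. ICE can fold long LDIF lines and base64-encode values, which this reader does not handle, but a GeneralizedTime value is short and plain ASCII, so the expiry attribute itself is unaffected.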
The configuration variables are set in the file ncert.ncf; their meaning is self-explanatory.
The variables are set only once, on the first run of the NCF file after server boot. So if you change a setting in ncert.ncf afterwards, you must clear the changed variable with the console command so that the new value takes effect:
For troubleshooting, you can also change a configuration variable directly in server memory and then check its value:
%env variable="newvalue"
%env variable
The default trustee rights ([All Attributes Rights]=Compare,Read; [Entry Rights]=Browse) are sufficient for the script to work. It is a good idea to create a dedicated account for the LDAP search and to restrict its rights to the container that holds the server certificate objects, so that the account grants no more than the script needs. In addition, you can allow that account to log in from one IP address only (the IP address of the NetWare server).
Make sure that only administrators have access to the directory sys:/usr/lib/ncert/, since it holds the script configuration, including the LDAP account settings.
- Make sure the account you use for the LDAP query has sufficient rights in the eDirectory tree.
- Download and extract ncert.zip and place its contents in the directory sys:/usr/lib/ncert/.
- If you use a secure LDAP connection, export the eDirectory tree CA certificate in DER format to a file named ncert.der and place it in the directory sys:/usr/lib/ncert/.
- Set the configuration variables in the file sys:/usr/lib/ncert/ncert.ncf.
- Add a record for your SMTP server to the file SYS:/ETC/HOSTS, for example:
172.30.0.30 smtp.org.com smtp
- Start the script sys:/usr/lib/ncert/ncert.ncf from the server console to make sure it works as expected.
- Schedule the script sys:/usr/lib/ncert/ncert.ncf to run monthly with the NRM or CRON scheduler.
If you prefer CRON, add the following line to the file sys:/etc/crontab (it runs the script at midnight on the first day of every month):
0 0 1 * * sys:/usr/lib/ncert/ncert.ncf
Issues and troubleshooting
The trailing characters of long NetWare environment values (longer than about 20 characters) may be lost or corrupted when the value is set; for example, instead of "cn=nldap,ou=srv,o=org" the variable may end up as "cn=nldap,ou=srv,o=or" or "cn=nldap,ou=srv,o=or%!" or something else. That is why some settings in ncert.ncf are split into two parts (%nLDAPusr and %nLDAPctx, %nToBox and %nToDom).
- Check the file sys:/var/lib/ncert/ncert.log for details.
- Enter the console command %env to verify that the environment variables are correct.
The NetWare server console prompt disappears.
Quick solution: pressing Enter brings the console prompt back.
Long-term solution: use the NRM scheduler.
The script output appears on the Logger Screen instead of the System Console.
Solution: use the NRM scheduler.