Cool Solutions

NetWare script for checking certificates in the pure-NetWare environment

August 18, 2015 12:01 pm

Download ncert.zip

Background

NetWare servers are still running in customer data centers. They usually need minimal maintenance effort, so people forget to watch for expiring certificates. As a result, one day some services stop working.

While there are a few tools for finding expiring certificates, those tools have drawbacks if you have a pure-NetWare environment:

  • tools are started manually and controlled interactively;
  • tools require Windows or Linux workstation;
  • to automate checking of certificates, a Linux or Windows system that is always on is necessary besides NetWare servers.

On the other hand, Novell NetWare has rich scripting capabilities that make it self-sufficient in terms of routine task automation.

Solution

A simple script (ncert.zip) runs on the NetWare server to check existing certificates. It can be started manually on the server console or with the scheduler you prefer (NRM, cron). The solution consists of two interacting parts: NCF and Bash. The NCF part, using conditional scripting, sets the configuration variables and runs the LDAP query. The Bash part is called from within the NCF script to parse the ICE output.

For mail notification, the “SMTP Mail Sender (c)2005 Looney Enterprises” is used (see https://www.novell.com/coolsolutions/tools/14317.html).

Expired certificates are listed in the output file sys:/var/lib/ncert/ncert.exp.

Certificates expiring soon are listed in the output file sys:/var/lib/ncert/ncert.soo.
Also, those certificates are listed on the server console.
If you have CONLOG.NLM loaded, notifications about expired certificates are logged into the file sys:/etc/console.log.
Besides that, a mail notification is sent.
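The Bash part described above, reduced to one function, as an added example that is not the code shipped in ncert.zip: it reads an LDIF export, compares each certificate object's expiry against a reference date and a "soon" cutoff, writes the two result files with the article's names, and echoes the problem entries so they reach the console. Everything beyond the file names is an assumption of this example: that ICE writes LDIF, that the expiry is exposed as an LDAP attribute named `ndspkiNotAfter` in GeneralizedTime form (e.g. `20150901000000Z`), and that the caller supplies the reference timestamps in the same form (for instance from `date -u +%Y%m%d%H%M%SZ`), which keeps the check free of date arithmetic that differs between shells. The sample export is constructed.

```shell
#!/bin/sh
# Added example, not the code from ncert.zip. Assumptions, not taken from the
# article: the ICE result is LDIF, one entry per "dn:" block; the expiry is
# the LDAP attribute "ndspkiNotAfter" (assumed name) in GeneralizedTime form,
# so values sort chronologically as plain strings; "now" and the "soon" cutoff
# are passed in by the caller in that same form.

EXPIRY_ATTR=ndspkiNotAfter   # assumed attribute name

# Constructed sample export: three certificate objects with different expiries.
SAMPLE_LDIF='dn: cn=SSL CertificateDNS - srv1,ou=srv,o=org
objectClass: ndspkiKeyMaterial
ndspkiNotAfter: 20140101000000Z

dn: cn=SSL CertificateIP - srv1,ou=srv,o=org
objectClass: ndspkiKeyMaterial
ndspkiNotAfter: 20150901000000Z

dn: cn=SSL CertificateDNS - srv2,ou=srv,o=org
objectClass: ndspkiKeyMaterial
ndspkiNotAfter: 20200101000000Z
'

# ncert_classify LDIF_FILE NOW SOON_CUTOFF OUT_DIR
#   Writes OUT_DIR/ncert.exp (expired) and OUT_DIR/ncert.soo (expiring before
#   SOON_CUTOFF), one "<expiry><TAB><dn>" line each; prints both lists so they
#   appear on the console (and in console.log when CONLOG.NLM is loaded);
#   returns 0 when something needs attention, 1 when every certificate is fine.
ncert_classify() {
    ldif=$1; now=$2; soon=$3; out=$4

    awk -v now="$now" -v soon="$soon" -v attr="$EXPIRY_ATTR" '
        function emit() {
            if (dn != "" && expiry != "") {
                if ((expiry "") < (now ""))       print "EXPIRED\t" expiry "\t" dn
                else if ((expiry "") < (soon "")) print "SOON\t" expiry "\t" dn
                else                              print "OK\t" expiry "\t" dn
            }
            dn = ""; expiry = ""
        }
        { sub(/\r$/, "") }                         # tolerate CRLF line endings
        /^dn: / { dn = substr($0, 5) }             # value after "dn: "
        index(tolower($0), tolower(attr) ": ") == 1 {
            expiry = substr($0, length(attr) + 3)  # value after "attr: "
        }
        /^$/ { emit() }                            # blank line ends an entry
        END  { emit() }                            # last entry without blank line
    ' "$ldif" > "$out/ncert.all"

    { grep '^EXPIRED' "$out/ncert.all" || true; } | cut -f2- > "$out/ncert.exp"
    { grep '^SOON'    "$out/ncert.all" || true; } | cut -f2- > "$out/ncert.soo"

    [ -s "$out/ncert.exp" ] && { echo "Expired certificates:";       cat "$out/ncert.exp"; }
    [ -s "$out/ncert.soo" ] && { echo "Certificates expiring soon:"; cat "$out/ncert.soo"; }

    [ -s "$out/ncert.exp" ] || [ -s "$out/ncert.soo" ]
}

# Stand-alone demo on the constructed sample: reference date 18 Aug 2015,
# "soon" cutoff 60 days later.
demo_dir=$(mktemp -d)
printf '%s' "$SAMPLE_LDIF" > "$demo_dir/export.ldif"
ncert_classify "$demo_dir/export.ldif" 20150818000000Z 20151017000000Z "$demo_dir" || true
rm -rf "$demo_dir"
```

On a server the fourth argument would be the article's output directory, sys:/var/lib/ncert, and the exit status lets the calling script decide whether to send the mail notification at all. Comparing GeneralizedTime values as strings only works because all values carry the same fixed-width `YYYYMMDDHHMMSSZ` layout; a value in another format would have to be normalised first.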

Configuration variables are set in the file ncert.ncf. The meaning of each variable is self-explanatory.

The variables are set only once, at the first start of the NCF file after the server boots. So if you have changed a setting in the ncert.ncf file, you need to clear the changed variable with the following console command so that the new value takes effect:

%env variable=

Also, for troubleshooting purposes, you can change a configuration variable directly in server memory and then check its value:

%env variable="newvalue"
%env variable

Security

The default trustee rights ([All Attributes Rights]=Compare,Read; [Entry Rights]=Browse) are enough for this script to work. A good idea is to create a dedicated account for the LDAP search and restrict its rights to the level of the tree that contains the server certificate objects. In addition, you might allow that account to log in only from a specified IP address (the IP address of the NetWare server).

Ensure that only administrators have access to the directory sys:/usr/lib/ncert/.

Usage

  1. Ensure the account you use for the LDAP query has sufficient rights in the eDirectory tree.
  2. Download and extract the file ncert.zip, then place its contents into the directory sys:/usr/lib/ncert/
  3. If you use a secure LDAP connection, export the eDirectory tree certificate to a file ncert.der and place it into the directory sys:/usr/lib/ncert/
  4. Set configuration variables in the file sys:/usr/lib/ncert/ncert.ncf
  5. Add a record for your SMTP server to the file SYS:/ETC/HOSTS:
    172.30.0.30    smtp.org.com    smtp
  6. On the server console, start the script sys:/usr/lib/ncert/ncert.ncf to ensure it works as expected.
  7. Schedule launching of the sys:/usr/lib/ncert/ncert.ncf script on a monthly basis with NRM or CRON scheduler.
    If you prefer CRON, add the following line to the file sys:/etc/crontab:
    0 0 1 * * sys:/usr/lib/ncert/ncert.ncf

Issues and troubleshooting

The last characters of long NetWare environment values (longer than about 20 characters) can be lost or corrupted when the value is set (i.e. instead of the value "cn=nldap,ou=srv,o=org" it might be set to "cn=nldap,ou=srv,o=or" or "cn=nldap,ou=srv,o=or%!" or something else). That is why some settings in ncert.ncf are split into two parts (%nLDAPusr and %nLDAPctx, %nToBox and %nToDom).

Troubleshooting steps:

  • Check the file sys:/var/lib/ncert/ncert.log for details.
  • Enter the console command %env to ensure the environment variables are correct.

The NetWare server console prompt disappears.

Quick solution: pressing Enter gets the console prompt back.
Long-term solution: use the NRM scheduler.

The script output appears on the Logger Screen instead of the System Console.

Solution: use the NRM scheduler.

Categories: Cool Tools, NetWare, Open Enterprise Server, Technical

Disclaimer: This content is not supported by Micro Focus. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.