Using SDIDiag to gather specific SDKey information from servers

  • 3455150
  • 19-Sep-2007
  • 03-Nov-2017

Environment

eDirectory - All versions
SDIDIAG.EXE Version 2.1 Jun 26 2003
SDIDIAG.EXE 2.2

Situation

Error: NICI 1418 when communicating.
Error -1423
Error -1411
Error: 1416
Using SDIDiag to gather specific SDKey information from servers

Resolution

SDIDIAG is a tool that evaluates the servers' tree keys on the network to help you determine whether or not they are synchronized. It is located with the eDirectory patches and can be downloaded from there. Follow the steps below to verify that your tree keys are synchronized:

1) Copy SDIDIAG.EXE to a workstation or run it directly from a NetWare server's system console. SDIDIAG can be downloaded from https://download.novell.com. If you run SDIDiag from the workstation, you create the output files and reference the input files locally, as shown in the examples below. If you run SDIDiag directly on a server, you write the files to one of the server volumes, for example SYS:\LIST.TXT. SDIDIAG.NLM should already be on a NetWare 6.5 server by default.

2) Open a Windows command prompt, change to the directory where SDIDIAG.EXE is located, and type SDIDIAG.

3) The utility starts and prompts for the server address, user name and password:

SDIDiag, Security Domain Infrastructure Diagnostic Utility
Version 2.1 Jun 26 2003
Copyright 2003 Novell, Inc. All rights reserved.
Server IP Addr : 192.168.100.10
User Name (Full DN): admin.novell
Password : *******
SDIDIAG>

*** If the TREE and ORGANIZATION names are the same (i.e. the tree name is NOVELL and the Organization is NOVELL), you need to specify the whole Full DN, including the TREE NAME, or you will get errors when trying to authenticate. So, in this case it would be:

User Name (Full DN): admin.novell.NOVELL

4) SDIDIAG> LK -O C:\LIST.TXT
This shows the list of keys for all the servers in the W0 object and writes this information to the C:\LIST.TXT file. Another way to gather this information is to open ConsoleOne and go to the W0 object in the Security container. Select the "Other" tab on the W0 object and view the values of the "NDSPKI:SD Key Server DN" attribute.

5) SDIDIAG> FS -A -O C:\SERVER.TXT
This creates a file on the local workstation called SERVER.TXT which holds a list of all servers in the tree. The "-A" switch means that SDIDiag will access servers regardless of their eDirectory or NICI versions. This is necessary if you have some servers which are not running eDirectory 8.7.1 or later and you still wish to see which keys are on each of the servers.

6) SDIDIAG> LK -I C:\SERVER.TXT -O C:\PROCESS.TXT
This shows a list of all the servers in the tree and their SDI key(s).

*** It is important to note that the switch is "-I" (capital i, as in "Information") and NOT "-l" (lowercase L, as in "lima"); using the latter causes Error -6.

Additional Information

These errors can occur because tree keys are not synchronized throughout the tree.

Below is an example output of the C:\PROCESS.TXT generated from the steps above.

Server : .SERVERA.NOVELL.TEST-TREE.
SDKey : 1
Object Class : Secret Key
Key Size : 168 bits
Key Usage : 0x4400C0
Key Format : DES-EDE3-CBC-IV8
Key Id : 9C 44 68 B6 4C BD 54 F5 5B 57 FB 88 61 2F E2 E2
Validity : Sun Aug 19 21:05:09 2003 - Sun Feb 3 23:59:00 2036

Server : .SERVERB.NOVELL.TEST-TREE.
SDKey : 1
Object Class : Secret Key
Key Size : 168 bits
Key Usage : 0x4400C0
Key Format : DES-EDE3-CBC-IV8
Key Id : 9C 44 68 B6 4C BD 54 F5 5B 57 FB 88 61 2F E2 E2
Validity : Sun Aug 19 21:05:09 2003 - Sun Feb 3 23:59:00 2036

Server : .SERVERC.NOVELL.TEST-TREE.
SDKey : 1
Object Class : Secret Key
Key Size : 168 bits
Key Usage : 0x4400C0
Key Format : DES-EDE3-CBC-IV8
Key Id : 9C 44 68 B6 4C BD 54 F5 5B 57 FB 88 61 2F E2 E2
Validity : Sun Aug 19 21:05:09 2003 - Sun Feb 3 23:59:00 2036
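The by-eye comparison of Key Id values that step 6 and the listing above call for can be automated. The following Python script is an added example, not part of SDIDiag or Novell's documentation; it parses a PROCESS.TXT listing in the layout shown above (the sample is constructed and abbreviated, with SERVERC's Key Id deliberately altered) and reports which servers hold which Key Id, treating the tree as inconsistent when more than one Key Id appears or a server has no SDKey at all.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of SDIDiag's LK listing (see the PROCESS.TXT excerpt
# above); SERVERB/SERVERC are abbreviated and SERVERC's Key Id is deliberately altered.
SAMPLE = """\
Server : .SERVERA.NOVELL.TEST-TREE.
SDKey : 1
Object Class : Secret Key
Key Size : 168 bits
Key Usage : 0x4400C0
Key Format : DES-EDE3-CBC-IV8
Key Id : 9C 44 68 B6 4C BD 54 F5 5B 57 FB 88 61 2F E2 E2
Validity : Sun Aug 19 21:05:09 2003 - Sun Feb 3 23:59:00 2036
Server : .SERVERB.NOVELL.TEST-TREE.
SDKey : 1
Key Id : 9C 44 68 B6 4C BD 54 F5 5B 57 FB 88 61 2F E2 E2
Server : .SERVERC.NOVELL.TEST-TREE.
SDKey : 1
Key Id : 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$")   # "Name : value"

def parse_lk_output(text):
    """Return {server_dn: [key_record, ...]} from an SDIDiag LK listing."""
    servers, current, key = {}, None, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue                  # blank or unexpected line
        name, value = m.groups()
        if name == "Server":
            current, key = servers.setdefault(value, []), None
        elif name == "SDKey" and current is not None:
            key = {"SDKey": value}    # new key record under this server
            current.append(key)
        elif key is not None:
            key[name] = value         # Key Id, Key Format, Validity, ...
    return servers

def check_tree_keys(text):
    """Group servers by Key Id; consistent only if one Key Id and no server lacks a key."""
    servers = parse_lk_output(text)
    holders = defaultdict(list)
    for server, keys in servers.items():
        for k in keys:
            holders[k.get("Key Id", "<none>")].append(server)
    missing = [s for s, keys in servers.items() if not keys]
    return len(holders) == 1 and not missing, dict(holders), missing
```

Run check_tree_keys on the contents of your own PROCESS.TXT; a result of False means at least one server holds a different or no tree key, which is the condition TID 3092072 addresses.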

To resolve issues with Tree Keys, refer to TID 3092072 - Verifying and Resolving Tree Key Inconsistencies

Formerly known as TID# 10088626