Environment
Novell NetWare 6.5 Support Pack 2
Novell ConsoleOne 1.3.6c
Novell iManager 2
Novell Certificate Server 2.43
Novell ConsoleOne 1.3.6c
Novell iManager 2
Novell Certificate Server 2.43
Situation
ConsoleOne returns a -1 or -601 error when attempting to import a Verisign (or Geo Trust) certificate whose kmo object contains a two dashes (- -) in it.
Imanager reports that the certificate being imported does not match the contents of the kmo.
DSTRACE shows that we are stripping all text from the first space to the dash before the server name. For example, MY - KMO-SERVERNAME gets truncated to MY-SERVERNAME. This results in a 601 error as we cannot find the object.
DSTRACE with the +pki and +pkiapi shows the following on an import for a kmo named delete - me - hvaughansvr:
object name = delete - HVAUGHANSVR-4.EMG
attr name = NDSPKI:Public Key Certificate
PKI_GetRightsForConnection: Got conn authenticated ID 8036
Connect to tcp:x.x.x.x:524 succeeded
PKI_GetRightsForConnection: Got local name admin.EMG
Begin-> DCResolveWithConstraint context = 7662000d
Starting to walk from initial connection
Resolving \HV6PACKTREE\EMG\delete - HVAUGHANSVR-4
Resolving \HV6PACKTREE\EMG\delete - HVAUGHANSVR-4, flags 00004044.
Responding with no such entry for \HV6PACKTREE\EMG\delete - HVAUGHANSVR-4
ResolveName Request failed, no such entry (-601).
------> tag = 0
attr name = NDSPKI:Public Key Certificate
PKI_GetRightsForConnection: Got conn authenticated ID 8036
Connect to tcp:x.x.x.x:524 succeeded
PKI_GetRightsForConnection: Got local name admin.EMG
Begin-> DCResolveWithConstraint context = 7662000d
Starting to walk from initial connection
Resolving \HV6PACKTREE\EMG\delete - HVAUGHANSVR-4
Resolving \HV6PACKTREE\EMG\delete - HVAUGHANSVR-4, flags 00004044.
Responding with no such entry for \HV6PACKTREE\EMG\delete - HVAUGHANSVR-4
ResolveName Request failed, no such entry (-601).
------> tag = 0
----------------------------
Second Example of a Trace of the issue. Certificate object name is WebCertSSL - Mercury - MERCURY, note the name in the trace: WebCertSSL - MERCURY.
Entering PKIWireRequest
Entering PKIVerbHandOff
PKIVerbHandOff calling verb 7
StC: ODNlen-29
sf-x0
nc-2
rc-1
PKI_StoreCertificates: Storing certs on object WebCertSSL - MERCURY.TRUST
PKI_StoreCertificates: Storing object certificate of length 1001
PKI_StoreCertificates: Storing certificate chain of length 664
PKI_GetServerFromKMOInfo: Looking for KMO WebCertSSL - MERCURY.TRUST
Entering PKIVerbHandOff
PKIVerbHandOff calling verb 7
StC: ODNlen-29
sf-x0
nc-2
rc-1
PKI_StoreCertificates: Storing certs on object WebCertSSL - MERCURY.TRUST
PKI_StoreCertificates: Storing object certificate of length 1001
PKI_StoreCertificates: Storing certificate chain of length 664
PKI_GetServerFromKMOInfo: Looking for KMO WebCertSSL - MERCURY.TRUST
PKI_GetServerFromKMOInfo: The last slot used is 1
PKI_GetServerFromKMOInfo: Unable to get server name!
PKI_GetRightsForConnection: Getting rights for connection = 47
object name = WebCertSSL - MERCURY.TRUST
attr name = NDSPKI:Public Key Certificate
PKI_GetRightsForConnection: Got conn authenticated ID 904C
PKI_GetRightsForConnection: Got local name ADMIN.USERS.TRUST
PKI_GetRightsForConnection: DDCResolveName() FAILED returning -601
PKI_StoreCertificates: PKI_GetRightsForConnection() FAILED returning -601
PKIVerbHandOff returned -601
Exiting PKIVerbHandOff rc = -601
Exiting PKIWireRequest err = -601
PKI_GetServerFromKMOInfo: Unable to get server name!
PKI_GetRightsForConnection: Getting rights for connection = 47
object name = WebCertSSL - MERCURY.TRUST
attr name = NDSPKI:Public Key Certificate
PKI_GetRightsForConnection: Got conn authenticated ID 904C
PKI_GetRightsForConnection: Got local name ADMIN.USERS.TRUST
PKI_GetRightsForConnection: DDCResolveName() FAILED returning -601
PKI_StoreCertificates: PKI_GetRightsForConnection() FAILED returning -601
PKIVerbHandOff returned -601
Exiting PKIVerbHandOff rc = -601
Exiting PKIWireRequest err = -601
SEARCH: GEOTRUST GEO TRUST 601 1
Resolution
Workaround:
Rename the Certificate to a name without the double - - and then you should be able to import the certificate. For example if the Certificate name is
"WebCertSSL - Mercury - MERCURY" renaming it to "WebCertSSL - MERCURY" allowed the certificate to be imported.
It is common to want to put the server name after a certificate when you create it. You do not need to do that in ConsoleOne, it will append the servername automatically for you. In this case to your detriment.
Additional Information
Formerly known as TID# 10094700