Certificate Authority Error with Notes 5 client
A few months ago I posted this error for sites that still have R5 on the client and ND6 on the server (there are still many) and are using the Certificate Authority process. Back on a site today, the admin team have been using CA to recertify users whose certificates were due to expire. On the ND6 clients it works a treat. On the R5 clients it was sporadic. What is supposed to happen?
Well, when you use the CA process to recertify a user, the request is recorded in the Administration Requests database (admin4.nsf). This database should be replicating to all your servers (along with the directory, names.nsf). The next time the recertified user launches Notes and opens their mail file, the hierarchical certificates in their ID file should be updated. This flashes briefly on the status bar and the job is done. With the R5 client, this doesn't happen. The only time the user gets recertified is when they happen to access the administration server of the domain. If they don't go to that specific server, they don't get updated.
After a bit of playing around, I think I have it sussed. It goes back to the certlog.nsf database (the Certification Log). This usually exists only on the administration server(s) in a domain. Only when the R5 client hits a server with this database on it does the recertification trigger.
Solution: Replicate the certlog.nsf database to the mail servers. In testing this has worked every time so far. I haven't had time to research the "why" yet but will get back with details. I have the red-eye to London to catch in the morning, so it can wait. If anyone has seen these symptoms before, let me know.

Ben Rose Said,
March 15, 2005 @ 5:07 pm
“Solution: Replicate the certlog.nsf database to the mail servers.”
Day one of setting up a domain, that one. It’s ESSENTIAL to have a replica of certlog on all servers and makes life a lot easier too. Lots of tasks depend on access to a certlog and, depending on the admin’s level of access, this may be one or all servers. I have a lot of users who only have access to their particular spoke server but they have to see a certlog.
Didn’t actually realise this didn’t seem to be an R6 requirement, just do it through habit now.
Paul Mooney Said,
March 15, 2005 @ 5:22 pm
Hi Ben
Actually, it’s NOT something I usually do. If you have an administration hub server (or hub cluster), that is where the file resides. Nowhere else. It depends on your topology and this site (3k users) never had a need to have this file on anything but the hub cluster for R4, R5 or ND6 (before this). Why disperse a file with certificate information around all the servers if it ain’t necessary?
Ben Rose Said,
March 16, 2005 @ 8:01 am
“Why disperse a file with certificate information around all the servers if it ain’t necessary?”
But clearly it is

Paul Mooney Said,
March 16, 2005 @ 4:52 pm
“But clearly it is”
?
It’s not necessary depending on the topology you use. In the case of the one above for example, CA and re-certification works fine on ND6 clients WITHOUT certlog available in the local mail server. It seems to only matter in this environment with R5 clients. As for R5 and R4 environments, many of my sites work perfectly well, (including one we both worked on many moons ago) without it.
The certlog, admin4 and catalog databases are ones I so often see unsecured and, in the case of the catalog and certlog, lying around on every server. IMHO, not necessary and a security breach.
But then again, tomorrow’s St. Patrick’s day and I am still sober, so I better go resolve that…