8009 broke?

Greg B.

Jan 13, 2006, 12:08:34 PM
http://serverIP:8008 loads fine and works properly
https://serverIP:8009 cannot be displayed.

Netware 5.1 upon reboot after power failure downed properly at time of
power outage.

***:2200 works too

any suggestions?

Thanks
greg

Marcel Cox

Jan 13, 2006, 3:39:38 PM
Start by verifying if your certificate hasn't expired by running
PKIDIAG.NLM on your server console.
If PKIDIAG.NLM is not installed on your server, you will find it here:

http://support.novell.com/cgi-bin/search/searchtid.cgi?/2967938.htm

--
Marcel Cox (using XanaNews 1.17.6.6)

Niclas Ekstedt

Aug 12, 2009, 6:55:59 AM
duwang,

Just go to www.novell.com/download and search for 'pkidiag'


--
_________________________________________
Niclas Ekstedt, CNA/CNE/CNS/CLS
Systems Engineer
Atea Sverige AB

Anders Gustafsson

Aug 12, 2009, 7:25:58 AM
Duwang,
> how to install PKIDIAG.NLM in NW 5.1 server? the link is no longer
> available...
>
Just download PKIDIAG and put it in sys:system

- Anders Gustafsson (Sysop)
The Aaland Islands (N60 E20)


Novell has a new enhancement request system,
or what is now known as the requirement portal.
If customers would like to give input in the upcoming
releases of Novell products then they should go to
http://www.novell.com/rms

Niclas Ekstedt

Aug 13, 2009, 3:36:03 AM
duwang,

> System Requirements:
> NetWare 6.5
>
> Installation:
> Copy PKIDIAG.NLM to SYS:\SYSTEM on a NetWare 6.5 server.
>
>
> my system is NW 5.1.....

Yes, but it should still work. As NW 5.1 is no longer supported, Novell
doesn't bother testing against it. Either give this version a try or try
finding an older version.

Anders Gustafsson

Aug 14, 2009, 3:36:26 AM
Duwang,
> Step 4 Verifying the KMOs
> ---> Testing KMO 'SSL CertificateDNS - SSA-GZMAC-GW.SSA_GZ'.
> Rights check -- OK.
> ERROR -603 reading host server attributes for KMO 'SSL CertificateDNS -
> SSA-GZMAC-GW.SSA_GZ'.
> Private Key -- Failed.
>
> ---> Testing KMO 'SSL CertificateIP - SSA-GZMAC-GW.SSA_GZ'.
> Rights check -- OK.
> ERROR -603 reading host server attributes for KMO 'SSL CertificateIP -
> SSA-GZMAC-GW.SSA_GZ'.
> Private Key -- Failed.

Rename those two certificates manually and rerun PKIDIAG, alternatively
change to ") Update default KMO mode: Always rename and create " and
rerun.

Massimo Rosen

Aug 14, 2009, 3:53:22 AM
Hi,

duwang wrote:
> Step 6 failed -659.

Your time is not in sync in your tree. Repair that.

CU,
--
Massimo Rosen
Novell Product Support Forum Sysop
No emails please!
http://www.cfc-it.de

Anders Gustafsson

Aug 14, 2009, 5:47:28 AM
Duwang,
> Sorry...can you tell me where they are? :( Thanks for your patience...
>
Look in ConsoleOne. I.e. under the SSA_GZ container, there are objects
called 'SSL CertificateIP -SSA-GZMAC-GW.SSA_GZ' etc. But before doing
so, you must make sure time is in sync. Please start DSREPAIR on one
server. Go into "Time Synchronization". Post the results here.

Niclas Ekstedt

Aug 14, 2009, 5:51:08 AM
duwang,

>> Rename those two certificates manually and rerun PKIDIAG,
>> alternatively
>> change to ") Update default KMO mode: Always rename and create " and
>> rerun.

> Sorry...can you tell me where they are? :( Thanks for your patience...

Renaming the certificates can be done from within Console One.

Massimo Rosen

Aug 14, 2009, 7:34:32 AM
Hi,

duwang wrote:
> SSAN-SH-3.SSAN_SH 7.60a 1 Secondary No 0
> SSA-GZ-5.SSA_GZ 8.85c -1 Secondary No 0
> ZENITHMEDIA_GW.SSA_GZ 7.60a -1 Secondary No 0
> ZM-GZ-3.ZM_GZ 7.60a 1 Secondary No 0
> SAATCHI_GW.SSA_GZ 7.60a 1 Secondary No 0
> ZM-GZ-1.ZM_GZ 7.60a 1 Secondary No 0
> SSA-GZ-1.SSA_GZ 7.60a 0 Reference No 0

...

> nothing wrong... all servers synchronized up to time...

Huh? There is about everything wrong. Do you see all these nice "No"
above in your server list? All these servers are not in sync with your
tree's time, and that needs to be fixed.

Massimo Rosen

Aug 14, 2009, 7:36:53 AM
Hi,

duwang wrote:
> 0
> SSA-GZ-1.SSA_GZ 7.60a 0 Reference No

And this is the core reason why your time isn't in sync throughout your
tree. If the reference server isn't in sync, nothing is. Find out why.
Ignore everything else, as long as your time doesn't show "Yes" on
*every* server, it's all futile.

Anders Gustafsson

Aug 14, 2009, 7:51:31 AM
Duwang,
> the attachment is the result, forgive me to hide the server name due to
> security issue, too many ppl can see in this forum, thanks again...
>
OK. Each of these No's needs to be addressed before you can proceed, like
Massimo says.

FWIW, for 30 servers and below, an easier setup is to have one SINGLE and
the rest SECONDARY.

Massimo Rosen

Aug 14, 2009, 8:51:17 AM
Hi,

duwang wrote:
>
> If sync is the problem...how to fix...

Depends on how it's set up of course. But see my other reply, your core
issue is your reference server being not in timesync.

Massimo Rosen

Aug 14, 2009, 9:16:04 AM
Hi,

duwang wrote:
>
> hi, this is the reference server timesync setting, any problem?

Yes. It has configured source on (as it must), but no time sources
specified. A reference server must point to at least three primary
servers.

Massimo Rosen

Aug 14, 2009, 2:48:27 PM
Hi,

duwang wrote:
>
> so I just add the specific server source in this file? like this

I would actually use their IP address instead of the name. But
otherwise, yes.

Anders Gustafsson

Aug 16, 2009, 1:26:30 PM
Duwang,
> do I need to reboot the server? I run dsrepair after modify the
> file, but the reference server still can't sync...but I will wait
> longer...thanks for your help
>
No. Just unload/load timesync.nlm. But are the REFERENCE time servers in sync now? Do they sync to an external NTP source?

See:
http://www.novell.com/documentation/oes/time_enu/?page=/documentation/oes/time_enu/data/abzawc8.html

Anders Gustafsson

Aug 17, 2009, 2:35:42 AM
Duwang,
> All server sync now...thanks for your help..very appreciate...
>
OK. Does PKIDIAG run OK now?

Anders Gustafsson

Aug 17, 2009, 5:13:28 AM
Duwang,
> Run in Fixing mode to correct this problem(s).
>
So, please rerun and select "Fix", the default is "Diagnostics"

INFO: kmo SSL CertificateIP - SSA-GZMAC-GWbak.SSA_GZ is not back linked
to any server. It should probably be deleted.
INFO: kmo SSL CertificateDNS - SSA-GZMAC-GWbak.SSA_GZ is not back
linked to any server. It should probably be deleted.
INFO: kmo SSL CertificateDNS - SSA-GZMAC-GW.SSA_GZ is not back linked
to any server. It should probably be deleted.
INFO: kmo SSL CertificateIP - SSA-GZMAC-GW.SSA_GZ is not back linked to
any server. It should probably be deleted.
INFO: kmo SSL CertificateDNS - BM-GZ.SSA_GZ is not back linked to any
server. It should probably be deleted.
INFO: kmo SSL CertificateIP - BM-GZ.SSA_GZ is not back linked to any
server. It should probably be deleted.

If that/those server(s) are gone, then just delete the certs.

Anders Gustafsson

Aug 17, 2009, 9:04:15 AM
Duwang,
> Pausing for 5 seconds because of error -1222
> ERROR -1222 creating SSL CertificateDNS.
> Step 6 failed -1222.
>
OK. Does that happen on all servers or just one?

Anders Gustafsson

Aug 18, 2009, 7:32:03 AM
Duwang,
> Fixable problems found: 5
> Problems fixed: 3
> Un-fixable problems found: 0
>
OK, and if you rerun? What error remains? On what server? What is the
DS version of that server?

Massimo Rosen

Aug 18, 2009, 12:13:58 PM
Hi.

Quite seriously, your whole PKI is completely hosed, and we need to get
the full story behind this. That second server you just posted about
didn't even have a matching SAS object, and that is a sign of either a
totally failed or incomplete OS installation, or some admin manually
creating havoc on objects they don't understand.

As for your actual -1222 error, this is extremely strange, but judging
by the state of your PKI in your tree, not too surprising either.

At this point, we probably need to start from scratch. First thing,
check your Certificate Authority in your tree's security container (*if*
the security container still exists at all). Especially, check if it
verifies ok, and if it still has a host-server assigned, *AND* if that
server physically still exists and is up and running. One possible
reason for the 1222 error can be that you have a CA configured, but it's
not running. For instance, a decommissioned server that has never been
removed from the tree properly (which also seems to be the norm in your
tree, judging from the amount of Certificates and SAS objects for no
longer existing servers).

duwang wrote:
>
> Sorry, can't post today, very slow access today... I run pkidiag in other
> server, error message is similar...
>
> PKIDiag 2.78 -- (compiled Feb 01 2007 17:06:17).
> (Check the end of the log for the last repair results)
> Current Time: Tue Aug 18 13:55:31 2009
> User logged-in as: admin.ssa_gz.
> Fixing mode
> Rename and create mode
> Always Re-key
>
> --> Server Name = 'SSA-GZ-5'
> ---------------------------------------------------------------------------
>
> Step 1 Verifying the Server's link to the SAS Service Object.
> Step 1 failed -601.
>
> Step 2 Verifying the SAS Service Object
> PROBLEM: A SAS Service object was not found.
> FIX: Successfully created and linked SAS Service object 'SAS Service -
> SSA-GZ-5.SSA_GZ' to 'SSA-GZ-5.SSA_GZ'.
> PROBLEM: Server 'SSA-GZ-5.SSA_GZ' does not have Supervisory Entry
> rights to SAS Service object 'SAS Service - SSA-GZ-5.SSA_GZ'
> Fix -->Successfully gave rights to the server object.
> PROBLEM: SAS Service object 'SAS Service - SSA-GZ-5.SSA_GZ' does not
> have Read All Attribute rights to itself.'
> Fix -->Successfully gave rights to the SAS Service object.
> Step 2 succeeded.
>
> Step 3 Verifying the links to the KMOs
> Reading the links for SAS Service object 'SAS Service -
> SSA-GZ-5.SSA_GZ'.
> --> No KMOs are linked to Service object 'SAS Service -
> SSA-GZ-5.SSA_GZ'.
> Step 3 succeeded.
>
> Step 4 Verifying the KMOs
> ---> Testing KMO 'Old1 SSL CertificateDNS - SSA-GZ-1.SSA_GZ'.
> Rights check -- OK.
> Back link -- Belongs to a different server -- Ignoring this KMO.
>
> ---> Testing KMO 'Old1 SSL CertificateIP - SSA-GZ-1.SSA_GZ'.
> Rights check -- OK.
> Back link -- Belongs to a different server -- Ignoring this KMO.
>
> ---> Testing KMO 'SSL CertificateDNS - ZENITHMEDIA_GW.SSA_GZ'.
> Rights check -- OK.
> Back link -- Belongs to a different server -- Ignoring this KMO.
>
> ---> Testing KMO 'SSL CertificateIP - ZENITHMEDIA_GW.SSA_GZ'.
> Rights check -- OK.
> Back link -- Belongs to a different server -- Ignoring this KMO.
>
> ---> Testing KMO 'SSL CerticficateDNS - SAATCHI_GW.SSA_GZ'.
> Rights check -- OK.
> Back link -- Belongs to a different server -- Ignoring this KMO.
>
> ---> Testing KMO 'SSL CertificateIP - SAATCHI_GW.SSA_GZ'.
> Rights check -- OK.
> Back link -- Belongs to a different server -- Ignoring this KMO.
>
> Step 4 succeeded.
>
> Step 5 Re-verifying the links to the KMOs
> Reading the links for SAS Service object 'SAS Service -
> SSA-GZ-5.SSA_GZ'.
> --> No KMOs are linked to Service object 'SAS Service -
> SSA-GZ-5.SSA_GZ'.
> Step 5 succeeded.
>
> Step 6 Creating IP and DNS Certificates if necessary.
> --> Number of Server IP addresses = 3
> --> The default IP address is: 10.143.64.71
> PROBLEM: A SSL CertificateIP does not exist
> FIXING: Creating SSL CertificateIP (10.143.64.71)
> Pausing for 5 seconds because of error -1222
> ERROR -1222 creating SSL CertificateIP.
> WARNING: We could not discover a DNS name.
> PROBLEM: A SSL CertificateDNS does not exist
> WARNING: We cannot find a DNS name to use. Switching to use the
> default IP address as DNS Name.
> --> Setting the default DNS Name to 10.143.64.71.
> FIXING: Creating SSL CertificateDNS (10.143.64.71)
> Pausing for 5 seconds because of error -1222
> ERROR -1222 creating SSL CertificateDNS.
> Step 6 failed -1222.
>
> Note: Occasionally multiple problems will be solved with a single fix.
>
> Fixable problems found: 5
> Problems fixed: 3
> Un-fixable problems found: 0
>
> --
> duwang
> ------------------------------------------------------------------------
> duwang's Profile: http://forums.novell.com/member.php?userid=57366
> View this thread: http://forums.novell.com/showthread.php?t=172494
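
Added example, not part of any post in this thread: a small Python triage of PKIDIAG log text like the run quoted above, pulling out failed steps, ERROR lines and the count of problems left unfixed. The sample log is a constructed excerpt, `triage` is a hypothetical helper name, and the patterns cover only the line formats visible in the quoted log.

```python
import re

# Constructed excerpt modelled on the PKIDiag 2.78 log quoted in this thread.
SAMPLE_LOG = """\
> Step 1 Verifying the Server's link to the SAS Service Object.
> Step 1 failed -601.
> Step 2 Verifying the SAS Service Object
> PROBLEM: A SAS Service object was not found.
> Step 2 succeeded.
> Step 6 Creating IP and DNS Certificates if necessary.
> PROBLEM: A SSL CertificateIP does not exist
> ERROR -1222 creating SSL CertificateIP.
> ERROR -1222 creating SSL CertificateDNS.
> Step 6 failed -1222.
> Fixable problems found: 5
> Problems fixed: 3
> Un-fixable problems found: 0
"""

STEP = re.compile(r"^Step (\d+) (succeeded|failed)(?: (-\d+))?\.")
ERROR = re.compile(r"^ERROR (-\d+) (.*?)\.?$")
COUNT = re.compile(
    r"^(Fixable problems found|Problems fixed|Un-fixable problems found):\s*(\d+)")


def triage(log_text):
    """Summarise a PKIDIAG log: failed steps, ERROR lines, unresolved count."""
    failed_steps, errors, counts = {}, [], {}
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail-style quote markers
        if m := STEP.match(line):
            if m.group(2) == "failed":
                code = int(m.group(3)) if m.group(3) else None
                failed_steps[int(m.group(1))] = code
        elif m := ERROR.match(line):
            errors.append((int(m.group(1)), m.group(2)))
        elif m := COUNT.match(line):
            counts[m.group(1)] = int(m.group(2))
    # "Un-fixable problems found: 0" does not mean the run is clean:
    # fixable problems that were found but not fixed are still outstanding.
    outstanding = (counts.get("Fixable problems found", 0)
                   - counts.get("Problems fixed", 0))
    return {"failed_steps": failed_steps, "errors": errors,
            "outstanding": outstanding}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
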

Anders Gustafsson

Aug 19, 2009, 12:27:29 PM
Duwang,
> BTW, do you think the problem will be gone if I upgrade to a higher version
> of Novell? What is the latest version for Novell...7?
>
6.5, but you need to fix whatever problems you have with your PKI before
doing any upgrades.

Anders Gustafsson

Aug 21, 2009, 2:37:44 AM
Duwang,
> another problem, sometimes novell client can't find tree or server when
> the tree field is GZ_tree, but can login use ip address instead of
> "GZ_tree". Or login as workstation only, after that, select novell icon
> then login...
>
You have a name resolution problem, you need to fix that as well. Please
read up on SLP in the docs

Marcel Cox

Aug 21, 2009, 4:33:10 PM
duwang wrote:

>should I Rename those two certificates manually and rerun PKIDIAG,


>alternatively
>change to ") Update default KMO mode: Always rename and create " and
>rerun.

Just run the "default" fix mode. E.g. after starting pkidiag.nlm and
logging in, first select option 4, then option 0.

--
Marcel Cox
http://support.novell.com/forums
------------------------------------------------------------------------
Marcel Cox's Profile: http://forums.novell.com/member.php?userid=8
