Certificates - server self provisioning

I have an OES 11 server that is the certificate authority for my tree.
Server self-provisioning is enabled. My ZCM 11 server just reported
that the certificate is due to expire in less than 90 days. Just
trying to be pro-active. I assume that self-provisioning will
recreate the certificate soon, but the only thing I have found is
this:
https://www.netiq.com/documentation/...u.html#b9zmjmu
which makes it look like I need to actually reboot the server or they
will never get re-created. So what needs to happen?
Ken

Hello,
You could trigger the PKI health check by unloading and reloading the pkiserver module in eDirectory.
If self-provisioning is enabled, this will create new server certificates if they have expired.
(But I don't know how many days before.)
And this checks and exports the CA and server certificates from eDirectory to files on the server.
I've done this a few times to renew certificates online without restarting the server or eDirectory.
But I'm not sure how this affects ZCM!!
ndstrace -c "unload pkiserver"
-> check /var/opt/novell/eDirectory/log/ndsd.log
ndstrace -c "load pkiserver"
-> check /var/opt/novell/eDirectory/log/ndsd.log
and /var/opt/novell/eDirectory/log/PKIHealth.log
Information about creating or exporting certificates will be in PKIHealth.log.
Then you need to reload some services:
LDAP:
ndstrace -c "unload nldap"
ndstrace -c "load nldap"
-> check /var/opt/novell/eDirectory/log/ndsd.log to see whether LDAP loads again.
For me, in a few situations LDAP does not load again, so eDirectory must be restarted anyhow.
LUM:
namconfig -k
rcnamcd restart
Other:
rcapache2 restart
rcnovell-httpstkd restart
rcnovell-tomcat6 restart
rcsfcb restart
If other OES servers use this server as their LDAP server, you have to do the
namconfig -k
rcnamcd restart
on these servers too.
regards
Matthias
Originally Posted by ab
On 03/27/2014 03:11 PM, KeN Etter wrote:
> On Thu, 27 Mar 2014 19:12:03 GMT, ab <[email protected]>
> wrote:
>
> Thanks for the explanation!
>
>> An eDirectory restart is required, I believe. You may also be able to run
>> 'ndsconfig upgrade' and have it do it, or else you can always use the
>> iManager tools to recreate them. I'm 99% sure, though, that without at
>> least some kind of interaction the certs will not be recreated.
>
> The docs state that the certs will be recreated if they are "about to
> expire". So if I restart eDirectory or the server, how close to the
> expiration date do I need to be for them to be automatically
> recreated? Or should I just manually recreate them? (But then server
> self-provisioning seems a bit useless.)
I believe ninety days is the threshold. If not, definitely thirty. The
self-provisioning, in that case, makes sense if you regularly restart eDir
(monthly, for example, to grab a backup, or apply other patches for eDir
or the OS, etc.). It may also make sense as I believe it causes the cert
to be auto-exported to the filesystem so that other applications can
easily see them and trust them. Maybe this is a different but related
feature, but as I have not looked closely at the docs don't quote me on
it. Either way I agree... it could be more useful to have something
actually happen in environments with non-Microsoft uptimes.
Good luck.
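As an added example (not code from the thread, NetIQ or Novell), here is a small Python check an administrator could run over the certificate files the PKI health check exports, reporting whether each one is inside the 90-day window the thread talks about. It walks the DER structure only as far as the Validity field, and refuses the malformed length form (lengthTag=127) that the ISE log further down this page shows Java rejecting. The reference date and the sample certificate it builds are constructed for offline testing; the sample is an unsigned skeleton, not a usable certificate.

```python
"""Check exported server/CA certificate files against the 90-day self-provisioning
threshold discussed in the thread. Minimal DER walker: it reads only up to Validity."""
import base64
import re
from datetime import datetime, timedelta, timezone

THRESHOLD_DAYS = 90                                   # ZCM's "less than 90 days" warning
REF_NOW = datetime(2014, 3, 27, tzinfo=timezone.utc)  # constructed reference date (thread date)

def _tlv(buf, pos):
    """Decode one DER tag/length header at pos -> (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                  # long form: low 7 bits = number of length octets
        n = first & 0x7F
        if n == 0 or n == 127:        # BER indefinite form or reserved value: not valid DER
            raise ValueError("malformed DER length (lengthTag=%d)" % n)
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, pos, pos + length

def _der_time(tag, raw):
    """UTCTime (0x17) or GeneralizedTime (0x18) in 'Z' form -> aware UTC datetime."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def validity(der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    _, pos, _ = _tlv(der, 0)          # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)        # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)      # [0] EXPLICIT version (optional) or serialNumber
    if tag == 0xA0:
        tag, _, end = _tlv(der, end)  # serialNumber
    for _skip in range(2):            # skip signature AlgorithmIdentifier and issuer Name
        _, _, end = _tlv(der, end)
    _, start, _ = _tlv(der, end)      # Validity SEQUENCE { notBefore, notAfter }
    t1, s1, e1 = _tlv(der, start)
    t2, s2, e2 = _tlv(der, e1)
    return _der_time(t1, der[s1:e1]), _der_time(t2, der[s2:e2])

def load_cert(data):
    """Accept PEM or raw DER bytes; return DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def days_left(data, now=None):
    """Whole days until notAfter (negative once the certificate has expired)."""
    now = now if now is not None else datetime.now(timezone.utc)
    return (validity(load_cert(data))[1] - now).days

def status(data, now=None, threshold=THRESHOLD_DAYS):
    """'MALFORMED', 'EXPIRED', 'RENEW' (inside the threshold) or 'OK'."""
    try:
        d = days_left(data, now)
    except (ValueError, KeyError, IndexError):   # bad DER, unknown time tag, truncated data
        return "MALFORMED"
    return "EXPIRED" if d < 0 else "RENEW" if d < threshold else "OK"

def _enc(tag, value):
    """Minimal DER TLV encoder, used only to build the constructed sample below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def sample_cert(days_until_expiry, now=REF_NOW):
    """Constructed, unsigned certificate skeleton (valid structure up to Validity only),
    there to exercise the parser offline; it is not a real or usable certificate."""
    def t(d):
        return _enc(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = (_enc(0xA0, _enc(0x02, b"\x02"))                               # version v3
           + _enc(0x02, b"\x01")                                          # serialNumber 1
           + _enc(0x30, _enc(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
           + _enc(0x30, b"")                                              # empty issuer Name
           + _enc(0x30, t(now - timedelta(days=365)) + t(now + timedelta(days=days_until_expiry))))
    return _enc(0x30, _enc(0x30, tbs) + _enc(0x30, b"") + _enc(0x03, b"\x00"))
```

Run status() over each exported certificate file (the export path on your server is something to fill in), for example from a cron job, and alert on any result other than OK.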

Similar Messages

  • ISE 1.2 - Self-Provisioned devices still in pending registration status

    Hi everybody,
    I'm on ISE 1.2 patch 2, setting up single-SSID self-provisioning BYOD flow which works as expected except for a couple of issues:
    the first PEAP authorization always fails (no server certificate confirmation appears on the device and no Endpoint Profile is assigned); the second one goes through as expected and the self-registration flow is started;
    at the end of the flow, TLS certs are installed and the device appears in the endpoint database under the user's account, but "Device Registration Status" stays "pending", and this makes it impossible to further authorize the RegisteredDevices identity group;
    single mobile devices get a different "Endpoint Profile" result at each subsequent access. For example: Android smartphones are profiled as Android or HTC device or HP devices or Samsung randomly.
    I've tried to analyze log files but cannot extract a full dump of the profiling process that could help identify why all this happens.
    Can you please help?
    Regards,
    L

    Hi Kevin,
    I did not find an answer. In subsequent patches the self-registration flow seems to have changed somehow and now I have more devices in 'Registered' state, but still most of the time at the end of the process there is no guarantee that the devices will be in this stage. I've moved to more broad policies for authorization (i.e. if you have a valid certificate and login from one of the accepted profiles, we'll let you in).
    If you open a TAC case, please let me know what the answer is.
    Regards,
    L

  • ISE upgrade 1.2: Self-provisioning portal not working

    Hi all,
    I need help with Self-Provisioning portal flow not showing the agent installation page after upgrade from 1.1.1 to 1.2 on a couple of 3315. I've configured all the pieces as instructed by BYOD SBA guide at http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_SLN_BYOD_InternalCorporateAccessDeploymentGuide-Feb2013.pdf
    Screenshot of page is attached:
    I've checked the ise-console.log application log file and found two errors corresponding to the first page:
    [portal-http-84431][] SystemConsole -::c0a8a82a000000d7523c70f9::guest:- com.cisco.cpm.provisioning.exception.ProvisioningException: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
    [portal-http-84431][] SystemConsole -::c0a8a82a000000d7523c70f9::guest:-         at com.cisco.cpm.provisioning.cert.CertProvisioningFactory.initialize(CertProvisioningFactory.java:333)
    and the second (not working) one:
    [portal-http-84431][] SystemConsole -:xxxxx@xxxxxxx:c0a8a82a000000d7523c70f9::guest:- java.lang.NullPointerException
    [portal-http-84431][] SystemConsole -:xxxxx@xxxxxxx:c0a8a82a000000d7523c70f9::guest:-  at com.cisco.cpm.provisioning.cache.FlowStateCacheManager.getFlowStateCache(FlowStateCacheManager.java:202)
    Looks like something is wrong with a certificate file, but I cannot find what it is. I've exported and re-installed the current server certificates (as instructed by the upgrade guide for 1.2) and nothing changed.
    Can somebody please help?
    Thanks,
    L

    Errors When Adding Devices to My Devices Portal
    Employees cannot add a device that is already added if another employee has previously added the device so that it already exists in the Cisco ISE endpoints database.
    If employees are attempting to add a device that supports a native supplicant, recommend that they use that instead. That registration process will overwrite the original registration and switch ownership to the new user.
    If the device is a MAC Authentication Bypass (MAB) device, such as a printer, then you must resolve ownership of the device, and if appropriate, remove the device from the endpoints database so that the new owner can successfully add the device.
    For more information on self-provisioning, see:
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_mydevices.html

  • Cluster utilization and self-provisioning

    I am moving to a cloud infrastructure with vCAC for self-provisioning. How does this impact my target utilization for my HA cluster? Previously I was targeting running each cluster at 80% utilization of RAM and CPU on each host for average peak utilization. Now I am going to allow VMs to be self-provisioned. I won't control the provisioning process anymore, but various clients and tenants can provision VMs at will without my notice. As a result, I have to be able to have capacity available more quickly to add VMs, and not suddenly run out of cluster capacity. I want to minimize waste by running my clusters to capacity, but I also need to maximize elasticity. What are some guidelines on how to do this? Does anyone have experiences to share?
    1. what did you pick as a target utilization figure and why ?
    2. how did you capacity plan / forecast for cluster capacity?
    3. did you use admission control?

    Sounds like a cool project. Keep in mind that from an infrastructure standpoint HA and admission control are still trying to solve the same problem: recovering VMs from a host or OS failure as quickly as possible.
    As an example, if your new cluster has 20 hosts and you want to be able to have a host in maintenance mode and still suffer a host failure and you've decided to use % based admission control policy (this is the default recommendation, I would recommend you evaluate your environment and determine if it is the right option for you), you'll want to set the % at 10%. This will ensure that your cluster has sufficient resources to restart all running VMs. Keep in mind that unless VMs have reservations, HA just reserves capacity to start the VM, there is no guarantee of performance.
    As far as your target utilization, that depends on the SLAs you are providing and your tolerance for risk.
    At the last customer I worked for the answers were:
    1. We reserved capacity in a cluster such that we could have a host in maintenance mode and still lose a host and have no VMs experience performance degradation
    2. vCOps
    3. Yes

  • ISE 1.2 WEBAUTH (CWA) + SELF PROVISIONING (NSP)

    I'm trying to achieve the following for our employees, contractors and guests.
    Guests and contractors should be allowed to access the internet after successful auth on the ISE guest portal login page.
    contractors (ldap contractor group) -> webauth -> internet
    guest (internal ISE DB via sponsor portal) -> webauth -> internet
    Employees should be allowed to register their devices after successful auth on the ISE portal login page, and they should be allowed to access the internet once their device is registered, so they don't have to re-enter the credentials every 2 hours.
    employee (ldap employee group) -> webauth -> nsp -> internet
    In ISE I've created a custom portal with the mobile device portal and self-provisioning flow enabled. At the moment I don't have any client provisioning policy configured and I've set "Native Supplicant Provisioning Policy Unavailable:" to "Allow network access".
    I'm currently experiencing problems with clients, and they describe their problem as a portal loop: when they enter their credentials they are redirected to the portal once again. I did move around some of the rules and it currently looks like this. At the moment I'm working remotely and not able to replicate the problem myself. Any advice would be welcome and much appreciated.
    Is there any available documentation about the built-in attributes in ISE? I'm especially interested in "network use EQUALS guest flow".

    Hi Patrick,
    I'm facing a similar problem to yours, but on wired. My contractor (I name it vendor) is redirected to the guest portal, and when they log in they are redirected to the portal again.
    For the device registration, I have set "Native Supplicant Provisioning Policy Unavailable:" to "Allow network access".
    My authorization rules are as follows:
    1- rule name: Vendor-wired : identity: registerddevices AND identitygroup: VENDOR ; authorization profile: VENDOR-ACCESS
    2- rule name: WIRED-CWA : identity: any ; condition: device-type:SWITCH ; authorization profile: CWA-PORTAL
    It looks like, when the vendor logs in, they are not hitting the first rule, although the device shows up in the registered devices and the vendor account is in the VENDOR identity group (local in ISE), so they come back again to rule 2, which redirects them to the CWA-PORTAL again.
    Did you find any hint for this problem?

  • Getting "certificate server is installed" error when attempting demote of server 2012

    Currently, we are testing Server 2012 in our environment and using a 180-day trial version. Wanting to remove the complex password account restriction, I noticed that all removal options are grayed out, as the trial server is listed as a domain controller
    (although no accounts have been set up and no one is logging onto it).
    Using the "remove roles and features" option, I attempted to uninstall the active directory certificate services (after unchecking the box), but received a warning that the server must be demoted. Ok.
    So, now I follow through the process, check the "last domain controller" checkbox (I had previously checked the "force demotion" but that failed) and click the "demote" button.
    Fine.
    One would expect that the server would be demoted, it would reboot and all would be just as requested.
    No such luck.
    Received a "certificate server is installed" error and the demotion will not proceed. Tried it several more times with the same results. Any suggestions?
    Thanks.
    Dan David

    First, if you plan on using this in a production environment ever: you can't convert an evaluation license to a full license if the domain controller role is installed.
    Domain controllers have their own default policy, for just the opposite of what you are trying to do: it leaves the domain controllers hardened if someone changes the default domain policy. If you still have a stable server you should be able to go
    to the Group Policy Management and adjust the security policy on the "default domain controller" policy.
    It sounds like you may have a server that is in an unstable state: not a DC, but it thinks it is, maybe? If that is the case, starting over may be the fastest way to correct it.

  • CUCM 10 Self Provisioning Problem with TAGs on Universal Device Template

    Hi friends.
    I've been provisioning IP Phones by Self Provisioning. The phones were provisioned almost perfectly. I notice the TAGs that I filled in on the Device Template (look above) are not "translated" on the Device Phone.
    Universal Device Template
    The Tags on the Universal Line Template come perfectly to the Line Description.
    Had you ever seen something like this?
    Kind Regards
    Fernando Penteado

    Hi folks. I could identify the problem with Variable and TAG. In order for Self Provisioning to work fine, we need to mark Owner User on the Universal Device Template.
    Look that.
    Thanks

  • ISE Guest Self-Provisioning Portal

    Hi,
    I get the Guest portal page and my credentials authenticate correctly, and the device is authenticated using MAB. Then I am redirected to the Self-Provisioning portal and get this message:
    This device has not been registered
    You need to manually configure your device
    Your device configuration is not supported by the setup wizard
    Device ID < MAC of my windows XP PC
    Any idea how to enable self-registration for guests?
    My goal is that when a guest is authenticated for the first time, he needs to enter credentials and register the MAC address; then when the guest comes again he needs to pass only authentication, without registering the MAC address.
    Thanks

    Tarik, where is the mistake in my steps?
    1) I create Authorization Profile for Guest devices registration (see attach AuthProfile)
    2) I create Authorization Profile for Web Registration
    3) I create Authorization Policy (see attach AuthPolicy)
    When the user connects to the network, he is redirected to the Guest Portal where he needs to accept the AUP; after clicking "Accept" an error appears (see attach ISE_Error). In ISE I see the following errors (see attach ISE_Auth_Error).

  • Java not recognized by Cisco Self-Provisioning Portal on Apple computers

    Have a Mac Mini running that had this problem under OS X 10.8 and it is persisting in 10.9. When this computer reaches the self-provisioning portal, after clicking submit on the MAC address registration, the following screen displays an erroneous error that Java isn't installed.
    Have gone through updating Java from Apple (2013-005) as well as from Oracle/Java (1.7), and applied several variations of uninstalling and reinstalling Java; it doesn't seem to make a difference. From the top, the Mac Mini attaches to Wifi and the self-provisioning page appears with an authentication request. The user authenticates successfully. The next page displays the MAC address for the machine and a description field. Upon filling out the description, the page is submitted. The following page, which should complete the provisioning process, instead displays an error that Java isn't installed and the user should go to java.com to complete the installation. According to Java.com, Java is installed. According to the terminal (by executing the command "java -version"), Java is installed. Other Java applications, like JDE, run perfectly well. The self-provisioning page seems to be unaware of Java despite everything else. Ideas?

    Thanks. No dice. The instructions on that page also appear to be woefully out of date too. In Safari, on the preferences security tab, there is no checkbox for "Enable Java" (I think that is a Safari 6.0.4 thing on OS X 10.8 or thereabouts). In OS X 10.9 there's just the "allow plugins" checkbox and the "manage website settings" button. Assuming this is where it's at now, moving to the Java plugin in the list, they were already "allow". I went a step further and set it for the three websites listed (that include the provisioning portal domain) to "allow always". No luck. Then went another step further and clicked "run in unsafe mode" for every item in the Java website list, and again it made no difference. The self-provisioning portal page still says that Java isn't installed :-(
    For Firefox, the instructions on that page are out of date too. Under what I believe are the correct settings, the Java applet plug-in for 7.45 is set to "always activate". I assume this is the same thing as seeing the "disable" button in previous FF versions, indicating that the Java applet plug-in is actively running.
    The Chrome instructions on the page are irrelevant because my OS X and hardware are 64-bit and so is Java, but not Chrome. Therefore Java doesn't run on Chrome on this machine in the first place.
    I don't know whose browser the self-provisioning portal fires up, since it fires up its own window, not a Firefox- or Safari-specific one. In Windows, for example, the self-provisioning portal fires up a tab in IE. That actually makes it simpler to debug IMO.
    Any more advice? Java seems to be running just fine for everything else. What am I missing?
    UPDATE (Just another thought)
    Alternatively, could it be a thing with WebKit? Or Cisco's implementation of WebKit (as far as whether any changes would have been required for OS X 10.9 in the way WebKit is instantiated)? If, for example, the self-provisioning portal is opening up its own "browser" by using the Safari WebKit function (as opposed to opening a tab directly in Safari itself), could this be a bug in Safari itself, or a changed API that Cisco has failed to implement (considering the other incompatibilities various Cisco products have with OS X 10.9)? I just hope that the problem is something that I can fix with a workaround rather than waiting for a patch from either Apple or Cisco that may or may not come anytime soon :-/

  • HELP! how to get or download sun one certificate server 4.7

    I have searched for a long while and have found nothing!
    Can anyone tell me how to buy or download Sun ONE Certificate Server 4.7, Netscape Certificate Server or iPlanet CMS 4.2?
    thanks!

    The SunOne certificate server was EOLed by Sun some time ago.
    However, Red Hat recently purchased Netscape Certificate Server, which is based on the same iPlanet codebase as SunOne but has numerous additional features, including a smartcard and USB token management system.
    Evaluation copies are available from redhat.com

  • EX90 and Self-Provisioning IVR

    I am building a demo and I want users to be able to connect an EX90/60 to it, let it auto-register with CUCM, and then use the self-provisioning IVR to set up the device. I have Self-Provisioning set up and working with all the phones like 9971/DX650/etc. When I dial the route point number for the self-provisioning IVR on the EX90 it answers, and when I try to put in my self-service user ID to provision the EX, the IVR doesn't recognize any DTMF tones. I've looked and I've looked and can't find out why the keys aren't being recognized on the EX90. I've self-provisioned this same EX90 device in another demo and it works just fine. Can anyone clue me in on what this could be? Thanks in advance!

    Thanks, I'll keep an eye out for the new release. I looked up the bug but I saw it was for a C series and not an EX. Don't know if that makes a difference. I also tried to do the xcommand and I was able to hear the digits being sent, but it had the same results as if I pressed the keys myself on the codec. I tried other services like calling voicemail and it was able to detect the DTMF being sent to it right away. Just not the Self-provisioning IVR.
    Thanks
    Jason

  • New deploy child domain certificate server didn't publish root trust certificate to the client

    Child domain certificate didn't install into child domain workstation.
    https://support.microsoft.com/en-us/kb/281271?wa=wsignin1.0
    Certification Authority configuration to publish certificates in Active Directory of trusted domain
    Any advice?
    Thanks.

    Hi,
    >>New deploy child domain certificate server didn't publish root trust certificate to the client
    Is this an enterprise root CA or standalone CA?
    If it is an enterprise root CA, it will automatically use Group Policy to propagate its certificate to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. If it is a standalone CA, we can configure a GPO
    to distribute the certificate.
    Regarding how to use policy to distribute certificates, the following article can be referred to for more information.
    Use Policy to Distribute Certificates
    https://technet.microsoft.com/en-us/library/cc772491.aspx
    We can run the command gpupdate /force to immediately update group policy, and then we can refresh the certificates in certmgr.msc to see if the certificate will come up.
    Besides, for certificate questions, we can also ask for suggestions in the following forum.
    Security
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity
    Best regards,
    Frank Shen

  • Digital certificate server

    hi,
    We want to set up an X.509 certificate issuing server on Windows 2000.
    So how do I proceed with it?
    Can anyone help me out?
    It's urgent, please.
    thanks in advance.

    Thanks for reply.
    Do you mean the Microsoft Windows 2000 certificate server setup?
    And if yes, how do I make a request for the certificate to the same?
    Looking forward to a positive reply.

  • How many external certificates server does ACS 5.2 support?

    Hi,
    Just wondering how many external certificate servers ACS 5.2 supports?
    I failed to find the number in user guide.
    Thanks,
    -Alejin

    Hi,
    There is no known limit on the number of CAs.
    You go to
    Users and Identity Stores >
    ... >
    Certificate Authorities
    And you can create for sure more than 100 CAs.
    HTH,
    Tiago

  • Wireless bridge can't access windows certificate server

    We have 10 Cisco 1200 wireless APs. VLAN 1 uses Windows certificates for authentication and VLAN 100 is for the public. They work fine. We just bought two 1310 wireless bridges for outdoor use. We contacted Cisco support to set up these two bridges. The wireless can receive the signal but can't log on. The IP is 169.254.x.x. The certificate server receives Event ID 2 as below. The Cisco engineer can't make it work and he said setting up Windows IAS is not his expertise. Any suggestions on how we can fix this issue?
    Event Type: Warning
    Event Source: IAS
    Event Category: None
    Event ID: 2
    Date: 4/13/2007
    Time: 7:41:21 PM
    User: N/A
    Computer: DEVICES
    Description:
    User blin was denied access.
    Fully-Qualified-User-Name = chicagotech.net/Users/Bob Lin
    NAS-IP-Address = 10.0.20.54
    NAS-Identifier = Outdoor_1300_2
    Called-Station-Identifier = <not present>
    Calling-Station-Identifier = <not present>
    Client-Friendly-Name = Root Bridge1
    Client-IP-Address = 10.0.20.54
    NAS-Port-Type = Async
    NAS-Port = <not present>
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = All
    Authentication-Type = PAP
    EAP-Type = <undetermined>
    Reason-Code = 66
    Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 00 00 00 00 ....

    There are too many variables at play here, and too many unknowns... both on the server and client side... so it would be hard for anyone to offer suggestions other than the fact that you should talk to your system/network admins.
