Head in a blender


When ID Vault seems to stop working properly

Andy Pedisich  June 20 2016 08:38:57 PM
Had a situation recently where a user kept getting the message that their certificate had expired.  But we were using ID vault and had recertified the person doc.

Certificate still expired?  I had just two words for that.  Im possible.

But it was true.  When we downloaded the ID from ID Vault it clearly was expired, in spite of the fact that it looked like we had re-certed successfully.  The villain? A public key on the ID file that was not the same as the one in the Domino directory.  The recert doesn't happen if the public keys don't match.  There's a myriad of stuff that breaks when the keys don't match.

That's not the first time I have seen this occur, although I am not sure of how it actually happens.  Let's forget about the "how" for a second and let's just say, "Shoot, it just happens."

More importantly, how can you detect that it happens so you can avoid the repercussions?  You can detect it by setting the server document to log key mismatches.
[Screenshot: the server document setting that logs public key mismatches]

That setting will alert you to the fact that there is a mismatch between the public key in a person document in the address book and the actual public key that's in the ID file.  It will log it in the Domino server log like this:

05/15/2013 23:51:07   Jack Torrance/OverlookHotel from host [] encountered non-fatal problem during authentication: Your public key does not match the one stored in the Address Book
05/15/2013 23:51:07   Opened session for Jack Torrance/OverlookHotel (Release 8.5.2FP2)
05/15/2013 23:51:07   Closed session for Jack Torrance/OverlookHotel Databases accessed:     1   Documents read:     0   Documents written:     0
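As an added example (not part of the original post), here is a small Python script that does the "search the logs for 'public key'" step in a form that could feed an email alert: it parses mismatch lines in the Domino log format quoted above and summarizes them per user. The log lines inside it are constructed for the example, starting from the three quoted above plus made-up extra entries.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Domino server log lines, modelled on the ones quoted
# above; the extra user names and times are made up for this example.
SAMPLE_LOG = """\
05/15/2013 23:51:07   Jack Torrance/OverlookHotel from host [] encountered non-fatal problem during authentication: Your public key does not match the one stored in the Address Book
05/15/2013 23:51:07   Opened session for Jack Torrance/OverlookHotel (Release 8.5.2FP2)
05/15/2013 23:51:07   Closed session for Jack Torrance/OverlookHotel Databases accessed:     1   Documents read:     0   Documents written:     0
05/16/2013 08:02:44   Wendy Torrance/OverlookHotel from host [] encountered non-fatal problem during authentication: Your public key does not match the one stored in the Address Book
05/16/2013 09:15:01   Opened session for Danny Torrance/OverlookHotel (Release 8.5.2FP2)
05/17/2013 07:30:12   Jack Torrance/OverlookHotel from host [] encountered non-fatal problem during authentication: Your public key does not match the one stored in the Address Book
"""

# Matches the mismatch line: timestamp, hierarchical user name, optional host.
MISMATCH_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<user>[^\s].*?)\s+from host \[(?P<host>[^\]]*)\]"
    r".*Your public key does not match the one stored in the Address Book"
)

def find_key_mismatches(log_text):
    """Return {user: {"count": n, "first": datetime, "last": datetime, "hosts": set}}."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "hosts": set()})
    for line in log_text.splitlines():
        m = MISMATCH_RE.match(line)
        if not m:
            continue  # session open/close lines and anything else are ignored
        ts = datetime.strptime(m.group("ts"), "%m/%d/%Y %H:%M:%S")
        entry = hits[m.group("user")]
        entry["count"] += 1
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
        if m.group("host"):  # the host field is empty in the lines above
            entry["hosts"].add(m.group("host"))
    return dict(hits)

def mismatch_report(log_text):
    """One line per affected user, ready to paste into an alert email."""
    lines = []
    for user, e in sorted(find_key_mismatches(log_text).items()):
        lines.append(f"{user}: {e['count']} mismatch(es), first {e['first']:%Y-%m-%d %H:%M}, last {e['last']:%Y-%m-%d %H:%M}")
    return lines

if __name__ == "__main__":
    print("\n".join(mismatch_report(SAMPLE_LOG)))
```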

If you want to comb through the logs looking for the error, then leave it at that.  Just walk away from the keyboard.  If you just have a couple of servers to worry about, then you're probably good to just search the logs for "public key" occasionally and you'll find it.  But if you'd rather be notified via email, create an event handler in the events4.nsf Monitoring Configuration database.  Make it look like this:

[Screenshots: the event handler configuration in the events4.nsf Monitoring Configuration database]

You'll be notified by email of public key mismatches before they cause a problem. Then all you need to do is fix the problem by making a copy of the user's public key from their ID file:
[Screenshot: copying the public key from the user's ID file]

...and pasting it into the Public Key field of their person document:
[Screenshot: pasting the key into the Public Key field of the person document]

Done deal. Take the rest of the day off. And you'll be set to be the caretaker of the domain for another season.  


Location: Home after a long day at the keyboard

Rob’s SAML presentation from MWLUG has been posted

Andy Pedisich  September 7 2015 12:39:57 PM
I had some time over the holiday weekend so I caught up on the stuff that had been lagging behind.

Specifically I posted Rob's SAML presentation from MWLUG.  This is pretty much a step by step deal that explains the ins and outs of putting together a SAML environment.

MWLUG was fantastic!  Lots of great presentations and it was indeed great to see friends and accomplices.




SAML Presentation from MWLug

Andy Pedisich  August 24 2015 11:14:36 AM
We should have the presentation available on the blog later today.



We’re going to MWLug 2015 in August

Andy Pedisich  July 24 2015 11:52:24 AM
I am very pleased to be going to Atlanta again.  Last time I was there it was to take some IBM training on the iSeries.

This time, we'll be doing one of Rob's favorite security topics, SA101: AD + SAML + Kerberos + IBM Notes and Domino = SSO!  This topic is unbelievably useful, especially since there are a lot of enterprises that are trying to figure out how to piece together some kind of single sign-on process for cloud implementations.  Almost every cloud migration we've done in the last year was preceded by either a major re-working of an existing SSO technology or a replacement of the existing SSO technology by something completely different.

Also I've found that putting together SSO can be one of the most cantankerous and fussy processes to work with.  And the more applications there are for SSO to work with, the more moving parts there are.

This conference will be a really nice opportunity to see people I don't get to see very often, share stories and socialize in general.

There will be over 40 sessions.  The sessions and speaker list are impressive.  And they are still taking registrations for the conference, which is from August 19th to the 21st.  Visit www.mwlug.com for details.  There are still inexpensive flights available.

Hope to see you there!