Author Topic: Detail question on cross certification  (Read 1695 times)

cubetoon

  • Guest
Detail question on cross certification
« on: 05.02.07 - 04:21:36 »
Today I cross certified a server against a domain. That much was understandable.
But when I then tried to replicate with that server against the domain, I got the following error message:
"Your public key was not found in the name and address book"

And I found this tip on the net:
http://72.14.253.104/search?q=cache:A5eL8DcllQ0J:www.experts-exchange.com/Web/Lotus_Domino_Admin/Q_21255690.html

While doing so I noticed that other servers that are cross certified against our domain each have a Person entry in names.nsf to hold their public key for authentication.

That seems a bit odd to me. Shouldn't the cross certificate be sufficient to let a server communicate with a domain? I see no point in either copying the Server document into the target domain or creating a Person document. Besides, I can't find this kind of information in any documentation. What is right?

Sorry for the clumsy German, I really am slowly forgetting it - but a forum post like this keeps the brain fresh :-)
« Last edit: 05.02.07 - 09:29:02 by cubetoon »

Glombi

  • Guest
Re: Detail question on cross certification
« Reply #1 on: 05.02.07 - 08:11:19 »
From the KBASE:

Public key verification does not work from one organization to another
Product:
Lotus Domino  >  Lotus Domino Server  >  Versions 6.5, 6.0, 5.0
Platform(s):
AIX, i5/OS, Linux, OS/390, OS/400, Solaris, Windows, z/OS
Doc Number:
1087840

Published 06.03.2006
Technote

Problem

You are running a Domino server and discover that Public Key verification is not working from one organization to another, as demonstrated in the following example:
Two organizations, /Acme and /ABC are cross certified.  Directory assistance is configured on both servers and is enabled for the other organization's names.nsf.  The administrators for each organization enable the option "Compare Notes public keys against those stored in Directory", which is found in the Server document, Security tab, Security Settings section.   Enabling Public key verification causes the following error to display during any attempt of a user or server to open a session with the cross certified organization:
"Server error : your public key was not found in the name and address book."

Solution
This issue is under investigation by Quality Engineering.  To work around this issue, place copies of the entries or the entire Domino Directory on a server that you are authorized to use when the option is enabled.  This is usually a server within your own organization.
Optionally, to work around this issue, copy the Person and Server documents into the Domino Directory (names.nsf) of the server which has the option "Compare Notes public keys against those stored in Directory" enabled.

To automate this process, you can set up an Extended Directory Catalog (EDC) and integrate it into your primary Domino Directory. This means that your primary Domino Directory (names.nsf) will also become the EDC. The steps to set this up are documented in the Domino 6.5.1 Admin Help, Document "Setting up an Extended Directory Catalog". Please note the specific instructions about integrating the Extended Directory.

Note: To enable public key checking to work with a secondary address book defined in directory assistance, it is required to enable the "Trusted for Credentials" field on the Naming Contexts (Rules) tab of the directory assistance document for the appropriate domain.

Supporting Information:

The additional information displayed when you click on the "Compare Notes public keys against those stored in Directory" option fully documents the behavior as follows:
Select Yes to require that public keys on client IDs match those stored in the Public Address Book.  Default is No.  If you select Yes, only clients with public keys that match those in the Public Address Book can authenticate with the server.  This helps prevent unauthorized use of IDs.  For example, if an unauthorized person copies an ID and the owner changes the public key on the original as a result, select Yes to prevent the unauthorized user with the original ID and public key from authenticating.  This feature also prevents someone not listed in the Public Address Book from authenticating, for example, someone from another organization or someone who has left the company.
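The technote describes a two-step check: the cross certificate settles certificate trust, but with "Compare Notes public keys against those stored in Directory" enabled the server additionally looks the peer's public key up in its own names.nsf and in directory assistance entries flagged "Trusted for Credentials". The following is a constructed model of that decision logic, added here for illustration; it is not Domino code and not from the original thread, and the names, keys and directory contents are made up.

```python
from dataclasses import dataclass, field

@dataclass
class Directory:
    """One Domino Directory (names.nsf): canonical name -> stored public key."""
    entries: dict
    trusted_for_credentials: bool = False  # 'Trusted for Credentials' in the DA document

@dataclass
class Server:
    org: str                                        # e.g. "/Acme"
    cross_certified: set                            # orgs with which a cross certificate exists
    primary: Directory                              # the server's own names.nsf
    secondary: list = field(default_factory=list)   # directories reached via directory assistance
    compare_public_keys: bool = False               # Server document, Security tab option

KEY_NOT_FOUND = "Server error : your public key was not found in the name and address book."

def authenticate(server, peer_name, peer_org, peer_key):
    """Return 'ok' or the error a session attempt would produce (constructed model)."""
    # Step 1: certificate trust.  A cross certificate alone satisfies this step.
    if peer_org != server.org and peer_org not in server.cross_certified:
        return "no cross certificate"
    if not server.compare_public_keys:
        return "ok"
    # Step 2: key comparison.  Only the primary directory and secondary
    # directories marked 'Trusted for Credentials' are searched for the key.
    searched = [server.primary] + [d for d in server.secondary if d.trusted_for_credentials]
    for directory in searched:
        stored = directory.entries.get(peer_name)
        if stored is not None:
            return "ok" if stored == peer_key else "public key mismatch"
    return KEY_NOT_FOUND

def scenario():
    """Reproduce the failure from the technote, then each of the two workarounds."""
    abc_names = Directory({"CN=Mail1/O=ABC": "ABC-KEY-1"})      # /ABC's names.nsf, via DA
    acme = Server("/Acme", {"/ABC"}, Directory({"CN=Hub/O=Acme": "ACME-KEY-1"}),
                  [abc_names], compare_public_keys=True)
    results = {}
    results["cross-cert only"] = authenticate(acme, "CN=Mail1/O=ABC", "/ABC", "ABC-KEY-1")
    abc_names.trusted_for_credentials = True                   # workaround from the Note
    results["trusted for credentials"] = authenticate(acme, "CN=Mail1/O=ABC", "/ABC", "ABC-KEY-1")
    abc_names.trusted_for_credentials = False
    acme.primary.entries["CN=Mail1/O=ABC"] = "ABC-KEY-1"       # copied Server/Person document
    results["copied document"] = authenticate(acme, "CN=Mail1/O=ABC", "/ABC", "ABC-KEY-1")
    results["copied id, key since changed"] = authenticate(acme, "CN=Mail1/O=ABC", "/ABC", "OLD-KEY")
    return results
```

The last case shows what the option is for: once the stored key has been changed, an ID carrying the old key is rejected even though its certificate chain is still valid.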

cubetoon

  • Guest
Re: Detail question on cross certification
« Reply #2 on: 05.02.07 - 09:28:44 »
Hi Glombi,
Thanks a lot! I think that answers my question 100%. Sometimes you just don't know what to search for *slaps forehead*
So I no longer need to expect this behaviour with Domino 6.5.5 or 7.0.2?
Cheers,
Christian
