Cross-certification problem

Hi there,

I’ve been reading up and verifying the steps I’ve taken, but I’m stuck trying to get two servers in different domains to talk. I’ve:

Created the connection document on server1/DomainA to connect to Server2/Domain2 (specifying server 2’s IP address etc)

Created Safe IDs for Server1 & Server2

Cross-certified Server1 with Server2 & vice versa (but not the OU, just the servers) using the Administrator, Tools → Cross Certify option

On server1, I can issue a Trace to Server2/DomainB and I get:

Server Server2/DomainB reported the following problem causing authentication to fail: Your public key was not found in the Name and Address Book.

I can confirm that within the Certificates view of Server2’s NAB, an entry appears under “Notes Cross Certificates” → /DomainB, for Server1/DomainA.

The configuration is as follows:

Server1/DomainA is running 7.0.2FP2 on RHAS 4, and cross-certified the safe id of Server2/DomainB using the certifier ID

Server2/DomainB is running 7.0.3 on RHAS 4, and cross-certified the safe ID of Server1/DomainA using the CA process. Server2’s ACL allows access for Server1. Server2 is using Directory Assistance to extend its user authentication base, but the cross-certificate is in the Primary NAB, which is NOT listed in the DA helper DB.

As a test, I changed the “Compare Public Keys” setting for Server2/DomainB from “Enforce key checking for all Notes users and Domino servers” to “Do not enforce key checking”. This allowed Server1 to access Server2, but it is not ideal and I want to change this back as soon as possible.

Can someone give me some hints on how to fix the issue?

Subject: Cross-certification problem

If I missed something, I apologize, but in both domains that I’ve cross-certified I had to place a copy of the OTHER domain’s server document(s) in my address book.

I suspect your problem is the same as mine: server 2 can’t find server 1’s certificate. Copying server 1’s server doc to server 2’s address book and vice versa will work around the issue, and you will be able to set “Compare Public Keys” back on.

Subject: RE: Cross-certification problem

Hi Mark,

Thanks for the response; it’s something I had read somewhere else and dismissed. I’m confused, however, as to the point of cross-certifying if a copy of the server’s server document is required to complete the job… Anyway, I also found this:

http://www.dominoblog.com/dominoblog/dblog.nsf/dx/improving-the-security-of-new-user-registration?opendocument&comments

which confirms what you’ve said, and I’ve gone the server document copy method (as opposed to disabling the option altogether) which works fine…

Kind regards

Simon Delicata

Subject: RE: Cross-certification problem

Hi guys,

I hope you still read this.

I am having the same problem as you do, except that I don’t have one of the O certifiers’ passwords and I had to make an O-OU cross-certification.

I have tried copying all of the certifier and cross-certifier documents from one server to another, but I can only log in one way: from the server whose O password I don’t have to the one whose password I do have.

That is, users from the server whose password I don’t have can log in to the other server, but when users from the new domain try to log in to the other server, where I don’t have the password, they get this error.

I tried to copy the server documents also, but no luck.

I know that cross-certifying at O-OU is no good, but could you tell me if you did anything else to make it work?

Thanks!