Good morning.
My department’s Domino expert has left the company after 10 years and his replacement, a newcomer to Notes/Domino, has now left the company after just a couple of months. I’m now trying to fix a serious problem with our certification.
Since moving all of our European accounts & to a new certifier a couple of months ago, new accounts are created with no problems and their ID files are created on a server share. The ID files on the client machines of users whose accounts were active during the move seem to be OK. The rest are denied access to the server when trying to open their mail files, with error messages saying their certificate has expired. Recertifying them through the address book doesn’t seem to modify the ID file on their users’ machine.
The big problem is users whose IDs were created in the last few years but were not in use around the time of the move - in most cases, the only copies we have of these are from the server share and the files may be years old. Many of these users simply didn’t use their email or only logged on to webmail while sharing a PC at work, but as the importance of their working roles increases, they may be required to move into their own office and begin to use the Notes client. Another problem occurred when a PC’s hard disk failed and the working ID file went with it. The only other copy we had of the file was years old and still attached to the old certifier. In the end I had to delete the user’s account, re-create her and modify the ACLs of the databases she uses to include her new account - not a very streamlined method.
Is there a way to manually move an ID file onto the new certifier? Prior to the move, we had a mail-in database which received updated copies of ID files whenever the password was updated - could something similar be set up so that we can have a single point for the updated files?
I’m sure that I have missed out some important details so if anybody requires more information in assisting me I will be happy to help.
Thanks in advance,
Tom Banks
Subject: Existing ID files not updated after moving to new certifier
I don’t know if this is something I can adequately explain in a short space, but here goes:
To update the certifier on those ID files that were “left behind”: Usually, I would recommend doing this via the admin client, actions>recertify selected people. The next time the user attempts to connect to the server, their ID file should be updated automatically. Sometimes this takes a few hours to a day to kick in though.
The “delete and recreate the person” method is the old-school way to do it, and does work. You can make it easier by deleting the person document only, not using adminp. When you recreate her, use exactly the same name, different mailfile name. Then change the person doc to point to the old mailfile, and delete the new mailfile. Because you didn’t use adminp, her name is still in all the ACLs of her databases, and works.
To help a user update the certificate on the file they already have, read the client help document “Sending and receiving Notes certificates to establish trust”. This should get you started figuring out how to provide them the certificate information outside of the normal update process.
With regards to your question about a mail-in database to receive copies of the ID files: Read in the Admin Help “Setting Up ID Recovery”.
Subject: RE: Existing ID files not updated after moving to new certifier
Thanks for the reply but I managed to figure out a fix. The method you describe is what I was doing - creating new mail file, deleting and giving ‘new’ account access to old mail file.
Here’s my procedure:
- Open Notes on the client PC, switch to the user ID and cancel the numerous ‘access denied’ messages.
- Open File > Security > User Security
- Expand Your Identity and click Your Certificates. Click Other Actions and open Mail, Copy certificate. Click Copy Certificate on the window that appears.
- Open the user’s person record on the Domino address book and delete all references to new certifier. Should just be in the User Name field and in the Owners field on the Administration tab.
- Click the Certificates tab, delete the Notes Certified Public Key and paste in the one that was copied from the User Security window on the client PC.
- Recertify using old certifier.
- Run tell admin proc new, and replicate admin4 and names if necessary.
- Check that the process has completed in the administrative requests view. If so, you should be all set to open the mail file on the client PC. The whole process for me now takes about 15 mins.
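The procedure above hinges on knowing which person records still carry names under one certifier rather than the other (the User Name and Owners fields). The following is an added example, not code from anyone in this thread and not a Domino-supplied tool: a small Python audit that parses Notes hierarchical names in both canonical ("CN=Tom Banks/OU=Europe/O=Acme") and abbreviated ("Tom Banks/Europe/Acme") form, extracts the certifier part, and lists every name in the chosen fields that was issued under a given certifier. The person records are a constructed in-memory sample; exporting real records from names.nsf (for example through the Domino API or a view export) is assumed and not shown. The abbreviated-form parsing treats the last component as O and does not handle a trailing country code, which is an assumption of this example.

```python
"""Audit Domino Directory person records for names issued under a given
certifier. Added example for this thread; the records below are a
constructed sample, not an export of a real names.nsf."""

CANONICAL_TAGS = ("CN", "OU", "O", "C")


def parse_name(name: str) -> list:
    """Split a Notes hierarchical name into (tag, value) components.

    Canonical form ("CN=Tom Banks/OU=Europe/O=Acme") is parsed exactly.
    Abbreviated form ("Tom Banks/Europe/Acme") is parsed on the assumption
    that the first component is CN, the last is O and the rest are OUs;
    a trailing two-letter country code is not handled here.
    """
    parts = [p.strip() for p in name.strip().split("/") if p.strip()]
    if not parts:
        raise ValueError("empty name")
    if all("=" in p for p in parts):
        comps = []
        for p in parts:
            tag, _, value = p.partition("=")
            tag = tag.upper()
            if tag not in CANONICAL_TAGS:
                raise ValueError(f"unknown component {tag!r} in {name!r}")
            comps.append((tag, value))
        return comps
    if len(parts) == 1:
        return [("CN", parts[0])]  # flat name: no certifier at all
    comps = [("CN", parts[0])]
    comps += [("OU", p) for p in parts[1:-1]]
    comps.append(("O", parts[-1]))
    return comps


def certifier_of(name: str) -> str:
    """Return the certifier part of a name in abbreviated form,
    e.g. 'Tom Banks/Europe/Acme' -> '/Europe/Acme'. Flat names give ''."""
    tail = [value for tag, value in parse_name(name) if tag != "CN"]
    return "".join("/" + v for v in tail)


def names_under_certifier(records, certifier, fields=("FullName", "Owners")):
    """Return (user, field, value) for every name in the given fields of
    each record that was issued under `certifier`. Comparison is
    case-insensitive, matching how Notes compares names."""
    want = certifier.lower()
    hits = []
    for rec in records:
        user = rec["FullName"][0]
        for field in fields:
            for value in rec.get(field, []):
                if certifier_of(value).lower() == want:
                    hits.append((user, field, value))
    return hits


# Constructed sample person records (field names as in the Domino Directory).
SAMPLE_RECORDS = [
    {"FullName": ["CN=Tom Banks/OU=Europe/O=Acme", "Tom Banks"],
     "Owners": ["CN=Tom Banks/OU=Europe/O=Acme"]},
    {"FullName": ["CN=Jane Doe/OU=EMEA/O=Acme"],
     "Owners": ["CN=Jane Doe/OU=EMEA/O=Acme", "CN=Domino Admin/O=Acme"]},
    {"FullName": ["Sam Lee/Europe/Acme"],
     "Owners": []},
]


if __name__ == "__main__":
    # List every reference still issued under the /Europe/Acme certifier.
    for user, field, value in names_under_certifier(SAMPLE_RECORDS, "/Europe/Acme"):
        print(f"{user}: {field} = {value}")
```

Run it against an exported set of person records with the certifier you are retiring to get the list of documents whose User Name or Owners fields still need attention; the flat short name ("Tom Banks") is deliberately ignored because it carries no certifier.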