Has anyone gotten vault IDs to be stored? - UPDATED

Finally found an error in the local log:

06/03/2008 04:27:19 PM Server BobFrankCher/bob reported the following problem causing authentication to fail: Missing or invalid Vault Trust certificate. Check the log file for details.

06/03/2008 04:27:29 PM Server BobFrankCher/bob reported the following problem causing authentication to fail: Missing or invalid Vault Trust certificate. Check the log file for details.

Since I can't find any info on feedback, and no one has replied to the problem report, I am wondering if anyone has actually gotten IDs to store in the vault DB.

The “sh vaultid” shows all items filled in; there are no errors or references in the log.

thx

Subject: Can you check the server’s log under security events?

Sounds like there were problems during creation of the vault, those should be in the log. Please attach here.

Subject: There are only 5 records

Here they are… don't know why this error. Should I have a local cross certificate? The vault seems to have one.

CERTIFICATE

Certificate type: Notes Cross-Certificate

Issued By: /bob

Issued To: /vault1

Alternate names:

Combined Name: O=bob:O=vault1

Comment:

Organizations: O=bob:O=vault1

Primary key identifier: 1M76S 88DAU QURYT QA6BV S7ZQS N84BD

International key identifier: 1M76S 88DAU QURYT QA6BV S7ZQS N84BD

Current key strength: Compatible with 7.0 and later (2048 Bits)

ERROR

Events:

06/03/2008 04:53:31 PM Missing or invalid Vault Trust certificate from ‘bob barmack/bob’ to ‘/vault1’: Entry not found in index

06/03/2008 04:53:31 PM ID failed to upload to vault ‘O=vault1’. ‘bob barmack/bob’ (IP Address 192.168.0.11:2983) made request. Error: Missing or invalid Vault Trust certificate. Check the log file for details.

06/03/2008 04:54:28 PM Missing or invalid Vault Trust certificate from ‘bob barmack/bob’ to ‘/vault1’: Entry not found in index

06/03/2008 04:54:28 PM ID failed to upload to vault ‘O=vault1’. ‘bob barmack/bob’ (IP Address 192.168.0.11:2988) made request. Error: Missing or invalid Vault Trust certificate. Check the log file for details.

06/03/2008 05:13:37 PM Missing or invalid Vault Trust certificate from ‘bob barmack/bob’ to ‘/vault1’: Entry not found in index

06/03/2008 05:13:37 PM ID failed to upload to vault ‘O=vault1’. ‘bob barmack/bob’ (IP Address 192.168.0.11:3064) made request. Error: Missing or invalid Vault Trust certificate. Check the log file for details.

Subject: Missing vault trust

Sorry for the trouble you are having. Thanks for posting the certificate and the logs. The log events indicate that the cross certificate from your organization to your vault is either missing or not suitable. And its contents as you display are actually improper.

A vault trust cross certificate must be of the type Vault Trust. Here is what a working cross certificate shows as the Combined Name →

O=RECompany:VT:O=current

Notice the :VT: between the issuer and the subject. That is the code for a vault trust certificate. Yours does not have this.

This could have happened if:

  1. You upgraded to the beta release and are still using a vault you created on an earlier release. Unfortunately we don’t support this. Between code drops and or beta releases we make too many changes for backwards compatibility.

or

  2. You created a cross certificate by hand. This is not supported. It must be created by the vault create or manage tools.

or

  3. Some other bug or magic that I just can’t imagine.

To resolve the issue, delete your current vault, all its cross certificates (vault and password reset), all its policies and settings documents and then create a new vault.

Let us know how it works.

Thanks

Pete Mierswa (IBM)
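A small triage helper, added here as an example and not code from the thread or from IBM: it checks whether a cross-certificate's Combined Name carries the :VT: marker described above (issuer, VT, subject), and parses the "ID failed to upload" events from log.nsf so repeated failures per user and vault stand out. The sample log lines are constructed from the ones quoted in this thread.

```python
import re
from collections import Counter

# Constructed sample events, modelled on the log.nsf entries quoted in the thread.
SAMPLE_LOG = """\
06/03/2008 04:53:31 PM Missing or invalid Vault Trust certificate from 'bob barmack/bob' to '/vault1': Entry not found in index
06/03/2008 04:53:31 PM ID failed to upload to vault 'O=vault1'. 'bob barmack/bob' (IP Address 192.168.0.11:2983) made request. Error: Missing or invalid Vault Trust certificate. Check the log file for details.
06/03/2008 04:54:28 PM ID failed to upload to vault 'O=vault1'. 'bob barmack/bob' (IP Address 192.168.0.11:2988) made request. Error: Missing or invalid Vault Trust certificate. Check the log file for details.
"""

# Accept both straight and typographic quotes, since pasted logs often carry the latter.
UPLOAD_FAIL = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) ID failed to upload to vault "
    r"[‘'](?P<vault>[^’']+)[’']\. [‘'](?P<user>[^’']+)[’'] "
    r"\(IP Address (?P<ip>[\d.]+):\d+\) made request\. "
    r"Error: (?P<error>.+?)\. Check the log file"
)


def is_vault_trust(combined_name):
    """True when the Combined Name is issuer:VT:subject, e.g. 'O=RECompany:VT:O=current'.
    An ordinary Notes cross-certificate such as 'O=bob:O=vault1' lacks the VT marker."""
    parts = combined_name.split(":")
    return len(parts) == 3 and parts[1] == "VT" and all(parts)


def parse_upload_failures(log_text):
    """Extract timestamp, vault, requesting user, IP and error from upload-failure events."""
    events = []
    for line in log_text.splitlines():
        match = UPLOAD_FAIL.match(line)
        if match:
            events.append(match.groupdict())
    return events


def summarize(log_text):
    """Count failed uploads per (user, vault) pair so repeated failures are visible at a glance."""
    return Counter((e["user"], e["vault"]) for e in parse_upload_failures(log_text))


if __name__ == "__main__":
    print("VT cert:", is_vault_trust("O=RECompany:VT:O=current"))
    print("plain cross-cert:", is_vault_trust("O=bob:O=vault1"))
    for key, count in summarize(SAMPLE_LOG).items():
        print(key, "failed uploads:", count)
```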

Subject: Peter, got it working

I guess in the original effort, I thought I had to gen a cert and it wasn't a VT one.

One general question: if a company had been using PW recovery via the Notes facility, does the vault replace the old recovery style?

Is it meant to?

thanks

Subject: Great, glad to hear the problem is resolved

And yes, the ID vault is intended to be an “easier to use and deploy” replacement for the ID file and password recovery feature introduced in R5.

ID file and password recovery will still continue to be supported in 8.5, but we believe many customers who currently use it will likely migrate to ID vault over time. We also expect that most, if not all, customers who found it too cumbersome to deploy will be able to use the ID vault instead to replace any homegrown solution they may have implemented to maintain backup copies of ID files.

We’d be interested in feedback on those points.

Thanks again for your testing!

Subject: ID-Vault (and roaming) even better if …

… at the time of registering a new user, his ID file would be provided via the ID vault.

I just started testing LND 8.5. We are especially interested in the new possibilities for roaming. We are currently using roaming for our 12.500 users with LND 7.0.2.

So far I learned that the id-file for the first authentication is provided via the person document in the Notes directory.

There is an additional checkbox in the user registration dialog on the ID Info tab, “In personal address book”. I believe that is the announced feature providing the ID file directly via the personal address book without having to make it available for all users (still password protected, of course) in the directory. But in the Beta version it is not possible to register a user only with the ID file in the personal address book. You have to save it also somewhere else. Is this subject to change?

Do I still have to store the roaming user's ID file in his personal address book?

Are there any recommendations on how to configure roaming and ID vault?

Thanks.

Subject: ID Vault and Roaming

Yes, when Notes 8.5 ships there will be a new option to create the user ID in the Vault in addition to the 2 existing options: in the Domino directory or on disk.

Store ID in personal address book is only available when registering new roaming users. After the user’s Notes client is set up and the ID file is downloaded to the data directory, that ID file will be doubly encrypted and attached to the user’s personal address book for roaming. Notes 8.5 public Beta has a limitation for File server roaming mode only: the ID file cannot be detached during new machine setup. It will be fixed in the next Beta refresh.

You will be able to use ID Vault with Roaming. The Notes client will take advantage of having the ID file in the Vault, but the roaming code will not store the ID file in the Vault.

Subject: First login of roaming user retrieves the userid from the idvault instead of person document?

Thank you for the answer.

Did I understand you right? There will be an option in the release version resulting in the behavior described in the subject?

You may also have a look at another question of mine regarding user ID management →

Subject: Same Problem

Hello,

I have the same Problem:

In the first step I made an ID Vault as described in Admin Help.

Then I created a Security Policy just for myself.

But there is still no upload of my ID file.

The template version of the names.nsf is 8.5 (02.11.2008)

Domino-Version is 8.5 HF604

Client-Version is 8.5 HHF114

This is the cross certificate:

OU=/O=/C=:VT:O=

sh idvaults gives me this error:

Invalid or nonexistent document: No certifiers found that trust vault /

Invalid or nonexistent document: No certifiers that trust vault / trust any password resetters

This is the entry in log.nsf:

<Date/Time> Missing or invalid Vault Trust certificate from ‘<My NotesUserName’ to ‘’: Entry not found in index

<Date/Time> ID failed to upload to vault ‘O=’. ‘’ (IP Address :3126) made request. Error: Missing or invalid Vault Trust certificate. Check the log file for details.

I hope you can help me.

Subject: it works!

After I waited more than 24 h, it suddenly worked.