ID Vault trust certificate missing

I created an ID Vault but I can’t see the vault trust certificates on the primary server. When I replicate the names.nsf to other servers I can see the VT certificates on them but not the primary.

Below is the copy-and-paste from the “Create ID Vault” process.

You have successfully created the Notes ID vault ‘IDVault’.

In the process of creating the vault the following tasks have been run.

Created Notes ID vault Document

Created Notes ID vault Trust Certificates

Created Notes ID vault Password Reset Authorities

Created Notes ID vault ID file (C:\Program Files\lotus\notes\data\ids\vault\idvault.id).

Created Notes ID Vault /IDVault

Vault database path: \IBM_ID_VAULT\IDVault.nsf

Add vault trust certificates to the following organizations:

    /MAYBERRY was successfully added.

Add the following password reset authorities:

    Andy Taylor/MAYBERRY will be able to sign self service password reset agents

Security Events:

Missing or invalid Vault Trust certificate from ‘Barney Fife/MAYBERRY’ to ‘/IDVault’: Entry not found in index.

I’ve deleted and re-created the vault a number of times. I followed the Admin help topics and the article in Dominowiki.

Any ideas?

Also…

sh idvault

ID Vault /IDVault (E:\Lotus\Domino\Data\IBM_ID_VAULT\IDVault.nsf)

Control Vault Name: /IDVault

Control Vault Servers: NOTES/MAYBERRY

Vault Operations Key: VO-glgt-fmbz/NOTES/IDVault

Servers: NOTES/MAYBERRY

Vault Name: /IDVault

Description: ID Vault

Administrators: Andy Taylor/MAYBERRY

Servers: NOTES/MAYBERRY

Administration Server: NOTES/MAYBERRY

Invalid or nonexistent document: No certifiers found that trust vault /IDVault

Invalid or nonexistent document: No certifiers that trust vault /IDVault trust any password resetters

Setting Vault Settings uses this vault

Also…

I am using the CA process.

sh server

Lotus Domino (r) Server (Release 8.5 HF211 for Windows/32) 04/20/2009 02:00:59 PM

Here is the vault certificate on one of the other servers (not the primary).

Basics

Certificate type: Notes Cross-Certificate

Issued By: /MAYBERRY

Issued To: /IDVault

Alternate names:

Combined Name: O=MAYBERRY:VT:O=IDVault

Comment:

Organizations: O=MAYBERRY:VT:O=IDVault

Primary key identifier: 1Z5HA D24K9 6D73A 4EC5S KKD8X 5342B

International key identifier: 1Z5HA D24K9 6D73A 4EC5S KKD8X 5342B

Current key strength: Compatible with 7.0 and later (2048 Bits)

Subject: Are you using the latest and greatest directory template on all of the servers?

Subject: Well…I thought so…

I answered “Yes” during the upgrade when it asked me if I wanted to upgrade my directory.

Here is the info from the design tab from the directory properties.

Template name: StdR4PublicAddressBook

Template version is 8.5 (11/02/2008)

All of my address books (admin server and others) have the same design properties. The admin server does not show the Vault Certs but the other servers do.

Subject: Should I replace design of directory?

It is based on the template StdR4PublicAddressBook. It also says “Template version is 8.5 (11/02/2008)”.

Subject: I’m sure you’ve looked but…

In your administration client, click on the Configuration tab. Then expand Security. Expand Certificates and then select Certificates. Then you should be able to see Vault Trust Certificates.

Subject: Yes

I did go to that view on the Config tab. The crazy thing is that when I replicate the names.nsf file over to other servers, the Vault Certs show on the other servers but not the primary server (where the vault was created). Also, the Password Reset Certs show on the other servers but not the primary server.

Seems to me that when I replicate the names.nsf file over to the other servers and the VT and PSR certs show, then they must’ve been in the directory but were being blocked from view on the primary server.

The primary server is my admin server for the directory and is running the CA process. The other servers are not.

Subject: Can’t get Vault Trust Cert to create

Still not working. VT cert shows up on other servers when names.nsf replicates to those servers but does not show on admin server where the ID Vault was created.

Any ideas?

Subject: ID Vault cert trust

Do you still have this issue or did you get it resolved? I have the same issue, but I believe that it is related to the cert ID being set up for the CA process. It should work in Domino 8.5.1, which I’ll be testing this weekend.

Subject: ID Vault trust cert

So what is the solution??? We upgraded to 8.5.1 recently and I am just trying to get IDVault to work. Getting the same errors as the posts above.