Vault missing or invalid vault trust certificate after upgrade to 8.5.1

Hi,

we upgraded our server (7.0.4) to version 8.5.1 and everything seems to work fine except the Vault.

I’ve created the vault-db through the admin wizard, which then created the policies and the password reset authority for the O/OUs.

“Old” IDs are being uploaded to the vault and newly registered users can fetch their IDs from the vault without any issues.

The issues we have are that we cannot reset user passwords and are also not allowed to extract IDs from the vault, even as a password reset authority.

A vault log analysis always shows the same critical error:

Could not locate certificate for ‘/ADAC/DE’:Entry not found in index

Missing or invalid Password Reset Trust certificate from ‘testuser/ADAC/DE’ to ‘JannisT/ADAC/DE’: Entry not found in index

Even after deleting and recreating the vault-db and vault-certificates the problem still exists.

Any help would be much appreciated.

Regards,

Jannis T

Subject: Check on certs in server directory and Auditor role

Password resetting:

Take a look at the certificates view in the server directory (Configuration - Security - Certificates). What do you see?

Are the expected certificates there, such as 1) Notes certifier /ADAC/DE and 2) the password reset certificate issued by /ADAC/DE to JannisT/ADAC/DE?

Make sure those certificates are there.

If the password reset certificate is not there, use the Password Reset Authority tool to add the person as a password resetter.

Extracting an ID file:

A vault administrator must be assigned the Auditor role in the vault database ACL to extract an ID from a vault. Make sure the person attempting to extract the ID file has been assigned the Auditor role.

Also, check that you have not disabled the Auditor role through the server notes.ini setting SECURE_DISABLE_AUDITOR=1.

Subject: The following resolved the issue for me

Hi,

I experienced the exact same issue, and after months of troubleshooting the below steps resolved it.

  1. From the administration client → Configuration Tab → Security → Certificates - Notes Certifiers → choose the document YOURDOMAIN. Right-click this document, select document properties and select the second tab (Field tab). Check the below field values; these fields should have the value “/O=YOURDOMAIN”. (Note: since we already ran the agent last time to change the value of the field IssuedTo, even if this field shows the value “O=YOURDOMAIN”, please continue with the below steps.)

     “FullName”, “IssuedBy” & “IssuedTo”

  2. Now create an agent on the names.nsf with the name Refresh, with the below formula code, and in the agent window please select Target as NONE.

     @Command([ToolsRefreshSelectedDocs])

  3. Save the agent.

  4. From the administration client → Configuration Tab → Security → Certificates - Notes Certifiers → select the document YOURDOMAIN, then go to Actions and select Refresh. This will run the agent on the document. (Please note: this will not hamper any operation of the Domino server.)

  5. Now check the document properties of the certifier document for YOURDOMAIN and see what the values of the below fields are. If these fields show “O=YOURDOMAIN”, you should now be able to reset the password using the ID Vault.

     “FullName”, “IssuedBy” & “IssuedTo”

Subject: This would mean the same as saving the /ORG certificate, which indeed solves the issue

Subject: Try this

We had the same sort of problem with our ID Vault setup, and we were able to resolve the issue by removing the leading slash in the Fullname, IssuedBy and IssuedTo fields in the Notes Certifier document via a one-off agent.
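Before touching those fields with a one-off agent, it helps to see exactly which certifier documents carry the leading slash. The following read-only LotusScript agent is an added example and is not code from any poster in this thread: run from names.nsf, it lists the FullName, IssuedBy and IssuedTo values of every certifier document and flags the ones beginning with “/”, modifying nothing. It assumes certifier documents use the form named “Certifier”; if your directory template differs, adjust the selection formula.

```lotusscript
' Added example, not from any poster in this thread.
' Read-only check: report which Notes Certifier documents in names.nsf still
' carry a leading slash in FullName, IssuedBy or IssuedTo. Nothing is changed.
' Assumption: certifier documents are stored with Form = "Certifier".
Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim coll As NotesDocumentCollection
    Dim doc As NotesDocument
    Dim fieldNames(2) As String
    Dim values As Variant
    Dim value As String
    Dim i As Integer
    Dim flagged As Integer

    fieldNames(0) = "FullName"
    fieldNames(1) = "IssuedBy"
    fieldNames(2) = "IssuedTo"

    ' Run this agent from the Domino Directory (names.nsf)
    Set db = session.CurrentDatabase
    ' Nothing = no date cut-off, 0 = no document limit
    Set coll = db.Search("Form = ""Certifier""", Nothing, 0)

    Set doc = coll.GetFirstDocument
    Do Until doc Is Nothing
        For i = 0 To 2
            ' GetItemValue returns an array; the first element is the name
            values = doc.GetItemValue(fieldNames(i))
            value = Cstr(values(0))
            If Left$(value, 1) = "/" Then
                Print "Certifier " & doc.UniversalID & ": " & fieldNames(i) & " = " & value & "  <-- leading slash"
                flagged = flagged + 1
            Else
                Print "Certifier " & doc.UniversalID & ": " & fieldNames(i) & " = " & value
            End If
        Next
        Set doc = coll.GetNextDocument(doc)
    Loop

    Print Cstr(flagged) & " field(s) with a leading slash found; compare each against the name stored in the matching cert.id before editing."
End Sub
```

The output goes to the Notes status bar (or the agent log when run on the server); comparing it against the name actually stored in cert.id matters, because, as a later reply in this thread shows, stripping the slash from the document while the certifier ID still reads “/ADAC/DE” breaks the password reset authority assignment.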

Subject: Doesn’t work so far

Hi Chris,

our notes certifier document looks like this:

Certifier type: Notes Certifier

Certifier name: /ADAC/DE

Issued by: /ADAC/DE

Issued to: O=ADAC/C=DE

I’ve removed the leading slashes in “Certifier name” and “Issued by”, but the error message still remains.

Removing the slashes also reset the password reset authority settings for the O/OU. I tried to add the admins again to the PRA but failed on a missing cert.id for the new “ADAC/DE” entry. It complains that the cert.id I try to use is made for “/ADAC/DE” and not “ADAC/DE”.