Andy Pedisich May 20 2013 08:38:57 PMHad a situation recently where a user kept getting the message that their certificate had expired. But we were using ID vault and had recertified the person doc.
Certificate still expired? I had just two words for that. Im possible.
But it was true. When we downloaded the ID from ID Vault it clearly was expired, in spite of the fact that it looked like we had re-certed successfully. The villain? A public key on the ID file that was not the same as the one in the Domino directory. The recert doesn't happen if the public keys don't match. There's a myriad of stuff that breaks when the keys don't match.
That's not the first time I have seen this occur, although I am not sure of how it actually happens. Let's forget about the "how" for a second and let's just say, "Shoot, it just happens."
More importantly, how can you detect that it happens so you can avoid the repercussions? You can detect it by setting the server document to log key mismatches.
That setting will alert you to the fact that there is a mismatch between the public key in a person document in the address book and the actual public key that's in the ID file. It will log it in the Domino server log like this:
05/15/2013 23:51:07 Jack Torrance/OverlookHotel from host [10.254.138.5:61250] encountered non-fatal problem during authentication: Your public key does not match the one stored in the Address Book
05/15/2013 23:51:07 Opened session for Jack Torrance/OverlookHotel (Release 8.5.2FP2)
05/15/2013 23:51:07 Closed session for Jack Torrance/OverlookHotel Databases accessed: 1 Documents read: 0 Documents written: 0
If you want to comb through the logs looking for the error, then leave it at that. Just walk away from the keyboard. If you just have a couple of servers to worry about, then you're probably good to just search the logs for "public key" occasionally and you'll find it. But if you'd rather be notified via email, create an event handler in the events4.nsf Monitoring Configuration database. Make it look like this:
You'll be notified by email of public key mismatches before it causes a problem. Then all you need to do is fix the problem by making a copy of the user's public key from their ID file:
...and pasting it into the Public Key field of their person document:
Done deal. Take the rest of the day off. And you'll be set to be the caretaker of the domain for another season.
Location: Home after a long day at the keyboard
- Comments