SDIDIAG#

SDIDiag allows an administrator to view and perform diagnostic functions for the Security Domain Infrastructure keys within a tree and to ensure that all servers are synchronized with constant keys.

SDIDIAG is provided as SDIDIAG.NLM for NetWare and as SDIDIAG.EXE, which can be run from Windows against any other platform. There is also an RPM for Linux, but we could only find one for 32-bit systems (didiag-2-2.i586.rpm).

SDIDiag is the Security Domain Infrastructure Diagnostic and repair utility. SDIDiag allows an administrator to view the various keys within a tree and to ensure that all servers are synchronized with constant keys.

By default, SDIDiag 2.2 references only servers running eDirectory 8.7.1 or later. To have SDIDiag 2.2 reference servers running versions prior to eDirectory 8.7.1, it is necessary to use the -A switch.

SDIDiag 2.2 has been tested with, and works with, eDirectory 8.8 and 8.7.3.

Universal Password has issues if the keys are not at LEAST 168 bits. Running the LK (List Keys) command in SDIDIAG shows the strength of each Security Domain Key, as in the session below.

Server : .SERVERA.NOVELL.ACME-TREE. 
Tree : ACME-TREE 
User Name (Full DN): admin.novell 

Password : ******* 

SDIDIAG> LK
Displaying keys in domain W0, object .W0.KAP.Security.WILLEKE.COM.WILLEKETREE

Displaying keys on .DWN.SRV.CSU.WILLEKE.COM.WILLEKETREE
Server : .DNW1.SRV.CSU.WILLEKE.COM.WILLEKETREE
   SDKey : 1
      Object Class : Secret Key
      Key Size : 168 bits
      Key Usage : 0x4400C0
      Key Format : DES-EDE3-CBC-IV8
      Key Id : 5C 2F 5F 19 4E F3 6E 51 43 E1 5F 0B 93 69 3D A7
      Validity : Sun Jun 27 16:36:27 2005 - Sun Feb 03 23:59:00 2036
   SDKey : 2 (Revoked)
      Object Class : Secret Key
      Key Size : 168 bits
      Key Usage : 0x400080
      Key Format : DES-EDE3-CBC-IV8
      Key Id : 47 D7 AA 81 D9 AC 3F 84 20 98 AA 14 7E 5C F9 D3
      Validity : Sun Mar 04 18:56:17 2005 - Sun Feb 03 23:59:00 2036
   SDKey : 3 (Revoked)
      Object Class : Secret Key
      Key Size : 56 bits
      Key Usage : 0x400080
      Key Format : DES-CBC-IV8
      Key Id : 40 27 67 21 CA AB 76 18 43 1D 92 05 5C 69 8E AC
      Validity : Sun Jan 01 23:59:00 1998 - Sun Feb 03 23:59:00 2036
SDIDIAG>

Using SDIDiag to gather specific SDKey information from servers [1]#

SDIDiag, Security Domain Infrastructure Diagnostic Utility Version 2.1 Jun 26 2003
Copyright 2003 Novell, Inc. All rights reserved.
Server IP Addr : 192.168.100.10
User Name (Full DN): admin.novell
Password : *******
SDIDIAG>
      • If the TREE and ORGANIZATION names are the same (i.e. the tree name is NOVELL and the Organization is NOVELL), you need to specify the whole Full DN, including the TREE NAME, or you will get errors when trying to authenticate. So, in this case it would be:

User Name (Full DN): admin.novell.NOVELL

SDIDIAG> LK -O C:\LIST.TXT#

This shows the list of keys for all the servers in the W0 object and writes the output to the file C:\LIST.TXT. Another way to gather this information is to open ConsoleOne and go to the W0 object in the Security container. Select the "Other" tab on the W0 object and view the values of the "NDSPKI:SD Key Server DN" attribute.

SDIDIAG> FS -A -O C:\SERVER.TXT#

This creates a file on the local workstation called SERVER.TXT that holds a list of all servers in the tree. The -A switch makes SDIDiag access servers regardless of their eDirectory or NICI versions. This is necessary if some servers are not running eDirectory 8.7.1 or later and you still wish to see which keys are on each of the servers.

SDIDIAG> LK -I C:\SERVER.TXT -O C:\PROCESS.TXT#

This reads the server list from C:\SERVER.TXT, lists every server in the tree together with its SDI key(s), and writes the result to C:\PROCESS.TXT.

Review the output#

Look at the PROCESS.TXT file.
  • Are there any errors in this file?
  • Do all servers have the same keys?
You should see one or more keys on every server in the list, and all servers should have exactly the same keys. The keys do not, however, have to be in the same order on each server.
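The two checks this review asks for, identical key sets on every server regardless of order and active keys of at least 168 bits, can be automated over the LK output saved to PROCESS.TXT. This is an added example, not part of the original page or of SDIDiag itself: the parser follows the LK layout shown earlier on this page, the sample output is constructed and abbreviated to the fields used, and the server DNs are placeholders.

```python
import re

# Constructed sample in the layout SDIDIAG's LK command prints, cut down to the
# fields the checks use: two servers that are out of sync (not real output).
SAMPLE_LK_OUTPUT = """\
Server : .DNW1.SRV.CSU.EXAMPLE.COM.EXAMPLETREE
   SDKey : 1
      Key Size : 168 bits
      Key Id : 5C 2F 5F 19 4E F3 6E 51 43 E1 5F 0B 93 69 3D A7
   SDKey : 3 (Revoked)
      Key Size : 56 bits
      Key Id : 40 27 67 21 CA AB 76 18 43 1D 92 05 5C 69 8E AC
Server : .DNW2.SRV.CSU.EXAMPLE.COM.EXAMPLETREE
   SDKey : 1
      Key Size : 56 bits
      Key Id : 40 27 67 21 CA AB 76 18 43 1D 92 05 5C 69 8E AC
"""
MIN_ACTIVE_KEY_BITS = 168  # Universal Password needs SD keys of at least 168 bits

def parse_lk_output(text):
    """Map each 'Server :' DN to its SDKey records ({'revoked', 'bits', 'id'})."""
    servers, keys, key = {}, None, None
    for line in text.splitlines():
        if m := re.match(r"\s*Server\s*:\s*(\S+)", line):
            keys = servers.setdefault(m.group(1), [])
        elif (m := re.match(r"\s*SDKey\s*:\s*\d+(.*)", line)) and keys is not None:
            key = {"revoked": "Revoked" in m.group(1), "bits": 0, "id": "?"}
            keys.append(key)
        elif (m := re.match(r"\s*Key Size\s*:\s*(\d+)", line)) and key:
            key["bits"] = int(m.group(1))
        elif (m := re.match(r"\s*Key Id\s*:\s*([0-9A-Fa-f ]+)", line)) and key:
            key["id"] = m.group(1).replace(" ", "").upper()  # compare as one hex string
    return servers

def review(servers):
    """Flag servers missing a key another server holds (order ignored) and weak active keys."""
    all_ids = set().union(*({k["id"] for k in ks} for ks in servers.values()))
    findings = []
    for dn, keys in servers.items():
        missing = all_ids - {k["id"] for k in keys}
        if missing:
            findings.append(f"{dn}: missing SD key(s) {sorted(missing)}")
        for k in keys:  # revoked keys are ignored; only active key strength matters
            if not k["revoked"] and k["bits"] < MIN_ACTIVE_KEY_BITS:
                findings.append(f"{dn}: active key {k['id']} is only {k['bits']} bits")
    return findings

for finding in review(parse_lk_output(SAMPLE_LK_OUTPUT)):  # or open("PROCESS.TXT").read()
    print(finding)
```

On the sample, only the second server is reported: it lacks the 168-bit key the first server holds, and its only active key is 56-bit DES; the revoked 56-bit key on the first server is correctly left alone.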

SDIDIAG Switches#

Some more details on other SDIDIAG Switches

More Information#

There might be more information for this subject on one of the following:
[#1] - http://www.novell.com/support/kb/doc.php?id=3455150 2012-09-13

« This page (revision-8) was last changed on 13-Sep-2012 12:33 by jim