SECURITY DOMAIN SERVER MANAGEMENT

| Name                            | Command             | Shortcut Command |
|---------------------------------|---------------------|------------------|
| Add All Write Partition Servers | ADDPARTITIONSERVERS | AP               |
| Add Domain Server               | ADD                 | AS               |
| List Domain Server              | LISTSERVERS         | LS               |
| Remove Domain Server            | REMOVE              | RS               |
| Sync Domain Server              | SYNCDOMAIN          | SD               |

SERVER MANAGEMENT

| Name                          | Command     | Shortcut Command |
|-------------------------------|-------------|------------------|
| Find Servers in Container     | FINDSERVERS | FS               |
| List Server Keys              | LISTKEYS    | LK               |
| Resync Keys for Container     | RESYNC      | RD               |
| Sync Server Keys from Domain  | SYNCSERVERS | SS               |

DIAGNOSTIC

| Name                         | Command | Shortcut Command |
|------------------------------|---------|------------------|
| Check Key or Domain Problems | CHECK   | CK               |

OTHER COMMANDS

| Name                        | Command      | Shortcut Command |
|-----------------------------|--------------|------------------|
| Help on most used commands  | HELP         | HE               |
| Exit SDIDiag                | EXIT or QUIT | E or I           |

| Item | Description |
|------|-------------|
| `>` | Redirect output to a file using the '>' redirection switch. |
| `>>` | Append output to an existing file. |
| -A | Access servers regardless of their eDirectory or NICI versions. By default, SDIDiag Version 2.00 (Thursday, May 22, 2003) references only servers running eDirectory version 8.7.1 or higher. NOTE: It is strongly recommended that all servers be running a minimum of NICI 2.4.2 or higher. |
| -F | Force operation. Depending on the command, the -F switch removes any Security Domain Servers that do not hold a writeable replica of the W0.KAP.Security object. |
| -G | Generate a new key. When used with the SD command, all Security Domain Servers will be synchronized to hold this new key. |
| -I file | Specify an input file of server names to access. This switch specifies a file that holds a list of serverDNs for the command to process. In most cases, the objects are fully qualified dot-delimited distinguished names, one server per line. Normally the -O file switch creates this file. |
| -N containerDN | Specifies, as a fully qualified dot-delimited distinguished name, the container that the command will reference. |
| -O file | Create an output file of server names. This switch defines a file to hold output information that may be passed to a command via the -I file switch. Normally, the -O file will contain a list of fully qualified dot-delimited distinguished names of servers. |
| -R | Revoke all keys. The -R switch implicitly performs a -G switch operation after revoking all the keys. |
| -S serverDN | Specifies a server by its fully qualified dot-delimited distinguished name. NOTE: serverDN includes the tree name, for example: -S SERVERA.NOVELL.TEST-TREE |
| -T | Two-pass "Comprehensive" switch for the RD command. |
| -U file | Create a file of servers with incompatible NICI SDI support. The -U switch creates a file that contains the fully qualified dot-delimited distinguished names of servers on which NICI must be upgraded to fully support multiple SDI keys. These server names are not displayed when this switch is omitted. |
| -V | Verbose; display all messages to the SDIDiag console. |
| -X | Limit the search for servers to the container specified with the -N containerDN switch. |

EXAMPLES OF SDIDiag COMMANDS

Basics

Authenticating

SDIDiag, Security Domain Infrastructure Diagnostic Utility
Version 2.2 (Jan 31 2006)
Copyright (C) 2003-2006 Novell, Inc. All rights reserved.

Server IP Addr (:port)  : 192.168.1.4
   User Name (Full DN)  : cn=admin.ou=administration.dc=willeke.dc=com

Password : ********

Security Domain Infrastructure MANAGEMENT

Add server -S serverDN as a Security Domain Server.

AS [-A] [-V] [-S serverDN]  [> file | >> file]

Another way to do this is to open Console One and go to the W0 object in the Security Container. Select the "Other" tab on the W0 object and add an additional server as an attribute value to the "NDSPKI:SD Key Server DN" attribute.

List keys held by the Security Domain Servers.

LK [-A] [-V] [-S serverDN]  [> file | >> file]

All servers listed under the "NDSPKI:SD Key Server DN" attribute on the "Other" tab of the W0 object will be displayed with their associated SD Keys.

SDIDIAG> LK
Displaying keys in domain W0, object .W0.KAP.Security.WILLEKETREE.
Displaying keys on .francis.svr.willeke.com.WILLEKETREE.
Server : .francis.svr.willeke.com.WILLEKETREE.
   SDKey : 1
      Object Class : Secret Key
      Key Size : 168 bits
      Key Usage : 0x4400C0
      Key Format : DES-EDE3-CBC-IV8
      Key Id : AB 4B C7 9C FF 97 8E CE 7A 53 B9 1E 5A 6F DC 37
      Validity : Sun Jan 03 19:06:38 2005 - Sun Feb 03 23:59:00 2036
Displaying keys on .SH.svr.willeke.com.WILLEKETREE.
Server : .SH.svr.willeke.com.WILLEKETREE.
   SDKey : 1
      Object Class : Secret Key
      Key Size : 168 bits
      Key Usage : 0x4400C0
      Key Format : DES-EDE3-CBC-IV8
      Key Id : AB 4B C7 9C FF 97 8E CE 7A 53 B9 1E 5A 6F DC 37
      Validity : Sun Jan 03 19:06:38 2005 - Sun Feb 03 23:59:00 2036
SDIDIAG>
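As an added example (not part of SDIDiag or the original page), the following Python parses LK output in the layout shown above and flags Security Domain Servers whose key sets differ, or whose keys fall outside their validity window, which is the kind of mismatch that SD and RD are used to repair. The sample input is constructed from the page's own listing; the second server's extra SDKey 2 and the "current" date are invented so that the check has something to report.

```python
from datetime import datetime

# Constructed sample in the layout of the LK output above; the second
# server carries an extra, long-expired SDKey 2 so that findings appear.
SAMPLE_LK = """\
Server : .francis.svr.willeke.com.WILLEKETREE.
   SDKey : 1
      Key Id : AB 4B C7 9C FF 97 8E CE 7A 53 B9 1E 5A 6F DC 37
      Validity : Sun Jan 03 19:06:38 2005 - Sun Feb 03 23:59:00 2036
Server : .SH.svr.willeke.com.WILLEKETREE.
   SDKey : 1
      Key Id : AB 4B C7 9C FF 97 8E CE 7A 53 B9 1E 5A 6F DC 37
      Validity : Sun Jan 03 19:06:38 2005 - Sun Feb 03 23:59:00 2036
   SDKey : 2
      Key Id : 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10
      Validity : Mon Jan 01 00:00:00 2001 - Tue Jan 01 00:00:00 2002
"""
DATE_FMT = "%a %b %d %H:%M:%S %Y"   # format of the Validity timestamps
SAMPLE_NOW = datetime(2012, 8, 6)   # constructed "current" date for the check

def parse_lk(text):
    """Return {serverDN: {key_id: (not_before, not_after)}} from LK output."""
    servers, current, key_id = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Server :"):
            current = line.split(":", 1)[1].strip()
            servers[current] = {}
        elif line.startswith("Key Id :"):
            key_id = line.split(":", 1)[1].strip()
        elif line.startswith("Validity :") and current and key_id:
            start, end = line.split(":", 1)[1].split(" - ")
            servers[current][key_id] = (datetime.strptime(start.strip(), DATE_FMT),
                                        datetime.strptime(end.strip(), DATE_FMT))
            key_id = None
    return servers

def find_problems(servers, now):
    """Flag servers missing a key any peer holds, and keys whose validity
    window does not contain `now`. Returns a list of finding strings."""
    problems = []
    all_ids = set().union(*servers.values()) if servers else set()
    for dn, keys in servers.items():
        for missing in sorted(all_ids - set(keys)):
            problems.append(f"{dn} lacks key {missing}")
        for kid, (not_before, not_after) in keys.items():
            if not not_before <= now <= not_after:
                problems.append(f"{dn} key {kid} outside validity window")
    return problems
```

Run it against real output redirected with `LK > file`; an empty result means every Security Domain Server holds the same, currently valid, key set.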

List the current Security Domain Servers.

LS [-A] [-V] [-S serverDN]  [> file | >> file]

Another way to gather this information is to open Console One and go to the W0 object in the Security Container. Select the "Other" tab on the W0 object and view the values of the "NDSPKI:SD Key Server DN" attribute.

SDIDIAG> LS
.SH.svr.willeke.com.WILLEKETREE.
.francis.svr.willeke.com.WILLEKETREE.

Remove server -S serverDN as a Security Domain Server.

RS [-A] [-V] [-S serverDN]  [> file | >> file]

This can also be done through Console One by going to the W0 object in the Security Container. Select the "Other" tab on the W0 object and delete the server shown as an attribute value of the "NDSPKI:SD Key Server DN" attribute.

Add any server hosting a writeable replica

AP [-A] [-V] [-F] [> file | >> file]

Add any server hosting a writeable replica of the .W0.KAP.Security.Tree-Name object as a Security Domain Server. If the -F switch is given, additionally remove any servers that do not hold a writeable replica.

SDIDIAG> AP
*** [Adding SDI Domain Key Servers - BEGIN] ***
        Checking Server .SH.svr.willeke.com.WILLEKETREE.
         - Currently an SDI Domain Key Server.
        Checking Server .francis.svr.willeke.com.WILLEKETREE.
         - Added as SDI Domain Key Server.

Synchronize the Security Domain Servers.

SD [-A] [-V] [-R] [-G] [-S serverDN ] [> file | >> file]

The optional -R switch revokes all existing keys and generates a new SD key for use within the tree. The optional -G switch generates a new SD key.

NOTE: If either the -R or -G switches are used, then the RD command may need to be used to resynchronize the new keys to the other servers in the tree. Revoked keys are retained and used to access any existing items, however, they are not used to manage new keys.

SERVER MANAGEMENT

Find all servers starting with the -N containerDN

FS [-N containerDN] [-X] [-O file] [-U file]

Find all servers starting with the -N containerDN and all sub-containers, unless the -X switch is given, in which case the search is limited to the -N containerDN only. All servers running eDirectory 8.7.1 or higher are written to the -O file, while all other servers found are written to the -U file. The -O file may be used as input to any command that supports the -I file switch.

SDIDIAG> FS
*** [Find Servers - BEGIN] ***
        Found: .francis.svr.willeke.com.WILLEKETREE.
          - Checking eDirectory version.
          - Good.
        Found: .SH.svr.willeke.com.WILLEKETREE.
          - Checking eDirectory version.
          - Good.

List keys held by -S serverDN.

LK [-A] [-V] [-S serverDN ] [> file | >> file]

Example of using LK is:

LK -A -S .servername.org.tree_name

Resynchronize the Security Domain Servers

RD [-A] [-V] [-T] [-N containerDN] [> file | >> file]

Resynchronize the Security Domain Servers with other servers in the tree.

If the -T switch is given, RD (RESYNC) performs a two-pass operation: first it ensures that the Security Domain Servers have a copy of all keys held on all referenced servers; second, RD resynchronizes all servers with the updated Security Domain Servers.

If the -N switch is omitted, RD attempts to resync all servers within the tree, whereas when the -N containerDN switch is provided, RD only resynchronizes the Security Domain with the servers holding writeable replicas of the specified containerDN partition. If -1460 errors persist, a full RESYNC may be attempted, which may take a considerable time as every server will need to be contacted.

Examples of using RD are:

SDIDIAG> RD -T

*** [RESYNC Domain - BEGIN] ***
    [PASS 1 of 2]
    [Looking for All Server Objects]
*** [Find Servers - BEGIN] ***
        Found: .francis.svr.willeke.com.WILLEKETREE.
          - Checking eDirectory version.
          - Good.
        Found: .SH.svr.willeke.com.WILLEKETREE.
          - Checking eDirectory version.
          - Good.

*** [Find Servers - END] ***
    [Processing Server 1 of 2]
       Processing Server .SH.svr.willeke.com.WILLEKETREE.
        - (Domain server) processing complete.
    [Processing Server 2 of 2]
       Processing Server .francis.svr.willeke.com.WILLEKETREE.
        - (Domain server) processing complete.

    [Synchronizing SDI Domain Key Servers]
*** The Security Domain is synchronized.
    [PASS 2 of 2]
    [Synchronizing All Servers from Security Domain]
        Synchronize Server .francis.svr.willeke.com.WILLEKETREE. ...
         - Synchronized.
        Synchronize Server .SH.svr.willeke.com.WILLEKETREE. ...
         - Synchronized.
*** [RESYNC Domain - END] ***

Synchronize all keys on the specified -S serverDN

SS [-A] [-V] [-R] [-S serverDN] [-I file] [-N containerDN]

Synchronize all keys on the specified -S serverDN, on the servers listed in the -I file, or on the servers hosting a writeable replica of the -N containerDN with the Security Domain Servers. The -R switch may optionally be given to revoke all the existing keys on the server before synchronizing with the Security Domain Servers. Example of using SS is:

SDIDIAG> SS -A -R -S .servername.org.tree_name

DIAGNOSTIC

Check and display possible problems

CK [-A] [-V] [-N containerDN] [> file | >> file]

Check and display possible problems, and display recommendations, for the Security Domain Servers. If the -N containerDN is provided, also check the servers hosting a writeable replica of the -N containerDN object for possible problems and provide recommendations. Examples of using CK are:

SDIDIAG> CK
SDIDIAG> CK -N .orgUnit.org.tree-name
SDIDIAG> CK -A -N .orgUnit.org.tree-name >> SYS:\TEMP\OUTPUT.TXT
SDIDIAG> CK
*** [Key Consistency Check - BEGIN] ***
    [Checking SDI Domain]
        SDI Check Domain Configuration...
          SDI Domain Key Server .francis.svr.willeke.com.WILLEKETREE.
           - Configuration is good.
          SDI Domain Key Server .SH.svr.willeke.com.WILLEKETREE.
           - Configuration is good.
        *** SDI Check Domain Configuration is [GOOD]
        SDI Check Domain Keys...
           SDI Domain Key Server .SH.svr.willeke.com.WILLEKETREE.
            - Keys are good.
           SDI Domain Key Server .francis.svr.willeke.com.WILLEKETREE.
            - Keys are good.
        *** SDI Check Domain Keys are [GOOD]

    [Checking SDI Domain: GOOD]

        *** No Problems Found ***
Document

Document Title: Using SDIDiag - Switches and Options
Document ID: 10086669
Solution ID: NOVL92239
Creation Date: 02Sep2003
Modified Date: 23Sep2005
Novell Product Class: Novell BorderManager Services; Novell eDirectory; Security Components

« This page (revision-17) was last changed on 06-Aug-2012 12:12 by jim