Working with the IBM Lotus Domino ID Vault: A Cautionary Tale
There are numerous articles describing the basic approach to implementing the ID Vault facility for managing Notes ID files. That management covers both securely resetting a user's password and recovering a user's lost or corrupted ID file. This article describes a troubleshooting scenario that arose from a failure to create an ID Vault.
Recently I had an opportunity to demonstrate this facility during a training session delivered to support staff and administrators employed by a public utility company. As is often the case in such venues, I chose to work ad hoc. I explained to my clients that doing so in a non-production environment presents a good chance that something will break. To my delight and, perhaps, to their satisfaction, the vault creation process failed.
In this article I provide a high-level review of the process up to the point of the failure.
Then, in more detail, I describe the initial steps taken to resolve the issue. I also describe how we proceeded next when the initial steps failed to resolve the problem.
The process began with the Domino Administrator client. After selecting the Configuration tab I chose the ID Vault task section, expanded it, and selected “Create”.
This launched the ID Vault creation wizard.
The initial screen is a summary of the steps executed during creation and initial configuration of the ID Vault. After choosing “Next”, the wizard prompts for a vault name.
The vault name should be meaningfully related to the organization(s) contained in the vault, but it cannot be the same as the name of a Domino Organization (O) or Organizational Unit (OU).
Next I provided a password for the vault ID. I made no changes to the default vault ID replica server or the vault administrator. Additionally, I made ‘typical’ changes to the organization / organizational unit selection of users whose IDs would be stored in the new vault, and also selected the users who would be responsible for resetting passwords for IDs stored in the vault.
I chose the option to create a new policy for assignment to an organization and selected the target organization. Once the summary was presented I proceeded to attempt vault creation.
The attempt failed with an error, “THE CREATION OF THE NOTES ID VAULT ’CORP’ FAILED WITH ERRORS”. An examination of security events in the local (to the administrator’s client) log file showed, “Error: File not found: Entry not found in index on remote server”.
My first thought was that there might be a problem with a view index. I first did a manual rebuild of all views using Ctrl+Shift+F9. The error persisted. Next I attempted to resolve the problem with Fixup and Compact. This was equally unsuccessful.
Realizing that some research needed to be applied to the effort, I deferred additional attempts. My research took me to two resources. The first is a wonderful article in the Lotus Notes and Domino Wiki. The article, http://www-10.lotus.com/ldd/dominowiki.nsf/dx/id-vault-logging-for-8.5-faq , was initially created by Bastian Wieczorek. It is a great compendium of log entries on both the client and server side as they relate to ID Vault interaction. This prompted me to consider what else I might learn from the log. Sadly, there was no smoking gun, but the article helped me to eliminate some possible causes and focus better on the remaining plausible ones.
Next I visited the forums, http://www-10.lotus.com/ldd/nd85forum.nsf/4d33daaa03bb930385256a0700727b3b/c35d9a943ae831b98525757c005b1049?OpenDocument, where Brian P. Ahearn posted the exact message I encountered. As I read the thread I recalled that, before a similar demo earlier this week, I had run the design task on my server prior to any attempt to create a vault. The reason for running the task was related to this issue in this sense: I was using ‘canned databases’ from Lotus Education to construct the 8.5 environment, in which the mail files, person documents, and IDs for a sample user population had already been created. The problem was that those files had been created in an 8.0.x environment.
The problem was crystal clear. I could not create an ID Vault while the Domino Directory lacked the design elements needed to support the ID Vault documents, hence the ‘truth’ of the error message that “the entry was not found in the index”. Indeed!
This scenario establishes the following points for users:
1. Domino specific Wikis offer significant resources for understanding the working environment of various components.
2. Forums offer invaluable insight on a recurring basis by capturing the experience of some for the benefit of many, and the collaboration inherent in the threads is helpful even when the exact problem or its resolution is not reflected in the content.
3. The log files of both the client and server are indispensable for identifying the root cause and resolution of feature failures.
Once the root cause had been identified and resolved (I loaded the design task and refreshed the design of the Domino Directory), creating the vault was simple and straightforward.
David Wilkerson February 10th, 2010 10:00:25 PM
