DirXML and Certificates

2006-01-19

I spent the day futzing with DirXML driver settings and certificates in eDirectory.

We have two offices in Saskatchewan and they do a lot of project collaboration. Lately, they have a sizable job with the staff split half between Saskatoon and Regina. Instead of forcing them to maintain two project document repositories, one in each office, and then trying to merge them at the end of the project, we are trying to give them access to the master repository in Saskatoon, even for workers in Regina.

To make that work, the users from the eDirectory in Regina need to be copied to the eDirectory in Saskatoon, so that they can log in in Saskatoon and get access to the directories. I have already started synchronizing all users across the company to corporate office, so that we can use a single authentication ID for corporate web-based services, so this was just an extension of what we are already doing.

I started configuring DirXML to replicate users from our enterprise directory to the Saskatoon office (and Regina office for good measure) and discovered that one of the SSL / TLS certificates involved in securing the DirXML synchronization traffic was expired, because I had initially created it with too short of a life span. Crud. I had to re-issue certificates to all the servers running DirXML, because once the drivers stop and are restarted, they refuse to communicate when a certificate is expired. Even though the certificate expired months ago, I just noticed, because most of our NetWare servers never go down, so the DirXML systems were still working.

My punishment for setting the certificates up with too short of a lifespan was to have to connect to all our eDirectories and use ConsoleOne on a super-slow computer over saturated DSL links to reissue certificates for several hours. Bleah. I still have more work to do tomorrow on this.

Entry Filed under: Identity Management.
