April 15 2020 Wednesday
ID Vault Trust Certificates expire after 10 years. AKA that was a stupid decision and breaks ID Vault
No meaningful blog posts in ages, then 257 in the space of 3 days. Yeah, COVID quarantine is a killer.
Anyway, apparently ID Vaults stop working after 10 years. Not the best decision ever made but the head shed at IBM when 8.5 shipped. I only discovered this when trying to reset a vaulted password. What's even worse is the error of this type of failure. It's not something useful like:
(admittedly Domino related IBM-hosted technotes are about as much use as an orange colored President, but meaningful error messages are)
But no. Not useful. All there was this verbal splat of English:
OK. After a few hours of repeatedly hitting my head against a wall checking every certificate under the sun and some Googling that made me start to doubt my ability in seach-fu I hit pay dirt. This article from Fabio Di Paola was the solution. Essentially this, Vault Trust Certificates expire after 10 years. Genius decision by the ID Vault creators. Not. Many 8.5 installs are coming up to, or have passed their 10 year anniversary when initial ID Vaults would have been installed, so this may help some folks.
Fabio also has the steps to fix it, but it's basically this:
First check if your Vault certificate is expired if so manually delete your old Vault Trust Certificates from the NAB (say what now Darren????!!!!) then re-add the Organization back to the vault via the Manage Vault action. Viola, error banished, passwords are resettable. Bird sing, sky blue.
See Fabio's article for more information if you need it.
Anyway, apparently ID Vaults stop working after 10 years. Not the best decision ever made but the head shed at IBM when 8.5 shipped. I only discovered this when trying to reset a vaulted password. What's even worse is the error of this type of failure. It's not something useful like:
Your ID Vault Trust Certificate is expired as it lasts for 10 years, see technote xxxxxx
(admittedly Domino related IBM-hosted technotes are about as much use as an orange colored President, but meaningful error messages are)
But no. Not useful. All there was this verbal splat of English:
Server Error: The address book does not contain a cross certificate capable of validating the public key.
OK. After a few hours of repeatedly hitting my head against a wall checking every certificate under the sun and some Googling that made me start to doubt my ability in seach-fu I hit pay dirt. This article from Fabio Di Paola was the solution. Essentially this, Vault Trust Certificates expire after 10 years. Genius decision by the ID Vault creators. Not. Many 8.5 installs are coming up to, or have passed their 10 year anniversary when initial ID Vaults would have been installed, so this may help some folks.
Fabio also has the steps to fix it, but it's basically this:
First check if your Vault certificate is expired if so manually delete your old Vault Trust Certificates from the NAB (say what now Darren????!!!!) then re-add the Organization back to the vault via the Manage Vault action. Viola, error banished, passwords are resettable. Bird sing, sky blue.
See Fabio's article for more information if you need it.