Sunday 12 July 2009

Using Domino Web Administrator to register new users

<CAVEAT>

It's worth noting that (a) I'm NOT a Domino guru and (b) this may well
be a work-in-progress.

Therefore, please use extreme caution if you choose to follow this,
and let me know where I've gone wrong :-)

</CAVEAT>

It's been bugging me for a long while that I need to fire up the
Domino Administrator client each time I want to register new users,
when I'd much rather use the Web Administrator ( webadmin.nsf ).

Well, today, I finally managed to achieve my goal, and have documented
my steps as follows: -

a) Open Domino Administrator and log in as admin. user e.g. domadmin/ibm
b) Choose File -> Open Server and choose server to be managed e.g.
voyager/ibm
c) Choose Configuration -> Tools -> Certification -> Migrate Certifier
d) Navigate to server's cert.id on file system ( may need to copy it
from server to client )
e) Enter certifier password ( created when server first installed )
f) Select the server on which the certifier will run e.g. voyager/ibm
g) Note the ICL DB that will be created e.g. icl\icl_1926.nsf
h) Choose to encrypt certifier ID with Locking ID and select
domadmin/ibm from the IBM directory
i) Note that the domadmin/ibm user has CAA and RA roles
j) Click Add
k) From IBM directory, choose to add server e.g. voyager/ibm
l) Again, note that voyager/ibm has CAA and RA roles
m) Click on OK
n) Ensure that ADMINP and CA tasks are started/running on Domino server
o) Check admin4.nsf DB for task Modify CA Configuration in Domino
Directory and ensure that it completed without errors

4 comments:

Keith Brooks said...

Nice post and so simple, yet many admins never do it.
Haven't done it in a while so I tested your steps and the only things I would add/change are:

1) Webadmin.nsf needs to have the admin or group in the ACL of course for this to work. And check the roles as well. You can do this before or after you start this process.

2) Include how to MODIFY the Certifier. Bad wording from IBM on these points, migrate/modify but if, as I have done sometimes, you click on the tab to extend the months and inadvertently hit enter or OK. POOF! You got your cert migrated, possibly without naming a server.
So Click on modify cert, pick the one to fix, when it comes up then Add the server.

Dave Hay said...

Thanks for the feedback - will run through the setup a few more times, and amend the posting accordingly.

I'd really really love to have the modify/migrate certificate options from the console, rather than needing to have the Domino Administrator, especially given that I don't want to have a Windows machine hanging around :-)

Mind you, I'd also like to be able to add/modify SSO/LTPA keys without needing the Admin. client.

Unknown said...

Dave!

This is admin 101. I must admit though that whenever I get onsite it has not been done and the usual feeble excuses come out. This should always be the first task to do with a certifier but one tip I would give is to rename the ICL database to something meaningful like the OU of the cert you are migrating. Oh, and I agree the wording is all wrong and that is why Admins don't do it.

Dave Hay said...

@candobetter - agreed re Admin 101, but for me, I need it in words that a Beano reader could understand, as I'm coming from a mainly non-Domino background, although I find that I've been using Domino for over ten years :-)
