Regenerate aek.key - Could not connect to docbase using IDQL

I've regenerated the aek.key, re-encrypted the dbpasswd.txt and started the docbase back up. All looks fine in the docbase log, however none of the users are able to log in using IAPI/IDQL. I receive the following error when trying to log in to IDQL using the install owner:

Could not connect
[DM_SESSION_E_CLIENT_AUTHENTICATION_FAILURE]error: "Failed to authenticate client. Please check server log for more detail."

I've followed the steps in KB0720457 ( https://support.opentext.com/csm?id=kb_article_view&sysparm_article=KB0720457 ) which involve:

  • Stop Docbase, rename aek.key file
  • Run SQL commands to clear out crypto key
  • Run dm_crypto_create to generate new aek.key (using default password AES_256_CBC algorithm)
  • Run dm_encrypt_password to re-encrypt the database password within dbpasswd.txt

Any ideas?

Best Answer

  • Hicham Bahi
    Hicham Bahi E Member
    #2 Answer ✓

    The details for this message are:

    CLIENT_AUTHENTICATION_FAILURE "Failed to authenticate client. Please check server log for more detail."
    ; CAUSE: The client installation sent a certificate that uniquely identifies
    ; the client instance. The Content Server was unable to successfully
    ; verify this certificate.
    ; ACTION: Check the reason listed in the error message as to why the certificate
    ; failed to verify.
    ;

    I think that this refers to the dfc.keystore used by your client. If you are using iapi or idql, it's probably $DOCUMENTUM/config/dfc.keystore. Try to delete this file and try again (dfc.keystore will be recreated). If it works, you should probably delete all dfc.keystore files you can find. As long as you don't use any privileged client (e.g. Records Client or D2), you should be fine. Otherwise, you will need to grant each client privileges again.
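An added example, not part of the answer above: a shell function that sets every dfc.keystore under a directory aside by renaming it instead of deleting it, so the original file is still on disk if the change has to be rolled back. It assumes, as the answer states, that the client recreates dfc.keystore when it is missing; the function name, the `QUARANTINED` variable and the `.bak.<timestamp>` suffix are this example's own choices.

```sh
# Set aside all dfc.keystore files under a root directory (default: $DOCUMENTUM).
# Renaming in place keeps the file's owner and mode and leaves a copy to roll back to.
# QUARANTINED (hypothetical name) holds the number of files moved.
quarantine_dfc_keystores() {
    root="${1:-${DOCUMENTUM:-}}"
    if [ -z "$root" ] || [ ! -d "$root" ]; then
        echo "usage: quarantine_dfc_keystores <root-dir>" >&2
        return 2
    fi
    stamp=$(date +%Y%m%d%H%M%S)
    QUARANTINED=0
    list=$(mktemp) || return 1
    # -type f matches regular files only, so symlinks and directories are left alone
    find "$root" -type f -name dfc.keystore > "$list"
    while IFS= read -r ks; do
        if mv -- "$ks" "$ks.bak.$stamp"; then
            echo "set aside: $ks -> $ks.bak.$stamp"
            QUARANTINED=$((QUARANTINED + 1))
        else
            echo "could not move: $ks" >&2
        fi
    done < "$list"
    rm -f "$list"
    return 0
}
```

Run it as the account that owns the files, for example `quarantine_dfc_keystores "$DOCUMENTUM"`, then retry the IDQL login.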

Answers

  • JCHall
    JCHall Member

    Documentum CS 23.4, although I have also tried with 22.2.

  • JCHall
    JCHall Member

    Hicham,

    Thanks once again for your response. Yes that fixed it! Clearing the dfc.keystore sorted it.