Help Page for link/certificate problems

  • A common problem with links not working is that they are often links to documents in the NOvA Document database (DocDB). Such links can either be certificate links or password links. In the case of certificate links one's browser must have either a DOE Grid certificate or a KCA certificate that is current (in order to access the document referenced by the link). Additionally, if a DOE Grid certificate is being used, the browser must also possess a current Certificate Authority (CA) certificate to match.
  • Many NOνA web pages will have a menu item on the lower left that allows the user to choose which type of DocDB links are in use (either certificate or password). This page has such an item in its left-hand-side menu to illustrate this, since other menu items have DocDB links.
  • Some NOνA DocDB users have multiple DOE grid certificates registered with the NOνA document database. This typically happens when the user doesn't renew his/her certificate in a timely fashion and then asks for a new one--without requesting the same CN. The user then requests to be subscribed again to DocDB with the new certificate number (CN). This leads to several difficulties. One is that user customizations (such as email preferences for notices of document changes) are tied to individual certificate numbers.
  • When documents are "controlled" and require approval signature by the user, only one of the user's multiple certificates is given the ability to apply future approval signatures to a document (the CN that hasn't expired is the correct choice, but the information registered with the DocDB doesn't show administrators which ones are expired). One would think that the user's certificate with the highest id number is the non-expired one, but experience has indicated otherwise for several NOνA users.
  • When a user's DOE grid certificate CN changes, one of the DocDB administrators must carefully update all of the controlled documents that need future approvals by that user--to match the changed CN.
  • A user can keep the same DOE grid certificate number (CN) year after year. Doing this is strongly encouraged. To do this with the least fuss it is important to renew the certificate CN before it expires. Prior to its expiration date the certificate can be used to certify the user for getting a new certificate (good for another year) with the same certificate number (CN). Web page http://security.fnal.gov/pki/Renew-DOEGrids-Pers-Cert.html advises one how to keep the same certificate number (even in the case that the renewal is done after the user's certificate has expired).
  • If a user has any NOvA DocDB customization (e.g. email notifications of changes to documents) registered with an expired certificate CN, he/she will be unable to change such settings. At the administrator level of people in the NOvA Project Office (Halley, Suzanne, Alan), we also can't change these settings. Making such changes requires action by a Super Administrator, who has to go into the MySQL database for the NOvA DocDB and make the changes there.
  • Some users have lost certificates when their hard drives on a laptop have failed. To avoid the loss of a certificate in this example, it is possible to export a certificate (from the browser) to a file on another storage unit. At minimum, users are strongly advised to keep a record of their DOE grid certificate number (CN), so that they can request another certificate with the same CN.
  • DocDB Help has instructions on exporting and importing certificates. See "Importing and Exporting certificates" at Certificate Instructions.
  • On 9/15/09 I made a series of screen snapshots as I renewed my DOE grid certificate in MS Internet Explorer. I put the screen snapshots in a Powerpoint file.