Overview
Novell International Cryptographic Infrastructure (NICI) is Novell's solution for a cross-platform, policy-driven, independently certified, and extensible cryptography service. NICI is the cryptography module that provides keys, algorithms, various key storage and usage mechanisms, and a large-scale key management system.
NICI controls the introduction of algorithms and the generation and use of keys. NICI allows a single commodity version of a security product to be produced for worldwide consumption that supports strong cryptography and multiple cryptographic technologies. Initial services built on this infrastructure are Directory Services (Novell eDirectory™), Novell Modular Authentication Service (NMAS), Novell Certificate Server™, Novell SecretStore®, and TLS/SSL.
NICI first shipped with NetWare® 5.0. This document is provided to help resolve NICI issues found in the field or during testing of various Novell or third-party products. A particular product may use NICI directly or indirectly via another module (NLM™, DLL, .so, etc.).
WARNING
If certain NICI keys are irrecoverably lost, even backed-up data might be useless, because it can't be decrypted.
The private key of each certificate is wrapped by NICI. Therefore, if the NICI configuration files are lost or corrupted, the certificates can no longer be used. These certificates can be backed up as well, by exporting them to a PKCS#12 file (PFX). Detailed information on the procedure can be found in the Certificate Server Administration Guide.
Though the certificates are held in the eDirectory database and can be restored by restoring the database, they are still tied to the server's NICI files. As added protection, export the certificates to a PFX file and keep it safe, so that they can be restored to the server even if its NICI files have changed, or to a different server altogether, since the private key is stored in the PFX file. The certificates are then no longer wrapped by NICI; the PFX file is instead protected by a password.
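A PFX backup only helps if it can actually be opened and really carries the private key. The following check is an added example (not Novell's or the Certificate Server's own tooling) that assumes the OpenSSL command-line tool is available; it opens the PFX with its password, confirms a private key is present, and confirms that key matches the certificate.

```shell
#!/bin/sh
# Added example (not Novell's code): sanity-check a PKCS#12 (PFX) backup of a
# server certificate before relying on it as the fallback for lost NICI files.
# A usable backup must (1) open with its password, (2) actually contain the
# private key, and (3) hold a key that matches the certificate.
# Assumes the OpenSSL command-line tool is installed.

# verify_pfx_backup <pfx-file> <password>  -> exit status 0 if usable, 1 if not
verify_pfx_backup() {
    pfx=$1
    pass=$2
    tmp=$(mktemp -d) || return 1

    # (1) Wrong password or corrupt file: openssl refuses to unwrap anything.
    if ! openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
            -out "$tmp/key.pem" >/dev/null 2>&1; then
        echo "FAIL: $pfx cannot be opened (wrong password or corrupt file)"
        rm -rf "$tmp"; return 1
    fi
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys \
            -out "$tmp/cert.pem" >/dev/null 2>&1

    # (2) A certificate-only export opens fine but is useless for a restore.
    if ! grep -q 'PRIVATE KEY' "$tmp/key.pem"; then
        echo "FAIL: $pfx holds no private key (certificate-only export)"
        rm -rf "$tmp"; return 1
    fi

    # (3) Compare the public key derived from the private key with the one
    #     embedded in the certificate; a mismatch means the wrong key was bundled.
    openssl pkey -in "$tmp/key.pem" -pubout -out "$tmp/key.pub" 2>/dev/null
    openssl x509 -in "$tmp/cert.pem" -pubkey -noout > "$tmp/cert.pub" 2>/dev/null
    if ! cmp -s "$tmp/key.pub" "$tmp/cert.pub"; then
        echo "FAIL: private key in $pfx does not match its certificate"
        rm -rf "$tmp"; return 1
    fi

    echo "OK: $pfx opens, contains a private key, and the key matches the certificate"
    rm -rf "$tmp"
    return 0
}

# Usage when run directly: ./verify_pfx.sh server-cert.pfx 'backup-password'
if [ $# -ge 2 ]; then
    verify_pfx_backup "$1" "$2"
fi
```

Run it against every exported PFX right after the export, and again from the off-host copy, so a bad password or a certificate-only export is caught before the NICI files are ever lost.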
What is or can be affected if NICI is lost and there is no backup of NICI or the certificates
- Encrypted Replication policy - Novell Technical Support can be engaged to remote in and remove the Encrypted Replication policy.
- Encrypted attributes are wrapped via NICI in a server-specific database key, which is in turn wrapped in a server-specific storage key; both keys are held in the eDirectory database within FLAIM. If a server's NICI files are lost, not only is the data in these attributes lost, but the database itself cannot be opened. Since the database storage key is generated when the server is upgraded to or installed with eDirectory 8.8 SP1 or higher, the database cannot be opened regardless of whether the encrypted attribute functionality is in use.
- No servers can be added to the tree.
- No passwords can be used or recovered.
NICI and Licensing
The NICI configuration files are signed and partially encrypted. An invalid license file (NICIFK) renders NICI nonfunctional.
NICI Installation
NICI does not require a special user to run, except during installation.
NICI must be installed by a privileged user who can install setuid programs.
Multiple Instances
We recommend running each instance of eDirectory on the same host under a different user ID, so that their cryptographic materials are separated by the host system's own security mechanisms.
Otherwise, the server-based Security Domain Infrastructure private key will be the same for all instances.
NICISDI
NICISDI stands for NICI Security Domain Infrastructure. This module is responsible for managing domain keys, where a domain is typically defined as the whole tree. In the future, a directory partition or custom domains may also be definable as domains.
Up to NICI version 1.5.x, NICI supports one single partition key, the partition being the whole tree. Starting with NICI version 2.0.1, NICI can manage multiple partition keys of varying strengths and algorithms. Such keys are called Security Domain keys. On NetWare®, Windows, and (as libniciext.so) on UNIX platforms, the module manages security domain keys in coordination with NICI. Various other services rely on the availability of security domain keys, including but not limited to:
NOTE: The NICISDI module has nothing to do with the SASDFM module. SASDFM manages session keys between two machines, typically between a client and a server. Both modules are loaded during autoexec.ncf processing on NetWare.
Security domain servers manage security domain keys. Any server can be configured as a security domain server. There can be multiple security domain servers in a tree. Security domain keys are not intended for clients. One tree key is installed by an eDirectory installation. The tree key is created or retrieved from the security domain key server during the server installation.
More Information
There might be more information on this subject in one of the following:
- Glossary Of LDAP And Directory Terminology
- NDSD Loadable Module
- NICI Backup Procedures
- NICI Configuration Files
- NICI File Locations
- Novell International Cryptographic Infrastructure
- Security Domain Infrastructure
- Universal Password
- Using dsbk on Windows