NICI SDI Tree Key Provider Fault-tolerance #

An easy way to add fault-tolerance to NICI is to designate more than one server as the NICITreeKeyProvider (more precisely a "Security Domain Infrastructure Key Server") for the tree.

With more than one key provider, you eliminate a single point of failure for NICI and for anything that relies on the tree key, such as Universal Password and SecretStore.

Use Security Domain Infrastructure Diagnostic Utility #

You can and probably should use SDIDIAG to add NICI servers to the Security Domain Infrastructure.

List the existing keys #

To list the existing keys:
 
SDIDIAG> lk 
Displaying keys in domain W0, object .W0.KAP.Security.DEV_CORP. 
Displaying keys on .server2.srv.WILLEKE.COM.WILLEKETREE. 
Server : .server2.srv.WILLEKE.COM.WILLEKETREE. 
SDKey : 1 
Object Class : Secret Key 
Key Size : 168 bits 
Key Usage : 0x4400C0 
Key Format : DES-EDE3-CBC-IV8 
Key Id : 2B 7F BB E6 89 4A F9 B4 2B 2F C3 C9 2E 23 5D 43 
Validity : Sun Sep 26 09:37:59 2006 - Sun Feb 03 23:59:00 2036 

Add other Servers #

Use AP to add all Write Partition Servers as SDI Domain Key Servers:
 
SDIDIAG> AP 

*** [Adding SDI Domain Key Servers - BEGIN] *** 
Checking Server .server2.srv.WILLEKE.COM.WILLEKETREE. 
- Currently an SDI Domain Key Server. 
Checking Server .server3.srv.WILLEKE.COM.WILLEKETREE. 
- Added as SDI Domain Key Server. 
Checking Server .server4.srv.WILLEKE.COM.WILLEKETREE. 
- Added as SDI Domain Key Server. 
*** [Adding SDI Domain Key Servers - END] *** 

Check Key or Domain Problems #

Run check to verify the domain configuration and the keys on each SDI Domain Key Server:
SDIDIAG> check 
*** [Key Consistency Check - BEGIN] *** 
[Checking SDI Domain] 
SDI Check Domain Configuration... 
SDI Domain Key Server .server4.srv.WILLEKE.COM.WILLEKETREE. 
- Configuration is good. 
SDI Domain Key Server .server3.srv.WILLEKE.COM.WILLEKETREE. 
- Configuration is good. 
SDI Domain Key Server .server2.srv.WILLEKE.COM.WILLEKETREE. 
- Configuration is good. 
*** SDI Check Domain Configuration is [GOOD] 
SDI Check Domain Keys... 
SDI Domain Key Server .server2.srv.WILLEKE.COM.WILLEKETREE. 
- Keys are good. 
SDI Domain Key Server .server4.srv.WILLEKE.COM.WILLEKETREE. 
- Keys are good. 
SDI Domain Key Server .server3.srv.WILLEKE.COM.WILLEKETREE. 
- Keys are good. 
*** SDI Check Domain Keys are [GOOD] 

[Checking SDI Domain: GOOD] 

*** No Problems Found *** 

*** [Key Consistency Check - END] *** 
SDIDIAG> 

List Server Keys #

NOTE: The "Key Size" must be at least 168 bits for Universal Password to operate.
 
SDIDIAG> lk 
Displaying keys in domain W0, object .W0.KAP.Security.DEV_CORP. 
Displaying keys on .server4.srv.WILLEKE.COM.WILLEKETREE. 
Server : .server4.srv.WILLEKE.COM.WILLEKETREE. 
SDKey : 1 
Object Class : Secret Key 
Key Size : 168 bits 
Key Usage : 0x4400C0 
Key Format : DES-EDE3-CBC-IV8 
Key Id : 2B 7F BB E6 89 4A F9 B4 2B 2F C3 C9 2E 23 5D 43 
Validity : Sun Sep 26 09:37:59 2006 - Sun Feb 03 23:59:00 2036 
Displaying keys on .server3.srv.WILLEKE.COM.WILLEKETREE. 
Server : .server3.srv.WILLEKE.COM.WILLEKETREE. 
SDKey : 1 
Object Class : Secret Key 
Key Size : 168 bits 
Key Usage : 0x4400C0 
Key Format : DES-EDE3-CBC-IV8 
Key Id : 2B 7F BB E6 89 4A F9 B4 2B 2F C3 C9 2E 23 5D 43 
Validity : Sun Sep 26 09:37:59 2006 - Sun Feb 03 23:59:00 2036 
Displaying keys on .server2.srv.WILLEKE.COM.WILLEKETREE. 
Server : .server2.srv.WILLEKE.COM.WILLEKETREE. 
SDKey : 1 
Object Class : Secret Key 
Key Size : 168 bits 
Key Usage : 0x4400C0 
Key Format : DES-EDE3-CBC-IV8 
Key Id : 2B 7F BB E6 89 4A F9 B4 2B 2F C3 C9 2E 23 5D 43 
Validity : Sun Sep 26 09:37:59 2006 - Sun Feb 03 23:59:00 2036 
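As an added example (not part of this page or of SDIDIAG), the following Python script parses an lk listing of the kind shown above and flags what this page calls for: fewer than two SDI Domain Key Servers, a Key Size below 168 bits, a key outside its validity period, or servers whose key ids disagree. The sample listing is constructed from the output above; the field names and date style are assumed to match SDIDIAG's output exactly as printed here.

```python
import re
from datetime import datetime

# Constructed sample, abbreviated from the "lk" listing shown on this page.
SAMPLE_LK = """\
Server : .server4.srv.WILLEKE.COM.WILLEKETREE.
SDKey : 1
Key Size : 168 bits
Key Id : 2B 7F BB E6 89 4A F9 B4 2B 2F C3 C9 2E 23 5D 43
Validity : Sun Sep 26 09:37:59 2006 - Sun Feb 03 23:59:00 2036
Server : .server3.srv.WILLEKE.COM.WILLEKETREE.
SDKey : 1
Key Size : 168 bits
Key Id : 2B 7F BB E6 89 4A F9 B4 2B 2F C3 C9 2E 23 5D 43
Validity : Sun Sep 26 09:37:59 2006 - Sun Feb 03 23:59:00 2036
"""
LINE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$")  # "Field : value" lines
DATE_FMT = "%a %b %d %H:%M:%S %Y"                         # SDIDIAG date style

def parse_lk(listing):
    # Returns {server_dn: [key dicts]}; "Server :" opens a block, "SDKey :" a key.
    servers, keys = {}, None
    for m in filter(None, map(LINE.match, listing.splitlines())):
        field, value = m.groups()
        if field == "Server":
            keys = servers.setdefault(value, [])
        elif field == "SDKey":
            keys.append({"sdkey": int(value)})
        elif field == "Key Size":
            keys[-1]["bits"] = int(value.split()[0])
        elif field == "Key Id":
            keys[-1]["key_id"] = value.replace(" ", "").upper()
        elif field == "Validity":
            start, end = (s.strip() for s in value.split(" - "))
            keys[-1]["not_before"] = datetime.strptime(start, DATE_FMT)
            keys[-1]["not_after"] = datetime.strptime(end, DATE_FMT)
    return servers

def check_sdi_keys(listing, min_bits=168, min_servers=2, now=None):
    # Flags too few key servers, short or expired keys, and servers whose key
    # ids differ (every SDI Domain Key Server should hold the same tree keys).
    now, servers, problems = now or datetime.now(), parse_lk(listing), []
    if len(servers) < min_servers:
        problems.append(f"only {len(servers)} key server(s), need {min_servers}+")
    for dn, keys in servers.items():
        for k in keys:
            if k["bits"] < min_bits:
                problems.append(f"{dn} SDKey {k['sdkey']}: {k['bits']} bits < {min_bits}")
            if not k["not_before"] <= now <= k["not_after"]:
                problems.append(f"{dn} SDKey {k['sdkey']}: outside validity period")
    if len({frozenset(k["key_id"] for k in keys) for keys in servers.values()}) > 1:
        problems.append("key ids differ between servers")
    return problems
```

Paste the full lk output from your own tree into the listing; an empty result means the checks this page describes all pass.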

From LDAP #

You can see the NDSPKISDKeyList and NDSPKISDKeyServerDN attributes in the O=Security container of the eDirectory tree.

This page (revision-6) was last changed on 10-Jun-2013 19:19 by jim