Importance of the Security Domain Infrastructure
NICI and PKI are often overlooked because they are not always used. However, NICI has become critical to Universal Password and to the new encryption features in eDirectory 8.7.1 and later. Problems with NICI can lead to permanent data loss. PKI problems, such as the loss of the tree Certificate Authority, are easier to recover from, but can involve a lot of work since they can affect every server in the tree.
The first server in a tree (8.7x) plays special roles for both NICI and PKI that are related but separate:
- NICITreeKeyProvider (NICI based)
- Tree CA (PKI based)
NICISDI or NICIEXT reads the attribute that lists the SD key servers on each load (typically at server boot). It then connects to each server in that list and requests any new Security Domain Infrastructure keys from it; existing security keys are also checked for revocation. In summary:
- Only new key retrieval is performed (not key creation).
- Existing security keys are checked for revocation.
- Key revocation is processed automatically on every load of NICISDI or NICIEXT, or periodically as configured by the NICISDI sync period.
- Deletion of Security Domain keys is NOT done automatically.
For an eDirectory tree merge, add the new SD key server's name to this list after the trees are merged, then reboot all servers in the tree unless periodic synchronization is enabled. The final list must contain the names of the SD key servers from all merged trees. We strongly recommend that NICI version 2.0.1 or newer be installed on the servers.
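The merge procedure above is easy to get wrong when the list has been exported in a different name form than the one used to write it (LDAP comma-separated versus NDS dotted names, mixed case). The following script, an added example that is not Novell/NetIQ code and not part of the original text, takes the SD key server list as already read from the directory (the page does not name the attribute, so the values here are a constructed sample), normalizes the names, reports which merged trees are still missing their SD key server, and states the follow-up action the text prescribes (reboot every server, or wait for the NICISDI sync period). The tree names, server names and `periodic_sync_enabled` flag are all assumptions made for the example.

```python
"""Post-merge consistency check for the SDI key-server list (added example).

Assumptions: the list of SD key server names has been read out of the
directory by other means; the caller knows which server was the SD key
server in each tree that took part in the merge; DN values contain no
literal '.' or ',' characters inside their components.
"""


def normalize_dn(dn: str) -> str:
    """Canonicalise a typeful DN for comparison.

    eDirectory treats names case-insensitively, and exports differ in the
    separator used (LDAP "cn=x,ou=y,o=z" vs NDS dotted ".CN=X.OU=Y.O=Z") and
    in spacing around separators. Everything is mapped to lower-case,
    comma-separated, whitespace-trimmed components.
    """
    sep = "," if "," in dn else "."
    parts = [p.strip().lower() for p in dn.split(sep) if p.strip()]
    return ",".join(parts)


def missing_sd_key_servers(current_list, expected_by_tree):
    """Return {tree: dn} for every tree whose SD key server is absent from
    the current list. An empty dict means the list is complete."""
    present = {normalize_dn(d) for d in current_list}
    return {tree: dn for tree, dn in expected_by_tree.items()
            if normalize_dn(dn) not in present}


def post_merge_steps(missing, periodic_sync_enabled):
    """Translate the check result into the actions the text prescribes:
    add the missing servers, then reboot all servers unless periodic
    synchronization is enabled (in which case the sync period handles it)."""
    steps = []
    if not missing:
        steps.append("SD key server list is complete; no action required")
        return steps
    steps.append("add to the SD key server list: "
                 + ", ".join(sorted(missing.values())))
    if periodic_sync_enabled:
        steps.append("wait for the NICISDI sync period to elapse on every server")
    else:
        steps.append("reboot every server in the tree so NICISDI/NICIEXT "
                     "re-reads the list")
    return steps


# Constructed sample: TreeB has just been merged into TreeA, but only TreeA's
# SD key server (exported in NDS dotted form) is in the list so far.
CURRENT_SD_KEY_SERVERS = [
    ".CN=SRV-A1.OU=Servers.O=TreeA",
]
EXPECTED_SD_KEY_SERVERS = {
    "TreeA": "cn=srv-a1,ou=servers,o=treea",
    "TreeB": "cn=srv-b1,ou=servers,o=treeb",
}


if __name__ == "__main__":
    gaps = missing_sd_key_servers(CURRENT_SD_KEY_SERVERS, EXPECTED_SD_KEY_SERVERS)
    for tree, dn in gaps.items():
        print(f"missing SD key server for {tree}: {dn}")
    for step in post_merge_steps(gaps, periodic_sync_enabled=False):
        print("-", step)
```

The DN normalization is the part worth keeping even outside a merge: a server that is listed under a differently spelled name is, from NICISDI's point of view, present, so a naive string comparison would wrongly report it as missing and tempt an administrator into adding a duplicate entry.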