Overview#

Importance of The Security Domain Infrastructure #

NICI and PKI are often overlooked because they are not always used. However, NICI has become critical to Universal Password and to the encryption features introduced in eDirectory 8.7.1 and later. Problems with NICI can lead to permanent data loss. PKI problems, such as the loss of the tree Certificate Authority, are easier to recover from, but recovery can involve a lot of work because it can affect every server in the tree.

The first server in a tree (8.7x) plays special roles for both NICI and PKI. The two roles are related but separate:

  • NICITreeKeyProvider (NICI based)
  • Tree CA (PKI based)
In both cases, be sure that the customer updates server and disaster recovery processes so that they identify whether the "lost server" in question was the tree CA, the NICI tree key provider, or both.

NICI Directory Objects #

In the directory, the Security.KAP.W0 container off the root has a list of attributes to aid in security domain key management. These attributes are described below:

NDSPKISDKeyServerDN #

This multi-valued attribute contains the list of Security Domain Infrastructure key servers in the NDS tree. There must be at least one server in this list. NICI 2.0.1 and newer versions, which are distributed with NetWare 6 and later, use this attribute. Fault tolerance for the NICISDI Tree Key Provider may be implemented using this list.

NICISDI or NICIEXT reads this attribute each time it loads (typically at server boot). It then connects to each server in the list and requests any new Security Domain Infrastructure keys from that server. Existing security keys are also checked for revocation.

Deletion of a Security Domain Infrastructure key, however, is not done automatically. In summary:

  • Only new keys are retrieved (not created).
  • Existing security keys are also checked for revocation.
  • Key revocation is processed automatically on every load of NICISDI or NICIEXT, or periodically as configured by the NICISDI sync period.
  • Deletion of security domain keys is NOT done automatically.

For an eDirectory tree merge, add the new SD key server's name to this list after the trees are merged, then reboot all servers in the tree unless periodic synchronization is enabled. The final list must contain the names of the SD key servers from all merged trees. We strongly recommend that NICI version 2.0.1 or newer be installed on the servers.
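A post-merge check for the list described above, as an added example that is not part of this page or of Novell's tooling: it parses LDIF exports of the W0 object from each source tree and from the merged tree, and reports an empty NDSPKISDKeyServerDN or any source tree's SD key server that is missing from the merged list. It assumes the LDAP form cn=W0,cn=KAP,cn=Security for Security.KAP.W0; the server names in the sample exports are constructed.

```python
import base64

W0_DN = "cn=W0,cn=KAP,cn=Security"      # assumed LDAP form of Security.KAP.W0
ATTR = "ndspkisdkeyserverdn"            # attribute names compared case-insensitively

def parse_ldif_entry(ldif_text):
    """Parse a single-entry LDIF into {attribute_lowercase: [values]}.
    Handles folded continuation lines and base64 ('::') values."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold a wrapped line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):           # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def sd_key_servers(ldif_text):
    """Return the set of SD key server DNs (lower-cased) listed on W0."""
    entry = parse_ldif_entry(ldif_text)
    if entry.get("dn", [""])[0].lower() != W0_DN.lower():
        raise ValueError("export is not the W0 object: %r" % entry.get("dn"))
    return {v.lower() for v in entry.get(ATTR, [])}

def check_merged_sdi(merged_ldif, *source_ldifs):
    """List problems with the merged W0 (empty list means it passed): the
    list must not be empty and must keep every source tree's key server."""
    merged = sd_key_servers(merged_ldif)
    problems = []
    if not merged:
        problems.append("NDSPKISDKeyServerDN is empty: no SD key server")
    for src in source_ldifs:
        for dn in sorted(sd_key_servers(src) - merged):
            problems.append("SD key server %s missing after merge" % dn)
    return problems

# Constructed sample exports; the server names are not from a real tree.
TREE_A_W0 = "dn: cn=W0,cn=KAP,cn=Security\nNDSPKISDKeyServerDN: cn=SRVA,ou=Servers,o=TreeA\n"
TREE_B_W0 = "dn: cn=W0,cn=KAP,cn=Security\nNDSPKISDKeyServerDN: cn=SRVB,ou=Servers,o=TreeB\n"
MERGED_BAD = TREE_A_W0                   # merge done, but TreeB's server was never added
MERGED_OK = TREE_A_W0 + "NDSPKISDKeyServerDN: cn=SRVB,ou=Servers,o=TreeB\n"
```

Run `check_merged_sdi(MERGED_BAD, TREE_A_W0, TREE_B_W0)` to see the missing TreeB server reported, and the `MERGED_OK` export to see an empty problem list.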

More Information #

There may be more information on this subject on one of the following:

This page (revision-11) was last changed on 29-Dec-2016 15:50 by jim