Overview #

Novell International Cryptographic Infrastructure (NICI) is Novell Inc.'s solution for a cross-platform, policy-driven, independently certified, and extensible cryptography service.

Novell International Cryptographic Infrastructure is the cryptographic module that provides keys, algorithms, various key storage and usage mechanisms, and a large-scale key management system.

Novell International Cryptographic Infrastructure controls the introduction of algorithms and the generation and use of keys. Novell International Cryptographic Infrastructure allows a single commodity version of security products to be produced for worldwide consumption that supports strong cryptography and multiple cryptographic technologies. Initial services built on this infrastructure are Directory Services (Novell eDirectory™), Novell Modular Authentication Service (NMAS), Novell Certificate Server™, Novell SecretStore®, and TLS/SSL.

Novell International Cryptographic Infrastructure first shipped with NetWare® 5.0. This document is provided to help resolve Novell International Cryptographic Infrastructure issues found in the field or during testing of various Novell or third-party products. A particular product may use Novell International Cryptographic Infrastructure directly or indirectly via another module (NLM™, DLL, .so, etc.).

WARNING#

If certain Novell International Cryptographic Infrastructure keys are irrecoverably lost, even backed-up data might be useless, because it cannot be decrypted.

The private keys of server certificates are wrapped by Novell International Cryptographic Infrastructure. Therefore, if the NICI Configuration Files are lost or corrupted, the certificates can no longer be used. These certificates can be backed up as well, by exporting them to a PKCS#12 file (PFX). Detailed information on the procedure can be found in the Certificate Server Administration Guide.

Although the certificates are held in the eDirectory database and can be restored by restoring the database, they are still tied to the server's NICI files. As an added protection, export the certificates to a PFX file and keep it in a safe place. Because the private key is stored in the PFX file, the certificates can then be restored to the server even if the Novell International Cryptographic Infrastructure files are different, or to another server altogether. In the PFX file the certificates are no longer wrapped by Novell International Cryptographic Infrastructure; they are protected by the PFX password instead.
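A PFX backup is only worth keeping if it really contains the private key and that key belongs to the certificate. The following script is an added example, not part of the Novell documentation or the Certificate Server procedure: it builds a constructed self-signed test key and certificate (standing in for a certificate exported from eDirectory), exports them to a password-protected PFX with OpenSSL, and checks the result. It assumes the `openssl` command-line tool is on the PATH; the password and file names are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example (not from the Novell documentation): verify that a PKCS#12 (PFX)
# certificate backup is actually restorable, i.e. it carries a private key and
# that key matches the certificate. Assumes the openssl CLI is on PATH. The key
# and certificate are a constructed self-signed test pair standing in for a
# server certificate exported from eDirectory.
set -u

WORK=$(mktemp -d)
PFX_PASS='correct horse battery staple'   # assumed export password

# Constructed test input: a throwaway RSA key and self-signed certificate.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=edir-test.example" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# A proper backup: key + certificate, protected by the export password.
export_pfx() {
    openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
        -name "edir-test" -passout "pass:$PFX_PASS" -out "$WORK/backup.pfx"
}

# A cert-only export: looks like a backup but cannot restore the private key.
export_cert_only_pfx() {
    openssl pkcs12 -export -nokeys -in "$WORK/server.crt" \
        -passout "pass:$PFX_PASS" -out "$WORK/certonly.pfx"
}

# Usage: pfx_backup_is_restorable FILE PASSWORD
# Returns 0 only if FILE opens with PASSWORD, contains a private key, and the
# key's public half equals the certificate's public key (compared as the
# SHA-256 digest of the DER-encoded SubjectPublicKeyInfo of each).
pfx_backup_is_restorable() {
    pfx=$1; pass=$2
    tmp=$(mktemp -d)
    # Wrong password: the MAC check fails and openssl exits non-zero.
    openssl pkcs12 -in "$pfx" -nocerts -nodes -passin "pass:$pass" \
        -out "$tmp/key.pem" 2>/dev/null || { rm -rf "$tmp"; return 1; }
    # A cert-only PFX parses fine but yields no PRIVATE KEY block.
    grep -q 'PRIVATE KEY' "$tmp/key.pem" 2>/dev/null || { rm -rf "$tmp"; return 1; }
    openssl pkcs12 -in "$pfx" -nokeys -clcerts -passin "pass:$pass" \
        -out "$tmp/cert.pem" 2>/dev/null || { rm -rf "$tmp"; return 1; }
    key_pub=$(openssl pkey -in "$tmp/key.pem" -pubout -outform DER 2>/dev/null \
              | openssl dgst -sha256)
    cert_pub=$(openssl x509 -in "$tmp/cert.pem" -pubkey -noout 2>/dev/null \
               | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    rm -rf "$tmp"
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

make_test_material && export_pfx && export_cert_only_pfx
pfx_backup_is_restorable "$WORK/backup.pfx" "$PFX_PASS"   && echo "backup.pfx: restorable"
pfx_backup_is_restorable "$WORK/certonly.pfx" "$PFX_PASS" || echo "certonly.pfx: NOT restorable (no private key)"
pfx_backup_is_restorable "$WORK/backup.pfx" "wrong"       || echo "backup.pfx with wrong password: cannot open"
```

Run the check against the real exported PFX right after exporting it, and again when the backup is rotated; a backup that fails it is no better than the lost NICI files it was meant to insure against.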

What is or can be affected if Novell International Cryptographic Infrastructure is lost and there is no backup of Novell International Cryptographic Infrastructure or of the certificates:

  • Encrypted Replication policy - Novell Technical Support can be engaged to remote in and remove the Encrypted Replication policy.
  • Encrypted attributes are wrapped via NICI with a server-specific database key, which is in turn wrapped with a server-specific storage key; both keys are held in the eDirectory database within FLAIM. If a server's NICI files are lost, not only is the data in these attributes lost, but the database itself cannot be opened. Because the database storage key is generated when the server is installed with, or upgraded to, eDirectory 8.8 SP1 or higher, the database cannot be opened regardless of whether the encrypted-attribute functionality is in use.
  • No servers can be added to the tree.
  • No passwords can be used or recovered.

Novell International Cryptographic Infrastructure and Licensing#

The NICI Configuration Files are signed and partially encrypted. An invalid license file (NICIFK) renders Novell International Cryptographic Infrastructure nonfunctional.

Novell International Cryptographic Infrastructure Installation#

Note that Novell International Cryptographic Infrastructure does not require a special user to run, except during installation.

Novell International Cryptographic Infrastructure must be installed by a privileged user who can install setuid programs.

Multiple Instances #

When running more than one instance of eDirectory on the same host, we recommend running each instance under a different user ID, so that their cryptographic materials are separated by the host system's own security mechanisms.

Otherwise, the server-based Security Domain Infrastructure private key will be the same for all instances.
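The isolation recommended above can be checked from the shell. The script below is an added example, not part of the Novell documentation: each instance is given as USER:DIR, where DIR is the directory holding that instance's NICI key material (the real path is site-specific and is not assumed here), and the check reports any instance whose directory is not owned by its user or is readable by group or others, and any user ID that runs more than one instance. The directories in the demo at the end are constructed temporary directories owned by the current user.

```shell
#!/bin/sh
# Added example (not from the Novell documentation): check the OS-level isolation
# recommended for several eDirectory instances on one host. Each instance is
# given as USER:DIR, where DIR is that instance's NICI key-storage directory
# (the real path is site-specific and is not assumed here). The demo at the end
# uses constructed temporary directories owned by the current user.
set -u

# Numeric owner uid of a path (ls -n is portable across GNU and BSD).
path_owner_uid() { ls -ldn "$1" | awk '{print $3}'; }

# The six group/other permission characters, "------" for mode 0700.
path_go_perms() { ls -ld "$1" | cut -c5-10; }

# Usage: check_instance_isolation USER:DIR [USER:DIR ...]
# Prints one line per problem and returns the number of problems (0 = isolated).
check_instance_isolation() {
    problems=0
    seen_uids=""
    for pair in "$@"; do
        user=${pair%%:*}
        dir=${pair#*:}
        if ! uid=$(id -u "$user" 2>/dev/null); then
            echo "no such user: $user"; problems=$((problems + 1)); continue
        fi
        # Two instances under one uid share one server SDI private key.
        case " $seen_uids " in
            *" $uid "*) echo "$user ($uid) runs more than one instance"; problems=$((problems + 1)) ;;
        esac
        seen_uids="$seen_uids $uid"
        if [ ! -d "$dir" ]; then
            echo "missing directory: $dir"; problems=$((problems + 1)); continue
        fi
        if [ "$(path_owner_uid "$dir")" != "$uid" ]; then
            echo "$dir is not owned by $user"; problems=$((problems + 1))
        fi
        if [ "$(path_go_perms "$dir")" != "------" ]; then
            echo "$dir is accessible to group/others"; problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Demo with constructed fixtures: both directories belong to the current user
# and the second one is world-readable, so two problems are reported.
DEMO=$(mktemp -d)
mkdir -m 700 "$DEMO/inst1" && mkdir -m 755 "$DEMO/inst2"
ME=$(id -un)
check_instance_isolation "$ME:$DEMO/inst1" "$ME:$DEMO/inst2" || echo "problems found: $?"
```

On a production host, run it with the real service accounts and directories of every instance; a non-zero return means at least one instance's key material is reachable by another instance's account.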

NICISDI#

NICISDI stands for Novell International Cryptographic Infrastructure Security Domain Infrastructure. This module is responsible for managing domain keys, where a domain is typically defined as the whole tree. In the future, it will also be possible to define a directory partition or a custom domain as a security domain.

Up to Novell International Cryptographic Infrastructure version 1.5.x, Novell International Cryptographic Infrastructure supports one single partition key, the partition being the whole tree. Starting with NICI version 2.0.1, NICI can manage multiple partition keys of varying strengths and algorithms. Such keys are called Security Domain keys. On NetWare®, Windows, and (as libniciext.so) on UNIX platforms, the module manages security domain keys in coordination with NICI. Various other services rely on the availability of security domain keys, including but not limited to:

  • SecretStore/Single Sign-On
  • PKI (Certificate Server)
  • NMAS, which includes Universal Password

NOTE: The NICISDI module has nothing to do with the SASDFM module. SASDFM manages session keys between two machines, typically between a client and a server. Both modules are loaded during autoexec.ncf processing on NetWare.

Security domain servers manage security domain keys. Any server can be configured as a security domain server. There can be multiple security domain servers in a tree. Security domain keys are not intended for clients. One tree key is installed by an eDirectory installation. The tree key is created or retrieved from the security domain key server during the server installation.

Determining Which Version Of NICI is Installed#

More Information#

There might be more information for this subject on one of the following:

This page (revision-1) was last changed on 30-Dec-2016 11:10 by jim