TreeKey

Overview

The TreeKey used by eDirectory is a special kind of NICI SDI Key.

The Security Domain Infrastructure for the TreeKey spans the whole eDirectory tree, and the keys are managed automatically by eDirectory and the NICI Security Domain Infrastructure.

In all prior versions of eDirectory, a single Security Domain consisting of the whole tree has been established, and the associated key is often referred to as the TreeKey or sometimes the W0 key (because the SDI Key object used to manage it is CN=W0.CN=KAP.CN=Security). This key is a 3DES key, and every server in an eDirectory tree has the rights to acquire it. This key will continue to be available.

NICI 3.0

Beginning in eDirectory 9.0.0.0 (40002.79) with NICI 3.0, there are two TreeKey objects: CN=W0.CN=KAP.CN=Security, which manages the older 3DES TreeKey (the W0 key), and CN=W1.CN=KAP.CN=Security, which manages the new AES 256-bit TreeKey (the W1 key).

The new AES 256-bit TreeKey requires that all servers in the tree be upgraded to eDirectory 9.0.0.0 (40002.79) before the key is enabled. Although eDirectory 9.0.0.0 (40002.79) automatically creates this SDI Key object, it does not assign a Key server, so the key is not created by default. To enable the new AES 256-bit TreeKey, an administrator must first confirm that every server in the tree has been upgraded to eDirectory 9.0.0.0 (40002.79) and then assign a Key server to the SDI Key object.
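The upgrade precondition above is the one thing an administrator must verify before assigning a Key server to CN=W1.CN=KAP.CN=Security. The following is an added example (not code from the page or from NetIQ/Micro Focus) of a pre-check script that reads an LDIF export of the tree's NCP Server objects, extracts the internal build from each server's version string, and refuses to declare the tree ready if any server is below 40002.79 or has no readable version at all. The `Version` attribute name and the `vNNNNN.NN` value layout are assumptions, and the LDIF is constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# eDirectory 9.0.0.0 is internal build 40002.79 (the page's stated prerequisite
# for enabling the AES 256-bit W1 TreeKey).
REQUIRED_BUILD: Tuple[int, int] = (40002, 79)

# Constructed sample LDIF, as an export of NCP Server objects might look.
# The attribute name 'Version' and the 'vNNNNN.NN' value layout are assumptions,
# not taken from the page. SRV4 deliberately lacks a Version attribute.
SAMPLE_LDIF = """\
dn: cn=SRV1,ou=servers,o=example
Version: NetIQ eDirectory 9.0 SP0 v40002.79

dn: cn=SRV2,ou=servers,o=example
Version: Novell eDirectory 8.8 SP8 v20811.07

dn: cn=SRV3,ou=servers,o=example
Version: NetIQ eDirectory 9.0 SP0 v40002.79

dn: cn=SRV4,ou=servers,o=example
objectClass: ncpServer
"""

_BUILD_RE = re.compile(r"\bv(\d+)\.(\d+)\s*$")


def parse_ldif_versions(ldif: str) -> Dict[str, Optional[str]]:
    """Map each entry's DN to its Version string (None when the attribute is missing)."""
    versions: Dict[str, Optional[str]] = {}
    dn: Optional[str] = None
    for raw in ldif.splitlines():
        line = raw.strip()
        if not line:
            dn = None          # a blank line ends an LDIF entry
            continue
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
            versions.setdefault(dn, None)
        elif dn is not None and line.lower().startswith("version:"):
            versions[dn] = line.split(":", 1)[1].strip()
    return versions


def parse_build(version: Optional[str]) -> Optional[Tuple[int, int]]:
    """Extract the (major, minor) internal build from a version string, or None."""
    if not version:
        return None
    m = _BUILD_RE.search(version)
    return (int(m.group(1)), int(m.group(2))) if m else None


def servers_below(versions: Dict[str, Optional[str]],
                  required: Tuple[int, int] = REQUIRED_BUILD) -> List[str]:
    """DNs that are older than `required` or whose build cannot be determined.

    An unknown build is treated as not upgraded: enabling W1 with an unverified
    server still in the tree is exactly the situation the page says to avoid.
    """
    laggards = []
    for dn, version in versions.items():
        build = parse_build(version)
        if build is None or build < required:
            laggards.append(dn)
    return sorted(laggards)


def ready_for_w1(versions: Dict[str, Optional[str]]) -> bool:
    """True only when the tree is non-empty and every server meets the required build."""
    return len(versions) > 0 and not servers_below(versions)


if __name__ == "__main__":
    found = parse_ldif_versions(SAMPLE_LDIF)
    for dn in servers_below(found):
        print(f"NOT READY: {dn} ({found[dn] or 'no Version attribute'})")
    if ready_for_w1(found):
        print("All servers at or above 40002.79: a Key server may be assigned to W1")
    else:
        print("Do not assign a Key server to CN=W1.CN=KAP.CN=Security yet")
```

Run against the constructed sample it reports SRV2 (still on 8.8) and SRV4 (no version readable) and declines to mark the tree ready; the design choice worth noting is that an unparseable or missing version counts as a failure rather than being skipped, so a server the export did not fully describe cannot silently pass the check.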

Although any server can be configured as a Key server for the TreeKey, it is recommended that only servers holding a ReadWrite replica of the SDI key objects be assigned. It is recommended that the first Key server assigned be the Master replica (for example, the server holding the Master replica of the object CN=W1.CN=KAP.CN=Security).

NICI SDI supports multiple Key servers for any SDI Key, and it is recommended that multiple Key servers be assigned. In NICI 3.0, once a Key server has been assigned to the TreeKey objects, the new Health Check feature will automatically add servers holding a writeable replica of the SDI Key object. The idea is that NICI SDI automatically mirrors the Key servers to your eDirectory replicas.

Various services rely on the availability of TreeKey, including but not limited to SecretStore/Single Sign-On, PKI Novell Certificate Server, and NMAS.
