This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
[{$pagename}] ([SDI]) and [NICI] are tightly related.
[NICISDI] stands for [NICI] [{$pagename}]. The [NICISDI] module is responsible for managing [Keys], where a [Security Domain] is typically defined as the [eDirectory Tree].
When [eDirectory] is installed a few special security objects are created.
First, the [Key Access Partition] ([KAP]) container is created underneath the Security Container. Inside the [KAP] container, the [WX Entries] are created. The [KAP] and [WX Entries] represent the [NICI Security Domain] for the [eDirectory Tree]. A server, or a list of servers, is assigned to be the [Key server]. The [Key server]'s job is to hand out the [SDI Key] or [TreeKey] to other servers in the [eDirectory Tree]. [Security Domain] servers ("[Key server]") manage the [SDI Key] or [TreeKey]. Any [NcpServer] can be configured as a [Key server], so there can be multiple [Security Domain] servers ([Key server]) in an [eDirectory Tree].
!! [NICISDI Keys] types
The [Security Domain Key|SDI Key] is created when the first [NcpServer] is installed. If there is an existing [eDirectory Tree] with the [Security Domain Infrastructure] already in place, the server instead retrieves the [SDI Key] during installation from the [Key server] listed in the [WX Entries].
An [SDI Key] is a key which is held by each server in the [EDirectory Tree].
!! The [Key Access Partition] and [WX Entries]
The [Key Access Partition] and [WX Entries] don't hold a copy of the actual [SDI Key]. The [WX Entries] simply holds the [Distinguished Name] of [ncpServer](s) in the tree ([NDSPKISDKeyServerDN]) which can distribute the [SDI Key] to other [ncpServers].
The actual [SDI Key] is [encrypted|Encryption] and stored on the [File System] of the [ncpServer] in the [NICISDI].KEY file, which is one of the [NICI Configuration Files]. Note: The [NICISDI].KEY file is wrapped with each [ncpServer]'s own Key. Therefore you should never copy or restore the [NICISDI].KEY file from one [ncpServer] to another [ncpServer], as the [Keys] are specific to each [ncpServer].
The main reason why the [SDI Key] [MUST] be the same on all [ncpServers] in an [EDirectory Tree] is that these [keys] are used to [encrypt]/decrypt the following things:
* [Universal Password]
* Users secrets stored in [SecretStore]
* [Data] stored by [NMAS] to allow users to [authenticate]
* Users [Private Keys] created by the [Novell Certificate Server]
%%warning
It is imperative that all [NcpServer] in the same [EDirectory Tree] have the same [SDI Key]. There are cases where there can be multiple [TreeKeys] in an [EDirectory Tree]. Whether you have 20 [TreeKeys] or 1 [TreeKey], all [ncpServers] in the tree need to have all [SDI Keys]. See [NICISDI Tree Key Provider Fault Tolerance|NICISDITreeKeyProviderFaultTolerance].
%%
! [{$pagename}] [NICIEXT] Modules:
Depending on the [Operating System], [NICISDI] is represented by the following modules:
* On [NetWare] - [NICISDI].NLM (nicisdi.nlm)
* On Windows - [NICIEXT].DLM
* On Unix - libniciext.so
[NICISDI] is responsible for managing [SDI Key], where a [NICI Security Domain] is defined as an entire [EDirectory Tree].
Regardless of the operating system there is a [NICISDI].KEY file located on each server's [File System] within a [{$pagename}].
The [NICISDI].KEY file contains the [encrypted] [SDI Key].
This file is stored, depending on the [Operating System], in the following [File System] locations:
* On [NetWare] - SYS:\SYSTEM\NICI\[NICISDI].KEY
* On [Microsoft Windows] - %SystemRoot%\System32\Novell\NICI\[NICISDI].KEY
* On [Linux]/[Unix] - /var/novell/nici/0/[NICISDI].KEY
!! Novell Support
Always consult Novell before you get into trouble. More information can be found here:
* [Troubleshooting SDIDIAG and NICI Problems|http://www.novell.com/coolsolutions/tip/19110.html|target='_blank']
* [Using SDIDiag to gather specific SDKey information from servers|http://www.novell.com/support/viewContent.do?externalId=3455150|target='_blank']
* [Verifying and Resolving Tree Key Inconsistencies with SDIDIAG|http://www.novell.com/support/viewContent.do?externalId=3092072|target='_blank']
!! [Security Domain Infrastructure], how do they sync?
The ['NDSPKI:SD Key Server DN'|NICITreeKeyProvider] [Attribute] is a multi-valued attribute that contains the list of [Security Domain Infrastructure] servers ([Key server]) in the tree. There [MUST] be at least one server in this list.
When a server boots or when [NICISDI], [NICIEXT], or libniciext.so are loaded the ['NDSPKI:SD Key Server DN'|NICITreeKeyProvider] attribute is read. Following this read, [NICISDI], [NICIEXT], or libniciext connects to each server in the list and requests any new [SDI Key] from each server in this list.
__NOTE:__ Only new [SDI Key] retrieval and [Key Revocation] are done automatically on every loading of [NICISDI]. During this process existing security keys are also checked for [Key Revocation].
__NOTE:__ Deletion of a [SDI Key] is NOT automatically done.
!! [Example]
The first [NcpServer] was installed on Server1 and a tree was created called MyTree. The [KAP] and W0 objects were created during the install and the W0 object lists who is the [Key server] (NDSPKI:SD Key Server [DN] attribute on the W0 object). In this case, since this is the first server in the tree, Server1 would be listed as the [Key server] via the [NDSPKI:SD Key Server DN|NICITreeKeyProvider] [attribute] on the W0 object.
When the second server (Server2) is installed into the tree, Server2 asks Server1 to send the [SDI Key]. This way both Server1 and Server2 each hold their own copy of the same [SDI Key] (or Treekey). Each server holds a physical copy of a [NICISDI].KEY.
!! [NICI SDI Tree Key Provider Fault Tolerance|NICISDITreeKeyProviderFaultTolerance]
You can provide [NICI SDI Tree Key Provider Fault Tolerance|NICISDITreeKeyProviderFaultTolerance] so that every server lists every other server in its ['NDSPKI:SD Key Server DN'|NICITreeKeyProvider] attribute.
!! [Security Domain Infrastructure Diagnostic Utility|SDIDIAG]
To obtain specific [Security Domain Key (SDI Key or Treekey)|NICITreeKeyProvider] information from servers or to verify all servers in the tree have the same [SDI Key] use the [SDIDIAG].
We also have compiled some examples of using [SDIDIAG Switches].
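The following added example (not Novell code, not part of this page's original text) models the load-time sync described under "how do they sync?" and the SDIDIAG-style tree-key consistency check from this section. Key IDs, the server DNs and the dict used to stand in for each server's NICISDI.KEY contents are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class NcpServer:
    name: str
    # Constructed stand-in for the local NICISDI.KEY contents: key_id -> revoked flag
    keys: dict = field(default_factory=dict)
    # Values of 'NDSPKI:SD Key Server DN' as read when NICISDI/NICIEXT loads
    sd_key_server_dn: list = field(default_factory=list)

def load_nicisdi(server, tree):
    """Simulate module load: read the key-server list, contact each key server,
    pull any SDI key this server lacks and apply revocations. Nothing is deleted."""
    if not server.sd_key_server_dn:
        raise ValueError("'NDSPKI:SD Key Server DN' must list at least one key server")
    fetched, revoked = [], []
    for dn in server.sd_key_server_dn:
        key_server = tree[dn]
        for key_id, is_revoked in key_server.keys.items():
            if key_id not in server.keys:
                server.keys[key_id] = is_revoked      # new SDI key retrieved
                fetched.append(key_id)
            elif is_revoked and not server.keys[key_id]:
                server.keys[key_id] = True            # existing key found revoked
                revoked.append(key_id)
    return fetched, revoked

def tree_key_report(tree):
    """SDIDIAG-style check: every server must hold every SDI key present anywhere
    in the tree. Returns, per server, the key IDs it is missing."""
    all_keys = set().union(*(s.keys for s in tree.values()))
    return {s.name: sorted(all_keys - set(s.keys)) for s in tree.values()}

def demo():
    # Constructed tree: Server1 is the only key server; Server2 still holds a key
    # ("OLD") that was removed from Server1, which a sync will never clean up.
    ks = "cn=Server1,o=MyTree"
    tree = {
        ks: NcpServer("Server1", {"T1": False, "T2": True}, [ks]),
        "cn=Server2,o=MyTree": NcpServer("Server2", {"T1": False, "T2": False, "OLD": False}, [ks]),
        "cn=Server3,o=MyTree": NcpServer("Server3", {}, [ks]),
    }
    results = {s.name: load_nicisdi(s, tree) for s in tree.values()}
    return tree, results, tree_key_report(tree)

if __name__ == "__main__":
    _, results, report = demo()
    print(results)
    print(report)
```

Server3 pulls both tree keys and Server2 learns that T2 is revoked, but the stale "OLD" key on Server2 survives the sync and shows up as missing on the other two servers in the report.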
!! [NICISDI] and [SASDFM] modules
The [NICISDI] module manages the [TreeKeys]. [SASDFM] manages [Session Keys] between two physical boxes, typically between a [client] and a [server].
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]