Overview

NDSPKISDKeyServerDN is a multi-valued attribute on the W0 or W1 object that contains the list of the Key Servers in the tree for the respective SDI Key object.
There must be at least one server in this list for the SDI Key object to be active. The NICIEXT module reads this attribute, connects to each server in the list, and requests any new Security Domain keys from each of them. Only servers in this list can create and distribute the TreeKey.
Adding a server to this attribute makes that server a Key Server. Although any server can be configured as a Key Server, for the TreeKeys it is recommended that only servers holding a writeable eDirectory replica of the SDI Key object be configured.
NOTE: If a Key Server does not hold a writeable eDirectory replica, additional rights will need to be assigned.
The eDirectory installation automatically populates this attribute for the W0 object, so no administrator action is required for the W0 object.
For the W1 object, an administrator must assign a Key Server to this attribute, after confirming that all servers in the tree have been upgraded to eDirectory 188.8.131.52 (40002.79), in order to enable the new AES 256-bit TreeKey. It is recommended that the first Key Server assigned be the server holding the Master replica of the object CN=W1.CN=KAP.CN=Security.
NDSPKISDKeyServerDN must contain at least one NCP Server DN value; there must always be at least one server in this list.
- NICIEXT requests any new Security Domain keys from each server in this list.
- Existing Security Domain keys are also checked for key revocation.
- However, deletion of a Security Domain key is not done automatically.
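Because an empty NDSPKISDKeyServerDN leaves the SDI Key object inactive, a quick health check is to export the KAP container and confirm that both W0 and W1 carry at least one Key Server DN. The following is an added example, not code from the NetIQ documentation: it parses LDIF text of the kind an ldapsearch of CN=KAP.CN=Security would return (written here in LDAP comma notation, cn=W1,cn=KAP,cn=Security) and reports which SDI Key objects have no Key Server. The LDIF sample, the server names and the o=example context are constructed for the example; the object classes and other attributes of the real objects are deliberately omitted.

```python
"""Check that the W0 and W1 SDI Key objects each list at least one Key Server.

Added example (not part of the NetIQ documentation). Input is LDIF text as
returned by an ldapsearch of the KAP container; attribute names are matched
case-insensitively, folded continuation lines are unfolded, and base64 values
("::") are decoded, as the LDIF format requires.
"""
import base64
from typing import Dict, List, Optional

KEY_SERVER_ATTR = "ndspkisdkeyserverdn"   # NDSPKISDKeyServerDN, lower-cased
SDI_KEY_OBJECTS = ("W0", "W1")
KAP_SUFFIX = ",cn=kap,cn=security"

# Constructed sample: W0 has two Key Servers (one folded across lines),
# W1 has none, so its AES 256-bit TreeKey cannot be active.
SAMPLE_LDIF = """\
dn: cn=W0,cn=KAP,cn=Security
cn: W0
ndspkiSDKeyServerDN: cn=SRV1,ou=servers,o=example
ndspkiSDKeyServerDN: cn=SRV2,ou=servers,o=exam
 ple

dn: cn=W1,cn=KAP,cn=Security
cn: W1
"""


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {dn: {attr_lower: [values]}} for every entry in the LDIF text."""
    # Unfold: a line starting with a space continues the previous line.
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries: Dict[str, Dict[str, List[str]]] = {}
    dn: Optional[str] = None
    attrs: Dict[str, List[str]] = {}
    for line in lines + [""]:            # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):        # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        elif dn is not None:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def key_servers(entries: Dict[str, Dict[str, List[str]]],
                sdi_cn: str) -> Optional[List[str]]:
    """Key Server DNs listed on cn=<sdi_cn>,cn=KAP,cn=Security, or None if absent."""
    wanted = f"cn={sdi_cn}{KAP_SUFFIX}".lower()
    for dn, attrs in entries.items():
        if dn.lower() == wanted:
            return attrs.get(KEY_SERVER_ATTR, [])
    return None


def inactive_sdi_key_objects(ldif_text: str) -> List[str]:
    """Names of SDI Key objects (W0/W1) that are missing or have no Key Server."""
    entries = parse_ldif(ldif_text)
    return [cn for cn in SDI_KEY_OBJECTS if not key_servers(entries, cn)]


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for cn in SDI_KEY_OBJECTS:
        print(cn, "key servers:", key_servers(parsed, cn))
    for cn in inactive_sdi_key_objects(SAMPLE_LDIF):
        print(f"WARNING: {cn} has no NDSPKISDKeyServerDN value; SDI Key object is not active")
```

Feed it the real export instead of SAMPLE_LDIF (for example the output of an ldapsearch with base cn=KAP,cn=Security requesting the ndspkiSDKeyServerDN attribute) and treat any name returned by inactive_sdi_key_objects as a finding: an empty list on W1 after the tree-wide upgrade means the AES 256-bit TreeKey was never enabled, and an empty list on W0 means no server can create or distribute the TreeKey at all.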