NDSPKISDKeyServerDN

Overview#

NDSPKISDKeyServerDN is a multi-valued attribute on the W0 or W1 objects that contains the list of the key servers in the tree for the respective SDI Key object.

There must be at least one server in this list for the SDI Key object to be active. The NICIEXT module reads this attribute, connects to each server in the list and requests any new Security Domain keys from it. Only servers in this list can create and distribute the TreeKey.

Adding a server to this attribute makes that server a Key server. Although any server can be configured as a “Key server”, for the TreeKeys it is recommended that only servers holding a writeable eDirectory replica of the SDI Key object be configured.

NOTE: If a key server does not hold a writeable eDirectory replica, additional rights will need to be assigned.

The eDirectory installation will automatically populate this attribute for the W0 object, so no action is required by an administrator for the W0 object.

For the W1 object, an administrator will need to assign a Key Server to this attribute, after confirming that all servers in the tree have been upgraded to eDirectory 9.0.0.0 (40002.79), in order to enable the new AES 256-bit TreeKey. It is recommended that the first Key server assigned be the one holding the Master replica (for example, the server holding the Master replica of the object CN=W1.CN=KAP.CN=Security).


NICI 2.0.1 and newer versions, which are distributed with NetWare 6 or later, make use of this attribute; more than one key server may be listed in it to maintain fault tolerance.

NDSPKISDKeyServerDN must contain at least one NcpServer DN value.

NICISDI or NICIEXT reads NDSPKISDKeyServerDN each time it loads (normally when eDirectory starts).

Then, NICISDI or NICIEXT connects to each server in NDSPKISDKeyServerDN, and

  • requests any new security domain keys from each server in the list
  • checks existing security domain keys for Key Revocation
  • does not, however, automatically delete a security domain key

Only new key retrieval (not creation) and Key Revocation are done automatically on every loading of NICISDI or NICIEXT, or periodically as configured by the NICISDI Sync Period.

NDS Tree Merge#

In the case of an NDS Tree Merge, add the new SDI key server's name to this list after the trees are merged, and reboot all the servers in the tree unless periodic synchronization is enabled. The final list MUST contain the names of the SDI Key servers from all trees.

Category#

eDirectory
