Security Domain Infrastructure

Overview#

Security Domain Infrastructure (SDI) and NICI are tightly related.

NICISDI stands for NICI Security Domain Infrastructure. The NICISDI module is responsible for managing Keys, where a Security Domain is typically defined as the eDirectory Tree.

When eDirectory is installed a few special security objects are created.

First, the Key Access Partition (KAP) container is created underneath the Security Container. Inside the KAP container, the WX Entries are created. The KAP and WX Entries represent the NICI Security Domain for the eDirectory Tree. A server, or a list of servers, is assigned to be the Key server. The Key server's job is to hand out the SDI Key (TreeKey) to the other servers in the eDirectory Tree. Security Domain servers ("Key servers") manage the SDI Key or TreeKey. Any NcpServer can be configured as a Key server, so there can be multiple Security Domain servers (Key servers) in an eDirectory Tree.

NICISDI Key types#

The Security Domain Key is created when the first NcpServer is installed. If there is an existing eDirectory Tree with the Security Domain Infrastructure already in place, the new server instead retrieves the SDI Key during installation from a Key server listed in the WX Entries.

An SDI Key is a key held by every server in the eDirectory Tree.

The Key Access Partition and WX Entries #

The Key Access Partition and WX Entries don't hold a copy of the actual SDI Key. The WX Entries simply hold the Distinguished Names of the ncpServer(s) in the tree (attribute NDSPKI:SD Key Server DN) which can distribute the SDI Key to other ncpServers.

The actual SDI Key is encrypted and stored on the File System of the ncpServer in the NICISDI.KEY file, which is one of the NICI Configuration Files.

Note: The NICISDI.KEY file is wrapped with each ncpServer's own Key. Therefore you should never copy or restore the NICISDI.KEY file from one ncpServer to another ncpServer, as the Keys are specific to each ncpServer.

The main reason why the SDI Key MUST be the same on all ncpServers in an eDirectory Tree is that these keys are used to encrypt/decrypt the following things:

It is imperative that all NcpServers in the same eDirectory Tree have the same SDI Key. There are cases where there can be multiple TreeKeys in an eDirectory Tree. Whether you have 20 TreeKeys or 1 TreeKey, all ncpServers in the tree need to have all SDI Keys.

See also: NICISDI Tree Key Provider Fault Tolerance.

Security Domain Infrastructure NICIEXT Modules:#

Depending on the Operating System, NICISDI is represented by the following modules:

NICISDI is responsible for managing the SDI Key, where a NICI Security Domain is defined as an entire eDirectory Tree.

Regardless of the operating system there is a NICISDI.KEY file located on each server's File System within a Security Domain Infrastructure. The NICISDI.KEY file contains the encrypted SDI Key.

This file is stored, depending on the Operating System, in the following File System locations:

Novell Support#

Always consult Novell before you get into trouble. More information can be found at the following:

Security Domain Infrastructure, how do they sync?#

The 'NDSPKI:SD Key Server DN' attribute is a multi-valued attribute that contains the list of Security Domain Infrastructure servers (Key servers) in the tree. There MUST be at least one server in this list.

When a server boots, or when NICISDI, NICIEXT, or libniciext.so is loaded, the 'NDSPKI:SD Key Server DN' attribute is read. Following this read, NICISDI, NICIEXT, or libniciext connects to each server in the list and requests any new SDI Keys from it.

NOTE: Only new SDI Key retrieval and Key Revocation are done automatically on every load of NICISDI. During this process existing security keys are also checked for Key Revocation.

NOTE: Deletion of an SDI Key is NOT done automatically.

Example#

The first NcpServer was installed on Server1 and a tree was created called MyTree. The KAP and W0 objects were created during the install and the W0 object lists who is the Key server (NDSPKI:SD Key Server DN attribute on the W0 object). In this case, since this is the first server in the tree, Server1 would be listed as the Key server via the NDSPKI:SD Key Server DN attribute on the W0 object.

When the second server (Server2) is installed into the tree, Server2 asks Server1 to send the SDI Key. This way Server1 and Server2 each hold their own copy of the SDI Key (or TreeKey). Each server holds a physical copy of NICISDI.KEY.

NICI SDI Tree Key Provider Fault Tolerance#

You can provide NICI SDI Tree Key Provider Fault Tolerance so that every server would have every other server's 'NDSPKI:SD Key Server DN'.
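The synchronisation described above (read 'NDSPKI:SD Key Server DN', contact each listed Key server, pull new SDI Keys, apply revocations, never delete), the Server1/Server2 example, and the fault-tolerance idea of listing more than one Key server, as one added example. This is illustrative code written for this page, not NICI, NICISDI or eDirectory code: the data structures, the DNs, the key ids K1/K2 and the key-rollover step are constructed assumptions.

```python
# Added example (not NICI/eDirectory code): a small model of how servers pull
# the SDI Key (TreeKey) from the Key servers listed in 'NDSPKI:SD Key Server DN'
# when NICISDI loads. Data structures, names and the rollover step are
# constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class TreeKey:
    key_id: str
    material: bytes          # constructed placeholder for the real key material
    revoked: bool = False


@dataclass
class Server:
    dn: str
    online: bool = True
    # Stands in for the contents of this server's NICISDI.KEY: key id -> TreeKey.
    keys: dict = field(default_factory=dict)


@dataclass
class WXEntry:
    # Multi-valued 'NDSPKI:SD Key Server DN' attribute: DNs of the Key servers.
    sd_key_server_dn: list = field(default_factory=list)


def sync_on_load(server, wx, tree, log):
    """Model of what NICISDI does on load: read the attribute, contact each
    listed Key server, pull SDI Keys this server lacks and apply revocations.
    Keys are never deleted here, mirroring the note that deletion is not
    automatic."""
    if not wx.sd_key_server_dn:
        raise RuntimeError("'NDSPKI:SD Key Server DN' must list at least one Key server")
    for dn in wx.sd_key_server_dn:
        key_server = tree[dn]
        if key_server is server:
            continue                      # a Key server does not pull from itself
        if not key_server.online:
            log.append(f"{server.dn}: Key server {dn} unreachable, trying next")
            continue
        for key_id, remote in key_server.keys.items():
            local = server.keys.get(key_id)
            if local is None:
                server.keys[key_id] = TreeKey(key_id, remote.material, remote.revoked)
                log.append(f"{server.dn}: retrieved SDI Key {key_id} from {dn}")
            elif remote.revoked and not local.revoked:
                local.revoked = True
                log.append(f"{server.dn}: SDI Key {key_id} marked revoked per {dn}")


def run_scenario():
    """MyTree: Server1 creates the tree and the first TreeKey; Server2 joins;
    a second TreeKey is issued and the first revoked; Server1 goes offline and
    Server2 (added as a second Key server) serves Server3. Returns the final
    state for inspection."""
    log = []
    wx = WXEntry()
    s1 = Server("CN=Server1,O=MyTree")
    s1.keys["K1"] = TreeKey("K1", b"constructed-treekey-1")   # first server creates the SDI Key
    wx.sd_key_server_dn.append(s1.dn)
    tree = {s1.dn: s1}

    s2 = Server("CN=Server2,O=MyTree")
    tree[s2.dn] = s2
    sync_on_load(s2, wx, tree, log)          # install of Server2: pulls K1 from Server1

    # Rollover (constructed step): the Key server issues K2 and revokes K1.
    s1.keys["K2"] = TreeKey("K2", b"constructed-treekey-2")
    s1.keys["K1"].revoked = True
    sync_on_load(s2, wx, tree, log)          # next load: K2 arrives, K1 flagged, nothing deleted

    # Fault tolerance: list Server2 as a Key server too, then take Server1 down.
    wx.sd_key_server_dn.append(s2.dn)
    s1.online = False
    s3 = Server("CN=Server3,O=MyTree")
    tree[s3.dn] = s3
    sync_on_load(s3, wx, tree, log)          # Server1 unreachable, Server2 serves K1 and K2

    return {
        "key_ids": {dn: sorted(srv.keys) for dn, srv in tree.items()},
        "revoked_on_server3": sorted(k for k, v in s3.keys.items() if v.revoked),
        "log": log,
    }


if __name__ == "__main__":
    for line in run_scenario()["log"]:
        print(line)
```

With only Server1 in the attribute, Server3's install would have found no reachable Key server; adding Server2 to 'NDSPKI:SD Key Server DN' is what lets the tree keep distributing the SDI Key while Server1 is down. The revoked K1 stays in every store, since removal is a separate administrative step.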

Security Domain Infrastructure Diagnostic Utility#

To obtain specific Security Domain Key (SDI Key or TreeKey) information from servers, or to verify that all servers in the tree have the same SDI Key, use SDIDIAG.

We have also compiled some examples of using SDIDIAG Switches.
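The two checks a practitioner wants from such a verification, as an added example that is not SDIDIAG or any Novell tool: every server holds every SDI Key known in the tree, and each server's NICISDI.KEY is its own rather than a copy restored from another server (which, per the note above, is wrapped with that other server's key and useless on the wrong server). The report line format and the `wrapped_for` field are assumptions constructed for this example.

```python
# Added example (not SDIDIAG): a tree-wide SDI Key consistency check over a
# constructed per-server report. The report format and the 'wrapped_for'
# field are assumptions made for this example.
SAMPLE_REPORT = """\
Server1 wrapped_for=Server1 keys=K1,K2
Server2 wrapped_for=Server1 keys=K1,K2
Server3 wrapped_for=Server3 keys=K1
"""


def parse_report(text):
    """Return {server: {"wrapped_for": str, "keys": set}} from report lines."""
    snapshots = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        keys = {k for k in kv.get("keys", "").split(",") if k}
        snapshots[name] = {"wrapped_for": kv.get("wrapped_for", name), "keys": keys}
    return snapshots


def check_tree_keys(snapshots):
    """Every server must hold every SDI Key present anywhere in the tree, and
    each NICISDI.KEY must belong to the server it sits on (a file copied from
    another server is wrapped with that server's key)."""
    all_keys = set().union(*(s["keys"] for s in snapshots.values()))
    findings = []
    for name in sorted(snapshots):
        snap = snapshots[name]
        missing = sorted(all_keys - snap["keys"])
        if missing:
            findings.append((name, "missing SDI Keys", missing))
        if snap["wrapped_for"] != name:
            findings.append((name, "NICISDI.KEY wrapped for another server", snap["wrapped_for"]))
    return {"all_keys": sorted(all_keys), "findings": findings, "consistent": not findings}


def run_check(text=SAMPLE_REPORT):
    return check_tree_keys(parse_report(text))


if __name__ == "__main__":
    result = run_check()
    print("SDI Keys in tree:", result["all_keys"])
    for server, problem, detail in result["findings"]:
        print(f"{server}: {problem}: {detail}")
```

On the constructed report, Server2 is flagged because its NICISDI.KEY was wrapped for Server1, and Server3 is flagged because it never received K2; a server in the second state will fail to decrypt anything protected with the newer TreeKey until it retrieves it from a Key server.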

NICISDI and SASDFM modules#

The NICISDI module manages the TreeKeys. SASDFM manages Session Keys between two physical boxes, typically between a client and a server.

More Information#

There might be more information for this subject on one of the following: