TreeKeys, as used in eDirectory, are a special kind of NICI SDI Key and are available to all servers in the NDS Tree-name.

When multiple servers need access to the same encrypted data, eDirectory uses the TreeKey to provide that access while still keeping the data secure, in conjunction with eDirectory rights. In all eDirectory versions prior to EDirectory (40002.79), a single Security Domain Infrastructure consisting of the whole tree was established, and the associated TreeKey is sometimes called the "W0" key (because the SDI Key object used to manage it is CN=W0.CN=KAP.CN=Security). This key is a 3DES SDI Key, and all the servers in an eDirectory tree have the rights to acquire it. This key will continue to be available.

NICI 3.0#

Beginning in EDirectory (40002.79) with NICI 3.0, there are now two TreeKey objects, CN=W0.CN=KAP.CN=Security which manages the older 3DES TreeKey (or the W0 key), and CN=W1.CN=KAP.CN=Security which manages the new AES 256-bit TreeKey (or the W1 key).

The new AES 256-bit TreeKey requires that all servers in the tree be upgraded to EDirectory (40002.79) before this key is enabled. Although EDirectory (40002.79) will automatically create this SDI Key object, it will not assign a Key server, and the key will not be created by default. An administrator will need to assign a Key server to the SDI Key object, after confirming that all servers in the tree have been upgraded to EDirectory (40002.79), in order to enable the new AES 256-bit TreeKey.

Although any server can be configured as a Key server for the TreeKey, it is recommended that only servers holding a ReadWrite replica of the SDI Key objects be assigned. It is recommended that the first Key server assigned be the Master replica (for example, the server holding the Master replica of the object CN=W1.CN=KAP.CN=Security).

NICISDI supports multiple Key servers for any SDI Key, and it is recommended that multiple Key servers be assigned. In NICI 3.0, once a Key server has been assigned to the TreeKey objects, the new Health-Check feature will automatically add servers holding a writable eDirectory replica of the SDI Key object. The idea is that NICI SDI automatically mirrors the Key servers to your eDirectory replicas.
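The pre-flight check an administrator would run before assigning the first Key server to the W1 object, written here as an added example (not eDirectory or NICI tooling): the server inventory is constructed inline, the helper names (Server, w1_readiness) are hypothetical, and version strings are assumed to compare as dotted integer tuples.

```python
"""Readiness check before enabling the AES 256-bit TreeKey (W1) in NICI 3.0.

Added illustration, not eDirectory/NICI code. Assumptions: build strings such as
"40002.79" compare as dotted integer tuples; the replica field describes the
replica a server holds for the partition containing CN=W1.CN=KAP.CN=Security.
"""
from dataclasses import dataclass
from typing import List

W1_DN = "CN=W1.CN=KAP.CN=Security"
MIN_VERSION = "40002.79"  # first release that ships NICI 3.0 and creates the W1 object


@dataclass
class Server:
    name: str
    version: str              # eDirectory build, e.g. "40002.79"
    replica: str              # "Master", "ReadWrite", "ReadOnly" or "None"
    key_server: bool = False  # already assigned as a Key server on the W1 object


@dataclass
class Readiness:
    can_enable: bool          # every server meets MIN_VERSION
    outdated: List[str]       # servers that must be upgraded first
    candidates: List[str]     # recommended Key servers: Master first, then ReadWrite holders
    pending_mirror: List[str]  # writable-replica holders Health-Check should still add


def parse_version(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


def w1_readiness(servers: List[Server]) -> Readiness:
    outdated = [s.name for s in servers if parse_version(s.version) < parse_version(MIN_VERSION)]
    master = [s.name for s in servers if s.replica == "Master"]
    read_write = [s.name for s in servers if s.replica == "ReadWrite"]
    # Health-Check only mirrors Key servers onto writable replicas once a first Key server exists.
    any_assigned = any(s.key_server for s in servers)
    pending = [s.name for s in servers
               if any_assigned and s.replica in ("Master", "ReadWrite") and not s.key_server]
    return Readiness(not outdated, outdated, master + read_write, pending)


# Constructed sample tree: one server is still on an older build, so W1 must not be enabled yet.
TREE = [
    Server("srv-master", "40002.79", "Master"),
    Server("srv-rw1", "40002.79", "ReadWrite"),
    Server("srv-ro", "40002.79", "ReadOnly"),
    Server("srv-legacy", "40002.70", "None"),
]

if __name__ == "__main__":
    print(w1_readiness(TREE))
```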

Various services rely on the availability of TreeKey, including but not limited to SecretStore/Single Sign-On, PKI Novell Certificate Server, and NMAS.
