Adding a server to this attribute makes that server a Key Server. Although any server can be configured as a Key Server for the tree keys, it is recommended that only servers holding a writeable eDirectory replica of the SDI key object be configured.
NOTE: If a Key Server does not hold a writeable eDirectory replica, additional rights will need to be assigned.
The eDirectory installation will automatically populate this attribute for the W0 object, so no action is required by an administrator for the W0 object.
For the W1 object, an administrator will need to assign a Key Server to this attribute, after confirming that all servers in the tree have been upgraded to eDirectory 9.0.0.0 (40002.79), in order to enable the new AES 256-bit TreeKey. It is recommended that the first Key Server assigned be the server holding the Master replica (for example, the Master replica of the object CN=W1.CN=KAP.CN=Security).
There must be at least one server in this list.
NICI 2.0.1 and newer versions, which are distributed with NetWare 6 or later, make use of this attribute, which may be implemented to maintain fault tolerance.
NDSPKISDKeyServerDN must contain at least one NcpServer DN value.
NICISDI or NICIEXT reads NDSPKISDKeyServerDN each time it loads (normally when eDirectory starts).
Then, NICISDI or NICIEXT connects to each server in NDSPKISDKeyServerDN, and
Only new key retrieval (not creation) and key revocation are done automatically each time NICISDI or NICIEXT loads, or periodically as configured by the NICISDI Sync Period.
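
The rules above (at least one Key Server per object, writeable replicas preferred, and no W1 Key Server until every server is upgraded) can be checked offline before changing the attribute. The following is an added example, not code from the original page or from the product; the inventory layout, server DNs, the older build string, and the replica labels are constructed assumptions.

```python
# Added example: offline audit of SDI key-server configuration.
# All DNs, builds and replica labels below are constructed sample data.

MIN_BUILD = (40002, 79)              # eDirectory 9.0.0.0 build quoted on the page
WRITABLE = {"master", "read/write"}  # assumed labels for writeable replica types

# Constructed inventory: server DN -> (build string, replica type of the key object)
SAMPLE_SERVERS = {
    "CN=srv1.O=example": ("40002.79", "master"),
    "CN=srv2.O=example": ("40002.79", "read/write"),
    "CN=srv3.O=example": ("20000.01", "none"),
}
# Constructed values of NDSPKISDKeyServerDN per key object
SAMPLE_KEY_OBJECTS = {
    "CN=W0.CN=KAP.CN=Security": ["CN=srv1.O=example", "CN=srv3.O=example"],
    "CN=W1.CN=KAP.CN=Security": [],
}

def parse_build(text):
    """Turn '40002.79' into (40002, 79) so builds compare numerically."""
    major, minor = text.strip().split(".")
    return int(major), int(minor)

def outdated_servers(servers):
    """Servers whose build is older than the one required for the W1 key."""
    return sorted(dn for dn, (build, _) in servers.items()
                  if parse_build(build) < MIN_BUILD)

def audit(key_objects, servers):
    """Return (object DN, finding) pairs for the rules stated in the text."""
    findings = []
    old = outdated_servers(servers)
    for obj, key_servers in key_objects.items():
        if not key_servers:
            findings.append((obj, "no key server listed"))
        for ks in key_servers:
            replica = servers.get(ks, (None, "unknown"))[1].lower()
            if replica not in WRITABLE:
                findings.append((obj, f"{ks}: no writable replica, extra rights needed"))
        # W1 must only get a key server once every server in the tree is upgraded
        if obj.upper().startswith("CN=W1.") and key_servers and old:
            findings.append((obj, "not yet upgraded: " + ", ".join(old)))
    return findings

if __name__ == "__main__":
    for obj, msg in audit(SAMPLE_KEY_OBJECTS, SAMPLE_SERVERS):
        print(f"{obj}: {msg}")
```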