NICI SDI Tree Key Provider Fault-tolerance #
An easy way to add fault tolerance to NICI is to designate more than one server as the NICITreeKeyProvider (more precisely, a "Security Domain Infrastructure Key Server") for the tree. With more than one SDI Key Server, you eliminate a single point of failure for NICI and for anything that relies on the tree SDI key, such as Universal Password and SecretStore.

Use Security Domain Infrastructure Diagnostic Utility #
You can, and probably should, use SDIDIAG to add NICI servers to the Security Domain Infrastructure.

List the existing keys #
To list the existing keys:

```
SDIDIAG> lk
Displaying keys in domain W0, object .W0.KAP.Security.DEV_CORP.
Displaying keys on .server2.srv.WILLEKE.COM.WILLEKETREE.
  Server       : .server2.srv.WILLEKE.COM.WILLEKETREE.
  SDKey        : 1
  Object Class : Secret Key
  Key Size     : 168 bits
  Key Usage    : 0x4400C0
  Key Format   : DES-EDE3-CBC-IV8
  Key Id       : 2B 7F BB E6 89 4A F9 B4 2B 2F C3 C9 2E 23 5D 43
  Validity     : Sun Sep 26 09:37:59 2006 - Sun Feb 03 23:59:00 2036
```
Add other NcpServers #
Add all Write partition NcpServers as Security Domain Infrastructure Domain Key Servers:

```
SDIDIAG> AP
*** [Adding SDI Domain Key Servers - BEGIN] ***
Checking Server .server2.srv.WILLEKE.COM.WILLEKETREE. - Currently an SDI Domain Key Server.
Checking Server .server3.srv.WILLEKE.COM.WILLEKETREE. - Added as SDI Domain Key Server.
Checking Server .server4.srv.WILLEKE.COM.WILLEKETREE. - Added as SDI Domain Key Server.
*** [Adding SDI Domain Key Servers - END] ***
```

Check SDI Keys for Domain Problems #

```
SDIDIAG> check
*** [Key Consistency Check - BEGIN] ***
[Checking SDI Domain]
SDI Check Domain Configuration...
SDI Domain Key Server .server4.srv.WILLEKE.COM.WILLEKETREE. - Configuration is good.
SDI Domain Key Server .server3.srv.WILLEKE.COM.WILLEKETREE. - Configuration is good.
SDI Domain Key Server .server2.srv.WILLEKE.COM.WILLEKETREE. - Configuration is good.
*** SDI Check Domain Configuration is [GOOD]
SDI Check Domain Keys...
SDI Domain Key Server .server2.srv.WILLEKE.COM.WILLEKETREE. - Keys are good.
SDI Domain Key Server .server4.srv.WILLEKE.COM.WILLEKETREE. - Keys are good.
SDI Domain Key Server .server3.srv.WILLEKE.COM.WILLEKETREE. - Keys are good.
*** SDI Check Domain Keys are [GOOD]
[Checking SDI Domain: GOOD]
*** No Problems Found ***
*** [Key Consistency Check - END] ***
SDIDIAG>
```
List Server SDI Keys #
NOTE: The "Key Size" must be at least 168 bits for Universal Password to operate.

```
SDIDIAG> lk
Displaying keys in domain W0, object .W0.KAP.Security.DEV_CORP.
Displaying keys on .server4.srv.WILLEKE.COM.WILLEKETREE.
  Server       : .server4.srv.WILLEKE.COM.WILLEKETREE.
  SDKey        : 1
  Object Class : Secret Key
  Key Size     : 168 bits
  Key Usage    : 0x4400C0
  Key Format   : DES-EDE3-CBC-IV8
  Key Id       : 2B 7F BB E6 89 4A F9 B4 2B 2F C3 C9 2E 23 5D 43
  Validity     : Sun Sep 26 09:37:59 2006 - Sun Feb 03 23:59:00 2036
Displaying keys on .server3.srv.WILLEKE.COM.WILLEKETREE.
  Server       : .server3.srv.WILLEKE.COM.WILLEKETREE.
  SDKey        : 1
  Object Class : Secret Key
  Key Size     : 168 bits
  Key Usage    : 0x4400C0
  Key Format   : DES-EDE3-CBC-IV8
  Key Id       : 2B 7F BB E6 89 4A F9 B4 2B 2F C3 C9 2E 23 5D 43
  Validity     : Sun Sep 26 09:37:59 2006 - Sun Feb 03 23:59:00 2036
Displaying keys on .server2.srv.WILLEKE.COM.WILLEKETREE.
  Server       : .server2.srv.WILLEKE.COM.WILLEKETREE.
  SDKey        : 1
  Object Class : Secret Key
  Key Size     : 168 bits
  Key Usage    : 0x4400C0
  Key Format   : DES-EDE3-CBC-IV8
  Key Id       : 2B 7F BB E6 89 4A F9 B4 2B 2F C3 C9 2E 23 5D 43
  Validity     : Sun Sep 26 09:37:59 2006 - Sun Feb 03 23:59:00 2036
```
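As an added example (not part of this page and not a SDIDIAG feature), the Python below parses `lk` output in the layout shown above and applies the checks this page describes: at least two SDI Domain Key Servers, one shared Key Id across them, a key size of at least 168 bits, and a validity window that covers the current date. The two-server sample text and the names `SAMPLE_LK`, `MIN_KEY_BITS`, `parse_lk`, `parse_ts` and `check_sdi_keys` are constructed for this example.

```python
from datetime import datetime
# Constructed sample in the layout of the `SDIDIAG> lk` output on this page (two servers).
SAMPLE_LK = """\
Displaying keys in domain W0, object .W0.KAP.Security.DEV_CORP.
Displaying keys on .server2.srv.WILLEKE.COM.WILLEKETREE.
Server : .server2.srv.WILLEKE.COM.WILLEKETREE.
Key Size : 168 bits
Key Format : DES-EDE3-CBC-IV8
Key Id : 2B 7F BB E6 89 4A F9 B4 2B 2F C3 C9 2E 23 5D 43
Validity : Sun Sep 26 09:37:59 2006 - Sun Feb 03 23:59:00 2036
Displaying keys on .server3.srv.WILLEKE.COM.WILLEKETREE.
Server : .server3.srv.WILLEKE.COM.WILLEKETREE.
Key Size : 168 bits
Key Format : DES-EDE3-CBC-IV8
Key Id : 2B 7F BB E6 89 4A F9 B4 2B 2F C3 C9 2E 23 5D 43
Validity : Sun Sep 26 09:37:59 2006 - Sun Feb 03 23:59:00 2036
"""
MIN_KEY_BITS = 168  # Universal Password needs a key of at least 168 bits (page NOTE)

def parse_lk(text):
    """Split `lk` output into one {field: value} dict per 'Server :' block."""
    servers = []
    for line in text.splitlines():
        field, sep, value = (x.strip() for x in line.partition(":"))
        if sep and field == "Server":
            servers.append({})          # a new server block starts here
        if sep and servers:
            servers[-1][field] = value  # lines before the first Server are ignored
    return servers

def parse_ts(s):
    # Drop the weekday name, then parse e.g. "Sep 26 09:37:59 2006".
    return datetime.strptime(" ".join(s.split()[1:]), "%b %d %H:%M:%S %Y")

def check_sdi_keys(text, now):
    """Return a list of problems; empty means every server holds the same strong, valid key."""
    servers, problems = parse_lk(text), []
    if len(servers) < 2:
        problems.append("only one SDI Domain Key Server: single point of failure")
    if len({s["Key Id"] for s in servers}) > 1:
        problems.append("Key Id differs between servers: domain keys are inconsistent")
    for s in servers:
        bits = int(s["Key Size"].split()[0])
        if bits < MIN_KEY_BITS:
            problems.append(f"{s['Server']}: key size {bits} bits is below {MIN_KEY_BITS}")
        start, end = (parse_ts(p) for p in s["Validity"].split(" - "))
        if not start <= now <= end:
            problems.append(f"{s['Server']}: key is not valid on {now:%Y-%m-%d}")
    return problems
```

Running `check_sdi_keys` over the real `lk` output after `AP` should return an empty list, matching the `*** No Problems Found ***` result of `check`; a server still showing a different Key Id or a key shorter than 168 bits is reported by name.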