!!! NICI SDI Tree Key Provider Fault-tolerance
An easy way to add fault-tolerance to [NICI] is to designate more than one server as the [NICITreeKeyProvider] (more precisely a "[Security Domain Infrastructure] Key Server") for the tree. With more than one [SDI Key] provider, you eliminate a single point of failure for [NICI] and anything that relies on the tree [SDI Key] such as [Universal Password] and [SecretStore].
!! Use [Security Domain Infrastructure Diagnostic Utility|SDIDIAG]
You can and probably should use [SDIDIAG] to add [NICI] servers to the [Security Domain Infrastructure].
!! List the existing keys
To list the existing keys:
{{{
SDIDIAG> lk
Displaying keys in domain W0, object .W0.KAP.Security.DEV_CORP.
Displaying keys on .server2.srv.WILLEKE.COM.WILLEKETREE.
Server : .server2.srv.WILLEKE.COM.WILLEKETREE.
SDKey : 1
Object Class : Secret Key
Key Size : 168 bits
Key Usage : 0x4400C0
Key Format : DES-EDE3-CBC-IV8
Key Id : 2B 7F BB E6 89 4A F9 B4 2B 2F C3 C9 2E 23 5D 43
Validity : Sun Sep 26 09:37:59 2006 - Sun Feb 03 23:59:00 2036
}}}
!! Add other [NcpServers]
Add all [NcpServers] that hold a writable replica of the [Partition] as [Security Domain Infrastructure] Domain Key Servers:
{{{
SDIDIAG> AP
*** [Adding SDI Domain Key Servers - BEGIN] ***
Checking Server .server2.srv.WILLEKE.COM.WILLEKETREE.
- Currently an SDI Domain Key Server.
Checking Server .server3.srv.WILLEKE.COM.WILLEKETREE.
- Added as SDI Domain Key Server.
Checking Server .server4.srv.WILLEKE.COM.WILLEKETREE.
- Added as SDI Domain Key Server.
*** [Adding SDI Domain Key Servers - END] ***
}}}
!! Check [SDI Keys] for Domain Problems
{{{
SDIDIAG> check
*** [Key Consistency Check - BEGIN] ***
[Checking SDI Domain]
SDI Check Domain Configuration...
SDI Domain Key Server .server4.srv.WILLEKE.COM.WILLEKETREE.
- Configuration is good.
SDI Domain Key Server .server3.srv.WILLEKE.COM.WILLEKETREE.
- Configuration is good.
SDI Domain Key Server .server2.srv.WILLEKE.COM.WILLEKETREE.
- Configuration is good.
*** SDI Check Domain Configuration is [GOOD]
SDI Check Domain Keys...
SDI Domain Key Server .server2.srv.WILLEKE.COM.WILLEKETREE.
- Keys are good.
SDI Domain Key Server .server4.srv.WILLEKE.COM.WILLEKETREE.
- Keys are good.
SDI Domain Key Server .server3.srv.WILLEKE.COM.WILLEKETREE.
- Keys are good.
*** SDI Check Domain Keys are [GOOD]
[Checking SDI Domain: GOOD]
*** No Problems Found ***
*** [Key Consistency Check - END] ***
SDIDIAG>
}}}
!! List Server [SDI Keys]
NOTE: The "Key Size" must be at least 168 bits for Universal Password to operate.
{{{
SDIDIAG> lk
Displaying keys in domain W0, object .W0.KAP.Security.DEV_CORP.
Displaying keys on .server4.srv.WILLEKE.COM.WILLEKETREE.
Server : .server4.srv.WILLEKE.COM.WILLEKETREE.
SDKey : 1
Object Class : Secret Key
Key Size : 168 bits
Key Usage : 0x4400C0
Key Format : DES-EDE3-CBC-IV8
Key Id : 2B 7F BB E6 89 4A F9 B4 2B 2F C3 C9 2E 23 5D 43
Validity : Sun Sep 26 09:37:59 2006 - Sun Feb 03 23:59:00 2036
Displaying keys on .server3.srv.WILLEKE.COM.WILLEKETREE.
Server : .server3.srv.WILLEKE.COM.WILLEKETREE.
SDKey : 1
Object Class : Secret Key
Key Size : 168 bits
Key Usage : 0x4400C0
Key Format : DES-EDE3-CBC-IV8
Key Id : 2B 7F BB E6 89 4A F9 B4 2B 2F C3 C9 2E 23 5D 43
Validity : Sun Sep 26 09:37:59 2006 - Sun Feb 03 23:59:00 2036
Displaying keys on .server2.srv.WILLEKE.COM.WILLEKETREE.
Server : .server2.srv.WILLEKE.COM.WILLEKETREE.
SDKey : 1
Object Class : Secret Key
Key Size : 168 bits
Key Usage : 0x4400C0
Key Format : DES-EDE3-CBC-IV8
Key Id : 2B 7F BB E6 89 4A F9 B4 2B 2F C3 C9 2E 23 5D 43
Validity : Sun Sep 26 09:37:59 2006 - Sun Feb 03 23:59:00 2036
}}}
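The listing above is only useful if someone actually compares it across servers. The following is an added example, not part of this page or of SDIDIAG, that parses "lk" output and flags the two things a defender cares about: a key shorter than the 168 bits Universal Password needs, and a Key Id that is not shared by every key server (a sign the domain key is inconsistent). The server names, tree name and hex Key Ids in the sample are constructed.

```python
# Constructed sample of SDIDIAG "lk" output (not a real capture); the parser only
# reads "Field : value" lines, so the "Displaying keys on ..." lines are omitted.
SAMPLE_LK = """\
Displaying keys in domain W0, object .W0.KAP.Security.EXAMPLE.
Server : .server2.srv.EXAMPLE.TREE.
SDKey : 1
Key Size : 168 bits
Key Id : A1 B2 C3 D4 E5 F6 07 18 29 3A 4B 5C 6D 7E 8F 90
Server : .server3.srv.EXAMPLE.TREE.
SDKey : 1
Key Size : 168 bits
Key Id : A1 B2 C3 D4 E5 F6 07 18 29 3A 4B 5C 6D 7E 8F 90
Server : .server4.srv.EXAMPLE.TREE.
SDKey : 1
Key Size : 128 bits
Key Id : 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
"""

def parse_lk(text):
    """Return {server_dn: {"sdkey", "size", "key_id"}} from SDIDIAG lk output.
    Assumes one key per server, as in the listings on this page."""
    servers, cur = {}, None
    for line in text.splitlines():
        field, _, value = (p.strip() for p in line.partition(":"))
        if field == "Server":
            cur = servers.setdefault(value, {})
        elif cur is None:
            continue                      # header lines before the first server
        elif field == "SDKey":
            cur["sdkey"] = int(value)
        elif field == "Key Size":
            cur["size"] = int(value.split()[0])   # "168 bits" -> 168
        elif field == "Key Id":
            cur["key_id"] = value.replace(" ", "").upper()
    return servers

def check_domain(servers, min_bits=168):
    """Findings: keys below min_bits (Universal Password needs 168) and Key Ids
    not held by every SDI key server (every key server should hold the same key)."""
    findings, holders = [], {}
    for srv, k in servers.items():
        if k.get("size", 0) < min_bits:
            findings.append(f"{srv}: SDKey {k.get('sdkey')} is {k.get('size')} bits, below {min_bits}")
        holders.setdefault(k.get("key_id"), []).append(srv)
    if len(holders) > 1:                  # more than one distinct key in the domain
        for key_id, srvs in holders.items():
            findings.append(f"Key Id {str(key_id)[:8]}... held only by {sorted(srvs)}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_domain(parse_lk(SAMPLE_LK))))
```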
!! From [LDAP]
You can see the [NDSPKISDKeyList] and the [NDSPKISDKeyServerDN] in the O=Security container in the [EDirectory] tree. Look for [Key server]
* CN=W0.CN=KAP.CN=Security ([3DES] [Key])
* CN=W1.CN=KAP.CN=Security ([AES] 256-bit [Key])
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]