NICI SDI Tree Key Provider Fault-tolerance #
An easy way to add fault tolerance to NICI is to designate more than one server as the NICITreeKeyProvider (more precisely, a "Security Domain Infrastructure Key Server") for the tree. With more than one SDI Key Server you eliminate a single point of failure for NICI and for anything that relies on the tree SDI Key, such as Universal Password and SecretStore. Bear in mind that every SDI Key Server holds a copy of the tree key, so each one is a full-trust component: a server you would not trust with every Universal Password in the tree should not be made an SDI Key Server.
You can, and probably should, use SDIDIAG to add NICI servers to the Security Domain Infrastructure.
List the existing keys #
To list the existing keys:
SDIDIAG> lk
Displaying keys in domain W0, object .W0.KAP.Security.DEV_CORP.
Displaying keys on .server2.srv.WILLEKE.COM.WILLEKETREE.
Server : .server2.srv.WILLEKE.COM.WILLEKETREE.
SDKey : 1
Object Class : Secret Key
Key Size : 168 bits
Key Usage : 0x4400C0
Key Format : DES-EDE3-CBC-IV8
Key Id : 2B 7F BB E6 89 4A F9 B4 2B 2F C3 C9 2E 23 5D 43
Validity : Sun Sep 26 09:37:59 2006 - Sun Feb 03 23:59:00 2036
Add All Writable-Partition NCP Servers as Security Domain Infrastructure Domain Key Servers #
SDIDIAG> AP
*** [Adding SDI Domain Key Servers - BEGIN] ***
Checking Server .server2.srv.WILLEKE.COM.WILLEKETREE.
- Currently an SDI Domain Key Server.
Checking Server .server3.srv.WILLEKE.COM.WILLEKETREE.
- Added as SDI Domain Key Server.
Checking Server .server4.srv.WILLEKE.COM.WILLEKETREE.
- Added as SDI Domain Key Server.
*** [Adding SDI Domain Key Servers - END] ***
Check SDI Keys for Domain Problems #
SDIDIAG> check
*** [Key Consistency Check - BEGIN] ***
[Checking SDI Domain]
SDI Check Domain Configuration...
SDI Domain Key Server .server4.srv.WILLEKE.COM.WILLEKETREE.
- Configuration is good.
SDI Domain Key Server .server3.srv.WILLEKE.COM.WILLEKETREE.
- Configuration is good.
SDI Domain Key Server .server2.srv.WILLEKE.COM.WILLEKETREE.
- Configuration is good.
*** SDI Check Domain Configuration is [GOOD]
SDI Check Domain Keys...
SDI Domain Key Server .server2.srv.WILLEKE.COM.WILLEKETREE.
- Keys are good.
SDI Domain Key Server .server4.srv.WILLEKE.COM.WILLEKETREE.
- Keys are good.
SDI Domain Key Server .server3.srv.WILLEKE.COM.WILLEKETREE.
- Keys are good.
*** SDI Check Domain Keys are [GOOD]
[Checking SDI Domain: GOOD]
*** No Problems Found ***
*** [Key Consistency Check - END] ***
SDIDIAG>
NOTE: The "Key Size" must be at least 168 bits for Universal Password to operate.
Listing the keys again now shows the same SDKey (identical Key Id, size, format and validity) held by all three servers:
SDIDIAG> lk
Displaying keys in domain W0, object .W0.KAP.Security.DEV_CORP.
Displaying keys on .server4.srv.WILLEKE.COM.WILLEKETREE.
Server : .server4.srv.WILLEKE.COM.WILLEKETREE.
SDKey : 1
Object Class : Secret Key
Key Size : 168 bits
Key Usage : 0x4400C0
Key Format : DES-EDE3-CBC-IV8
Key Id : 2B 7F BB E6 89 4A F9 B4 2B 2F C3 C9 2E 23 5D 43
Validity : Sun Sep 26 09:37:59 2006 - Sun Feb 03 23:59:00 2036
Displaying keys on .server3.srv.WILLEKE.COM.WILLEKETREE.
Server : .server3.srv.WILLEKE.COM.WILLEKETREE.
SDKey : 1
Object Class : Secret Key
Key Size : 168 bits
Key Usage : 0x4400C0
Key Format : DES-EDE3-CBC-IV8
Key Id : 2B 7F BB E6 89 4A F9 B4 2B 2F C3 C9 2E 23 5D 43
Validity : Sun Sep 26 09:37:59 2006 - Sun Feb 03 23:59:00 2036
Displaying keys on .server2.srv.WILLEKE.COM.WILLEKETREE.
Server : .server2.srv.WILLEKE.COM.WILLEKETREE.
SDKey : 1
Object Class : Secret Key
Key Size : 168 bits
Key Usage : 0x4400C0
Key Format : DES-EDE3-CBC-IV8
Key Id : 2B 7F BB E6 89 4A F9 B4 2B 2F C3 C9 2E 23 5D 43
Validity : Sun Sep 26 09:37:59 2006 - Sun Feb 03 23:59:00 2036
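The consistency that SDIDIAG's check command verifies can also be checked offline against saved lk output, which is useful if you capture it periodically and want to spot a key server drifting from the rest. The following Python script is an added example, not code from this page or from the SDIDIAG tool; it assumes only the lk output format shown above. Its sample input is constructed from that output, with server3's Key Id deliberately altered so the mismatch branch has something to find.

```python
import re
from datetime import datetime

MIN_KEY_BITS = 168  # the page's stated minimum for Universal Password

# Constructed sample in the format of SDIDIAG's "lk" output shown on this page.
# server3's Key Id is deliberately altered so the mismatch check has something to find.
SAMPLE_LK = """\
Displaying keys in domain W0, object .W0.KAP.Security.DEV_CORP.
Displaying keys on .server4.srv.WILLEKE.COM.WILLEKETREE.
Server : .server4.srv.WILLEKE.COM.WILLEKETREE.
SDKey : 1
Object Class : Secret Key
Key Size : 168 bits
Key Usage : 0x4400C0
Key Format : DES-EDE3-CBC-IV8
Key Id : 2B 7F BB E6 89 4A F9 B4 2B 2F C3 C9 2E 23 5D 43
Validity : Sun Sep 26 09:37:59 2006 - Sun Feb 03 23:59:00 2036
Displaying keys on .server3.srv.WILLEKE.COM.WILLEKETREE.
Server : .server3.srv.WILLEKE.COM.WILLEKETREE.
SDKey : 1
Object Class : Secret Key
Key Size : 168 bits
Key Usage : 0x4400C0
Key Format : DES-EDE3-CBC-IV8
Key Id : 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
Validity : Sun Sep 26 09:37:59 2006 - Sun Feb 03 23:59:00 2036
Displaying keys on .server2.srv.WILLEKE.COM.WILLEKETREE.
Server : .server2.srv.WILLEKE.COM.WILLEKETREE.
SDKey : 1
Object Class : Secret Key
Key Size : 168 bits
Key Usage : 0x4400C0
Key Format : DES-EDE3-CBC-IV8
Key Id : 2B 7F BB E6 89 4A F9 B4 2B 2F C3 C9 2E 23 5D 43
Validity : Sun Sep 26 09:37:59 2006 - Sun Feb 03 23:59:00 2036
"""

FIELD_RE = re.compile(r"^\s*(Server|SDKey|Key Size|Key Format|Key Id|Validity)\s*:\s*(.+?)\s*$")


def _parse_time(text):
    # "Sun Sep 26 09:37:59 2006": drop the weekday name and parse the rest
    return datetime.strptime(text.split(None, 1)[1], "%b %d %H:%M:%S %Y")


def parse_lk(text):
    """Turn lk output into one dict per (server, SDKey) pair."""
    entries, server, cur = [], None, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # "Displaying keys ...", "Object Class" and "Key Usage" are not needed
        field, value = m.groups()
        if field == "Server":
            server = value
        elif field == "SDKey":
            cur = {"server": server, "sdkey": int(value)}
            entries.append(cur)
        elif field == "Key Size":
            cur["bits"] = int(value.split()[0])
        elif field == "Key Format":
            cur["format"] = value
        elif field == "Key Id":
            cur["key_id"] = value.replace(" ", "").upper()
        elif field == "Validity":
            start, end = value.split(" - ")
            cur["not_before"], cur["not_after"] = _parse_time(start), _parse_time(end)
    return entries


def audit(entries, now=None, min_bits=MIN_KEY_BITS):
    """Return a list of findings; an empty list means the domain looks healthy."""
    if now is None:
        now = datetime.now()
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    findings = []
    servers = {e["server"] for e in entries}
    if len(servers) < 2:
        findings.append("only %d SDI key server(s) listed: single point of failure" % len(servers))
    by_sdkey = {}
    for e in entries:
        by_sdkey.setdefault(e["sdkey"], {}).setdefault(e["key_id"], []).append(e["server"])
    for sdkey, ids in sorted(by_sdkey.items()):
        # every key server must hold the same key material for a given SDKey number
        if len(ids) > 1:
            detail = "; ".join("%s... on %s" % (kid[:8], ", ".join(srvs)) for kid, srvs in ids.items())
            findings.append("SDKey %d Key Id mismatch: %s" % (sdkey, detail))
        fmts = {e["format"] for e in entries if e["sdkey"] == sdkey}
        for fmt in sorted(fmts):
            if fmt.startswith("DES-EDE3"):
                findings.append("SDKey %d uses legacy 3DES format %s" % (sdkey, fmt))
    for e in entries:
        tag = "%s SDKey %d" % (e["server"], e["sdkey"])
        if e["bits"] < min_bits:
            findings.append("%s: key size %d bits is below the %d-bit minimum" % (tag, e["bits"], min_bits))
        if not (e["not_before"] <= now <= e["not_after"]):
            findings.append("%s: key not valid at %s" % (tag, now.isoformat(sep=" ")))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_lk(SAMPLE_LK), "2024-01-01"):
        print(finding)
```

Feed it a real capture instead of SAMPLE_LK and run it after every AP or AS operation; a Key Id that differs on one server, a key outside its validity window, or a drop back to a single key server each shows up as a finding, while the 3DES line is informational and reminds you that the W0 domain key is a legacy algorithm.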
You can see the NDSPKISDKeyList and the NDSPKISDKeyServerDN attributes in the O=Security container of the EDirectory tree. Look for the key server objects:
- CN=W0.CN=KAP.CN=Security (3DES Key)
- CN=W1.CN=KAP.CN=Security (AES 256-bit Key)
Domain W0 is the 168-bit 3DES key shown in the lk output above; W1 is the AES 256-bit key. 3DES is a legacy algorithm (NIST SP 800-131A disallows it for encryption after 2023), so verify the W1 key on every key server as well, not only W0.