!!! Overview

!! Importance of The [Security Domain Infrastructure] 
[NICI] and [PKI] are often overlooked because they are not always in active use. However, [NICI] has become critical to [Universal Password] and to the [encryption] features introduced in eDirectory 8.7.1 and later, and problems with [NICI] can lead to permanent [Data loss]. [PKI|Public Key Infrastructure] problems such as the loss of the tree [Certificate Authority] are easier to recover from, but the recovery can involve a lot of work because it can touch every server in the tree.


The first server in a tree (8.7x) plays two special roles, one for [NICI] and one for [PKI], that are related but separate:
* [{$pagename}] (NICI based) 
* Tree [Certificate Authority] (PKI based) 
In both cases, make sure the customer updates the server build and disaster recovery procedures so that they record whether a "lost server" was the tree [Certificate Authority], the [NICI] tree key provider, or both.

!! [NICI] Directory Objects 
In the directory, the W0 object in the Security.[KAP] container off the tree root carries the attributes used to manage security domain keys. They are described below:

! [NDSPKISDKeyServerDN] 
This multi-valued attribute lists the [Security Domain Infrastructure] key servers for the [NDS Tree-name]; it must contain at least one server. NICI 2.0.1 and newer, as shipped with NetWare 6 and later, use this attribute. Listing more than one key server provides [NICISDI Tree Key Provider Fault Tolerance].

[NICISDI|Security Domain Infrastructure] or [NICIEXT] reads this attribute each time it loads (typically at server boot), connects to every server in the list and requests any new [Security Domain Infrastructure] [keys] from it. Existing security domain keys are also checked for [Key Revocation].

Note what this synchronization does and does not do:
* it only retrieves new keys from the listed servers; it never creates them
* it checks existing security domain keys for revocation
* both happen on every load of NICISDI or NICIEXT, and periodically if a NICISDI sync period is configured
* it never deletes a security domain key; deletion is NOT automatic

For an [EDirectory Tree Merge], add the merged tree's [SDI Key] server to this list after the trees are merged, then reboot every server in the tree unless periodic synchronization is enabled. The final list must contain the [SDI Key] servers of all the merged trees. We strongly recommend [NICI] [version] 2.0.1 or newer on all servers.
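The two checks a practitioner wants here are "does the W0 key server list still point at servers that exist, and is there more than one" (the attribute description above) and "what has to be added to the list after a tree merge" (the merge step above). The script below is an added example for this page, not Novell/NetIQ code. The LDAP names it uses are assumptions, since the page only gives the NDS names: NDSPKI:SD Key Server DN is taken to be ndspkiSDKeyServerDN and the W0 object to be cn=W0,cn=KAP,cn=Security. The LDIF snippets are constructed sample data shaped like the output of `ldapsearch -b "cn=W0,cn=KAP,cn=Security" -s base ndspkiSDKeyServerDN` from each tree before the merge.

```python
"""Check the SDI key server list on the W0 object and build the LDIF modify
needed after an eDirectory tree merge.

Added example for this page, not Novell/NetIQ code.  LDAP names are
assumptions: NDSPKI:SD Key Server DN -> ndspkiSDKeyServerDN, and the W0
object -> cn=W0,cn=KAP,cn=Security.  LDIF input below is constructed.
"""
from typing import Dict, Iterable, List

W0_DN = "cn=W0,cn=KAP,cn=Security"      # assumed LDAP DN of Security.KAP.W0
ATTR = "ndspkiSDKeyServerDN"            # assumed LDAP name of NDSPKI:SD Key Server DN

# Constructed sample: the surviving tree (one key server) ...
TREE_A_LDIF = """\
dn: cn=W0,cn=KAP,cn=Security
ndspkiSDKeyServerDN: cn=SRV1,ou=Servers,o=TreeA
"""
# ... and the tree being merged into it (two key servers).
TREE_B_LDIF = """\
dn: cn=W0,cn=KAP,cn=Security
ndspkiSDKeyServerDN: cn=SRV9,ou=Servers,o=TreeB
ndspkiSDKeyServerDN: cn=SRV10,ou=Servers,o=TreeB
"""


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Read one LDIF entry into {attribute: [values]}.

    Only plain 'attr: value' lines are handled (no base64 '::' values, no
    continuation lines), which is all an SD key server listing contains.
    """
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def key_servers(entry: Dict[str, List[str]]) -> List[str]:
    """The SDI key server DNs listed on W0 (empty list if the attribute is absent)."""
    return list(entry.get(ATTR, []))


def check_key_server_list(entry: Dict[str, List[str]],
                          servers_in_tree: Iterable[str]) -> List[str]:
    """Return the problems found with the key server list; empty if healthy.

    servers_in_tree is the list of NCP Server DNs that actually exist.
    DN comparison is case-insensitive, as in eDirectory.
    """
    present = {dn.lower() for dn in servers_in_tree}
    listed = key_servers(entry)
    problems = []
    if not listed:
        problems.append(f"{ATTR} on {W0_DN} is empty: no server can hand out new SDI keys")
    for dn in listed:
        if dn.lower() not in present:
            problems.append(f"listed SDI key server {dn} no longer exists in the tree")
    if len(listed) == 1:
        problems.append("only one SDI key server listed: no tree key provider fault tolerance")
    return problems


def merge_modify_ldif(surviving: Dict[str, List[str]],
                      merged: Dict[str, List[str]]) -> str:
    """LDIF 'changetype: modify' that adds the merged tree's key servers which
    the surviving tree's W0 does not already list.  Empty string if nothing
    needs adding.  Apply with: ldapmodify -D <admin DN> -W -f merge.ldif
    """
    have = {dn.lower() for dn in key_servers(surviving)}
    to_add = [dn for dn in key_servers(merged) if dn.lower() not in have]
    if not to_add:
        return ""
    lines = [f"dn: {W0_DN}", "changetype: modify", f"add: {ATTR}"]
    lines += [f"{ATTR}: {dn}" for dn in to_add]
    lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    a, b = parse_ldif(TREE_A_LDIF), parse_ldif(TREE_B_LDIF)
    for problem in check_key_server_list(a, ["cn=SRV1,ou=Servers,o=TreeA"]):
        print("WARN:", problem)
    print(merge_modify_ldif(a, b) or "nothing to add")
    print("Reboot every server in the tree unless a NICISDI sync period is configured.")
```

The generated LDIF only ever adds values; it never removes the surviving tree's own key server, which matches the rule above that the final list must hold the key servers of every merged tree. The single-server warning is deliberate: a tree whose list names exactly one server is the "lost server" scenario from the overview waiting to happen.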


!! More Information 
There might be more information for this subject on one of the following: 
[{ReferringPagesPlugin before='*' after='\n' }]