!!! Overview
[{$pagename}] ([SDI]) and [NICI] are tightly related.

[NICISDI] stands for [NICI] [{$pagename}]. The [NICISDI] module is responsible for managing [Keys], where a [Security Domain] is typically defined as the [eDirectory Tree]. 

When [eDirectory] is installed a few special security objects are created.  

First, the [Key Access Partition] ([KAP]) container is created underneath the Security Container. Inside the [KAP] container, the [WX Entries] object (in practice W0) is created. Together the [KAP] and [WX Entries] represent the [NICI Security Domain] for the [eDirectory Tree]. One server, or a list of servers, is assigned as [Key server]; a [Key server]'s job is to hand the [SDI Key] (also called the [TreeKey]) to the other servers in the [eDirectory Tree]. Any [NcpServer] can be configured as a [Key server], so an [eDirectory Tree] may have several [Security Domain] servers ([Key server]s).

!! [NICISDI Keys] types
The [Security Domain Key|SDI Key] is created when the first [NcpServer] in a tree is installed. If a server is installed into an existing [eDirectory Tree] that already has a [Security Domain Infrastructure], the server instead retrieves the [SDI Key] during installation from one of the [Key server]s listed on the [WX Entries] object.

A [SDI Key] is a key that every server in the [EDirectory Tree] must hold.

!! The [Key Access Partition] and [WX Entries] 
The [Key Access Partition] and [WX Entries] don't hold a copy of the actual [SDI Key]. The [WX Entries] object simply holds the [Distinguished Name]s of the [ncpServer](s) in the tree ([NDSPKISDKeyServerDN]) that can distribute the [SDI Key] to other [ncpServers].

The actual [SDI Key] is [encrypted|Encryption] and stored on the [File System] of each [ncpServer] in [NICISDI].KEY, one of the [NICI Configuration Files]. Note: the [NICISDI].KEY file is wrapped with the [ncpServer]'s own server-specific [Keys], so it can only be unwrapped on the server that wrote it. Never copy or restore a [NICISDI].KEY file from one [ncpServer] to another; the [Keys] are specific to each [ncpServer], and the correct way to give a server the tree key is to let it retrieve the key from a [Key server].

The main reason why the [SDI Key] [MUST] be the same on all [ncpServer] in a [EDirectory Tree] is because these [keys] are used to [encrypt]/decrypt the following things:
* [Universal Password]
* Users secrets stored in [SecretStore]
* [Data] stored by [NMAS] to allow users to [authenticate]
* Users [Private Keys] created by the [Novell Certificate Server]

%%warning
It is imperative that all [NcpServer]s in the same [EDirectory Tree] hold the same [SDI Key]. A tree can have more than one [TreeKey]; whether you have 20 [TreeKeys] or one [TreeKey], every [ncpServer] in the tree needs a copy of every [SDI Key]. See [NICISDI Tree Key Provider Fault Tolerance|NICISDITreeKeyProviderFaultTolerance] for keeping the key providers available.
%%

! [{$pagename}] [NICIEXT] Modules
[NICISDI] is the module that manages the [SDI Key]s, where a [NICI Security Domain] is defined as an entire [EDirectory Tree]. Depending on the [Operating System], it is provided by one of the following modules:
* On [NetWare] - [NICISDI].NLM (nicisdi.nlm)
* On Windows - [NICIEXT].DLM
* On Unix - libniciext.so

Regardless of the operating system, each server in a [{$pagename}] keeps a [NICISDI].KEY file on its local [File System].
The [NICISDI].KEY file contains the [encrypted] [SDI Key]s held by that server.

This file is stored, depending on the [Operating System], in the following [File System] locations:
* On [NetWare] - SYS:\SYSTEM\NICI\[NICISDI].KEY
* On [Microsoft Windows] - %SystemRoot%\System32\Novell\NICI\[NICISDI].KEY
* On [Linux]/[Unix] - /var/novell/nici/0/[NICISDI].KEY

!! Novell Support
Consult Novell support before making changes to the [Security Domain Infrastructure]; the following references cover diagnosis and repair:
* [Troubleshooting SDIDIAG and NICI Problems|http://www.novell.com/coolsolutions/tip/19110.html|target='_blank']
* [Using SDIDiag to gather specific SDKey information from servers|http://www.novell.com/support/viewContent.do?externalId=3455150|target='_blank']
* [Verifying and Resolving Tree Key Inconsistencies with SDIDIAG|http://www.novell.com/support/viewContent.do?externalId=3092072|target='_blank']

!! [Security Domain Infrastructure], how do they sync?
The ['NDSPKI:SD Key Server DN'|NICITreeKeyProvider] [Attribute] on the [WX Entries] object is a multi-valued attribute that contains the list of [Security Domain Infrastructure] servers ([Key server]s) in the tree. There [MUST] be at least one server in this list.

When a server boots, or when [NICISDI], [NICIEXT], or libniciext.so is loaded, the ['NDSPKI:SD Key Server DN'|NICITreeKeyProvider] attribute is read. The module then connects to each server in the list and requests any [SDI Key] it does not yet hold.

__NOTE:__ Only retrieval of new [SDI Key]s and [Key Revocation] happen automatically on each load of [NICISDI]; during this process the existing keys are also checked for [Key Revocation].

__NOTE:__ Deletion of a [SDI Key] is NOT automatic; a key deleted on one server stays on every other server until it is removed there as well.

!! [Example]
The first [NcpServer] was installed on Server1 and a tree called MyTree was created. The [KAP] and W0 objects were created during the install, and the W0 object records who the [Key server] is in its [NDSPKI:SD Key Server DN|NICITreeKeyProvider] [attribute]. Since Server1 is the first server in the tree, Server1 is listed there as the [Key server].

When the second server (Server2) is installed into the tree, it reads that attribute and asks Server1 to send the [SDI Key]. Afterwards Server1 and Server2 each hold a copy of the same [SDI Key] (or [TreeKey]), each wrapped in its own [NICISDI].KEY on its own [File System].

!! [NICI SDI Tree Key Provider Fault Tolerance|NICISDITreeKeyProviderFaultTolerance]
You can provide [NICI SDI Tree Key Provider Fault Tolerance|NICISDITreeKeyProviderFaultTolerance] by listing more than one [Key server] in the ['NDSPKI:SD Key Server DN'|NICITreeKeyProvider] attribute, so that a server can still retrieve new [SDI Key]s when one of the [Key server]s is down.
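The check below is an added example for this page (not Novell/NetIQ code) covering the two points above: the ['NDSPKI:SD Key Server DN'|NICITreeKeyProvider] list on W0 must name at least one existing [ncpServer], and a single entry gives no fault tolerance. It parses a constructed LDIF export of cn=W0,cn=KAP,cn=Security and the tree's ncpServer objects, as `ldapsearch -LLL` would print them. The LDAP attribute spelling `ndspkiSDKeyServerDN` used in the sample is an assumption (the NDS name on this page is 'NDSPKI:SD Key Server DN'); the server DNs and the o=acme container are constructed.

```python
"""Check the NICI SDI key-server list on W0 against the tree's ncpServers.

Added example, not Novell/NetIQ code. Reports: no usable key server, a listed
key server that is no longer an ncpServer in the tree (stale entry), and a
single key server (no tree key provider fault tolerance).
"""
from collections import defaultdict

W0_DN = "cn=w0,cn=kap,cn=security"
KEY_SERVER_ATTR = "ndspkisdkeyserverdn"   # ASSUMED LDAP name of NDSPKI:SD Key Server DN

# Constructed sample: Server1 is the only live key server, OldServer was once a
# key server but has been removed from the tree, Server2/Server3 are plain NCP servers.
SAMPLE_LDIF = """\
dn: cn=W0,cn=KAP,cn=Security
cn: W0
ndspkiSDKeyServerDN: cn=Server1,o=acme
ndspkiSDKeyServerDN: cn=OldServer,o=acme

dn: cn=Server1,o=acme
objectClass: ncpServer
cn: Server1

dn: cn=Server2,o=acme
objectClass: ncpServer
cn: Server2

dn: cn=Server3,o=acme
objectClass: ncpServer
cn: Server3
"""


def parse_ldif(text):
    """Return {dn: {attr: [values]}} with DNs and attribute names lower-cased.

    Handles comment lines and folded continuation lines; base64 (::) values are
    kept raw because none of the attributes needed here use them.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]            # RFC 2849 line folding
        else:
            unfolded.append(raw)
    entries, attrs = {}, defaultdict(list)
    for line in unfolded + [""]:              # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in attrs:
                entries[attrs["dn"][0].lower()] = dict(attrs)
            attrs = defaultdict(list)
            continue
        name, _, value = line.partition(":")
        attrs[name.strip().lower()].append(value.lstrip(":").strip())
    return entries


def key_servers(entries):
    """DNs listed in NDSPKI:SD Key Server DN on W0 (empty if W0 or the attribute is missing)."""
    return [v.lower() for v in entries.get(W0_DN, {}).get(KEY_SERVER_ATTR, [])]


def ncp_servers(entries):
    return [dn for dn, a in entries.items()
            if "ncpserver" in (oc.lower() for oc in a.get("objectclass", []))]


def check_key_servers(ldif_text):
    entries = parse_ldif(ldif_text)
    listed = key_servers(entries)
    servers = set(ncp_servers(entries))
    live = [dn for dn in listed if dn in servers]
    stale = [dn for dn in listed if dn not in servers]
    problems = []
    if not live:
        problems.append("no usable key server: W0 must list at least one existing ncpServer")
    for dn in stale:
        problems.append(f"stale key server entry {dn}: not an ncpServer in the tree")
    if len(live) == 1:
        problems.append(f"single key server {live[0]}: no tree key provider fault tolerance")
    return {
        "key_servers": live,
        "stale": stale,
        "candidates": sorted(servers - set(listed)),   # servers that could be added to W0
        "problems": problems,
    }


if __name__ == "__main__":
    report = check_key_servers(SAMPLE_LDIF)
    for line in report["problems"]:
        print("WARN", line)
    print("could add as key servers:", ", ".join(report["candidates"]))
```

Feed it a real export (for example `ldapsearch -LLL -x -H ldaps://host -D <admin DN> -W -b cn=Security` for W0 plus a search for `(objectClass=ncpServer)` over the tree) instead of `SAMPLE_LDIF`; a stale entry is the case to fix first, because a new server whose only listed provider has left the tree will never receive the [SDI Key].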

!! [Security Domain Infrastructure Diagnostic Utility|SDIDIAG]
To obtain [Security Domain Key (SDI Key or Treekey)|NICITreeKeyProvider] information from specific servers, or to verify that all servers in the tree hold the same [SDI Key]s, use [SDIDIAG].
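The model below is an added example, not NICI or SDIDIAG code. It covers the sync rules stated in the "how do they sync?" section (on load a server pulls keys it lacks from every listed [Key server] and picks up revocation state, but never deletes) and the inconsistency that [SDIDIAG] is used to find: a tree key that some servers hold and others do not. Key ids such as K1 and K2 are constructed labels; real keys stay wrapped inside each server's [NICISDI].KEY and never appear here.

```python
"""Model of NICISDI tree-key sync plus an SDIDIAG-style consistency check.

Added example, not NICI or SDIDIAG code. Server names and key ids are
constructed; the rules are the ones the page states for the sync.
"""
from dataclasses import dataclass, field


@dataclass
class Server:
    name: str
    keys: dict = field(default_factory=dict)   # key id -> "active" | "revoked"


def sync_from_key_servers(server, key_servers):
    """One NICISDI load on `server`: retrieve new keys and revocation flags."""
    for ks in key_servers:
        for key_id, state in ks.keys.items():
            if key_id not in server.keys:
                server.keys[key_id] = state           # new tree key retrieved
            elif state == "revoked":
                server.keys[key_id] = "revoked"       # revocation propagated
    # Keys that disappeared from a key server are deliberately NOT removed:
    # deletion of an SDI key is a manual step, not part of the sync.


def consistency_report(servers):
    """Which servers lack a key that some other server in the tree holds."""
    all_keys = set().union(*(set(s.keys) for s in servers))
    gaps = {s.name: sorted(all_keys - set(s.keys)) for s in servers}
    return {name: missing for name, missing in gaps.items() if missing}


def scenario():
    """Walk the page's example tree through install, re-key, revoke and delete."""
    server1 = Server("Server1", {"K1": "active"})   # first server: creates the tree key
    server2, server3 = Server("Server2"), Server("Server3")

    sync_from_key_servers(server2, [server1])       # Server2 install pulls K1
    server1.keys["K2"] = "active"                   # new tree key created on the key server
    server1.keys["K1"] = "revoked"                  # and the old one revoked
    sync_from_key_servers(server2, [server1])       # Server2 gets K2, learns K1 is revoked

    before = consistency_report([server1, server2, server3])   # Server3 has never synced
    sync_from_key_servers(server3, [server1, server2])         # W0 lists both: fault tolerant
    after = consistency_report([server1, server2, server3])

    del server1.keys["K1"]                          # admin deletes K1 on the key server only
    sync_from_key_servers(server2, [server1])       # sync does not propagate the deletion
    after_delete = consistency_report([server1, server2, server3])
    return before, after, after_delete


if __name__ == "__main__":
    for label, report in zip(("before", "after", "after_delete"), scenario()):
        print(f"{label}: {report or 'consistent'}")
```

The third report is the situation the warning above is about: removing a key on one server, even a revoked one, leaves that server inconsistent with the rest of the tree until the key is removed everywhere, and no amount of reloading [NICISDI] will repair it.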

We also have compiled some examples of using [SDIDIAG Switches]

!! [NICISDI] and [SASDFM] modules
The [NICISDI] module manages the [TreeKeys]. [SASDFM] manages [Session Keys] between two hosts, typically between a [client] and a [server]; those session keys are separate from the tree key.

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]