!!! Overview
[{$pagename}] as used for [eDirectory] are a special kind of [NICI] [SDI Key] and are available to all [servers|NcpServer] in the [NDS Tree-name]. When multiple servers need access to the same encrypted data, eDirectory uses the Tree keys, in conjunction with eDirectory rights, to provide access while still keeping the data secure. In all [EDirectory Versions] prior to [EDirectory 9.0.0.0 (40002.79)], a single [Security Domain Infrastructure] consisting of the whole tree has been established, and the associated key is referred to as the [{$pagename}] or sometimes the "W0" key (as the [SDI Key] object used to manage this key is CN=W0.CN=KAP.CN=Security). This key is a [3DES] [SDI Key], and all the servers in an eDirectory tree have the rights to acquire this key. This key will continue to be available.

!! [NICI 3.0]
Beginning in [EDirectory 9.0.0.0 (40002.79)] with [NICI 3.0], there are now two [{$pagename}] objects: CN=W0.CN=KAP.CN=Security, which manages the older [3DES] [{$pagename}] (or the W0 key), and CN=W1.CN=KAP.CN=Security, which manages the new [AES 256-bit|AES-256] [{$pagename}] (or the W1 key). The new [AES] 256-[bit] [{$pagename}] requires that all servers in the tree be upgraded to [EDirectory 9.0.0.0 (40002.79)] __before__ enabling this [key]. Although [EDirectory 9.0.0.0 (40002.79)] will automatically create this [SDI Key] object, it will not assign a [Key server], and the key will not get created by default. An administrator will need to assign a [Key server] to the [SDI Key] object, after confirming that all servers in the tree have been upgraded to [EDirectory 9.0.0.0 (40002.79)], in order to enable the new [AES 256-bit|AES-256] [{$pagename}]. Although any server can be configured as a [Key server] for the [{$pagename}], it is recommended that only servers holding a [ReadWrite] [replica] of the [SDI Key] objects be assigned. It is recommended that the first Key server assigned be the Master replica (for example, the server holding the Master replica of the object CN=W1.CN=KAP.CN=Security).

[NICISDI] supports having multiple [Key servers] for any [SDI Key], and it is recommended that multiple Key servers be assigned. In [NICI 3.0], once a [Key server] has been assigned to the [{$pagename}] objects, the new Health-Check feature will automatically add servers holding a writable [replica|Edirectory Replicas] of the [SDI Key] object. The idea here is that [NICI] [SDI] will automatically mirror the [Key servers] to your [Edirectory Replicas].

Various services rely on the availability of [{$pagename}], including but not limited to [SecretStore]/[Single Sign-On], [PKI] [Novell Certificate Server], and [NMAS].

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]