How does Novell implement a Security Domain Infrastructure?

  • 3611186
  • 30-May-2007
  • 14-Feb-2017

Environment

Novell eDirectory 8.8 SP7
Novell International Cryptographic Infrastructure (NICI)
Security Domain Infrastructure

Situation

How does Novell implement a Security Domain Infrastructure?

Overview of Security Domain Infrastructure:

When eDirectory is installed, a few special security objects are created. First, the KAP (Key Access Partition) container is created underneath the Security Container. Inside the KAP container, the W0 object is created. The KAP and W0 objects represent the Security Domain for the tree. A server, or a list of servers, is assigned to be the "W0 server". The "W0 server's" job is to hand out the SDI key, or "Treekey", to other servers in the tree. Security Domain servers ("W0 servers") manage the SD key (Treekey). Any server can be configured as a "W0 server", so there can be multiple Security Domain servers ("W0 servers") in a tree.

The Security Domain key (SD key or Treekey) is created when the first server is installed. If the tree already exists and already has a Security Domain Infrastructure, the new server instead retrieves the SD key (Treekey) from the "W0 servers" during the server installation.

An SD key (or Treekey) is a key that is held by each server in the tree. This key is used to encrypt and decrypt information such as users' passwords.

Note: The KAP and W0 objects do not hold a copy of the actual SD key (or Treekey). The KAP object simply holds the DN of a server in the tree that can distribute the SD key (or Treekey) to other servers. The actual SD key (or Treekey) is encrypted and stored on the hard disk of the server in the NICISDI.KEY file. Note: The NICISDI.KEY file is wrapped with each server's own key. Therefore you should never copy or restore the NICISDI.KEY file from one server to another, as these files are server specific.

The main reason why the SD keys (Treekeys) must be the same on all servers in a tree is that these keys are used to encrypt/decrypt the following:
1. Universal Password
2. Users' secrets stored in SecretStore
3. Data stored by NMAS to allow users to authenticate
4. Users' private keys created by the Novell Certificate Server

Note: It is imperative that all servers in the same tree have the same SDI key (or Treekey). There are cases where there can be multiple Treekeys in a tree. Whether you have 20 SDI keys (Treekeys) or 1 SDI key, all servers in the tree need to have all of the keys.

Security Domain Infrastructure Modules:

Depending on the operating system, NICISDI is represented by the following modules:

On NetWare - NICISDI.NLM (nicisdi.nlm)
On Windows - NICIEXT.DLM
On Unix - libniciext.so

NICISDI stands for NICI Security Domain Infrastructure. NICISDI is responsible for managing the SDI key (Treekey), where a domain is defined as a whole eDirectory tree.

In conjunction with NICI, the modules above manage the SDI key (Treekey).

Regardless of the operating system, there is a NICISDI.KEY file located on each server within a Security Domain Infrastructure.
The NICISDI.KEY file contains the encrypted SDI key (Treekey).

This file is stored, depending on the operating system, in the following locations:
On NetWare - SYS:\SYSTEM\NICI\NICISDI.KEY
On Windows - %SystemRoot%\System32\Novell\NICI\NICISDI.KEY
On Unix - /var/novell/nici/0/NICISDI.KEY

To verify that all servers in the tree have the same SDI keys (Treekeys), please see "Using SDIDiag to gather specific SDKey information from servers" - TID# 3455150.


Security Domain Infrastructure, how do they sync?

The 'NDSPKI:SD Key Server DN' attribute is a multi-valued attribute that contains the list of Security Domain servers ("W0 servers") in the tree. There must be at least one server in this list.

When a server boots, or when NICISDI, NICIEXT, or libniciext.so is loaded, the 'NDSPKI:SD Key Server DN' attribute is read. Following this read, NICISDI, NICIEXT, or libniciext connects to each server in the list and requests any new SD key (Treekey) from each of them.

NOTE: Only new key retrieval and key revocation are done automatically on every load of NICISDI. During this process, existing security keys are also checked for revocation.
NOTE: Deletion of an SD key (Treekey) is NOT done automatically.


Example:

The first NetWare 6.5 server, Server1, was installed and a tree called MyTree was created. The KAP and W0 objects were created during the install, and the W0 object lists who the "W0 server" is (the NDSPKI:SD Key Server DN attribute on the W0 object). In this case, since this is the first server in the tree, Server1 would be listed as the "W0 server" via the NDSPKI:SD Key Server DN attribute on the W0 object.

When the second NetWare 6.5 server (Server2) is installed into the tree, Server2 asks Server1 to send the SDI key (Treekey). This way, Server1 and Server2 each hold their own copy of the same SDI key (Treekey). Each server holds a physical copy of a NICISDI.KEY file.
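The load-time sync described above, modelled as an added Python example (this is not Novell code; the server names, key ids and the in-memory stand-in for NICISDI.KEY are constructed). It shows the three behaviours the TID states: new keys are pulled from every listed W0 server, revocations are picked up, and nothing is ever deleted locally, plus an SDIDiag-style check that every server holds every key id in the tree.

```python
# Added example (not Novell's code): model of NICISDI key sync on module load.
# Servers, key ids and attribute contents below are constructed sample data.

W0_ATTR = "NDSPKI:SD Key Server DN"   # multi-valued attribute on the W0 object


class Server:
    def __init__(self, name, keys=None):
        self.name = name
        # Stand-in for the local NICISDI.KEY: {key_id: "active" | "revoked"}
        self.keys = dict(keys or {})


def load_nicisdi(server, w0_object, servers):
    """Model of what NICISDI/NICIEXT/libniciext does when loaded:
    read the W0 object's server list, contact each listed W0 server,
    retrieve any key not held locally and pick up revocations.
    Keys present locally but unknown to the W0 servers are kept
    (deletion is never automatic)."""
    w0_names = w0_object.get(W0_ATTR, [])
    if not w0_names:
        raise ValueError("W0 object must list at least one SD Key server")
    for name in w0_names:
        for key_id, state in servers[name].keys.items():
            if key_id not in server.keys:
                server.keys[key_id] = state          # new key retrieval
            elif state == "revoked":
                server.keys[key_id] = "revoked"      # revocation check
    return server.keys


def sdi_consistency_report(servers):
    """SDIDiag-style check: every server must hold every key id in the tree.
    Returns {server_name: [missing key ids]} for servers that are short."""
    all_ids = set().union(*(s.keys for s in servers.values()))
    return {name: sorted(all_ids - set(s.keys))
            for name, s in servers.items() if all_ids - set(s.keys)}


if __name__ == "__main__":
    tree = {"Server1": Server("Server1", {"TK1": "active"}), "Server2": Server("Server2")}
    w0 = {W0_ATTR: ["Server1"]}           # constructed W0 object
    load_nicisdi(tree["Server2"], w0, tree)
    print(sdi_consistency_report(tree))   # {} once Server2 has pulled TK1
```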


Additional Information

Formerly known as TID# 10083941