At a shell, type the following and then restart NDSD: ndsconfig set n4u.server.fips_tls=0
This updates the corresponding line in the /etc/opt/novell/eDirectory/conf/nds.conf file.
This should allow Universal Passwords (UP) wrapped with the 56-bit DES tree key to be changed using the usual methods.
Solution:
In a mixed tree, make sure there is at least one 9.x server in the tree at a minimum version of 9.2.2. A new tree key will be created on an 8.8 SP8 server. Lastly, a new 3DES key will be created for each user on the 9.2.2 server; it will be used to re-wrap all of their secrets. The steps are below. If all servers are at version 9.x, just enable the AES tree key as described in the Admin Guide.
1. Disable FIPS as shown above.
2. Generate a new tree key. Download and install Sdidiag from the 8.8 SP8 patches download site.
NOTE:
- To generate a new 3DES tree key an 8.8 SP8 server holding a copy of root must be used. If it does not hold root the server must have write rights to the W0 object for both entry and all attributes.
When installed:
type sdidiag -g at the command line, or start sdidiag and type SD -G at the utility's own prompt, then quit to exit.
(NOTE: use only one of these methods and enter no other commands. DO NOT revoke any keys already present.)
3. Synchronize the new key to ALL servers in the tree. There are three ways to achieve this:
a. Restart niciext as shown above on each server in the tree.
b. Restart NDSD or dhost on every server.
c. Enter the sdidiag utility, type SD, then quit out of it.
4. Re-encrypt the users' keys and passwords using diagpwd.
The eDirectory 9.2.2 installation lays down but does not install <path to installation>/eDirectory/setup/novell-nmas-ldap-ext-client-9.2.1-0.x86_64.rpm. Install this rpm, then run the utility against a user container or against all users in the tree.
The syntax is: diagpwd LDAP_SERVER_ADDR TLS_PORT CA_CERT_FILE SEARCH_BASE SEARCH_SCOPE BIND_DN [BIND_PWD] -t
Example: diagpwd 192.168.1.1 636 /var/opt/novell/eDirectory/data/SSCert.pem ou=users,o=netiq sub cn=admin,o=netiq -t
This will log in as admin.netiq and re-encrypt the passwords and secrets with the new key for all users under the organizational unit ou=users,o=netiq and all containers under it.
5. Turn FIPS mode back on and restart NDSD or dhost.
Password and driver password changes should now be working with the new 3DES or AES keys and their wrapped passwords.
(NOTE: re-encrypting a user's password will result in an IDM password change so modify the drivers accordingly.)
NOTE: If a user has a policy and UP is disabled, the new SCRAM method must be used. More information is in the Admin Guide. If this method is not installed and in the policy, the following will be seen when running diagpwd on the user.
ERROR: -16049
Failed to retrieve data in login config with tag: ChallengeResponseQuestions
ERROR: -16060
Failed to decrypt password history value
ERROR: -16060
Failed check password for CN=ATS004.OU=Users.OU=Internal.O=UMB
-16049
0xFFFFC14F NMAS_E_ENTRY_ATTRIBUTE_NOT_FOUND The requested attribute does not exist on the specified object.
-16060
0xFFFFC144 NMAS_E_CRYPTO_FAILURE If you upgrade your eDirectory server to 9.2 from any previous version and the tree has any users with Universal Password encrypted with DES tree key, then for such users login or password change might fail with this error.
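The following shell helpers are an added example, not part of this TID or of the eDirectory tools: they verify the fips_tls state in nds.conf before step 1 and after step 5 (and show what ndsconfig rewrites), assemble the diagpwd command line in the argument order documented above, and parse diagpwd output for the users whose password check failed, so the SCRAM follow-up from the note above can be scoped to exactly those accounts. The nds.conf path, the diagpwd syntax and the error line shapes come from the article; the function names, the sample DN and the sample transcript are constructed.

```shell
#!/bin/sh
# Added helper script (not from the TID) around the re-keying procedure.
# Assumed: the nds.conf path and diagpwd argument order are as quoted in the
# article; the "ERROR: <code>" / "Failed check password for <DN>" output
# shape is as shown above. Function names and sample data are constructed.

# Print the current n4u.server.fips_tls value from an nds.conf file
# ("unset" when the line is absent) so FIPS state can be verified before
# step 1 and after step 5.
fips_tls_state() {
    conf="$1"
    val=$(sed -n 's/^[[:space:]]*n4u\.server\.fips_tls=\([0-9]*\).*/\1/p' "$conf" | tail -n 1)
    printf '%s\n' "${val:-unset}"
}

# Rewrite (or append) the fips_tls line in a conf file. This is what
# "ndsconfig set n4u.server.fips_tls=<v>" does on a live server; use
# ndsconfig there and this only on a scratch copy.
set_fips_tls_line() {
    conf="$1"; v="$2"
    if grep -q '^[[:space:]]*n4u\.server\.fips_tls=' "$conf"; then
        sed "s/^\([[:space:]]*n4u\.server\.fips_tls=\).*/\1$v/" "$conf" > "$conf.tmp"
    else
        { cat "$conf"; printf 'n4u.server.fips_tls=%s\n' "$v"; } > "$conf.tmp"
    fi
    mv "$conf.tmp" "$conf"
}

# Assemble the diagpwd command line in the documented argument order,
# rejecting a bad SEARCH_SCOPE before anything binds to the directory.
diagpwd_cmd() {
    host="$1"; port="$2"; cacert="$3"; base="$4"; scope="$5"; binddn="$6"
    case "$scope" in
        base|one|sub) ;;
        *) echo "invalid SEARCH_SCOPE '$scope' (expected base, one or sub)" >&2; return 1 ;;
    esac
    printf 'diagpwd %s %s %s %s %s %s -t\n' "$host" "$port" "$cacert" "$base" "$scope" "$binddn"
}

# Read diagpwd output on stdin and print "<last error code> <DN>" for each
# user whose password check failed, giving the list to follow up under
# the SCRAM note above.
diagpwd_failures() {
    awk '
        /^ERROR: -[0-9]+/ { code = $2 }
        /^Failed check password for / {
            sub(/^Failed check password for /, "")
            print code " " $0
        }
    '
}

# Stand-alone demo on constructed data: a scratch nds.conf and a diagpwd
# transcript modelled on the errors quoted in the article (the DN is made up).
demo() {
    scratch=$(mktemp)
    printf 'n4u.server.fips_tls=1\n' > "$scratch"
    echo "fips_tls before: $(fips_tls_state "$scratch")"
    set_fips_tls_line "$scratch" 0
    echo "fips_tls after:  $(fips_tls_state "$scratch")"
    rm -f "$scratch"

    echo "step 4 command:"
    diagpwd_cmd 192.168.1.1 636 /var/opt/novell/eDirectory/data/SSCert.pem \
        ou=users,o=netiq sub cn=admin,o=netiq

    echo "users needing SCRAM follow-up:"
    diagpwd_failures <<'EOF'
ERROR: -16049
Failed to retrieve data in login config with tag: ChallengeResponseQuestions
ERROR: -16060
Failed to decrypt password history value
ERROR: -16060
Failed check password for CN=user1.OU=Users.O=example
EOF
}

demo
```

Run the diagpwd step once per container, pipe its output through diagpwd_failures, and keep the resulting DN list with the change record; a second pass after the SCRAM method has been added to the policy should produce an empty list.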
NOTE2: In some cases a customer may be on a pure 9.x environment and want to upgrade to a 3DES key. eDirectory 9.x's sdidiag will only generate AES tree keys. However, there are two manual workarounds:
Option 1: Install an eDirectory 8.8 SP8 server into the tree, give it a copy of root and use sdidiag from there to generate the key.
Option 2: Force a server holding root to think there are no tree keys.
a. On every server holding a copy of root perform: ndstrace -c "unload niciext"
b. On one of these servers, move the /var/opt/novell/nici/0/nicisdi.key and /var/opt/novell/nici/0/backup to a safe place.
c. On that same server, remove all of its rights to the W0 object.
d. Have two shells open: one to run ndstrace with the +nici flag, and another to reload niciext on that same server: ndstrace -c "load niciext".
You should see in the shell running ndstrace that no tree key is found and a new 3DES key is created. Give the server RW and all attribute rights to the W0 object, then unload and reload niciext once again. Now load niciext on the other servers holding root. At this point the old 56-bit key and the new 3DES key will be synced across the servers.