16.2 Configuring Suite B on Existing Servers

To enable Suite B on the existing servers in your eDirectory tree, perform the following actions:

  1. Upgrade the server acting as CA to eDirectory 9.0.

    When the CA server is upgraded, it creates a self-signed ECDSA CA certificate. When other servers are upgraded to eDirectory 9.0, the new CA issues ECDSA certificates to these servers.

  2. Upgrade the desired servers in the tree to eDirectory 9.0.

    The upgrade process generates ECDSA certificates for the upgraded servers. You must use these certificates to switch the LDAP and HTTP protocol stack interfaces to Suite B mode. For more information, see Configuring LDAP and HTTP Services to Use ECDSA Certificates and Suite B Ciphers.

  3. Create an AES 256-bit SDI key. For more information, see Creating an AES 256-Bit SDI Key.

  4. Re-encrypt the data with the AES 256-bit NICI SDI key. For more information, see Creating an AES 256-Bit SDI Key.

  5. Configure background authentication. For more information, see Enabling Enhanced Background Authentication.

Figure 16-2 shows the sequence of tasks for enabling Suite B when you upgrade eDirectory.

Figure 16-2 Enabling Suite B When eDirectory is Upgraded
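
A check you can run after step 2, as an added example that is not part of the eDirectory documentation: the function reports whether a PEM certificate has an ECDSA key on P-256 or P-384 and an ECDSA signature with SHA-256 or SHA-384, the algorithms the Suite B certificate profile (RFC 5759) allows. The function names, file paths and the constructed sample certificate are assumptions; the page does not state which curve eDirectory selects, so both are accepted.

```shell
#!/bin/sh
# Added example, not eDirectory code. Requires the openssl command-line tool.
# To check a live server, export its certificate first, for example:
#   openssl s_client -connect HOST:636 </dev/null 2>/dev/null | openssl x509 > server.pem
# (HOST is a placeholder; 636 is the standard LDAPS port.)

suiteb_cert_check() {  # $1 = path to a PEM certificate
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
        echo "unreadable"; return 2
    }
    # The first match of each field is the one in the certificate body.
    keyalg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    curve=$(printf '%s\n' "$text" | sed -n 's/^ *ASN1 OID: *//p' | head -n 1)
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)

    if [ "$keyalg" != "id-ecPublicKey" ]; then
        echo "not-suiteb: key=$keyalg"; return 1
    fi
    case "$curve" in
        prime256v1|secp384r1) ;;   # P-256 and P-384
        *) echo "not-suiteb: curve=$curve"; return 1 ;;
    esac
    case "$sigalg" in
        ecdsa-with-SHA256|ecdsa-with-SHA384) ;;
        *) echo "not-suiteb: sig=$sigalg"; return 1 ;;
    esac
    echo "suiteb-ok: curve=$curve sig=$sigalg"
}

# Constructed sample input: a throwaway self-signed certificate for trying
# the check offline. It is not an eDirectory-issued certificate.
make_sample_cert() {  # $1 = ec|rsa, $2 = output PEM path
    case "$1" in
        ec) opts="-newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -sha384" ;;
        *)  opts="-newkey rsa:2048 -sha256" ;;
    esac
    # $opts is intentionally unquoted so it splits into separate arguments.
    openssl req -x509 -nodes -days 1 -subj "/CN=constructed.example" \
        $opts -keyout "$2.key" -out "$2" 2>/dev/null
}

if [ "$#" -gt 0 ]; then
    suiteb_cert_check "$1"
fi
```

A server that still presents an RSA certificate on its LDAP or HTTP interface after the upgrade returns `not-suiteb: key=rsaEncryption`, which indicates the interface has not yet been pointed at the ECDSA certificate.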