26.7 Security Considerations

Reversible encryption of Universal Password is required for convenient interoperation with other password systems. Administrators must evaluate the costs and benefits of the system. Using a Universal Password stored in eDirectory might be more secure or convenient than attempting to manage several passwords.

A Universal Password in eDirectory is protected by three levels of security: triple DES encryption of the password itself, eDirectory rights, and file system rights.

  • Prior to NICI 3.0, the Universal Password was encrypted by a triple DES, user-specific key. Both the Universal Password and the user key were stored in system attributes that only eDirectory can read. The user key (3DES) was stored encrypted with the tree key, and the tree key was protected by a unique NICI key on each machine. Note that neither the tree key nor the NICI key was stored within eDirectory. They were not stored with the data they protect. The tree key was present on each machine within a tree, but each tree had a different tree key, so data encrypted with the tree key could be recovered only on a machine within the same tree. Thus, while stored, the Universal Password was protected by three layers of encryption.

    NICI 3.0 supports AES 256-bit storage keys; therefore, any application that uses the storage keys to securely wrap other keys should be able to handle the new algorithm. However, any data that is currently wrapped with the older 3DES keys remains accessible without any changes.

    NICI 3.0 supports an AES 256-bit tree key. However, eDirectory does not create the AES 256-bit tree key by default. Creating this key in an environment with 9.0 and earlier versions can cause issues in services that depend on the tree key. We recommend that you update all your eDirectory servers to 9.0 before creating the key. For more information, see Creating an AES 256-Bit Tree Key.

  • Each key is also secured via eDirectory rights. Only administrators with the Supervisor right or the users themselves have the rights to change Universal Passwords.

NOTE: The password policy can be configured to allow Universal Password to be read by administrators, and to allow users to read their own passwords, by using the NMAS/nds-cluster-config extensions. This is not enabled by default.

  • File system rights ensure that only a user with the proper rights can access keys.

    If Universal Password is deployed in an environment requiring high security, you can take the following additional precautions:

    • Make sure that the following directories and files are secure:

      Windows

      %SystemRoot%\SysWOW64\Novell\nici

      %SystemRoot%\System32\ where the NICI DLL is installed

      Linux

      /var/opt/novell/nici

      /etc/opt/novell/nici64.cfg

      /opt/novell/lib64/libccs2.so and the NICI shared libraries in the same directory

      Consult the documentation for your system for specific details of the location of NICI and eDirectory files.

    • As with any security system, restricting physical access to the server where the keys reside is very important.
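    The following script is an added example of how an administrator might audit the Linux paths listed above; it is not part of the eDirectory or NICI product and its function names and policy choices are assumptions. It applies two policies: the key store and configuration file must grant nothing to "other" and no write to "group" (private), while the shared libraries may stay world-readable but must not be writable by group or other (readonly). It relies on GNU/busybox `stat -c`, so it is not portable to BSD/macOS `stat`.

```shell
#!/bin/sh
# Hypothetical NICI file-permission audit (added example, not NetIQ tooling).

# nici_perm_ok PATH POLICY
#   POLICY "private"  -> mode must be like 600/700/640/750: group not writable, other has no bits
#   POLICY "readonly" -> mode must not be writable by group or other (e.g. 644/755 is fine)
# Returns 0 = acceptable, 1 = too permissive, 2 = path missing or unreadable.
nici_perm_ok() {
    path=$1
    policy=${2:-private}
    [ -e "$path" ] || return 2
    mode=$(stat -c '%a' "$path") || return 2        # GNU/busybox stat assumed
    mode=$(printf '%s' "$mode" | tail -c 3)        # drop setuid/setgid/sticky digit if present
    group=$(printf '%s' "$mode" | cut -c2)
    other=$(printf '%s' "$mode" | cut -c3)
    case "$policy" in
        private)
            [ "$other" = "0" ] || return 1
            case "$group" in 0|4|5) return 0 ;; *) return 1 ;; esac
            ;;
        readonly)
            # any of 2, 3, 6, 7 in a digit means the write bit is set
            case "$group" in 2|3|6|7) return 1 ;; esac
            case "$other" in 2|3|6|7) return 1 ;; esac
            return 0
            ;;
        *) return 2 ;;
    esac
}

# Audit the paths named in the documentation. Prints one line per path and
# returns 1 if any existing path is more permissive than its policy allows.
audit_nici_paths() {
    rc=0
    for entry in \
        "/var/opt/novell/nici:private" \
        "/etc/opt/novell/nici64.cfg:private" \
        "/opt/novell/lib64/libccs2.so:readonly"
    do
        p=${entry%%:*}
        pol=${entry##*:}
        if nici_perm_ok "$p" "$pol"; then
            echo "ok        $p"
        else
            case $? in
                1) echo "TOO-OPEN  $p ($(stat -c '%a %U:%G' "$p"))"; rc=1 ;;
                *) echo "missing   $p" ;;
            esac
        fi
    done
    return $rc
}

# Run the audit only when invoked as: sh nici_audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_nici_paths
fi
```

Run it as root on the eDirectory server so that the audit can stat every path; a TOO-OPEN line for the key directory or `nici64.cfg` means an unprivileged local account could read or alter the material that protects the tree key, which is the exposure the checklist above is meant to prevent. The shared-library check only guards integrity, since processes loading `libccs2.so` need read access.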

For security consideration relating to password management, see Security Considerations.