3.8 Post-Installation Tasks

In most configurations there is no need to perform any post-installation tasks. However, NICI can be configured to meet the policies and requirements defined by your business processes. Possible post-installation tasks include the following:

3.8.1 Configuring the Settings for NICI User Directory

NICI creates a new NICI user directory the first time a user uses NICI. NICI sets the rights on each user directory when it creates the directory, so that only the user has access to it.

The default directory for new NICI user directories is:

  • Linux: /var/opt/novell/nici/<uid of user>

  • 32-bit Windows: Windows\System32\Novell\NICI\<user>

  • 64-bit Windows: Windows\SysWOW64\Novell\NICI\<user>

Changing the Permission of NICI User Directory on Linux Servers

The installation program places nici64.cfg (64-bit NICI) and nici.cfg (32-bit NICI) configuration files in the /etc/opt/novell directory on your Linux operating system.

The NICI configuration file emulates the Windows registry and is a minimally editable text file. Most of the entries in the file are set up when you install NICI and should not be modified. Modifications to some fields will leave NICI inoperable. The entries in the configuration file vary for a 32-bit NICI and 64-bit NICI. Nevertheless, a typical configuration file contains the following entries:

ConfigDirectory:s:20:/var/opt/novell/nici
SharedLibrary:s:19:/opt/novell/lib64/libccs2.so
DAC:b:8:1a:aa:6d:49:48:a8:83:98
MkUserDir:s:24:/var/opt/novell/nici/nicimud
NiciVersion:s:5:2.4.0
BuildDate:s:6:020123
NiciStrength:s:2:u0
RestrictionLevel:b:1:00

NOTE: For FIPS mode, modify only the last digit of the RestrictionLevel entry.

Each line holds several fields separated by a colon (:). The first field is the name, the second is the type, the third is the length in decimal, and the fourth is the value. There are two types, string (s) and binary (b). For example, the first line in the sample above has the name ConfigDirectory, type string (s), and length 20 characters; its value is /var/opt/novell/nici. Each key is described in Table 3-6.

Table 3-6 Linux Key Values

Key                 | Description
--------------------|------------------------------------------------------------
MkUserDir           | NICI uses this executable to create user directories. /var/novell/nici/nicimud is supplied by the NICI installation program. (Do NOT modify)
NiciVersion         | NICI version string. (Do NOT modify)
BuildDate           | NICI module’s build date; year, month, and day, each in two decimal digits. (Do NOT modify)
NiciStrength        | u0 for strong, w1 for import restricted (no longer supported). (Do NOT modify)
RestrictionLevel    | 0 for no restriction, 1 for FIPS mode. (Modify only the last digit)
NICISDI Sync Period | (Optional) NICISDI synchronization period in minutes, represented in hexadecimal. (Not recommended)

The libniciext.so module reads the NICISDI sync period value when eDirectory loads it. If the value does not exist, or if the period is zero, the module uses an automatic sync period based on a sliding scale that starts with a heavy synchronization and moves towards lighter synchronization. If the value exists and contains a non-zero period, libniciext.so reads the value and uses it to determine synchronization periods.

NOTE: You should not use the optional sync period unless support directs you to do so.

The /var/opt/novell/nici/<uid>/nicisdi.key file contains the encrypted security domain keys, as discussed in Section 5.0, Understanding the NICI Keys. The <uid> is the numeric user ID; for example, it is typically 0 for root. Having a nicisdi.key file for each user enables multiple instances of eDirectory running with different user IDs to host multiple trees on the same physical box.

NOTE: The UID is the variable numeric user ID defined by the Linux system.

All users have read and execute (where applicable) rights to the files in the NICI configuration directory (/var/opt/novell/nici). Only the user who installs NICI has full rights to the configuration directory. The setuid executable (nicimud for 32-bit NICI and nicimud64 for 64-bit NICI) creates the NICI directories for users. For example, nicimud creates a directory when a user first uses NICI and gives full rights only to the user creating the directory (0700).
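The per-user directory layout just described (one numeric-uid directory under /var/opt/novell/nici, mode 0700, owned by that user) is something an administrator can verify after installation. The following audit is an added example, not NICI's own code; it builds a constructed layout in a temporary directory so it runs anywhere, and the same audit_user_dirs function can be pointed at the real configuration directory.

```python
import os
import shutil
import stat
import tempfile

def audit_user_dirs(root):
    """Check the per-user directories under <root> (/var/opt/novell/nici on a
    real system). A subdirectory whose name is a numeric uid must be mode 0700
    and owned by that uid. Returns {name: [findings]} for failing dirs only."""
    findings = {}
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not name.isdigit() or not os.path.isdir(path):
            continue  # nicimud, nicisdi.key etc. are not user directories
        st = os.lstat(path)
        issues = []
        mode = stat.S_IMODE(st.st_mode)
        if mode != 0o700:
            issues.append(f"mode {mode:04o}, expected 0700")
        if st.st_uid != int(name):
            issues.append(f"owned by uid {st.st_uid}, expected {name}")
        if issues:
            findings[name] = issues
    return findings

def demo():
    """Build a constructed layout in a temp dir and audit it: a correct
    directory named after the current uid, and one whose name claims a
    different uid and is group/world readable. Returns (findings, my_uid)."""
    me = os.getuid()
    root = tempfile.mkdtemp()
    try:
        good = os.path.join(root, str(me))
        os.mkdir(good)
        os.chmod(good, 0o700)
        bad = os.path.join(root, str(me + 1))
        os.mkdir(bad)
        os.chmod(bad, 0o755)
        open(os.path.join(root, "nicisdi.key"), "w").close()  # skipped
        return audit_user_dirs(root), me
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    for name, issues in demo()[0].items():
        print(name, "; ".join(issues))
```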

Changing the Permission of NICI User Directory on Windows Servers

The NICI installation program creates and populates a key in the Windows registry. The registry key is different for 32-bit and 64-bit.

  • 64-bit registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Novell\nici_x64.

  • 32-bit registry key:

    • On 32-bit machine: HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NICI

    • On 64-bit machine: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Novell\NICI

Table 3-7 Windows Key Values

Key                        | Type   | Description
---------------------------|--------|---------------------------------------------------------
ConfigDirectory            | String | Location of NICI configuration files
DAC                        | Binary | NICI module’s digital authentication code
SharedLibrary              | String | The name of the library, such as ccsw32.dll
UserDirectoryRoot          | String | (Optional) Name of a directory where user directories are created. Defaults to ConfigDirectory
Version                    | DWORD  | NICI version, such as 0x00002400 for 2.4
NICISDI Sync Period        | DWORD  | (Optional, not recommended) NICISDI synchronization period in minutes, represented in hexadecimal.
EnableUserProfileDirectory | DWORD  | (Optional) NICI user files are created in the Application Data\Novell\NICI directory in the user’s profile directory.
RestrictionLevel           | Binary | (Optional, 64-bit only) 0 for no restriction, 1 for FIPS mode.

  • By default, NICI creates user directories in the %SystemRoot%\System32\Novell\NICI (32-bit) and %SystemRoot%\SysWOW64\Novell\NICI (64-bit) directories, named after the user. For example, c:\windows\sysWOW64\novell\nici\administrator.

  • If you want to change the root directory in which all user directories are created, navigate to the NICI registry key and create a String value using UserDirectoryRoot as the name and the desired root directory as the value.

  • When creating a user directory, NICI uses the name of the user. If it is a local user, NICI uses the username. If it is a remote or a domain user, NICI forms the username as the combination of username and domain separated by a dot (userName.domainName).

  • By default the EnableUserProfileDirectory key is not created and User Profile functionality is disabled. If you enable user profile functionality, you might need to copy or move the existing NICI user files to the new location. If the user profile directory is enabled, NICI does not set the ACLs on this directory, but relies on existing security properties (ACLs, inheritance, and ownership) of the user’s profile directory. Use this option very carefully, because you can disclose all users’ NICI keys.

  • NICI creates the Application\Novell\NICI directory if it is not present on your server and stores all NICI user files in this directory. NICI provides this option to support the dynamic user creation/deletion feature in the Novell ZENWorks® product. It must be set manually or by another application’s installation, such as ZENWorks.

  • niciext.dlm reads the nicisdi sync period value when eDirectory loads it. If the value does not exist, or if the period is zero, the module does not attempt to read it again. If the value exists and contains a non-zero period, the value is read once in a period before synchronization. We recommend that you do not set the sync period unless directed to by support.

  • The nicisdi.key file contains encrypted security domain keys as discussed in Section 5.0, Understanding the NICI Keys.

  • All users have read, execute, and create rights to the files in the NICI configuration directory (<SystemRoot>\Novell\NICI). NICI dynamically creates user directories when a user uses NICI for the first time and provides full rights only to the user creating the directory.

3.8.2 Using NICI for Configuring System-Level FIPS Mode

NICI 3.0 provides the ability to turn on FIPS mode at the computer level. When FIPS mode is turned on, all 64-bit NICI-enabled applications, products, and services running on that computer can perform cryptographic operations only with FIPS-compliant algorithms. Any attempt to use a non-FIPS-compliant algorithm will fail. To enable FIPS mode at the computer level, perform the following steps:

  • Linux: Navigate to the nici64.cfg file and change RestrictionLevel to 1. This file is located in /etc/opt/novell on Linux.

    NOTE: Modify only the last digit of the RestrictionLevel setting, from 00 to 01.

  • Windows: Navigate to the HKLM\SOFTWARE\Novell\nici_x64 registry key and change the RestrictionLevel value from 0 to 1.

    Perform this action on each server in your tree that you want to put into FIPS mode.

IMPORTANT: Enabling FIPS mode on NICI affects all applications that use NICI on that server. If these applications are not supported in FIPS mode, they might not work properly. Novell recommends that you do not use FIPS mode for NICI in eDirectory 9.0.
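The name:type:length:value line format from Section 3.8.1 and the RestrictionLevel change from the Linux step above, as an added example that is not NICI's own code: it parses nici64.cfg entries, checks that every declared length matches its value (the manual warns that a bad edit leaves NICI inoperable), and changes only the last digit of RestrictionLevel. The file contents are constructed; the DAC bytes are copied from the manual's sample.

```python
# Constructed sample nici64.cfg (layout as in the manual); not a real install.
SAMPLE_CFG = """\
ConfigDirectory:s:20:/var/opt/novell/nici
SharedLibrary:s:28:/opt/novell/lib64/libccs2.so
DAC:b:8:1a:aa:6d:49:48:a8:83:98
RestrictionLevel:b:1:00
"""

def parse_line(line):
    """Split 'name:type:length:value'; the value itself may contain ':'."""
    name, typ, length, value = line.split(":", 3)
    return name, typ, int(length), value

def validate(text):
    """Compare each declared length with its value (characters for type s,
    colon-separated octets for type b); an empty list means self-consistent."""
    problems = []
    for line in filter(str.strip, text.splitlines()):
        try:
            name, typ, length, value = parse_line(line)
        except ValueError:
            problems.append(f"malformed line: {line!r}")
            continue
        if typ == "s":
            actual = len(value)
        elif typ == "b":
            actual = len(value.split(":"))
        else:
            problems.append(f"{name}: unknown type {typ!r}")
            continue
        if actual != length:
            problems.append(f"{name}: declared length {length}, actual {actual}")
    return problems

def fips_enabled(text):
    """True when the last digit of RestrictionLevel is 1 (FIPS mode)."""
    for line in text.splitlines():
        if line.startswith("RestrictionLevel:b:"):
            return parse_line(line)[3][-1] == "1"
    return False  # entry absent: no restriction

def set_fips(text, enabled):
    """Change only the last digit of RestrictionLevel (00 <-> 01) and leave
    every other byte of the file untouched, as the manual requires."""
    def flip(line):
        if not line.startswith("RestrictionLevel:b:"):
            return line
        body = line.rstrip("\n")
        return body[:-1] + ("1" if enabled else "0") + line[len(body):]
    return "".join(map(flip, text.splitlines(keepends=True)))
```

Run validate on the real file before and after any hand edit; a non-empty result means the length field and value no longer agree.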