5.2 Managing the Tree Keys

Tree keys are a special kind of NICI SDI key. Like all SDI keys, tree keys are managed by the associated SDI key object and its attributes. There are now two Tree key objects: CN=W0.CN=KAP.CN=Security, which manages the older 3DES Tree key (the W0 key), and CN=W1.CN=KAP.CN=Security, which manages the new AES 256-bit Tree key (the W1 key).

The CN=W1.CN=KAP.CN=Security object is created when a server holding a writable replica of the CN=KAP.CN=Security container is upgraded to eDirectory 9.0. Although eDirectory 9.0 creates this SDI key object automatically, it does not assign a Key server, so the key itself is not created by default. To enable the new AES 256-bit Tree key, an administrator must assign a Key server to the SDI key object, after confirming that every server in the tree has been upgraded to eDirectory 9.0. For more information, see Creating an AES 256-Bit Tree Key.

NOTE: Do not delete the W0 object after upgrading the tree.

The W0 and W1 objects contain the following attributes:

5.2.1 NDSPKI:SD Key Server DN

The NDSPKI:SD Key Server DN attribute determines which servers are Key servers, that is, which servers can create and distribute the SDI key.

This multivalued attribute on the W0 or W1 object lists the Key servers in the tree for that SDI key object. The list must contain at least one server for the SDI key object to be active. The niciext module reads this attribute, connects to each server in the list, and requests any new security domain keys from it. Only servers in this list can create and distribute the tree key.

Adding a server to this attribute makes that server a Key server. Although any server can be configured as a Key server, for the tree keys it is recommended that only servers holding a writable replica of the SDI key object be configured.

NOTE: If a Key server does not hold a writable replica, additional rights must be assigned to it.

The eDirectory install populates this attribute automatically for the W0 object, so no administrator action is required for W0. For the W1 object, an administrator must add a Key server to this attribute, after confirming that every server in the tree has been upgraded to eDirectory 9.0, in order to enable the new AES 256-bit Tree key. It is recommended that the first Key server assigned be the server holding the Master replica of the CN=W1.CN=KAP.CN=Security object.
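The pre-flight an administrator runs before touching NDSPKI:SD Key Server DN on W1 can be scripted. The following is an added example, not eDirectory or NICI code: it works on a hand-built inventory dict (server DNs, version strings and the replica type each server holds per partition) standing in for what you would collect from the tree with iManager or ndsrepair. The version-string format, the DN names and the assumption that CN=Security is its own partition are all part of the constructed input. It refuses to proceed while any server is below 9.0, recommends the Master replica holder of the partition containing W1 as the first Key server, and flags a candidate that holds no writable replica (which would need additional rights).

```python
"""Pre-flight check for enabling the W1 (AES 256-bit) tree key.

Constructed example: the inventory below is hand-built and is not read
from a live tree. Replica types use the values "master", "rw", "ro".
"""
import re

W1_DN = "CN=W1.CN=KAP.CN=Security"
MIN_VERSION = (9, 0)  # every server must be eDirectory 9.0 or later

# Constructed inventory (assumed layout: CN=Security is a partition root).
INVENTORY = {
    "CN=SRV1.O=acme": {"version": "eDirectory 9.0",
                       "replicas": {"CN=Security": "master"}},
    "CN=SRV2.O=acme": {"version": "eDirectory 9.0",
                       "replicas": {"CN=Security": "rw", "O=acme": "master"}},
    "CN=SRV3.O=acme": {"version": "eDirectory 8.8 SP8",
                       "replicas": {"O=acme": "rw"}},
}


def parse_version(text):
    """Return (major, minor) from a free-form version string (format assumed)."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return int(m.group(1)), int(m.group(2))


def replica_type(server, object_dn):
    """Replica type this server holds for the partition containing object_dn.

    The partition is the longest partition-root DN that is a suffix of object_dn.
    """
    best = None
    for part, kind in server["replicas"].items():
        if object_dn == part or object_dn.endswith("." + part):
            if best is None or len(part) > len(best[0]):
                best = (part, kind)
    return best[1] if best else None


def plan_w1_key_server(inventory):
    """Decide whether W1 may be enabled and which server to assign first.

    Returns {'ok', 'blocked_by', 'key_server', 'warnings'}.  'blocked_by' lists
    servers still below 9.0; while it is non-empty no Key server is proposed.
    """
    blocked = sorted(dn for dn, s in inventory.items()
                     if parse_version(s["version"]) < MIN_VERSION)
    if blocked:
        return {"ok": False, "blocked_by": blocked, "key_server": None, "warnings": []}
    masters = sorted(dn for dn, s in inventory.items() if replica_type(s, W1_DN) == "master")
    writable = sorted(dn for dn, s in inventory.items()
                      if replica_type(s, W1_DN) in ("master", "rw"))
    warnings = []
    if masters:
        chosen = masters[0]            # recommended: the Master replica holder
    elif writable:
        chosen = writable[0]
        warnings.append("no Master replica holder found; using a read/write replica holder")
    else:
        chosen = None
        warnings.append("no server holds a writable replica of the partition containing "
                        + W1_DN + "; a Key server without one needs additional rights")
    return {"ok": chosen is not None, "blocked_by": [], "key_server": chosen,
            "warnings": warnings}


def check_key_server_candidate(inventory, candidate):
    """Warnings for adding `candidate` to NDSPKI:SD Key Server DN on W1 (empty = fine)."""
    s = inventory[candidate]
    msgs = []
    if parse_version(s["version"]) < MIN_VERSION:
        msgs.append("%s runs a release older than 9.0" % candidate)
    if replica_type(s, W1_DN) not in ("master", "rw"):
        msgs.append("%s holds no writable replica of the partition containing %s; "
                    "additional rights must be assigned" % (candidate, W1_DN))
    return msgs


if __name__ == "__main__":
    print(plan_w1_key_server(INVENTORY))
    for dn in INVENTORY:
        print(dn, check_key_server_candidate(INVENTORY, dn))
```

With the constructed inventory the plan is blocked by SRV3 (8.8 SP8); once every entry reports 9.0 it proposes SRV1, the Master replica holder, and still warns about SRV3 as a candidate because it holds no writable replica of the Security partition.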

5.2.2 ACL

The ACL attribute determines which servers can acquire a copy of the key. A server needs the Read right to [All Attributes Rights] and the Browse right to the object in order to acquire a copy of the key.

In 3.0, the NICI SDI health check process runs periodically and creates an inherited rights mask on the KAP.Security object. The mask is created automatically to ensure that only servers explicitly granted rights to an SDI key object can acquire the key: objects are not allowed to inherit the rights needed to acquire a key; those rights must be assigned explicitly on the SDI key object.
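To see why the mask matters, the following added example (not eDirectory code) models the rights evaluation this section describes: rights granted higher in the tree flow down to CN=W1.CN=KAP.CN=Security until an inherited rights mask on CN=KAP.CN=Security filters them out, while an explicit ACE on the W1 object itself still satisfies the Browse plus Read-on-[All Attributes Rights] requirement. The tree, server DNs and ACL entries are constructed; the model is simplified (explicit assignment replaces inherited rights for that trustee and protected class, and every ACE is treated as inheritable), so it illustrates the rule rather than reproducing the full eDirectory rights engine.

```python
"""Simplified model of eDirectory ACL evaluation for a NICI SDI key object.

Constructed example. It models explicit ACEs, inheritance down the tree and
an inherited rights mask (IRF) on CN=KAP.CN=Security, which is what the NICI
SDI health check installs so that key-acquisition rights cannot be inherited.
"""
from dataclasses import dataclass, field

ENTRY_RIGHTS = "[Entry Rights]"
ALL_ATTRIBUTE_RIGHTS = "[All Attributes Rights]"
# What a server must hold on the SDI key object to acquire a copy of the key.
NEEDED = {ENTRY_RIGHTS: {"Browse"}, ALL_ATTRIBUTE_RIGHTS: {"Read"}}

W1 = "CN=W1.CN=KAP.CN=Security"
KAP = "CN=KAP.CN=Security"
SERVER_A = "CN=SRV-A.O=acme"   # rights granted only at CN=Security (inherited)
SERVER_B = "CN=SRV-B.O=acme"   # rights granted explicitly on the W1 object


@dataclass
class Ace:
    trustee: str        # DN of the server object being granted rights
    protected: str      # ENTRY_RIGHTS, ALL_ATTRIBUTE_RIGHTS or one attribute name
    rights: frozenset   # e.g. {"Browse"} or {"Read"}


@dataclass
class Entry:
    dn: str
    acl: list = field(default_factory=list)
    # Inherited rights mask: protected class -> rights allowed to pass through.
    # "*" applies to every class not listed; a missing class lets everything through.
    irf: dict = field(default_factory=dict)


def lineage(dn):
    """Root-first list of DNs from the top of the tree down to dn."""
    parts = dn.split(".")
    return [".".join(parts[i:]) for i in range(len(parts) - 1, -1, -1)]


def effective_rights(tree, dn, trustee):
    """Walk root to dn: filter inherited rights by each IRF, then apply explicit ACEs."""
    inherited = {}
    for level in lineage(dn):
        entry = tree.get(level, Entry(level))
        current = {}
        for prot, rights in inherited.items():
            allowed = entry.irf.get(prot, entry.irf.get("*"))
            current[prot] = set(rights) if allowed is None else set(rights) & set(allowed)
        for ace in entry.acl:
            if ace.trustee == trustee:      # explicit assignment replaces inherited rights
                current[ace.protected] = set(ace.rights)
        inherited = current
    return inherited


def can_acquire_key(tree, sdi_dn, server_dn):
    """True if the server holds Browse on the object and Read on [All Attributes Rights]."""
    eff = effective_rights(tree, sdi_dn, server_dn)
    return all(need <= eff.get(prot, set()) for prot, need in NEEDED.items())


def health_check_mask(tree):
    """What the NICI SDI health check does: block all inheritance below KAP.Security."""
    tree.setdefault(KAP, Entry(KAP)).irf = {"*": frozenset()}


def build_tree():
    """Constructed tree: SRV-A granted at CN=Security, SRV-B granted on W1 itself."""
    return {
        "CN=Security": Entry("CN=Security", acl=[
            Ace(SERVER_A, ENTRY_RIGHTS, frozenset({"Browse"})),
            Ace(SERVER_A, ALL_ATTRIBUTE_RIGHTS, frozenset({"Read"})),
        ]),
        KAP: Entry(KAP),
        W1: Entry(W1, acl=[
            Ace(SERVER_B, ENTRY_RIGHTS, frozenset({"Browse"})),
            Ace(SERVER_B, ALL_ATTRIBUTE_RIGHTS, frozenset({"Read"})),
        ]),
    }


if __name__ == "__main__":
    t = build_tree()
    print("before mask:", can_acquire_key(t, W1, SERVER_A), can_acquire_key(t, W1, SERVER_B))
    health_check_mask(t)
    print("after mask: ", can_acquire_key(t, W1, SERVER_A), can_acquire_key(t, W1, SERVER_B))
```

Before the mask both servers pass, because SRV-A's rights at CN=Security are inherited by W1. After the health check installs the mask on KAP, SRV-A can no longer acquire the key while SRV-B, whose rights are assigned directly on the W1 object, still can. That is the property the periodic health check enforces: a container-level grant is not enough to obtain a tree key.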