5.0 Understanding the NICI Keys

To help applications securely store and transfer data and keys, NICI provides three types of keys: the Key Storage key, the NICI Security Domain Infrastructure (SDI) key, and the Session key (SASDFM key).

  • The Key Storage key is a server-specific key. This key is unique to the server on which it is created, and is intended to be used to securely wrap keys for either internal or external storage. NICI creates this key for the server on which NICI is installed.

  • A NICI SDI key is shared by all the servers within a security domain. In eDirectory, a security domain consisting of the whole tree is established, and the associated key is often referred to as the Tree key or sometimes the W0 key (because the object used to manage this key is CN=W0.CN=KAP.CN=Security). NICI 3.0 and eDirectory 9.0 add support for a new AES-256 Tree key (or W1 key). However, this key is not enabled by default, because all servers in the tree must be running eDirectory 9.0 or later to support it. All the servers in an eDirectory tree have the rights to acquire the Tree key.

    Access to SDI keys is governed by eDirectory rights and attributes. A specific set of rights and attributes allows a server to create and distribute an SDI key; a server with this set of rights and attributes is known as a “Key server”. A different set of rights and attributes allows a server to acquire keys from a Key server.

  • NICI provides a Session key (or SASDFM key) for secure communication between a client and a server.