5.4 Creating an AES 256-Bit Tree Key

Tree keys are a special kind of NICI SDI key and are available to all servers in the tree. When multiple servers need access to the same encrypted data, eDirectory uses the Tree key to provide that access while still keeping the data secure in conjunction with eDirectory rights. In all prior versions of eDirectory, a single security domain consisting of the whole tree was established, and its key is often referred to as the Tree key or sometimes the W0 key (because the SDI key object used to manage it is CN=W0.CN=KAP.CN=Security). This key is a 3DES key, and all servers in an eDirectory tree have the rights to acquire it. The W0 key continues to be available; 3DES is a legacy algorithm that NIST has deprecated for new use, which is why a stronger Tree key is introduced below.

Beginning in eDirectory 9.0 with NICI 3.0, eDirectory supports the creation of a new AES 256-bit Tree key. The SDI key object used to manage this new Tree key is CN=W1.CN=KAP.CN=Security, and the key is known as the W1 key. All servers in the tree must be upgraded to eDirectory 9.0 before this key is enabled, because the key is synchronized to every server in the tree and only NICI 3.0 supports it. Although eDirectory 9.0 automatically creates this SDI key object, it does not assign a Key server, so the key is not created by default. To enable the new AES 256-bit Tree key, an administrator must assign a Key server to the SDI key object after confirming that all servers in the tree have been upgraded to eDirectory 9.0.

IMPORTANT:

  • Do not create an AES 256-bit key unless all servers in your tree have been upgraded to eDirectory 9.0.

  • Do not create an AES 256-bit key if you have OES servers in your environment.

When the server holding the master replica of the partition that contains the KAP.Security container is upgraded to eDirectory 9.0, the eDirectory installer creates a W1 object in that container. After all servers in the tree are upgraded to eDirectory 9.0, the tree administrator can create the AES 256-bit SDI key as follows:

  1. Log in to the eDirectory tree as an administrator with the appropriate rights.

  2. On the Roles and Tasks menu, click Directory Administration > Modify Object.

  3. Browse and select the W1.KAP.Security object.

  4. Click OK.

  5. In the window that displays, add the NDSPKI:SD Key Server DN attribute and set its value to the DN of a server holding a master replica of the partition that contains the W1.KAP.Security object. This server becomes the Key server that generates the key.

  6. To create the AES 256-bit SDI key, trigger the NICI health check on the server you assigned as Key server by performing one of the following actions:

    • Linux: Unload and reload the NICI SDI module (niciext) using ndstrace.

    • Windows: Use the DHost console to reload the niciext module.

    • Restart eDirectory.

    • Restart server.

After the AES 256-bit SDI key is created, it is automatically synchronized to all servers in the tree on the normal synchronization schedule. If the servers in the tree have been up for some time, this automatic synchronization is likely to be slow, because SDI keys are synchronized on a sliding scale: the longer the SDI module has been running, the longer the interval between synchronization attempts. You can speed up synchronization by using one of the following methods on each server in the tree:

  • Linux: Unload and reload the NICI SDI module (niciext) using ndstrace.

  • Windows: Use the DHost console to reload the niciext module.

  • Restart eDirectory.

  • Restart server.
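The two parts of this procedure that an administrator types at a Linux shell rather than in iManager are the pre-flight check behind the IMPORTANT notes (every server must already be at eDirectory 9.0 / NICI 3.0) and the niciext reload used in step 6 and in the speed-up list above. The following is an added shell example; it is not part of the eDirectory documentation or product. It assumes that NCP Server objects appear in LDAP as objectClass ncpServer with a "version" attribute whose value contains "eDirectory <major>.<minor>", that OpenLDAP ldapsearch is installed, and that ndstrace -c "unload niciext" / "load niciext" performs the reload; the LDIF it parses is a constructed sample standing in for real ldapsearch output.

```shell
#!/bin/sh
# Added example, not part of the eDirectory documentation or product.
#
# Helpers for the W1 key procedure:
#   check_versions        - reads LDIF on stdin and decides whether every NCP
#                           Server object reports eDirectory 9.0 or later
#   query_server_versions - the assumed ldapsearch call that produces that LDIF
#   reload_niciext        - assumed Linux unload/reload of the SDI module used
#                           in step 6 and in the synchronization speed-up
#
# Assumptions (not stated on the page): NCP Server objects are ncpServer in
# LDAP and carry a "version" attribute containing "eDirectory <major>.<minor>";
# ndstrace -c "unload niciext" / "load niciext" unload and reload the module.

# Exit 0 only if every entry has a version line naming eDirectory 9.x or later.
# An entry with no version line, or one that cannot be parsed, counts as not
# ready: a server that cannot be confirmed must block the key creation.
check_versions() {
    awk '
        /^dn: / {
            if (dn != "" && !have) { print "NO VERSION: " dn; behind++ }
            dn = substr($0, 5); have = 0
        }
        tolower($0) ~ /^version: / {
            have = 1
            if (match($0, /eDirectory [0-9]+\.[0-9]+/)) {
                v = substr($0, RSTART + 11, RLENGTH - 11)   # e.g. "9.0" or "8.8"
                split(v, p, ".")
                if (p[1] + 0 < 9) { print "BEHIND:     " dn " (" v ")"; behind++ }
                else              { print "OK:         " dn " (" v ")" }
            } else {
                print "UNPARSED:   " dn " (" $0 ")"; behind++
            }
        }
        END {
            if (dn != "" && !have) { print "NO VERSION: " dn; behind++ }
            exit (behind > 0)
        }
    '
}

# Assumed live query. Usage: query_server_versions ldap.example.com cn=admin,o=acme
# The whole tree is searched so servers in every partition are included.
query_server_versions() {
    ldapsearch -x -H "ldaps://$1" -D "$2" -W -b "" -s sub \
        "(objectClass=ncpServer)" version
}

# Assumed Linux equivalent of "unload and reload niciext using ndstrace".
# Run on the Key server after step 5 to create the key, then on every other
# server to pull the new key without waiting for the sliding-scale schedule.
reload_niciext() {
    ndstrace -c "unload niciext" && ndstrace -c "load niciext"
}

# Constructed sample standing in for ldapsearch output: one server is at 9.0,
# one is still at 8.8, and one reports no version at all.
SAMPLE_LDIF='dn: cn=SRV1,ou=servers,o=acme
version: NetIQ eDirectory 9.0 (40002.79)

dn: cn=SRV2,ou=servers,o=acme
version: Novell eDirectory 8.8 SP8 (20811.05)

dn: cn=SRV3,ou=servers,o=acme
'

if printf '%s\n' "$SAMPLE_LDIF" | check_versions; then
    echo "All servers report eDirectory 9.0 or later: safe to assign the W1 Key server."
else
    echo "Tree is not ready: finish upgrading the servers listed above first."
fi
```

The check deliberately treats a server with no readable version as not ready rather than skipping it: once the W1 key exists it is offered to every server in the tree, so the server you could not confirm is exactly the one that can break the procedure. It only reports what each NCP Server object says about itself, so servers that are down or unreachable, and any OES servers (the second IMPORTANT note), still have to be confirmed separately.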

IMPORTANT: The NICI SDI key is available to all servers in the tree. Therefore, you must upgrade all servers in the tree to NICI 3.0 before creating the AES 256-bit SDI key.