5.5 NICI SDI Health Check

In NICI 3.0, the NICI SDI module (niciext) now has a health check that runs each time the niciext module is loaded. The health check also runs if a new key is created. The health check writes its output to the NICIext_Health.log file, located in the normal eDirectory log directory. The output can also be seen in DSTrace, if enabled.

The NICI SDI health check process performs the following tasks:

  • Creates an inherited rights mask for the KAP.Security object.

    NOTE: The inherited rights mask is created automatically to address a security rights issue.

  • Automatically adds servers with a Writable replica of the W0 object to be key servers for the W0 object.

  • Automatically creates a new W1.KAP.Security object. NICI uses this object to represent and administer rights to the new AES 256-bit SDI key.

    IMPORTANT: NICI does not automatically create the new AES 256-bit SDI key until a tree administrator performs a specific configuration operation.

  • Checks to see if a key server has been assigned to the W1 object. Only if a key server has been assigned does the NICI health check add servers with a Writable replica of the W1 object as key servers for W1. For more information, see Creating an AES 256-Bit Tree Key.

  • Checks to see if a key server has been assigned to the W1 object. Only if a key server has been assigned does the NICI health check mirror the rights for the W0 object to the new W1 object, which allows all servers in the tree to access the new AES 256-bit SDI key.