5.4 Creating an AES 256-Bit Tree Key

Tree keys are a special kind of NICI SDI key and are available to all servers in the tree. When multiple servers need access to the same encrypted data, eDirectory uses the Tree key to provide that access while still protecting the data, in conjunction with eDirectory rights. In all prior versions of eDirectory a single security domain consisting of the whole tree was established, and its key is commonly referred to as the Tree key or sometimes the W0 key, because the SDI key object used to manage it is CN=W0.CN=KAP.CN=Security. The W0 key is a 3DES key, and every server in an eDirectory tree has the rights to acquire it. This key will continue to be available.

Beginning with eDirectory 9.0 and NICI 3.0, eDirectory supports creating a new AES 256-bit Tree key. The SDI key object used to manage this key is CN=W1.CN=KAP.CN=Security, so the key is known as the W1 key. All servers in the tree must be upgraded to eDirectory 9.x before this key is enabled. Although eDirectory 9.x creates the W1 SDI key object automatically, it does not assign a Key Server to it, so the key is not created by default. After confirming that every server in the tree has been upgraded to eDirectory 9.x, an administrator must assign a Key Server to the SDI key object in order to enable the new AES 256-bit Tree key.

IMPORTANT:

When the server holding the master replica of the KAP.Security container is upgraded to eDirectory 9.x, the eDirectory installation creates a W1 object in that container. Once all servers in the tree have been upgraded to eDirectory 9.x, the tree administrator can create the AES 256-bit SDI key.

  1. Log in to the eDirectory tree as an administrator with the appropriate rights.

  2. On the Roles and Tasks menu, click Directory Administration > Modify Object.

  3. On the Modify Object screen, click Object Selector.

    The Object Selector screen appears.

  4. On the Object Selector (Browser) screen select Security > KAP > W1 object.

  5. Click OK.

    The Modify Object: W1.KAP.Security screen appears.

  6. Select NDSPKI:SD Key Server DN and click Add.

    The Add Attributes screen appears.

  7. Click Object Selector, browse to the server's context, select the server DN, and click OK.

    NOTE: The Server DN is the DN of the NCP Server object, whose name (the server name) was chosen when the tree was created.

    For more information see: NDSPKI:SD Key Server DN.

  8. On the Add Attributes screen, click OK.

  9. On the Modify Object: W1.KAP.Security screen click Apply > OK.

    A Success message appears: Your changes have been saved.

    Figure 5-1 Creating an AES 256-Bit Tree Key

  10. To create the AES 256-bit SDI key, trigger the NICI health check by performing one of the following actions:

    • Linux: Unload and reload the NICI SDI module (niciext) using ndstrace.

      Example:

      Check niciext status by running: ndstrace -c "modules".

      Unload niciext by running: ndstrace -c "unload niciext".

      Load niciext by running: ndstrace -c "load niciext".

    • Windows: Use the DHost console to reload the niciext module.

      Open NDSCons from Control Panel > NetIQ eDirectory Services, or run it from the eDirectory installation directory (for example C:\NetIQ\eDirectory).

      On the DHost console, stop and then start the niciextwx64.dlm module.

    • Restart eDirectory.

    • Restart the server.

After the AES 256-bit SDI key is created, the new key is automatically synchronized to all servers in the tree on the normal synchronization schedule. If the servers in the tree have been up for some time, automatic synchronization is likely to be slow, because SDI keys are synchronized on a sliding scale that depends on how long the SDI module has been running. You can speed up synchronization by using one of the following methods on each server in the tree:

  • Linux: Unload and reload the NICI SDI module (niciext) using ndstrace.

    Example:

    Check niciext status by running: ndstrace -c "modules".

    Unload niciext by running: ndstrace -c "unload niciext".

    Load niciext by running: ndstrace -c "load niciext".

  • Windows: Use the DHost console to reload the niciext module.

    Open NDSCons from Control Panel > NetIQ eDirectory Services, or run it from the eDirectory installation directory (for example C:\NetIQ\eDirectory).

    On the DHost console, stop and then start the niciextwx64.dlm module.

  • Restart eDirectory.

  • Restart the server.
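The following shell script is an added example and is not part of this documentation or of eDirectory itself. It wraps the Linux reload used both in step 10 (on the Key Server, to trigger the health check that creates the key) and in the per-server synchronization speed-up above, checking each ndstrace command's result instead of assuming it worked, and it adds an ldapmodify alternative to steps 6 through 9 for assigning the Key Server to W1.KAP.Security. The exact format of the ndstrace module listing and the LDAP attribute name ndspkiSDKeyServerDN are assumptions, labeled as such in the code; the module listings embedded in the script are constructed samples, not captured output.

```shell
#!/bin/sh
# Added example, not from the eDirectory documentation: helpers for the two
# administrative actions on this page, assigning the Key Server to
# W1.KAP.Security (the LDAP equivalent of steps 6-9) and reloading the NICI
# SDI module niciext (step 10, and the per-server sync speed-up).
#
# Assumptions (not stated on the page):
#  - ndstrace is on PATH on a Linux eDirectory 9.x server, and
#    `ndstrace -c "modules"` names each loaded module somewhere on a line.
#  - The LDAP name of NDSPKI:SD Key Server DN is ndspkiSDKeyServerDN,
#    following eDirectory's usual NDS-to-LDAP attribute naming; confirm it
#    with `ldapsearch -b cn=schema -s base attributeTypes` before use.

# Emit LDIF that adds the Key Server DN to the W1 SDI key object.
# $1 is the NCP Server object's DN in LDAP form, e.g. cn=srv1,o=acme.
w1_key_server_ldif() {
    printf 'dn: cn=W1,cn=KAP,cn=Security\n'
    printf 'changetype: modify\n'
    printf 'add: ndspkiSDKeyServerDN\n'
    printf 'ndspkiSDKeyServerDN: %s\n' "$1"
}

# Succeed (exit 0) when the module listing on stdin mentions niciext.
# A case-insensitive substring match keeps this independent of the exact
# column layout ndstrace uses.
niciext_loaded() {
    grep -qi 'niciext'
}

# Unload and reload niciext through ndstrace, checking each step so a failed
# unload does not silently leave the old module in place, then confirm the
# module is back before reporting success.
reload_niciext() {
    if ndstrace -c "modules" | niciext_loaded; then
        ndstrace -c "unload niciext" || { echo "unload niciext failed" >&2; return 1; }
    else
        echo "niciext was not loaded; loading it now" >&2
    fi
    ndstrace -c "load niciext" || { echo "load niciext failed" >&2; return 1; }
    ndstrace -c "modules" | niciext_loaded \
        || { echo "niciext did not come back after reload" >&2; return 1; }
}

# Constructed sample listings (not real ndstrace output) used to exercise
# niciext_loaded offline.
SAMPLE_WITH_NICIEXT='ds        loaded
niciext   loaded
nldap     loaded'
SAMPLE_WITHOUT_NICIEXT='ds        loaded
nldap     loaded'

# Usage on a server (only when explicitly asked, so sourcing is harmless):
#   sh w1key.sh --reload
#   sh w1key.sh --ldif cn=srv1,o=acme | ldapmodify -H ldaps://srv1 -D cn=admin,o=acme -W
case "${1:-}" in
    --reload) reload_niciext ;;
    --ldif)   w1_key_server_ldif "$2" ;;
esac
```

Run the `--ldif` form once, against the server that holds the master replica of KAP.Security, and the `--reload` form on the Key Server to create the key and then on every other server to pull the new key early; the script's own exit status tells you whether the reload actually completed.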

IMPORTANT: The NICI SDI key is available to all servers in the tree. Therefore, you must upgrade all servers in the tree to NICI 3.0 before creating the AES 256-bit SDI key.