4.1 Tree Merging and Splitting

Merging two or more trees with NICI versions before NICI 2.0.1 caused problems in various components, including PKI, NMAS, and Novell SecretStore. NICI 2.0.1 adds support for multiple security domain keys and automatic key synchronization. This reduces such problems, short of rebooting a server and adding a server name to a directory attribute, which are still required. See Section 4.2, Directory Objects, for more details.

Tree splits do not cause major problems the way tree merges do. Nevertheless, it is strongly recommended that, after a tree split, existing security domain keys be revoked and new ones created, so that old security domain keys cannot access encrypted data protected by such keys. Note, however, that new data must be encrypted with one of the new security domain keys to facilitate cryptographic tree separation. A tool is being developed for administration of security domain keys.