4.2 Directory Objects

In the directory, the Security.KAP.W0 container off the root has a list of attributes to aid in security domain key management. These attributes are described below:

4.2.1 NDSPKI:SD Key Server DN

This multivalued attribute contains the list of SD key servers in the tree. There must be at least one server in this list. NICI 2.0.1 and newer versions, which are distributed with NetWare 6 or later, make use of this attribute. NICISDI or NICIEXT reads this attribute each time it loads (typically at server boot), then connects to each server in the list and requests any new security domain keys from it. Existing security keys are also checked for revocation. However, security domain keys are not deleted automatically. Only new key retrieval (not creation) and key revocation are performed automatically on every loading of NICISDI or NICIEXT, or periodically as configured by the NICISDI sync period.

For a tree merge, add the name of the new SD key server to this list after the trees are merged, and reboot all the servers in the tree unless periodic synchronization is enabled. The final list must contain the names of the SD key servers in all trees. We strongly recommend that NICI version 2.0.1 or newer be installed on servers.

4.2.2 NDSPKI:SD Key List

This attribute is reserved for future use to hold the list of security domain key identifiers.