Backing Up and Restoring NICI

Novell International Cryptography Infrastructure (NICI) stores keys and user data in the file system and in system and user specific directories and files. These directories and files are protected by setting the proper permissions on them using the mechanism provided by the operating system. This is done by the NICI installation program.

Uninstalling NICI from the system does not remove the system or user directories and files. Therefore, the only reason to restore these files to a previous state is to recover from a catastrophic system failure or a human error. It is important to understand that overwriting an existing set of NICI user directories and files might break an existing application.

Backing up and restoring NICI requires two things:

  1. Backing up and restoring directories and files.
  2. Backing up and restoring specific user rights on those directories and files.

The exact sequence of events required depends on the platform you are using.

The critical issue with backup and restore is to maintain the exact permissions on the directories and files. NICI's operation and the security it provides depend on these permissions being set properly.

Typical commercial backup software should preserve permissions on the NICI system and user directories and files. Check your backup software to see if it does the job before doing a custom backup of NICI.

Care should be taken to back up the existing NICI directory structure and its contents, if any, before doing a restore. Losing the machine key is unrecoverable. Because the user data and keys could be encrypted using the machine key, losing it would result in a permanent loss of user data.

Doing a restore of just NICI will require knowledge on your part to determine which files must be restored. During restoration, it is important that the correct access rights be restored for the correct owner. On UNIX and Windows systems, the name of the user specific directory reflects the ID of the owner, but on both systems, the owner ID might change between the time of the backup and the time of the restore. For security reasons, the operator must know which account is being restored and determine that the directory name and access rights are assigned accordingly. The mere existence of a user account on the system with the same ID as the one that was backed up does not mean that the current account is the actual owner of the information being restored.

For more information, see TID10098087, How to Backup NICI 2.7.x and 2.6.x and TID10096647, How to Backup the eDirectory Database and Associated Security Services Files in the Novell Knowledgebase.


UNIX

In NICI 2.6.5 and earlier, the /var/novell/nici directory contains all the system and user directories and files. In NICI 2.7.0 and later, /var/novell/nici is a symbolic link to the /var/opt/novell/nici directory that contains the files.

To determine the version of NICI you are using, see the /etc/nici.cfg file.


Performing a Backup

The following files and directories should be backed up. Make sure you preserve the rights on all the directories and files.


For NICI Versions Earlier Than 2.7.0

File/Directory Name        Type of File and Special Instructions

/etc/nici.cfg              Configuration file.

/usr/lib/libccs2.so        Symbolic link to the actual library in /usr/lib/.

/usr/lib/libccs2.so.*      The NICI library (the version of the library completes the name).

/var/novell/nici           This directory contains all the system keys, user directories and files/keys, and the programs used to initialize NICI.


For NICI 2.7.0 and Later

File/Directory Name            Type of File and Special Instructions

/etc/nici.cfg                  Symbolic link to the /etc/opt/novell/nici.cfg config file.

/etc/opt/novell/nici.cfg       Configuration file.

/usr/lib/libccs2.so            Symbolic link to the actual library in /opt/novell/lib/.

/opt/novell/lib/libccs2.so.*   The NICI library (the version of the library completes the name).

/var/novell/nici               Symbolic link to the /var/opt/novell/nici directory.

/var/opt/novell/nici           This directory contains all the system keys, user directories and files/keys, and the programs used to initialize NICI.


Restoring NICI

To restore the NICI configuration files, first determine whether NICI is already installed on the machine by searching for the /etc/nici.cfg file or link.

  1. If NICI is already installed on the system, take a backup of the existing set up as outlined above.

  2. Uninstall NICI and remove the /var/novell/nici or /var/opt/novell/nici directory structure.

    This is to make sure that the existing system keys do not conflict with the restored set.

  3. Restore the whole structure from the backup store (depending on the version of NICI), remembering to restore the access rights.

We recommend that you follow the above steps, but a knowledgeable operator can choose to restore individual files or directories, possibly changing the names of the files or directories and assigning new access rights. This can be done only if the nicifk and xmgrcfg.wks files haven't changed from those on the backup store.

The following guidelines for each file/directory are recommended when restoring when NICI is already installed on the box:

File Name                             Procedure

xmgrcfg.nif                           Can be restored over an existing file.

xarchive.000                          Can be restored over an existing file.

User specific directories and files   Take care that the userid in the backup is the same as the user on the box. If the user directory already exists, determine whether the user wants to keep the current files or restore them to a previous state. Normally, user configuration files should be restored as a group rather than individually. Be sure to restore the user files under the correct user's correct userid and to restore the rights on the user directory and contents.

                                      For example, if BOB had userid 1000 at the time of the backup but now has userid 5000, the files in the backed up directory 1000 should be restored to directory 5000, or BOB's UID must be changed back to 1000.

                                      The restore process must not just blindly restore the user directories without input from the operator. In either case, a backup of the existing NICI user directory needs to be done.
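As an added example (not from the Novell documentation), the following POSIX shell functions implement the UNIX backup, restore and rights check described above, including the uid change in the BOB case. The function names and the manifest format are my own; the script assumes GNU tar, find and stat, and that it is run as root on the real tree so ownership is restored along with modes.

```shell
#!/bin/sh
# Added example, not from the Novell documentation. Records a manifest of
# path, mode, uid and gid for a NICI tree, archives it with tar, and checks a
# restored tree against that manifest. Run as root on the real tree: GNU tar
# then restores ownership as well as modes. Pass /var/opt/novell/nici for
# NICI 2.7.0 and later, /var/novell/nici for earlier versions.

# nici_manifest ROOT: print "path mode uid gid" for every entry under ROOT.
nici_manifest() {
    ( cd "$1" && find . -exec stat -c '%n %a %u %g' {} + | sort )
}

# nici_backup ROOT ARCHIVE: archive ROOT and store its manifest beside the
# archive as ARCHIVE.manifest, so the expected rights travel with the backup.
nici_backup() {
    nici_manifest "$1" > "$2.manifest"
    tar -C "$(dirname "$1")" -cf "$2" "$(basename "$1")"
}

# nici_restore ARCHIVE PARENT: extract under PARENT; -p keeps the recorded
# modes instead of applying the current umask.
nici_restore() {
    tar -C "$2" -xpf "$1"
}

# nici_verify ROOT MANIFEST: exit 0 when every path, mode, uid and gid matches
# the manifest; otherwise print the differing lines and exit 1.
nici_verify() {
    nici_manifest "$1" | diff "$2" -
}

# nici_remap_uid MANIFEST OLD NEW: the BOB case from the text (uid 1000 at
# backup time, 5000 now). Rewrite the user directory name and the uid field
# so a restore into directory NEW, owned by NEW, can be verified.
nici_remap_uid() {
    awk -v o="$2" -v n="$3" '{
        if ($1 == ("./" o)) $1 = "./" n
        else if (index($1, ("./" o "/")) == 1) $1 = "./" n substr($1, length("./" o) + 1)
        if ($3 == o) $3 = n
        print
    }' "$1"
}
```

Run nici_verify against the stored manifest after every restore; a non-empty diff means a mode or owner differs from what was backed up and must be corrected before NICI is used.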


NetWare

Before NICI 2.x, the configuration files were kept in sys:\_NetWare and different procedures apply. These instructions are valid only for NICI 2.x or later.


Performing a Backup

Back up the sys:\system\NICI directory and any subdirectories and access rights. There is only one user on NetWare so the complication of backing up and restoring the user directories as on UNIX and Windows does not exist.


Restoring NICI

If NICI is not installed, restore the sys:\system\NICI directory and its contents.

If NICI is installed (as indicated by the presence of the sys:\system\NICI\nici.cfg file), take a backup of the existing setup and remove NICI. Copy the whole backup structure from the backup store to restore.

Selective restoration can be done only if the nicifk file hasn't changed from the one on the backup store. If it hasn't changed, restore whatever files in the sys:\system\NICI directory you want. Generally, the files should be restored as a group, but a knowledgeable operator can choose to restore only certain files or subdirectories.


Windows

Configuration information is kept in the system registry under the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NICI.

A second key will identify the version of NICI currently installed. For example:

HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NICI (Shared) U.S./Worldwide (128 bit)


Performing a Backup

  1. Back up any registry information under HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NICI*

    NICI* indicates all registry keys which begin with NICI. There might be more than one.

  2. Back up the directory, including subdirectories, identified by HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NICI\ConfigDirectory.

    As with the UNIX systems, remember the access rights on that directory and all subdirectories. See Performing a Backup for more information.

If commercial software is used to do the backup, make sure the backup program itself runs as a system process. This will ensure that the program will be able to access all the directories and subdirectories.


Restoring NICI

  1. If NICI is not installed, restore all the registry information first.

    or

    If NICI is installed, remove NICI and overwrite the registry information from the backup store.

  2. Restore the files and directories within HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NICI\ConfigDirectory as selected by the operator.

As in the UNIX case, we recommend restoring all the files as a group. But a knowledgeable operator can choose to restore individual entries. This can be done only if the nicifk and xmgrcfg.wks files did not change from those on the backup store. In that case, be sure to adjust the access rights based on the new owner of the user configuration directories. The individual directories are named after the owner, but access rights are controlled by the SID. Just because a subdirectory is named BOB does not automatically mean that the current user BOB is the correct owner of the information being restored.


Special Case for Windows

It is possible to configure the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NICI\UserDirectoryRoot to indicate that the user configuration files be placed in the user's personal configuration directory. In that case, be prepared to back up and restore the user information independently as part of normal backup and restore operations. If NICI has been configured in that manner, you should know about it and be prepared to do individual backups.

This special case for the Windows user directory is enabled by creating the registry value EnableUserProfileDirectory rather than just pointing the directory path there. If Windows is configured to automatically create and delete user accounts, the directory might be automatically deleted when the user profile directory is enabled. In that case, backup and restore is only necessary for those specific users who are permanent. The default path will be under the Application Data\Novell\Nici directory branch of the user's directory in Documents and Settings.