Novell® Single Sign-on requires a Security Domain Infrastructure (SDI) Key in order to function properly. The SDI Key enables the secure transport of keys between servers within a single NDS® tree.
Follow the sections below to properly set up the SDI key before continuing with the Single Sign-on installation.
NOTE: SDI is set up automatically on Solaris and Linux servers during installation, so this section might not apply to Solaris and Linux servers running NDS eDirectory 8.5 or NDS Corporate Edition 8.5.
Create and populate the Security container, if necessary.
In ConsoleOne, verify that a Security container exists at the [Root] of your NDS tree.
Verify that the Security container contains a KAP container object, and that the KAP container contains a W0 object.
If a Security container is not there, create one at the [Root].
The object class is SAS: Security Container. Name the container object "Security."
If the KAP container object is not there, create one inside the Security container.
The object class is NDSPKI: SD Key Access Partition. Name the object "KAP."
If the W0 object is not there, create one inside the KAP object.
The object class is NDSPKI: SD Key List. Name the object "W0" (the "0" is a zero).
Designate an SDI Key Reference Server.
Check for an existing SDI Key. On a NetWare server the key file is:
SYS:\SYSTEM\NICI\NICISDI.KEY
On a Windows NT server it is:
%SYSTEMROOT%\SYSTEM32\NOVELL\NICI\NICISDI.KEY
If necessary, create the SDI Key.
IMPORTANT: Create a new SDI Key only when you want to reinitialize your tree. Creating a new SDI Key on a server that already has one can disable the existing security services on that server, so check for the key file before running the -NEW command.
On NetWare, at the server console:
LOAD INITSDI.NLM -NEW NICISDI.LOG NICISDI.ERR
On Windows NT, at a command prompt:
INITSDI -NEW NICISDI.LOG NICISDI.ERR
If the program runs successfully, it creates NICISDI.LOG. If it fails, it creates NICISDI.ERR instead, which contains the error code for the failure.
After creating the key, shut down and restart NDS services.
Make a copy of the tree key on the non-tree key server.
You can copy the currently defined SDI Key from the reference server to a server that does not yet have a key with the following commands:
On NetWare, at the server console:
LOAD INITSDI.NLM -GET NICISDI.LOG NICISDI.ERR server_distinguished_name
On Windows NT, at a command prompt (note the additional tree_name argument):
INITSDI -GET C:\NICISDI.LOG C:\NICISDI.ERR server_distinguished_name tree_name
INITSDI.EXE is located in the SERVER\NICI_1.5\TREEKEY4NT directory on the Novell Single Sign-on CD.
NOTE: You can find the distinguished name of the current SDI Key reference server on the property page of the W0 object in ConsoleOne.
If the program runs successfully, it creates NICISDI.LOG. If it fails, it creates NICISDI.ERR instead, which contains the error code for the failure.
After making a copy of the tree key on the non-tree key server, shut down and restart NDS services.
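As an added example, not taken from the Novell documentation, the following Windows NT batch file wraps the copy step above with the checks a cautious administrator would want: it refuses to run INITSDI when NICISDI.KEY already exists on the server (so it can never clobber a live key), removes stale result files so an old NICISDI.LOG cannot be mistaken for a fresh success, runs INITSDI -GET against the reference server, and prints the contents of NICISDI.ERR if the copy failed. The file name getsdikey.cmd and the sample server and tree names in the usage comment are assumptions; the -NEW form is deliberately left out of the script because reinitializing the tree key should remain a manual decision.

```batch
@echo off
REM getsdikey.cmd - added example, not part of the Novell Single Sign-on documentation.
REM Copies the tree's SDI Key to this Windows NT server with INITSDI -GET, but only
REM when the server does not already hold NICISDI.KEY. Overwriting or recreating an
REM existing key can disable the security services on this server.
REM
REM Usage: getsdikey.cmd reference_server_DN tree_name
REM   e.g. getsdikey.cmd SSO-SRV1.Servers.Acme ACME_TREE   (made-up names)
REM Assumes INITSDI.EXE (from SERVER\NICI_1.5\TREEKEY4NT on the Single Sign-on CD)
REM is in the current directory or on the PATH.

setlocal
set KEYFILE=%SYSTEMROOT%\SYSTEM32\NOVELL\NICI\NICISDI.KEY
set LOGFILE=C:\NICISDI.LOG
set ERRFILE=C:\NICISDI.ERR

if "%2"=="" goto usage

REM Safety check: never touch a server that already has a key.
if exist "%KEYFILE%" goto haskey

REM Remove results of any earlier run so this run's outcome is unambiguous.
if exist "%LOGFILE%" del "%LOGFILE%"
if exist "%ERRFILE%" del "%ERRFILE%"

INITSDI -GET %LOGFILE% %ERRFILE% %1 %2

REM INITSDI writes NICISDI.ERR on failure and NICISDI.LOG on success.
if exist "%ERRFILE%" goto failed
if not exist "%LOGFILE%" goto nolog

echo SDI Key copied from %1 in tree %2.
echo Now shut down and restart NDS services on this server.
goto end

:haskey
echo %KEYFILE% already exists on this server.
echo Not running INITSDI: replacing an existing SDI Key can disable security services.
goto end

:failed
echo INITSDI reported an error. Contents of %ERRFILE%:
type "%ERRFILE%"
goto end

:nolog
echo INITSDI produced neither %LOGFILE% nor %ERRFILE%. Check that INITSDI.EXE ran.
goto end

:usage
echo Usage: %0 reference_server_DN tree_name

:end
endlocal
```

Run it once per non-reference server, then restart NDS services as the procedure requires. The reference server's distinguished name is the one shown on the W0 object's property page in ConsoleOne.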