How to open an eDirectory 8.8 SP2 database in restricted mode when the NICI files are corrupt or lost.

  • 7000006
  • 06-Apr-2008
  • 01-Apr-2016

Environment

Novell International Cryptographic Infrastructure (NICI) 2.7
Novell eDirectory 8.8 SP2 for All Platforms

Situation

Error: -6061 when attempting to open an eDirectory 8.8 SP2 database.
Unable to open the eDirectory database.

Opening the database in restricted mode.

Conditional Mode.

Resolution

INTRODUCTION
eDirectory 8.8 introduced the ability to create encrypted attributes and to perform encrypted replication. Encrypting an attribute prevents its data from being read directly out of the database, provided the attribute is not flagged Public Read. A restriction can also be set so that a secure connection to the server (i.e., LDAPS) is required in order to view the data of an encrypted attribute. An encrypted replication policy encrypts data before it is sent to other servers via replication.
For more information please refer to the eDirectory 8.8 Administration Guide found at:
https://www.novell.com/documentation/edir88


BACKGROUND
Encrypted attributes
Encrypted attributes are wrapped via NICI in a server-specific database key, which is in turn wrapped in a server-specific storage key; both keys are held in the eDirectory database within FLAIM. If a server's NICI files are lost, not only is the data in those attributes lost but the database itself cannot be opened. Because the database storage key is generated when the server is upgraded to, or installed with, eDirectory 8.8 SP1 or higher, the database cannot be opened regardless of whether the encrypted attribute functionality is actually being used. It is therefore imperative to back up not only the eDirectory database itself but also the NICI files for that server. The procedure for backing up the NICI files on each platform can be found in the references below. In essence: stop the NDS service (or unload DS.NLM) and manually copy the NICI files to a secure location.
eDirectory 8.8 Administration Guide: https://www.novell.com/documentation/edir88
eDirectory on NetWare: TID 3290174
eDirectory on Linux/Unix: TID 3295479
NICI 2.7 Administration Guide: https://www.novell.com/documentation/nici27x/
Backing up NICI 2.6 and 2.7: TID 3890146
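The following script is an added example and is not part of this TID or of any Novell-supplied tool. It follows the procedure described above (stop NDS, copy the NICI files, restart) on Linux, and adds the two checks a practitioner wants from a key backup: it refuses to archive an already-empty NICI directory, and it writes a SHA-256 manifest so the archive can be verified before anyone relies on it in a recovery. The NICI directory (/var/opt/novell/nici), the init script (/etc/init.d/ndsd) and the file names used in testing are assumptions, not taken from the TID; override NICI_DIR and NDSD_CTL to match the host, and set RUN_SERVICE_CMDS=0 to exercise the functions on a scratch directory without touching the service.

```shell
#!/bin/sh
# Added example, not part of TID 7000006: back up a server's NICI key files
# into a tar.gz with a SHA-256 manifest, and verify a backup against it.
# Assumptions (not stated by the TID): NICI 2.7 on Linux keeps its key files
# under /var/opt/novell/nici and eDirectory is controlled with
# /etc/init.d/ndsd. Both are overridable; RUN_SERVICE_CMDS=0 skips the
# stop/start so the functions can be exercised on a scratch directory.

NICI_DIR="${NICI_DIR:-/var/opt/novell/nici}"
NDSD_CTL="${NDSD_CTL:-/etc/init.d/ndsd}"
RUN_SERVICE_CMDS="${RUN_SERVICE_CMDS:-1}"

# sha256sum (coreutils) or shasum (BSD/macOS); both accept -c for verification.
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"
    else shasum -a 256 "$@"; fi
}

# The TID's procedure is stop NDS, copy, restart: copying live key files
# risks a torn copy, so the archive is taken only while ndsd is down.
ctl_ndsd() {
    [ "$RUN_SERVICE_CMDS" = "1" ] || return 0
    "$NDSD_CTL" "$1"
}

# backup_nici SRC_DIR DEST_DIR
# Prints the archive path on stdout; returns non-zero on any failure.
backup_nici() {
    src="$1"; dest="$2"
    [ -d "$src" ] || { echo "backup_nici: no such directory: $src" >&2; return 1; }
    # An empty NICI directory means the keys are already gone: refuse to
    # produce a "backup" that would be mistaken for a good one later.
    [ -n "$(ls -A "$src")" ] || { echo "backup_nici: $src is empty" >&2; return 1; }
    mkdir -p "$dest" && chmod 700 "$dest" || return 1

    host=$(hostname 2>/dev/null || echo localhost)
    name="nici-$host-$(date +%Y%m%d-%H%M%S).tar.gz"

    ctl_ndsd stop || return 1
    # Paths inside the archive are relative to the NICI directory, so a
    # restore is: tar -xzf <archive> -C /var/opt/novell/nici
    tar -czf "$dest/$name" -C "$src" .
    rc=$?
    ctl_ndsd start || rc=1
    [ "$rc" -eq 0 ] || { echo "backup_nici: archive or service control failed" >&2; return 1; }

    # Manifest with a relative file name so it verifies from inside $dest.
    ( cd "$dest" && sha256_tool "$name" > "$name.sha256" ) || return 1
    chmod 600 "$dest/$name" "$dest/$name.sha256"
    echo "$dest/$name"
}

# verify_backup ARCHIVE
# Checks the archive against its manifest and that it lists at least one file.
verify_backup() {
    archive="$1"; dir=$(dirname "$archive"); name=$(basename "$archive")
    [ -f "$archive" ] && [ -f "$archive.sha256" ] || return 1
    ( cd "$dir" && sha256_tool -c "$name.sha256" >/dev/null 2>&1 ) || return 1
    [ -n "$(tar -tzf "$archive" 2>/dev/null | grep -v '^\./$')" ]
}

# Stand-alone use (as root): sh nici-backup.sh run /secure/backups
if [ "${1:-}" = "run" ]; then
    archive=$(backup_nici "$NICI_DIR" "${2:-/root/nici-backup}") || exit 1
    verify_backup "$archive" && echo "verified: $archive" || exit 1
fi
```

Keep the archive and its manifest off the server whose keys they protect; a NICI backup that lives on the same disk as the NICI files is lost in exactly the disaster this TID describes. Run verify_backup against the copy at its final location, not only at creation time.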

ENCRYPTED REPLICATION RECOVERY
Encrypted replication uses a server's SSL certificates, which are held in the database. The private key of each certificate is wrapped by NICI, so if the NICI files are lost or corrupted the certificates can no longer be used. These certificates can be backed up as well, by exporting them to a PKCS#12 (PFX) file. Detailed information on the procedure can be found in the Certificate Server Administration Guide: https://www.novell.com/documentation/crt33/
Although the certificates are held in the eDirectory database and come back when the database is restored, they remain tied to the server's NICI files. Exporting the certificates to a PFX file and keeping it safe has an added benefit: because the private key is stored in the PFX file, protected by a password rather than wrapped by NICI, the certificates can be restored to the server even if its NICI files are now different, or to another server altogether.
(If NICI is lost and there is no backup of NICI or the certificates Novell Technical Support can be engaged to remote in and remove the Encrypted Replication policy.)

ENCRYPTED ATTRIBUTE RECOVERY:
As explained above, if the NICI files are lost, changed or corrupted there is no recovery of the Encrypted Attribute data held for that server. In a complete disaster recovery, even if the eDirectory database is restored it cannot be opened. However, eDirectory 8.8 SP2 provides a way to open the database in restricted mode. This mode allows the database to be opened and used with the following restrictions:
- Encrypted attribute data cannot be accessed or viewed
- Unattended repairs cannot be performed (local repairs can still be run).
- No new encrypted attributes can be created.
To open the database in restricted mode, start eDirectory with the -rdb switch:

Linux/Unix:
Set the NDSCONF environment variable to the path of the eDirectory configuration file (nds.conf), then run
/etc/init.d/ndsd start -rdb

Windows:
dhost.exe /datadir=dibpath -rdb (or /rdb)

NetWare:
load ds.nlm -rdb
The console then reports that the database has been opened.

Dstrace can be used to verify that the database was opened in restricted mode.

From then on the database will have to be opened in this mode, or eDirectory will have to be removed from the server and re-added. To remove the encrypted attributes from the database, a call will have to be made to Novell Technical Services so that an engineer can remote into the server and remove them manually. It is hoped that a forthcoming version of eDirectory will allow the database to be opened in non-restricted mode after such an operation is performed. Regardless, the encrypted data is unrecoverable: it is permanently lost on that server if the NICI files change.