Removing the First NetWare 5 Server from a Tree and Its Effects On NICI
01 May 2001
Q.
Dear Ab-end: Could you please explain how removing the first NetWare 5 server from the tree affects the Novell International Cryptographic Infrastructure (NICI)? How do you move the foundation key to another server? - Foundering in Fairfax
A.
Dear Foundering: Since the introduction of cryptographic requirements into NetWare, this has been a major issue and can create major problems if not completed correctly. Here's the general rule of thumb:
All NetWare 5.1 servers, as well as NetWare 5.0 servers with Certificate Services installed, will be issued a Key Material Object (KMO), also known as an SSL - <server name> object in Novell Directory Services. These objects maintain information about the certificate server and therefore will need to be re-issued after the deployment of the new Certificate Server.
Browse the tree and delete all SSL - Certificate - <server name> and SAS - <server name> objects. These objects are typically found in the same container level as the servers.
On each of the above identified NetWare servers, delete the contents of the SYS:\SYSTEM\NICI directory. This will delete the exported NICISDI keys as well as backup information for the NICIFK.
Re-deploy the NICIFKs as per the information that is found in Technical Information Document #10025666, entitled "NW5 Reinstalling NICI Files."
Install the new Novell Certificate Server. You must do this from the local server console. Using the workstation-based installation of Certificate Server will not create all of the required NDS security objects. Install from the NetWare 5.1 installation media and then re-apply the current NetWare support pack.
Reinstall the Certificate Server software on all NetWare 5.1 servers, as well as any NetWare 5.0 servers that you expect to use any type of encryption on. This will recreate all SSL - Certificate - <server name> and SAS - <server name> objects in NDS.
Note: If you will be using any applications that require SSL (Secure Sockets Layer) authentication through the SAS (Secure Authentication Services) code path, you must have a replica of the server where the SAS object resides on the server.
Here are some Novell Support Connection TIDs for additional information:
TID #10050254 - Reinstalling Certificate Server
TID #10053572 - How to Restore or Recreate KAP and W0 objects
(Answer contributed by Reid Oakes, Novell Consulting)
* Originally published in Novell AppNotes
Disclaimer
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.