
Merging Trees with Multiple Security Containers

Special considerations need to be made when merging NDS trees where a Security container has been installed in one or both of the trees. Make sure that this is something you really want to do; this procedure has the potential to be a very time-consuming and laborious task.

IMPORTANT:  These instructions are complete for trees with Novell® Certificate Server™ 2.21 and earlier, Novell Single Sign-on 2.x, and NMAS 2.x.

  1. In ConsoleOne™, identify the trees that will be merged.

  2. Identify which tree will be the source tree and which tree will be the target tree.

    Keep in mind these security considerations when choosing the source and target trees:

    • Any certificates signed by the source tree's Organizational CA must be deleted.
    • The source tree's Organizational CA must be deleted.
    • All user secrets stored in Secret Store on the source tree must be deleted.
    • All NMAS login methods in the source tree must be deleted and reinstalled in the target tree.
    • All NMAS users that were in the source tree must be re-enrolled when the trees are merged.
    • All users and servers that were in the source tree must have new certificates created for them when the trees are merged.
    • All users that were in the source tree must have their secrets reinstalled into their Secret Store.

If neither the source tree nor the target tree has a container named Security under the [Root] of the tree, or if only one of the trees has the Security container, no further action is required. Otherwise, continue with the remaining procedures in this section.


Product-Specific Operations to Perform Prior to Tree Merge


Novell Certificate Server

If Novell Certificate Server (previously known as Public Key Infrastructure Services, or PKIS) has been installed on any server in the source tree, you should complete the following steps.

NOTE:  Depending on how the product was used, the objects and items referred to might or might not be present. If the objects and items referred to in a given step are not present in the source tree, you can skip the step.

  1. Any Trusted Root certificates in the source tree should be installed in the target tree.

    Trusted Root certificates are stored in Trusted Root objects, which are contained by Trusted Root containers. Trusted Root containers can be created anywhere within the tree; however, only the Trusted Root certificates that are in the Trusted Root containers within the Security container must be moved manually from the source tree to the target tree.

  2. Install the Trusted Root certificates in the target tree.

    a. Pick a Trusted Root container in the Security container in the source tree.

    b. Create a Trusted Root container in the Security container of the target tree with the exact name used in the source tree (Step 2a).

    c. In the source tree, open a Trusted Root object in the selected Trusted Root container and export the certificate.

      IMPORTANT:  Remember the location and filename you choose; you will use them in the next step.

    d. In the target tree, create a Trusted Root object in the container that you created in Step 2b. Specify the same name as in the source tree and, when prompted for the certificate, specify the file that you created in Step 2c.

    e. Delete the Trusted Root object in the source tree.

    f. Repeat Step 2c through Step 2e until all Trusted Root objects in the selected Trusted Root container have been installed into the target tree.

    g. Delete the Trusted Root container in the source tree.

    h. Continue Step 2a through Step 2f until all Trusted Root containers have been deleted in the source tree.

  3. Delete the Organizational CA in the source tree.

    The Organizational CA object is in the Security container.

    NOTE:  Any certificates signed by the Organizational CA of the source tree will become nonusable following this step. This includes server certificates and user certificates that have been signed by the Organizational CA of the source tree.

  4. Delete every Key Material object (KMO) in the source tree that has a certificate signed by the Organizational CA of the source tree.

    Key Material objects in the source tree with certificates signed by other CAs will continue to be valid and do not need to be deleted.

    HINT:  If you are uncertain about the identity of the signing CA for any Key Material object, reference the Trusted Root Certificate section of the Certificates tab in the Key Material object property page.

  5. Delete all user certificates in the source tree that have been signed by the Organizational CA of the source tree.

    NOTE:  If users in the source tree have already exported their certificates and private keys, those exported certificates and keys will continue to be usable. Private keys and certificates that are still in NDS will no longer be usable after you perform Step 3.

    For each user with certificates, open the properties of the User object. Under the Certificates section of the Security tab, a table lists all the certificates for the user. All of those certificates with the Organizational CA as the issuer must be deleted.

    NOTE:  User certificates will be present in the source tree only if Novell Certificate Server 2.0 or later has been installed on the server that hosts the Organizational CA in the source tree.


Novell Single Sign-on

If Novell Single Sign-on has been installed on any server in the source tree, you should delete all Novell Single Sign-on secrets for users in the source tree.

For every user using Novell Single Sign-on in the source tree, open the properties of the User object. All of the user's secrets will be listed under the SecretStore section of the Security tab. Delete all listed secrets.

NOTE:  Depending on how the product was used, the objects and items referred to might or might not be present. If the objects and items referred to are not present in the source tree, you can skip this step.


NMAS

If NMAS has been installed on any server in the source tree, you should complete the following steps.

NOTE:  Depending on how the product was used, the objects and items referred to might or might not be present. If the objects and items referred to are not present in the source tree, you can skip the step.

  1. In the target tree, install any NMAS login methods that were in the source tree but not in the target tree.

    HINT:  To ensure that all of the necessary client and server login components are properly installed in the target tree, we recommend that you install all new login methods using original Novell or vendor-supplied sources.

    Although methods can be reinstalled from existing server files, establishing a clean installation from Novell or vendor-supplied packages is typically simpler and more reliable.

  2. To ensure that the login sequences previously established in the source tree are available in the target tree, migrate the desired login sequences.

    a. In ConsoleOne, select the Security container in the source tree.

    b. Right-click the Login Policy object > select Properties.

    c. For each login sequence listed in the Defined Login Sequences drop-down list, notate the Login Methods used (listed in the right pane).

    d. Select the Security container in the target tree and replicate the login sequences using the same login methods notated in Step 2c.

    e. Click OK when you are finished.

  3. Delete NMAS login security attributes in the source tree.

    a. In the Security container of the source tree, delete the Login Policy object.

    b. In the Authorized Login Methods container of the source tree, delete all login methods.

    c. Delete the Authorized Login Methods container in the source tree.

    d. In the Authorized Post-Login Methods container of the source tree, delete all login methods.

    e. Delete the Authorized Post-Login Methods container in the source tree.


Novell Security Domain Infrastructure

If Novell Certificate Server 2.x or later, Novell Single Sign-on, NMAS, NetWare 5.1 or later, or NDS eDirectory 8.5 or later has been installed on any server in the source tree, the Novell Security Domain Infrastructure (SDI) will be installed. If SDI has been installed, you should complete the following steps.

NOTE:  Depending on how the product was used, the objects and items referred to might or might not be present. If the objects and items referred to are not present in the source tree, you can skip the step.

  1. Delete the W0 object and then the KAP container in the source tree.

    The KAP container is in the Security container. The W0 object is in the KAP container.

  2. On all servers in the source tree, delete the Security Domain Infrastructure (SDI) keys by deleting the SYS:\SYSTEM\NICI\NICISDI.KEY file.

    IMPORTANT:  Make sure that you delete this file on all servers in the source tree.


Other Security-Specific Operations

If a Security container exists in the source tree, delete the Security container before you merge the trees.
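Before running DSMERGE it is worth confirming that nothing the preceding sections told you to delete is still sitting in the source tree's Security container. The script below is an added illustration of such a pre-merge check; it is not a Novell tool and is not part of this documentation. It reads a list of object DNs (here a constructed LDIF-style dump; in practice an export of the source tree) and reports every object in or under the Security container together with the procedure step that removes it. Objects are recognised by the names used in the procedure (KAP, W0, Organizational CA, Login Policy, Authorized Login Methods, Authorized Post-Login Methods), not by schema class, so any other container directly under Security is assumed to be a Trusted Root container. The LDIF content, the name "Partner Roots", the login method name and the user object are all made up for the example.

```python
"""Pre-merge check: which Security-container objects are still in the source tree?

Added example, not Novell tooling. It lists every object in or under the
source tree's Security container and maps each one to the pre-merge step
that deletes it, so the list can be worked through (children first) before
DSMERGE is run.
"""
from dataclasses import dataclass

SECURITY_CONTAINER = "cn=security"  # the Security container directly under [Root]

# Objects directly under Security that the procedure names, and the step that removes them.
KNOWN_RDNS = {
    "cn=organizational ca": "Certificate Server step 3: delete the Organizational CA",
    "cn=kap": "SDI step 1: delete the KAP container (after the W0 object)",
    "cn=login policy": "NMAS step 3a: delete the Login Policy object",
    "cn=authorized login methods": "NMAS step 3c: delete the Authorized Login Methods container",
    "cn=authorized post-login methods": "NMAS step 3e: delete the Authorized Post-Login Methods container",
}
METHOD_CONTAINERS = ("cn=authorized login methods", "cn=authorized post-login methods")

# Constructed sample export; object names other than those in the procedure are invented.
SAMPLE_EXPORT = """\
dn: cn=Security

dn: cn=Organizational CA,cn=Security

dn: cn=KAP,cn=Security

dn: cn=W0,cn=KAP,cn=Security

dn: cn=Login Policy,cn=Security

dn: cn=Authorized Login Methods,cn=Security

dn: cn=Example Method,cn=Authorized Login Methods,cn=Security

dn: cn=Partner Roots,cn=Security

dn: cn=Partner Root CA,cn=Partner Roots,cn=Security

dn: cn=jsmith,ou=Sales,o=Acme
"""


@dataclass(frozen=True)
class Finding:
    dn: str
    action: str


def normalise_dn(dn: str) -> list:
    """Split a DN into lower-cased RDNs (leaf first), ignoring whitespace around commas."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def parse_ldif_dns(text: str) -> list:
    """Return the value of every 'dn:' line in an LDIF-style dump.

    Deliberately simple: base64 ('dn::') and folded continuation lines are not handled.
    """
    return [line[3:].strip() for line in text.splitlines() if line.lower().startswith("dn:")]


def classify(rdns: list) -> str:
    """Map an object under Security to the procedure step that deletes it."""
    depth = len(rdns)
    if depth == 1:
        return "Other: delete the Security container itself (last step before the merge)"
    if depth == 2:
        # Any unnamed container directly under Security is assumed to be a Trusted Root container.
        return KNOWN_RDNS.get(rdns[0], "Certificate Server step 2: export Trusted Root certificates, then delete this container")
    parent = rdns[1]
    if parent == "cn=kap" and rdns[0] == "cn=w0":
        return "SDI step 1: delete the W0 object before the KAP container"
    if parent in METHOD_CONTAINERS:
        return "NMAS step 3b/3d: delete this login method before its container"
    if depth == 3 and parent not in KNOWN_RDNS:
        return "Certificate Server step 2c-2e: export this Trusted Root certificate to the target tree, then delete it"
    return "Unrecognised object under the Security container: review against the procedure"


def remaining_security_objects(dns: list) -> list:
    """List every object in or under the Security container, deepest objects first."""
    findings = []
    for dn in dns:
        rdns = normalise_dn(dn)
        if not rdns or rdns[-1] != SECURITY_CONTAINER:
            continue  # outside the Security container (e.g. an ordinary User object)
        findings.append(Finding(dn, classify(rdns)))
    # Children before parents, so the list reads in deletion order.
    findings.sort(key=lambda f: -len(normalise_dn(f.dn)))
    return findings


if __name__ == "__main__":
    for finding in remaining_security_objects(parse_ldif_dns(SAMPLE_EXPORT)):
        print(f"{finding.dn:55} {finding.action}")
```

An empty result means the source tree's Security container is gone and the merge can proceed; the check says nothing about Key Material objects, user certificates, SecretStore secrets or the NICISDI.KEY files, which live outside the Security container and still have to be handled as described in their own sections.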


Performing the Tree Merge

NDS trees are merged using the DSMERGE utility. For more information, refer to the DSMERGE documentation.


Product-Specific Operations to Perform after the Tree Merge


Novell Security Domain Infrastructure

If the W0 object existed in the target tree before the merge, the Security Domain Infrastructure (SDI) keys used by the servers that formerly resided in the target tree must be installed in the servers that formerly resided in the source tree.

The easiest way to accomplish this is to install Novell Certificate Server 2.0 or later on all servers formerly in the source tree that held SDI keys (the SYS:\SYSTEM\NICI\NICISDI.KEY file). This should be done even if the Novell Certificate Server has already been installed on the server.

If the W0 object did not exist in the target tree before the merge but did exist in the source tree, the SDI must be reinstalled in the resulting tree.

The easiest way to accomplish this is to install Novell Certificate Server 2.0 or later on the servers in the resulting tree. Novell Certificate Server must be installed on the servers formerly in the source tree that held SDI keys (the SYS:\SYSTEM\NICI\NICISDI.KEY file). It can also be installed on other servers in the resulting tree.


Novell Certificate Server

If you are using Novell Certificate Server, after the tree merge reissue certificates for servers and users that were formerly in the source tree, as necessary.

NOTE:  We recommend that you install Novell Certificate Server 2.0 or later on all servers that hold a replica of the partition containing a User object.

In order to issue a certificate for a server, Novell Certificate Server 2.0 or later must be installed.

Novell Certificate Server 2.0 or later must be installed on the server that hosts the Organizational CA.


Novell Single Sign-on

If you are using Novell Single Sign-on, after the tree merge re-create SecretStore secrets for users that were formerly in the source tree, as necessary.


NMAS

If you are using NMAS, after the tree merge re-enroll NMAS users that were formerly in the source tree, as necessary.


