Sun Microsystems, Inc.

13. Administering NIS+ Keys

Changing the Keys of a Root Replica From the Replica

To change the keys of a root replica from the replica, use these commands:

replica# nisaddcred des
replica# nisupdkeys dirs

Where:

  • dirs are the directory objects you wish to update (that is, the directory objects that are served by replica).

When running nisupdkeys be sure to update all relevant directory objects at the same time. In other words, do them all with one command. Separate updates may result in an authentication error.


Note - Whenever you change a server's keys, you must also update the key information of all the clients in that domain as explained in "Updating Client Key Information".


Changing the Keys of a Nonroot Server

To change the keys of a nonroot server (master or replica) from the server, use these commands:

subreplica# nisaddcred des
subreplica# nisupdkeys parentdir dirs

Where:

  • parentdir is the non-root server's parent directory (that is, the directory containing subreplica's NIS+ server).

  • dirs are the directory objects you want to update (that is, the directory objects that are served by subreplica).

When running nisupdkeys be sure to update all relevant directory objects at the same time. In other words, do them all with one command. Separate updates may result in an authentication error.


Note - Whenever you change a server's keys, you must also update the key information of all the clients in that domain, as explained in "Updating Client Key Information".


Updating Public Keys

The public keys of NIS+ servers are stored in several locations throughout the namespace. When new credential information is created for the server, a new key pair is generated and stored in the cred table. However, namespace directory objects still have copies of the server's old public key. The nisupdkeys command is used to update those directory object copies.

The nisupdkeys Command

If a new key pair is generated because the old key pair has been compromised or the password used to encrypt the private key has been forgotten, the nisupdkeys command can be used to replace the old public key in the directory objects.

The nisupdkeys command can:

  • Update the key of one particular server

  • Update the keys of all the servers that support an NIS+ directory object

  • Remove a server's public key from the directory object

  • Update a server's IP address, if that has changed

However, nisupdkeys cannot update the NIS_COLD_START files on the principal machines. To update their copies of a server's keys, NIS+ clients should run the nisclient command. Alternatively, if the NIS+ cache manager is running and more than one server is listed in the cold-start file, the principals can wait until the time-to-live on the directory object expires; when that happens, the cache manager updates the cold-start file automatically. The default time-to-live is 12 hours.

To use the nisupdkeys command, you must have modify rights to the NIS+ directory object.

Updating Public Keys Arguments and Examples

The nisupdkeys command is located in /usr/lib/nis. The nisupdkeys command uses the following arguments (for a complete description of the nisupdkeys command and a full list of all its arguments, see the nisupdkeys man page):

Table 13-4 nisupdkeys Arguments

  Argument           Effect
  -----------------  ------------------------------------------------------------
  (no argument)      Updates all keys of servers for the current domain.
  directoryname      Updates the keys of the directory object for the named
                     directory.
  -H servername      Updates the keys of the named server for the current domain
                     directory object. A fully qualified host name can be used
                     to update the keys of servers in other domains.
  -s -H servername   Updates the keys of all the directory objects served by the
                     named server.
  -C                 Clears the keys.

Table 13-5 gives an example of updating a public key:

Table 13-5 Updating a Public Key: Command Examples

  Task:    Update all keys of all servers of the current domain (doc.com).
  Command:
      rootmaster# /usr/lib/nis/nisupdkeys
      Fetch Public key for server rootmaster.doc.com.
      netname='unix.rootmaster@doc.com'
      Updating rootmaster.doc.com.'s public key.
      Public key: public-key

  Task:    Update keys of all servers supporting the sales.doc.com domain
           directory object.
  Command:
      salesmaster# nisupdkeys sales.doc.com
      (Screen notices not shown)

  Task:    Update keys for a server named master7 in all the directories that
           store them.
  Command:
      rootmaster# nisupdkeys -H master7

  Task:    Clear the keys stored by the sales.doc.com directory object.
  Command:
      rootmaster# nisupdkeys -C sales.doc.com

  Task:    Clear the keys for the current domain directory object for the
           server named master7.
  Command:
      rootmaster# nisupdkeys -C -H master7

Updating IP Addresses

If you change a server's IP address, or add addresses to it, you need to run nisupdkeys to update the NIS+ address information.

To update the IP addresses of one or more servers, use the -a option of the nisupdkeys command.

To update the IP addresses of the servers of a given domain:

rootmaster# nisupdkeys -a domain

To update the IP address of a particular server:

rootmaster# nisupdkeys -a -H server

Updating Client Key Information

Whenever you change any server's keys, you must update all of the clients as well. Remember that all NIS+ servers are also NIS+ clients, so if you update the keys on one server, you must update the key information on every other machine in the domain, whether it is an NIS+ server or an ordinary client.

There are three ways to update client key information:

  • The easiest way to update an individual client's key information is by running the nisclient script on the client.

  • Another way to update an individual client's key information is by running the nisinit command on the client as described in "Initializing a Client".

  • You can globally update client key information for all the machines in a domain by shortening the Time To Live value of the domain's directory object as explained in "Globally Updating Client Key Information".

Globally Updating Client Key Information

After changing a server's keys, you can globally update client key information for all the machines in a domain as follows:

  1. Use the nischttl command to reduce the Time To Live (TTL) value of the domain's directory object so that the value expires almost immediately.

    For example, if you have changed the keys for a server in the sales.doc.com. domain, to reduce the directory's TTL value to one minute, you would enter:

    client% nischttl 60 sales.doc.com.

  2. When the directory's TTL value expires, the cache manager expires the entry and then obtains the new, updated information for the clients.

  3. Once the directory object's TTL value has expired, reset the directory object's TTL to its default value.

    For example, to reset the TTL value to 12 hours for the sales.doc.com. domain's directory object, you would enter:

    client% nischttl 12h sales.doc.com.

    See "The nischttl Command" for more information on working with TTL values.
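As an added example (not from the Sun manual), here is a POSIX shell dry-run planner that strings together the steps above for a nonroot server: the single nisupdkeys call covering the parent directory and every served directory, then the nischttl squeeze and restore on each directory. NISRUN, SHORT_TTL, DEFAULT_TTL, ttl_to_seconds and rotate_plan are assumed names; ttl_to_seconds also accepts the combined day/hour/minute/second form nischttl takes, which goes beyond the two values shown on the page.

```shell
#!/bin/sh
# Added example, not from the Sun manual: a dry-run planner for the rotation the
# text describes (nisaddcred, a single nisupdkeys, then TTL squeeze-and-restore).
# NISRUN is an assumed hook: "echo" prints each command, an empty value runs it.
NISRUN="${NISRUN-echo}"
SHORT_TTL="${SHORT_TTL-60}"        # TTL while clients refetch (the text uses 60)
DEFAULT_TTL="${DEFAULT_TTL-12h}"   # the manual's default directory TTL

# Convert a nischttl-style TTL ("60", "12h", "1d2h30m") to seconds.
# Returns 1 on malformed input so a typo cannot set an unintended TTL.
ttl_to_seconds() {
    in="$1"; total=0
    [ -n "$in" ] || return 1
    case "$in" in *[!0-9dhms]*) return 1 ;; esac
    case "$in" in *[dhms]*) ;; *) echo "$in"; return 0 ;; esac   # plain seconds
    while [ -n "$in" ]; do
        num="${in%%[dhms]*}"          # digits before the first unit letter
        rest="${in#"$num"}"           # unit letter plus whatever follows
        unit="${rest%"${rest#?}"}"    # that single unit letter
        in="${rest#?}"
        [ -n "$num" ] && [ -n "$unit" ] || return 1
        case "$unit" in d) mult=86400 ;; h) mult=3600 ;; m) mult=60 ;; *) mult=1 ;; esac
        total=$((total + num * mult))
    done
    echo "$total"
}

# Emit the rotation plan for a nonroot server: parentdir plus every served
# directory object go into ONE nisupdkeys call, because the manual warns that
# separate updates can produce an authentication error.
rotate_plan() {
    parentdir="$1"
    [ $# -gt 1 ] || { echo "usage: rotate_plan parentdir dir..." >&2; return 1; }
    shift
    short=$(ttl_to_seconds "$SHORT_TTL") && long=$(ttl_to_seconds "$DEFAULT_TTL") ||
        { echo "bad TTL: $SHORT_TTL / $DEFAULT_TTL" >&2; return 1; }
    $NISRUN nisaddcred des                  # new DES key pair into the cred table
    $NISRUN nisupdkeys "$parentdir" "$@"    # all directory objects in one command
    for d in "$@"; do $NISRUN nischttl "$SHORT_TTL" "$d"; done
    echo "# wait ${short}s for cached entries to expire, then restore ${long}s:"
    for d in "$@"; do $NISRUN nischttl "$DEFAULT_TTL" "$d"; done
}

if [ $# -gt 0 ]; then rotate_plan "$@"; fi   # e.g. sh rotate.sh doc.com. sales.doc.com.
```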
