Hello

When I do an LK in sdidiag in a tree, it doesn't show any Key Domain for
the W0 key, while in other trees it shows the DN to the W0 object.

It shows a key domain for the AES key:

SDKey : 1
Object Class : Secret Key
Key Size : 168 bits
Key Usage : 0x4400C0
Key Format : DES-EDE3-CBC-IV8
Key Id : XX
Validity : Thu Mar 7 12:26:37 2013 - Sun Feb 3 23:59:00 2036
Key Domain:
SDKey : 2
Object Class : Secret Key
Key Size : 256 bits
Key Usage : 0x4400C0
Key Format : AES-256-CBC
Key Id : YY
Validity : Tue May 30 12:09:19 2017 - Sun Feb 3 23:59:00 2036
Key Domain: CN=W1.KAP.Security

If I then do an SD -G to create new keys, it doesn't create them; it only
shows this:

create on .blablabla.MYTREE.: [ WARN ] rc=-601
*** The Security Domain is synchronized.
*** The Security Domain is synchronized.

I'm troubleshooting another issue that points to NICI so that's why I'm
looking at this.

Any idea why it wouldn't generate a new key?

The tree only has a single server.

CK claims everything is OK:

CK
*** [Key Consistency Check - BEGIN] ***
[Checking SDI Domain]
SDI Check Domain Configuration...
SDI Domain Key Server .blablabla.MYTREE.
- Configuration is good.
*** SDI Check Domain Configuration is [GOOD]
SDI Check Domain Keys...
SDI Domain Key Server .blablabla.MYTREE.
- Keys are good.
*** SDI Check Domain Keys are [GOOD]

[Checking SDI Domain: GOOD]

*** No Problems Found ***

*** [Key Consistency Check - END] ***


Thanks!
