Home
IBM® Domino 10.0.1 Documentation
Welcome to the IBM® Domino 10.0.1 Administrator Help.
Securing
This section describes IBM® Domino® security features, including execution control lists, IDs, and SSL.
Domino® server and Notes® user IDs
Domino® uses ID files to identify users and to control access to servers. Every Domino server, Notes® certifier, and Notes user must have an ID.
Adding cross-certificates to the Domino® Directory or Contacts
You can use several methods to obtain an IBM® Notes® or Internet cross-certificate.
Adding a Notes® cross-certificate for IDs by Notes® mail
If you can route mail to the organization that will cross-certify a user, server, or certifier ID, you can use IBM® Notes® mail to add a Notes cross-certificate. For cross-certification to work, these steps must be carried out twice, with each organization alternately requesting cross-certification. You cannot use these procedures to create an Internet cross-certificate.

IBM® Domino 10.0.1 Documentation
Welcome to the IBM® Domino 10.0.1 Administrator Help.
- What's new in IBM® Domino® 10?
  Learn about all of the new features for administrators in IBM® Domino® 10.
- Overview
  Welcome to IBM® Domino® Administrator Help.
- Installing
  Use this documentation to install the IBM® Domino® server and subsequently deploy the IBM Notes® client.
- Planning
  Use this topic as an overview of planning task.
- Configuring
  Use this information to configure an IBM® Domino® network, users, servers (including Web servers), directory services, security, messaging, widgets and live text, and server clusters. Also use this information to set up IBM iNotes® on a server using Domino Off-Line Services (DOLS).
- Securing
  This section describes IBM® Domino® security features, including execution control lists, IDs, and SSL.
  - Overview of Domino security
    Setting up security for your organization is a critical task. Your security infrastructure is critical for protecting your organization's IT resources and assets. As an administrator, you need to give careful consideration to your organization's security requirements before you set up any servers or users. Up-front planning pays off later in minimizing the risks of compromised security.
  - Server access for Notes® users, Internet users, and Domino® servers
    To control user and server access to other servers, Domino® uses the settings you specify on the Security tab in the Server document as well as the rules of validation and authentication. If a server validates and authenticates the Notes® user, Internet user, or server, and the settings in the Server document allow access, the user or server is allowed access to the server.
  - The database access control list
    Every .NSF database has an access control list (ACL) that specifies the level of access that users and servers have to that database. Although the names of access levels are the same for users and servers, those assigned to users determine the tasks that they can perform in a database, while those assigned to servers determine what information within the database the servers can replicate. Only someone with Manager access can create or modify the ACL.
  - Domino® server and Notes® user IDs
    Domino® uses ID files to identify users and to control access to servers. Every Domino server, Notes® certifier, and Notes user must have an ID.
    - Certificates
      A certificate is a unique digital signature that identifies a user or server. Server and user IDs contain one or more IBM® Notes® certificates. In addition, user IDs may contain one or more Internet certificates that identify users when they use SSL to connect to an Internet server or send a signed S/MIME mail message.
    - Notes clients and two-factor authentication
      Notes client authentication with a Notes ID provides built-in, automatic, two-factor authentication.
    - Password-protection for Notes® and Domino® IDs
      To ensure the security of the Domino® system, password-protect all Notes® and Domino IDs -- certifier, server, and user. When you password-protect an ID, a key that is derived from the password encrypts the data on the ID. Then, when you attempt to access mail, open a server-based database, or examine ID file information, you are prompted to enter a password.
    - The password quality scale
      When creating passwords for user, server, or certifier IDs, you need to understand the criteria by which Domino® measures password strength and security. Domino measures this criteria according to the level assigned on its password quality scale. The scale assigns a minimum level of quality to the password on an ID file. Domino bases the password quality on the number and variety of characters in the password.
    - Verifying user passwords during authentication
      You can enable password verification so that a Notes® user can authenticate with a server only after providing the correct password that is associated with the user ID.
    - Setting up password verification
      You can enable password verification through the use of a security policy settings document, which allows you to enable this feature for multiple users, or you can enable password verification on an individual basis through the Domino® Directory.
    - Custom password policies
      Information protection and data privacy laws include specific requirements for the selection of secure passwords for identity verification. To help users comply with these laws, IBM® Domino® includes the ability to implement password restrictions on a policy basis. Administrators can enforce password requirements that will fit almost any set of corporate or government security requirements.
    - Assigning multiple passwords to server and certifier IDs
      To assign multiple passwords to server and certifier IDs, all of the administrators whose passwords will be assigned to the ID must be present. Then, during the procedure of assigning multiple passwords, each administrator completes a series of steps.
    - Using Notes® Shared Login (NSL) to suppress password prompts
      Notes® Shared Login (NSL) allows users to start Notes without having to provide Notes passwords. Instead, they only need to log in to Microsoft™ Windows™ using their Windows passwords.
    - Using Notes® Client Single Logon to synchronize Notes® and Windows™ OS passwords
      You can use Notes® Client Single Logon to synchronize your Notes users' Microsoft™ Windows™ passwords with their Notes passwords, allowing them to use the same password.
    - Notes® ID vault
      The ID vault is an optional, server-based database that holds protected copies of Notes® user IDs. An ID vault allows administrators and users to easily manage Notes user IDs. Users are assigned to a vault through policy configuration, and copies of user IDs are uploaded to a vault automatically once the policy has taken effect.
    - ID recovery
      Use of the ID vault for ID recovery is strongly recommended. However, the ID recovery feature described in this topic is still supported.
    - Public key security
      Every Notes® user ID and Domino® server ID has a unique public key for the Notes certificate. The public key is stored in an ID file and in the Person or Server document for that ID in the Domino Directory. Notes and Domino use the public key to authenticate users and servers, verify digital signatures, and encrypt messages and databases. A Notes user ID can also have a unique public key for an Internet certificate.
    - User and server key rollover
      Key rollover is the process used to update the set of Notes® public and private keys that is stored in user and server ID files. Periodically, this set of keys may need to be replaced -- as a precaution against undetected compromise of the private key; as a remedy to recover from a known compromise of the private key; or to increase security by updating to a larger key.
    - Certificate authority key rollover
      IBM® Domino® administrators can assign a new set of public and private keys to a Domino certificate authority (CA). These keys are used to certify the keys of OUs, servers, and users in that organization. The process of assigning news keys is known as key rollover.
    - Using cross-certificates to access servers and send secure S/MIME messages
      Domino® uses both Notes® and Internet cross-certificates. Notes cross-certificates allow users in different hierarchically-certified organizations to access servers and to receive signed mail messages. Internet cross-certificates allow users to receive signed mail messages and send encrypted mail messages.
    - Adding cross-certificates to the Domino® Directory or Contacts
      You can use several methods to obtain an IBM® Notes® or Internet cross-certificate.
      - Examples of cross-certification
        There are several different ways to cross-certify with another server or individual.
      - Adding a Notes® or Internet cross-certificate on demand
        When users access a server or receive a signed message, they can accept an IBM® Notes® or Internet cross-certificate from another organization. IBM Domino® adds the cross-certificate to the user's Contacts. Then the next time the user tries to access the server, the user can authenticate the server with that cross-certificate. Similarly, the user can use the cross-certificate to verify signed messages from the organization that was cross certified.
      - Adding a Notes® cross-certificate by phone
        Two organizations can add an IBM® Notes® cross-certificate to user, server, and certifier IDs by providing the name and public key of the IDs to be cross-certified over the phone. For cross-certification to work, these steps must be carried out twice, with each organization alternately requesting cross-certification.
      - Adding a Notes® cross-certificate for IDs by postal service
        Organizations that cannot communicate through IBM® Notes® mail can use these steps to add a Notes cross-certificate for user, server, and certifier IDs. For cross-certification to work, these steps must be carried out twice, with each organization alternately requesting cross-certification. You cannot use these procedures to create an Internet cross-certificate.
      - Adding a Notes® cross-certificate for IDs by Notes® mail
        If you can route mail to the organization that will cross-certify a user, server, or certifier ID, you can use IBM® Notes® mail to add a Notes cross-certificate. For cross-certification to work, these steps must be carried out twice, with each organization alternately requesting cross-certification. You cannot use these procedures to create an Internet cross-certificate.
      - Creating a cross-certificate from a user's Person document
        You can create an IBM® Notes® and/or Internet cross-certificate from a certificate stored in a user's Person document.
      - Creating a cross-certificate from a Notes® certifier
        You can create an IBM® Notes® cross-certificate in the IBM Domino® Directory from a Notes certifier. You can then push the cross-certificate to Notes user contacts.
      - Displaying cross-certificates
        You can view the types of cross-certificates available. Certificates whose type cannot be determined are listed as Unknown.
  - The execution control list
    You use an execution control list (ECL) to configure workstation data security. An ECL protects user workstations against active content from unknown or suspect sources, and can be configured to limit the action of any active content that does run on workstations.
  - Domino® server-based certification authority
    You can set up a Domino® certifier that uses the CA process server task to manage and process certificate requests. The CA process runs as a process on Domino servers that are used to issue certificates. When you set up a Notes® or Internet certifier, you link it to the CA process on the server in order to take advantage of CA process activities. Only one instance of the CA process can run on a server; however, the process can be linked to multiple certifiers.
  - SSL security
    Secure Sockets Layer (SSL) is a security protocol that provides communications privacy and authentication for Domino® server tasks that operate over TCP/IP.
  - SSL and S/MIME for clients
    Clients can use a Domino® certificate authority (CA) application or a third-party CA to obtain certificates for secure SSL and S/MIME communication.
  - Encryption
    Encryption protects data from unauthorized access.
  - Name-and-password authentication for Internet/intranet clients
    Name-and-password authentication, also known as basic password authentication, uses a basic challenge/response protocol to ask users for their names and passwords and then verifies the accuracy of the passwords by checking them against a secure hash of the password stored in Person documents in the Domino® Directory.
  - Multi-server session-based authentication (single sign-on)
    Multi-server session-based authentication, also known as single sign-on (SSO), allows Web users to log in once to a Domino® or WebSphere® server, and then access any other Domino or WebSphere servers in the same DNS domain that are enabled for single sign-on (SSO) without having to log in again.
  - Using Security Assertion Markup Language (SAML) to configure federated-identity authentication
    Federated identity is a means of achieving single sign-on, providing user convenience and helping to reduce administrative cost. In Domino® and Notes®, federated identity for user authentication uses the Security Assertion Markup Language (SAML) standard from OASIS.
  - Using a credential store to share credentials
    In this release, the on-premises Domino® server can use a credential store application (credstore.nsf). The credential store is a secure repository for document encryption keys and other tokens necessary for Notes® client users to grant access to applications that use the OAuth (open authorization) protocol. OAuth allows user credentials to be shared with compliant applications so that users avoid extra password prompts.
- Administering
  This documentation provides information about the administration tools for managing and monitoring IBM Domino® servers and databases.
- Tuning
  Use this information to improve IBM® Domino® server, Domino Web server, and messaging performance through the use of resource balancing and activity trends, Server.Load commands, advanced database properties, cluster statistics, and the Server Health Monitor.
- Troubleshooting
  This section describes how to find and solve problems with IBM® Domino® server and Administrator client.
- Glossary

Adding a Notes® cross-certificate for IDs by Notes® mail

If you can route mail to the organization that will cross-certify a user, server, or certifier ID, you can use IBM® Notes® mail to add a Notes® cross-certificate. For cross-certification to work, these steps must be carried out twice, with each organization alternately requesting cross-certification. You cannot use these procedures to create an Internet cross-certificate.

To send an ID for cross-certification

Procedure

Choose File > Security > User Security, select the ID, and enter the password.
Click Your Identity > Your Certificates, and then click Other Actions. Select Mail, Copy Certificate (Public Key).
Select the user, server, or certifier ID you want to have cross-certified, and then click OK.
Enter the password (if required).
Address the cross-certification request to the certification administrator at the other organization, and then click Send.

To cross-certify the ID

Procedure

Open the cross-certification request in your mail file.
Choose Actions > Cross Certify Attached ID File.
Select the certifier that will issue the cross-certificate. If you choose a non-CA enabled certifier, enter the password for that certifier ID, and then click OK.

Complete one or more of these fields:

Table 1. Cross-certification Fields
Field	Enter
Subject name	Organization or organizational unit certifier to be cross-certified, for example, `/Renovations`.
Subject alternate name list	An alternate name for the subject of the certificate. Alternate names allow you to assign names that are recognizable in a user's native language to an ID file.
Expiration date	Date when the cross-certificate expires.
Certifier	File name of your organization's certifier ID.
Server	Location of the IBM® Domino® Directory where you want to copy the cross-certificate.

Click Cross Certify. Domino® places the cross-certificate in the Server > Certificates view of the Domino® Directory of the server you specified in Step 5.