The signatures on user and server certificates exchanged during authentication are always checked. You can enable an additional level of verification for public keys by having the value of the key passed in the certificates checked against the value of the key listed in the IBM® Domino® Directory.
It is possible for users to authenticate with a server but have a mismatch between the value of the public keys in their certificates and what is listed for them in the Domino Directory.
About this task
This extra level of key verification protects against misuse of a lost or compromised ID file. Typically, if an ID file is lost, its owner needs to be registered again to create a new ID file and directory entry; and if the ID file has been compromised, the owner's public and private keys need to be rolled over and the new set of keys needs to be certified (thus updating the directory entry). By enabling directory-level key checking, an attacker in possession of the old ID file will not be able to use it to access the server, even though that old ID file may contain a valid certificate.
You can also choose to control whether a log message is generated if authentication succeeds but a mismatch is detected. This allows administrators to detect when the ID file contents have gotten out of sync with directory entries, but to do so without preventing those users from authenticating because of public key mismatches.
Procedure
- From the Domino Administrator, click the Configuration tab, and open the Server document.
- Click the Security tab.
- In the Security Settings section, click the list next to Compare public keys and choose one of the following options:
  - Enforce key checking for all Notes users and Domino servers -- to compare the key value in the certificates passed during authentication against the key value stored in the Domino Directory. Any user or server not listed in a trusted directory will be treated as if it failed this verification check and will not be allowed to access this server.
  - Enforce key checking for Notes users and Domino servers listed in trusted directories only -- to compare the key value in the certificates passed during authentication against the key value stored in the directory only when the user or server is listed in a trusted directory. Any user or server not listed in a trusted directory will be treated as if it passed this verification check.
    Note: This option allows administrators to give users not listed in the directory access to databases and applications on the server. For example, a database may have its Access Control List configured to give editor access to users listed in the Domino Directory and reader access to everyone else. If this key checking option is enabled, users not listed in the directory can still access the server to use the database, for which they will have reader access only.
  - Do not enforce key checking -- to check only the certificate signatures during authentication, without verifying the keys against the directory contents.
- Click the list next to Log public key mismatches and choose one of the following options:
  - Log key mismatches for all Notes users and Domino servers -- to log events that occur when the key value in the certificates passed during authentication does not match the key value stored in the Domino Directory.
  - Log key mismatches for Notes users and Domino servers listed in trusted directories only -- to log an event when the key value in the certificate passed during authentication does not match the key value stored in the directory, but only when the user or server is listed in a trusted directory.
  - Do not log key mismatches -- to log only authentication failures.
- Stop and restart the server so that the changes take effect. The server polls every hour to see if these settings have changed, so if the server is not restarted it may be as long as an hour before the new settings take effect.
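The following model, added here as an illustration and not IBM's code, shows how the Compare public keys and Log public key mismatches options combine for a given user or server, and replays the lost-ID-file scenario from the task description: a certificate that is still validly signed but carries a key that has since been rolled over in the directory. The function and class names, the `trusted` flag on directory entries (standing in for "listed in a trusted directory"), the sample names and the key bytes are all assumptions constructed for the example; it also assumes that authentication failures are always logged, as the "Do not log key mismatches" option implies.

```python
# Model of Domino's "Compare public keys" / "Log public key mismatches" settings.
# Added illustration for this page, not IBM code; names and sample data are assumed.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class KeyCheck(Enum):
    ENFORCE_ALL = "all"          # Enforce key checking for all Notes users and Domino servers
    ENFORCE_TRUSTED = "trusted"  # Enforce key checking ... listed in trusted directories only
    NONE = "none"                # Do not enforce key checking


class MismatchLog(Enum):
    LOG_ALL = "all"              # Log key mismatches for all Notes users and Domino servers
    LOG_TRUSTED = "trusted"      # Log key mismatches ... listed in trusted directories only
    NONE = "none"                # Do not log key mismatches (only authentication failures)


@dataclass(frozen=True)
class DirectoryEntry:
    public_key: bytes  # key currently certified for this name
    trusted: bool      # assumption: True when the entry comes from a trusted directory


@dataclass(frozen=True)
class Outcome:
    allowed: bool
    logged: bool
    reason: str


def authenticate(name: str, cert_public_key: bytes, cert_signature_valid: bool,
                 directory: Dict[str, DirectoryEntry],
                 key_check: KeyCheck, mismatch_log: MismatchLog) -> Outcome:
    """Decide whether a Notes user or Domino server is admitted and whether an
    event is logged. Failures are always logged (assumption); the mismatch_log
    setting only governs successful authentications with a key mismatch."""
    # 1. Certificate signatures are always checked, whatever the settings say.
    if not cert_signature_valid:
        return Outcome(False, True, "certificate signature check failed")

    entry: Optional[DirectoryEntry] = directory.get(name)
    in_trusted = entry is not None and entry.trusted
    # A mismatch can only exist when the directory holds a key to compare against.
    mismatch = entry is not None and entry.public_key != cert_public_key

    # 2. Directory-level key verification, per "Compare public keys".
    if key_check is KeyCheck.ENFORCE_ALL:
        if not in_trusted:
            return Outcome(False, True, "not in a trusted directory: treated as failed")
        if mismatch:
            return Outcome(False, True, "public key differs from trusted directory entry")
    elif key_check is KeyCheck.ENFORCE_TRUSTED:
        if in_trusted and mismatch:
            return Outcome(False, True, "public key differs from trusted directory entry")
        # Names not in a trusted directory are treated as if they passed.
    # KeyCheck.NONE: only the signature check above applies.

    # 3. Authentication succeeded; decide whether the mismatch is recorded.
    if mismatch and mismatch_log is MismatchLog.LOG_ALL:
        return Outcome(True, True, "authenticated; key mismatch logged")
    if mismatch and in_trusted and mismatch_log is MismatchLog.LOG_TRUSTED:
        return Outcome(True, True, "authenticated; key mismatch logged")
    return Outcome(True, False, "authenticated")


# Constructed sample keys and directory (placeholder bytes, not Notes key material).
OLD_KEY = b"alice-key-v1"
NEW_KEY = b"alice-key-v2"  # rolled over after the ID file was compromised
SAMPLE_DIRECTORY = {
    "CN=Alice Example/O=Acme": DirectoryEntry(NEW_KEY, trusted=True),
    "CN=Bob Example/O=Partner": DirectoryEntry(b"bob-key-v1", trusted=False),
}


def stolen_id_outcomes() -> Dict[KeyCheck, bool]:
    """Whether someone holding Alice's OLD ID file (valid certificate, superseded
    key) is admitted under each key-checking option."""
    return {
        mode: authenticate("CN=Alice Example/O=Acme", OLD_KEY, True,
                           SAMPLE_DIRECTORY, mode, MismatchLog.LOG_ALL).allowed
        for mode in KeyCheck
    }


if __name__ == "__main__":
    for mode, allowed in stolen_id_outcomes().items():
        print(f"{mode.name:16s} old ID file admitted: {allowed}")
```

The two enforcing options both reject the superseded ID file; only "Do not enforce key checking" admits it, which is exactly the case where the logging option matters, because it is the only way an administrator learns that the certificate and the directory entry have drifted apart.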