Setting up Domino security for Internet site documents

To set up security for Internet site documents, you can enable SSL server and client authentication, name-and-password authentication, or anonymous access for Internet and Intranet clients.

About this task

To enable SSL for Internet sites, configure the SSL port on the server document and set up SSL on the server by obtaining a server certificate and key ring from an Internet certificate authority.

To set up SSL authentication, you must create a server key ring file for each Internet site document. However, if the Internet site documents are for the same organization, but are created for different protocols, a single server key ring file can be used. Be sure to enter the server key ring file name in the appropriate field on the Security tab of each site document.

If you want to use Certificate Revocation Lists (CRL) for Internet certificate authentication, the server must be using a Domino® server-based certification authority for issuing Internet certificates.

Note: For Web sites, the common name on the server key ring must match the DNS name to which the IP address in the Web Site document is mapped. The IP address must be stored in the field Host name or addresses to map to this site, which is located on the Web Site document. If you enable Redirect TCP to SSL in a Web Site document, both the host name and the IP address must be stored in this field.

You should be familiar with SSL authentication, name and password authentication, and anonymous access before completing these steps.

Note: You can prohibit access to an Internet site by selecting No for all authentication options in an Internet site document. These options include TCP authentication, SSL authentication, and TCP anonymous access.

Procedure

  1. From the Domino Administrator, click Configuration > Web > Internet sites.
  2. Choose the Internet site document to modify, and click Edit Document.
  3. Click Security and complete these fields:
    Table 1. Security for Internet site fields and descriptions

    Field

    Description

    TCP Authentication

    Anonymous

    (Applies to all Internet sites, except IMAP and POP3)

    Choose one:

    • Yes -- To allow anonymous access to this site
    • No -- To prohibit anonymous access

    Name & password

    Choose one:

    • Yes -- To require a user to authenticate with the user's name and Internet password to access the site
    • No -- To not require name and password authentication

    Redirect TCP to SSL

    (Applies to Web Site only) Choose one:

    • Yes -- To require clients and servers to use the SSL protocol to access the Web site
    • No -- To allow clients and servers to use SSL or TCP/IP to access the Web site

    SSL Authentication

    Anonymous

    (Applies to all Internet sites, except IMAP and POP3)

    Choose one:

    • Yes -- To allow users access over the SSL port without authenticating with a name and password
    • No -- To deny users anonymous access

    Name & password

    Choose one:

    • Yes -- To require a user to authenticate with user name and Internet password in order to access this site using SSL
    • No --To not require a name and password

    Client certificate

    (Applies to Web Site, IMAP, POP3, and LDAP)

    Choose one:

    • Yes -- To require a client certificate for access to this site
    • No -- To not require a client certificate

    SSL Options

    Key file name

    Enter the name of the server key ring file.

    Protocol version

    Choose one:

    • V2.0 only -- Allows only SSL 2.0 connections.
    • V3.0 handshake -- Attempts an SSL 3.0 connection. If this fails and the requester detects SSL 2.0, attempts to connect using SSL 2.0.
    • V3.0 only -- Allows only SSL 3.0 connections.
    • V3.0 with V2.0 handshake -- Attempts an SSL handshake, which displays relevant error messages. Makes an SSL 3.0 connection if possible.
    • Negotiated (default) -- Attempts an SSL 3.0 connection. If this fails, attempts to use SSL 2.0. Use this setting unless you are having connection problems caused by incompatible protocol versions.

    Accept SSL site certificates

    Choose one:

    • Yes -- To accept the certificate and use SSL , even if the server does not have a certificate in common with the protocol server
    • No (default) -- To prohibit the acceptance of SSL site certificates for access

    Accept expired SSL certificates

    Choose one:

    • Yes -- To allow clients access, even if the client certificate is expired
    • No -- To prohibit client access using expired SSL certificates

    Check for CRLs

    Choose one:

    • Yes -- To check the certifier's Certificate Revocation List (CRL) for the user certificate you are attempting to validate. If a valid CRL is found and the user certificate is on the list, the user certificate is rejected.
    • No -- To not use Certificate Revocation Lists

    Trust expired CRLs

    Choose one:

    • Yes -- To use expired but otherwise valid Certificate Revocation Lists when attempting to validate user certificates
    • No -- To reject expired Certificate Revocation Lists

    Allow CRL search to fail

    Choose one:

    • Yes -- If the attempt to locate a valid Certificate Revocation List fails, proceed as if Check for CRLs is set to No.
    • No -- If a valid Certificate Revocation List for the user certificate is not found, reject the certificate. If Trust expired CRLs is set to Yes, an expired CRL is valid. If Trust expired CRLs is set to No, the authentication will fail for every user certificate for which a matching valid CRL is not located.

    SSL Security

    SSL ciphers

    Click Modify to change the SSL cipher settings for this site document. These settings apply only to SSL v3. SSL v2 ciphers cannot be changed.

    Enable SSL V2

    Choose Yes to enable SSL v2 for this site document.
  4. Save the document.