Home
Welcome to the HCL Domino 11.0.1 documentation
Welcome to the HCL Domino® 11.0.1 documentation. Here administrators can find information about planning, installing, configuring, and administering Domino 11.0.1.
Securing
This section describes security features, including execution control lists, IDs, and SSL.
Server access for Notes® users, Internet users, and Domino® servers
To control user and server access to other servers, Domino® uses the settings you specify on the Security tab in the Server document as well as the rules of validation and authentication. If a server validates and authenticates the Notes® user, Internet user, or server, and the settings in the Server document allow access, the user or server is allowed access to the server.
Customizing access to a Domino® server
After you set up basic access for HCL Notes® users and HCL Domino® servers, you can customize access to restrict specific users and servers to specific activities.
Setting up anonymous server access for Notes® users and Domino® servers
When a server is set up for anonymous access, Notes® users and Domino® servers do not need a valid certificate to access the server, since the server does not validate or authenticate them. Use anonymous access to allow users and servers outside your organization to access a server without first obtaining a certificate for the organization. You can also set up anonymous access for Internet/intranet users.

Welcome to the HCL Domino 11.0.1 documentation
Welcome to the HCL Domino® 11.0.1 documentation. Here administrators can find information about planning, installing, configuring, and administering Domino 11.0.1.
- Translated documentation
  The HCL Domino 11.0.1 documentation is currently available in the following languages.
- What's new in Domino® 11?
  Learn about all of the new features for administrators in HCL Domino® 11.
- Overview
  Welcome to HCL Domino® Administrator Help.
- Domino trial
  A trial version of HCL Domino® 11.0.1 is available free of charge.
- Installing
  Use this documentation to install the HCL Domino® server and subsequently deploy the HCL Notes®client.
- Planning
  Use this topic as an overview of planning task.
- Configuring
  Use this information to configure your network, users, servers (including Web servers), directory services, security, messaging, widgets and live text, and server clusters.
- Securing
  This section describes security features, including execution control lists, IDs, and SSL.
  - Overview of Domino security
    Setting up security for your organization is a critical task. Your security infrastructure is critical for protecting your organization's IT resources and assets. As an administrator, you need to give careful consideration to your organization's security requirements before you set up any servers or users. Up-front planning pays off later in minimizing the risks of compromised security.
  - Server access for Notes® users, Internet users, and Domino® servers
    To control user and server access to other servers, Domino® uses the settings you specify on the Security tab in the Server document as well as the rules of validation and authentication. If a server validates and authenticates the Notes® user, Internet user, or server, and the settings in the Server document allow access, the user or server is allowed access to the server.
    - Setting up Notes® user, Domino® server, and Internet user access to a Domino® server
      You can specify Notes® users and Domino® servers that are allowed to access the server, as well as users who access the server using Internet protocols (HTTP, IMAP, LDAP, POP3). If your system uses multiple Domino Directories, Domino searches only the first Domino Directory specified in the Names setting in the NOTES.INI file for Notes users. If you have enabled the server access settings for Internet protocols, you can also specify users from secondary Domino directories and external LDAP directories in the Allow or Deny access lists.
    - Customizing access to a Domino® server
      After you set up basic access for HCL Notes® users and HCL Domino® servers, you can customize access to restrict specific users and servers to specific activities.
      - Denying Notes® users access to all servers in a domain
        To deny Notes® users access to all servers in a domain, lock out their user IDs and enable password checking. When locked-out users try to access the server, Domino® tries to verify the passwords they enter by comparing them against those stored in Person documents. Domino denies the users access because their IDs are locked out.
      - Restricting administrator access
        You can specify various access levels for different types of administrators in your organization. For example, you may want to give only a few people 'system administrator' access, while all of the administrators on your team are designated as database administrators.
      - Comparing public key values
        The signatures on user and server certificates exchanged during authentication are always checked. You can enable an additional level of verification for public keys, by having the value of the key passed in the certificates checked against the value of the key listed in the HCL Domino® Directory. It is possible for users to authenticate with a server, but have a mismatch between the value of the public keys in their certificates and what is listed for them in the Domino Directory.
      - Setting up anonymous server access for Notes® users and Domino® servers
        When a server is set up for anonymous access, Notes® users and Domino® servers do not need a valid certificate to access the server, since the server does not validate or authenticate them. Use anonymous access to allow users and servers outside your organization to access a server without first obtaining a certificate for the organization. You can also set up anonymous access for Internet/intranet users.
      - Controlling access to a specific server port
        Use a port access list to allow or deny HCL Notes® user and HCL Domino® server access to a specific network port. If you use a port access list and a server access list, users and servers must be listed on both to gain access to the server.
      - Controlling creation of databases, replicas, and templates
        To manage available disk space, control which users and servers are allowed to create databases and replicas on a server. If your system uses multiple Domino® Directories, HCL Domino searches only the first Domino Directory specified in the Names setting in the NOTES.INI file.
      - Controlling the use of headline monitors
        Notes® users can set up their headlines to search server databases automatically for items of interest. You can control which users can or cannot access this server for headlines. This task applies toHCL Notes users only.
      - Controlling access to a pass-through server or pass-through destination
        A pass-through server allows users and servers to use a pass-through connection to connect to another server. The server to which users connect is called a pass-through destination. You can control which users and servers can access a pass-through server and pass-through destination.
      - Controlling agents and XPages that run on a server
        You can control the types of agents and XPages that users can run on a server. The fields in this section are organized hierarchically with regard to privileges. For example, Sign or run unrestricted methods and operations has the highest level of privilege and Run Simple and Formula agents has the lowest. A user or group name in one list automatically receives the rights of the lists beneath. Therefore a name has to be entered in only one list, which then gives that user the highest rights.
      - Controlling Web browser access to files
        You can use File Protection documents and Web realms to control Internet/intranet access to files on the servers.
      - Restricting access to a server's data directory
        By default, any Notes® user who can access a server can access the server's entire data directory. You can restrict Notes user access to a server's data directory or a subdirectory of the data directory by defining an access list, or ACL file, for it. ACL files are an option for protecting server directories, and contain the names of users authorized to access those directories.
      - Physically securing the Domino® server
        Physically securing servers and databases is just as important as preventing unauthorized user and server access. Therefore, locate all Domino® servers in a ventilated, secure area, such as a locked room. If servers are not secure, unauthorized users might circumvent security features -- for example, ACL settings -- access applications on the server, use the operating system to copy or delete files, and physically damage the server hardware itself.
    - Validation and authentication for Notes® and Domino®
      Whenever a Notes® client or Domino® server attempts to communicate with a Domino server to replicate, route mail, or to access a database, two security procedures use information from the client or server ID to verify that the client or server is legitimate. Validation establishes trust of the client's public key. If validation occurs successfully, authentication begins. Authentication verifies user identity, and uses the public and private keys of both the client and the server in a challenge/response interaction.
  - The database access control list
    Every .NSF database has an access control list (ACL) that specifies the level of access that users and servers have to that database. Although the names of access levels are the same for users and servers, those assigned to users determine the tasks that they can perform in a database, while those assigned to servers determine what information within the database the servers can replicate. Only someone with Manager access can create or modify the ACL.
  - Domino® server and Notes® user IDs
    Domino® uses ID files to identify users and to control access to servers. Every Domino server, Notes® certifier, and Notes user must have an ID.
  - The execution control list
    You use an execution control list (ECL) to configure workstation data security. An ECL protects user workstations against active content from unknown or suspect sources, and can be configured to limit the action of any active content that does run on workstations.
  - Domino® server-based certification authority
    You can set up a Domino® certifier that uses the CA process server task to manage and process certificate requests. The CA process runs as a process on Domino servers that are used to issue certificates. When you set up a Notes® or Internet certifier, you link it to the CA process on the server in order to take advantage of CA process activities. Only one instance of the CA process can run on a server; however, the process can be linked to multiple certifiers.
  - SSL security
    Secure Sockets Layer (SSL) is a security protocol that provides communications privacy and authentication for Domino® server tasks that operate over TCP/IP.
  - SSL and S/MIME for clients
    Clients can use a Domino® certificate authority (CA) application or a third-party CA to obtain certificates for secure SSL and S/MIME communication.
  - Encryption
    Encryption protects data from unauthorized access.
  - Name-and-password authentication for Internet/intranet clients
    Name-and-password authentication, also known as basic password authentication, uses a basic challenge/response protocol to ask users for their names and passwords and then verifies the accuracy of the passwords by checking them against a secure hash of the password stored in Person documents in the Domino® Directory.
  - Multi-server session-based authentication (single sign-on)
    Multi-server session-based authentication, also known as single sign-on (SSO), allows Web users to log in once to a Domino® or WebSphere® server, and then access any other Domino or WebSphere servers in the same DNS domain that are enabled for single sign-on (SSO) without having to log in again.
  - Using Security Assertion Markup Language (SAML) to configure federated-identity authentication
    Federated identity is a means of achieving single sign-on, providing user convenience and helping to reduce administrative cost. In Domino® and Notes®, federated identity for user authentication uses the Security Assertion Markup Language (SAML) standard from OASIS.
  - Using a credential store to store credentials
    A Domino® server can use a credential store application as a secure artifact repository. Examples of secure artifacts include authentication credentials and security keys.
- Administering
  This documentation provides information about the administration tools for managing and monitoring servers and databases.
- Tuning
  Use this information to improve HCL Domino® server, Domino Web server, and messaging performance through the use of resource balancing and activity trends, Server.Load commands, advanced database properties, cluster statistics, and the Server Health Monitor.
- Troubleshooting
  This section describes how to find and solve problems with HCL Domino® server and Administrator client.
- Notices

Setting up anonymous server access for Notes® users and Domino® servers

When a server is set up for anonymous access, Notes® users and Domino® servers do not need a valid certificate to access the server, since the server does not validate or authenticate them. Use anonymous access to allow users and servers outside your organization to access a server without first obtaining a certificate for the organization. You can also set up anonymous access for Internet/intranet users.

Procedure

From the Domino® Administrator, click the Configuration tab, and open the Server document.
Click the Security tab.
In the Security Settings section, enable Allow anonymous Notes connections.
Save the document.
Create an entry named Anonymous in the ACL of all databases to which you want to allow anonymous access. Assign the appropriate access level -- typically Reader access. If you do not add Anonymous as an entry in the ACL, anonymous users and servers get -Default- access.
Stop and restart the server so that the changes take effect.