Setting up Domino® security for Internet site documents
To set up security for Internet site documents, you can enable TLS server and client authentication, name-and-password authentication, or anonymous access for Internet and Intranet clients.
About this task
To enable TLS for Internet sites, configure the TLS port on the server document and set up TLS on the server by obtaining a server certificate and keys from an Internet certificate authority.
You should be familiar with TLS authentication, name and password authentication, and anonymous access before completing these steps.
Procedure
- From the Domino® Administrator, click .
- Choose the Internet site document to modify, and click Edit Document.
- Click Security and complete these
fields:
Table 1. Security for Internet site fields and descriptions Field
Description
TCP Authentication Anonymous
(Applies to all Internet sites, except IMAP and POP3)
Choose one:
- Yes -- To allow anonymous access to this site
- No -- To prohibit anonymous access
Name & password
Choose one:
- Yes -- To require a user to authenticate with the user's name and Internet password to access the site
- No -- To not require name and password authentication
Redirect TCP to TLS
(Applies to Web Site only) Choose one:
- Yes -- To require clients and servers to use the TLS protocol to access the Web site
- No -- To allow clients and servers to use TLS or TCP/IP to access the Web site
TLS Authentication Anonymous
(Applies to all Internet sites, except IMAP and POP3)
Choose one:
- Yes -- To allow users access over the TLS port without authenticating with a name and password
- No -- To deny users anonymous access
Name & password
Choose one:
- Yes -- To require a user to authenticate with user name and Internet password in order to access this site using TLS
- No --To not require a name and password
Client certificate
(Applies to Web Site, IMAP, POP3, and LDAP)
Choose one:
- Yes -- To require a client certificate for access to this site
- No -- To not require a client certificate
TLS Options Key file name
Specify one of the following:- If a certstore.nsf configuration is used, specify the host name of the server or any other certificate present in certstore.nsf for the server.
- If certstore.nsf configuration is not used, specify the kyr file.
Accept TLS site certificates
Choose one:
- Yes -- To accept the certificate and use TLS, even if the server does not have a certificate in common with the protocol server
- No (default) -- To prohibit the acceptance of TLS site certificates for access
Accept expired TLS certificates
Choose one:
- Yes -- To allow clients access, even if the client certificate is expired
- No -- To prohibit client access using expired TLS certificates
Check for CRLs
Choose one:
- Yes -- To check the certifier's Certificate Revocation List (CRL) for the user certificate you are attempting to validate. If a valid CRL is found and the user certificate is on the list, the user certificate is rejected.
- No -- To not use Certificate Revocation Lists
Trust expired CRLs
Choose one:
- Yes -- To use expired but otherwise valid Certificate Revocation Lists when attempting to validate user certificates
- No -- To reject expired Certificate Revocation Lists
Allow CRL search to fail
Choose one:
- Yes -- If the attempt to locate a valid Certificate Revocation List fails, proceed as if Check for CRLs is set to No.
- No -- If a valid Certificate Revocation List for the user certificate is not found, reject the certificate. If Trust expired CRLs is set to Yes, an expired CRL is valid. If Trust expired CRLs is set to No, the authentication will fail for every user certificate for which a matching valid CRL is not located.
TLS Security TLS ciphers
Click Modify to change the TLS cipher settings for this site document. These settings apply only to TLS v3. TLS v2 ciphers cannot be changed.
- Save the document.