Security features

Domino 14.5 provides the following features and enhancements related to security.

Enhanced CA certifier ID password protection

When migrating a Notes certifier to the Domino Certificate Authority, you can choose to protect the certifier ID with an encrypted key that can only be decrypted by the CA process; you do this by setting a notes.ini setting on both the Domino server and the Domino Administrator client. For more information, see the options Encrypt ID with Server ID or Encrypt ID with Lock ID in Table 2 of Migrating a certifier to the CA process.

Mandated NRPC port encryption

Starting in 14.5, administrators can mandate NRPC port encryption for better security.

Mandated port encryption works in the following ways:

  • Enables and enforces NRPC port encryption on both the 14.5 client and server. When configured by an administrator, encryption is enforced even if the other side does not want to use encryption.
  • Allows the administrator to manage and monitor the enablement state of NRPC port encryption.
  • Enforces mandated NRPC port encryption level for all authenticated NRPC sessions.

Prerequisites

To enable and use this feature, the primary administration server needs to be 14.5 and the server address book design needs to be upgraded to 14.5. Note that NRPC encryption is mandated on 14.5 or later client/servers only.

Enabling mandated NRPC port encryption

For more information, refer to Enabling mandated NRPC port encryption.

Configuring ini settings

You need to configure the directory profile document settings. For pre-14.5 servers, you must use the CheckPortEncryption agent. Note that the existing UI for configuring port encryption will be disabled post-EA1.

The following ini settings are available for the new mandated port encryption:

  • DEBUG_MANDATED_ENCRYPTION=1
    Enables debug logging, which is useful for troubleshooting.
  • MANDATEDENC_ACTIVE_REFRESH_TIME=<# of seconds>
    Defines how often the mandated port encryption configuration is refreshed on the server. The default is every 24 hours, and server polls are every 60 minutes.
  • DEBUG_PORT_ENC_ADV=1
    Enables port encryption debug, which is useful for troubleshooting.

Configuring mandated NRPC port encryption settings

  • New Directory Profile option
    For servers, a new setting for mandated NRPC port encryption will be added to the directory profile. An administrator can edit the current setting in Actions > Edit Directory Profile.
  • Mandated port encryption settings

    The DirectoryProfile form in the server address book allows Domino administrators to manage mandated NRPC port encryption settings. The following image shows the default values.

    Administrators can enable logging through Logging level only to check and fix any configuration issues prior to enforcing port encryption mandate.

    Modifications to any of these mandated encryption settings will set the configuration state to "Non-compliant".

  • New scheduled agent

    A new scheduled agent "CheckPortEncryption" is included in the server address book. The administrator needs to sign and enable this agent to automate configuration updates on servers prior to 14.0.1. The signer needs to have permission to run unrestricted agents on the server.

    This agent runs on all servers in the domain and sets the encryption ini settings, if needed, on all pre-14.0.1 servers.

    Administrators can choose to set the encryption ini settings manually on all servers. The mandated configuration can be refreshed by executing the server command portencrypt refreshconfig on the primary admin server. Alternatively, you can just wait until the next configuration refresh. The server poll thread refreshes the configuration every 24 hours.

Passkey enhancements

Starting in 14.5 EA1, Domino supports using the FIDO Metadata Service to more accurately identify and verify passkeys and their authenticators. Setting the notes.ini PASSKEY_FIDO_METADATA_DOWNLOAD=1 causes the Domino server to automatically download published metadata from the FIDO Metadata Service once per month. Alternatively, administrators can manually download passkey metadata from the FIDO Alliance Metadata Service website and place the resulting blob.jwt and root.pem files in the Domino server's data directory. The signed metadata blob is generally updated on the first day of each month. If the FIDO Metadata is present and a matching aaguid is found for the passkey being created, that authenticator's metadata is used to populate the name of the authenticator, and its root certs are used to verify "Packed" and "TPM" attestations. Existing passkey documents can be updated by setting the notes.ini PASSKEY_DATABASE_FIXUP=1.

Other changes:
  • In 14.0, user names with non-ASCII characters were not handled correctly in the passkey database. As of 14.0 FP1 and 14.5 EA1, user names with non-ASCII characters are handled correctly.
  • In 14.5 EA1, the passkey database has been updated to interoperate with adminp-based user rename and user deletion operations.
  • More hardcoded authenticator aaguid values have been added, and will be used if FIDO Metadata is not present or the authenticator is not found in the metadata.
  • If the notes.ini PASSKEY_USE_ALLOWCREDENTIALS=1 is set, Domino will attempt to send the "allowCredentials" claim during authentication. This will cause some authenticators to simplify the authentication experience for the end user by assuming that they will want to use the same passkey that they most recently used from that web browser.
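An added example, not Domino's implementation, of the lookup that the metadata paragraph and the aaguid bullet above describe: decoding the payload of an MDS blob.jwt, indexing its entries by aaguid, and returning the authenticator name and attestation root certificates only while the latest status report still permits trust. The payload is constructed, and verification of the JWT signature against root.pem is assumed to have been done before the payload is used.

```python
import base64
import json
# Constructed MDS3-style blob payload, not a real blob.jwt. The real blob is a
# JWT signed by the FIDO Alliance; its signature must be verified against
# root.pem BEFORE any of this data is trusted. That check is assumed done here.
SAMPLE_PAYLOAD = {"nextUpdate": "2099-01-01", "entries": [
    {"aaguid": "11111111-2222-3333-4444-555555555555",
     "metadataStatement": {"description": "Example Key A (constructed)",
                           "attestationRootCertificates": ["QUNFUlQ="]},
     "statusReports": [{"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2023-01-01"}]},
    {"aaguid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
     "metadataStatement": {"description": "Example Key B (constructed)",
                           "attestationRootCertificates": ["QkNFUlQ="]},
     "statusReports": [{"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2022-01-01"},
                       {"status": "ATTESTATION_KEY_COMPROMISE", "effectiveDate": "2024-03-01"}]},
]}
# MDS status values after which an authenticator's attestation should not be trusted.
UNTRUSTED = {"REVOKED", "ATTESTATION_KEY_COMPROMISE", "USER_VERIFICATION_BYPASS",
             "USER_KEY_REMOTE_COMPROMISE", "USER_KEY_PHYSICAL_COMPROMISE"}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jwt_payload(blob_jwt: str) -> dict:
    """Split a compact JWT and decode its payload segment (signature verified elsewhere)."""
    parts = blob_jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))

def index_by_aaguid(payload: dict) -> dict:
    # Only FIDO2 entries carry an aaguid; lowercase it so any-case client input matches.
    return {e["aaguid"].lower(): e for e in payload["entries"] if "aaguid" in e}

def lookup_authenticator(index: dict, aaguid: str):
    """Return (name, DER root certs) if the AAGUID is known and still trusted, else None."""
    entry = index.get(aaguid.lower())
    if entry is None:
        return None            # unknown: caller falls back to hardcoded AAGUIDs / no name
    reports = sorted(entry.get("statusReports", []), key=lambda r: r.get("effectiveDate", ""))
    if reports and reports[-1]["status"] in UNTRUSTED:
        return None            # latest status report says: do not trust this attestation
    ms = entry["metadataStatement"]
    roots = [base64.b64decode(c) for c in ms.get("attestationRootCertificates", [])]
    return ms.get("description", ""), roots

def sample_blob_jwt() -> str:
    # Wrap the constructed payload in JWT shape with a dummy signature segment.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "ES256"}) + "." + enc(SAMPLE_PAYLOAD) + ".c2ln"
```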

Domino as an OIDC provider

The Domino HTTP task in 14.5 EAP Drop 1 can act as an OIDC identity provider. This feature allows administrators to leverage their existing Domino HTTP authentication experience -- including passkeys, TOTP, custom domcfg login forms, and external identity providers -- to authenticate end users with applications, servers, and services that support OIDC.

OpenID Connect 1.0 (OIDC) is an authentication protocol built on top of the OAuth 2.0 framework; OIDC providers (OPs) serve the same basic role in Identity Federation as SAML identity providers (IdPs). Identity Federation enables end users to log in once against a single authorization endpoint in order to authenticate against multiple resource servers instead of logging in to each resource server individually. OAuth 2.0 clients that do not fully support the OIDC protocol can be configured to acquire access tokens from these new HTTP endpoints as an OAuth 2.0 Authorization Server (AS).

The Domino OIDC provider functionality uses signed JWT access tokens and id tokens and is fully interoperable with the HTTP Bearer authentication and Web Login with OIDC functionality in Domino 12.0.2 FP3 and higher. In accordance with current security best practices, the Domino OIDC provider supports only the Authorization Code flow with PKCE.
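An added illustration, not Domino's code, of what the restriction to the Authorization Code flow with PKCE buys: the client-side verifier/challenge generation and the provider-side check from RFC 7636, with a hypothetical in-memory dictionary standing in for the provider's store of issued authorization codes.

```python
import base64
import hashlib
import hmac
import secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

# ---- client side (the OIDC relying party) ----
def make_pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636."""
    verifier = b64url(secrets.token_bytes(32))    # 43 chars, inside the allowed 43..128
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge

# ---- provider side: hypothetical in-memory store of issued authorization codes ----
_issued_codes = {}   # code -> {"challenge": str, "used": bool}

def issue_auth_code(code_challenge: str, method: str = "S256") -> str:
    """Authorization endpoint: bind the client's challenge to a fresh one-time code."""
    if method != "S256":
        raise ValueError("only S256 accepted; 'plain' gives no protection if the code leaks")
    if len(code_challenge) != 43:                 # base64url(SHA-256) is always 43 chars
        raise ValueError("malformed code_challenge")
    code = b64url(secrets.token_bytes(32))
    _issued_codes[code] = {"challenge": code_challenge, "used": False}
    return code

def redeem_auth_code(code: str, code_verifier: str) -> bool:
    """Token endpoint: release tokens only if the verifier hashes to the bound challenge."""
    entry = _issued_codes.get(code)
    if entry is None or entry["used"]:
        return False                              # unknown code, or a replay of a used one
    entry["used"] = True                          # single use, consumed even on a failed check
    if not 43 <= len(code_verifier) <= 128:
        return False
    expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected, entry["challenge"])
```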

For more information on this feature, see the following topics: