Configuring the HCL Traveler server for TOTP authentication
TOTP authentication setup for the HCL Verse mobile clients follows the steps defined in the Domino Administration guide for Configuring TOTP authentication. This topic identifies Traveler server specific setup information.
TOTP uses forms-based authentication. Once TOTP is enabled for the Traveler endpoint, any session override rules allowing basic authentication are ignored. This means that any client configured for the same endpoint that requires basic authentication will no longer be able to authenticate. To support additional modes of authentication, consider configuring multiple web sites. For more information, see Enabling support for Server Name Indication (SNI).
Traveler server setup
The HCL Traveler server(s) should be configured prior to enabling TOTP authentication. This allows validation that HCL Traveler is functioning prior to making any changes for TOTP authentication.
Preparing for TOTP authentication
Domino TOTP authentication support requires that the Traveler server users have a vaulted user ID. Ensure the following setup is completed before configuring Domino for TOTP authentication:
- Ensure the ID Vault is configured and user IDs are vaulted. For more information, see Notes® ID vault.
- Upgrade the ID Vault database and Directory database with the HCL Domino 12.0 template designs.
- Ensure the ID Vault is configured with Allow Notes-based programs to use the Notes ID vault set to Yes. For more information, see Enabling programs that store IDs in databases to use a vault.
Configuring TOTP authentication
- After completing Step 2 (Enabling TOTP authentication in the Configuration Settings document), in the Configuration Settings document, select OR Check vault first, then directory. For more information, see Authenticating web users against the Notes® ID passwords in the ID vault.
- After completing Step 5 (Configuring the TOTP login form), the new login form displays. Vaulted users need to supply their user ID, password, and the multi-factor authentication (MFA) code to authenticate (first-time users must now complete the MFA setup).
At this point, the Traveler server endpoint is configured for TOTP authentication.
Accessing the Traveler Web Administration interface (/LotusTraveler.nsf) or the Traveler Admin APIs (/api/traveler) requires that the administration user be vaulted and authenticate using TOTP. For non-TOTP authentication access, set up an additional web site for /api and /LotusTraveler.nsf requests.
Next, review and update the authentication timeout settings for the optimum user experience. For information on configuring the client for TOTP authentication, see HCL Verse Client setup.