Using Domino Certificate Authority and Password Recovery together

Using Domino Certificate Authority and the ID/password recovery feature together can deliver big benefits to an organization.

Previously, I have written articles for SearchDomino on the Domino Certificate Authority and the ID/password recovery feature. This article shows you how to use the two features together, which has a large benefit for an organization: because the Certificate Authority (CA) is managing the certifier files, the Domino server can automatically push changes in a certifier's recovery information out to users. Previously, any change to a certifier's recovery information had to be exported manually into each user ID file.

Before we get to the step-by-step instructions, there are several points to bear in mind.

1. There is more than one way to perform and configure some of these actions. To help you get started, I have chosen simplicity over higher security.

2. All of these instructions concern standard Notes certifiers and Notes user ID files, not Internet certificates and key rings.

3. You should test this method on a small set of trial users. If that test goes well, you can include ever-larger sets of users.

4. Many of the Domino features used here have inherent and variable time delays. For example, after creating a new user from an organization unit (OU) that is in the CA, the user cannot immediately log on, but must wait for the new ID to be registered by the CA process. Also, when the list of recovery authorities in a certifier is changed, the new list is downloaded to the users' ID files after a hard-to-determine period of time. Each of these delays can be as long as several hours. If it appears that a certain step of these instructions has failed, you should wait a half-day and try again.

Also worth noting: The command tell adminp process all does not always clear pending work items, and the command tell ca show queue * does not always show them. The Domino CA process does some things silently on its own schedule.

Initial set-up

  1. Decide which Domino server will be the CA server in your overall organization. The machine should be very reliable and physically secure.
  2. On the CA server, edit the notes.ini file and add the "ca" task to the line ServerTasks=. Restart the server to start this task.
  3. Create a mail-in database for use by the ID recovery process. The name of the mail-in can be ID Recovery and the location of the mail file should be on a trusted mail server (which may also be the CA server).
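Step 2 is the one part of the set-up that edits a text file rather than a dialog, and on a server that is restarted rarely it is worth making the change idempotent so that repeated runs never add the task twice. The following is an added example written for this article, not Lotus/IBM code: it treats notes.ini as the plain key=value file it is, finds the exact ServerTasks= line (leaving ServerTasksAt1= and similar keys alone), and appends "ca" only if it is not already present, matching task names case-insensitively. The sample notes.ini fragment and the file path handling are constructed for the demonstration.

```python
"""Idempotently add a task to the ServerTasks= line of a Domino notes.ini.

Added example for this article (not IBM/Lotus code). notes.ini is a plain
key=value file; ServerTasks= holds the comma-separated list of server tasks
loaded at start-up, and task names are not case-sensitive.
"""
import re
import shutil
import sys
from typing import Tuple

# Constructed sample notes.ini fragment, not taken from a real server.
SAMPLE_INI = (
    "[Notes]\n"
    "Directory=C:\\Lotus\\Domino\\data\n"
    "ServerTasks=Update,Replica,Router,AMgr,AdminP,CalConn,Sched,HTTP\n"
    "ServerTasksAt1=Catalog,Design\n"
)

# Matches only the exact ServerTasks key; "ServerTasksAt1=" does not match
# because the regex requires "=" (optionally after spaces) right after the key.
_SERVERTASKS_RE = re.compile(r"^\s*ServerTasks\s*=(.*)$", re.IGNORECASE)


def enable_server_task(ini_text: str, task: str = "ca") -> Tuple[str, bool]:
    """Return (new_text, changed).

    Appends `task` to the ServerTasks= line if it is not already listed.
    If the file has no ServerTasks= line at all, one is added at the end.
    The original line ending of the edited line is preserved.
    """
    lines = ini_text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        body = line.rstrip("\r\n")
        m = _SERVERTASKS_RE.match(body)
        if not m:
            continue
        tasks = [t.strip() for t in m.group(1).split(",") if t.strip()]
        if task.lower() in (t.lower() for t in tasks):
            return ini_text, False          # already enabled: nothing to do
        tasks.append(task)
        line_ending = line[len(body):]      # "\n", "\r\n" or "" on last line
        lines[i] = "ServerTasks=" + ",".join(tasks) + line_ending
        return "".join(lines), True
    # No ServerTasks= line present: append one.
    sep = "" if (not ini_text or ini_text.endswith("\n")) else "\n"
    return ini_text + sep + "ServerTasks=" + task + "\n", True


def enable_server_task_in_file(path: str, task: str = "ca") -> bool:
    """Apply enable_server_task to a notes.ini on disk, keeping a .bak copy.

    Returns True if the file was modified. The server must still be restarted
    for the new task to start.
    """
    with open(path, "r", encoding="latin-1") as fh:
        original = fh.read()
    updated, changed = enable_server_task(original, task)
    if changed:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="latin-1", newline="") as fh:
            fh.write(updated)
    return changed


if __name__ == "__main__":
    # Usage: python enable_ca.py C:\Lotus\Domino\notes.ini
    if len(sys.argv) == 2:
        print("modified" if enable_server_task_in_file(sys.argv[1]) else "unchanged")
    else:
        text, did_change = enable_server_task(SAMPLE_INI)
        print(text, "changed:", did_change)
```

Run against the constructed sample, the ServerTasks= line gains ",ca" on the first call and is left untouched on the second; a file that already lists "CA" in any case is reported as unchanged.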

Creating and migrating the top-level certifier

  1. Create the top-level certifier, with the command Domino Administrator / Configuration / Registration / Organization. (If you already have a top-level certifier, use that one. Do not create another.)

  2. Migrate the top-level certifier to the CA process, with the command Domino Administrator / Configuration / Certification / Migrate Certifier.

  • Select the top-level certifier ID file.
  • Go to the Basics tab of the migration wizard.
  • Set the name of your CA server.
  • Leave the name of the ICL file as is.
  • Encrypt the certifier ID with the server ID.
  • Do not require a password to activate.
  • Set the names of the Certificate Authority Administrators (CAAs) and Registration Authorities (RAs) as you wish.
  • CAAs own the certifier and can make any change to it. RAs can use the certifier to create users, servers, and OUs with it. (Note that the CAA column is mislabeled as CA.)
  • Since this is the top-level certifier, I suggest maintaining a fairly short list of people who are both CAAs and RAs.
  • Go to the Certificates tab.
  • I suggest leaving all of these defaults as is, except possibly the first entry in the first column. This specifies the default expiration for end-user IDs created with this certifier, which is currently 24 months. Some organizations set this to 12 months.

Modifying the top-level certifier

You must be a CAA of the top-level certifier to perform these operations. You must also have Editor access to the Domino Directory (names.nsf) for this Notes domain.

  • Use the command Domino Administrator / Configuration / Certification / Modify Certifier.
  • Set the CA server.
  • Select the certifier from the Domino Directory (instead of an ICL database).
  • Choose the certifier to modify.
  • Press OK to open the certifier.
  • Make changes as you want.
  • Press OK to save the changes.

Creating and migrating OU certifiers

To create new organization-level certifiers, use the command Domino Administrator / Configuration / Registration / Organizational Unit. (This only applies to new OUs that you do not already have. For existing OUs, simply migrate them to the CA.)

  • Select the CA server.
  • Select "Use the CA process."
  • From the list of certifiers in the CA, choose the top-level certifier that will create the new OU.
  • Enter the standard information about the new OU certifier, and then press Register.

Next, migrate the OU certifier to the CA process, with the command Domino Administrator / Configuration / Certification / Migrate Certifier.

  • Select the OU certifier ID file.
  • Go to the Basics tab of the migration wizard.
  • Set the name of your CA server.
  • Leave the name of the ICL file as is.
  • Encrypt the certifier ID with the server ID.
  • Do not require a password to activate.
  • Set the names of the Certificate Authority Administrators (CAAs) and Registration Authorities (RAs) as you wish.
  • CAAs own the certifier and can make any change to it. RAs can use the certifier to create users with it. (Note that the CAA column is mislabeled as CA.)
  • Since this is an organization-level certifier, I suggest a short list of CAAs and a longer list of RAs who work within that organization.
  • Go to the Certificates tab.
  • I suggest leaving all of these defaults as is, except possibly the first entry in the first column. This specifies the default expiration for end-user IDs created with this certifier, which is currently 24 months. Some organizations set this to 12 months.

Now, you must give RAs the following additional access rights.

  • Names.nsf – Author access, Create Document right, UserCreator and UserModifier roles.
  • Certlog.nsf – Author access, Create Document right.

Modifying OU certifiers

You must be a CAA of the OU to perform these operations. You must also have Editor access to the Domino Directory (names.nsf) for this Notes domain.

  • Use the command Domino Administrator / Configuration / Certification / Modify Certifier.
  • Set the CA server.
  • Select the certifier from the Domino Directory (instead of an ICL database).
  • Choose the certifier to modify.
  • Press OK to open the certifier.
  • Make changes as you want.
  • Press OK to save the changes.

Setting up ID recovery

  • Use the command Domino Administrator / Configuration / Certification / Edit Recovery Information.
  • Select the CA server.
  • Select "Use the CA process."
  • From the list of certifiers in the CA, choose the certifier you want to edit.
  • Enter the ID recovery information, as you want.
  • Specify the ID Recovery mail-in database that you previously created.
  • Press OK to save the recovery information.

The new recovery information is copied to user ID files automatically when users next access their home servers. As part of this process, updated copies of the user ID files (containing the new recovery information) are sent automatically to the ID Recovery mail-in database.

Modifying ID recovery information

Modifying ID recovery information is the same as setting it up for the first time. Users will receive the updated information in the same way, when they access their home servers.

For further information, see Domino Administrator 6 Help / Index / Certificate Authority, and also Index / IDs / Recovering.

Chuck Connell is president of CHC-3 Consulting, which helps organizations with all aspects of Domino and Notes.
