In last month's tip, Your views on Notes ID storage, I responded to the results of SearchDomino.com's poll about storage of Notes ID files. Several readers had interesting feedback about that tip, including a particularly insightful post by reader John K. Be sure to look at what he says at the bottom of my tip. This month I address the poll results related to storage of certifier IDs.
In June, SearchDomino.com asked the question: "Where do you store your certifier IDs?" A total of 189 people responded, which is a pretty good sample. Your answers were:
As I noted last month, the answer "network drive" is ambiguous, which is my fault for wording the choices poorly. I did not distinguish between a shared, wide-open network folder, and a tightly controlled, secure place on a file server. Given this caveat, I have several comments on the poll results.
Unfortunately, the "locked computer" and "locked cabinet" models break down in large organizations. When many people around the world must be able to create new user IDs, it is not practical to keep all the certifiers in a single room. One solution to this problem is to make careful use of organizational unit certifiers, and then distribute the organization certifiers only to administrators who need them. Here is an example:
Suppose the top-level certifier is /Acme. Only a couple people, in one room, have access to this certifier. They use it only to create organization units. So they create certifiers for /Servers/Acme, /Beijing/Acme, /Boston/Acme. The certifier for /Servers/Acme is given to one group of peopl
To continue reading for free, register below or login
To read more you must become a member of SearchDomino.com
e, in one location, and they are the only people who can create new server IDs for Acme Corp. The /Beijing/Acme certifier is given to the Beijing office, and only a small set of people there can create Beijing IDs. Similarly, the /Boston/Acme certifier is given only to the Boston office. This overall scheme allows a large organization to function effectively, but controls the proliferation of each certifier ID.
A final suggestion: The optimum number of copies for each certifier is two. The first is your production copy, which you use day-to-day to create organization/user/server IDs. Since there is only one copy in-house, which you protect carefully, the chance of it being stolen is small. But you need a second copy in case the first is corrupted. Keep the second copy in a very secure location outside the building, such as a bank safe-deposit box.
I'd like to continue the interactive nature of this column. Please write to me with ideas for future articles. What do you want me to address? What have I said that you disagree with? Do you have a different idea for how to attack a problem I discussed? Send an e-mail to either editor@searchdomino.com or connell@chc-3.com. Or you can pose a question in my Security forum on SearchDomino.com.
Chuck Connell is president of CHC-3 Consulting, which helps organizations with all aspects of Domino and Notes. CHC-3 allows companies to outsource their Domino administration needs via DominoAdministration.com and runs the popular security site DominoSecurity.org.
Do you have comments of your own? Let us know.
