SECURING


Comparing public key values

The signatures on user and server certificates exchanged during authentication are always checked. You can enable an additional level of verification for public keys, by having the value of the key passed in the certificates checked against the value of the key listed in the HCL Domino® Directory. It is possible for users to authenticate with a server, but have a mismatch between the value of the public keys in their certificates and what is listed for them in the Domino Directory.

About this task

This extra level of key verification protects against misuse of a lost or compromised ID file. Typically, if an ID file is lost, its owner needs to be registered to create a new ID file and directory entry; and if the ID file has been compromised then the owner's public and private keys need to be rolled-over and that new set of keys need to be certified (thus updating the directory entry). By enabling directory-level key checking, an attacker in possession of the old ID file will not be able to use it to access the server, even though that old ID file may contain a valid certificate.

You can also choose to control whether a log message is generated if authentication succeeds but a mismatch is detected. This allows administrators to detect when the ID file contents have gotten out of sync with directory entries, but to do so without preventing those users from authenticating because of public key mismatches.

Procedure

1. From the Domino Administrator, click the Configuration tab, and open the Server document.

2. Click the Security tab.

3. In the Security Settings section, click the list next to Compare public keys and choose one of the following options:

4. Click the list next to Log public key mismatches and choose one of the following options: 5. Stop and restart the server so that the changes take effect. The server polls every hour to see if these settings have changed, so if the server is not restarted it may be as long as an hour before the new settings take effect.

Parent topic: Customizing access to a Domino server

Related concepts
Public key security