Secure Sockets Layer (SSL) is a security protocol that provides communications privacy and authentication for Domino® server tasks that operate over TCP/IP.

SSL offers these security benefits:

• Data is encrypted to and from clients, so privacy is ensured during transactions.
• An encoded message digest accompanies the data and detects any message tampering.
• The server certificate accompanies data to assure the client that the server identity is authentic.
• The client certificate accompanies data to assure the server that the client identity is authentic. Client authentication is optional and may not be a requirement for your organization.

You must set up the Domino server and then set up SSL. You can use SSL security for Internet clients who use one of the following Internet protocols to connect to the Domino server:

• Web server and Web Navigator (HTTP)
• Internet Inter-ORB Protocol (IIOP)

  The Java™ applet that uses this protocol must be set up to use SSL.

• Internet Message Access Protocol (IMAP)
• Lightweight Directory Access Protocol (LDAP)
• Post Office Protocol 3 (POP3)
• Simple Authentication and Security Layer (SASL)

  Domino uses SASL automatically if SSL with client authentication is set up on the server and if the LDAP client supports the protocol. No additional configuration is necessary.

• Simple Mail Transport Protocol (SMTP)

  Setting up SSL on a Domino server
  Set up SSL on a Domino server so that clients and servers that connect to the server use SSL to ensure privacy and authentication on the network. You set up SSL on a protocol-by-protocol basis. For example, you can enable SSL for mail protocols -- such as IMAP, POP3, and SMTP -- and not for other protocols.

  Setting up database access for SSL clients
  After you set up SSL on a Domino server, you must give the clients access to databases on the server.

  Managing server certificates and certificate requests
  Administrators perform a number of tasks in managing the certificate lifecycle. This topic provides a high-level view of the process, with links to additional information on how to view certificates, change the password of a key ring file, specify the trusted root for a certificate authority, view certificate requests, and renew expired certificates.

  Creating a self-certified certificate to test SSL certification
  You can create a self-certified certificate to test the certificate procedure at your organization. Because this certificate is not certified by a CA, use it only for testing purposes.

  Creating an Internet cross-certificate for server-to-server SSL
  One server can obtain an Internet cross-certificate from another server for the purposes of establishing trust. For example, if one server needs to access Directory Assistance on another server.

  Modifying SSL cipher restrictions
  SSL uses public, private, and negotiated session keys. Every SSL certificate has one pair of keys -- a public key and private key -- that are created when the SSL certificate is generated, and enable certificate owners to identify themselves over the network and to use S/MIME to encrypt and sign messages. Certificates contain only the public key. The private key is kept in the ID file for the Notes® client, and is kept in the key ring in the case of the SSL server.

  Authenticating Web SSL clients in secondary Domino and LDAP directories
  When a Web client authenticates with a server, by default, the server checks the primary HCL Domino Directory to see if the client certificate exists in the Person document. If your organization uses a secondary Domino Directory and/or an LDAP directory to verify client certificates, you can set up Domino to check those additional directories. To do so, you set up the secondary Domino and LDAP directories as trusted domains in the Directory Assistance database.

  SSL session resumption
  SSL session resumption greatly improves performance when using SSL by recalling information from a previous successful SSL session negotiation to bypass the most computationally intensive parts of the SSL session key negotiation. HTTP is the protocol that benefits the most from SSL session resumption, but other Internet protocols may benefit as well.

Related concepts
SSL and S/MIME for clients

Related tasks
Setting up SSL on a Domino server
Setting up SSL on a server-based CA server

Help on Help

All Help Contents

Help on Help