SECURING
In this release, the on-premises Domino® server can use a credential store application (credstore.nsf). The credential store is a secure repository for document encryption keys and other tokens necessary for Notes® client users to grant access to applications that use the OAuth (open authorization) protocol. OAuth allows user credentials to be shared with compliant applications so that users avoid extra password prompts.
About this task
A credential store allows Notes users to authorize a Domino server application to access their resource data on an OAuth-compliant Web site without additional password prompts. In addition, you can centrally store OAuth consumer keys and secrets without requiring any insecure distribution of document encryption keys.
After you have created the credential store, you use it for central storage of the consumer key and secret that you create whenever you configure a Domino server application to access the Web using the OAuth protocol, as well as the access token generated when a Notes or iNotes® user authorizes the Domino application to access his or her data on an OAuth-compliant Web site.
Note: A credential store can also benefit iNotes client users. iNotes users accessing their mail are protected from cross-site referral forgeries across a cluster with additional password prompts.
Procedure
Perform the tasks in the following procedure.
2. Creating the credential store application in a cluster
You use Keymgmt commands at the Domino server console to set up the credential store application (credstore.nsf). When the application is used in a cluster, you also create replicas of it on each server.
3. Moving the credential store application
When you move or decommission a server that includes a credential store application (credstore.nsf), be sure to manage the movement of the credential store so that it functions properly after the change. Moving the credential store application requires different steps depending on whether the servers are in a cluster or not, and whether a server is being decommissioned. You perform all of the steps for moving a credential store at the Domino server console, and you can check the key fingerprints displayed either in the console itself or in the server console log. For syntax and examples of the Keymgmt commands, see the related topics.