INSTALLING
You can configure the deploy.nsf application to specify administrative trust settings using an Export option in the server's Domino® Directory (names.nsf) to add those settings to the install kit's deploy.nsf application.
About this task
The administrative trust defaults in deploy.nsf and the Internet certifiers in the install kit's Java™ keystore are processed to define trusted certifiers. The keystore is used directly during install, but is ignored at runtime. The deploy.nsf is processed at startup to add trust certifiers to the user's Contacts application (names.nsf) to be used at runtime.
You can install the deploy.nsf application as part of a Notes® client install kit.
You cannot manually edit or delete certificates in the deploy.nsf. You can only make changes to the installed deploy.nsf only by exporting from the server's Domino Directory to a new deploy.nsf and then overwriting the installed deploy.nsf with the new file. The notes.ini statement FORCE_PROCESS_DEPLOY_NSF=1 ensures that the deploy.nsf application is processed. Alternatively, you can simply use Domino policy. If there are certificates listed in the installed deploy.nsf and you overwrite the with a new deploy.nsf, any certificates that are not in the new deploy.nsf are deleted. If you are going to use this technique, maintain a central and cumulative deploy.nsf so as not to unintentionally delete certificates from a user's system.
Pushing administrative trust settings to users by customizing the install kit enables you to do the following:
Note: You should use the action Export Certificates to Deploy Database only to make changes to an existing deploy.nsf.
Note: If you use the Domino policy method (Keys and Certificates tab on the Security policy page) to push trust settings, then even if there is an installed deploy.nsf it will be ignored and the policy settings will instead be used. Any certificates resident in the Contacts application because of the deploy.nsf, and that are not specified in Domino policy, will be removed.
To add administrative trust settings to an install kit without pushing those settings from the Keys and Certificate tab on the Security policy page, proceed as follows.
Procedure
1. Log into a Domino Administrator or Notes client using an administrative ID.
4. Select all the Internet certifiers, and Notes and Internet cross-certificates, that you want to deploy.
6. Specify the location at which to create the Java keystores and the deploy.nsf application.
Note: If these files do not exist, they will be created.
Note: To augment an existing install kit, choose the deploy directory of that kit. The selected Internet certifiers will be added to any existing .keystore* files, and all selected documents will replace any certificate documents in the existing deploy.nsf.
location/.keystore.JCEKS.Java_HotSpot_Client_VM.install
location/.keystore.JCEKS.IBM_J9_VM.install
location/extras/deploy.nsf
Note: On Mac OS X the deploy directory is located at Lotus Notes Installer.mpkg\Contents\deploy\. To access it in Finder, right-click on Lotus Notes Installer.mpkg and choose Show Package Contents.
Note: Linux™ requires a different process. See the related topic on customizing installation for Linux.
The resultant deploy.nsf is based on the client's Contacts application template (pernames.ntf) and can be opened to check that all of the certificates have copied correctly.
If the resultant deploy.nsf application is not what you expected, or error messages appear during processing, start Notes and select Tools -> Show Java Debug Console to view log messages or Java exceptions and contact Support with that information.
Note: To ease performance, deploy.nsf is processed only when new components are installed to the Notes runtime by way of an add-on installer or the client is upgraded. To force deploy.nsf to be reprocessed, set the notes.ini variable FORCE_PROCESS_DEPLOY_NSF=1. After deploy.nsf is processed, the value resets to zero.
Related tasks Pushing trusted certificates to Notes clients Pushing certificates to clients through security policy settings Creating a cross-certificate from a Notes certifier Creating an Internet cross-certificate in the Domino Directory from a certifier document Signing custom or third-party features and plug-ins for install and update