CONFIGURING
A security policy settings document allows you to manage HCL Notes® and Internet passwords, configure customized password polices for your organization, set up key rollover, manage administration ECLs, push trusted cross-certificates to clients, and configure an ID vault. You can also configure settings for signed plug-ins and the home portal server for composite applications.
Before you begin
Make sure that you have Editor access to the HCL Domino® Directory and one of these roles:
Note: See the related topics for information on the Notes Shared Login tab and on using Notes shared login to suppress password prompts. For information on the Federated Login tab see the related topics for information on applying a Notes federated login configuration to users.
Note: For information on creating security policy settings for HCL iNotes® users, and using an HTTP-proxy servlet to restrict URLs to external servers, see the HCL iNotes administration product documentation at the related information.
Procedure
1. From the Domino Administrator, select the People & Groups tab, and then open the Settings view.
2. Click Add Settings and then choose Security.
3. On the Basics tab, complete these fields:
Managing Notes and Internet passwords
1. On the Password Management tab, complete the following option fields:
Note: When the password on a user's Notes ID is changed, the next time the user authenticates to a server the authentication process generates an Administration Process (AdminP) request to update the user's Password Digest field in the Person document in the directory. If the password is changed again less than two days after the previous request, the next authentication does not create a new password change request until two days have passed since that request.
For example, if a user changes their password on Monday, kicking off an AdminP request, and then changes it again on Tuesday, the authentication process does not create the second AdminP request until the user authenticates on Wednesday.
The same two-day delay applies when the notes.ini setting IDV_RESETPASSWORD_DIGEST is in use and a password is reset in the ID vault: in the example above, a new request is not created until a password reset occurs on Wednesday, two days after the previous one.
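The two-day spacing described in this note, modelled as an added example. This is illustrative code, not Domino's own, and it assumes what the note implies: a Password Digest request is only ever raised at an authentication event, and a change made during the delay is not lost but is carried to the next authentication that falls at least two days after the previous request. The event format and function names are invented for the example.

```python
from datetime import date, timedelta

# Minimum spacing between two Password Digest update requests for the same user,
# as described in the note above.
REQUEST_SPACING = timedelta(days=2)


def adminp_digest_requests(events):
    """events: (date, kind) pairs in chronological order, kind being "change"
    (Notes ID password changed) or "auth" (user authenticated to a server).
    Returns the dates on which an AdminP Password Digest update request is generated."""
    change_pending = False
    last_request = None
    requests = []
    for day, kind in events:
        if kind == "change":
            change_pending = True
        elif kind == "auth" and change_pending:
            # A request is raised only at authentication time, and only if the
            # previous request is at least two days old (assumption: a change made
            # inside the window is held over, not discarded).
            if last_request is None or day - last_request >= REQUEST_SPACING:
                requests.append(day)
                last_request = day
                change_pending = False
    return requests


# Constructed timeline: Monday 2024-06-03 through Thursday 2024-06-06.
MON, TUE, WED, THU = (date(2024, 6, 3) + timedelta(days=i) for i in range(4))


def example_from_note():
    """Change on Monday, change again on Tuesday, authenticate every day."""
    return adminp_digest_requests([
        (MON, "change"), (MON, "auth"),
        (TUE, "change"), (TUE, "auth"),
        (WED, "auth"),
    ])


def example_skipped_day():
    """Same changes, but the user does not authenticate on Wednesday."""
    return adminp_digest_requests([
        (MON, "change"), (MON, "auth"),
        (TUE, "change"), (TUE, "auth"),
        (THU, "auth"),
    ])


if __name__ == "__main__":
    print("requests (auth every day):   ", example_from_note())     # Monday, Wednesday
    print("requests (no Wednesday auth):", example_skipped_day())   # Monday, Thursday
```

The second scenario is the one to keep in mind when troubleshooting: the Person document's digest is not refreshed on Wednesday by itself, it is refreshed at whatever authentication happens next after the two days have elapsed.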
For additional information on IWA, see the technote Integrated Windows authentication (IWA) for Eclipse-based components within Lotus Notes in the related information.
Note: Do not enable password expiration if users use Smartcards to log in to Domino servers.
Note: If you set this value to less than 30, the value for the Warning period field is calculated automatically. The calculated value is 80% of the value entered for this field.
Note: The value of this field is calculated if the Required change interval setting is set at less than 30 days. Password expiration must be enabled in order for the value of this field to be calculated. If this value is calculated, it cannot be overwritten.
Note: The custom warning message is for Notes clients only, regardless of how you enabled password expiration. Internet users do not see the warning message.
About this task
Internet password lockout settings are ignored if your organization uses SAML for session authentication.
1. On the Password Management tab, complete the following lockout settings:
Note: The server must enforce Internet password lockout for these policy settings to be in effect.
Configuring custom password policies
You need to complete the following fields only if you have chosen to implement a custom password policy.
1. On the Password Management tab, under Password Management Options, select Yes for the Use Custom Password Policy for Notes Clients field.
Note: This only works if the policy is applied during user registration.
After you enter a number, a checklist appears, listing the character types you can specify for this requirement. You can pick any combination of the following:
Complete the fields on the Execution Control List tab to configure administration ECLs used in your organization.
Table 7. Execution Control List tab fields
If the admin ECL lists a signature that the client ECL does not list, then that signature and its settings are added to the client ECL.
If the client ECL and the admin ECL list the same signature, then the settings for that signature in the client ECL are discarded and replaced by those in the admin ECL.
Managing administration Execution Control Lists (ECLs)
When you set up the first server in a domain, Domino creates a default administration ECL, which you can then customize for your organization. You may need to have more than one type of admin ECL -- for example, one for contractors and one for full-time employees. You can use the Workstation Security: Admin Execution Control Lists dialog box to manage administration ECLs you have created. You can also use it to create new ones or to delete any that are no longer needed.
Note: The Edit and Manage buttons are displayed only when the security settings document is in edit mode.
1. On the Security Settings document toolbar, click Edit Settings.
2. Click Manage. The Workstation Security: Admin Execution Control Lists dialog box appears. Select from the following options:
Admin ECLs are stored independently of security settings documents. If you edit an administration ECL, the changes will be used by all the security settings documents that refer to that particular named admin ECL. If you delete an admin ECL, all security settings documents that referred to that particular admin ECL will use the default admin ECL. Once you delete an admin ECL, you cannot undo the deletion by clicking Cancel.
Clicking Cancel leaves the name of the admin ECL displayed in the settings document unchanged.
Enabling key rollover
Complete the fields on the Keys and Certificates tab to configure key rollover for groups of users. You specify triggers that initiate key rollover for a group or groups of users. You have the option of spacing out the rollover process over a specified period of time for the group of users to which this policy applies.
See the related topics for information on configuring AES for mail and document encryption.
1. In the Default public key Requirements field, specify settings for parent and child policies. Select one:
4. Under Certificate Expiration Settings, in the Warning period field, specify the number of days prior to certificate expiration at which the user receives an expiration warning message; the default is 0.
5. Under Certificate Expiration Settings, in the Custom warning message field, enter a custom warning message to be sent to users whose certificate is within the number of days of expiration specified in the Warning period field.
Enabling Online Certificate Status Protocol (OCSP) checking
The Online Certificate Status Protocol (OCSP) enables applications to determine the revocation state of an identified certificate. OCSP checks are made during S/MIME signature verification and mail encryption by the Notes client. OCSP is enabled through a policy, using the Enable OCSP checking setting on the Keys and Certificates tab of the Security settings document.
Applying trusted cross-certificates to clients
You can avoid user prompts to create cross-certificates. Use the Administrative Trust Defaults section of the Keys and Certificates tab to apply trusted Internet certificates, Internet cross-certificates, and Notes cross-certificates to Notes clients. For information on applying (sometimes called pushing) trusted certificates to clients, see the related topics.
Configuring installation of signed plug-ins
Plug-ins can be provisioned to a Notes user and are ordinarily signed with a certificate that the Notes client trusts; the signature lets the client verify that the data they contain has not been altered. Users can then install or update the signed plug-ins.
Occasionally, a plug-in is found to have a problem: it is unsigned, it is not signed with a trusted certificate, or its certificate has expired or is not yet valid. For these cases you can set a policy to never install such plug-ins, always install them, or ask users to decide at the time the plug-in is installed on their computers.
You can time-stamp plug-in jar signatures with the jarsigner tool provided by the Java SDK to ensure the long-term validity of plug-in signatures. The Notes client uses the time stamp included with a plug-in jar signature to determine whether the signing certificate was valid at the time of signing. If a plug-in signing certificate has expired but was valid at the time of signing, Notes accepts it, so users do not see security prompts during plug-in installation or provisioning. Use the Ignore expiration for time stamping certificate setting on the Signed Plug-ins tab to control whether signed plug-ins whose time-stamping certificate has expired can be installed; by default, their installation is allowed.
Table 10. Ignore expiration for time stamping certificate settings
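The decision the Notes client makes for a signed plug-in, as described in this section, modelled as an added example. This is illustrative code, not HCL's implementation. It assumes that the three policy choices (never install, always install, ask the user) are assigned per problem case, and that when "Ignore expiration for time stamping certificate" is in effect the expired time-stamping certificate must still have been valid at the time asserted in the time stamp. Class names, field names and the sample certificates and dates are invented for the example.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class Action(Enum):
    # The three outcomes the Signed Plug-ins tab lets you assign to a problem plug-in.
    NEVER_INSTALL = "never install"
    ALWAYS_INSTALL = "always install"
    ASK_USER = "ask the user"


@dataclass(frozen=True)
class Cert:
    subject: str
    not_before: datetime
    not_after: datetime
    trusted: bool  # True if the certificate chains to one the Notes client trusts

    def valid_at(self, when: datetime) -> bool:
        return self.not_before <= when <= self.not_after


@dataclass(frozen=True)
class JarSignature:
    signer: Cert
    timestamp: Optional[datetime] = None  # time asserted by the TSA, if the jar was time-stamped
    tsa_cert: Optional[Cert] = None       # certificate of the time-stamping authority


@dataclass(frozen=True)
class SignedPlugInPolicy:
    unsigned: Action
    untrusted: Action
    expired_or_not_yet_valid: Action
    ignore_tsa_cert_expiration: bool = True  # the page says this is allowed by default


def evaluate(sig: Optional[JarSignature], policy: SignedPlugInPolicy, now: datetime):
    """Return (reason, action); action is None when the plug-in installs without a prompt."""
    if sig is None:
        return "unsigned", policy.unsigned
    if not sig.signer.trusted:
        return "not signed with a trusted certificate", policy.untrusted
    if sig.signer.valid_at(now):
        return "signature valid", None
    # The signer certificate is expired or not yet valid at install time: a trusted
    # time stamp can still prove the signature was made while the certificate was valid.
    if sig.timestamp is not None and sig.tsa_cert is not None and sig.tsa_cert.trusted:
        # Assumption: an expired TSA certificate is only ignored if it was valid at the time stamp.
        tsa_ok = sig.tsa_cert.valid_at(now) or (
            policy.ignore_tsa_cert_expiration and sig.tsa_cert.valid_at(sig.timestamp)
        )
        if tsa_ok and sig.signer.valid_at(sig.timestamp):
            return "signer certificate expired but was valid at time of signing", None
    return "certificate expired or not yet valid", policy.expired_or_not_yet_valid


# Constructed sample data (not real certificates or dates from any deployment).
UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=UTC)
SIGNER = Cert("CN=Acme Plug-in Signing", datetime(2021, 1, 1, tzinfo=UTC), datetime(2023, 12, 31, tzinfo=UTC), True)
SELF_SIGNED = Cert("CN=Unknown Developer", datetime(2024, 1, 1, tzinfo=UTC), datetime(2026, 1, 1, tzinfo=UTC), False)
TSA_EXPIRED = Cert("CN=Example TSA 2020", datetime(2020, 1, 1, tzinfo=UTC), datetime(2023, 6, 30, tzinfo=UTC), True)
TSA_CURRENT = Cert("CN=Example TSA 2022", datetime(2022, 1, 1, tzinfo=UTC), datetime(2027, 1, 1, tzinfo=UTC), True)
POLICY = SignedPlugInPolicy(Action.NEVER_INSTALL, Action.ASK_USER, Action.ASK_USER)
STRICT_POLICY = replace(POLICY, ignore_tsa_cert_expiration=False)


def demo():
    """Scenarios to check before relying on time-stamped plug-in signatures."""
    signed_at = datetime(2023, 3, 15, tzinfo=UTC)   # inside SIGNER's validity period
    signed_late = datetime(2024, 2, 1, tzinfo=UTC)  # after SIGNER expired
    return {
        "unsigned": evaluate(None, POLICY, NOW),
        "untrusted": evaluate(JarSignature(SELF_SIGNED), POLICY, NOW),
        "expired_no_timestamp": evaluate(JarSignature(SIGNER), POLICY, NOW),
        "expired_current_tsa": evaluate(JarSignature(SIGNER, signed_at, TSA_CURRENT), POLICY, NOW),
        "expired_expired_tsa_ignored": evaluate(JarSignature(SIGNER, signed_at, TSA_EXPIRED), POLICY, NOW),
        "expired_expired_tsa_strict": evaluate(JarSignature(SIGNER, signed_at, TSA_EXPIRED), STRICT_POLICY, NOW),
        "timestamp_after_expiry": evaluate(JarSignature(SIGNER, signed_late, TSA_CURRENT), POLICY, NOW),
    }


if __name__ == "__main__":
    for name, (reason, action) in demo().items():
        outcome = "install silently" if action is None else action.value
        print(f"{name:28} {reason:52} -> {outcome}")
```

The last two scenarios are the ones worth reproducing in a test environment: a time stamp that is later than the signing certificate's expiry proves nothing and falls back to the expired-certificate policy, and turning off "Ignore expiration for time stamping certificate" means every plug-in whose TSA certificate has since expired will hit that same policy, which in most deployments means user prompts or silent failure to install.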
Configuring Portal Server settings
Table 11. Portal server settings
Note: For information on the ID Vault and Proxies tabs, see the related topics.
Related concepts
Using Notes Shared Login to suppress password prompts
Managing Internet passwords
Enabling integrated Windows authentication (IWA) for Eclipse-based clients
Setting up Notes clients for S/MIME
Name-and-password authentication for Internet/intranet clients
Customizing Notes using plugin_customization.ini
Using Domino policy to set or verify trust for client plug-ins
Notes ID vault
Related tasks
Enabling Notes federated login
Securing Internet passwords
Configuring encryption for ID files
The execution control list
Configuring AES for mail and document encryption
Setting up Notes and Internet clients for TLS client authentication
User and server key rollover
Pushing certificates to clients through security policy settings
Creating or editing ID vault policy settings documents manually
Signing custom or third-party features and plug-ins for install and update
Related reference
Custom password policies
Default ECL settings
The password quality scale
Related information