Domino Consulting - HCL Domino Administrator 12 Help

SECURING

ID vault notes.ini settings

The following notes.ini settings pertain to the ID vault.

ENABLE_AUTORECOVERY_FROMBADPASSWORD

Syntax

ENABLE_AUTORECOVERY_FROMBADPASSWORD=1

Default

None

Description

Replace the ID file in the ID vault with the local ID on the Notes client when synchronization remains stopped for longer than seven days due to mismatched passwords between the local and vault ID files. For more information, see Enabling automatic restart of ID file synchronization.

Applies to

Vault servers

IDVAULT_COUNT1

Syntax

IDVAULT_COUNT1=number

Default

None

Description

Number of Notes sessions since the Notes client last synced with the ID vault. This is a session counter that increments when the Notes client starts and zeroes out when the client syncs. This setting is used with IDVAULT_STAMP1.

Administrators don't control this setting.

Applies to

Notes clients

IDVAULT_RESYNC_INTERVAL

Syntax

IDVAULT_RESYNC_INTERVAL=<minutes>

Default

480 (8 Hours)

Description

This setting controls how soon after the last successful sync with the ID vault Notes clients attempt to sync again. The IDVAULT_STAMP1 setting records the time of the last successful sync.

The lower the IDVAULT_RESYNC_INTERVAL value the sooner changes are synced. This setting also controls the balance between resources used on the server. The higher the value the less balance between resources.

For example, a company wants to sync changes to IDs in the vault to clients within five hours rather than eight hours. The ID vault server can handle the increased load. The company uses the following setting:

IDVAULT_RESYNC_INTERVAL=300

Note:

When users don't run their Notes clients for extended periods, sync occurs automatically when they restart their clients. Weekends, holidays, and company shutdowns are taken into account so that a "sync storm" does not occur after those events.
To prevent a heavy load on the server when the ID vault is first enabled for a large group of users, we stagger the time that each user attempts their first sync with the vault for the Notes session. This time is a random point between 1 poll cycle (default 5 mins) and the IDVAULT_RESYNC_INTERVAL value.

Applies to

Notes clients

IDVAULT_STAMP1

Syntax

IDVAULT_STAMP1=Date/Time

Default

None

Description

Last time a Notes client synchronized with the ID vault.

If it has been more than 24 hours since the last sync and IDVAULT_COUNT1 is greater than 4, then the client synchronizes immediately.

Otherwise, the IDVAULT_RESYNC_INTERVAL value added to this value determines when the client next attempts to sync with the vault to check for changes.

Administrators don't control this setting.

Applies to

Notes clients

IDV_ENABLE_VAULT_SCAN

Syntax

IDV_ENABLE_VAULT_SCAN=value

IDV_ENABLE_VAULT_SCAN=1 enables maintenance of ID file synchronization
IDV_ENABLE_VAULT_SCAN=0 disables maintenance of ID file synchronization

Default

IDV_ENABLE_VAULT_SCAN=1

Description

Controls whether the Query Vault (qvault) command can be run. For more information on this command, see Monitoring ID synchronization.

Applies to

Vault servers, Domino Administrator clients

IDV_POLL_INTERVAL

Syntax

IDV_POLL_INTERVAL=<milliseconds>

Default

5000 ms (5 seconds)

Description

The maximum time allowed for an ID download from the ID vault to the Notes client. An ID download is attempted when a user provides an incorrect password or a new password after a password change. Specify a value in milliseconds.

For example, at a small company an ID vault server is also used as an application server and server response can be slow. An administrator uses the following setting to increase the interval to 10 seconds to give the vault server time to respond:

IDV_POLL_INTERVAL=10000

If access to the vault server is slow, you can use this setting to solve two problems:

When a user enters the correct password for the ID in the vault but the ID is not downloaded within this period the user is told the password is wrong. The user must try again with the same password. To reduce the likelihood of this problem on slower systems, increase this maximum wait time.
When a user miss-types the password and the vault server does not respond with an error quickly, the user must wait this amount of time before they are told that their password is wrong

Select a value that is a balance between these two needs.

Applies to

Notes clients

IDV_RESETPASSWORD_DIGEST

Syntax

IDV_RESETPASSWORD_DIGEST=2

Updates the password digest field in a Person document after resetting a password in the ID vault.

Default

IDV_RESETPASSWORD_DIGEST=0 (No action)

Description

When you reset a password on a Notes ID in the vault and the Check password on Notes id file option is enabled in a user policy, use this setting on the Domino server with the ID vault to create an administration process request to update the password digest in the user's Person document to match the new password. Only ID files with this password digest can access the server after the administration process request is processed. For more information, see Resetting the password on an ID in a vault.

Applies to

Vault servers

IDVaultLastFlushTime

Syntax

IDVaultLastFlushTime=<date/time>

Default

None

Description

When the value of the IDVaultLastServer variable was last changed.

Administrators don't control this setting.

Applies to

Notes clients

IDVaultLastServer

Syntax

IDVaultLastServer=<vault server>

Default

None

Description

The name of the vault server last successfully used. This server is tried for ID vault transactions to avoid the cost of asking the home server for a referral list.

The variable is deleted every two weeks to ensure load balancing occurs among the vault replicas after a change in replicas or a replica failure / recovery.

Administrators don't control this setting.

Applies to

Notes clients

IDVault_Max_Auth_Failure_Cache_Size

Syntax

IDVault_Max_Auth_Failure_Cache_Size=<size>

Default

500

Description

The number of bad password entries in the bad password cache that trigger a log error when an ID vault is used. When a user enters a bad password, a bad password entry is made in a cache. The cache is cleared daily. If the limit is reached, an error is logged suggesting that too many people have entered bad passwords and the administrator should check the log for an attack.

For example, a company's ID vault holds a very large number of ID files and people often legitimately forget their passwords, so the company uses the following setting to increase the value to 1000:

IDVault_Max_Auth_Failure_Cache_Size = 1000

Applies to

Vault servers

IDVault_Max_Auth_Failures

Syntax

IDVault_Max_Auth_Failures=<number>

Default

Description

The maximum number of consecutive download attempts that are allowed in a day before attempts are denied. Consecutive failed attempts are kept in the bad password cache.

Applies to

Vault servers

SECURE_DISABLE_AUDITOR

Syntax

SECURE_DISABLE_AUDITOR=1

Default

SECURE_DISABLE_AUDITOR=0

Description

When set to 1, disables the vault administrator Auditor role. The Auditor role is enabled by default and allows a vault administrator to extract an ID file from the vault without knowing its password. For more information, Extracting an ID file from a vault.

Note: To set this variable, you must edit the notes.ini file directly on the server.

Applies to

Vault servers

Parent topic: Notes ID vault

Help on Help

All Help Contents

Help on Help

All Help Contents