WHAT'S NEW IN DOMINO 12?
These are the security features and enhancements provided with HCL Domino 12.
Time-based one-time password (TOTP) authentication
When users log on to a Domino Web server, you can require that they provide time-based one-time passwords in addition to their user names and passwords.

Enforce internet password lockout based on IP address
Starting with HCL Domino 12, you can enforce internet password lockouts for users who are not in the directory according to IP addresses.

TLS 1.0 is disabled by default
Domino 12 disables Domino's support for TLS 1.0 by default, leaving TLS 1.2 as the currently supported TLS protocol version.

Two new curves supported for TLS 1.2 ciphers that use ECDHE for forward secrecy
The TLS 1.2 ciphers that use Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) for forward secrecy now support two new curves: X25519 and X448.

New template signing ID uses 2048-bit keys
A new template signing ID, CN=Domino Template Development/O=Domino, provides stronger encryption using 2048-bit keys. Templates that are new or modified in Notes and Domino 12 are signed with the new ID.

NRPC port encryption supports forward secrecy using X25519
Support for forward secrecy (https://en.wikipedia.org/wiki/Forward_secrecy) using X25519 (https://en.wikipedia.org/wiki/Curve25519) has been added to NRPC port encryption on the Domino 12 server.

Import internet certificates that contain unsupported critical extensions
You can now allow internet certificates that contain critical extensions that are unsupported by Domino to be imported into the Domino directory or Notes personal address book.

Suppress key rollover alerts during ID vault synchronization
You can disable the key rollover alert that is shown routinely when a Notes ID is synchronized with the ID vault.

New Query Vault command options
The Query Vault (qvault) command provides options to inactivate and reactivate users' ID vault documents.

Upload IDs to the vault manually
Vault administrators and users can upload IDs to the ID vault manually through the Domino directory.

Support for SameSite cookie
You can now configure the SameSite cookie attribute to enable a Domino Web server to assert that browsers can only send cookies that originate from the Domino server Web site.

Web server GET /names.nsf?Login requests prevented by default
For improved security, Domino 12 Web servers do not allow GET /names.nsf?Login requests by default.

New Web server login form
The login form $$LoginUserFormMFA is provided as a modern-looking login form for Web users. The login form is required if you configure time-based one-time password (TOTP) authentication but can be used even if you don't use TOTP.