Domino Consulting - HCL Domino Administrator 12 Help

SECURING

Configuring the secondary domain for cross-domain TOTP authentication

Complete these steps to configure TOTP authentication for the secondary domain.

About this task

This procedure uses Domain1 for the primary domain name and Domain2 for the secondary domain name.

Procedure

1. Add the following notes.ini setting to all Web servers in Domain2 and to the ID vault server in Domain2:

ENABLE_IDV_CROSSDOMAIN_AUTHENTICATION=1

2. Ensure that the Domain2 Domino directory has a Notes cross-certificate at the /Org level for the Domain1 /Org that establishes trust.

3. Create a replica of the Domain1 Domino directory on the ID vault server for Domain2.

4. Configure directory assistance on the ID vault server for Domain2 to look up names in its local replica of the Domain1 Domino directory.

Create a directory assistance database (if not created already) on the ID vault server for Domain2.

b. Add a Directory Assistance Document for the Domain1 Domino directory. The following fields in the document are required.

On the

Basics

tab:

Domain type SelectNotes.
Domain name Specify the Domino domain of the secondary directory.
Make this domain available to SelectNotes Clients & Internet Authentication/Authorization
Enabled SelectYes.

On the

Naming Contexts (Rules)

tab, select

Enabled

Yes

and

Trusted for Credentials

Yes

for at least one rule that applies to the primary domain. You can use the default N.C. 1 rule.

On the Domino tab, specify the replica of the Domain1 Domino directory that you created on the ID vault server in Domain2.

For additional information, see Creating a Directory Assistance document for a Domino Directory or extended directory catalog.

At the Domino server console of the ID vault server, run the command sh xdir to verify the configuration. You should see output similar to the following output:

[11A4:0006-105C] DomainName DirectoryType ClientProtocol Replica/LDAP Server

[11A4:0006-105C] --------------- --------------------- -------------- -----------------------

[11A4:007C-105C] 1 Domain2 Primary-Notes Notes & LDAP names.nsf

[11A4:007C-105C] 2 Domain1 Secondary-Notes Notes names-server1.nsf

5. Run the following command twice from the server console of the ID vault server to create Multi-Factor Authentication Certificates for both the Domain1 Org and the Domain2 Org.

mfamgmt create trustcert <Notes DN to allow> <certifier ID file> <certifier password>

For example:

mfamgmt create trustcert */O=Org1 cert.id sr$1ulxl47o mfamgmt create trustcert */O=Org2 cert.id tr$polx3p98

The certificates are created in the Domain2 Domino directory.

6. Replicate the Domain2 Domino directory and Directory Assistance database to all participating ID vault servers in Domain2.

Parent topic: Configuring cross-domain TOTP authentication

Help on Help

All Help Contents

Help on Help

All Help Contents