Clients can use a Domino® certificate authority (CA) application or a third-party CA to obtain certificates for secure TLS and S/MIME communication.
Authenticating clients and servers using TLS
Notes® and other Internet clients use the TLS protocol to encrypt data, authenticate server identity and, optionally, authenticate client identity when a Notes or other Internet client connects to an Internet server -- for example, a Web server or an LDAP server.
On the server, TLS is set up on a protocol-by-protocol basis. You can enable TLS on all protocols or enable TLS on some protocols but not others. For example, you can enable TLS on mail protocols (IMAP, POP3, SMTP) and disable it for HTTP.
Server authentication lets clients verify the identity of the server to which they are connecting, to make sure that another server is not posing as the server they want to access.
Client certificate authentication lets server administrators identify the client accessing the server and control access to applications based on that identity. For example, if you want Alan Jones to have Editor access to a database and all others accessing the database to have no access, you can set up the application database ACL to include Alan Jones as an Editor and Anonymous as No Access.
Notes and other Internet clients that use client certificate authentication hold an Internet certificate: a Notes client keeps it in the Notes ID file, other Internet clients keep it in a local file (for example, a browser's certificate store). The certificate includes a public key, a name, an expiration date, and the certifier's digital signature. The matching private key is also stored in the ID file, separately from the certificate; it never leaves the client, and the server verifies during the TLS handshake that the client holds it. For Notes clients, the certificate is also stored in the Domino Directory so that others can look up the public key.
Notes and Internet clients can obtain Internet certificates from either a Domino certification authority or a third-party certifier.
How you set up the client depends on whether the server requires client certificate authentication.
As an administrator, you should carefully consider whether you want to require client certificate authentication. If you do not need to identify Internet users who access the server, you do not need to set up client authentication. In fact, in some cases, requiring an Internet certificate may deter users from accessing a server -- for example, a server that hosts a Web site. If you require an Internet certificate, users need to perform additional steps to obtain the certificate and set up client certificate authentication.
Note: Enabling the setting Accept TLS Site Certificates in the Location document lets the Notes client skip cross-certificate checking, and with it server authentication, entirely: the client then connects to any server regardless of who signed its certificate, so a server posing as the one the user wanted cannot be detected. The user can also choose to create cross-certificates on the fly when connecting to a server over TLS; in that case the trust decision rests with the user rather than with the administrator.
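The trust decisions described above, shown as an added worked example in Go; this is not Domino code or part of the HCL documentation. It builds a throwaway PKI in memory (a certifier named Acme Internet CA, a server certificate for mail.example.com, a user certificate for Alan Jones, and two self-signed impostors; all names are illustrative and constructed here) and then runs the check each side of a TLS connection makes. A trust store that holds only the certifier stands in for the cross-certificate a Notes client needs, the acceptAny flag models Accept TLS Site Certificates, and identifyClient maps a presented certificate to the name the application ACL sees, with no certificate meaning Anonymous.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// identity pairs a certificate with its private key, as a Notes ID file does.
type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue makes a P-256 key and a certificate for cn, self-signed if parent is nil.
func issue(cn string, sans []string, isCA bool, parent *identity) identity {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage |= x509.KeyUsageCertSign
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: sans,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: usage, BasicConstraintsValid: true, IsCA: isCA,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return identity{cert, key}
}

// The constructed PKI (illustrative names). Only the certifier is trusted, which
// is what a cross-certificate gives a Notes client; mallory and rogue are
// self-signed certificates that merely claim a trusted name.
var (
	ca      = issue("Acme Internet CA", nil, true, nil)
	server  = issue("mail.example.com", []string{"mail.example.com"}, false, &ca)
	alan    = issue("Alan Jones", nil, false, &ca)
	mallory = issue("Alan Jones", nil, false, nil)
	rogue   = issue("mail.example.com", []string{"mail.example.com"}, false, nil)
	trust   = x509.NewCertPool()
)

func init() { trust.AddCert(ca.cert) }

// verifyServer is the client's half of server authentication: the certificate must
// chain to a trusted certifier and name the intended host. acceptAny models
// Accept TLS Site Certificates, which performs no check at all.
func verifyServer(presented *x509.Certificate, host string, acceptAny bool) error {
	if acceptAny {
		return nil
	}
	_, err := presented.Verify(x509.VerifyOptions{Roots: trust, DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// identifyClient is the server's half: no certificate means Anonymous; a certificate
// a trusted certifier vouches for yields the name it carries; anything else is
// refused, whatever name it claims.
func identifyClient(presented *x509.Certificate) (string, error) {
	if presented == nil {
		return "Anonymous", nil
	}
	if _, err := presented.Verify(x509.VerifyOptions{Roots: trust, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err
	}
	return presented.Subject.CommonName, nil
}

// aclLevel mirrors the page's ACL: Alan Jones is an Editor, everyone else No Access.
func aclLevel(name string) string {
	if name == "Alan Jones" {
		return "Editor"
	}
	return "No Access"
}

func main() {
	fmt.Println("genuine server:", verifyServer(server.cert, "mail.example.com", false))
	fmt.Println("wrong host name:", verifyServer(server.cert, "ldap.example.com", false))
	fmt.Println("impostor, verifying:", verifyServer(rogue.cert, "mail.example.com", false))
	fmt.Println("impostor, site certs accepted:", verifyServer(rogue.cert, "mail.example.com", true))
	for _, c := range []*x509.Certificate{alan.cert, nil, mallory.cert} {
		who, err := identifyClient(c)
		fmt.Printf("client %q -> %s (err: %v)\n", who, aclLevel(who), err)
	}
}
```

The two impostor cases are the point. A self-signed certificate for mail.example.com is refused only while verification is on; with acceptAny set, the client has no way to tell it from the genuine server. On the server side, a self-signed certificate naming Alan Jones gets its holder nothing, because the name in a certificate counts only when a certifier the server trusts has signed it; the ACL entry for Alan Jones is only as strong as that trust decision.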
Securing messages with S/MIME
S/MIME is a protocol clients use to sign mail messages and to send encrypted mail over the Internet to users of mail applications that also support S/MIME, for example Microsoft™ Outlook Express®. To encrypt a message, the Notes client uses the recipient's public key, taken from the recipient's Internet certificate in Contacts, the Domino Directory, or an LDAP directory.
An encrypted message cannot be read in transit by anyone other than the holder of the recipient's private key. An electronically signed message shows that whoever signed it had access to the private key that matches the certificate carried in the signature; whether that certificate itself is trusted is a separate decision, made against the cross-certificates the client holds.
Pushing trusted certificates to Notes clients
You can create cross-certificates in the Domino Directory for Internet certifiers and Notes certifiers and then push the cross-certificates to the Contacts application on Notes clients. The cross-certificates establish the client's trust in a certifier when accessing servers, reading encrypted S/MIME mail, or installing signed Notes client plug-ins. When you push cross-certificates, users do not have to create the cross-certificates themselves or retrieve them from the Domino Directory.
Internet certificates for TLS and S/MIME
Before Internet and Notes clients can use client authentication or send signed mail, they must have an Internet certificate. To send encrypted mail using S/MIME, they must also have the recipient's Internet certificate.
Setting up Notes clients for S/MIME
You can set up a Notes client to use S/MIME encryption and electronic signatures when sending mail to other users of mail applications that support S/MIME.
Setting up Notes and Internet clients for TLS client authentication
You can set up a Notes or Internet client for client authentication with a server. You cannot use client authentication for SMTP and IIOP connections.
Setting up TLS for Notes or Domino using SMTP
A Notes client or Domino server can act as an SMTP client when routing mail to an SMTP server. The Notes client or Domino server can use TLS to connect to a Domino server running the SMTP service or to another type of SMTP server. You cannot set up a Notes client or Domino server for TLS client authentication when connecting using SMTP.
Using TLS when setting up directory assistance for LDAP directories
Directory assistance allows you to extend directory services from a server's primary Domino Directory to other Notes directories, such as secondary Domino Directories, and to remote LDAP directories. To set up directory assistance, you create a directory assistance database from the DA.NTF template, and then create Directory Assistance documents in the database to configure services for specific directories.
OCSP for X.509 certificate revocation checking
The Online Certificate Status Protocol (OCSP) enables applications to determine the revocation state of an identified certificate. OCSP may be used to satisfy some of the operational requirements of providing more timely revocation information than is possible with certificate revocation lists (CRLs), and may also be used to obtain additional status information. An OCSP client sends a status request for the certificate in question to an OCSP responder and does not accept the certificate until the responder provides a response.
Related concepts
TLS security
Encryption