
ID209: Lotus Notes and Domino Security: Basics and Beyond

Kevin Lynch
IBM Lotus Software Group

Notes and Domino Security Overview
Single Sign On Considerations
Feature Refresher - R6 and Beyond
Questions & Answers

Challenges to Building Secure Systems

How can I control who reads/writes
How can I know you are who you say you are?
How can I protect information from disclosure?
How can I be sure someone really wrote

Domino Security
Enhance interoperability
Reduce cost of development, administration,
Technical Strategy - Adopt standards-based
data structures - certificates
protocols - secure email
interfaces - architecture and design

Notes/Domino Security
Mutual Authentication and Validation
Access Control Lists for servers, databases, views, documents, sections and fields
Roles-based access control

Port Encryption
Mail Encryption
Document Encryption
Database Encryption

Digital signatures
Data integrity
Originator authentication

Execution Control Lists

ACLs and ACL-like Controls

Access to the Network (Firewalls)
Access to Servers
Rights to Databases
Depositor / Reader / Author / Editor / Designer /

Rights to Documents
Reader Lists / Author Lists

Rights to Sections
Rights to update sections of a document can be controlled independently

What is a PKI?
All of these things working together:
Certificate authorities
Directories for storing and retrieving Certificates
Policies for deciding which certifiers to trust
Mechanisms for authenticating endpoints, issuing certificates, and delivering them
Some means of expiration/revocation

Types of Cryptography
Secret key (aka Symmetric key)
Same key used to encrypt and decrypt
Public key (aka Asymmetric key)
Each person has a pair of keys:
Public key which is published
Private key which is kept secret
Public key is used to encrypt, private key to decrypt

Encryption for Privacy

Secret Key Encryption (e.g. 3DES, RC2, IDEA)
[Diagram: the same Key A is used to encrypt and to decrypt]

Public Key Encryption (i.e. RSA)
[Diagram: the Public Key encrypts, the Private Key decrypts]

Encryption for Integrity and Origin

Secret Key Signatures
[Diagram]

Public Key Signatures (encrypted message digest)
[Diagram: the Private Key signs the digest, the Public Key verifies it]

Public Key Certificates

A message signed by a certifier stating: "Jane Doe's public key is 4829b3d28f386h"
Certificate Authority
A trusted third party
Signs certificates to demonstrate trust and assure identity and public key assoc.
CA's public key must be known

Signer of certificates (CA) must be trusted

Server must trust signer of client cert
Client must trust signer of server cert

Public Key Authentication

Every user and server has private/public key pair and
Certificate Authorities (and Notes certifier IDs) sign
Private key is stored in ID file encrypted with a
Public key and certificates are held in ID file and posted in the Domino directory

Notes Authentication
Two-way authentication based on proof of knowledge of private key

[Diagram: the exchange between Alice and the Server]
Alice: "I'm Alice, here are my certificates"
Server: Find trusted CA, check public key
Server: "I'm Server, here are my certificates"
Alice: Find trusted CA, check public key
Server: Encrypt random challenge with Alice's public key
Server: "If you're Alice, what's this number?"
Alice: Decrypt challenge with private key
Alice: "The number was x"
Alice: Encrypt random challenge with Server public key
Alice: "If you're Server, what's this number?"
Server: Decrypt challenge with private key
Server: "The number was y"
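As an added example (not from this deck or from IBM's code), the Public Key Certificates and Notes Authentication slides modelled in Python: a certifier signs a name/public-key binding, each side checks the certificate against the CA it trusts, then proves possession of its private key by decrypting a random challenge. It uses textbook RSA on small constructed primes so it runs offline; the key sizes, certificate layout and the "Alice"/"Server" keys are stand-ins, not Notes' real ones.

```python
import hashlib
import secrets

# Textbook RSA on small constructed primes: a stand-in for the 1024-bit keys the
# slides mention, small enough to run offline in pure Python.
def keygen(p, q, e=65537):
    """Return ((n, e), (n, d)) for constructed primes p and q."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)

def rsa(key, x):
    """Raw RSA: a public key encrypts or verifies, a private key decrypts or signs."""
    n, exponent = key
    return pow(x, exponent, n)

def cert_body(name, pub):
    """The statement a certifier signs (as on the Public Key Certificates slide)."""
    return f"{name}'s public key is {pub}"

def digest(text, n):
    """Message digest reduced into the modulus; toy-sized keys make this necessary."""
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big") % n

def issue_cert(ca_priv, name, pub):
    """Certifier signs the binding; the signature is an encrypted message digest."""
    sig = rsa(ca_priv, digest(cert_body(name, pub), ca_priv[0]))
    return {"name": name, "pub": pub, "sig": sig}

def verify_cert(trusted_ca_pub, cert):
    """'Find trusted CA, check public key': undo the signature and compare digests."""
    expected = digest(cert_body(cert["name"], cert["pub"]), trusted_ca_pub[0])
    return rsa(trusted_ca_pub, cert["sig"]) == expected

def challenge_response(trusted_ca_pub, cert, claimant_priv):
    """One direction of the handshake: 'If you're Alice, what's this number?'"""
    if not verify_cert(trusted_ca_pub, cert):
        return False                         # untrusted certifier or tampered certificate
    x = secrets.randbelow(cert["pub"][0])    # fresh random challenge
    c = rsa(cert["pub"], x)                  # encrypted with the claimant's public key
    answer = rsa(claimant_priv, c)           # only the private-key holder recovers x
    return answer == x                       # "The number was x"

def mutual_authenticate(ca_pub, alice_cert, alice_priv, server_cert, server_priv):
    """Two-way: the server checks Alice, then Alice checks the server."""
    return (challenge_response(ca_pub, alice_cert, alice_priv)
            and challenge_response(ca_pub, server_cert, server_priv))
```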

I'net Public Key Authentication

Every user and every server has at least one private/public key pair and certificate, stored in key ring file or browser
Certificate Authorities sign certificates using standards (X.509 V3)
Authentication is through SSL

I'net Certificate Authentication

Two-way authentication based on proof of knowledge of private key

[Diagram: the SSL exchange between Alice's browser and the Server]
Alice: "Hello, I'm Alice"
Server: "I'm Server, here are my certificates"
Alice: Find trusted CA, check public key
Alice: Encrypt secret encryption key with server public key
Alice: "Here's a secret"
Server: Decrypt secret key with Server private key - use for secure data exchange
Server: "Send your certificates"
Alice: "Here are my certificates"
Server: Find trusted CA and check public key
Both: Secure data

Single Sign On
Users want...
Fewer IDs and passwords to remember/forget
Fewer places to change passwords
Fewer prompts when using application(s)
Administrators want...
Less overhead in creating and maintaining IDs and
Increased security, arguably

Why is it so difficult to achieve?

Each application system has its own unique...
Security system
Directory structure
Naming conventions
Each company has multiple...
HTTP servers

Single Sign On
Centralize or Synchronize?
Technology assists
Web Realms
HTTP Session Authentication
Domino Web Server API (DSAPI)
LDAP v3 client integrated with Notes client
Domino with Microsoft IIS
Directory options - Public Address Book (R4.6 server), Domino directory (R5.0 server) configured for LDAP, or foreign LDAP directory

Web Realms

Problem: User is prompted for username and password for each directory
Solution: Web Realms reduce redundant password prompts
Zone of protection in file system
Define Web Realm in document in the Domino
Browser caches the username and password

HTTP Session Authentication Support

"Log in"
Occurs at authentication
Creates unique session ID on that server
Creates browser cookie with Session ID

"Log out"
Session ID is invalidated on server
Cookie is destroyed

Name and password only passed once
Credential sent every time (regardless of realm)
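An added example (not from the deck) of the log in / log out life cycle described above: the name and password are checked once, a unique session ID is created on the server and handed back in a cookie, and logging out invalidates the ID server-side so a replayed cookie no longer authenticates. The cookie name and attributes, and the constructed directory, are assumptions rather than Domino's own.

```python
import hmac
import secrets

# Constructed directory for the example: user name -> password. A real server
# checks the name and password against its directory; this stands in for that.
DIRECTORY = {"Alice": "correct horse battery"}

def directory_check(name, password):
    """Constant-time comparison of the supplied password with the stored one."""
    return hmac.compare_digest(password, DIRECTORY.get(name, ""))

class SessionStore:
    """Server-side table of live sessions; the cookie is only a handle into it."""
    COOKIE = "SessionID"  # assumed cookie name, not Domino's

    def __init__(self, check_password):
        self._check_password = check_password
        self._sessions = {}  # session ID -> authenticated user name

    def login(self, name, password):
        """'Log in': name and password are passed once; returns a Set-Cookie value."""
        if not self._check_password(name, password):
            return None
        sid = secrets.token_urlsafe(32)  # unique, unguessable ID created on this server
        self._sessions[sid] = name
        return f"{self.COOKIE}={sid}; Path=/; HttpOnly"

    def _session_id(self, cookie_header):
        """Pull our cookie out of a Cookie header such as 'a=1; SessionID=...'."""
        for part in cookie_header.split(";"):
            key, _, value = part.strip().partition("=")
            if key == self.COOKIE:
                return value
        return None

    def user_for(self, cookie_header):
        """Every later request carries the cookie (regardless of realm); map it to a user."""
        return self._sessions.get(self._session_id(cookie_header))

    def logout(self, cookie_header):
        """'Log out': invalidate the ID on the server; the browser then drops the cookie."""
        return self._sessions.pop(self._session_id(cookie_header), None) is not None
```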

Domino Web Server API (DSAPI)

C API for writing extensions to Domino Web Server (used for SSO)
Filter is notified when certain events occur in web server
Built as shared library (e.g. a DLL on the Windows platform)
Supported on all Domino Server

Domino R5 Security Features

X.509 V3 Certificate Support
S/MIME and SSL in Notes Client
API for security infrastructure (Domino Web Server API
Web Realms
HTTP Session Authentication
Group Management
ACL Management
Just In Time encryption
Encryption of message / document upon reconnection (S/MIME and Notes mail)
Local copy of certificates unnecessary

Domino R5 Security Features (cont.)

Password Quality Testing - Domino computes effective password
Functional Separation of Keys - dual key support
non-repudiation (auth+signing)
confidentiality (encryption)
PKCS 12 - key ring exchange
Token support for Domino Server
RSA ACE/Agent for Lotus Domino
RSA ACE/Server

R6 Security Update

Encryption Update

Large key support for Notes

128-bit RC4 for Notes port
128-bit RC2 for local database
Underlying changes for 1024-bit RSA keys (will allow backward

User Security Dialog

Internet Password Management

Change Password Dialogs

Local Database Encryption by Default

Email Encryption / Signing

Domino 6 Certification Authority

Better security
Administrators don't need certifier ID files & passwords
Certifiers can be password-protected on server, either individually or as a group
Tamper-resistant auditing of all activity

CA Process server task

Signs certificates when requested via admin4
Maintains list of administrators who can approve certificate requests (RAs)
Manages both Notes and Internet (X.509) certificates
Publishes CRLs for Internet certificates, supports CDP
Better support for X.509 extensions

What's an Execution Control List?

Information on source of ESAs

Central Administration of User ECLs

Smart Card Support

Smart Card enabled ID file
PIN Prompt replaces password prompt
Smart Card disables itself after 3 wrong guesses
Internet (S/MIME) RSA key pushed onto card
If Card lost or destroyed, ID file must be recovered from

Roaming User Support

Permits use of Notes Client by downloading ID file from server
Server never learns the user's password
Eavesdropper cannot test guesses of user's password
Separate expensive interaction with server for each password guessed

Domino Web Access support for Secure Notes Mail
Security vs. Convenience Trade-off
Encrypted mail normally never readable on any server
Users' Private RSA keys protect the data
Place copy of user's ID file in mail file
User sends password to server
Server decrypts mail, then forgets password - 6.0.1
Server encrypts mail, then forgets password - 6.5

Administrator Hierarchy
Full Access Administrator
Database Administrator
Full Remote Console Administrator
View-only Remote Console Administrator
System Administrator
Restricted System Administrator

Full Access Administrator

Method to resolve access control issues
Highest level of administrative rights on the server
All the rights granted to "Administrators", plus
Manager access, with all roles and access privileges enabled, to all databases on the server, regardless of the database ACL settings
Manager access, with all roles and access privileges enabled, to the Web Administrator database (WEBADMIN.NSF)
Access to all documents within databases on the server, regardless of reader name field controls
Unrestricted agent rights
Does not allow access to encrypted data
Enable by
Listing allowed entries into Full Access Administrators field on server
Select Administration\Full Access Administration from Admin Client menu

Additional Resources
Lotus Security Handbook Redbook

LDD Notes/Domino Security Zone
Domino 6 Technical Overview
Be the authority on the new Domino 6 Certificate Authority
Bonding with User Security in Notes 6
Policy-based system administration with Domino 6
Decoding the new Notes/Domino 6 agent features
Building web applications in Domino 6: Accessing and protecting the file system



HTTP Connection Settings

Persistent connections
Network timeouts
Client IP address filtering

Full Access Administrators

Same as Local Access
Manager access to all databases on server, regardless of
All programmability rights
All passthru rights
Issue OS-level commands

For Emergency Use Only

Same rights as R5
Can execute remote console commands
Can perform database maintenance tasks
Can manage message tracking

Database Administrators
Database maintenance
Set admin server on ACLs
Compact and delete dbs
Maintain full text indexes
Maintain directories
Create databases
Maintain certain db options
e.g., in/out of service, database quotas, etc.

Remote Console Administrators

Full -- Any console command
View-only -- safe subset of commands
Cannot affect server performance

Neither can maintain databases

System Administrators
Issue operating system commands
Including server restart

Requires new Domino Server Controller running on

Restricted -- restricted subset of commands

Agent Security -- R5
Agents run with the rights of their signer
Allows unprivileged agents on servers
Out of office agent
Special privileged signers
Can only access databases local to server where agent is running
Server can only authenticate as itself to another

Agent Security

Server can sign agent "On Behalf of"
Enable out of office agent via the web
Agent can open off-server databases
...if its server is privileged on the remote server
Unrestricted agent can choose to bypass ACLs locally

Agent Security -- On behalf

Access Remote Servers
Server A can now execute a scheduled or web-based agent that accesses a database on Server B
Server A must be listed in "Trusted Servers" field in Server B's server document
Both servers must be running Release 6

Modifying and saving agents on the server

Agent can enable another agent if it has the same effective user OR
Agent's signer is listed in "Sign agents to run on behalf of someone else" field
Agent cannot modify itself

Enabling scheduled agents using a web browser

Allows Out of Office agent to be enabled by web user
Run as web user
Maximum Internet name/password access must be set to Designer

Allow editors to activate agents

Allows Out of Office agent to be activated by users with Editor access to their mail file

Web Server Security

Server document
Protocol security options allow you to filter requests that may be potential attacks
Deny/allow access fields can now be applied to all Internet protocols

HTTP Plug-In Architecture allows for reverse proxy access to Domino servers inside firewall
WebSphere IHS

Web Single Sign On (SSO) enhancements

Can be configured to work with DSAPI authentication in addition to
APIs available to Generate and Verify tokens
Can create multiple SSO documents within Domino directory/domain
Still restricted to one DNS domain

API functions available to support "more secure Internet password format"

Windows NT/2000 Single Logon

Works with other Windows single logon
Manages password sync bidirectionally
Once synced, NSL catches the password change from either Windows or Notes and pushes it to the other
If changed in Windows, change will be held and pushed to Notes upon startup
If configured for Notes/Internet password sync, change will update HTTPPassword in person document also

Future Considerations
Support for 1024-bit RSA keys for Notes protocols
128-bit RC2 support for bulk encryption keys and named encryption keys
Administration tools to automate large key generation for existing Notes users

Support use of Internet keys pre-installed on

Support crypto accelerators
Support for Internet hierarchies in CA
Support for additional S/MIME features