CONFIGURING


Creating a security policy settings document

A security policy settings document allows you to manage IBM® Notes® and Internet passwords, configure customized password polices for your organization, set up key rollover, manage administration ECLs, push trusted cross-certificates to clients, and configure an ID vault. You can also configure settings for signed plug-ins and the home portal server for composite applications.

Before you begin

Make sure that you have Editor access to the IBM Domino® Directory and one of these roles:


About this task

Note: See the related topics for information on the Notes Shared Login tab and on using Notes shared login to suppress password prompts. For information on the Federated Login tab see the related topics for information on applying a Notes federated login configuration to users.

Note: For information on creating security policy settings for IBM iNotes® users, and using an HTTP-proxy servlet to restrict URLs to external servers, see the IBM iNotes administration product documentation at the related information.

Procedure

1. From the Domino Administrator, select the People & Groups tab, and then open the Settings view.

2. Click Add Settings and then choose Security.

3. On the Basics tab, complete these fields:


4. Complete all the required fields described in the following tasks.

Managing Notes and Internet passwords

Procedure

1. On the Password Management tab, complete the following options fields:


2. Also on the Password Management tab, complete the following expiration fields:
Configuring Internet password lockout

About this task

Internet password lockout settings are ignored if your organization uses SAML for session authentication.

Procedure

1. On the Password Management tab, complete the following lockout settings:


2. Also on the Password Management tab, complete the following quality settings fields:
3. For information on completing the fields under ID File Encryption Settings, see the topic Configuring encryption for ID files in the related topics.

Configuring custom password policies

About this task

You need to complete the following fields only if you have chosen to implement a custom password policy.

Procedure

1. On the Password Management tab, under Password Management Options, select Yes for the Use Custom Password Policy for Notes Clients field.


2. Complete the following fields:
Configuring administration ECLs

About this task

Complete the fields on the Execution Control List tab to configure administration ECLs used in your organization.

Table 7. Execution Control List tab fields
Field Action
Admin ECL Choose one:
  • Edit -- to edit the ECL whose name is displayed next to the Edit button.
  • Manage -- see Managing admin ECLs for information about using this function.

Note: The Edit and Manage buttons are displayed only when the security settings document is in edit mode.
Update mode Choose one:
  • Refresh -- to update client ECLs with new or changed information from the admin ECL, as follows:

If the client ECL lists a signature that the admin ECL does not, than that signature and its settings stay the same in the client ECL.

If the admin ECL lists a signature that the client ECL does not, than that signature and its settings are added to the client ECL.

If the client ECL and the admin ECL list the same signature, than the settings for the signature in the client ECL are discarded and replaced by those for the signature in the admin ECL.

  • Replace -- to overwrite the client ECL with the admin ECL. None of the information in the client ECL is retained.
Update frequency Choose one:
  • Once Daily -- to update the client ECL when the client authenticates with the home server and when it has either been a day since the last ECL update or the admin ECL has changed.
  • When Admin ECL Changes -- to update the client ECL when the client authenticates with the home server and the administration ECL has changed since the last update.
  • Never -- to prevent the update of the client ECL during authentication.

Managing administration Execution Control Lists (ECLs)

About this task

When you set up the first server in a domain, Domino creates a default administration ECL, which you can then customize for your organization. You may need to have more than one type of admin ECL -- for example, one for contractors and one for full-time employees. You can use the Workstation Security: Admin Execution Control Lists dialog box to manage administration ECLs you have created. You can also use it to create new ones or to delete any that are no longer needed.

Note: The Edit and Manage buttons are displayed only when the security settings document is in edit mode.

Procedure

1. On the Security Settings document toolbar, click Edit Settings.

2. Click Manage. The Workstation Security: Admin Execution Control Lists dialog box appears. Select from the following options:


Results

Admin ECLs are stored independently of security settings documents. If you edit an administration ECL, the changes will be used by all the security settings documents that refer to that particular named admin ECL. If you delete an admin ECL, all security settings documents that referred to that particular admin ECL will use the default admin ECL. Once you delete an admin ECL, you cannot undo the deletion by clicking Cancel.

Clicking Cancel leaves the name of the admin ECL displayed in the settings document unchanged.

Enabling key rollover

About this task

Complete the fields on the Keys and Certificates tab to configure key rollover for groups of users. You specify triggers that initiate key rollover for a group or groups of users. You have the option of spacing out the rollover process over a specified period of time for the group of users to which this policy applies.

See the related topics for information on configuring AES for mail and document encryption.

Procedure

1. In the Default public key Requirements field, specify settings for parent and child policies. Select one:

2. Under User Public Key Requirements , complete the following fields.
3. Complete the field in Document/Mail Encryption Settings using the information in the topic Configuring AES for mail and document encryption in the related topics.

4. Under Certificate Expiration Settings, in the Warning period field, specify the number of days prior to certificate expiration at which the user receives an expiration warning message; the default is 0.

5. Under Certificate Expiration Settings, in the Custom warning message field, enter a custom warning message that will be sent to users whose certificate has passed the expiration threshold specified in the Warning period field.

Enabling On-line Certificate Status Protocol (OCSP) checking

About this task

The Online Certificate Status Protocol (OCSP) enables applications to determine the revocation state of an identified certificate. OCSP checks are made during S/MIME signature verification and mail encryption by the Notes client. OCSP is enabled through a policy, using the Enable OCSP checking setting on the Keys and Certificates tab of the Security settings document.

Applying trusted cross-certificates to clients

About this task

You can avoid user prompts to create cross-certificates. Use the Administrative Trust Defaults section of the Keys and Certificates tab to apply trusted Internet certificates, Internet cross-certificates, and Notes cross-certificates to Notes clients. For information on applying (sometimes called pushing) trusted certificates to clients, see the related topics.

Configuring installation of signed plug-ins

About this task

Plug-ins can be provisioned to a Notes user and are ordinarily signed with a certificate that is trusted by the Notes client, and verifies that the data they contain is not corrupted. Users can then install or update the signed plug-ins.

Occasionally, a plug-in is found to have a problem. Either it is unsigned, not signed with a trusted certificate, or the certificate has either expired or is not yet valid. For these cases, you can establish a policy for never installing these plug-ins, always installing them, or asking users to decide at the time the plug-in is installed on their computers.

You can time-stamp plug-in jar signatures using the jar signer tool provided by the Java SDK to ensure the long term validity of plug-in signatures. The Notes client uses a time stamp included with a plug-in jar signature to determine if the plug-in signing certificate was valid at the time of signing. If a plug-in signing certificate has expired but was valid at the time of signing, Notes accepts it so that users do not see security prompts during plug-in installation or provisioning. Use the Ignore expiration for time stamping certificate setting on the Signed Plug-ins tab to control whether to allow the installation of signed plug-ins with expired time stamping certificates. Their installation is allowed by default.

Table 10. Ignore expiration for time stamping certificate settings
FieldAction
Installation of plug-ins that are expired or not yet valid
  • Ask the user
  • Never install
  • Always install
Installation of unsigned plug-ins
  • Ask the user
  • Never install
  • Always install
Installation of plug-ins signed by an unrecognized entity
  • Ask the user
  • Never install
  • Always install
Trust IBM plug-in signing certificate
  • Ask the user
  • Never trust for install
  • Always trust for install
Ignore expiration for time stamping certificate
  • Ask the user
  • Never install
  • Always install

Configuring Portal Server settings

About this task

Table 11. Portal server settings
FieldAction
Home portal server Enter the name of the IBM WebSphere Portal Server that hosts Notes user accounts.
Authentication URL Enter the URL that Notes users need to access in order to authenticate with the portal server.
Authentication type Choose one:
  • J2EE-Form, for
  • HTTP, for Web-based authentication

Note: For information on the ID Vault and Proxies tabs, see the related topics.

Related concepts
Using Notes Shared Login (NSL) to suppress password prompts
Managing Internet passwords
Enabling integrated Windows authentication (IWA) for Eclipse-based clients
Setting up Notes clients for S/MIME
Name-and-password authentication for Internet/intranet clients
Customizing Notes using plugin_customization.ini
Using Domino policy to set or verify trust for client plug-ins
Notes ID vault

Related tasks
Setting up password verification
Using a security settings policy to apply a Notes federated login configuration to client users
Securing Internet passwords
Configuring encryption for ID files
The execution control list
Configuring AES for mail and document encryption
Setting up Notes and Internet clients for SSL client authentication
User and server key rollover
Pushing certificates to clients through security policy settings
Creating or editing ID vault policy settings documents manually
Signing custom or third-party features and plug-ins for install and update

Related reference
Custom password policies
Default ECL settings
The password quality scale

Related information
IBM iNotes product documentation
Using an HTTP-proxy servlet to restrict URLs to external servers
Technote 21459717: Integrated Windows authentication (IWA) for Eclipse-based components within Lotus Notes