Domino Web Server Authentication Options
Cơ bản
Tóm tắt
Nội dung
30/04/2020
Thuộc mục:
Ảnh tiêu đề:
Ẩn ảnhHiện
Tên:
Domino Web Server Authentication Options
Thẻ Keywords (67 ký tự):
Domino Web Server Authentication Options
Thẻ Description (160 ký tự):
Domino Web Server Authentication Options
Thiết lập:Duyệt: Duyệt - Loại tin: Mới - ---Chia sẻ---
Url nguồn:
Tóm tắt (Chỉ viết ngắn gọn ko viết dài quá)

<p>Karen Zwolski, GSEC Practical Assignment - Version 1.4b, Option 1 January 8, 2004</p>
webID: 87F9F85690F6F1A2472584E400169C26
<p><b>Introduction </b></p>
<p>&nbsp;</p>
<p>Lotus Notes/Domino is a widely used group collaboration and messaging platform originally designed to work in a client-server architecture using proprietary protocols. The client is known as Notes, and the server is known as Domino. Later releases of Domino incorporated the use of Internet standard protocols and provided for access to Domino servers using web browsers as well as the Notes client. This helped Domino shops meet the demand for Internet access to email and databases using a browser.</p>
<p>&nbsp;</p>
<p>The original and still current architecture incorporates the use of key pairs based on RSA technology. The public key is stored in the Domino Directory; the private key is stored in a password protected ID file on the Notes client. This model provides robust authentication and encryption and is tightly integrated into the architecture requiring little effort on the part of the administrator to implement. However, this model is not relevant to the browser user accessing a web enabled Domino server. The purpose of this paper is to provide Domino administrators who are familiar with the client-server architecture with an understanding of authentication options and associated security characteristics for the web enabled Domino server. Specific implementation guidance for various options will be presented. This paper is based on Domino version 6.x. However, essential security-related differences between Domino 6.x and earlier versions will be explained. A brief explanation of Domino web server basics will be provided to enhance the reader's understanding of authentication options and requirements in a</p>
<p>&nbsp;</p>
<p><b>Domino web server model. </b></p>
<p>&nbsp;</p>
<p>Basic understanding of the traditional client-server model of Domino is assumed. Domino Web Server Basics In order to understand Domino web server authentication, it will help to first understand the basics of a Domino web server. There are three methods for serving web pages from a Domino server. First, Domino can serve web pages that are stored inside a Domino database in native Notes format. When requested by a browser, Domino will translate the Notes format into HTML and send the page to the browser via HTTP. Typically, this type of presentation would not be very attractive. The second method for serving web pages is to store HTML code inside a form in any Domino database. Using this method, the pages will be presented without translation to the browser. This allows for more options and a better looking web page. If the database will be available to both the Notes client and a browser, the developer will have to create code to detect whether a Notes client or browser is being used so the appropriate format can be presented. The third method for presenting web pages is to store HTML code in the server's file system. Using the file system to store web pages may require some additional security measures beyond what is covered in this document.</p>
<p>&nbsp;</p>
<p>When Domino is initially installed, you will have the option to load HTTP services during the installation. This is all that is required to web enable your Domino server. If HTTP was not installed initially, you can enable the Domino web server manually by loading the HTTP task at any time. This can be done by typing &quot;load HTTP&quot; at the server console. To enable the web server every time Domino starts, add &quot;HTTP&quot; to the &quot;ServerTasks&quot; line in the notes.ini file. To unload HTTP, type &quot;tell HTTP quit&quot; at the server console, or remove the HTTP task from the notes.ini file and restart Domino.</p>
<p>&nbsp;</p>
<p>Once the HTTP task is started, you can view Domino databases with a browser. For example, instead of clicking on the bookmark in the bookmark bar on the Notes client to open names.nsf (the Domino Directory), you would launch your browser and enter &quot;http://SeverName.DomainName/names.nsf&quot; in your browser's address bar. Unless the administrator had set the server and databases up to allow anonymous access, you would then be required to authenticate. Because the traditional Notes client is not being used to access the server, the familiar public/private key pair and Notes ID file will not be involved in authenticating or authorizing the user. Other methods to authenticate and authorize access to various databases will have to be used.</p>
<p>&nbsp;</p>
<p>As a side note, the reader should understand that typically, adding the HTTP task is not all you would do to make your Domino server into a web server. A typical application might be to create an HTML file or Domino database that would serve as the default home page for your web server with links to other databases. There is a field in the server document for specifying the name of the default home page.</p>
<p>&nbsp;</p>
<p><b>Authentication Model </b></p>
<p>&nbsp;</p>
<p>Access to Domino using HTTP can be accomplished anonymously or by using a challenge/response security model requiring the user to know a valid user name and password. The valid user name and password must be in the primary Domino Directory or in an alternate directory. Domino supports the use of multiple directories including third party LDAP directories. Some companies may choose to store user names and passwords for browser users in a directory separate from Notes client users. The use of multiple directories is explained in the Lotus Administering the Domino System books. After authenticating, users will be authorized to access only those databases that have an Access Control List (ACL) that permits access to the authenticated user. Users who do not have a valid user name and password in the Domino directory can only access Domino web sites that permit anonymous access and can only access databases that have an ACL that permits anonymous access.</p>
<p>&nbsp;</p>
<p>The same process for registering users to access Domino with a Notes client can be used to register users for access to Domino with a browser. Creation of the Notes ID file is optional and not needed if the Notes client will not be used. The user name that will be required for authentication will be created during the registration process. Additionally, you can select to assign an Internet or browser password during registration or assign a password later by adding a password to the &quot;Internet password&quot; field in the person document in the directory after the person is registered. This allows you to assign browser passwords for persons previously registered for using the Notes client only.</p>
<p>&nbsp;</p>
<p>Management and security of Internet or browser passwords was improved in version 6.x of Domino when compared to earlier versions. Domino 5.x and earlier had no built-in ability to manage browser passwords. Domino 6.x added the ability to allow end user changing of browser passwords, assign password quality, and enforce expiration. Password history can be maintained for Notes clients, but is still not available for browser passwords. An administrator may choose to synchronize Notes and browser passwords and force an update of the browser password when the Notes password is changed. This would essentially enforce a history for the browser, but will introduce another vulnerability created by using the same password for both the Notes client and the browser.</p>
<p>&nbsp;</p>
<p>The new password management features are implemented primarily when using a new feature in Domino 6.x called &quot;Policies&quot;. A policy is a document created by the administrator to apply certain default settings for several administrative areas including registration and security. See Chapter 9 in Lotus Software Domino 6, Administering the Domino System, Volume1 (http://www-12.lotus.com/ldd/doc/uafiles.nsf/docs/domino6PR2/$File/adminvol1.pdf for more information about policies.</p>
<p>&nbsp;</p>
<p>There are still significant vulnerabilities in browser password management that can be addressed with custom applications. One of the most difficult to manage risks related to browser password management is how to identify and authenticate users who call the help desk claiming to have forgotten a password. A third party application that addresses this issue is Web Set Password by PistolStar (www.pistolstar.com/websetpassword_features.html). Web Set Password allows the user to initially select a password challenge question and answer. If the user forgets his password, he can select the originally chosen challenge question from a list. If the user knows the answer to the challenge question, he can then assign a new password for himself. Additionally, Web Set Password adds other security features missing from Domino such as strike-out (locking accounts after a determined number of failed attempts to enter the correct password), disabling of password auto-complete, and logging of invalid user names and passwords that were attempted. Web Set Password also adds to Domino's ability to control password complexity by disallowing certain passwords like &quot;password&quot; or the user's name and checking chosen passwords against a dictionary.</p>
<p>Also, Lotus has made available a Domino Web Server Application Programming Interface (DSAPI) which is a C API that allows a developer to write extensions or filters for the web server allowing customization of web server authentication. For more information about the DSAPI, look for the Lotus C API Toolkit for Domino at http://www14.software.ibm.com/webapp/download/search.jsp?q=toolkit+jdbc+notessql&amp; k=any&amp;cat=groupware&amp;sb=&amp;go=y&amp;srs=1&amp;rs=&amp;S_TACT=&amp;S_CMP=&amp;pf=&amp;dt=&amp;x=28 &amp;y=8.</p>
<p>&nbsp;</p>
<p><b>Password Formats </b></p>
<p>&nbsp;</p>
<p>However the password is created, it is automatically hashed when it is entered in the &quot;Internet password&quot; field in the person document. Hashing is an encryption method that creates a one-way transformation of the data that cannot be decrypted. There are two hashing algorithms described below. The administrator must select the algorithm.</p>
<p>&nbsp;</p>
<p>Less Secure Internet Password: The specific hash function is not publicized by Lotus. Lotus creates the hash by applying the @password function (a standard Notes function available to developers) to the text of the password. When the @password function is applied to a single text password any number of times, the result is the always the same. This leaves the &quot;Less Secure Internet Password&quot; format very susceptible to dictionary attacks. It would take very little skill to run the @password function against a dictionary list and compare the results to the &quot;Internet password&quot; field in the person document. Each match results in a discovered password. This algorithm should not be used. In Domino 5.x and prior versions, this was the default. If you are using Domino 5.x or earlier, you should change this algorithm as described below. Fortunately, Domino 6 no longer uses this as the default setting.</p>
<p>&nbsp;</p>
<p>More Secure Internet Password: If this option is chosen, a different type of hash, known as a &quot;salted&quot; hash, will be used to encrypt the password. The salt is a random number that is added to the hash value and resulting in an encrypted password that is not as likely to be discovered in a dictionary attack. The administrator can follow the steps below to make sure the more secure format is used for each new registered user.</p>
<p>&nbsp;</p>
<p>The default password format for new users can be changed by editing the &quot;Directory Profile&quot; for all servers. A Directory Profile is a document that is used to set up or change miscellaneous configuration settings for the Domino Directory. To access the Directory Profile and enable a more secure password format, follow the steps below. These steps are summarized here but are described in detail in the Chapter 19 in Lotus Software Domino 6, Administering the Domino System, Volume 1 (http://www-12.lotus.com/ldd/doc/uafiles.nsf/docs/domino6PR2/$File/adminvol1.pdf). All users registered after this change is made will have a more secure password</p>
<ul>
<li>Launch the Domino Administrator client</li>
<li>Click the Configuration tab</li>
<li>Click All Server Documents</li>
<li>From the menu bar, choose Actions - Edit Directory Profile</li>
<li>Select Yes in the Use more secure Internet passwords field</li>
<li>Save and close the profile document</li>
</ul>
<p>&nbsp;</p>
<p>If you have already registered users with the less secure password format, you can easily upgrade the format to &quot;more secure&quot; by following the steps below.</p>
<ul>
<li>Launch the Domino Administrator client</li>
<li>Click the People &amp; Groups tab</li>
<li>Select the persons you want to upgrade to a more secure format</li>
<li>From the menu bar, choose Actions, Upgrade to More Secure Internet Password Format</li>
<li>Click Yes</li>
</ul>
<p>&nbsp;</p>
<p>One consideration when using third party or custom applications to manage passwords is whether or not the application works with the more secure password format. For example, if you used an application to allow users to change a password, that application might first ask the user what the original password is. The application may use the @password function to compare what the user indicates is the original password to the password that is stored in the Domino directory. If the more secure format is in use, that particular application may not work because the value returned by the @password function would not match the stored password. So, it is important to evaluate your need for security against the ease of use when selecting the password format and selecting tools to help you manage the password. Some third party applications including Web Set Password, do handle the more secure password format.&nbsp;</p>
<p>&nbsp;</p>
<p><b>Name Options </b></p>
<p>&nbsp;</p>
<p>Another important authentication option that must be chosen is the name variations that will be permitted. This option is set on the Security tab of the relevant server document in the &quot;Internet authentication&quot; field. The options are described below.</p>
<p>&nbsp;</p>
<p>More name variations with lower security: Prior to Domino version 6.x, this setting was the default. This will allow the following variations of the username to be entered when authenticating - last name, first name, any name in the username field, hierarchical name, or short name. For example, in the sample person document below, all the following names could be used to authenticate: John, Public, John Public, John Public/Corporation (hierarchical name abbreviated), cn=John Public/o=Corporation (hierarchical name canonical) or jpublic.</p>
<p align="center"><img src="http://daotao.cwe.vn/472584D2003B40A0/22124186167C41B24725855A0016FAFD/$File/3e4ce982859e7fc0268f.jpg"></p>
<p>The lookup actually occurs against a hidden view in the Domino directory known as the $Users view. All the name variations above from each person document in the directory comprise the $Users view in the Domino directory. Therefore, when Domino prompts the user to authenticate by entering a name and password, the user could enter &quot;John&quot; and whatever his password was. Domino would search the $Uses view for occurrences of &quot;John&quot; and check to see if the password matched. If a password match were found for &quot;John&quot;, the authentication would be successful. This presents a problem if two persons with the first name of &quot;John&quot; happen to use the same password. For example, if John Public and John Doe happen to use the password &quot;welcome&quot;, John Public could authenticate with John Doe's credentials and have access to things that only John Doe is supposed to have access to.</p>
<p>&nbsp;</p>
<p>Fewer name variations with higher security: This is a more secure option and highly recommended over the previous option. Beginning in Domino 6.x, this is the default. Using the same name example above, only the following names entered during the authentication attempt would result in a match: John Public, John Public/Corporation or cn=John Public/o=Company. A single authentication attempt would not result in as many matches and would thus be more secure. The actual lookup when using this option is performed against the hidden $LDAPCN view.</p>
<p>&nbsp;</p>
<p>Note: To see hidden views in the Domino Directory using the Notes client, press the <ctrl> and shift keys together and double click on the bookmark for the directory. </ctrl></p>
<p>&nbsp;</p>
<p><ctrl>Custom lookup view: The Domino administrator can develop a custom view consisting of any form of the user name and force authentication against that custom view. For example, a custom view might contain only the full user name (first and last). In order for users to authenticate, the first and last name would have to be entered. This is accomplished by first creating the view and then&nbsp;</ctrl>adding a parameter in the Notes.ini file like this: NABWebLookupView=NameOfCustomView.&nbsp;</p>
<p>&nbsp;</p>
<p><b>Authentication Security Levels </b></p>
<p>&nbsp;</p>
<p>The challenge/response security model described so far using names and passwords can actually be deployed using different security levels.</p>
<p>&nbsp;</p>
<p>Low Security: basic authentication or anonymous access Medium Security: session authentication and single sign-on High Security: SSL and X.509 certificate</p>
<p>&nbsp;</p>
<p><b>Low Security </b></p>
<p>&nbsp;</p>
<p>If your requirements for security are very low, you may wish to consider allowing anonymous or &quot;basic name and password authentication&quot; access to the Domino server. If a user requests access to a database requiring authentication, Domino sends a 401 response, &quot;unauthenticated user&quot;. The browser will prompt the user for credentials with a generic dialog box.</p>
<p align="center"><img src="http://daotao.cwe.vn/472584D2003B40A0/22124186167C41B24725855A0016FAFD/$File/f5be08e165fd9fa3c6ec.jpg"></p>
<p>Those credentials will be passed to the server in the HTTP header encoded in base64 format. For each page requested, the HTTP header containing credentials will be sent. The characteristics of basic authentication make it very insecure for the following reasons.</p>
<p>&nbsp;</p>
<ol>
<li>Authentication credentials are repeatedly passed throughout the session making the credentials especially susceptible to network sniffing.</li>
<li>The credentials are not encrypted. They are encoded, but base64 encoding is easily reversed and read.</li>
<li>User names and passwords are cached on the browser side and will be remembered until the browser is shut down. Any user who leaves the browser up after providing credentials is leaving the session open for anyone else to access the server without providing credentials.</li>
</ol>
<p>It is also important to note the &quot;realm&quot; against which authentication is taking place.</p>
<p>A realm is a text string indicating the path or directory for which a user has been authenticated. If the user requests access to a database that is not in the same directory or a subdirectory, the server will prompt the user to authenticate again. This could be quite annoying for the end user. This problem can be solved by implementing &quot;Session Authentication&quot; as explained later in the Medium Security section.&nbsp;</p>
<p>&nbsp;</p>
<p><b>Enabling Basic Authentication and Anonymous </b></p>
<p>&nbsp;</p>
<p>Access By default, port 80, basic name and password authentication, and anonymous access are enabled for access to Domino. When the server is originally configured, the administrator will have the option to enable or disable anonymous access to existing databases and templates. For better security, select to disable anonymous access to existing databases when initially configuring your server. This will prevent unintentional anonymous access to important databases that are included by default such as the directory and log files. You can always go back and add anonymous access as necessary to individual databases.</p>
<p>&nbsp;</p>
<p>The setting for port 80 can be viewed and edited in the server document of the Domino directory on the Ports-Internet Ports-Web tab.</p>
<p align="center"><img src="http://daotao.cwe.vn/472584D2003B40A0/22124186167C41B24725855A0016FAFD/$File/213480e0edfc17a24eed.jpg"></p>
<p>The settings for basic name and password authentication and anonymous access to the server can be found on the Security tab of the Internet Sites document in the Domino directory. This document is new to version 6.x of the Domino server. Many of the settings now found in the Internet Sites document of the Domino 6.x server were formerly found on the Ports-Internet Ports-Web tab of the server document. (By default, the settings in the Internet Sites document apply to all servers in the Domino domain.) The following screen shot displays anonymous and basic authentication settings on the Internet Sites document</p>
<p align="center"><img src="http://daotao.cwe.vn/472584D2003B40A0/22124186167C41B24725855A0016FAFD/$File/9bbc9fe2f1fe0ba052ef.jpg"></p>
<p>If you want to completely disable anonymous access to the servers in the Domino domain, change the anonymous field in this section of the Internet Sites document to &quot;No&quot;.</p>
<p>&nbsp;</p>
<p>The Domino domain web servers can be set up to allow anonymous connections only to particular databases. For this to work, leave anonymous access set to &quot;Yes&quot; in the Internet Sites document and permit or deny anonymous access to particular databases by using an Access Control List (ACL).</p>
<p>&nbsp;</p>
<p>The screen shot below displays the ACL on a Domino database. This ACL does not allow anonymous access. If a user tries to access this database with a browser, the user will be prompted to authenticate. It is important to note that if you do not have the &quot;Anonymous&quot; keyword in the ACL, anonymous users will have whatever access the &quot;Default&quot; user has. If allowing anonymous access to the server, it is very important to review the ACL's on all databases for anonymous and default keywords to ensure anonymous access is only permitted as intended.</p>
<p align="center"><img src="http://daotao.cwe.vn/472584D2003B40A0/22124186167C41B24725855A0016FAFD/$File/e9edea3484287e762739.jpg"></p>
<p>&nbsp;</p>
<p><b>Medium Security </b></p>
<p>&nbsp;</p>
<p>A feature called &quot;Session Authentication&quot; can be enabled per each single server or for multiple servers. Session Authentication provides an increased level of security over basic authentication for several reasons. When Session Authentication is enabled, the user is presented with a logon form similar to the display below</p>
<p align="center"><img src="http://daotao.cwe.vn/472584D2003B40A0/22124186167C41B24725855A0016FAFD/$File/bb11e56bf5770f295666.jpg"></p>
<p>This basic logon form can be found in a database called &quot;domcfg.nsf&quot;. This database can easily be created from a template provided with the Domino server. The logon form can easily be modified to allow for company branding, addition of banners, or customized error messages. For more information about creating domcfg.nsf and customizing the logon form, see Chapter 42, in Lotus Software, Domino 6, Administering Domino System, Volume2 (http://www-12.lotus.com/ldd/doc/uafiles.nsf/docs/domino6PR2/$File/adminvol2.pdf). Once the user enters proper credentials into the logon form, Domino encrypts the password and stores it in a cookie, and the cookie is used for subsequent access. The following aspects of session authentication additionally enhance security and provide ease of use.</p>
<ol>
<li>The server has knowledge of who is using the server so you can get a listing of active users. To see such a list, just access the server console and type &quot;tell http show users&quot;.</li>
<li>Because the server is maintaining state with a cookie and has knowledge of user activity, sessions can be timed out after a specified period of inactivity. The cookie is simply set to expire after a specified period of time. The administrator can configure the timeout as described below.</li>
<li>A developer can easily create a logout button. Users can click the logout button to destroy the server side-state and clear the session without closing the browser.</li>
<li>The credentials are only passed to the server in clear text when initially entered, reducing the likelihood that credentials will be sniffed. (Please read &quot;Important Tip&quot; in the High Security section for information about encrypting credentials.)</li>
<li>Security policy banners can be appropriately displayed.</li>
</ol>
<p>To enable session authentication, open the Internet Sites document and select the Domino Web Engine tab. Change the Session authentication field from &quot;disabled&quot; to &quot;Single Server&quot;. You can also set the &quot;Idle session timeout&quot; here. The default timeout value is 30 minutes. (Note: Basic Authentication as described above must remain enabled for Session Authentication to work.)</p>
<p align="center"><img src="http://daotao.cwe.vn/472584D2003B40A0/22124186167C41B24725855A0016FAFD/$File/9fe51f690f75f52bac64.jpg"></p>
<p>Single Sign-On (SSO) is a special implementation of Session Authentication that allows the user to enter a name and password one time only for access to any server configured to participate in the SSO domain. To enable SSO, change the Session Authentication field displayed above to &quot;Multiple Servers&quot;.</p>
<p>&nbsp;</p>
<p>Additionally, a special document called &quot;Web SSO Configuration&quot; must be created when implementing SSO. To create this document, select the Servers view in the Domino directory. Then from the Menu bar, select &quot;Web - Create Web SSO Configuration&quot;. This document is displayed below. You must enter the organization name, DNS domain name, and a list of participating servers.</p>
<p align="center"><img src="http://daotao.cwe.vn/472584D2003B40A0/22124186167C41B24725855A0016FAFD/$File/8a9b98e789fb73a52aea.jpg"></p>
<p><b>High Security </b></p>
<p>For maximum security, consider enabling Secure Sockets Layer (SSL) protocol. SSL is a security protocol that can provide a higher level of security for basic or session-based authentication. SSL can also be used to increase the security of anonymous connections by requiring client authentication. Additionally, SSL can provide confidentiality and integrity. Domino supports SSL and uses industry standard X.509 certificates in its implementation.</p>
<p>&nbsp;</p>
<p>SSL consists of two sub-protocols, the SSL record protocol and the SSL handshake. The SSL record protocol specifies the format of messages exchanged between the client and the server. The format includes a message digest, created using the MD5 algorithm, to ensure that messages are not altered, thus providing integrity. During the SSL handshake, the client and server can authenticate each other using certificates and public keys. Also during the handshake, the client and server cooperate to create symmetric keys for the session used to perform encryption that provides confidentiality. (Introduction to SSL).</p>
<p>&nbsp;</p>
<p><b>SSL Authentication </b></p>
<p>&nbsp;</p>
<p>An essential step in implementing SSL is to obtain signed certificate from a Certificate Authority (CA). Initially, a certificate request is issued by the subject (client or server) and submitted to the CA for verification and signing. A Certificate Authority is (usually) a third party organization that signs and issues unique digital certificates to company or individual. The CA performs a background check to confirm the identity of the certificate requestor. The background check for companies is typically more thorough than the check done for individuals. Once the background check is completed, a Certificate containing a serial number and information about the CA and the subject (server or individual requesting the certificate) is signed and issued by the CA. The Certificate is installed as appropriate on the server or the browser client.</p>
<p>&nbsp;</p>
<p>Exactly how does server authentication occur, and why does it matter? If a browser has a trusted or root certificate signed by the same Certificate Authority (CA) that signed the server certificate issued by the CA, then the client can be sure the server is who it says it is. This prevents a third party machine from spoofing the machine that you intended to connect to. That could be critical, for instance, if you were sending a credit card number to a bank's web server. You would want to be certain you were sending the credit card number to the bank's server and not an imposter.</p>
<p>&nbsp;</p>
<p>You may also want the server to authenticate the client. This would help you to confirm that the browser is the browser you were expecting. In this case, the browser would have to have the certificate signed by a trusted CA. The server would have to have a root certificate from the same CA.</p>
<p>&nbsp;</p>
<p>So, exactly how do you obtain a signed Certificate from a CA for your Domino server? There is a special process you must follow to get the certificates signed by the CA. That process, beginning with the selection of a Certificate Authority, will be discussed after a brief explanation of how to enable SSL on your Domino server.</p>
<p>&nbsp;</p>
<p>Where do root certificates come from? Browsers and Domino servers come with many root certificates pre-installed. If the root certificate for the CA you choose is not pre-installed, you will have to obtain and install the root certificate.</p>
<p>&nbsp;</p>
<p><b>Enabling SSL on Domino </b></p>
<p>&nbsp;</p>
<p>You can enable SSL for the entire server, or for any particular database. First you must activate the SSL port in the server document. This is done on the Ports - Internet Ports - Web tab of the server document.</p>
<p align="center"><img src="http://daotao.cwe.vn/472584D2003B40A0/22124186167C41B24725855A0016FAFD/$File/38d75cdf4ec3b49dedd2.jpg"></p>
<p>&nbsp;</p>
<p>Next, open Security tab on the Internet&nbsp;Sites document to further define how SSL will be used. On this document, you can enforce all TCP connections to use SSL by selecting &quot;Yes&quot; in the &quot;Redirect TCP to SSL&quot; field. Further, you can specify whether anonymous or name and password authentication will be accepted for SSL connections and whether client authentication will be used.</p>
<p align="center"><img src="http://daotao.cwe.vn/472584D2003B40A0/22124186167C41B24725855A0016FAFD/$File/e6c37d916e8d94d3cd9c.jpg"></p>
<p>&nbsp;</p>
<p>If you choose not to enforce SSL for all connections, you can maintain the flexibility to enforce SSL on specified databases only. To enforce SSL on a specific database, edit the database properties and check the &quot;Web access: Require SSL connection&quot; box.</p>
<p align="center"><img src="http://daotao.cwe.vn/472584D2003B40A0/22124186167C41B24725855A0016FAFD/$File/c9d9cb17df0b25557c1a.jpg"></p>
<p>Important Tip! You can require SSL connection on the domcfg.nsf file discussed in the section on Medium Security to force the initial submission of authentication credentials to be encrypted.</p>
<p>&nbsp;</p>
<p><b>Choosing A Certificate Authority </b></p>
<p>&nbsp;</p>
<p>There are several commonly used Certificate Authorities to choose from. Browsers come with certain preinstalled trusted root certificates for commonly used CA's. It will simplify SSL implementation if you use one of these same CA's. Two commonly used third party CA's are Thawte, http://www.thawte.com, and Verisign, http://www.verisign.com. There are several others as well. After preparing the Domino server to request and store certificates, you can send a certificate request to the CA to obtain a signed certificate. The procedures for doing this may vary some; it depends on your CA. Directions for requesting the certificate can be found on your CA's web site. The CA will charge you an annual fee for this certificate. When requesting a server certificate, the CA will request that you provide information needed to verify your corporate identity&nbsp;</p>
<p>&nbsp;</p>
<p>Domino uses the standard Public-Key Cryptography Standards (PKCS) format for certificates. Make sure the CA that you choose, uses this format. Then you must prepare the Domino server to request the certificate and install the appropriate signed certificate.</p>
<p>&nbsp;</p>
<p>The following procedures explain the steps involved when using a third party certificate authority. Domino could serve as it's own Certificate Authority.</p>
<p>&nbsp;</p>
<p>However, this may complicate things for your end user. If Domino is the CA, each end user will have to install Domino's root certificate in their browser. This could be a great inconvenience over relying on preinstalled certificates. For more information about setting up Domino as a Certificate Authority, see Chapter 45 in the Lotus Software, Domino 6, Administering the Domino System, Volume 2 (http://www-12.lotus.com/ldd/doc/uafiles.nsf/docs/domino6PR2/$File/adminvol2.pdf).</p>
<p>&nbsp;</p>
<p><b>Setting Up the Domino Server to Use SSL Certificates </b></p>
<p>&nbsp;</p>
<p>The following steps were excerpted from pages 46-1 through 46-10 in Lotus Software, Domino 6, Administering the Domino System, Volume 2 (http://www12.lotus.com/ldd/doc/uafiles.nsf/docs/domino6PR2/$File/adminvol2.pdf) and e-Pro Magazine article, &quot;Domino Internet Security: Implementing SSL and X.509&quot; http://www.epromag.com/eparchive/index.cfm?fuseaction=viewarticle&amp;ContentID=500&amp;websiteid=). The steps were simplified and condensed to include elements necessary for most implementations according to the author's actual experience in implementing SSL.</p>
<p>&nbsp;</p>
<p><b>Step 1: </b>Preparing the Server Certificate Admin Application A special database, CERTSRV.NSF, should have been created during server setup. If this database is not on your server, you must create it using the CSRV50.NTF template. This database is the Server Certificate Administration application. This application must be used to request a CA signed certificate, add a predefined certificates as trusted roots, and merge signed certificates into the a special file called the keyring file. Be sure the review the ACL for the CERTSRV.NSF database to limit access appropriately.</p>
<p>&nbsp;</p>
<p><b>Step 2: </b>Create server keyring file The second step in preparing the Domino server is to create the keyring file that will store the signed certificate. You have to do this no matter which CA you use. During the process of creating a keyring file, the unsigned certificate is created. Using a Notes client, open the Server Certificate Administration database on the server, select &quot;Create Keyring&quot; and enter data as follows: &middot; keyring file name: Enter the name of the key ring file. The default is keyfile.kyr. If you change this name, you will have to enter the new name on the Internet Sites document.</p>
<ul>
<li>common name: Enter the fully qualified domain name of the server. This and the following entries must match with the information you may have already provided to the CA during your initial corporate records review.</li>
<li>key size: 512 is the default. Enter 1024 for more secure encryption.</li>
<li>password: Enter a strong password for the keyring.</li>
<li>organization: Enter your company name.</li>
<li>organizational unit: (Optional) - Enter division or department.</li>
<li>Locality: Enter city or town where your company is registered to do business.</li>
<li>State: Enter state where your company is registered to do business.</li>
<li>Country: Enter country where your company is registered to business.</li>
</ul>
<p>&nbsp;</p>
<p>After you have verified the information you entered, click &quot;Create Keyring&quot;. The keyring file and a &quot;stash&quot; file (file type &quot;sth&quot;) holding the keyring password will be created in the Notes\data directory on the Notes client. Copy these files to the Domino\data directory on the server.</p>
<p>&nbsp;</p>
<p><b>Step 3: </b>Merge a CA certificate as a trusted root This step may not be necessary for your CA. It depends on whether or not Domino already has a trusted root for the CA that you chose. Domino includes several trusted root certificates for VeriSign and others. You can view the list of already installed root certificates by selecting the &quot;View and Edit Keyrings&quot; view in the Server Certificate Administration database. If your CA's root certificate is not present, instructions similar to the following can be used to obtain and install a root certificate.</p>
<ul>
<li>Browse to the CA's web site and look for the &quot;trusted root&quot;.</li>
<li>Copy the trusted root certificate information to a notepad file (cert.txt).</li>
<li>Open the Server Certificate Administration database.</li>
<li>Click &quot;Install Trusted Root Certificate&quot; into Key Ring.</li>
<li>Enter the name of the keyring file (use the default name, keyfile.kyr).</li>
<li>Enter the name used to identify the certificate: (eg., name of your CA)</li>
<li>Paste the contents of the notepad file (cert.txt) into the provided field.</li>
<li>Click &quot;Merge Trusted Root Certificate into Key Ring&quot;.</li>
<li>Enter password for keyring file and click OK.</li>
</ul>
<p>&nbsp;</p>
<p><b>Issue Request for Signed Certificate </b></p>
<p>&nbsp;</p>
<p>Now you can actually request a signed certificate that will have to be merged into the keyring file. Issue the request from the Server Certificate Administration database on the Domino server. From the Server Certificate Administration database, click Create &quot;Certificate Request&quot;. Complete the following fields.</p>
<ul>
<li>key ring file name: x:\domino\data\keyfile.kyr (x: = drive containing Domino\data directory). &middot; Log certificate request: yes</li>
<li>Method: paste</li>
<li>Click &quot;Create Certificate Request&quot;</li>
<li>Copy the certificate to a notepad file, server_request.txt. This is your Certificate Request.</li>
<li>Save the notepad file.</li>
</ul>
<p>&nbsp;</p>
<p>The following instructions will not be as specific as those above because the exact remaining steps for requesting your certificate will depend on CA that you have chosen.</p>
<ul>
<li>Go to CA's web site to request the certificate.</li>
<li>Follow instructions for requesting a certificate for Lotus Notes - you will have to paste your Certificate Request (the contents of the notepad file, server_request.txt, created above) during the certificate request process. This is the certificate that will be signed.&nbsp;</li>
</ul>
<ul>
<li>You will receive an email from the CA telling you your certificate is ready. This message will tell you how to pick up the certificate or may send the certificate to you.</li>
<li>Copy the certificate into a notepad file, server_signed.txt.</li>
<li>Merge the signed certificate into the keyring file
<ul>
<li>Open the Server Certificate Administration database</li>
<li>Click &quot;Install Certificate into Key Ring&quot;</li>
<li>Paste the contents of the server_signed.txt file into the form that is presented</li>
<li>Click &quot;Merge Certificate into Key Ring&quot;</li>
</ul>
</li>
</ul>
<p>&nbsp;</p>
<p>That completes the process for installing a signed certificate on you Domino server. You are now ready to provide server authentication, encryption, and data integrity for clients accessing your Domino web server. If you have the need to provide client authentication, you should follow instructions for the browser you are using to initiate a certificate request. These instructions should be available at your browser's web site.</p>
<p>&nbsp;</p>
<p>As you can see, the options for authentication and method for enabling encryption when using a browser are quite different from using a Notes client. The need for security must be evaluated against ease of use for the end user and management of the server and users from an administrator's perspective. With the increasing demand for access to mail and company Intranets from the Internet, a Domino administrator is likely to face these decisions. Hopefully, the information in this paper will assist the administrator with making these decisions.</p>

Introduction

 

Lotus Notes/Domino is a widely used group collaboration and messaging platform originally designed to work in a client-server architecture using proprietary protocols. The client is known as Notes, and the server is known as Domino. Later releases of Domino incorporated the use of Internet standard protocols and provided for access to Domino servers using web browsers as well as the Notes client. This helped Domino shops meet the demand for Internet access to email and databases using a browser.

 

The original and still current architecture incorporates the use of key pairs based on RSA technology. The public key is stored in the Domino Directory; the private key is stored in a password protected ID file on the Notes client. This model provides robust authentication and encryption and is tightly integrated into the architecture requiring little effort on the part of the administrator to implement. However, this model is not relevant to the browser user accessing a web enabled Domino server. The purpose of this paper is to provide Domino administrators who are familiar with the client-server architecture with an understanding of authentication options and associated security characteristics for the web enabled Domino server. Specific implementation guidance for various options will be presented. This paper is based on Domino version 6.x. However, essential security-related differences between Domino 6.x and earlier versions will be explained. A brief explanation of Domino web server basics will be provided to enhance the reader's understanding of authentication options and requirements in a

 

Domino web server model.

 

Basic understanding of the traditional client-server model of Domino is assumed. Domino Web Server Basics In order to understand Domino web server authentication, it will help to first understand the basics of a Domino web server. There are three methods for serving web pages from a Domino server. First, Domino can serve web pages that are stored inside a Domino database in native Notes format. When requested by a browser, Domino will translate the Notes format into HTML and send the page to the browser via HTTP. Typically, this type of presentation would not be very attractive. The second method for serving web pages is to store HTML code inside a form in any Domino database. Using this method, the pages will be presented without translation to the browser. This allows for more options and a better looking web page. If the database will be available to both the Notes client and a browser, the developer will have to create code to detect whether a Notes client or browser is being used so the appropriate format can be presented. The third method for presenting web pages is to store HTML code in the server's file system. Using the file system to store web pages may require some additional security measures beyond what is covered in this document.

 

When Domino is initially installed, you will have the option to load HTTP services during the installation. This is all that is required to web enable your Domino server. If HTTP was not installed initially, you can enable the Domino web server manually by loading the HTTP task at any time. This can be done by typing "load HTTP" at the server console. To enable the web server every time Domino starts, add "HTTP" to the "ServerTasks" line in the notes.ini file. To unload HTTP, type "tell HTTP quit" at the server console, or remove the HTTP task from the notes.ini file and restart Domino.

 

Once the HTTP task is started, you can view Domino databases with a browser. For example, instead of clicking on the bookmark in the bookmark bar on the Notes client to open names.nsf (the Domino Directory), you would launch your browser and enter "http://SeverName.DomainName/names.nsf" in your browser's address bar. Unless the administrator had set the server and databases up to allow anonymous access, you would then be required to authenticate. Because the traditional Notes client is not being used to access the server, the familiar public/private key pair and Notes ID file will not be involved in authenticating or authorizing the user. Other methods to authenticate and authorize access to various databases will have to be used.

 

As a side note, the reader should understand that typically, adding the HTTP task is not all you would do to make your Domino server into a web server. A typical application might be to create an HTML file or Domino database that would serve as the default home page for your web server with links to other databases. There is a field in the server document for specifying the name of the default home page.

 

Authentication Model

 

Access to Domino using HTTP can be accomplished anonymously or by using a challenge/response security model requiring the user to know a valid user name and password. The valid user name and password must be in the primary Domino Directory or in an alternate directory. Domino supports the use of multiple directories including third party LDAP directories. Some companies may choose to store user names and passwords for browser users in a directory separate from Notes client users. The use of multiple directories is explained in the Lotus Administering the Domino System books. After authenticating, users will be authorized to access only those databases that have an Access Control List (ACL) that permits access to the authenticated user. Users who do not have a valid user name and password in the Domino directory can only access Domino web sites that permit anonymous access and can only access databases that have an ACL that permits anonymous access.

 

The same process for registering users to access Domino with a Notes client can be used to register users for access to Domino with a browser. Creation of the Notes ID file is optional and not needed if the Notes client will not be used. The user name that will be required for authentication will be created during the registration process. Additionally, you can select to assign an Internet or browser password during registration or assign a password later by adding a password to the "Internet password" field in the person document in the directory after the person is registered. This allows you to assign browser passwords for persons previously registered for using the Notes client only.

 

Management and security of Internet or browser passwords was improved in version 6.x of Domino when compared to earlier versions. Domino 5.x and earlier had no built-in ability to manage browser passwords. Domino 6.x added the ability to allow end user changing of browser passwords, assign password quality, and enforce expiration. Password history can be maintained for Notes clients, but is still not available for browser passwords. An administrator may choose to synchronize Notes and browser passwords and force an update of the browser password when the Notes password is changed. This would essentially enforce a history for the browser, but will introduce another vulnerability created by using the same password for both the Notes client and the browser.

 

The new password management features are implemented primarily when using a new feature in Domino 6.x called "Policies". A policy is a document created by the administrator to apply certain default settings for several administrative areas including registration and security. See Chapter 9 in Lotus Software Domino 6, Administering the Domino System, Volume1 (http://www-12.lotus.com/ldd/doc/uafiles.nsf/docs/domino6PR2/$File/adminvol1.pdf for more information about policies.

 

There are still significant vulnerabilities in browser password management that can be addressed with custom applications. One of the most difficult to manage risks related to browser password management is how to identify and authenticate users who call the help desk claiming to have forgotten a password. A third party application that addresses this issue is Web Set Password by PistolStar (www.pistolstar.com/websetpassword_features.html). Web Set Password allows the user to initially select a password challenge question and answer. If the user forgets his password, he can select the originally chosen challenge question from a list. If the user knows the answer to the challenge question, he can then assign a new password for himself. Additionally, Web Set Password adds other security features missing from Domino such as strike-out (locking accounts after a determined number of failed attempts to enter the correct password), disabling of password auto-complete, and logging of invalid user names and passwords that were attempted. Web Set Password also adds to Domino's ability to control password complexity by disallowing certain passwords like "password" or the user's name and checking chosen passwords against a dictionary.

Also, Lotus has made available a Domino Web Server Application Programming Interface (DSAPI) which is a C API that allows a developer to write extensions or filters for the web server allowing customization of web server authentication. For more information about the DSAPI, look for the Lotus C API Toolkit for Domino at http://www14.software.ibm.com/webapp/download/search.jsp?q=toolkit+jdbc+notessql& k=any&cat=groupware&sb=&go=y&srs=1&rs=&S_TACT=&S_CMP=&pf=&dt=&x=28 &y=8.

 

Password Formats

 

However the password is created, it is automatically hashed when it is entered in the "Internet password" field in the person document. Hashing is an encryption method that creat


File Attachment Icon
38d75cdf4ec3b49dedd2.jpg
File Attachment Icon
8a9b98e789fb73a52aea.jpg
File Attachment Icon
9fe51f690f75f52bac64.jpg
File Attachment Icon
bb11e56bf5770f295666.jpg
File Attachment Icon
e9edea3484287e762739.jpg
File Attachment Icon
9bbc9fe2f1fe0ba052ef.jpg
File Attachment Icon
213480e0edfc17a24eed.jpg
File Attachment Icon
f5be08e165fd9fa3c6ec.jpg
File Attachment Icon
3e4ce982859e7fc0268f.jpg
File Attachment Icon
e6c37d916e8d94d3cd9c.jpg
File Attachment Icon
c9d9cb17df0b25557c1a.jpg