
www.vasco.com
The world’s leading software company specializing in Internet Security

Quick Installation Example: Plug-in for Lotus Domino, Version 2.0

© 2007 - 2008 VASCO Data Security. All rights reserved.

Table of Contents
1. Overview
2. Problem Description
3. Solutions
   3.1 Lotus Domino Replication
       Features
       Disadvantages
   3.2 Lotus Domino Web Access
       Features
4. Technical Concept
   4.1. General Overview
   4.2. Configuration of Lotus Domino
5. Supported platforms and configurations
6. Conclusion
About VASCO
For more info

Disclaimer of Warranties and Limitation of Liabilities

All information contained in this document is provided ‘as is’; VASCO Data Security assumes no responsibility for its accuracy and/or completeness. In no event will VASCO Data Security be liable for damages arising directly or indirectly from any use of the information contained in this document.

Copyright

© VASCO Data Security 2007 - 2008. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security.

Trademarks

DIGIPASS and VACMAN are trademarks of VASCO Data Security. All other trademarks are trademarks of their respective owners.


1. Overview

The purpose of this document is to show how the Plug-In for Lotus Domino can enhance the security of roaming users who connect to their Lotus Notes data through Domino’s web interface. This guide is one example of how the plug-in may be installed; other, more advanced configurations are possible.

2. Problem Description

Most people need to access their work data at any time and from anywhere, over the most global network there is, the Internet. The Internet is a perfect tool for roaming users, but it is also well known for its security weaknesses. VASCO’s goal with the Plug-In for Lotus Domino is to secure the authentication of roaming users so that their credentials cannot be reused or stolen. The weakest link in any security infrastructure is the static password, hence the need for strong, two-factor user authentication: something you have and something you know.

3. Solutions

Lotus Domino allows remote users to access their Lotus Domino databases (such as e-mail, price lists, corporate applications, etc.) through a web interface. The solutions listed below allow users to remotely access their Domino documents, such as mail or Notes data.

3.1 Lotus Domino Replication

Lotus Notes users can create a local replica of their mail file on their laptop, either over a direct dial-up connection or over the Internet. This method uses the regular Notes ID file to provide the secured environment.

FEATURES
• Full access to the mail file
• Secure: communication may be encrypted, and access to the database is protected by Domino’s integrated security mechanism

DISADVANTAGES
• May only be used from the user’s own PC; cannot be used from an Internet kiosk PC
• Making an Internet connection may be too difficult for the average end user: the PC must be connected to a phone line or to a LAN, an Internet POP must be known, the user must have an account with the foreign Internet Service Provider, and TCP/IP settings must be configured
• Replication may take too much time
• If dial-up is involved, further disadvantages appear:
  o Connecting a PC to a phone line may be too difficult for the average user, especially when travelling in foreign countries
  o High communication costs
  o It is not always possible to connect a PC to a phone line in a hotel room
  o The Domino server requires a dedicated modem pool


3.2 Lotus Domino Web Access

Accessing a Domino server over HTTP is a very good option in terms of deployment ease and cost. However, such a solution does not use the standard Notes security model: instead of a Notes user ID, a simple username and password model is used. This limits the security of the system, and security-focused companies are not willing to expose employees’ mail files to the web when they are protected only by a static password.

With the VASCO Plug-In for Lotus Domino, roaming users access protected resources with their Web Access user ID and remain subject to the genuine Lotus Notes Access Control List; the only change is that a dynamically generated One-Time Password replaces the static password. You can still enforce the security model with server-based certificates.

FEATURES
• Easy access to the full mail file from any Internet-connected PC: a public PC, a PC at a customer or supplier, a hotel-room television. No need to install any file on the client. Cookies are not required
• Low communication charges
• No need to replicate: just open the mail messages you need to read
• Easy to use: most people know how to use a browser
• Secure access: the data flow is encrypted, the server’s identity is guaranteed by SSL, and one-time passwords replace static ones
• No agents or mail rules required on the Domino server
• No risk of infinite mail loops. All mail is kept on the Domino server located in the DMZ
• Complete mail history: the end user always works in the same mail file. All received and sent messages are kept in a single file
• Compatible with basic and session-based authentication
• Selective deployment is possible: not every user of HTTP access must have a VASCO token
• Based on proven VASCO technology
• Scalable solution: pay as you grow
• Compatible with 5.X, 6.X and 7.X servers
• No user training required
• May be used with any Domino directory configuration: single directory, multiple directories, directory assistance
• The Plug-In for Lotus Domino is active only during the authentication phase. Once the user is authenticated, the Domino security model protects all resources: ACL, realm settings, file access parameters, …
• May be used to protect access to any Notes database, not just the mail file
• No need to modify the firewall. Only HTTP or HTTPS traffic flows between the user and the server

Hence, the Plug-In for Lotus Domino secures HTTP(S)-based authentication so that remote users can safely access their Domino applications, databases and mailboxes.

By using patented DIGIPASS technology, you eliminate the weakest link in any security infrastructure: the static password, which is easily stolen, guessed, reused or shared.

A DIGIPASS can be deployed as a small hand-held device, as a smart-card reader, or as software for computers, laptops, PDAs or mobile phones.

4. Technical Concept

4.1. General Overview

The Plug-In for Lotus Domino mainly resides in a Lotus Domino (.nsf) database used for administration tasks (DIGIPASS import, assignment, etc.). A set of runtime libraries is executed when a Notes database is accessed through the web interface: the Domino HTTP task calls these runtimes whenever the credentials of a web user must be validated. Once the user has been authenticated by the VASCO runtimes, he may access all Domino resources in the traditional way.

Administrative rights rely on the embedded Lotus Notes ACLs, as do all further reads and updates of the NSF. The Plug-In for Lotus Domino solution is 100% Domino based: there is no need to install any additional hardware or software.

4.2. Configuration of Lotus Domino

• Copy the Help database (.nsf) and the VASCO Plug-in for Lotus Domino template (.ntf) into the Lotus client working directory; ideally they go at the DATA root of the Domino server.
• Open the Lotus Administrator and use it to open the LOCAL server.

Architecture overview (figure): the browser reaches the Lotus Domino HTTP service over HTTP or HTTPS; the HTTP service calls the VASCO runtimes, which consult the user database and the VASCO NSF database (NSF documents).


• Select the FILE tab and select the databases to sign.

• Select TOOLS in the right pane, then under Database select SIGN.


• Select the active user ID to sign the NSF and confirm all prompts.

• Launch Lotus Designer, open the VASCO Plug-in for Lotus Domino template (.ntf file) and set the proper ACL for it, using the File/Database/Access Control menu.

• Create an NSF database from the template:
  o Launch the Lotus Notes client and go to the File/Database/New menu,
  o Select From Template and browse to the VASCO Plug-in for Lotus Domino template.


• The Plug-in for Lotus Domino configuration database opens and lets you continue the process.

• Select File/Database/Access Control and set your admin roles.


• Install the runtime libraries. To install them you have to detach them from the DIGIPASS Pack for Lotus Domino database into the specified folders, such as c:\lotus\notes and c:\lotus\domino. Select System/Installation in the navigator; the document ‘Runtime Files’ contains the required runtime libraries.

Detaching the runtime files and saving them to the relevant folders.


• Update notes.ini to reflect these changes. notes.ini is located in the Domino binaries folder.

  o STDBFileName: specifies the location of the VACMAN Middleware for Lotus Domino application database. This database resides in the Domino data directory or one of its subdirectories.

    Example: STDBFileName=Vacman\VascoKey.nsf

  o STDBServer: specifies the hierarchical name of the Domino server where the active application database resides.

    Example: STDBServer=Acme/SVR/Comp

  o STDebugLevel: numeric parameter that specifies the amount of logging to the Domino log file and console generated by the DSAPI filter.

    Example: STDebugLevel=0 (no logging at all; the highest value, 6�, is full logging)

  o CheckCacheBeforeDSAPI=1: only related to the Lotus Domino fix for issue SPR MBAB�MKP�C in the Lotus Knowledge Base, which makes DSAPI filters behave consistently; refer to the Lotus Knowledge Base for further details.
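To check these settings before restarting the HTTP task, here is a small pre-flight script. It is an added example, not part of the VASCO package: it parses a notes.ini, verifies the four parameters above and flags the mistakes that are easy to make (an absolute STDBFileName, a flat STDBServer name, an out-of-range STDebugLevel, a CheckCacheBeforeDSAPI other than 1). The sample notes.ini is constructed, and the accepted STDebugLevel range 0..6 is an assumption, because the upper bound is garbled in the source document.

```python
"""Pre-flight check of the notes.ini parameters read by the Plug-in for Lotus Domino.

Added example, not part of the VASCO package. Parameter names are those of the guide;
the accepted STDebugLevel range (0..MAX_DEBUG_LEVEL) is an assumption, since the
upper bound is garbled in the source document.
"""
from pathlib import PureWindowsPath

MAX_DEBUG_LEVEL = 6  # assumption, see module docstring

# Constructed sample of a notes.ini after following the steps above.
SAMPLE_NOTES_INI = """\
[Notes]
Directory=C:\\Lotus\\Domino\\Data
ServerName=Acme/SVR/Comp
STDBFileName=Vacman\\VascoKey.nsf
STDBServer=Acme/SVR/Comp
STDebugLevel=0
CheckCacheBeforeDSAPI=1
"""


def parse_notes_ini(text: str) -> dict:
    """Return {key: value}. notes.ini keys are case-insensitive, so they are lower-cased."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("[", ";")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip()
    return settings


def check_plugin_settings(settings: dict) -> list:
    """Return the list of findings; an empty list means the settings look consistent.

    Findings prefixed 'warning:' do not stop the filter from loading but deserve a look.
    """
    findings = []
    for name in ("STDBFileName", "STDBServer", "STDebugLevel"):
        if name.lower() not in settings:
            findings.append(f"{name} is missing")

    db = settings.get("stdbfilename")
    if db is not None:
        path = PureWindowsPath(db)
        if path.is_absolute() or ".." in path.parts:
            findings.append("STDBFileName must be relative to the Domino data directory")
        if path.suffix.lower() != ".nsf":
            findings.append("STDBFileName should name an .nsf database")

    server = settings.get("stdbserver")
    if server is not None:
        if "/" not in server:
            findings.append("STDBServer should be a hierarchical name such as Acme/SVR/Comp")
        local = settings.get("servername")
        if local and local.lower() != server.lower():
            # The guide requires the hierarchical name to resolve to an IP address.
            findings.append(f"warning: STDBServer {server} is not this server; check name resolution")

    level = settings.get("stdebuglevel")
    if level is not None:
        if not (level.isdigit() and int(level) <= MAX_DEBUG_LEVEL):
            findings.append(f"STDebugLevel must be an integer from 0 to {MAX_DEBUG_LEVEL}")
        elif int(level) > 0:
            findings.append("warning: STDebugLevel above 0 is verbose; set it back to 0 after troubleshooting")

    cache = settings.get("checkcachebeforedsapi")
    if cache is not None and cache != "1":
        findings.append("CheckCacheBeforeDSAPI must be 1 when present")

    return findings


if __name__ == "__main__":
    for finding in check_plugin_settings(parse_notes_ini(SAMPLE_NOTES_INI)) or ["OK"]:
        print(finding)
```

Run it against a copy of the live notes.ini (read the file and pass its text to parse_notes_ini) before issuing the HTTP restart; a non-empty list of findings is cheaper to fix now than after the DSAPI filter has refused to load.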


• Add the DSAPI filter in the server document so that authentication requests are handled by VASCO dynamic authentication. To add a DSAPI filter, open Lotus Notes Administrator, go to the Configuration tab, browse ‘All Server Documents’ and select the server document. Switch to edit mode and add the DSAPI filter name (ndpld.dll) in the HTTP section.

Adding the DSAPI filter

Verify that the Domino hierarchical name resolves properly to an IP address. This can be achieved with Domino connection documents, DNS entries, hosts files, or by specifying the IP address or FQDN of the Windows machine that runs Domino. In the screenshot, name resolution is achieved by entering the FQDN of the Windows machine in the server document (tab Ports/Notes Network Ports).


• Select System/Licenses and click the action Tools/New License to create a new license document. For a demo license, the serial number can be found in the README.TXT provided with the package.

First open the Plug-in for Lotus Domino configuration database, go to Parameters and Licensing, and under TOOLS select ‘Generate activation request’.

License settings in the application


• Copy this activation request and go to https://www.vasco.com/dpdomino/licensing. Fill in the form and you will receive a LICENSE.DAT file that you can import and activate.

Licensing web page

Once the licensing process is completed, your Plug-In for Lotus Domino is fully installed and ready to run. Restart the HTTP task with these two commands in the Domino console:

    TELL HTTP QUIT
    LOAD HTTP

Result of an HTTP task restart


• In APPLICATION PARAMETERS, update the information fields so that the DIGIPASS definition files (.DPX) can be imported correctly.

Application parameters details

• Save and close the application profile. Navigate to the “Tokens > All” section in the navigator and click the action button Tools > Import Tokens.


If you use demo.dpx (the evaluation file shipped with the package), the application name is ‘APPLI 1’ and the initialisation key is ‘11111111111111111111111111111111’ (32 times 1).

Importing a DPX file.

DPX file imported successfully.


• You can now list the free DIGIPASS tokens present in your database, select one and assign it to a user (Tools > Options > Assign).

Detail of a DIGIPASS assignment

DIGIPASS list with assigned users.


Launch your browser and enter the URL of a protected Lotus Domino document; the session authentication form (or the basic authentication pop-up) appears.

Session-based authentication screen and basic authentication pop-up.

Enter your regular user ID and, instead of the static password, the One-Time Password generated by your DIGIPASS.

From now on the authentication process relies on the VASCO dynamic authentication scheme: a captured password is worthless because it is only valid once. Only the “Response Only” operating modes are supported by the Plug-in for Lotus Domino. Please contact your VASCO representative, or visit the VASCO web site, for further details about DIGIPASS operating modes.
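The following added example (not VASCO’s code) models the decision the DSAPI filter makes at login: the user ID is looked up, the submitted string is checked as a one-time password against the token assigned to that user, and a previously accepted OTP is refused. Because the DIGIPASS algorithm is VASCO’s own, HOTP (RFC 4226, an event-counter response-only scheme) stands in for it here; the look-ahead window of 10, the user names, the RFC test secret and the ‘not_handled’ fall-through for users without a token (the selective deployment mentioned under Features) are assumptions made for the example.

```python
"""Response-only OTP check with replay protection (added example, not VASCO code).

HOTP (RFC 4226, HMAC-SHA1 over an event counter) stands in for the proprietary
DIGIPASS algorithm. The window size, user names and the fall-through behaviour for
users without a token are assumptions made for this example.
"""
import hashlib
import hmac
import struct

LOOK_AHEAD = 10  # assumption: how far ahead of the server the token may have drifted


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class TokenStore:
    """Server-side token state: the shared secret and the last counter the server accepted."""

    def __init__(self):
        self._tokens = {}

    def assign(self, user: str, secret: bytes) -> None:
        # Counterpart of "assign a DIGIPASS to a user" in the configuration database.
        self._tokens[user.lower()] = {"secret": secret, "last": -1}

    def has_token(self, user: str) -> bool:
        return user.lower() in self._tokens

    def verify(self, user: str, otp: str) -> bool:
        """Accept otp if it matches a counter in (last, last + LOOK_AHEAD]; then advance.

        Never accepting a counter at or below the last one is what makes a sniffed OTP
        worthless: replaying it fails although it was valid moments before.
        """
        tok = self._tokens[user.lower()]
        for candidate in range(tok["last"] + 1, tok["last"] + 1 + LOOK_AHEAD):
            if hmac.compare_digest(hotp(tok["secret"], candidate), otp):
                tok["last"] = candidate
                return True
        return False


def dsapi_decision(store: TokenStore, user: str, password: str) -> str:
    """Model of the filter's authentication event.

    'accept' / 'reject' mean the filter handled the event itself; 'not_handled' hands
    users without a token back to Domino's own password check (selective deployment).
    """
    if not store.has_token(user):
        return "not_handled"
    return "accept" if store.verify(user, password) else "reject"


if __name__ == "__main__":
    # Constructed demo using the RFC 4226 test secret.
    secret = b"12345678901234567890"
    store = TokenStore()
    store.assign("Alice Smith/Acme", secret)
    first = hotp(secret, 0)                                        # 755224
    print(dsapi_decision(store, "alice smith/acme", first))        # accept
    print(dsapi_decision(store, "alice smith/acme", first))        # reject (replay)
    print(dsapi_decision(store, "alice smith/acme", "Secret123"))  # reject (static password)
    print(dsapi_decision(store, "Bob/Acme", "Secret123"))          # not_handled
```

The point to take from the model is the counter update: the server only moves forward, so an attacker who records a successful login cannot reuse what he saw, which is exactly the property the static-password model lacks.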


5. Supported platforms and configurations

The current version of the Plug-in for Lotus Domino has been tested on Windows 2000/200� for Intel platforms. The software requires a Domino R5, R6 or R7 server and an administrative workstation. Due to a known issue (see Lotus Knowledge Base nr 1877��) the DSAPI filter does not run on R5.0.7 or R5.0.8.

R6 may be configured in three authentication modes:
A - basic authentication
B - session-based authentication, single server
C - session-based authentication, multi-server

Option B is not supported, but you can configure option C even when working in a single-server environment.

6. Conclusion

Lotus Domino with the Plug-In for Lotus Domino authentication solution provides roaming users with easy-to-deploy, secure access to corporate published applications anywhere, anytime, anyhow.

VACMAN®, IDENTIKEY®, aXs GUARD®, and DIGIPASS® are registered trademarks of VASCO Data Security. All trademarks or trade names are the property of their respective owners. VASCO reserves the right to make changes to specifications at any time and without notice. The information furnished by VASCO in this document is believed to be accurate and reliable. However, VASCO may not be held liable for its use, nor for infringement of patents or other rights of third parties resulting from its use. © 2007 - 2008 VASCO. All rights reserved.

About VASCO

VASCO designs, develops, markets and supports patented DIGIPASS user authentication products for the financial world, remote access, e-business and e-commerce. With tens of millions of DIGIPASS products sold, VASCO has established itself as a world leader in Strong User Authentication for e-Banking and Enterprise Security for blue-chip corporations and governments worldwide.

For more info

BOSTON (North America) phone: +1.508.�66.��00 email: info-usa@vasco.com
SYDNEY (Pacific) phone: +61.2.8�20.�666 email: info-australia@vasco.com
SINGAPORE (Asia) phone: +65.6�2�.0�06 email: info-asia@vasco.com
BRUSSELS (Europe) phone: +�2.2.60�.�7.00 email: info-europe@vasco.com