
Targeting Lotus Domino

For each Domino domain, add a target system in Bravura Security Fabric (Manage the System > Resources > Target systems).

  • Type is Lotus Domino Server.

  • Address uses the following options:

    Server - The name (or IP address) of the Domino server or servers.

    Config file - The name of file used to manage Lotus Notes client users, or to specify additional parameters for non-Notes users.

    See Writing a configuration file for Lotus Domino target systems to learn how to write the configuration file.

    The address syntax is entered as:

      {server={<server>;[<server>...];};config=<cfgfile>;}

  • Administrator ID is the path to the administrator’s Notes ID file on the Bravura Security Fabric server that you configured earlier.

    Note

    Multiple Domino replication servers are supported, which allows Bravura Security Fabric to carry out operations on the first available Domino server relative to the Bravura Security Fabric server. The Domino server uses replication to propagate the changes made on the first available Domino server to all other servers, providing them with the most up-to-date information.

The full list of target system parameters is explained in Target System Options.
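As an added example (not code from this documentation or from Bravura Security Fabric), the following Python helpers compose and parse the address syntax shown above, so that a list of replication servers and a configuration file name can be turned into the exact string the target system expects and checked back. The server names and file name are constructed for the example; treating the config part as optional is an assumption based on the note that no configuration file is needed when only the HTTP password is managed.

```python
"""Compose and parse the Lotus Domino target-system address syntax
{server={<server>;[<server>...];};config=<cfgfile>;}
(added example; not part of Bravura Security Fabric)."""
import re

# One or more servers between the inner braces, each terminated by ';'.
# The config part is treated as optional here (assumption: the page says no
# configuration file is needed when only the HTTP password is managed).
ADDRESS = re.compile(
    r'^\{server=\{(?P<servers>[^{}]*)\};(?:config=(?P<config>[^;{}]+);)?\}$'
)


def build_domino_address(servers, config=None):
    """Return the address string for the given replication servers (in
    preference order) and the optional configuration file name."""
    servers = [s.strip() for s in servers if s and s.strip()]
    if not servers:
        raise ValueError('at least one Domino server is required')
    # Braces and semicolons are syntax characters and cannot appear in a value.
    for value in servers + ([config] if config else []):
        if any(ch in value for ch in '{};'):
            raise ValueError(f'{value!r} contains a syntax character')
    address = '{server={' + ''.join(f'{s};' for s in servers) + '};'
    if config:
        address += f'config={config};'
    return address + '}'


def parse_domino_address(address):
    """Split an address into its server list and configuration file name
    (None when no config part is present)."""
    m = ADDRESS.match(address.strip())
    if not m:
        raise ValueError(f'malformed Domino address: {address!r}')
    servers = [s.strip() for s in m.group('servers').split(';') if s.strip()]
    if not servers:
        raise ValueError('address names no Domino server')
    return {'servers': servers, 'config': m.group('config')}


if __name__ == '__main__':
    # Constructed values: a hub server with one replica and the sample
    # configuration file name used on this page.
    addr = build_domino_address(['hub01/ExampleOrg', 'mail02/ExampleOrg'], 'agtdmno.cfg')
    print(addr)
    print(parse_domino_address(addr))
```

Because the first server listed is the one the agent tries first, keep the hub server at the front of the list when composing the address.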

Writing a configuration file for Lotus Domino target systems

If you are managing Lotus Notes client users, write the configuration file in KVGroup format and add it to the <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\script\ directory. The sample agtdmno.cfg is included in the <instance>\samples\ directory.

If you cannot find the sample file, try re-running setup to modify your installation. Sample files are automatically installed with complete (typical) installations. You can select them in custom installations.

If you only want to manage the HTTP password, a configuration file is not necessary.

Text inside <angle brackets> indicates variables.

Unused settings on lines without {curly braces} must be commented out.

#KVGROUP-V2.0
hid:domino = {
  target = {
    # Name of the names.nsf-like database to target
    #database = <name>;
  };
  views = {
    # Name of the user view; defaults to "People"
    #user       = <name>;
    # Name of the group view; defaults to "Groups"
    #group      = <name>;
    # Name of the deny group view; defaults to "Server/Deny Access Groups"
    #deny-group = <name>;
  };
  short-id = {
    # Name of the short id field or column name used to derive the short id;
    # defaults to "ShortName"
    #field          = <name>;
    # Name of the sort-column field used in searching for the short id;
    # defaults to "Name"
    #sort-column    = <name>;
    # Flag used to indicate whether to derive the short id from a view value;
    # defaults to "no"
    #use-view-value = <yes|no>;
    # Flag used to indicate whether to treat short IDs as unique
    # values when creating users. Note that Lotus Domino does not
    # require short IDs to be unique.
    # defaults to "no"
    #unique         = <yes|no>;
  };
  certifier = {
    # A Certificate Authority can be used to register new users.  If
    # the "certificate-authority" value is set, the registration
    # process will attempt to obtain the CA context.
    # If the "certificate-authority" value is not set, the certifier
    # database will be used.
    #certificate-authority = <yes|no>;
    # Name of the certificate authority server (defaults to the target
    # system's server)
    #certificate-authority-server = <servername>;
    # -- OR --
    # Name of the certifier database; defaults to "pscert.nsf"
    #database           = <name>;
    # Name of the field used to hold the certifier's name;
    # defaults to "CertifierName"
    #name-field         = <name>;
    # Name of the field used to hold the certifier's password;
    # defaults to "Password"
    #password-field     = <name>;
    # Flag used to indicate whether the password stored in the
    # password field is encrypted; defaults to "yes"
    #password-encrypted = <yes|no>;
    # Name of the field where the id-file is stored;
    # defaults to "Certifier"
    #id-file-field      = <name>;
  };
  mail = {
    # Used to indicate if and how to delete a user's mailfile;
    # defaults to "adminp"
    #delete-mailfile = <adminp|force|no>;
    delete-mailfile = force;
    # Flag used to indicate whether to look up the mail server;
    # defaults to "no"
    #lookup-mail-server = <yes|no>;
  };
  delete = {
    # Used to indicate if and how to delete a user's record;
    # defaults to "adminp"
    #delete-user = <adminp|force>;
    delete-user = force;
  };
  groups = {
    # Name of the deny access group, which needs to be set by the user
    #deny-access = <name>;
  };
  password-management = {
    # Clear the password digest. Defaults to "yes".
    #clear-password-digest = <yes|no>;
    id-file = {
      # Flag used to indicate whether or not to manage a user's
      # note ID file password; defaults to "no"
      #reset                       = <yes|no>;
      # Flag used to indicate whether or not to update the password
      # change date. Defaults to "yes".
      #update-password-change-date = <yes|no>;
      # Flag used to indicate whether or not to manage a user's
      # note ID file password located in a user's note;
      # defaults to "no"
      #usernote-attachment-update  = <yes|no>;
      # Used to indicate the name of the id file located in a user's note,
      # which needs to be specified by the user
      #usernote-attachment-name    = <%shortid%|%existing%|<name>>;
      # Flag used to indicate whether or not to manage a user's note ID
      # file password located in a user's mailfile; defaults to "no"
      #mailfile-attachment-update  = <yes|no>;
      # Flag used to indicate, when updating the mail file copy of a
      # user's id file, whether to do so under the context of the admin
      # user or the target user.  In order to be able to do this as the
      # admin user, the admin user id must have sufficient privileges to
      # every user's mail file.  If set to 'yes', the connector will
      # temporarily switch to the target user's id file in order to update
      # the attachment on the mail file.  This setting defaults to "yes"
      #mailfile-attachment-switchid = <yes|no>;
      # Name of the batch file to run, which needs to be specified
      # by the user
      #batch-file                  = <name>;
      # Flag used to indicate that the Notes ID Vault is being
      # used to store user ID files (available in Lotus 8.5 or
      # later); defaults to no
      #use-vault = <yes|no>;
      # Name of the server on which the ID Vault resides; defaults to
      # the target system's server
      #vault-server = <name>;
      # Name of the id vault database
      #vault-database = <name>;
      # The number of ID downloads available from the vault after a reset;
      # defaults to 0 (unlimited)
      #download-count = <number>;
      # List users from the id vault.  Listing will only be done either from
      # the id vault or from the main database, as specified in the "target"
      # section above, not from both databases
      #list-vault = <yes|no>;
      # Delete id file backups from the id vault during the delete operation
      #vault-delete = <yes|no>;
      # List inactive accounts from the ID Vault; defaults to "no"
      #list-inactive = <yes|no>;
      # This flag controls whether the reset operation should fail or succeed
      # when we are unable to reset the ID file password AND both the id file
      # is being managed (password-management/id-file/reset = yes) and the web
      # password (password-management/web-password/reset = yes) is also being
      # managed.
      #
      # NOTE: if the web-password is being managed, and updating it fails, the
      #       operation will fail regardless of this setting.
      #
      # The default value for this flag is 'yes', so id file reset failures
      # will be treated as operation failures.
      #
      #fail-idfile-reset-error = <yes|no>;
    };
    # Used to manage the HTTP/Internet password
    web-password = {
      # Flag used to indicate whether or not to manage a user's web
      # password. Defaults to "yes"
      #reset = <yes|no>;
      # Flag used to indicate whether or not to update the password
      # change date. Defaults to "yes".
      #update-password-change-date = <yes|no>;
    };
  };
  attributes = {
    # Marks the listed attributes as "multi-valued", allowing the agent to
    # read and write more than one value to the field.
    # By default, all attributes are viewed as single-valued.
    multivalued = {
      # attrname1;
      # attrname2;
    };
  };
};

Avoiding replication delays

In a large Lotus Notes/Domino network, network replication delays are very high. Under normal operation Bravura Security Fabric targets a single server (for example, the hub server). It may take a long time to replicate changes from the hub to all mail servers, and the user may not be able to log in to the mail server during this time.

In order to avoid problems caused by network latency, you can configure the Lotus Domino agent to locate a user’s designated mail server, so that Bravura Security Fabric can perform operations directly on that server.

To configure the Lotus Domino password agent to locate a user’s mail server, include the following option within the mail KVGroup in the configuration file:

  "lookup-mail-server" = "yes"

If this option is not included or the value is no, the agent uses the default mail server.

Configuring Disable, Enable, and IsEnabled account operations

To configure the Disable, Enable, and IsEnabled account operations for agtdmno on the Bravura Security Fabric server:

  1. Configure a "deny access" group on the Domino server.

    See Configuring a deny-access group for details.

  2. Edit the deny-access option in the Domino server configuration file to include the name of the group.

      groups = {  
        # Name of the deny access group which needs to be set by the user  
        #deny-access = <name>;
      };

You can also edit the name of the group in the views section of the configuration file.

Managing a user’s note ID file password

In Lotus Notes there are four places where a user’s ID file is stored:

  1. In a user’s document

  2. In an ID file stored in the mailfile

  3. In a location accessible to a batch file

  4. The Notes ID vault

The following are some of the options for managing a user’s note ID file password in different locations. These and other options are located within the id-file KVGroup in the configuration file:

  • reset determines whether or not to manage a user’s note ID file password. If set to yes, Bravura Pass is able to manage, reset and verify passwords on an ID file. The default is no.

    The ID file must also exist in the DID table before it can be managed by Bravura Pass. There are two ways to add a user’s note ID file to the DID table:

    1. Using the Bravura Security Lotus Notes Extension. For details, see Lotus Notes Extension.

    2. Using upddid.

  • usernote-attachment-update determines whether or not to manage a user’s note ID file password within the user’s document. If set to yes, Bravura Pass is able to manage, reset and verify passwords on the ID file in a user’s document. The default is no.

  • batch-file specifies the name of a batch file; setting it enables this option. If a batch file is specified, agtdmno attempts to run the batch file and perform the operations contained within. This is often used to run copy operations and copy changes to other ID files. There is a sample batch file in the samples directory.

    If you cannot find the sample file, try re-running setup to modify your installation. Sample files are automatically installed with complete (typical) installations. You can select them in custom installations.

    For more information, see Configuring Bravura Pass batch files.

Use the upddid program to add, delete, or update entries in the Bravura Security Fabric did table (the digital ID repository). This program is installed with Bravura Security Fabric .

Requirements

Note the following:

  • Use double quotes (") to specify -didloc, -idfileloc, and -idfiledir arguments.

  • Escape backslashes in file names. That is, write \\.

Usage

upddid.exe -cmd get|put|delete -password <password> -target <target ID> [-workstnid <workstation ID>] [-nosid <NOS ID>] [-account <account ID>] [-didloc <digital ID path>] -idfileloc <filename> [-serverid <domino server>]

Table 1. upddid arguments

  -cmd <command>
      The command to execute. Possible values are:
        get     Retrieve an ID file from the did table.
        put     Add or update an ID file in the did table.
        delete  Remove an ID file from the did table.

  -password <password>
      The password for the new digital ID.

  -target <target ID>
      The Lotus Notes target ID for the new digital ID.

  -nosid <network operating system ID>
      The user’s network account ID. This argument is required for a put operation.

  -account <account ID>
      The account ID for the stored digital ID. This argument is optional for the put command, but required for the get and delete commands.

  -workstnid <workstation ID>
      The ID of the client workstation on which the update is taking place.

  -didloc <digital ID path>
      The location path of the digital ID on the client workstation.

  -idfiledir <folder>
      The folder used to store retrieved digital ID files.

  -idfileloc <filename>
      The input or output location of the digital ID, including the full path and the ID file name.

  -serverid <serverid>
      The ID of the Lotus Domino server. If not specified, the serverid field in the did table is left empty.


The upddid program verifies the supplied password before adding entries to the did table. It extracts the account name from the digital ID file.

Examples

  1. To get a digital ID file from the repository and place it in the c:\ directory, type on one line:

    upddid.exe -cmd get -account "CN=test 1/O=hitachi-id" -target DD -nosid test -workstnid WINxp206 -idfileloc "c:\psns\t1.id"

  2. To get a digital ID file from the repository and place it in the current working directory, type on one line:

    upddid.exe -cmd get -account "CN=test 1/O=hitachi-id" -target DD -nosid test -workstnid WINxp206 -idfiledir "."

  3. To put a digital ID file from the c:\ directory into the did table, type on one line:

    upddid.exe -cmd put -password haikou02 -target DD -nosid test -workstnid WINXP206 -didloc "c:\\id7\\t1.id" -idfileloc "c:\\id7\\t1.id" -serverid "domino7r"

  4. To delete a digital ID file:

    upddid.exe -cmd delete -account "CN=test 1/O=hitachi-id" -target DD -nosid test -workstnid WINXP20

Managing passwords and accounts in the vault

To configure Bravura Security Fabric to reset passwords and create user accounts in the Notes ID vault:

  • Your Lotus Notes server must use version 8.5 or newer

  • The Bravura Security Fabric server must use Notes client version 8.5.2 or newer

  • The vault must have a policy configured

  • The configuration file must have reset and use-vault enabled

  • If the vault is located on a different server than the one you are targeting, then set the vault-server value in the configuration file

Once you have configured the vault-related values in the configuration file, run auto discovery.

If you are experiencing any issues with the Notes ID vault, disable the clear-password-digest and update-password-change-date settings.
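As an added example (not code from this documentation or from the agtdmno connector), the following Python script parses the KVGroup subset used by the sample agtdmno.cfg shown earlier, reports unbalanced groups, and checks that reset and use-vault are both enabled under password-management/id-file before a vault reset is relied on. The grammar it accepts (a `name = {` line opens a group, `};` closes it, `key = value;` sets a value, a bare `entry;` lists an item, `#` starts a comment) is inferred from the sample file on this page and is an assumption; the configuration text is constructed for the example.

```python
"""Parse the KVGroup subset used in agtdmno.cfg and check the vault
prerequisites (added example; not part of Bravura Security Fabric)."""
import re

# Grammar inferred from the sample file on this page (assumption):
#   name = {      opens a group        };       closes it
#   key = value;  sets a value         entry;   lists a bare entry
#   # ...         comment to end of line (unused settings are commented out)
GROUP_OPEN = re.compile(r'^([A-Za-z0-9_:.-]+)\s*=\s*\{$')
SETTING = re.compile(r'^"?([A-Za-z0-9_.-]+)"?\s*=\s*"?([^";]*?)"?\s*;$')
BARE_ENTRY = re.compile(r'^([A-Za-z0-9_.%-]+)\s*;$')


def parse_kvgroup(text):
    """Return nested dicts: groups become dicts, settings become strings,
    bare entries become True. Raises ValueError on unbalanced groups."""
    root = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()   # drops comments and the #KVGROUP header
        if not line:
            continue
        m = GROUP_OPEN.match(line)
        if m:
            child = {}
            stack[-1][m.group(1)] = child
            stack.append(child)
            continue
        if line == '};':
            if len(stack) == 1:
                raise ValueError(f'line {lineno}: unmatched }};')
            stack.pop()
            continue
        m = SETTING.match(line)
        if m:
            stack[-1][m.group(1)] = m.group(2).strip()
            continue
        m = BARE_ENTRY.match(line)
        if m:
            stack[-1][m.group(1)] = True
            continue
        raise ValueError(f'line {lineno}: cannot parse {line!r}')
    if len(stack) != 1:
        raise ValueError(f'end of file: {len(stack) - 1} unclosed group(s)')
    return root


def vault_prerequisites(cfg):
    """Return the configuration problems that would stop vault resets:
    both reset and use-vault must be yes under password-management/id-file."""
    id_file = (cfg.get('hid:domino', {})
                  .get('password-management', {})
                  .get('id-file', {}))
    problems = []
    for key in ('reset', 'use-vault'):
        if str(id_file.get(key, 'no')).lower() != 'yes':
            problems.append(f'password-management/id-file/{key} must be yes')
    return problems


def check_config(text):
    """Parse text and return a list of problems; an empty list means ready."""
    try:
        cfg = parse_kvgroup(text)
    except ValueError as exc:
        return [str(exc)]
    return vault_prerequisites(cfg)


# Constructed configuration for the example (not a real site's file).
SAMPLE_CFG = """#KVGROUP-V2.0
hid:domino = {
  target = {
    database = names.nsf;
  };
  password-management = {
    id-file = {
      reset = yes;
      use-vault = yes;
      vault-server = vault01/ExampleOrg;
    };
    web-password = {
      reset = yes;
    };
  };
  attributes = {
    multivalued = {
      PhoneNumber;
    };
  };
};
"""

if __name__ == '__main__':
    print(check_config(SAMPLE_CFG))
    print(check_config(SAMPLE_CFG.replace('use-vault = yes;', '#use-vault = yes;')))
```

Running the check before auto discovery catches the two common mistakes this section warns about: a setting left commented out (so the default no applies) and a group whose closing `};` was lost while editing.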

Specifying the name of the ID file in a user’s note

The usernote-attachment-name setting can be used to set the name of the id file in a user’s note to the %shortid%, %existing%, or a custom <name>.

This setting is not enabled unless the usernote-attachment-update setting is set to yes.

There is no default setting. The options are:

  • %shortid% – sets the ID file in a user’s note to the user’s Bravura Security Fabric Short ID name.

  • %existing% – does not rename the ID file in a user’s note.

    You must include the % symbols when using either the %shortid% or %existing% settings.

  • <name> – sets the ID file to whichever custom name you supply.

Recommended use:

  • Creation operations – only use the %shortid% or <name> options.

  • Reset operation – use the %existing% option.

    Caution

    Do not use the %existing% option if you plan to create users and use the reset operation.

Updating ID files attached to mail files

The mailfile-attachment-update option enables the agent to update ID files that are attached to a user’s mail file. The default is no.

The name of the ID file attached to the mail file is always UserID.

This option is only supported for Lotus Domino version 7.x and for mail files that are created using the dwa.ntf template.

Only an ID file created by Lotus Notes and stored in the mail file will allow a user to read encrypted emails on the Domino Web Access web page.

For example, to update ID files attached to mail files, set mailfile-attachment-update in the id-file KVGroup of the agtdmno.cfg file to:

 "mailfile-attachment-update"= "yes"

Deleting a user’s mail file

The delete-mailfile setting determines how a user’s mailfile is handled when the user’s account is deleted. When the value is:

  • no – the mailfile is not deleted when the account is deleted.

  • adminp – (default) the mailfile deletion request is queued in the Domino administrative process. The Domino administrator must manually approve the deletion request before the mailfile is deleted.

  • force – the mailfile is deleted immediately by the agent.

In order to give the psadmin user permission to open a user’s mailfile, and delete it, you must set the proper mail file ACL settings.

See Configuring default mail file ACL settings .

Handling multi-valued attributes

The multivalued setting determines which attributes are multi-valued. By default, all attributes are treated as single-valued.

An example of setting PhoneNumber to a multi-valued attribute:

  multivalued = {
    PhoneNumber;
  };