
Preparation

Before Bravura Security Fabric can perform operations, you must:

  1. Configure a target system administrator

  2. Install the client software

  3. Install the lcppn.dll

  4. Create at least one template account

  5. Set up a certifier repository for ID files

  6. Implement cross certification

  7. Configure a deny access group

  8. Configure default mail file ACLs

    Note

    The following instructions are for Lotus Notes 6.5. Details may vary depending on your version of the software.

Configuring a target system administrator

Bravura Security Fabric uses a designated account (for example, psadmin) on the Lotus Domino Server target system to perform operations.

Create an administrative account for the Domino Directory on each target server.

Copy the designated administrator’s ID file to a directory on the Bravura Security Fabric server. You will be required to enter the path to the ID file and its password when you add the target system to Bravura Security Fabric. Because this ID file and its password grant administrative access to the Domino Directory, restrict file system permissions on the copied ID file to the account under which Bravura Security Fabric runs.

Configuring the Lotus Notes client

You must install the Lotus Notes client on the Bravura Security Fabric server. It is recommended that you choose a single-user installation, which installs the notes.ini file in the install directory.

On the Bravura Security Fabric server:

  1. Update the system PATH to include the directory in which you installed the Lotus Notes client.

  2. If you run IIS, reboot the server to ensure that the new path information is loaded.

  3. Set the target system administrator account as the default user on the Lotus Notes client.

    Choose: File > Security > Switch ID.

  4. Copy the files getpass.dll and psynchpwd.dll from the util directory into the same directory that contains the nnotes.dll file.

    For Lotus Notes version 6.x and 7.x, the default location is C:\Program Files\lotus\notes.

    For Lotus Notes version 8 and 8.5, the default location is C:\Program Files\IBM\lotus\notes.

    For Lotus Notes version 9, the default location is C:\Program Files\IBM\notes.

  5. Edit the notes.ini file in that same directory. At the end of the file add this line followed by a blank line:

    EXTMGR_ADDINS=psynchpwd.dll

    If this line already exists, then add psynchpwd.dll to the beginning of the list (after the = symbol) and separate it from the other processes with a comma:

    EXTMGR_ADDINS=psynchpwd.dll,process2.dll,process3.dll

    Ensure that the permissions on the notes.ini file allow all users to read and write. Because EXTMGR_ADDINS names the DLLs that the Notes client loads, treat notes.ini and the Notes directory as sensitive: keep human users off this server (see the Note below) and audit changes to the file.

  6. Locate nnotes.dll. Include the path to nnotes.dll in the path environment variable:

    1. Open Control Panel > System > Advanced > Environment Variables.

    2. Click on the Path variable, under System variables, and click Edit.

    3. Enter the path to nnotes.dll in the Variable value field. Be sure to separate the paths with a semicolon.

    4. Click OK, then click OK again to close Environment Variables.

  7. If the Lotus Notes client is open, close it and start it again so it re-loads the latest notes.ini file.

    Note

    Ensure that the Lotus Notes client is not used by human users on the Bravura Security Fabric server and that the last user to have logged in was the administrative account. Never log into Lotus Notes from the Bravura Security Fabric server using any login ID other than the one which is used by Bravura Security Fabric to manage accounts and/or passwords.
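The following script is an added example, not part of Bravura Security Fabric or its connector, that automates steps 1, 4, 5 and 6 of the client configuration above on the Bravura Security Fabric server. The two paths are assumptions: $NotesDir is the single-user Notes directory that holds nnotes.dll and notes.ini (shown here as the Notes 9 default), and $UtilDir is the connector's util directory that holds getpass.dll and psynchpwd.dll. Run it from an elevated PowerShell.

```powershell
# Added example (not Bravura Security Fabric tooling): configure the Notes client
# on the Bravura Security Fabric server. Run from an elevated PowerShell.
$NotesDir = 'C:\Program Files\IBM\notes'   # assumption: Notes 9 default location
$UtilDir  = 'C:\Bravura\util'              # assumption: connector util directory

function Add-ExtMgrAddin {
    # Puts $Dll first in the EXTMGR_ADDINS list of notes.ini (creating the line if
    # it is missing), keeps any other add-ins after it, and leaves a trailing blank
    # line as the procedure requires. Safe to re-run: $Dll is never duplicated.
    param([string]$IniPath, [string]$Dll = 'psynchpwd.dll')

    $lines = @(Get-Content -Path $IniPath)
    $idx = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^\s*EXTMGR_ADDINS\s*=') { $idx = $i; break }
    }
    if ($idx -lt 0) {
        $lines += "EXTMGR_ADDINS=$Dll"
    } else {
        # Existing list after the '=', trimmed, without blanks or an old copy of $Dll
        $others = @((($lines[$idx] -split '=', 2)[1] -split ',') |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ -and $_ -ne $Dll })
        $lines[$idx] = 'EXTMGR_ADDINS=' + ((@($Dll) + $others) -join ',')
    }
    # Appending '' yields the blank line at the end of the file.
    Set-Content -Path $IniPath -Value (@($lines) + '')
}

function Add-MachinePath {
    # Appends $Dir to the system (Machine) PATH if it is not already there, so the
    # Notes DLLs (nnotes.dll and friends) resolve for the Bravura services.
    param([string]$Dir)
    $current = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    $parts = @($current -split ';' | Where-Object { $_ })
    if ($parts -notcontains $Dir) {
        [Environment]::SetEnvironmentVariable('Path', (($parts + $Dir) -join ';'), 'Machine')
    }
}

$nnotes = Join-Path $NotesDir 'nnotes.dll'
if (-not (Test-Path $nnotes)) { throw "nnotes.dll not found in $NotesDir; adjust `$NotesDir" }

foreach ($dll in 'getpass.dll', 'psynchpwd.dll') {            # step 4
    Copy-Item -Path (Join-Path $UtilDir $dll) -Destination $NotesDir -Force
}
Add-ExtMgrAddin -IniPath (Join-Path $NotesDir 'notes.ini')    # step 5
Add-MachinePath -Dir $NotesDir                                 # steps 1 and 6 (same directory in a single-user install)
Write-Host "Done. Restart the Notes client (and reboot if IIS is running) so the new PATH and notes.ini are loaded."
```

The script does not change the permissions on notes.ini and does not perform step 3 (switching the default ID), which remain manual; after it runs, open notes.ini and confirm that psynchpwd.dll is the first entry on the EXTMGR_ADDINS line.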

Installing lcppn.dll

After installing the Lotus Notes client, obtain the lcppn.dll and move it to the same location as the notes.ini file.

Note

Contact your Lotus Notes solution provider to obtain the lcppn.dll. The 32-bit version is required.

Creating the administrative account

To create an administrative account for Bravura Security Fabric, first create an administration group that can manage the Domino Directory. When creating an administration group, you must:

  • Name the group

  • Grant access to the database

  • Define the type of access being granted

To create an administration group with Domino Administrator:

  1. From a Windows workstation, select Programs > Lotus Applications > Lotus Domino Administrator.

  2. Log into Lotus Domino Administrator by typing your login ID and password in the appropriate fields.

  3. Select the People & Groups tab.

  4. Select Domino Directories > Groups > Add Group.

  5. Type a name for the new group in the Group Name field of the Basics tab. Complete the remaining fields as necessary.

  6. Click Save and Close to close the New Group window.

To give the group administrative rights to the Domino Directory:

  1. Select the Files tab in the Lotus Domino Administrator window.

  2. Right-click the names.nsf file in the middle pane and select Access Control > Manage.

    The Access Control List dialog box displays.

  3. Click Add.

    The Add User dialog box displays.

  4. Click the user icon to view the Names dialog box.

  5. Select the name of the new administration group from the left pane. Click Add to move it to the right pane.

  6. Click OK to close the Names dialog box.

  7. Select the name of the new administration group in the left pane of the Access Control List tab.

  8. Set the Access drop-down list to Manager.

  9. In the Roles list box ensure User Creator, User Modifier, and Group Modifier are selected.

  10. Click OK.

After you create the administration group, create the target system administrator account then add it to the group. To do this:

  1. Create a new account.

    See Creating a template account for more information.

  2. From the Lotus Domino Administrator window, select the People and Groups tab, then select Groups to view the list of administration groups in the right pane.

  3. Right-click the group name to which you want to add the account and select Manage Groups.

    The Manage Groups window displays.

  4. Select the name of the account from the left pane.

  5. Select the name of the administration group to which you want to add the account from the right pane.

  6. Click Add.

    The name of the target system administrator account displays under the name of the administration group in the right pane.

  7. Click Done to close the Manage Groups window.

The administrative account also requires appropriate permissions on the certifier repository for ID files (named pscert.nsf by default) in order to create new Lotus Notes users on the Domino server. In the access control list for pscert.nsf, set the account’s permissions as:

  • User type : Person

  • Access : Manager

and select the Delete documents and Replicate or copy documents checkboxes.

See your Lotus Notes system administrator or Lotus Notes documentation for more information if necessary.

Creating a template account

Bravura Identity uses template accounts as models or "blueprints" for creating new accounts on Lotus Domino Server targets.

The following illustrates an example of how you can create a template account:

  1. From a Windows workstation, select Programs > Lotus Applications > Lotus Domino Administrator.

  2. Log into Lotus Domino Administrator by typing your user name and password in the appropriate fields.

  3. Select the People and Groups tab and expand Domino Directories.

  4. Right-click People and select Register Person to view the Choose a Certifier dialog box.

  5. Enter the Certifier password.

  6. Click OK to view the Register Person – New Entry dialog box.

  7. Type the new account’s names and password in the appropriate fields.

  8. For Lotus Notes users, ensure that the Create a Notes ID for this person checkbox is selected.

  9. Click the checkbox next to Advanced in the left section of the dialog box.

    For a Lotus Notes user:

    1. Click ID Info to view the Location for storing user ID section of the dialog box.

    2. Ensure the checkboxes next to In Domino Directory and In file are selected.

    3. Click Set ID File to search for and select the ID file location.

  10. Click the check mark button (add user).

    The account’s name displays in the User Registration Queue.

  11. Click Register.

    A message is displayed to confirm if the registration is successful.

  12. Click Done to close the Register Person window.

  13. Configure any additional attributes in the template account that you want to be automatically set for new accounts.

    For non-Notes Internet-only users:

    1. Double-click the user you just created.

      The Person Record for: <User Name> window displays.

    2. Click Edit Person to edit the user’s details.

    3. Click the Basics tab.

    4. Type an Internet Password for the user.

  14. Click Save and Close to close the Person Record for: <User Name> window.

See your Lotus Notes system administrator or Lotus Notes documentation for more information if necessary.

Enabling certification authority

If you are using the CA (Certification Authority) process, edit agtdmno.cfg and set:

"certificate-authority = yes"

When this is set, the default CA server is selected when creating accounts or enabling cross-certification (rename), and you do not have to set up the certifier repository described in Setting up a certifier repository for ID files.

Follow Lotus Notes Domino documentation for setting up CA. Start the CA process by doing the following on the Lotus Notes server:

  1. From Domino Administrator, click the Server - Status tab.

  2. Select a task in the top pane.

  3. Click Start and choose Certificate Authority (CA) Process, then start the task.

Setting up a certifier repository for ID files

Newly provisioned ID files must be certified with an appropriate certifier ID before they can connect to the Domino server. Bravura Security Fabric houses these ID files in a certifier repository to use during provisioning. The certifier repository must be configured before a new user can be created.

You can use an existing certifier repository by defining database options in the configuration file that is specified in the target address. Configuration options are defined in Writing a configuration file for Lotus Domino target systems.

Alternatively, you can create a certifier repository with the default settings used by Bravura Security Fabric.

Note

You do not need to do this if you are using the CA process.

To create a certifier repository:

  1. From a Windows workstation, select Programs > Lotus Applications> Lotus Domino Designer.

    The Lotus Domino Designer window displays.

  2. Log into Lotus Domino Designer by typing your login ID and password in the appropriate fields.

  3. Click Create a New Application to open the New Application window.

  4. Select the appropriate server, not the local server.

  5. In the Title field, type a description of the repository.

  6. Type pscert.nsf in File Name field.

    The default file name is pscert.nsf. If you use a different file name, you must specify it in the target configuration file.

  7. Select Blank from the list box.

  8. Click OK to open the Design-Forms window.

  9. Create a new form:

    1. Click New Form.

    2. In the Name field, type CertifierForm, then close the dialog box.

    3. In the new form, type CertifierName and then a space.

    4. Right-click after the space and select Create Field to open the Field dialog box.

    5. In the Name field, type CertifierName, then close the dialog box.

    6. Click in the new form (after the newly created CertifierName field) to return focus to Design Forms and press Enter to add a new line.

    7. On the new line, type Password and then a space.

    8. Right-click after the space and select Create Field to open the Field dialog box.

    9. In the Name field, type Password, then close the dialog box.

    10. Select File > Save.

  10. Create a new view:

    1. Select Views from the bookmark.

    2. Double-click the untitled view. Right-click the # column and select View Properties, type CertifierView in the Name field, then close the dialog box.

    3. Right-click the # column, then select Column Properties, type CertifierName in the Title field, then close the dialog box.

    4. Right-click next to CertifierName and select Append New Column.

      The newly created column displays.

    5. Right-click on the new column and select Column Properties to display the Column dialog box.

    6. Type Password in the Title field and then close the dialog box.

    7. Select the CertifierName column.

    8. In the CertifierName (column): Column Value pane, select the Field radio button and click CertifierName.

    9. Select the Password column.

    10. In the Password (column): Column Value pane, select the Field radio button and click Password.

    11. Select File > Save to save the view.

Use the addcert program to add a certifier’s ID file to the Bravura Security Fabric Certifier Repository, for integration with a Lotus Notes target system.

Usage

addcert.exe -s <ServerAddress> -i <adminIDfile> -p <password>
             -certid <certifierID> -certp <password> -idfile <path>
             [--instance <instance>]
Table 1. addcert arguments

  -i <adminIDfile> -p <password>
      Credentials (administrator ID file and its password) that the connector uses to log in before starting.

  -s <ServerAddress>
      Server address, in the format <server>[/<config-file.cfg>].

  -certid <certifierID>
      The certifier’s short name.

  -certp <password>
      The current password for the certifier’s ID file.

  -idfile <path>
      Full path to the certifier’s ID file.

  --instance <instance>
      Name of the Bravura Security Fabric instance on which to run this utility, used to locate log information. If not specified, the program looks for the default instance.


Examples

  • To add a certifier’s ID file by supplying the target system administrator credentials and server address:

    addcert.exe -i c:\admin.id -p haikou02 -s 10.10.77.188 -certid /bravura
    -certp haikou02 -idfile c:\cert.id

    Both passwords are passed on the command line, so run addcert interactively on the Bravura Security Fabric server rather than from a script or scheduled job whose command lines are logged.

Note

Ensure that every certifier added is also copied to the administrator’s personal address book. To do this, launch the Notes client, select File > Open > IBM Notes Application > Server DB > Server’s Directory (names.nsf) > Security > Certificates > Notes Certifiers, select all of the certifiers, and click Copy to Personal Address Book.

Implementing cross certification

In order to enable the MoveContext operation for Lotus Notes targets, you must implement cross certification on the Domino server.

Cross certification is a process within Lotus Notes where one certifier is given permission to be able to certify operations under another organization or organizational unit.

There is a certifier ID file for each organization and organizational unit. This file is modified during the cross certify process.

The cross-certify process must be completed in both directions. For example, to cross certify "A" and "B", complete the process from "A" to "B", then complete it again from "B" to "A".

To implement cross certification:

  1. From a Windows workstation, select Programs > Lotus Applications > Lotus Domino Administrator.

  2. Enter your login ID and password to log into Lotus Domino Administrator.

  3. Click the Configuration tab.

  4. Select Tools > Registration > Organizational Unit.

    1. Enter your server name in the Server field.

    2. Select the radio button for Supply certifier ID and password.

    3. Click Certifier ID, then browse to select the ID you want to use.

    4. Click OK.

  5. Type the certifier’s password, then click OK.

  6. In the Register organizational unit certifier window:

    1. Click Registration Server, then select the correct server name instead of the default (local).

    2. Enter the organizational unit name and password.

    3. Click Register to complete the ou registration.

  7. Select Tools > Certification > Cross certify.

    1. Type your server name in the Server field.

    2. Select radio button for Supply certifier ID and password.

    3. Click Certifier ID, then browse to select the ID you want to use.

    4. Click OK.

  8. Input certifier’s password, then click OK.

  9. Choose the ID to be cross certified. The Issue Cross Certificate window loads.

  10. Select Subject name, then click Cross certify.

  11. Repeat this procedure for the second certifier to complete two-way certification.

Configuring a deny-access group

Lotus Domino servers do not provide a native disable user operation. The most common solution to this problem is for you to create a "deny access" group on the Domino server with no access to any of the server’s resources. You can then move users in and out of this group, thus enabling or disabling their access to the server’s resources. The agtdmno agent uses the Disable and Enable account operations to move users in and out of the "deny access" group. By default, these operations are disabled and must be configured once the group is created.

Warning

If a deny-access group is present in the agtdmno.cfg file but not on the server, all users will be denied access.

To create the deny access group on the Domino server:

  1. Log into the server with administrative privileges.

  2. Select the People and Groups tab.

    1. Click on Deny Access Groups, then use Add Group to add a new group.

      Set the group’s Category to "Administrator" and Group Type to "Deny List only".

  3. Select the Configuration tab.

    1. Select Server > Current server document.

    2. Select the Security tab.

    3. In the Server Access section, set Not Access server to the new deny access group you just created.

  4. Ensure that your changes are saved.

To configure the Disable, Enable, and IsEnabled account operations for agtdmno on the Bravura Security Fabric server: edit the "deny-access" option in the Domino server configuration file to include the name of the deny-access group. See Writing a configuration file for Lotus Domino target systems for details.

Note

If the user is an administrator that is listed or is part of a group that is listed in the "Full Access administrators" field in the Domino server’s Security tab, then that user can not be disabled using this method.
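Because a deny-access group that is named in agtdmno.cfg but missing from the server locks every user out (see the Warning above), it is worth verifying the group before enabling the Disable and Enable operations. The following function is an added example, not part of the agtdmno agent: it uses the Notes COM interface (Lotus.NotesSession) of the client installed on the Bravura Security Fabric server, so it runs under the same ID the connector uses, and reports whether the group exists in the Domino Directory and is a "Deny List only" group. The hidden lookup view name "($Groups)", the GroupType value "3" for "Deny List only", and the server and group names are assumptions to confirm against your directory.

```powershell
# Added example (not part of agtdmno): check the deny-access group before you
# reference it in agtdmno.cfg. Requires the Notes client on this server.
function Test-DenyAccessGroup {
    param(
        [Parameter(Mandatory)][string]$Server,     # Domino server, e.g. 'mail01/Example' (placeholder)
        [Parameter(Mandatory)][string]$GroupName,  # value you intend to put in the deny-access option
        [string]$IdPassword                        # password of the current Notes ID (the psadmin ID)
    )
    $session = New-Object -ComObject Lotus.NotesSession
    $session.Initialize($IdPassword)
    $names = $session.GetDatabase($Server, 'names.nsf')
    if (-not $names.IsOpen) { throw "Cannot open names.nsf on $Server" }

    # Assumption: ($Groups) is the hidden lookup view keyed by group name.
    $view = $names.GetView('($Groups)')
    $doc  = $view.GetDocumentByKey($GroupName, $true)   # exact match on the sorted key column

    $result = [ordered]@{
        Group        = $GroupName
        Exists       = ($null -ne $doc)
        GroupType    = $null
        DenyListOnly = $false
    }
    if ($doc) {
        # Assumption: GroupType '3' corresponds to "Deny List only" in the group form.
        $type = $doc.GetItemValue('GroupType')[0]
        $result.GroupType    = $type
        $result.DenyListOnly = ($type -eq '3')
    }
    [pscustomobject]$result
}

# Usage: refuse to proceed unless the group exists; warn if it is not Deny List only.
$pw    = Read-Host 'Notes ID password'
$check = Test-DenyAccessGroup -Server 'mail01/Example' -GroupName 'DenyAccess' -IdPassword $pw
if (-not $check.Exists) {
    throw "Group '$($check.Group)' not found on the server; do not set deny-access in agtdmno.cfg yet"
}
if (-not $check.DenyListOnly) {
    Write-Warning "Group exists but is not 'Deny List only' (GroupType=$($check.GroupType))"
}
$check
```

Run it once after creating the group and again after any directory replication delay; only set the "deny-access" option in agtdmno.cfg when Exists is True. The check does not confirm that the group is listed in the server document’s Not access server field or that a user is exempt because of Full Access administrators; verify both in Domino Administrator.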

Configuring default mail file ACL settings

The following procedure details how to set the default access control list (ACL) attributes on a new Domino/Notes user’s mail file. Its purpose is to ensure that mail files created by Bravura Security Fabric contain the required access rights. By default Bravura Security Fabric gives only the new user access to the new mail file. If additional ACL entries are required, add them to the mail file template using the square bracket notation (for example, [a user]). This tells Domino that any database created from this template should have "a user" in its ACL. A common use is to give Bravura Security Fabric the right to delete the user’s mail file, but any ACL entry that you require can be added to the mail file this way.

To set default mail file ACL attributes:

  1. Using Lotus Domino Administrator, open the access control dialog box for the appropriate mail file template; for example mail7.ntf.

  2. Add the required accounts or groups to the access control list.

    Ensure that the user or group is surrounded by square brackets; for example, [psadmin/domain]. This tells Domino to apply the ACL to databases created from the template, and not the template itself. You can add the square brackets by clicking Rename after adding the user or group.

  3. Define the access control level for the users or groups added previously; for example, if Bravura Security Fabric will be used to de-provision users and delete their mail file, set permissions as:

    • User type: Person

    • Access : Manager

    and select Delete documents and Replicate or copy documents checkboxes.

  4. Click OK to close the access control list dialog.
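The three ACL changes this page asks for (the administration group on names.nsf with the User Creator, User Modifier and Group Modifier roles; the psadmin account on the pscert.nsf certifier repository; and the bracketed entry on the mail file template) all follow the same pattern, so the function below is an added example, not part of Bravura Security Fabric, that applies any of them through the Notes COM interface of the client on the Bravura Security Fabric server. It assumes the role names in names.nsf are UserCreator, UserModifier and GroupModifier (the Domino Administrator labels without spaces, passed to EnableRole without brackets), that the current Notes ID is already a Manager of each database, and uses placeholder server, group and account names.

```powershell
# Added example (not Bravura Security Fabric tooling): set ACL entries via Notes COM.
$ACLLEVEL_MANAGER     = 6   # NotesACLEntry.Level for Manager access
$ACLTYPE_PERSON       = 1   # NotesACLEntry.UserType for Person
$ACLTYPE_PERSON_GROUP = 4   # NotesACLEntry.UserType for Person group

function Set-DominoAclEntry {
    # Creates or updates one ACL entry and returns what was written so it can be checked.
    param(
        [Parameter(Mandatory)]$Session,                # an initialized Lotus.NotesSession
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$DbFile,        # 'names.nsf', 'pscert.nsf', 'mail7.ntf', ...
        [Parameter(Mandatory)][string]$Name,          # 'psadmin/Example' or '[psadmin/Example]' on a template
        [int]$Level    = $ACLLEVEL_MANAGER,
        [int]$UserType = $ACLTYPE_PERSON,
        [string[]]$Roles = @(),
        [switch]$DeleteDocuments,
        [switch]$ReplicateOrCopy
    )
    $db = $Session.GetDatabase($Server, $DbFile)
    if (-not $db.IsOpen) { throw "Cannot open $DbFile on $Server" }
    $acl   = $db.ACL
    $entry = $acl.GetEntry($Name)                      # $null when the entry does not exist yet
    if ($null -eq $entry) { $entry = $acl.CreateACLEntry($Name, $Level) } else { $entry.Level = $Level }
    $entry.UserType                    = $UserType
    $entry.CanDeleteDocuments          = [bool]$DeleteDocuments
    $entry.CanReplicateOrCopyDocuments = [bool]$ReplicateOrCopy
    foreach ($r in $Roles) { $entry.EnableRole($r) }   # assumption: role names without brackets
    $acl.Save()
    [pscustomobject]@{
        Database     = $DbFile
        Entry        = $Name
        Level        = $entry.Level
        Roles        = $entry.Roles
        CanDelete    = $entry.CanDeleteDocuments
        CanReplicate = $entry.CanReplicateOrCopyDocuments
    }
}

$session = New-Object -ComObject Lotus.NotesSession
$session.Initialize((Read-Host 'Notes ID password'))
$srv = 'mail01/Example'                                # placeholder server name

# 1. Administration group on the Domino Directory: Manager plus the three roles
Set-DominoAclEntry -Session $session -Server $srv -DbFile 'names.nsf' -Name 'BravuraAdmins' `
    -UserType $ACLTYPE_PERSON_GROUP -Roles 'UserCreator', 'UserModifier', 'GroupModifier'

# 2. Certifier repository: the psadmin account as Person, Manager, delete and replicate/copy
Set-DominoAclEntry -Session $session -Server $srv -DbFile 'pscert.nsf' -Name 'psadmin/Example' `
    -DeleteDocuments -ReplicateOrCopy

# 3. Mail template: the bracketed name is inherited by mail files created from the
#    template and is not an entry on the template itself
Set-DominoAclEntry -Session $session -Server $srv -DbFile 'mail7.ntf' -Name '[psadmin/Example]' `
    -DeleteDocuments -ReplicateOrCopy
```

Compare the Roles column of the first result against the role list in Domino Administrator to confirm that the role names were matched; if EnableRole in your Notes release expects the bracketed form, pass '[UserCreator]' and so on instead.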