SECURITY
Authenticating clients and servers using SSL
IBM® Lotus® Notes® and other Internet clients use the SSL protocol to encrypt data, authenticate server identity and, optionally, authenticate client identity when a Lotus Notes or other Internet client connects to an Internet server -- for example, a Web server or an LDAP server.
On the server, SSL is set up on a protocol-by-protocol basis. You can enable SSL on all protocols or enable SSL on some protocols but not others. For example, you can enable SSL on mail protocols (IMAP, POP3, SMTP) and disable it for HTTP.
Server authentication lets clients verify the identity of the server to which they are connecting, to make sure that another server is not posing as the server they want to access.
Client certificate authentication lets server administrators identify the client accessing the server and control access to applications based on that identity. For example, if you want Alan Jones to have Editor access to a database and all others accessing the database to have no access, you can set up the application database ACL to include Alan Jones as an Editor and Anonymous as No Access.
Lotus Notes and other Internet clients that use client certificate authentication have an Internet certificate that is stored in the Lotus Notes ID file for the Lotus Notes client, and in a local file for other Internet clients. The certificate includes a public key, a name, an expiration date, and a digital signature. The corresponding private key is also stored in the ID file, but separately from the certificate. For Lotus Notes clients, the client certificate is also stored in the Lotus Domino Directory so that others can access the public key.
Lotus Notes and Internet clients can obtain Internet certificates from either a Lotus Domino certification authority or a third-party certifier.
How you set up the client depends on whether the server requires client certificate authentication.
As an administrator, you should carefully consider whether you want to require client certificate authentication. If you do not need to identify Internet users who access the server, you do not need to set up client authentication. In fact, in some cases, requiring an Internet certificate may deter users from accessing a server -- for example, a server that hosts a Web site. If you require an Internet certificate, users need to perform additional steps to obtain the certificate and set up client certificate authentication.
Note: By enabling the setting "Accept SSL Site Certificates" in the Location record, the Lotus Notes client can ignore cross-certificates and server authentication entirely. The user can also choose to create cross-certificates on the fly when connecting to a server using SSL.
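The server-authentication checks described above, as an added example that is not part of this IBM documentation: the Go program below builds a constructed certifier and a server certificate in memory using only the standard library, then performs the checks a client makes before trusting a server (signature chains to a certifier the client holds a cross-certificate for, the name matches the intended host, the certificate is unexpired). The certifier name "Example Certifier" and host names such as mail.example.com are constructed placeholders; passing nil as the trusted certifier models a client with no cross-certificate, which is the check that "Accept SSL Site Certificates" skips.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with signer's key; parent == tmpl yields a self-signed certifier.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain generates in memory a certifier (CA) certificate and a server certificate for host
// signed by it. Keys and names are constructed for this example, not taken from a real deployment.
func BuildChain(host string, notAfter time.Time) (ca, srv *x509.Certificate, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Certifier"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if ca, err = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	// Server certificate: public key, name, expiration date and the certifier's digital signature.
	srv, err = issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: now.Add(-time.Hour), NotAfter: notAfter}, ca, &srvKey.PublicKey, caKey)
	return ca, srv, err
}

// ServerAuthOK is the client-side server-authentication check: the certificate must chain to a
// certifier the client trusts (its cross-certificate), name the host the client meant to reach,
// and be unexpired at time at. trusted == nil models a client holding no cross-certificate.
func ServerAuthOK(srv, trusted *x509.Certificate, host string, at time.Time) bool {
	roots := x509.NewCertPool() // an empty pool; Go does not fall back to system roots here
	if trusted != nil {
		roots.AddCert(trusted)
	}
	_, err := srv.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: at})
	return err == nil
}
```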
Securing messages with S/MIME
S/MIME is a protocol used by clients to sign mail messages and send encrypted mail messages over the Internet to users of mail applications that also support the S/MIME protocol -- for example, Microsoft® Outlook Express. The Lotus Notes client uses the public key stored in the recipient's Internet certificate, found in Contacts, the Lotus Domino Directory, or an LDAP directory, to encrypt messages.
Encrypted mail messages cannot be read by unauthorized users while the message is in transit. Electronically signed messages show that the person who signed the message had access to the private key associated with the certificate stored in the signature.