Lotus Domino Administrator 8.5 Help - Customizing an install kit to set certifier and trust defaults

NOTES CLIENT INSTALLATION AND UPGRADE

Customizing an install kit to set certifier and trust defaults
You can configure the deploy.nsf application to specify administrative trust settings using an Export option in the server's Domino Directory (names.nsf) to add those settings to the install kit's deploy.nsf application.

The administrative trust defaults in deploy.nsf and the Internet certifiers in the install kit's Java keystore are processed to define trusted certifiers. The keystore is used directly during install, but is ignored at runtime. The deploy.nsf is processed at startup to add trust certifiers to the user's Contacts application (names.nsf) to be used at runtime.

You can install the deploy.nsf application as part of a IBM® Lotus® Notes® client install kit.

Pushing administrative trust settings to users by customizing the install kit enables you to do the following:

Add third party certificates to the Java® keystore, which allows signed features/plugins added to the install kit to be trusted at install time. The keystore can be modified manually using keytool, but this method is simpler and leverages existing infrastructure.
Push Internet Certifiers, Internet Cross Certificates, and Notes Cross Certificates to the user's Contacts application (names.nsf), so that when user install new features/plugin at runtime, or access new applications, they will not be prompted for trust decisions.

You can alternatively push administrative trust settings to users from Domino policy, which is the recommended method, to centrally manage and change settings as needed. For pushing trust defaults using Domino policy, see "Pushing cross-certificates to Lotus Notes clients."

Note If you use the Domino policy method (Keys and Certificates tab on the Security policy page) to push trust settings, then even if there is an installed deploy.nsf it will be ignored and the policy settings will instead be used. Any certificates resident in the Contacts application because of the deploy.nsf, and that are not specified in Domino policy, will be removed.

To add administrative trust settings to an install kit without pushing those settings from the Keys and Certificate tab on the Security policy page, proceed as follows.

1. Log into a Domino Administrator or Notes client using an administrative ID.

The client and server must be version 8.5.1 or later, and the server must be running the 8.5.1 version of names.nsf, based on the pubnames.ntf template.

2. Open the server's Domino Directory (names.nsf).

This server must contain all of the certificates and cross-certificates that you want to deploy.

3. Open the Security/Certificates view.

4. Select all the Internet certifiers, and Notes and Internet cross-certificates, that you want to deploy.

Note

Each must be checked (checkmark) and visible in the view, not hidden under a category. The currently selected document must also be checked.

5. Click "Export Certificates to the Deploy Database" on the Actions menu.

6. Specify the location at which to create the Java keystores and the deploy.nsf application.

This must be an existing directory; ensure that the specified path is correct before continuing.

Note If these files do not exist, they will be created.

Note To augment an existing install kit, choose the "deploy" directory of that kit. The selected Internet certifiers will be added to any existing .keystore* files, and all selected documents will replace any certificate documents in the existing deploy.nsf.

7. Respond to the "force deletes" prompt and click Next.

Choose Yes to delete any certificate documents in the user's Contacts application previously added by a deploy.nsf. The certificates in deploy.nsf are copied to the Contacts application.
Choose No, to copy all the certificates in deploy.nsf to the user's Contacts application, if they don't already exist. Certificates that were previously added by deploy.nsf, but do not exist in the current deploy.nsf, remain unchanged in the user's Contacts application.

If you selected Internet Certifiers, the result should be as follows, otherwise only the deploy.nsf application is created.

<location>/.keystore.JCEKS.Java_HotSpot™_Client_VM.install

<location>/.keystore.JCEKS.IBM_J9_VM.install

<location>/extras/deploy.nsf

8. Copy the .keystore* files to the deploy directory of the kit and the deploy.nsf to the deploy/extras directory of the kit.

Note

On Windows the deploy directory is located in the same directory as setup.exe.

Note On Mac OS X the deploy directory is located at Lotus Notes Installer.mpkg\Contents\deploy\. To access it in Finder, right-click on "Lotus Notes Installer.mpkg" and choose "Show Package Contents."

Note Linux requires a different process, see "Customizing Notes install for Linux RPM or DEB."

Note If using Notes (basic configuration) install kit customization, ensure that the deploy.nsf is installed to the user's data directory.

The resultant deploy.nsf is based on the client's Contacts application template (pernames.ntf) and can be opened to check that all of the certificates have copied correctly.

If the resultant deploy.nsf application is not what you expected, or error messages appear during processing, start Notes and select Tools -- Show Java Debug Console to view log messages or Java exceptions and contact Lotus Support with that information.

Note To ease performance, deploy.nsf is only processed when new components are installed to the Notes runtime by way of an add-on installer or the client is upgraded. To force deploy.nsf to be reprocessed, set the notes.ini variable FORCE_PROCESS_DEPLOY_NSF=1. After deploy.nsf is processed, the value resets to zero.

9. Run the Notes installation program.

Note

When you install Notes (standard configuration), deploy.nsf is created in the deploy\extras directory in the install kit and installed to the Notes framework\rcp\extras directory.

You cannot manually edit or delete certificates in the deploy.nsf. You can only make changes to the installed deploy.nsf only by exporting from the server's Domino Directory to a new deploy.nsf and then overwriting the installed deploy.nsf with the new file. The NOTES.INI statement FORCE_PROCESS_DEPLOY_NSF=1 ensures that the deploy.nsf application is processed. Alternatively, you can simply use Domino policy. If there are certificates listed in the installed deploy.nsf and you overwrite the with a new deploy.nsf, any certificates that are not in the new deploy.nsf are deleted. If you are going to use this technique, maintain a central and cumulative deploy.nsf so as not to unintentionally delete certificates from a user's system.

Pushing certificates to clients through security policy settings

Creating a cross-certificate from a Notes certifier

Creating an Internet cross-certificate in the Domino Directory from a certifier document

Signing custom or third-party features and plug-ins for install and update

Glossary

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Glossary