Lotus Domino Administrator 8.5 Help - Creating security policy settings for Lotus iNotes users

LOTUS INOTES

Creating security policy settings for Lotus iNotes users
To create or enforce security settings for IBM® Lotus® iNotes™ users, you must create a Security Policy Settings document. Although there are other security policy settings that can be created for IBM Lotus Notes® users, the settings here are applicable to Lotus iNotes security, and the explanations in the table below describe how these settings affect Lotus iNotes users.

For a full explanation about using policies, and the relationship between Policy documents and policy settings documents, see the "User and Server Configuration - Policies" section of this help.

1. Make sure that you have Editor access to the Domino Directory and one of these roles:

PolicyCreator role to create a settings document
PolicyModifier role to modify a settings document

2. From the Domino Administrator, select the People & Groups tab, and then open the Settings view.

3. Click "Add Settings," and then choose "Security."

4. On the tabs listed in the table below, complete these fields:

Password Management Basics tab Description

Allow users to change Internet password over HTTP This setting determines whether the Lotus iNotes user preference "Change Internet Password" displays:

Yes (default) - allows users to use a Web browser to change their Internet passwords. Lotus iNotes users use the "Change Internet Password" preference to do so.
No - the user preference "Change Internet Password" will not display.

Update Internet Password When Notes Client Password Changes For Lotus iNotes users, this setting determines whether there will be one user preference "Change Password," instead of two preferences, "Change Notes ID" and "Change Internet Password." If there is only one preference, then the Notes ID password in their mail file is updated when the Internet password is changed.
Choose one:

No (default) -- User preferences include both "Change Notes ID" and "Change Internet Password" user preferences, and the user must change both.
Yes -- Synchronizes the user Internet password with the Notes client password. User preferences include only the "Change Password" preference, which is used to change both passwords.

Enforce password expiration If you enable password expiration for any of the options, the security settings document defaults change. Choose one:

Disabled (default) - disables password expiration. If you disable password expiration, do not complete the remaining fields in this section.
Notes only - enables password expiration for Notes passwords only. For Lotus iNotes users, this enables expiration for the Notes ID stored in the user's mail file.
Internet only - enables password expiration for Internet passwords only.
Notes and Internet -- enables password expiration for both Notes and Internet passwords. For Lotus iNotes users, it enables expiration for both the Notes ID stored in the user's mail file and for the Internet password.
Note Internet password expiration settings are recognized only by the HTTP protocol. This means that Internet passwords can be used with other Internet protocols (such as LDAP or POP3) indefinitely.
Caution Do not enable password expiration if users use Smartcards to log in to Domino servers.

Required password quality If you require users to create passwords based on password quality, specify that quality by choosing a value from the drop-down list. To use length instead of password quality, continue to the next field.
For Lotus iNotes users, password quality settings are enforced when the Notes ID is stored in the user's mail file and the password is changed via Lotus iNotes user preferences.

Use length instead If you require users to create passwords based on length, click Yes. When you do, the "Required Password Quality" field changes to "Required password length." Specify the minimum password length here.
For Lotus iNotes users, password quality settings are enforced when the Notes ID is stored in the user's mail file and the password is changed via Lotus iNotes user preferences.

Custom Password Policy tab Description

Change Password on First Notes Client Use Require users to change their passwords the first time they log in using Notes. For Lotus iNotes, users must change the embedded Notes ID password before using it the first time.
Note This works only if the policy is applied during user registration.

Keys and Certificates tab Description

Specify the number of days prior to certificate expiration at which the user Warning period receives an expiration warning message.

ID Vault tab Description

Allow Notes-based programs to use the Notes ID vault Set to Yes to allow iNotes users to use the Notes ID Vault to back up their Notes ID. If this feature is enabled, the user preference "Synchronize Notes ID with Vault" displays in iNotes security preferences.

Proxies tab (click Edit List to view these fields) Description

Context The path of the request to the proxy server, specifies which proxy the rule is for. Examples include:
xsp/proxy/QuickrProxy
xsp/proxy/GoogleProxy
xsp/proxy/BasicProxy

URL Address of the site to which this policy applies.
This is the target of the proxy.

Actions The set of HTTP actions this policy allows.
These can be GET, POST, HEAD, PUT, DELETE. The most frequently used are GET and POST. For Lotus Quickr integration with Lotus iNotes, make sure that HEAD is included.

Cookies Cookies allowed for this site. That is, the cookies that will be passed from the browser to the target URL server.
Note Cookies with specified names will always be proxied to this site. In addition, any incoming (Set-Cookie response headers) received from the site will also be remembered and eventually sent back on subsequent requests to this site.

Mime-types Content types allowed back from the target server, or use * to allow all.

Headers Headers allowed for this site, or use * to allow all. This attribute determines which headers are forwarded to the target server.
Note Cookies are not handled as a standard header. Putting the entry "cookie" in the headers list will have no effect.

Related topics

Creating policies

Policies

Planning and assigning policies

Using ID vault with Lotus iNotes

Glossary

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Glossary

Password Management Basics tab	Description
Allow users to change Internet password over HTTP	This setting determines whether the Lotus iNotes user preference "Change Internet Password" displays: Yes (default) - allows users to use a Web browser to change their Internet passwords. Lotus iNotes users use the "Change Internet Password" preference to do so. No - the user preference "Change Internet Password" will not display.
Update Internet Password When Notes Client Password Changes	For Lotus iNotes users, this setting determines whether there will be one user preference "Change Password," instead of two preferences, "Change Notes ID" and "Change Internet Password." If there is only one preference, then the Notes ID password in their mail file is updated when the Internet password is changed. Choose one: No (default) -- User preferences include both "Change Notes ID" and "Change Internet Password" user preferences, and the user must change both. Yes -- Synchronizes the user Internet password with the Notes client password. User preferences include only the "Change Password" preference, which is used to change both passwords.
Enforce password expiration	If you enable password expiration for any of the options, the security settings document defaults change. Choose one: Disabled (default) - disables password expiration. If you disable password expiration, do not complete the remaining fields in this section. Notes only - enables password expiration for Notes passwords only. For Lotus iNotes users, this enables expiration for the Notes ID stored in the user's mail file. Internet only - enables password expiration for Internet passwords only. Notes and Internet -- enables password expiration for both Notes and Internet passwords. For Lotus iNotes users, it enables expiration for both the Notes ID stored in the user's mail file and for the Internet password. Note Internet password expiration settings are recognized only by the HTTP protocol. This means that Internet passwords can be used with other Internet protocols (such as LDAP or POP3) indefinitely. Caution Do not enable password expiration if users use Smartcards to log in to Domino servers.
Required password quality	If you require users to create passwords based on password quality, specify that quality by choosing a value from the drop-down list. To use length instead of password quality, continue to the next field. For Lotus iNotes users, password quality settings are enforced when the Notes ID is stored in the user's mail file and the password is changed via Lotus iNotes user preferences.
Use length instead	If you require users to create passwords based on length, click Yes. When you do, the "Required Password Quality" field changes to "Required password length." Specify the minimum password length here. For Lotus iNotes users, password quality settings are enforced when the Notes ID is stored in the user's mail file and the password is changed via Lotus iNotes user preferences.
Custom Password Policy tab	Description
Change Password on First Notes Client Use	Require users to change their passwords the first time they log in using Notes. For Lotus iNotes, users must change the embedded Notes ID password before using it the first time. Note This works only if the policy is applied during user registration.
Keys and Certificates tab	Description
	Specify the number of days prior to certificate expiration at which the user Warning period receives an expiration warning message.
ID Vault tab	Description
Allow Notes-based programs to use the Notes ID vault	Set to Yes to allow iNotes users to use the Notes ID Vault to back up their Notes ID. If this feature is enabled, the user preference "Synchronize Notes ID with Vault" displays in iNotes security preferences.
Proxies tab (click Edit List to view these fields)	Description
Context	The path of the request to the proxy server, specifies which proxy the rule is for. Examples include: xsp/proxy/QuickrProxy xsp/proxy/GoogleProxy xsp/proxy/BasicProxy
URL	Address of the site to which this policy applies. This is the target of the proxy.
Actions	The set of HTTP actions this policy allows. These can be GET, POST, HEAD, PUT, DELETE. The most frequently used are GET and POST. For Lotus Quickr integration with Lotus iNotes, make sure that HEAD is included.
Cookies	Cookies allowed for this site. That is, the cookies that will be passed from the browser to the target URL server. Note Cookies with specified names will always be proxied to this site. In addition, any incoming (Set-Cookie response headers) received from the site will also be remembered and eventually sent back on subsequent requests to this site.
Mime-types	Content types allowed back from the target server, or use * to allow all.
Headers	Headers allowed for this site, or use * to allow all. This attribute determines which headers are forwarded to the target server. Note Cookies are not handled as a standard header. Putting the entry "cookie" in the headers list will have no effect.