USER AND SERVER CONFIGURATION
To create a security settings document
1. Make sure that you have Editor access to the IBM® Lotus® Domino® Directory and one of these roles:
3. Click "Add Settings," and then choose Security.
4. On the Basics tab, complete these fields:
Managing Notes and Internet passwords
Complete the following fields on the Password Management tab.
Note: For information on the Notes Shared Login tab, see the topic "Using Notes shared login to suppress password prompts."
Caution: Do not enable password expiration if users use Smartcards to log in to Domino servers.
Note: If you set this value to less than 30, the value for the "Warning period" field is calculated automatically. The calculated value is 80% of the value entered for this field.
Note: The value of this field is calculated if the "Required change interval" setting is set at less than 30 days. Password expiration must be enabled in order for the value of this field to be calculated. If this value is calculated, it cannot be overwritten.
Note: The custom warning message is for Notes clients only, regardless of how you enabled password expiration. Internet users do not see the warning message.
Complete the following fields on the Internet Password Lockout Settings tab.
Note: The server must enforce Internet password lockout for these policy settings to be in effect.
If you have chosen to implement a custom password policy, complete these fields on the Custom Password Policy tab.
Note: This only works if the policy is applied during user registration.
After you enter a number, a checklist appears, listing the character types you can specify for this requirement. You can pick any combination of the following:
Complete the fields on the Execution Control List tab to configure administration ECLs used in your organization.
If the admin ECL lists a signature that the client ECL does not, then that signature and its settings are added to the client ECL.
If the client ECL and the admin ECL list the same signature, then the settings for the signature in the client ECL are discarded and replaced by those for the signature in the admin ECL.
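The two merge rules above, modelled as an added example (this is not IBM's or Domino's code): an ECL is represented as a mapping from signer name to the set of capabilities that signer is allowed, and the signer names and capability labels are constructed for illustration. The second helper flags signatures whose rights became narrower, which is the effect an administrator most wants to review before pushing an admin ECL.

```python
# Added example, not Domino code: models the admin-ECL-to-client-ECL merge rules.
# An ECL is a dict {signer_name: set_of_capabilities}; values here are constructed.


def merge_admin_ecl(client_ecl: dict, admin_ecl: dict) -> dict:
    """Return the client ECL after the admin ECL has been applied.

    Rule 1: a signature present only in the admin ECL is added with its settings.
    Rule 2: a signature present in both is replaced outright by the admin ECL's
            settings; the client's own settings for it are discarded.
    Signatures present only in the client ECL are left untouched.
    """
    merged = {sig: set(caps) for sig, caps in client_ecl.items()}
    for sig, caps in admin_ecl.items():
        merged[sig] = set(caps)  # one assignment covers both "add" and "replace"
    return merged


def capabilities_removed(client_ecl: dict, merged: dict) -> dict:
    """Signatures whose rights got narrower after the merge, with the lost capabilities."""
    removed = {}
    for sig, caps in client_ecl.items():
        lost = set(caps) - merged.get(sig, set())
        if lost:
            removed[sig] = lost
    return removed


# Constructed sample ECLs; signer names and capability labels are illustrative only.
CLIENT_ECL = {
    "-No Signature-": {"access_current_db"},
    "Jane Doe/Acme": {"access_current_db", "access_file_system", "access_network"},
    "Local Script/Acme": {"access_current_db", "read_other_dbs"},
}
ADMIN_ECL = {
    "Jane Doe/Acme": {"access_current_db"},  # narrower than the client's own entry
    "Acme Admin/Acme": {"access_current_db", "access_file_system"},  # absent from client
}

if __name__ == "__main__":
    result = merge_admin_ecl(CLIENT_ECL, ADMIN_ECL)
    for sig, caps in sorted(result.items()):
        print(f"{sig}: {sorted(caps)}")
    print("rights removed by the merge:", capabilities_removed(CLIENT_ECL, result))
```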
1. On the security settings document toolbar, click Edit Settings.
Note: Clicking Cancel leaves the name of the admin ECL displayed in the settings document unchanged.
Pushing trusted cross-certificates to clients
Use the "Administrative trust defaults" fields in the Keys and Certificates tab to push trusted Internet certificates, Internet cross-certificates, and Lotus Notes cross-certificates to Lotus Notes clients to avoid prompts to create cross-certificates. For information, see the topic "Pushing trusted certificates to clients."
Enabling key rollover
Complete the fields on the Keys and Certificates tab to configure key rollover for groups of users. You specify triggers that initiate key rollover for a group or groups of users. You have the option of spacing out the rollover process over a specified period of time for the group of users to which this policy applies.
Note: For information on Document/Mail Encryption Settings, see the topic "Configuring AES for mail and document encryption."
The Online Certificate Status Protocol (OCSP) enables applications to determine the revocation state of an identified certificate. OCSP checks are made during S/MIME signature verification and mail encryption by the Notes client. OCSP is enabled through a policy, using the "Enable OCSP checking" setting on the Keys and Certificates tab of the security settings document.
Configuring for signed plug-ins
Plug-ins can be provisioned to a Notes user and are ordinarily signed with a certificate that is trusted by the Notes client; the signature verifies that the data they contain has not been corrupted. Users can then install or update the signed plug-ins.
Occasionally, a plug-in is found to have a problem: it is unsigned, it is not signed with a trusted certificate, or the signing certificate has either expired or is not yet valid. For these cases, you can establish a policy for never installing such plug-ins, always installing them, or asking users to decide at the time the plug-in is installed on their workstations.
You can time-stamp plug-in jar signatures using the jarsigner tool provided by the Java™ SDK to ensure the long-term validity of plug-in signatures. The Notes client uses a time stamp included with a plug-in jar signature to determine whether the plug-in signing certificate was valid at the time of signing. If a plug-in signing certificate has expired but was valid at the time of signing, Notes accepts it so that users are not confronted with security prompts during plug-in installation or provisioning. Use the "Ignore expiration for time stamping certificate" setting described in the following table to additionally control whether to allow the installation of signed plug-ins with expired time-stamping certificates. Their installation is allowed by default.
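The decision logic described in the two paragraphs above, written out as an added example (this is a model of the documented behaviour, not Notes client code): a plug-in whose signer certificate is currently valid installs without a prompt; an unsigned or untrusted plug-in falls back to the configured problem policy; an expired signer certificate is rescued only by a trusted time stamp showing it was valid at signing time, with the "Ignore expiration for time stamping certificate" setting deciding whether an expired time-stamping certificate still counts. The certificate dates, policy labels and class names are constructed.

```python
# Added example, not IBM/Notes code: models the signed plug-in install decision.
from dataclasses import dataclass
from datetime import date
from typing import Optional

# The three policy choices for problem plug-ins (labels are constructed).
NEVER, ALWAYS, ASK = "never install", "always install", "ask user"


@dataclass
class Cert:
    trusted: bool            # chains to a certificate the Notes client trusts
    not_before: date
    not_after: date

    def valid_at(self, when: date) -> bool:
        return self.not_before <= when <= self.not_after


@dataclass
class PluginSignature:
    cert: Optional[Cert]                 # None models an unsigned plug-in
    timestamp: Optional[date] = None     # time stamp embedded by jarsigner, if any
    tsa_cert: Optional[Cert] = None      # certificate of the time-stamping authority


def plugin_decision(sig: PluginSignature, today: date, problem_policy: str,
                    ignore_tsa_expiration: bool = True) -> str:
    """Return 'install' for a fully trusted signature, else the configured problem policy."""
    if sig.cert is None or not sig.cert.trusted:
        return problem_policy            # unsigned, or signer not trusted
    if sig.cert.valid_at(today):
        return "install"                 # ordinary case: signer cert currently valid
    # Signer cert expired or not yet valid: fall back to the time stamp, if present.
    if sig.timestamp is not None and sig.tsa_cert is not None and sig.tsa_cert.trusted:
        tsa = sig.tsa_cert
        # The setting only waives *expiration* of the TSA cert; a not-yet-valid one still fails.
        tsa_ok = tsa.not_before <= today and (today <= tsa.not_after or ignore_tsa_expiration)
        if tsa_ok and sig.cert.valid_at(sig.timestamp):
            return "install"             # valid at time of signing: no prompt for the user
    return problem_policy


if __name__ == "__main__":
    signer = Cert(True, date(2019, 1, 1), date(2020, 12, 31))   # constructed validity window
    tsa = Cert(True, date(2019, 1, 1), date(2021, 12, 31))
    stamped = PluginSignature(signer, timestamp=date(2020, 6, 1), tsa_cert=tsa)
    print(plugin_decision(stamped, date(2023, 3, 1), ASK))                  # install
    print(plugin_decision(stamped, date(2023, 3, 1), ASK, False))           # ask user
    print(plugin_decision(PluginSignature(signer), date(2023, 3, 1), NEVER))  # never install
```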
For information on ID vaults and ID vault settings, see the topics "Notes ID vault" and "Creating or editing ID vault policy settings documents manually."