Lotus Domino Administrator 8.5 Help - Creating a security policy settings document

USER AND SERVER CONFIGURATION

Creating a security policy settings document
A security policy settings document allows you to manage IBM® Lotus® Notes® and Internet passwords, configure customized password polices for your organization, set up key rollover, manage administration ECLs, push trusted cross-certificates to clients and configure an ID vault. You can also configure settings for signed plugins and the home portal server for composite applications.

To create a security settings document

1. Make sure that you have Editor access to the IBM® Lotus® Domino® Directory and one of these roles:

PolicyCreator role to create a settings document
PolicyModifier role to modify a settings document

2. From the Domino Administrator, select the People & Groups tab, and then open the Settings view.

3. Click "Add Settings," and then choose Security.

4. On the Basics tab, complete these fields:

Field Action

Name Enter a name that identifies the users (and, if you are a service provider, the hosted organization) that use these settings.

Description Enter a description of the settings.

5. You can do any, or all, of the following on the security settings document:

Managing Notes and Internet passwords

Complete the following fields on the Password Management tab.

Note For information on the Notes Shared Login tab, see the topic "Using Notes shared login to suppress password prompts."

Field Action

Password management options

Use custom password policy for Notes clients Choose one:

No (default)
Yes - to implement a custom password policy. Custom password policies enable you to configure specific password parameters so that passwords are not trivial or predictable. Use settings on the "Custom Password Policy" tab to set up the policy.

Check password on Notes ID file Choose one:

No (default)
Yes - to require that all copies of the user ID have the same password

Allow users to change Internet password over HTTP Choose one:

Yes (default) -- to allow users to use a Web browser to change their Internet passwords.
No

Update Internet password when Notes client password changes Choose one:

No (default)
Yes -- to synchronize the user Internet password with the Notes client password.
Note Selecting Yes activates use of the more secure Internet password format if it is not already in use.

Enable Notes single logon with Workplace Rich Client (prior to 8.0 only) Choose one:

No (default)
Yes - to allow users to enable single login with the Notes plug-in for the IBM Workplace rich client

Password expiration settings

Enforce password expiration Choose one:

Disabled (default) -- to disable password expiration. If you disable password expiration, do not complete the remaining fields in this section.
Note If you enable password expiration for any of the following options, the security settings document defaults change.

Notes only -- to enable password expiration for only Notes passwords.
Internet only -- to enable password expiration for only Internet passwords.
Notes and Internet -- to enable password expiration for both Notes and Internet passwords.
Note Internet password expiration settings are recognized only by the HTTP protocol. This means that Internet passwords can be used with other Internet protocols (such as LDAP or POP3) indefinitely.
Caution Do not enable password expiration if users use Smartcards to log in to Domino servers.

Required change interval Specify the number of days for which a password is valid before it must be changed. Default is 0.
Note If you set this value to less than 30, the value for the "Warning period" field is calculated automatically. The calculated value is 80% of the value entered for this field.

Allowed grace period Specify the number of days that users have to change an expired password before being locked out. Default is 0, meaning users will not be locked out.

Password history (Notes only) Specify the number of expired passwords to store. Storing passwords prevents users from reusing old passwords. Default is 0.

Warning period Specify the number of days prior to password expiration at which the user receives an expiration warning message. Default is 0.
Note The value of this field is calculated if the "Required change interval" setting is set at less than 30 days. Password expiration must be enabled in order for the value of this field to be calculated. If this value is calculated, it cannot be overwritten.

Custom warning message Enter a custom warning message that will be sent to users whose password has passed the expiration threshold specified in the Warning Period field.
Note The custom warning message is for Notes clients only, regardless of how you enabled password expiration. Internet users do not see the warning message.

Configuring Internet password lockout

Complete the following fields on the Internet Password Lockout Settings tab.

Field Action

Internet password lockout settings

Override server's Internet lockout settings? When this policy document setting is enabled, the settings in the policy override the Internet password lockout settings in the server's Configuration Settings document.
Note The server must enforce Internet password lockout for these policy settings to be in effect.

Maximum tries allowed Maximum number of password attempts allowed before a lockout occurs. When set to 0, unlimited password attempts are allowed.

Lockout expiration Period of time for which a lockout is enforced. After this time period, a user account is automatically unlocked the next time the user tries to authenticate. When set to 0, automatic unlock is disabled.

Maximum tries interval If a user is not locked out, this is the period of time that must elapse before a successful authentication clears any previous failure attempts. Specify a longer protection strength time for greater security. When set to 0, failed password attempts are cleared every time a successful authentication occurs.

Password quality settings

Required password quality If you require users to choose passwords based on password quality, specify that quality by choosing a value from the drop-down list.

Use length instead If you require users to choose passwords based on length, click Yes. When you do, the "Required Password Quality" field changes to "Required password length." Specify the minimum password length here.

Configuring custom password policies

If you have chosen to implement a custom password policy, complete these fields on the Custom Password Policy tab.

Field Action

Change password on first Notes client use Require users to change their passwords the first time they log in using Notes.
Note This only works if the policy is applied during user registration.

Allow common name in password Allow combination of common name of user to be used in passwords.
For example: John232 is the password for user CN=John Doe/O=Mutt, where the common name is John Doe.

Password length minimum Specify the minimum number of characters that users can have in their passwords

Password length maximum Specify the maximum number of characters that users can have in their passwords

Password quality minimum Specify the minimum password quality value that users can have for their passwords

Minimum number of alphabetic characters required Specify the minimum number of alphabetic characters that users are allowed to have in their passwords

Minimum number of upper case characters required Specify the minimum number of uppercase characters that users are allowed to have in their passwords

Minimum number of lower case characters required Specify the minimum number of lowercase characters that users are allowed to have in their passwords

Minimum number of numeric characters required Specify the minimum number of special characters, namely punctuation, that users are allowed to have in their passwords

Minimum number of special characters required Specify the minimum number of special characters, namely punctuation, that users are allowed to have in their passwords

Minimum number of non-lower case characters required Specify the minimum number of special characters, numbers, and upper case characters that you require in user passwords. A higher value here makes passwords more difficult to guess.
After you enter a number, a checklist appears, listing the character types you can specify for this requirement. You can pick any combination of the following:

numbers
special characters
upper case

Maximum number of repeated characters required Specify the maximum number of repeated characters, of any kind, that are allowed in user passwords.

Minimum number of unique characters required Specify the minimum number of characters that appear only once in a password

Password may not begin with Specify the type of characters with which users cannot begin their passwords

Password may not end with Specify the type of characters with which users cannot end their passwords

Configuring administration ECLs

Complete the fields on the Execution Control List tab to configure administration ECLs used in your organization.

Field Action

Admin ECL Choose one:

Edit -- to edit the ECL whose name is displayed next to the Edit button.
Manage -- see Managing admin ECLs for information about using this function.
Note The Edit and Manage buttons are displayed only when the security settings document is in edit mode.

Update mode Choose one:

Refresh -- to update client ECLs with new or changed information from the admin ECL, as follows:
If the client ECL lists a signature that the admin ECL does not, than that signature and its settings stay the same in the client ECL.
If the admin ECL lists a signature that the client ECL does not, than that signature and its settings are added to the client ECL.
If the client ECL and the admin ECL list the same signature, than the settings for the signature in the client ECL are discarded and replaced by those for the signature in the admin ECL.
Replace -- to overwrite the client ECL with the admin ECL. None of the information in the client ECL is retained.

Update frequency Choose one:

Once Daily -- to update the client ECL when the client authenticates with the home server and when it has either been a day since the last ECL update or the admin ECL has changed.
When Admin ECL Changes -- to update the client ECL when the client authenticates with the home server and the administration ECL has changed since the last update.
Never -- to prevent the update of the client ECL during authentication.

Managing admin ECLs
When you set up the first server in a domain, Domino creates a default administration ECL, which you can then customize for your organization. You may need to have more than one type of admin ECL - for example, one for contractors and one for full-time employees. You can use the Workstation Security: Admin Execution Control Lists dialog box to manage admin ECLs you have created. You can also use it to create new ones or to delete any that are no longer needed.

1. On the security settings document toolbar, click Edit Settings.

Note

The Edit and Manage buttons are displayed only when the security settings document is in edit mode.

2. Click Manage. The Workstation Security: Admin Execution Control Lists dialog box appears. You now have the following options:

To	Do the following
Edit an existing admin ECL	Select the name of the admin ECL you want to edit from the list box and click OK. The name of the selected admin ECL is displayed in the Admin ECL field of the Execution Control List tab. Click the Edit button to open the selected admin ECL.
Create a new admin ECL	Type a name for the new ECL in the 'Create New Admin ECL' field and click OK. The name of the new admin ECL is displayed in the Admin ECL field of the Execution Control List tab. Click the Edit button to create the new admin ECL.
Delete an existing admin ECL	Select the name of the admin ECL you want to delete from the list box and click Delete. The selected admin ECL is deleted and the list of existing admin ECLs is refreshed.

Caution Admin ECLs are stored independently of security settings documents. If you edit an administration ECL, the changes will be used by all the security settings documents that refer to that particular named admin ECL. If you delete an admin ECL, all security settings documents that referred to that particular admin ECL will use the default admin ECL. Once you delete an admin ECL, you cannot undo the deletion by clicking Cancel.

Note Clicking Cancel leaves the name of the admin ECL displayed in the settings document unchanged.

Pushing trusted cross-certificates to clients

Use the "Administrative trust defaults" fields in the Keys and Certificates tab to push trusted Internet certificates, Internet cross-certificates, and Lotus Notes cross-certificates to Lotus Notes clients to avoid prompts to create cross-certificates. For information, see the topic "Pusing trusted certificates to clients."

Enabling key rollover

Complete the fields on the Keys and Certificates tab to configure key rollover for groups of users. You specify triggers that initiate key rollover for a group or groups of users. You have the option of spacing out the rollover process over a specified period of time for the group of users to which this policy applies.

Note For information on Document/Mail Encryption Settings, see the topic "Configuring AES for mail and document encryption."

Field Choose

Default public key Requirements

Inherit public key requirement settings from parent policy
Enforce public key requirement settings in child policies

User Public Key Requirements

Minimum allowable key strength Note Keys weaker than the one specified will be rolled over.

No minimum.
Maximum compatible with all releases (630 bits).
Compatible with Release 6 and later (1024 bits).
Compatible with Release 7 and later (2048 bits).

Maximum allowable key Strength Note Keys weaker than the one specified will be rolled over.

Compatible with all releases (630 bits).
Compatible with Release 6 and later (1024 bits).
Compatible with Release 7 and later (2048 bits).

Preferred key strength Choose the preferred key strength to use when creating new keys:

Compatible with all releases (630 bits).
Compatible with Release 6 and later (1024 bits).
Compatible with Release 7 and later (2048 bits).

Maximum allowable age for key (in days) Specify the maximum age a key can reach before needing to be rolled over. Default is 36500 days (100 years).

Earliest allowable key creation date Any key created prior to this date will be rolled over.

Spread new key generation for all users over this many days: Specify the time period, in days, for new keys to be generated for all users to whom this security settings policy document applies. User keys are randomly rolled over during the configured time period. Default is 180 days.

Maximum number of days the old key should remain valid after the new key has been created Specify the length of time that the old key can be used during network authentication. During Notes key verification, all of the certificates, old and new, and all of the rollover keys are organized into a tree and then that tree is traversed looking for a set of certificates that can be chained together to verify the key. If a certificate has expired, it cannot be used in that chain. When rolling over a key because you fear that it has been compromised, it is a good idea to set a short value for the length of time the old certificates issued to that key can be used. Valid values for this setting are 1 to 36500 days, and the default is 365.

Certificate Expiration Settings

Warning period Specify the number of days prior to certificate expiration at which the user receives an expiration warning message. Default is 0.

Custom warning message Enter a custom warning message that will be sent to users whose certificate has passed the expiration threshold specified in the Warning Period field.

Enabling On-line Certificate Status Protocol (OCSP) checking

The Online Certificate Status Protocol (OCSP) enables applications to determine the revocation state of an identified certificate. OCSP checks are made during S/MIME signature verification and mail encryption by the Notes client. OCSP is enabled through a policy, using the "Enable OCSP checking" setting on the Keys and Certificates tab of the security settings document.

Configuring for signed plug-ins

Plug-ins can be provisioned to a Notes user and are ordinarily signed with a certificate that is trusted by the Notes client, and verifies that the data they contain is not corrupted. Users can then install or update the signed plug-ins.

Occasionally, a plug-in is found to have a problem. Either it is unsigned, not signed with a trusted certificate, or the certificate has either expired or is not yet valid. For these cases, you can establish a policy for never installing these plug-ins, always installing them, or asking users to decide at the time the plug-in is installed on their workstations.

You can time-stamp plug-in jar signatures using the jarsigner tool provided by the Java™ SDK to ensure the long term validity of plug-in signatures. The Notes client uses a time stamp included with a plug-in jar signature to determine if the plug-in signing certificate was valid at the time of signing. If a plug-in signing certificate has expired but was valid at the time of signing, Notes accepts it so that users are not confronted with security prompts during plug-in installation or provisioning. Use the "Ignore expiration for time stamping certificate" setting described in the following table to additionally control whether to allow the installation of signed plug-ins with expired time stamping certificates. Their installation is allowed by default.

Field Choose

Installation of plug-ins that are expired or not yet valid

Ask the user
Never install
Always install

Installation of unsigned plug-ins

Ask the user
Never install
Always install

Installation of plug-ins signed by an unrecognized entity

Ask the user
Never install
Always install

Trust IBM® plug-in signing certificate

Ask the user
Never trust for install
Always trust for install

Ignore expiration for time stamping certificate

Ask the user
Never install
Always install

To configure Portal Server settings

Field Action

Home Portal server Type the name of the IBM® WebSphere® Portal Server that hosts Notes user accounts

Authentication URL Type the URL that Notes users need to access in order to authenticate with the Portal Server

Authentication type Choose one:

J2EE-Form, for
HTTP, for Web-based authentication

To configure ID vault settings

For information on ID vaults and ID vault settings, see the topics "Notes ID vault" and "Creating or editing ID vault policy settings documents manually."

Related topics

Setting up password verification

Creating security policy settings for Lotus iNotes users

Using Notes shared login to suppress password prompts

Securing Internet passwords

Managing Internet passwords

Custom password policies

The execution control list

Default ECL settings

Setting up Notes clients for S/MIME

Setting up Notes and Internet clients for SSL client authentication

User and server key rollover

Creating a policy document

Name-and-password authentication for Internet/intranet clients

The password quality scale

Customizing Notes using a plugin_customization.ini file

Using Domino policy to set or verify trust

Notes ID vault

Creating or editing ID vault policy settings documents manually

Signing custom or third-party features and plug-ins for install and update

Pushing trusted certificates to Lotus Notes clients

Glossary

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Glossary

Field	Action
Name	Enter a name that identifies the users (and, if you are a service provider, the hosted organization) that use these settings.
Description	Enter a description of the settings.

Field	Action
Password management options
Use custom password policy for Notes clients	Choose one: No (default) Yes - to implement a custom password policy. Custom password policies enable you to configure specific password parameters so that passwords are not trivial or predictable. Use settings on the "Custom Password Policy" tab to set up the policy.
Check password on Notes ID file	Choose one: No (default) Yes - to require that all copies of the user ID have the same password
Allow users to change Internet password over HTTP	Choose one: Yes (default) -- to allow users to use a Web browser to change their Internet passwords. No
Update Internet password when Notes client password changes	Choose one: No (default) Yes -- to synchronize the user Internet password with the Notes client password. Note Selecting Yes activates use of the more secure Internet password format if it is not already in use.
Enable Notes single logon with Workplace Rich Client (prior to 8.0 only)	Choose one: No (default) Yes - to allow users to enable single login with the Notes plug-in for the IBM Workplace rich client
Password expiration settings
Enforce password expiration	Choose one: Disabled (default) -- to disable password expiration. If you disable password expiration, do not complete the remaining fields in this section. Note If you enable password expiration for any of the following options, the security settings document defaults change. Notes only -- to enable password expiration for only Notes passwords. Internet only -- to enable password expiration for only Internet passwords. Notes and Internet -- to enable password expiration for both Notes and Internet passwords. Note Internet password expiration settings are recognized only by the HTTP protocol. This means that Internet passwords can be used with other Internet protocols (such as LDAP or POP3) indefinitely. Caution Do not enable password expiration if users use Smartcards to log in to Domino servers.
Required change interval	Specify the number of days for which a password is valid before it must be changed. Default is 0. Note If you set this value to less than 30, the value for the "Warning period" field is calculated automatically. The calculated value is 80% of the value entered for this field.
Allowed grace period	Specify the number of days that users have to change an expired password before being locked out. Default is 0, meaning users will not be locked out.
Password history (Notes only)	Specify the number of expired passwords to store. Storing passwords prevents users from reusing old passwords. Default is 0.
Warning period	Specify the number of days prior to password expiration at which the user receives an expiration warning message. Default is 0. Note The value of this field is calculated if the "Required change interval" setting is set at less than 30 days. Password expiration must be enabled in order for the value of this field to be calculated. If this value is calculated, it cannot be overwritten.
Custom warning message	Enter a custom warning message that will be sent to users whose password has passed the expiration threshold specified in the Warning Period field. Note The custom warning message is for Notes clients only, regardless of how you enabled password expiration. Internet users do not see the warning message.

Field	Action
Internet password lockout settings
Override server's Internet lockout settings?	When this policy document setting is enabled, the settings in the policy override the Internet password lockout settings in the server's Configuration Settings document. Note The server must enforce Internet password lockout for these policy settings to be in effect.
Maximum tries allowed	Maximum number of password attempts allowed before a lockout occurs. When set to 0, unlimited password attempts are allowed.
Lockout expiration	Period of time for which a lockout is enforced. After this time period, a user account is automatically unlocked the next time the user tries to authenticate. When set to 0, automatic unlock is disabled.
Maximum tries interval	If a user is not locked out, this is the period of time that must elapse before a successful authentication clears any previous failure attempts. Specify a longer protection strength time for greater security. When set to 0, failed password attempts are cleared every time a successful authentication occurs.
Password quality settings
Required password quality	If you require users to choose passwords based on password quality, specify that quality by choosing a value from the drop-down list.
Use length instead	If you require users to choose passwords based on length, click Yes. When you do, the "Required Password Quality" field changes to "Required password length." Specify the minimum password length here.

Field	Action
Change password on first Notes client use	Require users to change their passwords the first time they log in using Notes. Note This only works if the policy is applied during user registration.
Allow common name in password	Allow combination of common name of user to be used in passwords. For example: John232 is the password for user CN=John Doe/O=Mutt, where the common name is John Doe.
Password length minimum	Specify the minimum number of characters that users can have in their passwords
Password length maximum	Specify the maximum number of characters that users can have in their passwords
Password quality minimum	Specify the minimum password quality value that users can have for their passwords
Minimum number of alphabetic characters required	Specify the minimum number of alphabetic characters that users are allowed to have in their passwords
Minimum number of upper case characters required	Specify the minimum number of uppercase characters that users are allowed to have in their passwords
Minimum number of lower case characters required	Specify the minimum number of lowercase characters that users are allowed to have in their passwords
Minimum number of numeric characters required	Specify the minimum number of special characters, namely punctuation, that users are allowed to have in their passwords
Minimum number of special characters required	Specify the minimum number of special characters, namely punctuation, that users are allowed to have in their passwords
Minimum number of non-lower case characters required	Specify the minimum number of special characters, numbers, and upper case characters that you require in user passwords. A higher value here makes passwords more difficult to guess. After you enter a number, a checklist appears, listing the character types you can specify for this requirement. You can pick any combination of the following: numbers special characters upper case
Maximum number of repeated characters required	Specify the maximum number of repeated characters, of any kind, that are allowed in user passwords.
Minimum number of unique characters required	Specify the minimum number of characters that appear only once in a password
Password may not begin with	Specify the type of characters with which users cannot begin their passwords
Password may not end with	Specify the type of characters with which users cannot end their passwords

Field	Action
Admin ECL	Choose one: Edit -- to edit the ECL whose name is displayed next to the Edit button. Manage -- see Managing admin ECLs for information about using this function. Note The Edit and Manage buttons are displayed only when the security settings document is in edit mode.
Update mode	Choose one: Refresh -- to update client ECLs with new or changed information from the admin ECL, as follows: If the client ECL lists a signature that the admin ECL does not, than that signature and its settings stay the same in the client ECL. If the admin ECL lists a signature that the client ECL does not, than that signature and its settings are added to the client ECL. If the client ECL and the admin ECL list the same signature, than the settings for the signature in the client ECL are discarded and replaced by those for the signature in the admin ECL. Replace -- to overwrite the client ECL with the admin ECL. None of the information in the client ECL is retained.
Update frequency	Choose one: Once Daily -- to update the client ECL when the client authenticates with the home server and when it has either been a day since the last ECL update or the admin ECL has changed. When Admin ECL Changes -- to update the client ECL when the client authenticates with the home server and the administration ECL has changed since the last update. Never -- to prevent the update of the client ECL during authentication.

Field	Choose
Default public key Requirements	Inherit public key requirement settings from parent policy Enforce public key requirement settings in child policies
User Public Key Requirements
Minimum allowable key strength	Note Keys weaker than the one specified will be rolled over. No minimum. Maximum compatible with all releases (630 bits). Compatible with Release 6 and later (1024 bits). Compatible with Release 7 and later (2048 bits).
Maximum allowable key Strength	Note Keys weaker than the one specified will be rolled over. Compatible with all releases (630 bits). Compatible with Release 6 and later (1024 bits). Compatible with Release 7 and later (2048 bits).
Preferred key strength	Choose the preferred key strength to use when creating new keys: Compatible with all releases (630 bits). Compatible with Release 6 and later (1024 bits). Compatible with Release 7 and later (2048 bits).
Maximum allowable age for key (in days)	Specify the maximum age a key can reach before needing to be rolled over. Default is 36500 days (100 years).
Earliest allowable key creation date	Any key created prior to this date will be rolled over.
Spread new key generation for all users over this many days:	Specify the time period, in days, for new keys to be generated for all users to whom this security settings policy document applies. User keys are randomly rolled over during the configured time period. Default is 180 days.
Maximum number of days the old key should remain valid after the new key has been created	Specify the length of time that the old key can be used during network authentication. During Notes key verification, all of the certificates, old and new, and all of the rollover keys are organized into a tree and then that tree is traversed looking for a set of certificates that can be chained together to verify the key. If a certificate has expired, it cannot be used in that chain. When rolling over a key because you fear that it has been compromised, it is a good idea to set a short value for the length of time the old certificates issued to that key can be used. Valid values for this setting are 1 to 36500 days, and the default is 365.
Certificate Expiration Settings
Warning period	Specify the number of days prior to certificate expiration at which the user receives an expiration warning message. Default is 0.
Custom warning message	Enter a custom warning message that will be sent to users whose certificate has passed the expiration threshold specified in the Warning Period field.

Field	Choose
Installation of plug-ins that are expired or not yet valid	Ask the user Never install Always install
Installation of unsigned plug-ins	Ask the user Never install Always install
Installation of plug-ins signed by an unrecognized entity	Ask the user Never install Always install
Trust IBM® plug-in signing certificate	Ask the user Never trust for install Always trust for install
Ignore expiration for time stamping certificate	Ask the user Never install Always install

Field	Action
Home Portal server	Type the name of the IBM® WebSphere® Portal Server that hosts Notes user accounts
Authentication URL	Type the URL that Notes users need to access in order to authenticate with the Portal Server
Authentication type	Choose one: J2EE-Form, for HTTP, for Web-based authentication