Lotus Domino Administrator 8.5 Help - User and server key rollover

SECURITY

User and server key rollover
Key rollover is the process used to update the set of IBM® Lotus® Notes® public and private keys that is stored in user and server ID files. Periodically, this set of keys may need to be replaced - as a precaution against undetected compromise of the private key; as a remedy to recover from a known compromise of the private key; or to increase security by updating to a larger key.

You configure triggers to initiate user key rollover through a security settings policy document, and for the server key rollover, in the Server document. Triggers include:

Existing key size
Issue date of existing key
Age of existing key

Key rollover gives administrators the ability to deploy replacement keys to groups of users through a security settings policy document.

Lotus Notes users can also trigger key rollover through the "Create New Public Keys" button on the User Security dialog box. If they choose 'Authentication protocol' to as the certificate request method, the current keys are rolled over just as if it were triggered by a policy setting. If they choose "Mail Protocol," the R6 and earlier mail method is used.

For more information on how users can trigger key rollover, see "Creating a new Notes public key and adding it to the Domino Directory."

When a policy has been established, or if the user has triggered key rollover through the User Security dialog box, the next time the user authenticates with the home server, key rollover information is written to the ID file. When a trigger condition occurs and a user accepts the prompt to allow key rollover, key rollover is initiated and new keys are created in the user ID file and marked pending. When the user authenticates with the home server after the new/pending keys are generated, a Certify New Key Request is created in the Administration Requests database.

To complete the key rollover process:

1. In the IBM® Lotus® Domino® Administrator, open the Administration Requests database.

2. In the Certify New Key Requests view, select the request for the user, and then click Certify Selected Entries.

3. In the Choose a Certifier dialog box, do one of the following:

If you are using a server-based certification authority, choose one from the drop-down list.
If you use the certifier ID, provide the certifier ID location and password.

When the request is completed and the new keys are certified, the Person document is updated with new key and certificate information.

4. In the Certificate Expiration Date dialog box, verify that the date is correct and click OK.

5. In the Processing Statistics dialog box, verify that there are no failures and click OK.

When the user next authenticates with the home server, a dialog box appears, asking the new user if they want to accept the new public keys. The user must click OK to accept the new certificates. The new/pending keys in the user's ID file are activated and the old keys are archived.

Note The archived keys remain in the ID file so they are available to decrypt documents that were encrypted with that key.

To configure server key rollover

1. In the Server document, click Administration.

2. Under Public Key Requirements, complete the following fields:

Field Action

Minimum allowable key strength Specify the weakest key size allowed for a server ID. Keys weaker than this will be rolled over.

No minimum (default)
Compatible with all releases (512).
Compatible with all releases (630 bits).
Compatible with Release 6 and later (1024 bits).
Compatible with Release 7 and later (2048 bits).

Maximum allowable key strength Specify the strongest key size allowed. Keys stronger than this will be rolled over:

Compatible with all releases (630 bits).
Compatible with Release 6 and later (1024 bits) (default).
Compatible with Release 7 and later (2048 bits).

Preferred key strength Specify the key strength to be used when a key is rolled over:

Minimum (512 bits).
Compatible with all releases (630 bits).
Compatible with Release 6 and later (1024 bits) (default).
Compatible with Release 7 and later (2048 bits).

Maximum allowable age for key Specify the maximum age, in days, that a key can reach before needing to be rolled over. Default is 36500 days (100 years)

Earliest allowable key creation date Any key created prior to this date will be rolled over.

Don't automatically generate a new key before Specify the earliest date on which keys not meeting key width requirements can be rolled over

Maximum number of days the old key should remain valid after the new key has been created Specify the length of time that the old key can be used during network authentication. During Notes key verification, all of the certificates, old and new, and all of the rollover keys are organized into a tree. That tree is traversed looking for a set of certificates that can be chained together to verify the key. If a certificate has expired, it cannot be used in that chain. When rolling over a key because you fear that it has been compromised, it is a good idea to set a short value for the length of time the old certificates issued to that key can be used. Valid values for this setting are 1 to 36500 days, and the default is 365.

3. Close and save the document.. Key rollover information is written to the server ID file. When a trigger condition occurs, key rollover is initiated and new keys are created in the server ID file and marked pending.

4. Restart the server.

5. In the Domino Administrator, open the Administration Requests database.

6. In the Certify New Key Requests view, select the request for the server, and then click Certify Selected Entries.

7. In the Choose a Certifier dialog box, do one of the following:

If you are using a server-based certification authority, choose one from the drop-down list.
If you use the certifier ID, provide the certifier ID location and password.

8. In the Certificate Expiration Date dialog box, verify that the date is correct and click OK.

9. In the Processing Statistics dialog box, verify that there are no failures and click Ok.

10. At the server console, type "tell adminp process all" to complete the key certification processing.

11. Type "restart server." Restarting the server causes the server to read its configuration and accept the new certified keys.

Creating a new Notes public key and adding it to the Domino Directory

Glossary

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Glossary

Field	Action
Minimum allowable key strength	Specify the weakest key size allowed for a server ID. Keys weaker than this will be rolled over. No minimum (default) Compatible with all releases (512). Compatible with all releases (630 bits). Compatible with Release 6 and later (1024 bits). Compatible with Release 7 and later (2048 bits).
Maximum allowable key strength	Specify the strongest key size allowed. Keys stronger than this will be rolled over: Compatible with all releases (630 bits). Compatible with Release 6 and later (1024 bits) (default). Compatible with Release 7 and later (2048 bits).
Preferred key strength	Specify the key strength to be used when a key is rolled over: Minimum (512 bits). Compatible with all releases (630 bits). Compatible with Release 6 and later (1024 bits) (default). Compatible with Release 7 and later (2048 bits).
Maximum allowable age for key	Specify the maximum age, in days, that a key can reach before needing to be rolled over. Default is 36500 days (100 years)
Earliest allowable key creation date	Any key created prior to this date will be rolled over.
Don't automatically generate a new key before	Specify the earliest date on which keys not meeting key width requirements can be rolled over
Maximum number of days the old key should remain valid after the new key has been created	Specify the length of time that the old key can be used during network authentication. During Notes key verification, all of the certificates, old and new, and all of the rollover keys are organized into a tree. That tree is traversed looking for a set of certificates that can be chained together to verify the key. If a certificate has expired, it cannot be used in that chain. When rolling over a key because you fear that it has been compromised, it is a good idea to set a short value for the length of time the old certificates issued to that key can be used. Valid values for this setting are 1 to 36500 days, and the default is 365.