DOMINO SERVER INSTALLATION


Setting up security for Internet site documents
To set up security for Internet site documents, you can enable SSL server and client authentication, name-and-password authentication, or anonymous access for Internet and Intranet clients.

In order to enable SSL for Internet sites, you must configure the SSL port on the Server document and set up SSL on the server by obtaining a server certificate and key ring from an Internet certificate authority.

To set up SSL authentication, you must create a server key ring file for each Internet site document. However, if the Internet site documents are for the same organization, but are created for different protocols, a single server key ring file can be used. Be sure to enter the server key ring file name in the appropriate field on the Security tab of each site document.

If you want to use Certificate Revocation Lists (CRL) for Internet certificate authentication, the server must be using a IBM® Lotus® Domino® server-based certification authority for issuing Internet certificates.

Note For Web sites, the common name on the server key ring must match the DNS name to which the IP address in the Web Site document is mapped. The IP address must be stored in the field "Host name or addresses to map to this site," which is located on the Web Site document. If you enable Redirect TCP to SSL in a Web Site document, both the host name and the IP address must be stored in this field.

You should be familiar with SSL authentication, name and password authentication, and anonymous access before completing these steps.

To set up security for Internet site documents

Note In IBM® Lotus® Domino®, it is possible to effectively prohibit access to an Internet site by selecting "no" for all authentication options in an Internet site Document. These options include TCP authentication, SSL authentication, and TCP anonymous access.

1. From the Domino Administrator, click Configuration - Web - Internet sites.

2. Choose the Internet site document to modify, and click Edit Document.

3. Click Security, and complete these fields:
FieldEnter
TCP Authentication
Anonymous (Applies to all Internet sites, except IMAP and POP3)

Choose one:

  • Yes -- To allow anonymous access to this site
  • No -- To prohibit anonymous access
Name & passwordChoose one:
  • Yes -- To require a user to authenticate with the user's name and Internet password to access the site
  • No -- To not require name and password authentication
Redirect TCP to SSL (Applies to Web Site only) Choose one:
  • Yes -- To require clients and servers to use the SSL protocol to access the Web site
  • No -- To allow clients and servers to use SSL or TCP/IP to access the Web site
SSL Authentication
Anonymous(Applies to all Internet sites, except IMAP and POP3)

Choose one:

  • Yes -- To allow users access over the SSL port without authenticating with a name and password
  • No -- To deny users anonymous access
Name & passwordChoose one:
  • Yes -- To require a user to authenticate with user name and Internet password in order to access this site using SSL
  • No --To not require a name and password
Client certificate(Applies to Web Site, IMAP, POP3, and LDAP)

Choose one:

  • Yes -- To require a client certificate for access to this site
  • No -- To not require a client certificate
SSL Options
Key file nameEnter the name of the server key ring file.
Protocol version Choose one:
  • V2.0 only -- Allows only SSL 2.0 connections.
  • V3.0 handshake -- Attempts an SSL 3.0 connection. If this fails and the requester detects SSL 2.0, attempts to connect using SSL 2.0.
  • V3.0 only -- Allows only SSL 3.0 connections.
  • V3.0 with V2.0 handshake -- Attempts an SSL handshake, which displays relevant error messages. Makes an SSL 3.0 connection if possible.
  • Negotiated (default) -- Attempts an SSL 3.0 connection. If this fails, attempts to use SSL 2.0. Use this setting unless you are having connection problems caused by incompatible protocol versions.
Accept SSL site certificatesChoose one:
  • Yes -- To accept the certificate and use SSL , even if the server does not have a certificate in common with the protocol server
  • No (default) -- To prohibit the acceptance of SSL site certificates for access
Accept expired SSL certificates Choose one:
  • Yes -- To allow clients access, even if the client certificate is expired
  • No -- To prohibit client access using expired SSL certificates
Check for CRLsChoose one:
  • Yes -- To check the certifier's Certificate Revocation List (CRL) for the user certificate you are attempting to validate. If a valid CRL is found and the user certificate is on the list, the user certificate is rejected.
  • No -- To not use Certificate Revocation Lists
Trust expired CRLsChoose one:
  • Yes -- To use expired but otherwise valid Certificate Revocation Lists when attempting to validate user certificates
  • No -- To reject expired Certificate Revocation Lists
Allow CRL search to failChoose one:
  • Yes -- If the attempt to locate a valid Certificate Revocation List fails, proceed as if "Check for CRLs" is set to No.
  • No -- If a valid Certificate Revocation List for the user certificate is not found, reject the certificate. If "Trust expired CRLs" is set to Yes, an expired CRL is valid. If "Trust expired CRLs" is set to No, the authentication will fail for every user certificate for which a matching valid CRL is not located.
SSL Security
SSL ciphersClick Modify to change the SSL cipher settings for this site document. These settings apply only to SSL v3. SSL v2 ciphers cannot be changed.
Enable SSL V2Choose Yes to enable SSL v2 for this site document.
4. Save the document.

Related topics