ID vault trust
User IDs can be stored in an ID vault only if a parent certifier of the IDs has been used to issue a Vault Trust Certificate to the vault. A Vault Trust Certificate is a special-purpose cross-certificate establishing that an organizational or organizational unit certifier trusts an ID vault to store the user IDs that are descended from the certifier. You create Vault Trust Certificates in the Configuration - Security - Certificates view of the Domino Directory using the ID Vaults - Create or ID Vaults - Manage tool.

If users in your environment are certified under different organizations or organizational units, you will need to decide how to implement vault trust. For example, if you have an organizational certifier and multiple organizational unit certifiers below it, decide which one or ones should issue Vault Trust Certificates.

For example, assume the Acme company uses the organization certifier /Acme and three organizational unit certifiers /Dallas/Acme, /NewYork/Acme, and /Shanghai/Acme. All the users are registered in one Domino Domain and will use the same vault. In this case, the /Acme certifier could issue one Vault Trust Certificate. However, perhaps /Acme doesn't want to store the IDs of /Shanghai/Acme users in the vault because those users are registered in a different Domino Domain and will use a different vault. The /Dallas/Acme and /NewYork/Acme certifiers, rather than the /Acme certifier, could each issue a Vault Trust Certificate, preventing IDs certified under /Shanghai/Acme (as well as under /Acme) from using the vault.

Note: Vault Trust Certificates determine which IDs are allowed in a vault; policy configuration determines which IDs are actually stored there.
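The admission rule above (an ID is accepted only if one of its ancestor certifiers has issued a Vault Trust Certificate to the vault) can be modelled on hierarchical Notes names. The following is an added illustration, not Domino code; the vault name and the user names are constructed, and it covers only the trust check, not the policy configuration that decides which IDs are actually stored.

```python
"""Model of ID vault trust evaluation for hierarchical Notes names.

Constructed illustration (not Domino code): a user ID may be stored in a
vault only if some ancestor certifier of the user's name has issued a
Vault Trust Certificate to that vault.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def ancestors(name: str) -> List[str]:
    """Return the certifier chain of a hierarchical name, nearest first.

    "/Alice/Dallas/Acme" -> ["/Dallas/Acme", "/Acme"]
    """
    parts = [p for p in name.strip("/").split("/") if p]
    return ["/" + "/".join(parts[i:]) for i in range(1, len(parts))]


@dataclass
class Vault:
    name: str
    # Certifiers that have issued a Vault Trust Certificate to this vault.
    trusting_certifiers: Set[str] = field(default_factory=set)

    def issue_trust_certificate(self, certifier: str) -> None:
        self.trusting_certifiers.add(certifier)

    def allows(self, user_name: str) -> Optional[str]:
        """Return the certifier whose trust admits this ID, or None."""
        for cert in ancestors(user_name):
            if cert in self.trusting_certifiers:
                return cert
        return None


def acme_example() -> Dict[str, Optional[str]]:
    """The scenario from the text: only /Dallas/Acme and /NewYork/Acme
    issue Vault Trust Certificates, so /Shanghai/Acme users and users
    certified directly under /Acme are excluded."""
    vault = Vault("IDVault/Acme")  # constructed vault name
    vault.issue_trust_certificate("/Dallas/Acme")
    vault.issue_trust_certificate("/NewYork/Acme")
    users = [  # constructed user names
        "/Alice/Dallas/Acme",
        "/Bob/NewYork/Acme",
        "/Chen/Shanghai/Acme",
        "/Dana/Acme",
    ]
    return {u: vault.allows(u) for u in users}
```

Issuing the certificate from /Acme instead would admit every name in the tree, including /Shanghai/Acme users, which is the trade-off the example describes.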