Open Mic on ID Vault: Overview & Best Practices
19th December, 2012
Open Mic Team
- Sunil Chelani, Domino SME (presenter)
- Seema Janjirkar, Software Engineer (presenter)
- Ranjit Rai, Lotus Technical Advisor, focusing on the entire Notes/Domino stack
- Hansraj Mali, Lotus Technical Advisor, focusing on Notes/Domino and LotusLive
- Jayaval Rajendran, Lotus Technical Advisor, focusing on the entire Notes/Domino stack
- Vinayak Tavargeri, Lotus Support Manager (Open Mic facilitator)
Agenda
- What is a Notes ID Vault
- Why deploy a Notes ID Vault
- ID Vault requirements
- Understanding ID Vault components
- Notes ID Vault creation and configuration
- Operations on the Notes ID Vault
- Understanding vault security
- Password reset deployment recommendations
- Troubleshooting
- ID Vault notes.ini settings
- Case studies
- Resources
- Q&A
What is the Notes ID Vault
- The Notes ID Vault is an optional, server-based database that holds protected copies of Notes user IDs
- Uploads copies of ID files for existing users
- Adds ID files to the vault during registration of new users
- Resets passwords when they are forgotten
  - Help desk
  - Self-service applications
- Synchronizes ID files across multiple computers
- Auditor function to gain access to encrypted data
  - Requires administrator access to the server, vault administration rights (Manager in the vault database ACL) and the Auditor role
  - Can be disabled with SECURE_DISABLE_AUDITOR=1 in the server's notes.ini
- Integration with iNotes / BlackBerry
- Marks ID files as Inactive via AdminP when users are deleted directly in the vault
Why Deploy the Notes ID Vault
- Can replace time-consuming, expensive ID file and password recovery systems, with the potential for a significant reduction in user downtime and help desk costs
- Simplifies provisioning of Lotus Notes ID credentials
- Streamlines the process for resetting forgotten passwords
  - Help desk options
  - Programmatic interfaces for self-service password applications
- Automates ID file maintenance
  - ID file synchronization
  - ID renames
  - ID key rollovers
  - ID file replacement due to loss or corruption
- Supports processes for legal discovery / access to encrypted data, potentially preventing the loss of valuable information
ID Vault Requirements
- IBM Lotus Domino 8.5.x
- IBM Lotus Notes 8.5.x
- 8.5.x Lotus Domino Directory design
- 8.5.x Personal Address Book design (Notes client address book)
- A policy to assign the vault
- A minimum of one vault server
Understanding ID Vault Components
- Vault server
- Vault database
- Vault administrator
- Vault ID
- Vault Trust Certificates
- Reset Password Authority
- Policy
- Vault replica server
- Auditor role
Notes ID Vault Creation
- Configuration tab > Tools > ID Vaults > Create
- Specify a name for the vault; it is used for the:
  - Hierarchical name of the vault
  - Database file name
  - Vault ID file (used when adding or removing vault replicas)
- Specify a password for the vault ID
- Select the server on which to deploy the vault
Notes ID Vault Creation (continued)
- Select at least one vault administrator; vault administrators can:
  - Add / remove vault servers
  - Delete ID files from the vault
  - Add / remove other administrators
- Select the organizations or organizational units whose IDs will be stored
  - Requires access to the certifier IDs
  - A Vault Trust Certificate is created for each certifier and stored in the Domino Directory
  - Only IDs registered with these certifiers can be uploaded to the vault
Notes ID Vault Creation (continued)
- Select the user names that are authorized to reset passwords
  - A Password Reset Certificate is created for each user
  - Include the IDs associated with any self-service password reset application
Notes ID Vault Creation (continued)
- Create the ID vault policy: create new, edit existing, or skip and create later
- Create the vault: locate the certifier IDs
Notes ID Vault Creation (continued): what gets created
- ID Vault application
  - Stored on the hosting Domino server
  - Encrypted with the hosting Domino server's ID
- Vault Trust Certificates
  - One for each registered certifier
  - Notes cross-certificates stored in the Domino Directory
- Password Reset Certificates
  - One for each user or application authorized to reset passwords
  - Notes cross-certificates stored in the Domino Directory
- Policy settings
  - If selected during vault creation
  - In a new or existing policy document
Notes ID Vault Creation Complete
- Vault ID
  - Left on the vault creator's desktop
  - Should be secured like a certifier ID
  - Needed to create vault replicas
- ID Vault directory entry: the document from which the ID vault is managed
Notes ID Vault Configuration
- Security Settings document > ID Vault tab
  - Hierarchical name of the vault
  - Forgotten password help text
  - Enforce password change
  - Automatic ID downloads
  - Time limit
  - Failure message
- Person document > ID Vaults: number of downloads
Notes ID Vault Database
- The application is encrypted with the host server's ID
- ACL
  - Vault administrators: Manager
  - Vault server: Manager
  - No access required for anyone else
- One record per ID
  - Modification time
  - Download limit
  - User ID (encrypted)
Notes ID Vault Replicas
- First vault: ID Vaults > Create
- Primary vault server
  - Carries out key vault operations: name changes, key rollover
  - Last replica to be deleted
  - Shown with a checkmark in ID Vaults > Manage
- Additional vault replicas
  - ID Vaults > Manage
  - Do not use the Create Replica tool
- Console command: show idvaults
Operations: Adding a New User to the Vault
- Register the new user
  - Select the vault policy on the Basics tab
  - The vault is automatically selected on the ID Info tab
- During new user setup
  - The user enters their name
  - The server identifies the user as having an ID in the vault and prompts for the password
  - The correct password results in the ID being downloaded to the desktop
Operations: Adding an Existing User to the Vault
- Add the user to the policy, either in the Person document or via the policy assignment tab
- The user logs into Notes
- The ID is uploaded in the background
- User Security settings indicate that the ID has been uploaded to the vault
Operations: Forgotten Password
- The user clicks the link on the login dialog
- The user receives instructions for getting the password reset
  - Contact an administrator
  - Or use a custom-built self-service application
Operations: Resetting a Password Manually
- Operator
  - Needs to verify the user's identity
  - Requires a Password Reset Certificate
  - Resets the password from the Person document
  - Does not need access to the vault
  - Does not need access to the ID file
- User
  - Enters the new password
  - Can be prompted to change the password immediately
Operations: Resetting a Password (Automated)
- Custom application: help desk application or self-service application
- The ResetUserPassword method is available in C, Java, JavaScript and LotusScript
- It is the only API call currently exposed, i.e. you cannot develop a custom program to extract IDs
- A sample self-service application code snippet is supplied with Domino 8.5; it uses the ResetUserPassword method in a LotusScript agent and can be used as the basis for your own application
Operations: Synchronizing IDs
- Synchronization scenarios: name change, key rollover, password change, encryption keys
- The vault treats synchronization and download differently
  - Synchronization: the client has the ID and the password
  - Download: the client only has the password
- Synchronization occurs
  - At login
  - Immediately (if a local ID change is made while the user is online)
  - At the polling interval (if a local ID change is made while the user is offline)
Operations: Extracting an ID from the Vault
- Provide the user with a physical copy of the ID
  - Extract the ID from the Person view or the Person document
  - Supply the current password for the ID
- Supply a copy of the ID to an auditor
  - The user should be unaware of the access
  - The operator requires the Auditor role
  - Extract the ID from the Person view
  - Do not supply the current password (presumably not known); supply a new password to be used by the auditor
Operations: Recovering an ID
- ID deleted or corrupted
  - Remove the corrupted ID
  - Ensure the user can download a new ID: Automatic downloads set to Yes, or Number of downloads allowed set to greater than 0
  - The user logs in and a new copy of the ID is downloaded
- ID lost or stolen
  - Reset the password on the ID in the vault
  - Roll over the keys on the ID
  - Ensure that server key checking is enabled
  - Ensure the user can download a new ID
  - The user logs in and a new copy of the ID is downloaded
Understanding Vault Security
- Protection against the use of an unauthorized vault
  - Creation of a Vault Trust Certificate requires access to the certifier ID(s)
- Protection against unauthorized upload of IDs
  - Only IDs registered by authorized certifiers can be uploaded
  - Only IDs specified via policy will be uploaded
- Protection against unauthorized download of IDs
  - Failed password attempts are restricted to 10 per day (configurable)
  - Option to require authorization for all downloads
- Protection against unauthorized password resets
  - Requires a Password Reset Certificate
  - Creation of a Password Reset Certificate requires access to the certifier ID
- Protection against unauthorized access to vault contents
  - Attached IDs are encrypted in the vault
  - All encryption/decryption is done in memory; IDs are never stored on disk
- Protection against unauthorized access to data transmitted over the network
  - ID vault transactions are encrypted
Password Reset Deployment Recommendations
- Issue password reset certificates to a small number of highly trusted individuals
- Issue a password reset certificate to an entire help desk OU
  - Renaming people into and out of that OU grants or denies access
- Issue special IDs for resetting passwords
  - Administrators switch to these IDs to perform password reset tasks
- Issue a single password reset certificate to an application and give the help desk access to that application
  - Easy to add and remove people from that ACL
  - Supplemental logging and auditing can be added
Troubleshooting
- Where and how to find logs for the ID vault: security events are recorded in the local or server log.nsf
- Logs for Extract ID from vault (including the case where the "/" is missing from the vault name) and logs for Reset Password from vault
- Using the Administrator client to analyze vault issues
- Domain monitoring: the DDM database
Troubleshooting: Error Messages
- Error when trying to extract an ID file from the ID vault: "Server Error: You are not authorized to perform that operation". The administrator does not have the Auditor role in the ID vault database. Even when the administrator does have the Auditor role, SECURE_DISABLE_AUDITOR=1 in the server's notes.ini prevents ID files from being extracted.
- User registration fails to upload the new user's ID to the Lotus Domino ID Vault with the error "Error: File does not exist". See http://www.ibm.com/support/docview.wss?uid=swg21366245. The same "Error: File does not exist" is returned when extracting an ID file if the vault name is not entered correctly, for example with the forward slash missing (/Testvault).
- ID upload to an ID vault can fail during user registration; the registration process completes with the error "FAILED: ID upload to Notes ID Vault failed". In some cases the problem was caused by corruption in the Domino Directory (names.nsf).
Troubleshooting: Error Messages (continued)
- A user lost their ID or it became corrupt. You attempt to launch their Notes client and download a new ID for this user, but receive the error message "File cannot be created". See http://www.ibm.com/support/docview.wss?uid=swg21411443
- This error is generated repeatedly in the Domino logs: "Failed to authenticate with server Acmeserver/Acme. This server does not have the vault. A referral was returned." See http://www.ibm.com/support/docview.wss?uid=swg21454997
- When an administrator tries to reset the password for a user ID, the error "Server Error: Missing or invalid Password Reset Trust certificate, Check the log file for details" is returned
- User.id is not uploaded to the ID vault when the user is renamed into a new organizational unit ("03:11 ON REMOTE SERVER")
ID Vault notes.ini Settings: Debugging
Which debug settings to use to collect logs for ID vault issues:

  Client side                 Server side
  Debug_IDV_TrustCert=1       Debug_IDV_TrustCert=1
  Debug_Namelookup=1          Debug_Namelookup=1
  Console_log_enabled=1       Console_log_enabled=1
  DEBUG_IDV_TRACE=1           Debug_threadid=1
ID Vault notes.ini Settings
- IDV_POLL_INTERVAL
- IDVault_Max_Auth_Failures
- IDVault_Max_Auth_Failure_Cache_Size
- IDVAULT_RESYNC_INTERVAL
- SECURE_DISABLE_AUDITOR
- IDVAULT_COUNT1
- IDVaultLastFlushTime
- IDVaultLastServer
- IDVAULT_STAMP1
Case Study 1
Problem: for existing users, ID files are not getting uploaded to the ID Vault.
Troubleshooting: the errors seen were
  "Unable to find ID for <user name> in Vault. Error: Entry not found in index"
  "Failed to set download count for <user> to 0. Error: Entry not found in index"
We checked the following details:
- The user must be using an 8.5.x client.
Case Study 1 (continued)
- Check the policy requirements: a policy must exist that enrolls the user into the vault. It may be organizational or explicit.
- Verify that the client has successfully pulled down the policy. To do this, open names.nsf at the client, hold down SHIFT+CTRL while selecting View > Go To, and open the ($Policies) view. You should see a list of policies for the user. If you do not, investigate a possible problem with the policy; for assistance in troubleshooting policies, refer to technote 7010353, "Self-Training: Troubleshooting Domino policies and settings documents".
Case Study 1 (continued)
- We checked the policy that carries the ID vault settings assigned to the user: it was not being pulled down to the client. The client was instead applying a policy with different settings, and that is what caused the error "Unable to find ID for <user name> in Vault. Error: Entry not found in index".
- On investigation we found another, organizational policy with enforced settings, which caused that organizational policy to be assigned to this user.
- In further testing, when we enabled "Ignore settings from ancestor policies" (Administration tab, Exception policy field) in the "idvault" policy document, the ID vault settings were pulled down at the Notes client and the ID was uploaded to the vault.
Case Study 2
Administrators are unable to reset passwords, with the error messages "Missing or Invalid Vault trust certificate. Check the log file for details" and "Server Error: Missing or invalid Password Reset Trust certificate, check the log file for details".
The customer has the following organizations in the address book, which are cross-certified with each other: O=Acme, O=Bat, O=Cat and O=Lotus. The vault database name is "Acme ID Vault" for each of the Os. When users from any of these Os tried to reset a password using the ID vault, the above errors were returned.
We enabled the following debug settings on the server:
  Debug_IDV_TrustCert=1
  Debug_Namelookup=1
  Console_log_enabled=1
  Debug_threadid=1
Case Study 2 (continued)
The console log shows the following:
  [1254:0EE3-16F8] ----- Trust cert lookup Subject: CN=Lotus Admin/O=Lotus; Issuer: CN=Test1/O=Lotus, OrgCombo: O=Lotus:PR:O=Lotus
  [1254:101E-16F8] NAMELookup::<Lookup> PID:TID (1254:101E) start of routine
  [1254:101E-16F8] NAMELookup::<lookup> Searching view '($CrossCertByRoot)' (1 of 1 views).
  [1254:101E-16F8] NAMELookup::<lookup> Searching name='o=lotus:pr:o=lotus' (1 of 1 names).
  [1254:101E-16F8] NAMELookup::<lookup> Searching DBIndex=1.
  [1254:101E-16F8] NAMELookup::<LocateNameSpace> locate namespace in DBIndex=1, view='($crosscertbyroot)'
  [1254:101E-16F8] NAMELookup::<ReturnNameInfo> name='o=lotus:pr:o=lotus' was found '0' match(es)
  [1254:101E-16F8] NAMELookup::<lookup> No matches found for name 'O=Lotus:PR:O=Lotus' in dbindex '1'
  [1254:101E-16F8] NAMELookup::<LocateNameSpace> locate namespace in stable DBIndex=1, view='($crosscertbyroot)'
  [1254:1028-0274] NAMELookup::<LocateNameSpace> locate namespace in DBIndex=1, view='$serveraccess'
  [1254:101E-16F8] NAMELookup::<lookup> NumReturned=0, TotalNumReturned=0 match(es) for name='o=lotus:pr:o=lotus'
  [1254:0EE3-16F8] ---- Error in IDVLookupTrustCert, subject: CN=Lotus Admin/O=Lotus, issuer: CN=Test1/O=Lotus
  [1254:0EE3-16F8] ---- Error in IDVValidatePRIssuer for pw resetter CN=Lotus Admin/O=Lotus, vault:'o=acmeidvault' user:'cn=test1/o=lotus'
From the error and the console log: the admin is trying to reset the password for user CN=Test1/O=Lotus. During this process the server tries to find 'O=Lotus:PR:O=Lotus' and finds nothing. In names.nsf, in the Security > Certificates view, expanding "Password Reset Certificates" shows only a password reset certificate for organization Acme; there is no password reset certificate for organization Lotus. That is why the password reset failed.
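The diagnosis above was done by reading the trace by eye. The following Python example, added for this page and not code from IBM or the deck, automates it: it pairs each "Trust cert lookup ... OrgCombo:" line with the NAMELookup result for the same name and reports which certificate is missing. The trace is constructed from the lines quoted above plus an assumed second lookup that succeeds (for O=Acme) so both outcomes are shown; reading the OrgCombo as <org>:<certificate type>:<org> with PR meaning Password Reset is likewise an assumption drawn from the deck's own conclusion.

```python
import re

# Constructed trace: the first lookup reproduces the miss quoted in the deck;
# the second (a hit for O=Acme) is an assumed example of a successful lookup.
SAMPLE_TRACE = """\
[1254:0EE3-16F8] ----- Trust cert lookup Subject: CN=Lotus Admin/O=Lotus; Issuer: CN=Test1/O=Lotus, OrgCombo: O=Lotus:PR:O=Lotus
[1254:101E-16F8] NAMELookup::<lookup> Searching view '($CrossCertByRoot)' (1 of 1 views).
[1254:101E-16F8] NAMELookup::<ReturnNameInfo> name='o=lotus:pr:o=lotus' was found '0' match(es)
[1254:0EE3-16F8] ---- Error in IDVLookupTrustCert, subject: CN=Lotus Admin/O=Lotus, issuer: CN=Test1/O=Lotus
[1254:0EE3-16F8] ----- Trust cert lookup Subject: CN=Acme Admin/O=Acme; Issuer: CN=Test2/O=Acme, OrgCombo: O=Acme:PR:O=Acme
[1254:101E-16F8] NAMELookup::<ReturnNameInfo> name='o=acme:pr:o=acme' was found '1' match(es)
"""

LOOKUP_RE = re.compile(
    r"Trust cert lookup Subject: (?P<subject>[^;]+); "
    r"Issuer: (?P<issuer>[^,]+), OrgCombo: (?P<combo>\S+)"
)
RESULT_RE = re.compile(
    r"NAMELookup::<ReturnNameInfo> name='(?P<name>[^']+)' "
    r"was found '(?P<n>\d+)' match\(es\)"
)

# Middle token of the OrgCombo. Only PR (password reset) appears in the deck;
# any other token is reported verbatim rather than guessed at.
CERT_TYPES = {"PR": "Password Reset certificate"}


def analyze_trust_cert_trace(text):
    """Pair every OrgCombo lookup with the NAMELookup result for the same
    name; return one dict per lookup with its match count and a finding."""
    lookups, pending = [], None
    for line in text.splitlines():
        m = LOOKUP_RE.search(line)
        if m:
            pending = {k: m.group(k).strip() for k in ("subject", "issuer", "combo")}
            pending["matches"] = None
            pending["finding"] = "no NAMELookup result seen for " + pending["combo"]
            lookups.append(pending)
            continue
        r = RESULT_RE.search(line)
        if r and pending and r.group("name").lower() == pending["combo"].lower():
            pending["matches"] = int(r.group("n"))
            pending["finding"] = _describe(pending)
            pending = None
    return lookups


def _describe(lookup):
    left, token, right = lookup["combo"].split(":", 2)
    kind = CERT_TYPES.get(token, "'%s' certificate" % token)
    if lookup["matches"] == 0:
        return ("missing %s for %s -> %s in ($CrossCertByRoot); "
                "reset by %s for %s fails"
                % (kind, left, right, lookup["subject"], lookup["issuer"]))
    return "found %s for %s -> %s" % (kind, left, right)


def missing_certificates(text):
    """Only the lookups that returned zero matches."""
    return [l for l in analyze_trust_cert_trace(text) if l["matches"] == 0]


if __name__ == "__main__":
    for lookup in analyze_trust_cert_trace(SAMPLE_TRACE):
        print(lookup["finding"])
```

Run it against a console.log captured with Debug_IDV_TrustCert=1 and Debug_Namelookup=1 on the vault server; every "missing" line names the organization pair for which a certificate has to be added through ID Vaults > Manage.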
Case Study 2 (continued)
We modified the ID vault settings using the Manage tool, adding the other Os to the password reset certificates, and password reset then worked for Lotus users. However, for users under O=Acme, O=Bat and O=Cat it still failed with the error "Missing or Invalid Vault trust certificate. Check the log file for details." We reproduced the issue in our lab and found that this error is not recorded or captured anywhere on the server: it is a local client error. To resolve it we removed all the cross-certificates in the personal address book and then copied the certificates and cross-certificates from the server address book to the local address book. After that, password reset for the other Os worked without issue.
Case Study 3
The user's ID file is not getting synchronized with the ID vault database; the error message is:
  "In vault 'O=third' was not downloaded because the wrong password was supplied. Error: Wrong Password. (Passwords are case sensitive be sure to use correct upper and lower case)"
According to http://www-10.lotus.com/ldd/dominowiki.nsf/dx/id-vault-logging-for-8.5-faq, this message is logged whenever an incorrect password is entered. This may be because the user simply mistyped their password, or because an attacker is trying to guess the user's password. If this message is logged multiple times and/or for multiple users around the same time period, you may want to investigate.
Does the ID vault sync status in User Security show as enabled? It was not. So we reset the password and the problem was resolved. However, this problem was seen for most users, so to identify why the ID was not syncing we needed to check that the policy had been applied properly to the user and enable some debug settings on the client.
Client debug: shut down the Notes client, open the client's notes.ini, insert the parameters below before the last two lines, then save and close the file. To disable them again, remove the parameters from notes.ini.
  IDV_TrustCert=1
  Debug_IDVault_Server_Selection=1
  IDVault_Count1=1
  IDVaultLastServer=1
  IDV_Poll_Interval=5000
  Debug_namelookup=1
  CONSOLE_LOG_ENABLED=1
  Debug_ThreadID=1
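The wiki advice quoted above, to look for the wrong-password message repeating for one user or across many users in the same period, and the security slide's note that the vault itself cuts off failed attempts at 10 per day, suggest a simple review script. The Python below is an added example for this page, not IBM code: it pulls the wrong-password events out of a log excerpt, flags users whose failures cluster inside a sliding window (threshold deliberately below the server's own lockout), and looks for many different users failing within a few minutes, which is what a password spray looks like rather than a mistyped password. The log lines are constructed; the failure text is the one the deck quotes, while the timestamp layout and the "ID for <user>" prefix are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log.nsf excerpt (not from the original deck). The failure text
# is the one the deck quotes; the timestamp layout and the "ID for <user>"
# prefix are assumptions. One unrelated line is included to show it is skipped.
SAMPLE_LOG = """\
12/23/2011 09:00:05 AM  ID for CN=Alice Smith/O=Acme in vault 'O=third' was not downloaded because the wrong password was supplied. Error: Wrong Password.
12/23/2011 09:00:40 AM  Opened session for CN=Alice Smith/O=Acme
12/23/2011 10:30:11 AM  ID for CN=Alice Smith/O=Acme in vault 'O=third' was not downloaded because the wrong password was supplied. Error: Wrong Password.
12/23/2011 10:31:02 AM  ID for CN=Bob Jones/O=Acme in vault 'O=third' was not downloaded because the wrong password was supplied. Error: Wrong Password.
12/23/2011 10:31:30 AM  ID for CN=Bob Jones/O=Acme in vault 'O=third' was not downloaded because the wrong password was supplied. Error: Wrong Password.
12/23/2011 10:32:01 AM  ID for CN=Bob Jones/O=Acme in vault 'O=third' was not downloaded because the wrong password was supplied. Error: Wrong Password.
12/23/2011 10:32:44 AM  ID for CN=Bob Jones/O=Acme in vault 'O=third' was not downloaded because the wrong password was supplied. Error: Wrong Password.
12/23/2011 10:33:15 AM  ID for CN=Bob Jones/O=Acme in vault 'O=third' was not downloaded because the wrong password was supplied. Error: Wrong Password.
12/23/2011 11:00:03 PM  ID for CN=Carol White/O=Acme in vault 'O=third' was not downloaded because the wrong password was supplied. Error: Wrong Password.
12/23/2011 11:00:41 PM  ID for CN=Dave Brown/O=Acme in vault 'O=third' was not downloaded because the wrong password was supplied. Error: Wrong Password.
12/23/2011 11:01:19 PM  ID for CN=Erin Black/O=Acme in vault 'O=third' was not downloaded because the wrong password was supplied. Error: Wrong Password.
12/23/2011 11:02:07 PM  ID for CN=Frank Green/O=Acme in vault 'O=third' was not downloaded because the wrong password was supplied. Error: Wrong Password.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)\s+"
    r"ID for (?P<user>.+?) in vault '(?P<vault>[^']+)' "
    r"was not downloaded because the wrong password was supplied"
)
TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"


def parse_wrong_password_events(log_text):
    """(timestamp, user, vault) tuples, oldest first, one per wrong-password
    line; anything else in the log is ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group("ts"), TS_FORMAT),
                           m.group("user"), m.group("vault")))
    return sorted(events)


def flag_users(events, threshold=5, window=timedelta(hours=1)):
    """Users whose failures inside any sliding window of length `window`
    reach `threshold`. Returns {user: peak count}. The threshold sits below
    the vault's own 10-per-day cutoff so a guessing run is seen before it
    locks the user out."""
    by_user = defaultdict(list)
    for ts, user, _ in events:
        by_user[user].append(ts)
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def detect_spray(events, min_users=3, window=timedelta(minutes=5)):
    """Many different users failing in one short window is a spray, not a
    typo. Returns (window start in the log's own timestamp format, distinct
    users) for the busiest window, or None if none reaches `min_users`."""
    best, start = None, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        users = {u for _, u, _ in events[start:end + 1]}
        if len(users) >= min_users and (best is None or len(users) > best[1]):
            best = (events[start][0].strftime(TS_FORMAT), len(users))
    return best


if __name__ == "__main__":
    evs = parse_wrong_password_events(SAMPLE_LOG)
    print("wrong-password events:", len(evs))
    print("users to investigate:", flag_users(evs))
    print("possible spray:", detect_spray(evs))
```

Point it at the vault server's log.nsf export rather than a single client's log: the case study shows the same message appearing for many users, and only the server-side view distinguishes a policy problem hitting everyone from one account being guessed at.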
Case Study 3 (continued)
After reviewing the logs we did not find the ID being synchronized, even though the Person document and the ID vault database showed it as uploaded. To troubleshoot further, try the following:
1. Set the following parameters on the Notes client: set IDVAULT_COUNT1 greater than 4 and set IDVAULT_STAMP1 to more than 24 hours ago. For example, to force a sync:
   IDVAULT_COUNT1=5
   IDVAULT_STAMP1=21/12/2011 12:33:12 PM
2. Delete the user ID file from the Notes client (copy it to c:\temp first) and log in; the Notes client should automatically sync and pull down a new copy of the ID from the vault.
3. Gather logging by adding these settings to the Notes client notes.ini:
   console_log_enabled=1  (enables logging; this was already enabled)
   Debug_IDV_Trace=1  (traces ID vault issues)
   logstatusbar=1  (logs anything shown in the status bar)
You should get an error when trying to upload to the ID vault. In this case the issue was due to multiple entries in notes.ini.
Case Study 3 (continued)
The client's notes.ini contained the following, with duplicate entries:
  IDVAULT_COUNT1=0
  IDVAULT_STAMP1=12/23/2011 03:54:17 PM
  IDV_TrustCert=1
  Debug_IDVault_Server_Selection=1
  IDVault_Count1=1
  IDVaultLastServer=1
  IDV_Poll_Interval=5000
  IDVAULT_COUNT1=5
  IDVAULT_STAMP1=21/12/2011 12:33:12 PM
  Debug_IDV_Trace=1
- We removed the duplicate entries and then set IDVaultLastServer in notes.ini to the vault server name.
- We then deleted the ID file from the data directory and relaunched the Notes client; the ID file was downloaded, and after we changed the password it was successfully synced with the ID vault.
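Duplicate IDVAULT_COUNT1 / IDVAULT_STAMP1 lines are easy to miss in a long notes.ini, and the two stamp values above are even written in different date layouts. The following Python, an added example for this page rather than IBM's or the deck's code, reads a notes.ini, reports keys set more than once (notes.ini keys are case-insensitive, so IDVault_Count1 and IDVAULT_COUNT1 collide), lists the vault-related keys, and checks whether the forced-resync condition from the case study (COUNT1 greater than 4 and STAMP1 older than 24 hours) holds. Which duplicate the Notes client actually honours is not stated in the deck, so the report takes the last one and tells you to clean up; the sample file is constructed around the lines listed above.

```python
from datetime import datetime, timedelta

# Constructed notes.ini excerpt. The IDVAULT_* / IDV_* / Debug_* lines are the
# ones listed in the case study, in the same order; the [Notes] header and the
# first two keys are assumed filler.
SAMPLE_NOTES_INI = """\
[Notes]
Directory=C:\\Notes\\Data
KeyFilename=user.id
IDVAULT_COUNT1=0
IDVAULT_STAMP1=12/23/2011 03:54:17 PM
IDV_TrustCert=1
Debug_IDVault_Server_Selection=1
IDVault_Count1=1
IDVaultLastServer=1
IDV_Poll_Interval=5000
IDVAULT_COUNT1=5
IDVAULT_STAMP1=21/12/2011 12:33:12 PM
Debug_IDV_Trace=1
"""

# Key prefixes belonging to the ID vault or its debugging, taken from the deck.
VAULT_KEY_PREFIXES = ("IDVAULT", "IDV_", "DEBUG_IDV", "SECURE_DISABLE_AUDITOR")

# The deck shows the stamp in both US (12/23/2011) and day-first (21/12/2011)
# layouts, so both are tried.
STAMP_FORMATS = ("%m/%d/%Y %I:%M:%S %p", "%d/%m/%Y %I:%M:%S %p")


def parse_notes_ini(text):
    """(line number, key, value) for each setting, in file order. Section
    headers, ';' comments and blank lines are skipped."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("[", ";")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries.append((no, key.strip(), value.strip()))
    return entries


def duplicate_keys(entries):
    """{KEY: [line numbers]} for every key set more than once, compared
    case-insensitively because notes.ini keys are."""
    seen = {}
    for no, key, _ in entries:
        seen.setdefault(key.upper(), []).append(no)
    return {k: v for k, v in seen.items() if len(v) > 1}


def parse_stamp(value):
    """(datetime or None, ambiguous) for an IDVAULT_STAMP1 value. ambiguous
    is True when the value parses to different dates under the two layouts."""
    parsed = []
    for fmt in STAMP_FORMATS:
        try:
            parsed.append(datetime.strptime(value, fmt))
        except ValueError:
            pass
    if not parsed:
        return None, False
    return parsed[0], len(set(parsed)) > 1


def vault_settings_report(text, now):
    """Duplicates, effective vault keys, and whether the forced-resync
    condition (COUNT1 > 4 and STAMP1 older than 24 h) holds. Which duplicate
    the client honours is undocumented here; the last occurrence is used."""
    entries = parse_notes_ini(text)
    dups = duplicate_keys(entries)
    effective = {key.upper(): value for _, key, value in entries}
    count = int(effective.get("IDVAULT_COUNT1", "0") or 0)
    stamp, ambiguous = parse_stamp(effective.get("IDVAULT_STAMP1", ""))
    return {
        "duplicates": dups,
        "vault_keys": {k: v for k, v in effective.items()
                       if k.startswith(VAULT_KEY_PREFIXES)},
        "force_resync": bool(count > 4 and stamp is not None
                             and now - stamp > timedelta(hours=24)),
        "stamp_ambiguous": ambiguous,
        "clean": not any(k in dups for k in ("IDVAULT_COUNT1", "IDVAULT_STAMP1")),
    }


if __name__ == "__main__":
    report = vault_settings_report(SAMPLE_NOTES_INI, datetime.now())
    for key, lines in report["duplicates"].items():
        print("duplicate %s on lines %s: remove all but one" % (key, lines))
    print("force-resync condition met:", report["force_resync"])
```

Run it on a copy of the client's notes.ini before and after editing: the "clean" flag only turns true once both COUNT1 and STAMP1 appear exactly once, and "stamp_ambiguous" warns when a date such as 03/04/2011 could be read either way.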
Case Study 4: deleting an ID vault when the password for the vault ID file is not available
Normally we suggest keeping the vault ID file and its password in a safe place. However, if you have lost the password, the following is the manual process for deleting the ID vault on the Domino server.
1) Keep a backup of your names.nsf and the ID vault database in case you need them for reference.
2) From the Administrator client, delete the ID vault database: right-click the ID vault database in the IBM_ID_Vault folder. Note: if replicas exist on other servers you need to delete those as well.
3) Go to Configuration tab > Security > Certificates > ID Vaults, select the document and delete it.
4) In the same tab (Configuration > Security > Certificates), delete the certificates under "Password Reset Certificates" and "Vault Trust Certificates".
5) Run updall on names.nsf:
   load updall -R names.nsf
6) Issue the following command on the server to confirm the vault is gone:
   show idvaults
This completes the manual deletion of the ID vault.
Case Study 5: unable to extract an ID file from the vault database
Users were moved from one O to a different O, and for those users the ID file could not be extracted. We checked the ID vault database and found that the stored ID file had the old name. We then checked the Person document and compared it with the ID file name: the ID file still carried the old name while the Person document had the new one. This confirmed that the rename had not been done properly; the name in the Person document had been changed manually. We changed the name in the Person document back to the original one, recertified the user, and then moved the user from /Acme to /Star; this time the rename was successful. We waited until the next day for the new ID file to be uploaded to the ID vault database, then extracted the ID.
Resources
- Lotus Domino Wiki: link for ID vault documents
- Lotus Domino and Notes Information Center
- ID vault logging for 8.5 FAQ
- Open Mic "Lotus Domino ID Vault" call of October 22, 2009
- Open Mic Q&A: ID Vault & Notes Shared Login, 20 October 2010
- Open Mic Webcast replay: ID Vault in Lotus Notes/Domino, 16 May 2012
- Notes ID vault deployment at Renovations
- Open Mic on Notes ID Vault, 19th May 2011
- Notes.ini Reference: "ID Vault"
Your Turn! Q&A