Certificate authority (CA) process
The ID vault and the CA process will work well together. Starting in Notes/Domino 8.5.1, ID files registered via the CA process can be automatically uploaded to the ID vault, as determined by policy. (This is not supported in Notes/Domino 8.5.) Although you can use the CA process for day-to-day operations with the ID vault, the initial creation of Vault Trust Certificates and Password Reset Certificates must be performed with the actual certifier ID file and not the CA process.
ID Recovery
Although you can implement either or both the ID vault and ID Recovery management features in your environment, replacing ID Recovery with the ID vault is recommended. The ID vault provides all of the functionality of ID Recovery, such as ID backup and recovery from lost passwords, and is much easier to use and administer.
When switching from ID Recovery to the ID vault, there is no need to remove recovery information prior to enabling the ID vault. ID files with recovery information can be successfully uploaded to the vault and can use ID vault features. Backups to the recovery database are still triggered. To disable ID Recovery, use the Admin Client to edit recovery information for each of the certifier IDs and remove all the recovery authorities. See this help document
iNotes (formerly known as DWA)
In Release 8.5.1, Lotus iNotes users can take advantage of the ID management features that an ID vault provides. For more information, read the help document at the IBM Lotus Notes and Domino Information Center. In Release 8.5, iNotes cannot use the copy of the ID file in the vault; it can only use the copy of the ID file in the mail file. However, the ID vault and iNotes will co-exist cleanly together without any conflicts.
IDs protected with multiple passwords
A user with an ID protected by multiple passwords can continue using the ID file in an environment with the ID vault. However, the user cannot become a vaulted user because an ID file protected with multiple passwords cannot resynchronize with the vault. Users with ID files protected by multiple passwords should not be assigned to a vault.
Notes shared login (new feature)
Notes shared login is designed to work with the ID vault. In the case that a user loses his or her ID file, a password will need to be set for that user in the ID vault (if not already set) so that the user may download the ID file. After the ID file is obtained by the user, Notes shared login will automatically begin protecting the ID file again.
Notes Single Logon
Using Notes Single Logon (introduced in an earlier release) with the ID vault is not a supported configuration. If you would like to use the ID vault, use the new Notes shared login feature instead.
Password checking
Password checking will continue working as normal with the ID vault.
Pre-8.5 ID files
All ID files can be used with the ID vault. However, if you have multiple copies of your ID file that use different passwords, one or more of your ID files may not be able to resynchronize with the vault. See the Password Management FAQ
Pre-Notes 8.5 clients
Pre-Notes 8.5 clients work fine in an environment with the ID vault, but do not take advantage of the features provided by the ID vault. Note that if the password on an ID file is changed on a pre-Notes 8.5 client, the password change, along with any further changes to the local ID file, will not be recognized by the vault. You must change your password on a Release 8.5 or later Notes client.
Pre-Domino 8.5 servers
Pre-Domino 8.5 servers work fine in an environment with the ID vault. However, pre-Domino 8.5 servers cannot be ID vault servers and a pre-Domino 8.5 administration server cannot execute ID vault operations.
Public key checking
Public key checking and the ID vault work cleanly together.
However, if public key checking is being enforced for all users, there may be issues when registering new users into the vault because their Person Documents are not yet in the directory. To avoid this problem, select the "Enforce key checking for Notes users and Domino servers listed in trusted directories only" setting rather than the "Enforce key checking for all Notes users and Domino servers" setting. These settings are in the Server document under the Security tab in the Security Settings section.
Renames
Renames are done on IDs in the vault and resynchronized to the user's local ID file. An administrator specifies a new name for a user and this user's Person Document is updated by the Administration Process with the new name information. The next time the user's ID file is resynchronized with the server, the new user name is transparently and automatically transferred to the user's local ID file.
Roaming
Roaming and the ID vault work cleanly together as independent features. However, note that if a user who is both vaulted and roaming sets up a new Notes client with no local ID file, the Notes client fetches the ID file first from the vault, and not from the Domino Directory.
If you are using Domino Server roaming and storing the ID file in the Personal Address Book, there could be some instances where the ID in the Personal Address Book and the ID in the vault are out of sync.
NOTE: In 8.5.3, there is a standalone IBM tool called DetachID which can be used to remove the ID from the Personal Address Book. This tool is available inside "DetachID.zip" within "Notes_Customization_Toolkit.zip" on the Notes 8.5.3 CD.
Server key rollover
Server ID files are not stored in the vault. The ID vault will not affect server keys, and the server key rollover process and the ID vault work cleanly together.
Smartcards
A user with a Smartcard-protected ID file can continue using the ID file in an environment with the ID vault. However, the user cannot become a vaulted user - an ID file locked with a Smartcard cannot resynchronize with the vault. Do not assign users with Smartcard-protected IDs to a vault.
User key rollover
The ID vault server takes care of the User key rollover process. For all vaulted users, the option for users to create new public keys from a Notes client is disabled. User key rollover is automatically triggered as configured via policy when needed, and is also automatically completed by the ID vault. An advantage of this is that users will never receive dialogs related to User key rollover. Also, User key rollover will only ever be initiated once on the ID vault server. Users should not attempt rolling over keys using pre-Notes 8.5 clients themselves, as this could lead to discrepancies between the user's local ID file and the vaulted ID file.
Notes Passthru Server
Access to an ID Vault Server through a Notes Passthru Server is not a supported configuration. As a workaround, please use a standard network proxy.