ID vault interoperability FAQ
Added by Michael Stewart on April 27, 2021 | Version 1
Tags: Notes ID Vault
How does the ID vault interact with existing features?

Certificate authority (CA) process
The ID vault and the CA process will work well together. Starting in Notes/Domino 8.5.1, ID files registered via the CA process can be automatically uploaded to the ID vault, as determined by policy. (This is not supported in Notes/Domino 8.5.) Although you can use the CA process for day-to-day operations with the ID vault, the initial creation of Vault Trust Certificates and Password Reset Certificates must be performed with the actual certifier ID file and not the CA process.
ID Recovery
Although you can implement either or both the ID vault and ID Recovery management features in your environment, replacing ID Recovery with the ID vault is recommended. The ID vault provides all of the functionality of ID Recovery, such as ID backup and recovery from lost passwords, and is much easier to use and administer.

When switching from ID Recovery to the ID vault, there is no need to remove recovery information prior to enabling the ID vault. ID files with recovery information can be successfully uploaded to the vault and can use ID vault features. Backups to the recovery database are still triggered. To disable ID Recovery, use the Admin Client to edit recovery information for each of the certifier IDs and remove all the recovery authorities. See this help document.
iNotes (formerly known as DWA)
In Release 8.5.1, Lotus iNotes users can take advantage of the ID management features that an ID vault provides. For more information, read the help document at the IBM Lotus Notes and Domino Information Center. In Release 8.5, iNotes cannot use the copy of the ID file in the vault; it can only use the copy of the ID file in the mail file. However, the ID vault and iNotes will co-exist cleanly together without any conflicts.
IDs protected with multiple passwords
A user with an ID protected by multiple passwords can continue using the ID file in an environment with the ID vault. However, the user cannot become a vaulted user because an ID file protected with multiple passwords cannot resynchronize with the vault. Users with ID files protected by multiple passwords should not be assigned to a vault.
Notes shared login (new feature)
Notes shared login is designed to work with the ID vault. If a user loses his or her ID file, a password must be set for that user in the ID vault (if not already set) so that the user can download the ID file. After the user obtains the ID file, Notes shared login automatically begins protecting the ID file again.
Notes Single Logon
Using Notes Single Logon (introduced in an earlier release) with the ID vault is not a supported configuration. If you would like to use the ID vault, use the new Notes shared login feature instead.
Password checking
Password checking will continue working as normal with the ID vault.
Pre-8.5 ID files
All ID files can be used with the ID vault. However, if you have multiple copies of your ID file that use different passwords, one or more of your ID files may not be able to resynchronize with the vault. See the Password Management FAQ.
Pre-Notes 8.5 clients
Pre-Notes 8.5 clients work fine in an environment with the ID vault, but do not take advantage of the features provided by the ID vault. Note that if the password on an ID file is changed on a pre-Notes 8.5 client, the password change, along with any further changes to the local ID file, will not be recognized by the vault. You must change your password on a Release 8.5 or later Notes client.
Pre-Domino 8.5 servers
Pre-Domino 8.5 servers work fine in an environment with the ID vault. However, pre-Domino 8.5 servers cannot be ID vault servers and a pre-Domino 8.5 administration server cannot execute ID vault operations.
Public key checking
Public key checking and the ID vault work cleanly together.
However, if public key checking is being enforced for all users, there may be issues when registering new users into the vault because their Person Documents are not yet in the directory. To avoid this problem, select the "Enforce key checking for Notes users and Domino servers listed in trusted directories only" setting rather than the "Enforce key checking for all Notes users and Domino servers" setting. These settings are in the Server document under the Security tab in the Security Settings section.
Rename
Renames are done on IDs in the vault and resynchronized to the user's local ID file. An administrator specifies a new name for a user and this user's Person Document is updated by the Administration Process with the new name information. The next time the user's ID file is resynchronized with the server, the new user name is transparently and automatically transferred to the user's local ID file.
Roaming
Roaming and the ID vault work cleanly together as independent features. However, note that if a user who is both vaulted and roaming sets up a new Notes client with no local ID file, the Notes client fetches the ID file from the vault first, not from the Domino Directory.

If you are using Domino Server roaming and storing the ID file in the Personal Address Book, there could be some instances where the ID in the Personal Address Book and the ID in the vault are out of sync.

NOTE: In 8.5.3, there is a standalone IBM tool called DetachID which can be used to remove the ID from the Personal Address Book. This tool is available inside "DetachID.zip" within "Notes_Customization_Toolkit.zip" on the Notes 8.5.3 CD.
Server key rollover
Server ID files are not stored in the vault. The ID vault will not affect server keys, and the server key rollover process and the ID vault work cleanly together.
Smartcards
A user with a Smartcard-protected ID file can continue using the ID file in an environment with the ID vault. However, the user cannot become a vaulted user - an ID file locked with a Smartcard cannot resynchronize with the vault. Do not assign users with Smartcard-protected IDs to a vault.
User key rollover
The ID vault server takes care of the user key rollover process. For all vaulted users, the option to create new public keys from a Notes client is disabled. User key rollover is triggered automatically when needed, as configured via policy, and is also completed automatically by the ID vault server. An advantage of this is that users never receive dialogs related to user key rollover. Also, user key rollover is always initiated only once, on the ID vault server. Users should not attempt to roll over keys themselves using pre-Notes 8.5 clients, as this could lead to discrepancies between the user's local ID file and the vaulted ID file.
Notes Passthru Server
Access to an ID Vault Server through a Notes Passthru Server is not a supported configuration. As a workaround, please use a standard network proxy.