How can I tell whose IDs are in the ID vault?
An ID vault administrator can open up the ID vault database to see whose IDs are stored in that ID vault. The ID vault is located in the "IBM_ID_VAULT" folder in the server data directory and holds ID documents, to which encrypted user ID files are attached.
How do I configure an exception for my CEO?
To configure an exception for certain people, create an explicit policy with the desired ID vault settings for those users.
How do I write a self-service agent?
Developers can use the ResetUserPassword method available in C, Java®, JavaScript® or LotusScript® to develop a custom application for resetting passwords. This can be a self-service application that allows users to reset their own passwords or an application that help desk personnel use to reset user passwords. Domino comes with a sample self-service application that uses the ResetUserPassword method in a LotusScript agent that you can customize for your environment.
How do I set up the sample password reset tool?
An IBM® Lotus® Domino® server comes with the application "Sample Web Agent - Reset User Password" (PwdResetSample.nsf). The application contains a sample LotusScript® agent called UserPasswordReset that enables users with IDs stored in an ID vault to reset their IBM® Lotus® Notes® passwords from a browser. A user who has forgotten his or her Notes password might do this to specify a new one.
This application is intended as an example for you to customize to suit your needs. By default, users use their HTTP passwords to log into a Domino Web server in the domain that is authorized to run the agent. The agent code also provides examples of setting up the agent not to require HTTP authentication or to allow users to specify the number of ID downloads they are allowed for ID recovery.
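The following LotusScript web agent is an added illustration of the ResetUserPassword approach described above; it is not the UserPasswordReset agent shipped in PwdResetSample.nsf. It assumes it runs as the WebQuerySave agent of a form with the fields NewPassword, ConfirmPassword and Remote_User (the last one computed for display so the authenticated HTTP user's name arrives as a CGI variable), that the agent is signed by an ID holding "Self-service password reset authority", and that the server runs it with the rights described in the setup steps on this page. The MIN_PASSWORD_LENGTH and DOWNLOAD_COUNT constants are local choices for the example, not Domino defaults.

```lotusscript
' Added example, not the sample agent that ships with Domino.
' Assumptions: WebQuerySave agent on a form with NewPassword, ConfirmPassword
' and Remote_User fields; signed by an ID with self-service password reset
' authority; the running server also holds that authority for the vault.
Option Public
Option Declare

Const MIN_PASSWORD_LENGTH = 8   ' assumed local policy minimum (example value)
Const DOWNLOAD_COUNT = 1        ' ID downloads allowed after the reset (example value)

' Return the first value of an item, or "" if the item is absent.
Function ItemText(doc As NotesDocument, itemName As String) As String
    If doc.HasItem(itemName) Then
        ItemText = doc.GetItemValue(itemName)(0)
    Else
        ItemText = ""
    End If
End Function

' Send a minimal HTML page back to the browser.
Sub Respond(message As String)
    Print "Content-Type: text/html"
    Print "<html><body><p>" & message & "</p></body></html>"
End Sub

Sub Initialize
    Dim session As New NotesSession
    Dim agentLog As New NotesLog("Self-service password reset")
    Dim ctx As NotesDocument
    Dim webUser As String
    Dim newPwd As String
    Dim confirmPwd As String

    On Error GoTo ErrHandler

    Set ctx = session.DocumentContext
    webUser = ItemText(ctx, "Remote_User")
    newPwd = ItemText(ctx, "NewPassword")
    confirmPwd = ItemText(ctx, "ConfirmPassword")

    ' Only an authenticated HTTP user may proceed. An anonymous session has no
    ' vaulted identity to reset, and must never be allowed to supply a name.
    If webUser = "" Or webUser = "Anonymous" Then
        Call Respond("Log in with your HTTP password before resetting your Notes password.")
        Exit Sub
    End If

    If newPwd <> confirmPwd Then
        Call Respond("The two passwords do not match.")
        Exit Sub
    End If
    If Len(newPwd) < MIN_PASSWORD_LENGTH Then
        Call Respond("The new password must be at least " & MIN_PASSWORD_LENGTH & " characters.")
        Exit Sub
    End If

    ' The user name handed to the vault is always the authenticated HTTP user,
    ' never a value read from the form, so each user can reset only their own ID.
    ' The server argument is the server running this agent.
    Call session.ResetUserPassword(session.CurrentDatabase.Server, webUser, newPwd, DOWNLOAD_COUNT)

    Call Respond("Your Notes password has been reset. You may download your ID " & DOWNLOAD_COUNT & " time(s).")
    Exit Sub

ErrHandler:
    ' Record the failure in the agent log; do not echo Err/Error$ to the browser,
    ' since the message can reveal vault and server details.
    Call agentLog.OpenAgentLog()
    Call agentLog.LogError(Err, Error$)
    Call agentLog.Close()
    Call Respond("The password could not be reset. Contact your help desk.")
    Exit Sub
End Sub
```

Binding the reset to Remote_User rather than to a form field is the point of the check: the vault call runs with the signer's reset authority, so the agent itself must decide whose password is being changed.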
To set up the sample application:
1. Open the PwdResetSample.nsf database located in the data directory of a Lotus Domino server and modify the database ACL as follows:
- Give at least Editor access to the vaulted users who will use the application to reset their passwords. One way to do this is to ensure that the -Default- entry has Editor access.
- Give Manager access to the name of the Notes ID that will be used to sign the agent in the next step.
2. From Domino® Designer®, open PwdResetSample.nsf and perform the following steps to sign the UserPasswordReset agent using a Notes ID that you will trust to reset passwords. Using an ID created specifically for this purpose is recommended.
- Click Code - Agents and then double-click the UserPasswordReset agent.
- With the UserPasswordReset agent selected, click Sign.
3. Decide which server or servers in the Domino domain to allow to run the agent on behalf of the agent signer specified in Step 2. Then, in the Server document of each of those servers in the Domino Directory, give the name of the agent signer "Run restricted LotusScript/Java agents" access. A server does not have to be a vault server to run the agent.
4. Copy the signed PwdResetSample.nsf to the data directory of each server that will run it.
5. Using the ID vault wizard in the Domino Administrator (Open the Configuration tab and click Tools - ID Vaults - Password Reset Authority), assign "Self-service password reset authority" to the following names:
- The name that signed the agent in Step 2.
- The names of each server you allowed to run the agent in Step 3.
6. Specify instructions to display when users click "Forgot your password?" during Notes login.
7. Run the HTTP task on each server that is allowed to run the agent.
Users whose IDs have been uploaded to the vault can now perform the following steps to reset their Notes passwords:
1. Launch a Web browser and open the sample application by specifying a URL such as the following one: http://<server hostname>/PwdResetSample.nsf
2. Log in to the HTTP server.
3. In the Reset User Password window, type and confirm a new password, then click "Reset My Password."
What do I do if I need an ID file to access encrypted content?
A vault administrator assigned to the Auditor role in the vault database ACL can extract an ID from a vault to gain access to a user's encrypted data. You can disable the Auditor role capability using the notes.ini setting SECURE_DISABLE_AUDITOR=1. You must edit the notes.ini file directly on the server.
For Release 8.51, read the help document at the IBM Lotus Notes and Domino Information Center for more information. Beginning in Release 8.51, only an administrator who has been assigned the Auditor role can extract a user's ID file from the ID vault. Being able to extract an ID with the known password without being assigned the Auditor Role was removed at the request of customers to enhance security.
For Release 8.5, a user ID file can be extracted overtly with the user's knowledge by using the user's password or by resetting the user's password to a new known value. ID files can also be extracted secretly without the user's knowledge by a vault administrator with the Auditor role. A copy of the ID remains in the vault after extraction.
Extract the ID file by performing the below steps in the Domino Administrator:
1. Open the People & Groups tab of the Domino Administrator, and select the Person document of the user whose ID will be extracted. If the ID is for an inactive user, select any Person document.
2. Click Tools - ID Vaults - Extract ID From Vault.
3. If the name of the vault that holds the user ID is not filled in for you, type in the vault name. The name of the vault is filled in if the user's effective policy refers to it.
4. Type the ID password. Note: A vault administrator with the "Auditor" role in the vault database ACL can extract an ID without providing its password.
5. Click "OK."
6. Specify a local file location for the copy of the ID file.
7. If you did not type a password in step 4, provide a new password when prompted.
Note: The extract ID feature is also subject to the ID file's download expiration time and download count.
How can I require authorization for ID file downloads to control downloads from the ID vault?
To help thwart unauthorized access to ID files, you can choose to require that someone with password reset authority approve all ID downloads by specifying a number of downloads allowed (a download count) before a user may download his ID file.
Either of the following events is considered an ID download:
- Recovery from a missing ID file
- Recovery from a forgotten password
You use policy configuration to require authorization for ID downloads, to specify a download time limit that applies to all users of the policy, and to specify help text to display to users when either a download time limit or download count limit has been exceeded.
As an administrator, configure the policy to require authorization for ID file downloads by performing the following steps:
1. Open the Security Settings document in the users' policies in edit mode and click on the ID vault tab.
2. Edit the following fields and then save the document.
| Field | Description |
| --- | --- |
| Allow automatic ID downloads | Select No. (Default=Yes). |
| Allow ID downloads for | Specify a period of time in days and hours (after a Password Reset Authority has authorized the download) within which users are allowed to download new copies of IDs to recover from a forgotten password or missing local ID file. |
| ID download authorization failure message | Type the text to display to users who have exceeded the download time limit or download count limit. For example, "Please call 123-4567 to authorize the download of your ID from the ID vault." |
A Password Reset Authority may authorize an ID file download by specifying a new download count limit on a per-user basis, using the Domino Administrator tools, by performing the following steps:
1. Click the People & Groups tab of the Domino Administrator, and select the user for whom to specify a download count.
2. Click Tools - ID Vaults - Set ID Download Count and specify a count. For example, if a user runs Notes from two workstations, you might specify a count of 2.
A Password Reset Authority may also specify an ID download count when resetting a user's password.
How can I see configuration details and other information for an ID vault?
To see configuration details for an ID vault, use the show idvaults command at the Domino server console. The "show idvaults" command displays configuration information about the ID vaults on a server and indicates if any documents required for proper vault operation are missing. The command also deletes a vault replica that is marked for deletion, and creates the vault keys used for vault encryption and decryption if a problem prevented the keys from being created during vault creation.
You can also search for ID vault events that are reported to the Security Events view of the client and server Log file (LOG.NSF) and to the Domino Domain Monitor database (DDM.NSF). See the Logging FAQ.
In the ID vault database, I see one or more ID entries labeled as "Replication Conflict." (The same user has multiple entries.) What should I do about them?
Do not do anything about those multiple ID entries. Having two or more entries for a single name is not a problem and is generally caused by slow server replication or server down time. The next time the user modifies his ID file and resynchronizes with the ID vault, the vault will automatically merge the multiple entries, ending up with only one entry in the vault.
While in the "Vault Users" view in the ID vault database, I see an ID entry with multiple owner names. Is there a problem?
An entry with multiple names is not a problem. The owner name field was designed to hold multiple values in order to support renames so that a renamed user will have only one entry in the vault instead of one with the old name and one with the new name.
How is the vault server that a client uses to synchronize the ID file chosen?
Initially, one vault server is randomly selected out of all the configured vault servers, and a client will use that particular vault server for a period of 2 weeks. That server name is saved in the notes.ini file (see http://www-10.lotus.com/ldd/dominowiki.nsf/dx/IDVaultLastServer.) After two weeks, that value is flushed and a new vault server is randomly selected again. This is done for load balancing.
When attempting to create an ID vault replica, I cannot find the desired server in the list of available servers in the ID vault wizard. What can I do?
First, check that your directory settings are correct: in Domino Administrator, go to "File" > "Preferences" > "Administration Preferences", and make sure the directory server listed is what you expect.
Second, check that your server list is up to date: go to "Administration" > "Refresh Server List."
Are there any additional NOTES.INI variables I can use to configure my ID vault?
See the Notes.ini page in this wiki for more information on these settings.
The ID vault-related variables include:
SECURE_DISABLE_AUDITOR
IDV_POLL_INTERVAL
IDVault_Max_Auth_Failures
IDVault_Max_Auth_Failure_Cache_Size
IDVAULT_RESYNC_INTERVAL
IDVAULT_COUNT1
IDVaultLastFlushTime
IDVaultLastServer
IDVAULT_STAMP1
DEBUG_IDV_CONNECT
DEBUG_IDV_TRACE
DEBUG_IDV_TRUSTCERT
DEBUG_IDV_UPDATE
DEBUG_IDVAULT_SERVER_SELECTION