What is the ID vault?
The Notes® ID vault is an optional, server-based application that holds protected copies of Notes user IDs. An ID vault allows administrators and users to easily manage Notes user IDs, reducing user downtime and help desk costs. Users are assigned to a vault through policy configuration, and copies of user IDs are uploaded to a vault automatically once the policy has taken effect.
The benefits of using an ID vault include:
- Ability for authorized personnel to change (reset) passwords on IDs stored in a vault when users forget them, without access to the ID files or the vault database
- Support for the use of a custom application to reset passwords
- Easy recovery of lost or damaged user IDs
- Automatic synchronization of multiple ID copies
- No user involvement during ID renames or ID key rollover. The use of an ID file with Notes is made virtually transparent.
- “Auditor” function to extract ID files for legal discovery/access to encrypted data
How is the ID vault configured?
To create and configure an ID vault, you perform the following required steps from the Domino Administrator:
- Create the vault database on a server
- Create the vault ID file, which is initially stored on the local computer. The vault ID file should be treated as securely as a certifier ID. Back up copies should be securely stored.
- Specify at least one vault administrator. Additional administrators are recommended for administrative backup.
- Specify which user organizations trust the vault . At least one user organization certifier or organizational unit certifier issues a Vault Trust Certificate to the vault.
- Assign password reset authority. Password Reset Certificates are issued by the certifiers that also have issued Vault Trust Certificates.
- Use Security Settings policy configuration to assign users to the vault. To be assigned to a vault, users must be in an organization that has issued a Vault Trust Certificate.
Optionally you can replicate the vault (add vault servers), specify forgotten password instructions to display in the Notes login prompt, specify whether users must change passwords that have been reset, and require authorization for ID file downloads from the vault.
How does password reset work?
A benefit of the vault is the ability to easily reset passwords on IDs when users forget them. There are two models available for resetting passwords: authorized personnel can use the Domino Administrator to reset passwords for users, or users or authorized personnel can reset passwords using a custom application. One or both models may be implemented.
People who log in to the Domino Administrator under an identity with password reset authority can reset user passwords using the Reset Password tool in the Domino Administrator. To give password reset authority to these people, a Domino administrator creates Password Reset Certificates for individuals or organizational units. This step requires use of the certifier ID.
People who reset passwords through Domino Administrator have two options for conveying the new passwords to users. They can pick the new password or generate a random one and then inform the user of it themselves. It's important that they have a method to confirm the user's identity. Alternatively, they can generate a random new password and send it by encrypted e-mail to someone, for example a user's manager,who could then convey the password to the user.
How will this save time and money?
The Notes ID vault can replace time-consuming, expensive ID file and password recovery systems. Administrators provide instructions in the Notes login window (which can include a URL link to a Web site) for users who have forgotten their passwords. Passwords are easily reset using the Domino Administrator or a custom application, and users can use the new passwords automatically from any computer. If ID files are lost or damaged, users are not hindered because copies of the IDs are immediately downloaded from the vault when users provide the passwords.
In addition, tasks involving the ID file, such as ID file synchronization, user renames, and user key rollovers, will no longer require any user involvement and will automatically be handled by the ID vault, reducing complexity and saving time.
The "Auditor” function can be used to extract ID files for legal discovery/access to encrypted data, preventing the loss of any valuable information.
What release of Domino and Notes is required to use an ID vault?
To use a vault IBM® Lotus® Notes® clients must run Release 8.5 or later. Vault servers must run Release 8.5 or later. A user's home server or at least one server in a home server cluster must run Release 8.5 or later but does not have to be a vault server. The Domino Directory administration server must run Release 8.5 or later but does not have to be a vault server.