What is the ID vault?
The Notes® ID vault is an optional, server-based application that holds protected copies of Notes user IDs. An ID vault allows administrators and users to easily manage Notes user IDs, reducing user downtime and help desk costs. Users are assigned to a vault through policy configuration, and copies of user IDs are uploaded to a vault automatically once the policy has taken effect.
The benefits of using an ID vault include:
- Ability for authorized personnel to change (reset) passwords on IDs stored in a vault when users forget them, without access to the ID files or the vault database
- Support for the use of a custom application to reset passwords
- Easy recovery of lost or damaged user IDs
- Automatic synchronization of multiple ID copies
- No user involvement during ID renames or ID key rollover. The use of an ID file with Notes is made virtually transparent.
- “Auditor” function to extract ID files for legal discovery/access to encrypted data
How is the ID vault configured?
To create and configure an ID vault, you perform the following required steps from the Domino Administrator:
- Create the vault database on a server
- Create the vault ID file, which is initially stored on the local computer. The vault ID file should be treated as securely as a certifier ID, and backup copies should be stored securely.
- Specify at least one vault administrator. Additional administrators are recommended for administrative backup.
- Specify which user organizations trust the vault. At least one user organization certifier or organizational unit certifier issues a Vault Trust Certificate to the vault.
- Assign password reset authority. Password Reset Certificates are issued by the certifiers that also have issued Vault Trust Certificates.
- Use Security Settings policy configuration to assign users to the vault. To be assigned to a vault, users must be in an organization that has issued a Vault Trust Certificate.
Optionally you can replicate the vault (add vault servers), specify forgotten password instructions to display in the Notes login prompt, specify whether users must change passwords that have been reset, and require authorization for ID file downloads from the vault.
How does password reset work?
A benefit of the vault is the ability to easily reset passwords on IDs when users forget them. There are two models available for resetting passwords: authorized personnel can use the Domino Administrator to reset passwords for users, or users or authorized personnel can reset passwords using a custom application. One or both models may be implemented.
People who log in to the Domino Administrator under an identity with password reset authority can reset user passwords using the Reset Password tool in the Domino Administrator. To give password reset authority to these people, a Domino administrator creates Password Reset Certificates for individuals or organizational units. This step requires use of the certifier ID.
People who reset passwords through Domino Administrator have two options for conveying the new passwords to users. They can pick the new password or generate a random one and then inform the user of it themselves; in that case it is important that they have a method to confirm the user's identity. Alternatively, they can generate a random new password and send it by encrypted e-mail to someone, for example a user's manager, who could then convey the password to the user.
Developers can use the ResetUserPassword method available in C, Java®, JavaScript® or LotusScript® to develop a custom application for resetting passwords. This can be a self-service application that allows users to reset their own passwords or an application that help desk personnel use to reset user passwords. Domino comes with a sample self-service application that uses the ResetUserPassword method in a LotusScript agent that you can customize for your environment.
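The following LotusScript agent is an added illustration of the help-desk model described above; it is not the sample self-service agent shipped with Domino. It assumes the agent runs on the server under an identity that holds a Password Reset Certificate, and that the help-desk request document carries two hypothetical fields, UserName (canonical name of the locked-out user) and ManagerName (recipient of the new password).

```lotusscript
' Added example, not Domino's shipped sample agent: resets a vaulted user's
' password through the Administration Process and conveys the new password
' to the user's manager by encrypted e-mail (the second option in the text).
' Assumed request-document fields: UserName, ManagerName (hypothetical names).
Option Declare

Function NewRandomPassword(length As Integer) As String
	' Rnd is not a cryptographic generator; a production application should
	' draw the password from a stronger random source.
	Dim alphabet As String, out As String, i As Integer
	alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789"
	Randomize
	For i = 1 To length
		out = out & Mid$(alphabet, Int(Rnd * Len(alphabet)) + 1, 1)
	Next
	NewRandomPassword = out
End Function

Sub Initialize
	Dim session As New NotesSession
	Dim db As NotesDatabase
	Dim request As NotesDocument
	Dim adminp As NotesAdministrationProcess
	Dim mail As NotesDocument
	Dim userName As String, managerName As String, pwd As String, reqNoteId As String

	Set db = session.CurrentDatabase
	Set request = session.DocumentContext
	userName = request.GetItemValue("UserName")(0)
	managerName = request.GetItemValue("ManagerName")(0)
	pwd = NewRandomPassword(12)

	' Queue the reset for the Administration Process on this server; the
	' running identity must hold a Password Reset Certificate for the user's
	' organization or the request is rejected.
	Set adminp = session.CreateAdministrationProcess(db.Server)
	reqNoteId = adminp.ResetUserPassword(userName, pwd)

	' Convey the new password to the manager by encrypted e-mail only.
	Set mail = db.CreateDocument
	mail.Form = "Memo"
	mail.SendTo = managerName
	mail.Subject = "ID vault password reset for " & userName
	mail.Body = "New password: " & pwd & ". Pass it on after confirming the user's identity."
	mail.EncryptOnSend = True
	Call mail.Send(False)

	' Record the Administration Requests note ID, but never store the password.
	Call request.ReplaceItemValue("AdminpRequest", reqNoteId)
	Call request.Save(True, False)
End Sub
```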
How will this save time and money?
The Notes ID vault can replace time-consuming, expensive ID file and password recovery systems. Administrators provide instructions in the Notes login window (which can include a URL link to a Web site) for users who have forgotten their passwords. Passwords are easily reset using the Domino Administrator or a custom application, and users can use the new passwords automatically from any computer. If ID files are lost or damaged, users are not hindered because copies of the IDs are immediately downloaded from the vault when users provide the passwords.
In addition, tasks involving the ID file, such as ID file synchronization, user renames, and user key rollovers, will no longer require any user involvement and will automatically be handled by the ID vault, reducing complexity and saving time.
The “Auditor” function can be used to extract ID files for legal discovery/access to encrypted data, preventing the loss of any valuable information.
What release of Domino and Notes is required to use an ID vault?
To use a vault, IBM® Lotus® Notes® clients must run Release 8.5 or later. Vault servers must run Release 8.5 or later. A user's home server, or at least one server in a home server cluster, must run Release 8.5 or later but does not have to be a vault server. The Domino Directory administration server must run Release 8.5 or later but does not have to be a vault server.