Skip to main content link. Accesskey S
  • HCL Logo
  • HCL Notes and Domino wiki
  • THIS WIKI IS READ-ONLY. Individual names altered for privacy purposes.
  • HCL Forums and Blogs
  • Home
  • Product Documentation
  • Community Articles
  • Learning Center
  • API Documentation
Search
Learning Center > Video Gallery > Notes ID vault deployment at Renovations
  • Share Show Menu▼
  • Subscribe Show Menu▼

Recent articles by this author

Notes URLs

Notes URLs The launching of Notes URLs is the mechanism the client uses to create bookmarks and launch components. This document describes various configurations of that URL and the results of launching them. Format: notes:serverdbviewdocument?Commandparamsvalues Server Examples: NPD1, ...

IBM's phase 1 deployment of the Notes ID vault

IBM has begun its internal deployment of the Notes ID vault, the new Notes ID file recovery and management feature in Lotus Notes and Domino 8.5. This article provides a window on phase 1 of our ID vault deployment during which we deployed the ID vault in one of the domains used by the Lotus ...

Security Assertion Markup Language (SAML) Notes Federated Login

This article will cover the following topics for Security Assertion Markup Language (SAML) Notes Federated Login: Notes Federated Login Overview, Notes Federated Login Deployment Overview, Debug Tips. This content was provided by Na Pei of the IBM Notes Development team

Adding an ID vault password reset authority from a different organization

If a password reset authority is in an organization different from the organization assigned to your vault, you may need to take additional steps in order for the password reset authority to be able to reset passwords successfully. If not already created, you will need to create crosscertificates ...

Upgrading from Notes client single logon to Notes shared login

Lotus Notes 8.5 supports both Notes client single logon (introduced in an earlier release) and Notes shared login (new in 8.5). Notes single logon is not a supported configuration if you use the ID vault. Therefore, if you use the ID vault, use Notes shared login instead, which is designed to work ...
Learning Center articleNotes ID vault deployment at Renovations
Added by Michael Stewart on April 27, 2021 | Version 1
  • Actions Show Menu▼
expanded Abstract
collapsed Abstract
Watch this video to see how Renovations' lead system administrator, Bill Ranney, creates an ID vault in the Australia regional office.
Tags: demos, deployment, Notes ID Vault, security, domino_iea
This article describes how a fictitious home improvement company, Renovations, plans for and deploys the Notes ID vault. It describes the questions its IT staff answers during the ID vault planning phase and then shows the steps they take to deploy the ID vault in their environment. Although the details of your ID vault deployment will be different, this article will help you understand the issues to consider and the tools used.

BONUS:
Watch this video to see how Renovations' lead system administrator, Bill Ranney, creates an ID vault in the Australia regional office.


Watch the "Creating an ID Vault: video full screen in a new window

What is a Notes ID vault?

A Notes ID vault is a new Notes ID recovery and management feature in Lotus Notes and Domino 8.5. Copies of Notes user IDs are uploaded into an ID vault application on a Domino server. If users forget their passwords, the passwords can be reset in the ID vault and the new passwords can be used immediately on Notes client computers that can connect to the ID vault. The ID vault is also used to keep copies of an ID on multiple Notes client computers synchronized when the ID changes. In addition, if an ID is deleted from a Notes client computer, a replacement copy is downloaded automatically to it from the ID vault.

For more information on the Notes ID vault, see this page in the wiki. Also refer to the ID vault documentation in the Lotus Domino 8 Information Center.

How will the ID vault help Renovations?

Currently, when employees at Renovations lose their IDs or forget their passwords, Help desk personnel respond by re-registering the users to generate new IDs. The company is eager to deploy the ID vault to reduce the help desk costs, user downtime, and loss of encrypted e-mail associated with their current recovery process.

Renovations' current Domino deployment

Renovations, a large home improvement retail enterprise with $40 billion in annual sales, employees 85,000 people in offices in the United States, China, Europe, and Australia. The characteristics of its current Domino deployment are:
  • Domino 7.0.2 servers and Notes 7.0.2 clients.
  • A single Domino domain across all regions
  • The following server topology in each region:

- Two or more mail server clusters with two servers per cluster
- Two or more application server clusters with two servers per cluster
- One hub server cluster with two servers
  • Domino Directory administration server located on a U.S. hub server
  • One organization level certifier
  • Approximately 200 organizational unit certifiers, based on geography or business unit
  • Centralized help desk that serves all regions
  • Separate Domino administrators for each region


Planning phase

Here are the questions that Renovations answers during its ID vault planning phase.

How many vaults do we need?

Renovations could deploy just one ID vault because all its servers are in one Domino domain. Instead it decides to create a separate ID vaul t for each geographic region. That way, ID vault servers handle transactions only for Notes clients in their regions. In addition, the instructions they provide to users who forget their passwords -- specified in each region's ID vault policy -- can be written in the language appropriate for each region.

What name will we give each ID vault?

An ID vault name can't be the same as the name of an organizational certifier or an organizational unit certifier. Renovations decides on the following ID vault names, which correspond to regions in which the company has offices:

Austrvault
USvault
Chinavault
Eurovault

Which servers will have ID vault replicas
?
Each region serves between 20,000 and 30,000 employees. Because the the ID vault database is relatively small and the impact of ID vault transactions is modest, Renovations decides not to set up dedicated ID vault servers. Instead it will put the ID vault on existing application servers in each regional office.

How will we implement ID vault trust?

A user ID is trusted to be stored in an ID vault if a parent certifier of the ID (O certifier or OU certifier) issues a Vault Trust Certificate to the ID vault. Renovations has one O certifier, /Renovations, and 200 OU certifiers under /Renovations. Since certifying trust at the OU level would require many Vault Trust Certificates, the company decides to certify ID vault trust at the O certifier level instead. This means that /Renovations certifier ID is used to issue just one Vault Trust Certificate to each regional ID vault. Although this means that any user ID in the organization is authorized to be stored in any ID vault, the policy configuration dictates the ID vault in which an ID is stored.

How will we implement policy assignment?

Policies control which trusted IDs (IDs with a parent certifier that has issued a Vault Trust Certificate) are actually uploaded to an ID vault. Renovations wants each regional ID vault to hold the IDs of users whose home servers are in the ID vault's region. They decide to implement a policy for each regional ID vault as follows:
  • Create an auto-populated home server group (new type of group in 8.5) for each region that is automatically populated with the users whose home servers are in the region.
  • Create a dynamic policy (new type of explicit policy in 8.5) for each region and assign it to the auto-populated home server group for the region.
  • Create a Security Settings document for each region that contains the name of the region's ID vault and the forgotten password instructions, and then add the Settings document to the dynamic policy


How will we implement password reset authority?

Renovations wants to allow its help desk operators to use the Reset Password tool in the Domino Administrator to reset (change) passwords of vaulted users. Since all help desk operators use IDs that are registered under the HelpDesk/Renovations OU, the company decides to use its /Renovations certifier ID to issue one Password Reset Certificate to the HelpDesk/Renovations OU. This certificate gives all help desk operators the authority to reset the password of any user ID in the organization. Although they could issue a separate Password Reset Certificate to each help desk operator, issuing one certificate at the OU level better accommodates future changes in help desk personnel.

The company also has written a C-based, self-service password reset application using the ResetUserPassword method which allows vaulted users to reset their own passwords as well. It will deploy the application on one of the ID vault servers in each region and it will issue a Password Reset Certificate to each of these servers.

The company will provide the following instructions, in a language appropriate for the region, to users who click "Fo rgot your password?" in the Notes login window:

"Click the link b elo w to reset your Notes password or call the Help Desk at 1-555-HELP-NOW."

Who will be ID vault administrators
?
ID vault administrators are responsible for adding and removing ID vault server replicas, adding or removing other ID vault administrators, and extracting copies of IDs from an ID vault. Since these tasks are done in frequently, the company decides that the existing regional Domino administrators can perform them.

How will we secure our ID vault servers?

Renovations has read the article "Securing your Notes ID vault server" and plans to take the following security precautions:
  • Password-protect the server IDs of the ID vault servers and use an ID file encryption strength of AES-256 and 2048-bit RSA keys
  • Make backup copies of the server IDs of the ID vault servers and store the backups in a secure location.
  • Locate ID vault servers in rooms that have limited access.
  • Use the SECURE_DISABLE_AUDITOR=1 notes.ini variable on ID vault servers. This setting disables the auditor role feature that allows ID vault administrator to extract ID files without providing a password. On the occasions they may need this auditor role, they will temporarily remove this setting on one ID vault server.


How will we stage the upgrade of servers and clients to 8.5?

Renovations will do a staged upgrade of its release 7.0.2 servers to release 8.5. In this first phase, it will upgrade the following servers:
  • The Domino Directory administration server, located in the U.S. regional office
  • One mail server in each mail server cluster
  • Two application servers in one application cluster in each region. These servers will be ID vault servers.


After the first phase of server upgrades is complete, Renovations will upgrade Notes clients to Release 8.5 over time. After a client is upgraded, a copy of its local ID file will be uploaded to the ID vault automatically within eight hours.

The following diagram illustrates the planned server and client deployment for the Australia region, as related to the ID vault. Only one mail server cluster is shown.


Steps to deploy the ID vault in Australia

Bill Ranney, the lead system administrator for Renovations, performs the following steps to deploy the ID vault in the Australia regional office.

Note
These steps assume that the Domino Directory administration server in the U.S. region has been upgraded to 8.5.

1. Upgrade the following servers from release 7.0.2 to release 8.5: Mail2/Austr/Renovations, Mail4/Austr/Renovations (one server in each of two mail server clusters), App1/Austr/Renovations, App2/Aust/Renovations
2 Upgrade one Domino Administrator client to release 8.5. Bill will use this client to create the ID vault.
3. Password-protect the server IDs of the servers that will be ID vault servers (App1/Austr/Renovations and App2/Austr/Renovations) and store backup copies of the IDs in a secure location.
4. Enable AES-256 encryption on the App1 and App2 server IDs (through User Security dialog). .
5. Perform server key rollover on the App2 and App2 server IDs to bring them to 2048 bit RSA keys.
6. Prepare to create the ID vault on the App1/Austr/Renovations server:

Verify that the client can connect to the Domino Directory administration server, located in the U.S. region. The directory documents required for ID vault operation will be cr eated in the Domino Directory on the U.S. administration server and then replic ate back to the A ustralia servers.
Verify that the Domino administrators who will be authorized as ID vault administrators have the required Full Access Administrators or Administrators access to the App1 server. This access is controlled through the Security tab of the Server document.
Bill verifies that he has access to the /Renovations organization certifier ID that is required to issue the Vault Trust Certificate and Password Reset Certificates.

7 . Use the ID Vaults - Create tool in the Domino Administrator 8.5 client to create the ID vault on the App1/Austr/Renovations server.
8. Make a backup copy of the ID vault ID file and store it in a secure location.
9. After the Domino Directory changes have replicated from the US administration server, use the ID Vaults - Manage tool in the Domino Administrator 8.5 client to create an ID vault replica on App2/Austr/Renovations. In addition to creating the ID vault replica, this step also adds the name of the new ID vault server to the ID vault document in the Domino Directory replica on the Domino Directory administration server.
Note:
The ID vault is not operational until the Domino Directory changes made on the US administration server replicate to the ID vault server.
10. Upgrade Notes clients in the Australia offices to Release 8.5 at the desired pace.

All references to Renovations refer to a fictitious company name and are designed for illustration purposes only.

  • Actions Show Menu▼


expanded Attachments (0)
collapsed Attachments (0)
Edit the article to add or modify attachments.
expanded Versions (1)
collapsed Versions (1)
Version Comparison     
VersionDateChanged by              Summary of changes
This version (1)Apr 27, 2021, 6:45:55 PMMichael Stewart  
expanded Comments (0)
collapsed Comments (0)
Copy and paste this wiki markup to link to this article from another article in this wiki.
Go ElsewhereStay ConnectedAbout
  • HCL Software
  • HCL Digital Solutions community
  • HCL Software support
  • BlogsDigital Solutions blog
  • Community LinkHCL Software forums and blogs
  • About HCL Software
  • Privacy
  • Accessibility