Technote Number: 1188583
Problem:
This issue was reported to Quality Engineering as SPR#JCOS666MLZ and has been
fixed in 6.5.4, 6.0.5 and 7.0.
Excerpt from the Lotus Notes and Domino Release 6.5.4 and 6.0.5 MR fix list
(available at http://www.ibm.com/developerworks/lotus/):
Security
SPR# JCOS666MLZ - Fixed a problem where the client is not prompted for
certificate expiration and is locked out without warning. This regression was
introduced in 6.5.2.
If, in your environment, you use the Certification Log (optional with Domino
R5.x), you will be able to identify which users' certificates will expire on
what date and take action to recertify the IDs before the certificates expire.
The Certification Log (certlog.nsf) contains a By Expiration date view that
sorts and displays all users who were certified after the Certification Log was
created. Note that there is no record of the date of user certifications that
were done prior to creation of the Certification Log or if the Certification
Log is not being used.
The section below contains the entries "Recertifying a user ID" and "Domino 5
registration servers and the Certification Log" from the Admin Client Online
Help. These entries describe how to set up the Certification Log as well as
how to recertify a user ID.
Supporting Information:
From the Admin Client On-line Help, "Recertifying a user ID" entry:
Before a user ID reaches its expiration date, recertify the user ID using the
original certifier ID. The user ID is recertified without renaming the user.
Use the By Expiration date view in the Certification Log to determine which
user IDs need to be recertified. Access this view from Files - Certlog.nsf - By
Expiration date. All users certified since the log was created are listed by
expiration date.
Note To recertify a user ID using a certifier other than the certifier used to
create the user ID, see "Moving a user name in the name hierarchy" in this
chapter.
To recertify a user ID
Follow these steps to use the Administration Process to recertify a
hierarchical ID that is about to expire.
1. To recertify a user ID, you must have:
Author with Create documents access and the UserModifier role, or Editor access
to the Domino Directory
At least Author with Create documents access to the Certification Log
(CERTLOG.NSF)
2. From the Domino Administrator, click the People & Groups tab.
3. Select the user to be recertified with the same certifier.
4. From the tools pane, select People - Recertify.
5. Complete these fields (each field is followed by the action to take):
Server: Do one of these:
If you are using the Lotus Domino 6 server-based CA, choose the server that is
used to access the Domino Directory to look up the list of certifiers.
If you are supplying a certifier ID, select the server that is used to locate
the list of certifiers so that the Certifier ID file can be updated with the
latest set of certificates for itself and all of its ancestors. This is also
the server on which CERTLOG.NSF is updated.
Use the CA process: Choose this option if you have configured the Lotus Domino
6 server-based CA. Select a CA configured certifier from the list and click OK.
Supply certifier ID and password: Choose this option if you are using a
certifier ID and password. Choose the certifier ID that certified the user's ID
and click Open. For example, to recertify Joe Smith/Sales/NYC/ACME, use the
certifier ID named SALES.ID. Click "Certifier ID" to select an ID other than
the one displayed. Enter the password for the certifier ID and click OK.
6. Verify the certifying ID information and complete the following fields
(each field is followed by the action to take):
New certificate expiration date: (Optional) Specify an expiration date for the
renewed user certificate other than the default of two years from the current
date.
Only renew certificates that will expire before: (Optional) Enter a date to
recertify only those selected user IDs whose current expiration date falls
before it.
Edit or inspect each entry before submitting request: (Optional) Select this
option if you want to view each certificate before it is renewed.
7. If you selected the option to view each entry prior to its being
submitted, the Recertify Person dialog box appears with non-modifiable
information in the primary and common name fields. Review the information that
displays, then select one of the following:
OK - to submit the recertification request.
Skip - if you are recertifying more than one user ID and you want to continue
to the next without submitting a recertification for the current name.
Cancel Remaining Entries - to cancel this recertification, as well as those for
any other names you selected and have not yet submitted.
8. When the Processing Statistics dialog box appears, review the information
to verify that all recertifications have succeeded. Click OK. If any fail,
check the Certification Log (certlog.nsf) to determine the reason for the
failure.
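The steps above leave two things to the administrator: spotting which users in the By Expiration date view are close to expiry (the warning the 6.5.2 client no longer gives), and deciding the cutoff for "Only renew certificates that will expire before", which must be applied per certifier because an ID can only be recertified without renaming by the certifier that issued it. The following Python script is an added example and is not IBM code or part of this technote. It assumes the By Expiration date view has been exported from certlog.nsf as CSV with the columns Name, Certifier and Expiration (ISO date); those column names and the sample rows are constructed for the example.

```python
"""Triage an export of the Certification Log's "By Expiration date" view.

Added example, not IBM code. It assumes the view has been exported from
certlog.nsf as CSV with the columns Name, Certifier and Expiration (ISO
yyyy-mm-dd); the column names and the rows below are constructed.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export; these users and dates are not real.
SAMPLE_EXPORT = """\
Name,Certifier,Expiration
Joe Smith/Sales/NYC/ACME,/Sales/NYC/ACME,2005-03-01
Ann Lee/Sales/NYC/ACME,/Sales/NYC/ACME,2005-06-15
Bob Kim/Eng/BOS/ACME,/Eng/BOS/ACME,2006-12-31
Dee Roy/Eng/BOS/ACME,/Eng/BOS/ACME,2005-04-20
"""


def _as_date(value):
    """Accept either a datetime.date or an ISO yyyy-mm-dd string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def parse_export(text):
    """Return (name, certifier, expiration date) tuples, earliest expiry first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append((row["Name"].strip(), row["Certifier"].strip(),
                     _as_date(row["Expiration"].strip())))
    return sorted(rows, key=lambda r: r[2])


def triage(entries, today, warn_days=60):
    """Bucket users as expired, expiring within warn_days, or ok.

    A certificate whose expiration date is before today is treated as
    expired; one expiring today or later but no later than warn_days out
    is flagged so the administrator, not the (silent) client, gives the
    warning.
    """
    today = _as_date(today)
    cutoff = today + timedelta(days=warn_days)
    buckets = {"expired": [], "expiring": [], "ok": []}
    for name, _certifier, exp in entries:
        if exp < today:
            buckets["expired"].append(name)
        elif exp <= cutoff:
            buckets["expiring"].append(name)
        else:
            buckets["ok"].append(name)
    return buckets


def renew_batches(entries, expire_before):
    """Group names to recertify by the certifier that issued them.

    Applies the same cutoff as the 'Only renew certificates that will expire
    before' field. Recertifying without renaming requires the original
    certifier ID, so each batch is one run of People - Recertify with that
    certifier's ID file.
    """
    expire_before = _as_date(expire_before)
    batches = {}
    for name, certifier, exp in entries:
        if exp < expire_before:
            batches.setdefault(certifier, []).append(name)
    return batches


if __name__ == "__main__":
    entries = parse_export(SAMPLE_EXPORT)
    for bucket, names in triage(entries, "2005-03-15").items():
        print(f"{bucket}: {', '.join(names) or '-'}")
    for certifier, names in renew_batches(entries, "2005-07-01").items():
        print(f"recertify with {certifier}: {', '.join(names)}")
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; the per-certifier batches map directly onto step 3 (select the users) and step 5 (supply that certifier's ID) of the procedure above.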
From the Admin Client On-line Help, "Domino 5 registration servers and the
Certification Log" entry:
The Certification Log records registration and user name information for a
domain. In Domino 5, the Certification Log was optional. In Domino 6, the log
is required. If you upgrade a Domino 5 registration server without a
Certification Log, then you need to create a log manually. If you upgrade a
Domino 5 server with a Certification Log, Domino 6 upgrades the log
automatically.
After you create the log, replicate it to other registration servers in your
domain and to every server with a Domino Directory that is used for user
management.
To create a Certification Log
1. From the Domino Administrator, choose File - Database - New.
2. In the Server field, select the name of the server on which to create the
log.
3. Enter Certification Log as the database title.
4. Enter CERTLOG.NSF as the database file name.
5. Choose a server that has the Certification Log template.
6. Click Show Advanced Templates, select Certification Log as the template,
and then click OK.
7. Choose File - Database - Access Control, and assign Editor access to all
administrators who register users and servers and recertify IDs.
For more information about the Certification Log, see the topic "The
Certification Log".