ID Vault - Implementation, Security and Troubleshooting - for IBM Notes and Domino

Post on 14-May-2015

Category: Technology

DESCRIPTION

You want to implement ID Vault? You already have ID Vault up and running but have not collected all users' ID files? You need a more detailed understanding of how ID Vault security is implemented and why you should not create new replicas of your ID Vault database? This session gives you a detailed technical understanding of how ID Vault works and what the best practices for implementing it are. It provides security recommendations and covers how to troubleshoot typical ID Vault situations.

TRANSCRIPT

1. MWLUG 2013 - ID Vault: Implementation, Security and Troubleshooting
   Olaf Boerner, BCC

2. About @olafboerner
   • CEO and founder of BCC
   • Working with Lotus Notes since Version 3 in 1993
   • I am working with large enterprise customers as Senior Architect
     1. To reduce Total Cost of Ownership of Notes/Domino
     2. To secure and optimize IBM Domino infrastructures

3. ID Vault History
   • 8.5: initial release
   • 8.5.1: integration with iNotes, Traveler and Blackberry
   • 8.5.2: C API exposed
   • 8.5.3: Citrix support
   • Why so late? Maybe too late!

4. ID Vault Architecture
   • ID Vault server: Domino 8.5 or higher
     - Only the ID Vault server must run on 8.5
     - Dedicated ID Vault server or home server
   • Lotus Notes client: Notes 8.5 or higher, 8.5.3 recommended
     - The client asks its home server for a list of servers that have a replica of the vault

5. ID Vault Architecture
   • ID Vault database
     - One database for each ID Vault on a server
     - Replicas on ID Vault servers: you must use the Admin client -> do not just create a replica
     - One ID Vault document for each user
       - Notes ID as an attached file without password
       - Authentication data
       - Fields contain download information etc.
     - ID Vault documents are not signed!!!
   • Access to ID Vault
     - The Notes client does not have access to the ID Vault
     - nserver.exe is acting as an application proxy

6. ID Vault based on Notes PKI
   • ID Vault is using Notes certificates
   • ID Vault creates a vault certifier (Notes cross certificate); each ID Vault uses its own vault certifier
   • Trust relationships: ID Vault uses cross certification with the current certifier
   • Collecting ID files only with valid cross certification; the ID file's public key must match its certifier
   • Password resets: only users with cross certification can reset passwords
   • DEMO

7. ID Vault - Core functions
   • ID file provisioning / deployment
   • Collect existing ID files
   • Synchronize ID files
   • Central password reset
   • Extract ID files for auditor

8. ID Vault - Core functions (agenda slide repeated; see slide 7)

9. ID Vault provisioning / deployment
   • Use this feature for initial client setup!
   • The user ID must be in the ID Vault database: upload during / after registration
   • Notes.ini must contain
       KeyFileName_Owner=CN=Peter Parker/O=BCC_AdminTool
   • If you want to have a user-specific filename:
       KEYFILENAME=C:\Lotus Notes\data\pparker.id

10. ID Vault - Core functions (agenda slide repeated; see slide 7)

11. Collect existing ID files -> Vault policy
   • Policies are essential for implementing ID Vault. If you are still not using policies, now you have to! They are signed!
   • Security Settings document
     - Assign ID Vault
     - Enforce password change after password has been reset
     - Allow automatic ID downloads: Yes; if No: Allow ID downloads for x days
   • The Security Settings need to be in the client's personal NAB!

12. ID Vault - Core functions (agenda slide repeated; see slide 7)

13. ID Vault - Synchronizing ID files
   • Changes to a local ID file (Internet certificate, secret encryption key): the Notes client will trigger an immediate resynchronization with the ID Vault if it has an online connection
   • Other clients will check for changes and synchronize: the local ID is checked against the fields IDModHash and IDModTime in the ID Vault document
   • IMPORTANT: the password must be the same

14. ID Vault - Synchronizing passwords
   • User changes the Notes password on the desktop PC: immediate synchronization with ID Vault
   • User uses the laptop PC at home: he should use the new password, but he can use the old password! The ID will become out of sync
   • Figure "Changing Passwords" (source: IBM internal presentation): 1. User changes password on desktop client, triggering an immediate resynchronization with the ID vault.

15. Two passwords: in the ID file and in the vault (source: IBM internal presentation)

16. ID Vault - Core functions (agenda slide repeated; see slide 7)

17. Central password reset
   • Works in 3 steps:
     1. Change the password in ID Vault
     2. The user uses the ID with the new password
     3. The user needs to use the new password with all his ID files
   • A direct online connection is required
   • For offline support you still need to use the old recovery key procedure

18. Central password reset
   • Again: be careful! The user must use the same password for all copies of his ID file
   • If the passwords do not match, the IDs cannot be resynchronized anymore!!!
   • Do not force your users to change passwords with central password reset!!! Password settings are the right tool!

19. Changing password
   • What happens when the user changes the password?
     - The password change will be synchronized with ID Vault immediately if he has an online connection; if not, it will be synchronized at the next server connection
     - But he can still use other ID files with the old password
   • Example: changing the password on your desktop / Citrix client, then working with your old password on your notebook: the ID files will not synchronize anymore

20. ID Vault - Core functions (agenda slide repeated; see slide 7)

21. ID Vault Auditor
   • Extract ID files for an auditor
   • Auditor role in the ID Vault ACL; requires the Admin client
   • DEMO
   • How to prevent? Control the ID Vault ACL; SECURE_DISABLE_AUDITOR=1 on the ID Vault server
   • I do not like this function!!! Why not use a trust certificate similar to password reset?

22. ID Vault makes life easier
   • Key rollover
   • Reading encrypted mails on mobile devices
   • Using iNotes with ID files
   • Notes Shared Login
   • Rename without user involvement

23. ID Vault integration with external programs: using ID Vault with Traveler, iNotes and Blackberry

24. ID Vault integration
   • Released in 8.5.1
   • Security Settings document: Allow Notes-based programs to use the Notes ID Vault: Yes
   • Provides ID handling and synchronizes changes: deploy ID, password reset & change, rename
   • Supports Traveler, Blackberry and iNotes; GOOD does not support provisioning IDs from ID Vault

25. ID Vault integration uncovered
   • ID Vault is supporting a mail file profile: ProfileNoteName = "$shimmerid", ProfileNoteName = "$rimid"
   • The ID file is not a working attachment due to encryption
   • Internal usage: to create the profile using the C API: SECAttachIdFileToDB - attaches an ID file to a profile note and creates / overwrites the existing profile
   • To use that ID: SECExtractIdFileFromDB - extracts an ID file from a profile note; the current password must be provided

26. ID Vault log & monitoring

27. ID Vault log
   • Client: Log.nsf
   • Server: Log.nsf; DDM.nsf (all server error messages); IDVault log

28. ID Vault server log
   • Log.nsf - Security Events: ID Vault creation, ID upload, ID downloads, ID extracts, password resets
   • View: Security Events

29. Typical log entries
   What is logged when the user changes something in his ID file (such as adding a new document encryption key), triggering a synchronization with the vault?
   • Client log: 10/01/2008 02:00:28 PM ID 'C:\Program Files\Lotus\Notes\Data\user.id' successfully synchronized with vault 'O=third' on server 'CN=pm1/O=RECompany' by 'Samantha Daryn/RECompany'.
   • Server log: 10/01/2008 02:00:28 PM ID successfully synchronized with vault 'O=third' for 'Samantha Daryn/RECompany' (IP Address 9.33.163.219:1313).
   What is logged when the user recovers from a forgotten password by using the new password?
   • Client log: 10/01/2008 03:53:32 PM ID 'C:\Program Files\Lotus\Notes\Data\user.id' successfully synchronized with vault 'O=newest' on server 'CN=pm1/O=RECompany' by 'Samantha Daryn/RECompany'.
   • Server log: 10/01/2008 03:53:31 PM ID successfully synchronized with vault 'O=newest' for 'Samantha Daryn/RECompany' (IP Address 9.33.164.153:2406).

30. Typical log entries
   What is logged when the user lost his ID file, but the Notes client automatically recovers from the lost ID file?
   • Client log: 10/01/2008 03:37:36 PM ID 'C:\Program Files\Lotus\Notes\Data\user.id' successfully downloaded from vault 'O=newest' on server 'CN=pm1/O=RECompany' by 'Samantha Daryn/RECompany'.
   • Server log: 10/01/2008 03:37:36 PM ID successfully downloaded from vault 'O=newest' by 'Samantha Daryn/RECompany' (IP address 9.33.164.153:2350).

31. Some log entries are client based only!!
   What is logged when a new ID Vault administrator is added?
   • Client log: 10/01/2008 02:31:43 PM Adding administrator Joe Blow/RECompany to this vault
     Joe Blow/RECompany was successfully added.
   • Server log: nothing is logged on the server.
   What is logged when an ID Vault administrator is removed?
   • Client log: 10/01/2008 02:39:56 PM Adding administrator Joe Blow/RECompany to this vault
     Joe Blow/RECompany was successfully removed.
   • Server log: nothing is logged on the server.
   • Note: the client log should say "Removing administrator Joe Blow/RECompany from this vault...

32. Some log entries are only client based
   What is logged when a Password Reset Authority is added?
   • Client log: 10/01/2008 03:04:50 PM PasswordReset Authority/RECompany will be able to reset passwords for users in organization /RECompany
   • Server log: nothing is logged on the server.
   What is logged when a Password Reset Authority is removed?
   • Client log: 10/01/2008 02:4
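The synchronization rules from slides 13, 14, 18, 19 and 29 (compare the local ID against IDModHash/IDModTime, resync only when the password matches, recover from the vault when the user types the vault's current password) can be walked through as a small model. The code below is an added example, not the presenter's or IBM's code: the vault document is reduced to the three things the slides mention, IDModHash is modelled as a SHA-256 over the ID bytes, IDModTime as an integer clock, and the user/password values are constructed.

```python
"""Constructed model of the ID Vault resync rules described on the slides.
Illustrative code only, not IBM's implementation."""
import hashlib
from dataclasses import dataclass, replace


def mod_hash(id_bytes: bytes) -> str:
    """Stand-in for the IDModHash field: a digest over the ID file contents (assumption)."""
    return hashlib.sha256(id_bytes).hexdigest()


@dataclass
class VaultDoc:
    user: str
    password: str      # password of the ID copy held in the vault
    id_bytes: bytes
    mod_time: int      # IDModTime, modelled as an integer clock


@dataclass(frozen=True)
class LocalId:
    name: str
    password: str
    id_bytes: bytes
    mod_time: int


def differs(local: LocalId, vault: VaultDoc) -> bool:
    """Slide 13: the client compares its ID against IDModHash and IDModTime."""
    return local.mod_time != vault.mod_time or mod_hash(local.id_bytes) != mod_hash(vault.id_bytes)


def resync(local: LocalId, vault: VaultDoc):
    """Returns (outcome, local). Slide 18: if the passwords differ the ID cannot be resynchronized."""
    if not differs(local, vault):
        return "in-sync", local
    if local.password != vault.password:
        return "password-mismatch", local
    if local.mod_time > vault.mod_time:          # local copy is newer: upload it
        vault.id_bytes, vault.mod_time = local.id_bytes, local.mod_time
        return "uploaded", local
    return "downloaded", replace(local, id_bytes=vault.id_bytes, mod_time=vault.mod_time)


def change_password(local: LocalId, vault: VaultDoc, new_pw: str, online: bool, now: int) -> LocalId:
    """Slide 19: synchronized immediately when online, otherwise at the next server connection."""
    local = replace(local, password=new_pw, mod_time=now)
    if online:
        vault.password, vault.mod_time, vault.id_bytes = new_pw, now, local.id_bytes
    return local


def open_id(local: LocalId, typed_pw: str, vault: VaultDoc):
    """Slide 29: a client given the vault's current password recovers by synchronizing from the vault."""
    if typed_pw == local.password:
        return "opened-local", local
    if typed_pw == vault.password:
        return "recovered-from-vault", replace(local, password=vault.password,
                                                id_bytes=vault.id_bytes, mod_time=vault.mod_time)
    return "wrong-password", local


def add_encryption_key(local: LocalId, key: bytes, now: int) -> LocalId:
    """Slide 13: a new secret encryption key changes the local ID file."""
    return replace(local, id_bytes=local.id_bytes + key, mod_time=now)


def desktop_laptop_scenario() -> dict:
    """The desktop/laptop situation from slides 14 and 19 (constructed values)."""
    vault = VaultDoc("CN=Peter Parker/O=BCC", "winter2013", b"id-v1", 100)
    desktop = LocalId("desktop", "winter2013", b"id-v1", 100)
    laptop = LocalId("laptop", "winter2013", b"id-v1", 100)
    results = {}
    # 1. Password changed on the desktop while online: the vault is updated at once (slide 14).
    desktop = change_password(desktop, vault, "spring2013", online=True, now=101)
    # 2. The laptop at home still opens with the old password; its resync now fails (slides 14, 18).
    _, laptop = open_id(laptop, "winter2013", vault)
    results["laptop_old_password"], laptop = resync(laptop, vault)
    # 3. Typing the new password on the laptop recovers the ID from the vault (slide 29).
    results["laptop_new_password"], laptop = open_id(laptop, "spring2013", vault)
    # 4. A new encryption key on the desktop is uploaded, then picked up by the laptop (slide 13).
    desktop = add_encryption_key(desktop, b"+key", now=102)
    results["desktop_new_key"], desktop = resync(desktop, vault)
    results["laptop_after_key"], laptop = resync(laptop, vault)
    return results


if __name__ == "__main__":
    for step, outcome in desktop_laptop_scenario().items():
        print(f"{step:20} {outcome}")
```

The interesting return value is step 2: the laptop copy is out of date, but because its password no longer matches the vault's, `resync` reports `password-mismatch` and leaves it untouched. Only once the user types the vault's password on that laptop (step 3) does the copy catch up, after which normal hash/time driven upload and download (step 4) works again.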
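Slides 29 to 32 show the ID Vault entries in the client and server Log.nsf, and point out that administrator and Password Reset Authority changes appear on the client only. The following parser, an added example that is not from the presentation or from IBM, turns those entry formats into structured events and correlates client events with server events (same kind, user and vault, within a two-second window, since the slide-29 pair differs by one second). The sample lines are the ones printed on the slides with the backslashes restored; their grouping into two logs is constructed, and the regular expressions cover only the message shapes shown there.

```python
"""Parse the ID Vault entries from client and server Log.nsf and report client
events that no server entry confirms. Added example; the patterns match the
message shapes shown on the slides and are an assumption for anything else."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample logs built from the slide excerpts.
CLIENT_LOG = r"""
10/01/2008 02:00:28 PM ID 'C:\Program Files\Lotus\Notes\Data\user.id' successfully synchronized with vault 'O=third' on server 'CN=pm1/O=RECompany' by 'Samantha Daryn/RECompany'.
10/01/2008 02:31:43 PM Adding administrator Joe Blow/RECompany to this vault
Joe Blow/RECompany was successfully added.
10/01/2008 02:39:56 PM Adding administrator Joe Blow/RECompany to this vault
Joe Blow/RECompany was successfully removed.
10/01/2008 03:04:50 PM PasswordReset Authority/RECompany will be able to reset passwords for users in organization /RECompany
10/01/2008 03:37:36 PM ID 'C:\Program Files\Lotus\Notes\Data\user.id' successfully downloaded from vault 'O=newest' on server 'CN=pm1/O=RECompany' by 'Samantha Daryn/RECompany'.
10/01/2008 03:53:32 PM ID 'C:\Program Files\Lotus\Notes\Data\user.id' successfully synchronized with vault 'O=newest' on server 'CN=pm1/O=RECompany' by 'Samantha Daryn/RECompany'.
""".strip().splitlines()

SERVER_LOG = """
10/01/2008 02:00:28 PM ID successfully synchronized with vault 'O=third' for 'Samantha Daryn/RECompany' (IP Address 9.33.163.219:1313).
10/01/2008 03:37:36 PM ID successfully downloaded from vault 'O=newest' by 'Samantha Daryn/RECompany' (IP address 9.33.164.153:2350).
10/01/2008 03:53:31 PM ID successfully synchronized with vault 'O=newest' for 'Samantha Daryn/RECompany' (IP Address 9.33.164.153:2406).
""".strip().splitlines()

TS = r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) "
Q = r"'(?P<%s>[^']+)'"                      # quoted field helper
IP = r" \(IP address (?P<ip>[\d.]+):(?P<port>\d+)\)"
PATTERNS = {
    "client": [
        ("sync", re.compile(TS + r"ID " + Q % "path" + r" successfully synchronized with vault "
                            + Q % "vault" + r" on server " + Q % "server" + r" by " + Q % "user")),
        ("download", re.compile(TS + r"ID " + Q % "path" + r" successfully downloaded from vault "
                                + Q % "vault" + r" on server " + Q % "server" + r" by " + Q % "user")),
        ("vault_admin", re.compile(TS + r"Adding administrator (?P<user>.+?) to this vault")),
        ("reset_authority", re.compile(TS + r"(?P<user>.+?) will be able to reset passwords "
                                       r"for users in organization (?P<org>\S+)")),
    ],
    "server": [   # "IP Address" and "IP address" both occur on the slides, hence re.I
        ("sync", re.compile(TS + r"ID successfully synchronized with vault " + Q % "vault"
                            + r" for " + Q % "user" + IP, re.I)),
        ("download", re.compile(TS + r"ID successfully downloaded from vault " + Q % "vault"
                                + r" by " + Q % "user" + IP, re.I)),
    ],
}
# Second line of the two-line administrator entry; it carries the real add/remove outcome.
OUTCOME = re.compile(r"^(?P<user>.+?) was successfully (?P<action>added|removed)\.$")


@dataclass
class VaultEvent:
    source: str                     # "client" or "server"
    kind: str
    ts: Optional[datetime]
    fields: dict = field(default_factory=dict)


def parse_log(lines, source: str):
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = OUTCOME.match(line)
        if m and events and events[-1].kind == "vault_admin":
            events[-1].fields["action"] = m["action"]     # slide 31: first line always says "Adding"
            continue
        for kind, pattern in PATTERNS[source]:
            m = pattern.match(line)
            if m:
                f = m.groupdict()
                ts = datetime.strptime(f.pop("ts"), "%m/%d/%Y %I:%M:%S %p")
                events.append(VaultEvent(source, kind, ts, f))
                break
        else:
            events.append(VaultEvent(source, "other", None, {"raw": line}))
    return events


def missing_server_record(client_events, server_events, window=timedelta(seconds=2)):
    """Client events without a matching server entry. Administrator and Password Reset
    Authority changes always land here: per slides 31 and 32 the server logs nothing."""
    unmatched = []
    for c in client_events:
        if c.ts is None:
            continue
        confirmed = any(
            s.ts is not None and s.kind == c.kind
            and s.fields.get("user") == c.fields.get("user")
            and s.fields.get("vault") == c.fields.get("vault")
            and abs(s.ts - c.ts) <= window
            for s in server_events)
        if not confirmed:
            unmatched.append(c)
    return unmatched


if __name__ == "__main__":
    client = parse_log(CLIENT_LOG, "client")
    server = parse_log(SERVER_LOG, "server")
    for e in missing_server_record(client, server):
        print(f"{e.ts:%Y-%m-%d %H:%M:%S}  {e.kind:16}  {e.fields}")
```

Run against the sample logs, the sync and download events pair up with their server entries, and the three unmatched events are exactly the administrator add, the administrator remove and the Password Reset Authority grant. That is the practical consequence of slides 31 and 32: an audit trail of who can administer the vault or reset passwords has to be collected from the client Log.nsf of the administrators' workstations, because server-side monitoring of Log.nsf or DDM.nsf will never show it.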
