id vault - implementation, security and troubleshooting - for ibm notes and domino

MWLUG 2013 – ID Vault: ID Vault Implementation, Security and Troubleshooting. Olaf Boerner, BCC

Uploaded by bcc-solutions-for-ibm-collaboration-software, posted 14-May-2015

DESCRIPTION

You want to implement ID Vault? You already have ID Vault up and running but have not collected all users' ID files? You need a more detailed understanding of how ID Vault security is implemented and why you should not create new replicas of your ID Vault database? This session gives you a detailed technical understanding of how ID Vault works and of the best practices for implementing it. It provides security recommendations and covers how to troubleshoot typical ID Vault situations.

TRANSCRIPT

Page 1: Title slide

ID Vault Implementation, Security and Troubleshooting

Olaf Boerner, BCC

Page 2: About @olafboerner

• CEO and founder of BCC
• Working with Lotus Notes since Version 3 in 1993
• I am working with large enterprise customers as Senior Architect:
  1. To reduce the Total Cost of Ownership of Notes/Domino
  2. To secure and optimize IBM Domino infrastructures

Page 3: ID Vault History

• 8.5 Initial release
• 8.5.1 Integration with iNotes, Traveler and Blackberry
• 8.52 C API exposed
• 8.53 Citrix support

Why so late? Maybe too late!

Page 4: ID Vault – Architecture

ID Vault Server:
• Domino 8.5 or higher
• Only the ID Vault server must run on 8.5
• Dedicated ID Vault server or home server

Lotus Notes Client:
• Notes 8.5 or higher – 8.53 recommended
• The client asks its home server for a list of servers that have a replica of the vault

Page 5: ID Vault Architecture

ID Vault Database:
• One database for each ID Vault on a server
• Replicas on ID Vault servers
• You must use the Admin client -> do not just create a replica

One ID Vault document for each user:
• Notes ID as an "attached" file
• Without password - "Authentication Data"
• Fields contain download information etc.
• ID Vault documents are not signed!!!

Access to ID Vault:
• The Notes client does not have access to ID Vault
• nserver.exe acts as an "application proxy"

Page 6: ID Vault based on Notes PKI

ID Vault uses Notes certificates:
• ID Vault creates a "vault certifier" ("Notes Cross Certificate")
• Each ID Vault uses its own "vault certifier"

Trust relationships:
• ID Vault uses cross certification with the current certifier
• Collecting ID files:
  • only with valid cross certification
  • the ID file's public key must match its certifier
• Password resets:
  • only users with cross certification can reset passwords

DEMO

Page 7: ID Vault - Core functions

• ID file provisioning / deployment
• Collect existing ID files
• Synchronize ID files
• Central password reset
• Extract ID files for "Auditor"

Page 8: ID Vault - Core functions (agenda)

Page 9: ID Vault provisioning / deployment

Use this feature for initial client setup!

The user ID must be in the ID Vault database:
• Upload during / after registration

notes.ini must contain:
• KeyFileName_Owner=CN=Peter Parker/O=BCC_AdminTool

If you want a user-specific file name:
• KEYFILENAME=C:\Lotus Notes\data\pparker.id

Page 10: ID Vault - Core functions (agenda)

Page 11: Collect existing ID Files -> Vault Policy

Policies are essential for implementing ID Vault.

If you are still not using policies?
• Now you have to!
• They are signed!

Security Settings document:
• Assign ID Vault
• Enforce password change after the password has been reset
• Allow automatic ID downloads: Yes
• If No: Allow ID downloads for: x days
• The Security Settings need to be in the client's personal NAB!

Page 12: ID Vault - Core functions (agenda)

Page 13: ID Vault Synchronizing ID Files

Changes to a local ID file:
• Internet certificate
• Secret encryption key

The Notes client triggers an immediate resynchronization with the ID Vault
• if it has an online connection

Other clients check for changes and synchronize:
• Checks the local ID against fields in the ID Vault document:
  • IDModHash and
  • IDModTime
• IMPORTANT: the password must be the same

Page 14: ID Vault Synchronizing Passwords

User changes the Notes password on the desktop PC
• Immediate synchronization with ID Vault

User uses the laptop PC at home
• He "should" use the new password
• But he can use the old password!
• The ID will become out of sync

[Figure "Changing Passwords" (slide 44 of an IBM presentation, © 2012 IBM Corporation): desktop client ID files; 1. User changes password on desktop client ...triggering an immediate resynchronization with the ID vault.]

Page 15: "Two Passwords": in the ID file and in the Vault

Source: IBM internal presentation

Page 16: ID Vault - Core functions (agenda)

Page 17: Central password reset

Works in 3 steps:
1. Change the password in ID Vault
2. The user uses the ID with the new password
3. The user needs to use the new password with all his ID files

A direct online connection is required.

For offline support you still need to use the old recovery key procedure.

Page 18: Central password reset

Again: be careful
• The user must use the same password for all copies of his ID file
• If the passwords do not match, the IDs cannot be resynchronized anymore!!!

Do not force your users to change passwords with central password reset!!!
• Password settings are the right tool!

Page 19: Changing password

What happens when the user changes the password?
• The password change is synchronized with ID Vault immediately
  • if he has an online connection
  • if not, it is synchronized at the next server connection
• But he can still use other ID files with the old password

Example:
• Changing the password at your desktop / Citrix client
• Working with your old password on your notebook
• The ID files will not synchronize anymore

Page 20: ID Vault - Core functions (agenda)

Page 21: ID Vault Auditor

Extract ID files for an "Auditor":
• Auditor role in the ID Vault ACL
• Requires the Admin client

DEMO

How to prevent?
• Control the ID Vault ACL
• SECURE_DISABLE_AUDITOR = 1 on the ID Vault server

I do not like this function!!! Why not use a trust certificate similar to password reset?

Page 22: ID Vault – Makes life easier

• Key rollover
• Reading encrypted mails on mobile devices
• Using iNotes with ID files
• Notes Shared Login
• Rename without user involvement

Page 23: ID Vault Integration with "external programs"

Using ID Vault with Traveler, iNotes and Blackberry

Page 24: ID Vault Integration

Released in 8.51

Security Settings document:
• Allow Notes-based programs to use the Notes ID Vault: Yes

Provides ID handling and synchronizes changes:
• Deploy ID
• Password reset & change
• Rename

Supports Traveler, Blackberry and iNotes.

GOOD does not support provisioning IDs from ID Vault.

Page 25: ID Vault Integration – "uncovered"

ID Vault supports mail file profile documents:
• ProfileNoteName = "$shimmerid"
• ProfileNoteName = "$rimid"

The ID file is not a "working" attachment due to encryption.

Internal usage:
• To create the profile using the C API: SECAttachIdFileToDB - attach an ID file to a profile note and create / overwrite the existing profile
• To use that ID: SECExtractIdFileFromDB - extract an ID file from a profile note
• The current password must be provided

Page 26: ID Vault Log & Monitoring

Page 27: ID Vault Log

• Client: log.nsf
• Server: log.nsf
• DDM.nsf: error messages from all servers
• IDVault log

Page 28: ID Vault – Server Log

log.nsf - Security Events:
• ID vault creation, ID uploads, ID downloads
• ID extracts
• Password resets

View: Security Events

Page 29: Typical Log Entries

What is logged when the user changes something in his ID file (such as adding a new document encryption key), triggering a synchronization with the vault?

• Client log: 10/01/2008 02:00:28 PM ID 'C:\Program Files\Lotus\Notes\Data\user.id' successfully synchronized with vault 'O=third' on server 'CN=pm1/O=RECompany' by 'Samantha Daryn/RECompany'.
• Server log: 10/01/2008 02:00:28 PM ID successfully synchronized with vault 'O=third' for 'Samantha Daryn/RECompany' (IP Address 9.33.163.219:1313).

What is logged when the user recovers from a forgotten password by using the new password?

• Client log: 10/01/2008 03:53:32 PM ID 'C:\Program Files\Lotus\Notes\Data\user.id' successfully synchronized with vault 'O=newest' on server 'CN=pm1/O=RECompany' by 'Samantha Daryn/RECompany'.
• Server log: 10/01/2008 03:53:31 PM ID successfully synchronized with vault 'O=newest' for 'Samantha Daryn/RECompany' (IP Address 9.33.164.153:2406).

Page 30: Typical Log Entries

What is logged when the user lost his ID file, but the Notes client automatically recovers from the lost ID file?

• Client log: 10/01/2008 03:37:36 PM ID 'C:\Program Files\Lotus\Notes\Data\user.id' successfully downloaded from vault 'O=newest' on server 'CN=pm1/O=RECompany' by 'Samantha Daryn/RECompany'.
• Server log: 10/01/2008 03:37:36 PM ID successfully downloaded from vault 'O=newest' by 'Samantha Daryn/RECompany' (IP address 9.33.164.153:2350).

Page 31: Some Log Entries are client based only!!

What is logged when a new ID vault administrator is added?

• Client log: 10/01/2008 02:31:43 PM Adding administrator Joe Blow/RECompany to this vault Joe Blow/RECompany was successfully added.
• Server log: Nothing is logged on the server.

What is logged when an ID vault administrator is removed?

• Client log: 10/01/2008 02:39:56 PM Adding administrator Joe Blow/RECompany to this vault Joe Blow/RECompany was successfully removed.
• Server log: Nothing is logged on the server. Note: the client log should say "Removing administrator Joe Blow/RECompany from this vault..."

Page 32: Some Log Entries are only client based

What is logged when a Password Reset Authority is added?

• Client log: 10/01/2008 03:04:50 PM PasswordReset Authority/RECompany will be able to reset passwords for users in organization /RECompany
• Server log: Nothing is logged on the server.

What is logged when a Password Reset Authority is removed?

• Client log: 10/01/2008 02:44:00 PM PasswordReset Authority/RECompany will no longer be able to reset passwords for users in organization /RECompany
• Server log: Nothing is logged on the server.

Page 34: ID Vault – Monitoring / Troubleshooting

Domain monitoring: DDM database

Page 35: ID Vault – Client Monitoring

ID Vault uses the local log.nsf:
• Check Security Events
• A debug setting enables text file logging

ID Vault client notes.ini entries:
• IDVAULT_COUNT1=0
• IDVAULT_STAMP1=13.03.2013 11:49:30
• IDVaultLastServer=CN=Demo Server/O=BCC_AdminTool
• IDVaultLastFlushTime=06.02.2013 20:04:27

Page 36: ID Vault Security

Page 37: ID Vault Security

You have a central ID "inventory", so security requirements are getting critical.

I assume that you already have some basic security concepts in place:
• Secure access to certifier files: more than one password!
• Restricted access to the server file system: you cannot copy your data directory

Page 38: ID Vault Security

2048-bit RSA Vault Operation Key (VO):
• Created during initial setup (based on the vault certifier)
• A single VO key for each ID Vault

The encryption chain:
• ID files have no password
• Each ID file is encrypted with its own symmetric 256-bit AES storage encryption (SE) key
• Each SE key is encrypted with the VO key
• Check for the field VOKeyName in the Person document
• How to encrypt the VO key?

Page 39: How to encrypt the VO Key?

The VO key is important for security:
• Decrypt it and you have access to an ID file
• ID files do not have passwords

Until now symmetric encryption has been used: a password or any other key.

Other key using Notes PKI:
• Switch to asymmetric encryption
• Private key in the server ID
• Stored in each profile document

Page 40: Server ID is your weak spot!

Protect your server ID with a password!
• IBM recommendation
• Paul Mooney – AdminBlast

Page 41: ID Vault: Why secure your server ID

IBM recommendation: Securing the server ID file

"We understand that most Domino servers are not password-protected to make unattended reboots simpler, but the vault server's ID file is a key element in the security of your ID vault."

"...a sophisticated attacker with a vault database and one of the corresponding server IDs ... would have all of the cryptographic information needed to masquerade as the vault server and decrypt all of the ID files stored in the vault."

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/securing-your-notes-id-vault-server

Page 42: ID Vault: Why secure your ID Vault ACL

Everyone with the Auditor role and an Admin client is able to download ID files from ID Vault.

ACL change?
• Full Access Administrators might do this
• Server-based script agents

ID Vault document change?
• Resetting the download flag

Preventing unwanted changes in ID Vault is mandatory.

Page 43: ID Vault: Why secure your log.nsf

ID Vault operations are written to log.nsf:
• Download IDs
• Extract IDs

Security Events:
• ID for 'User' successfully extracted from vault 'O=Demo' by auditor 'Admin' (IP Address)
• ID for 'User' (IP Address .....) in vault 'O=Demo' was not downloaded because the wrong password was supplied

Page 44: Password protected server ID file

Page 45: ID Vault: Security Recommendations

Log database:
• Limit access and prevent document deletion / modification

ID Vault database:
• Monitor ACL changes (DDM)
• Prevent document changes

Server ID with password

Limit access to the file system to prevent a "private snapshot" copy

Page 46: Reset Passwords with ID Vault

What is the best way?

Page 47: Password Reset using Admin client

Page 48: Password Reset using Admin client

Requires:
• Access for the Admin client
• An assigned password reset certificate
• NO access level to the ID Vault database is needed for password reset

Audit / log:
• log.nsf Security Events
• "Password for 'Admin Domino/BCCVM' with 0 downloads was reset by 'Admin Domino/BCCVM' (IP Address 192.168.74.140:1202) from process nserver"
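The deck quotes several log.nsf security events (pages 29-31, 43 and 48) but leaves the review of those entries to the reader. The following Python example, added here and not part of the presentation or of any IBM tooling, parses such lines into structured events and applies three review rules a vault administrator would want: every ID extract by an auditor is reported, a password reset performed by anyone outside a configured list of reset authorities is reported, and repeated "wrong password" download failures for one user are counted. The sample log is constructed: its first two lines are the deck's own server-log examples, the remaining lines follow the wording the deck quotes on pages 43 and 48 with made-up names, vaults and addresses.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample of log.nsf security events. Lines 1-2 are the deck's own
# examples (pages 29-30); the rest are made up here following the wording the
# deck quotes on pages 43 and 48 (names, vaults and IPs are constructed).
SAMPLE_LOG = """\
10/01/2008 02:00:28 PM ID successfully synchronized with vault 'O=third' for 'Samantha Daryn/RECompany' (IP Address 9.33.163.219:1313).
10/01/2008 03:37:36 PM ID successfully downloaded from vault 'O=newest' by 'Samantha Daryn/RECompany' (IP address 9.33.164.153:2350).
10/01/2008 03:40:02 PM ID for 'Samantha Daryn/RECompany' in vault 'O=newest' was not downloaded because the wrong password was supplied (IP Address 9.33.164.153:2351).
10/01/2008 03:40:09 PM ID for 'Samantha Daryn/RECompany' in vault 'O=newest' was not downloaded because the wrong password was supplied (IP Address 9.33.164.153:2352).
10/01/2008 03:40:15 PM ID for 'Samantha Daryn/RECompany' in vault 'O=newest' was not downloaded because the wrong password was supplied (IP Address 9.33.164.153:2353).
10/01/2008 03:41:10 PM ID for 'Samantha Daryn/RECompany' successfully extracted from vault 'O=Demo' by auditor 'Admin Domino/BCCVM' (IP Address 192.168.74.140:1199).
10/01/2008 03:45:00 PM Password for 'Peter Parker/RECompany' with 0 downloads was reset by 'Helpdesk User/RECompany' (IP Address 192.168.74.140:1202) from process nserver
10/01/2008 03:46:00 PM Router: Message delivered to Samantha Daryn/RECompany
"""

# Phrase -> event kind; phrases are tried in this order (most specific first).
KINDS = [
    ("was not downloaded because the wrong password", "download_failed"),
    ("successfully extracted from vault", "extract"),
    ("successfully downloaded from vault", "download"),
    ("successfully synchronized with vault", "sync"),
    ("was reset by", "password_reset"),
]

TS_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) ")
QUOTED_RE = re.compile(r"'([^']+)'")
IP_RE = re.compile(r"\(IP [Aa]ddress ([\d.]+):\d+\)")
ACTOR_RE = re.compile(r"\bby (?:auditor )?'([^']+)'")
SUBJECT_RE = re.compile(r"\bfor '([^']+)'")


@dataclass
class VaultEvent:
    timestamp: str
    kind: str
    vault: Optional[str]
    subject: Optional[str]  # user whose ID or password the event concerns
    actor: Optional[str]    # who performed it: auditor, reset authority, or the user
    ip: Optional[str]


def parse_event(line: str) -> Optional[VaultEvent]:
    """Turn one log line into a VaultEvent, or None if it is not a vault event."""
    kind = next((k for phrase, k in KINDS if phrase in line), None)
    if kind is None:
        return None
    ts = TS_RE.match(line)
    quoted = QUOTED_RE.findall(line)
    # Vault names appear as quoted distinguished names such as 'O=newest'.
    vault = next((q for q in quoted if q.startswith("O=")), None)
    subject = SUBJECT_RE.search(line)
    actor = ACTOR_RE.search(line)
    ip = IP_RE.search(line)
    subject_name = subject.group(1) if subject else None
    actor_name = actor.group(1) if actor else None
    # A download line has no "for": the user acting on their own ID is the subject.
    if subject_name is None:
        subject_name = actor_name
    return VaultEvent(ts.group(1) if ts else "", kind, vault, subject_name,
                      actor_name, ip.group(1) if ip else None)


def analyze(log_text: str, reset_authorities: Set[str],
            failed_threshold: int = 3) -> Dict[str, list]:
    """Parse all lines and apply three review rules; returns events and findings."""
    events = [e for e in map(parse_event, log_text.splitlines()) if e is not None]
    findings: List[Dict[str, Optional[str]]] = []
    for e in events:
        if e.kind == "extract":
            # An extract hands a usable ID file to the auditor: always review it.
            findings.append({"rule": "id_extracted", "subject": e.subject,
                             "actor": e.actor, "at": e.timestamp})
        elif e.kind == "password_reset" and e.actor not in reset_authorities:
            findings.append({"rule": "reset_by_unexpected_actor", "subject": e.subject,
                             "actor": e.actor, "at": e.timestamp})
    failed = Counter(e.subject for e in events if e.kind == "download_failed")
    for user, n in failed.items():
        if n >= failed_threshold:
            findings.append({"rule": "repeated_wrong_password", "subject": user,
                             "actor": None, "at": str(n)})
    return {"events": events, "findings": findings}


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, {"PasswordReset Authority/RECompany"})["findings"]:
        print(finding)
```

The classification is done by phrase rather than by a fixed line format, so the same code copes with the small wording differences between the download, extract and reset entries ("IP Address" versus "IP address", "by" versus "by auditor"). Note that, as page 31 and 32 point out, adding or removing vault administrators and reset authorities is logged only on the client, so no server-side rule can cover those changes; that is a reason to keep the client log.nsf files as well.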

Page 49: Using an application

Page 50: Self Service Password Resets

Sample database: pwdResetSample.nsf

Page 51: Password Reset – Best practices

Send to a trusted person:
• Print out the email
• No access to the ID file

Send the password to the user:
• As SMS to the mobile phone
• To a private email address
• Requires that you have this data in your "application"
• Tell him on the phone
• Secret authentication questions should be provided

Self Service Application:
• Create the password or the user enters a password
• Check complexity
• Send mail to the defined address

Page 52: Programming Password Reset -> C API, LotusScript

Password reset:
• C API: SECidvResetPassword
• LotusScript, Java: notesSession.ResetUserPassword( servername, username, password[, downloadcount ] )
  • Password: new password for username's ID.
  • Downloadcount: when "Allow automatic ID downloads" is set to "No" -> set to 2

Check out the sample database: pwdResetSample.nsf

Page 53: Programming Password Reset -> Security

• Signer of the LotusScript agent
• the server ID on which the application is running must
• Password reset certificates need to be issued with the "programming flag" to

Page 54: Troubleshooting ID Vault

Page 55: Troubleshooting: Whose ID files have been collected?

IBM ID Vault Database Scanner:
• Agent code
• Compares all Person entries in your Domino Directory
• Creates a report about IDs missing from ID Vault
• http://www-10.lotus.com/ldd/dominowiki.nsf/dx/IBM_Lotus_Notes_ID_Vault_Database_Scannercol_An_overview

Hey IBM: why not include it in the ID Vault template?
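The scanner described on this slide compares Person entries with vault documents; the part that trips up a home-grown version is that Notes names appear in both canonical ("CN=Peter Parker/OU=Sales/O=BCC") and abbreviated ("Peter Parker/Sales/BCC") form and are case-insensitive. The following Python example is added here and is not IBM's scanner nor code from the presentation; it normalises both forms before comparing and goes slightly beyond the slide by also reporting vault documents whose owner no longer exists in the directory. The person and vault records are constructed, and the vault document field name `Owner` is an assumption, since the real field names are not given on the slides.

```python
from typing import Dict, Iterable, List


def canonical_name(name: str) -> str:
    """Return a Notes name in canonical form, e.g. 'CN=Peter Parker/OU=Sales/O=BCC'.

    Accepts canonical or abbreviated input. An abbreviated name is expanded the
    way Notes does it: first component CN, last component O, anything between OU.
    Country codes (C=) are not handled.
    """
    parts = [p.strip() for p in name.split("/") if p.strip()]
    if not parts:
        raise ValueError("empty Notes name")
    if all("=" in p for p in parts):
        # Already canonical: only normalise the component labels (cn= -> CN=).
        return "/".join(f"{p.split('=', 1)[0].upper()}={p.split('=', 1)[1]}" for p in parts)
    if any("=" in p for p in parts):
        raise ValueError(f"mixed canonical and abbreviated components: {name!r}")
    labels = ["CN"] + ["OU"] * (len(parts) - 2) + (["O"] if len(parts) > 1 else [])
    return "/".join(f"{label}={value}" for label, value in zip(labels, parts))


def name_key(name: str) -> str:
    """Comparison key: Notes names are case-insensitive."""
    return canonical_name(name).lower()


# Constructed sample data. Person documents as in the Domino Directory, with
# FullName in either form; vault documents with an assumed 'Owner' field
# (the real vault document field names are not given on the slides).
SAMPLE_PERSONS = [
    {"FullName": "CN=Peter Parker/O=BCC_AdminTool"},
    {"FullName": "Samantha Daryn/Sales/BCC_AdminTool"},
    {"FullName": "CN=Joe Blow/O=BCC_AdminTool"},
]
SAMPLE_VAULT_DOCS = [
    {"Owner": "cn=peter parker/o=bcc_admintool"},
    {"Owner": "CN=Samantha Daryn/OU=Sales/O=BCC_AdminTool"},
    {"Owner": "CN=Old User/O=BCC_AdminTool"},
]


def vault_coverage(persons: Iterable[Dict[str, str]],
                   vault_docs: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Reconcile person documents against vault documents.

    Returns users that have no vault document (the IDs the scanner reports as
    missing) and vault documents whose owner no longer exists in the directory
    (stale IDs that should be reviewed and removed).
    """
    person_by_key = {name_key(p["FullName"]): canonical_name(p["FullName"]) for p in persons}
    vault_by_key = {name_key(d["Owner"]): canonical_name(d["Owner"]) for d in vault_docs}
    missing = sorted(n for k, n in person_by_key.items() if k not in vault_by_key)
    stale = sorted(n for k, n in vault_by_key.items() if k not in person_by_key)
    return {"missing_from_vault": missing, "vault_docs_without_person": stale}


if __name__ == "__main__":
    for section, names in vault_coverage(SAMPLE_PERSONS, SAMPLE_VAULT_DOCS).items():
        print(section, names)
```

In a real run the two input lists would come from the Domino Directory's Person view and from the vault database; the reconciliation itself does not need access to the ID attachments, so it can run under an account without the Auditor role.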

Page 56: Troubleshooting ID Upload

Clear the 'IDVault' entries from 'notes.ini' and restart
• The upload happens at a random point in time, so wait!
• Check if the user has direct access to the ID Vault server

Check the 'KeyFileName' parameter in 'notes.ini'
• It should be the same as the ID file
• "Renaming to User.id might help"

Check if the policy document is assigned to the user
• Check the local personal address book
• Template 8.5.x
• Does the view ($Policies) contain the Security Settings?

Check if the public keys of the user ID and the certifier ID match
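The checks on this slide, together with the client notes.ini entries listed on page 35, are easy to script. The following Python example is added here and is not part of the presentation: it reads a notes.ini, lists the IDVault* bookkeeping entries, verifies that KeyFileName points at the expected ID file and that KeyFileName_Owner is a canonical name, and removes the IDVault* entries so that the client starts the vault handshake afresh after the restart the slide calls for. The notes.ini excerpt is constructed from the settings quoted on pages 9 and 35; the expected ID file name passed to the check is whatever the administrator knows it should be.

```python
import re
from typing import Dict, List, Tuple

# Constructed notes.ini excerpt built from the settings quoted on slides 9 and 35.
SAMPLE_INI = """\
[Notes]
Directory=C:\\Lotus Notes\\data
KeyFileName=C:\\Lotus Notes\\data\\user.id
KeyFileName_Owner=CN=Peter Parker/O=BCC_AdminTool
IDVAULT_COUNT1=0
IDVAULT_STAMP1=13.03.2013 11:49:30
IDVaultLastServer=CN=Demo Server/O=BCC_AdminTool
IDVaultLastFlushTime=06.02.2013 20:04:27
"""


def parse_ini(text: str) -> Dict[str, str]:
    """Read notes.ini key=value lines; section headers and blank lines are skipped."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def vault_state(settings: Dict[str, str]) -> Dict[str, str]:
    """The client-side vault bookkeeping entries (IDVault* / IDVAULT_*)."""
    return {k: v for k, v in settings.items() if k.lower().startswith("idvault")}


def check_keyfile(settings: Dict[str, str], expected_id_file: str) -> List[str]:
    """The KeyFileName checks from the 'Troubleshooting ID Upload' slide."""
    problems = []
    key_file = settings.get("KeyFileName") or settings.get("KEYFILENAME")
    if key_file is None:
        problems.append("KeyFileName is missing")
    else:
        # Take the file name whether the path uses Windows or POSIX separators.
        actual = re.split(r"[\\/]", key_file)[-1]
        if actual.lower() != expected_id_file.lower():
            problems.append(f"KeyFileName points to {actual!r}, expected {expected_id_file!r}")
    owner = settings.get("KeyFileName_Owner")
    if owner is None:
        problems.append("KeyFileName_Owner is missing (needed for ID provisioning)")
    elif not owner.upper().startswith("CN="):
        problems.append(f"KeyFileName_Owner {owner!r} is not a canonical Notes name")
    return problems


def clear_vault_entries(text: str) -> Tuple[str, List[str]]:
    """Drop the IDVault* entries; the client must be restarted afterwards.

    Returns the new notes.ini text and the keys that were removed; all other
    lines are kept unchanged.
    """
    kept, removed = [], []
    for line in text.splitlines(keepends=True):
        key = line.split("=", 1)[0].strip()
        if "=" in line and key.lower().startswith("idvault"):
            removed.append(key)
        else:
            kept.append(line)
    return "".join(kept), removed


if __name__ == "__main__":
    cfg = parse_ini(SAMPLE_INI)
    print(vault_state(cfg))
    print(check_keyfile(cfg, "pparker.id"))
    print(clear_vault_entries(SAMPLE_INI)[1])
```

Run the checks before clearing anything: a KeyFileName that names a different file than the one the user actually opens is the case the slide's "rename to User.id" hint addresses, and clearing the IDVault* entries only makes the client retry the vault server selection (IDVaultLastServer, page 57) on the next start.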

Page 57: Troubleshooting

Roaming:
• An ID in the local NAB will interfere with ID Vault
• IBM provides a utility

ID Vault requires a network connection.

The Notes client tries to connect to the first available ID Vault server in the list:
• The server name is cached (notes.ini variable IDVaultLastServer)
• Set the ID Vault notes.ini variables to capture additional information

Page 58: Debug Settings for ID Vault

Client notes.ini:
• DEBUG_IDV_TRACE
• DEBUG_IDV_TRUSTCERT
• DEBUG_IDVAULT_SERVER_SELECTION
• Debug_Namelookup=1
• Console_log_enabled=1

Server notes.ini:
• DEBUG_IDV_CONNECT
• DEBUG_IDV_TRUSTCERT
• DEBUG_IDV_UPDATE
• Debug_threadid=1

Page 59: ID Vault Limitations

ID Vault is great, however:
• No cross-domain vaults are supported
• Tightly integrated with policies, even when using the API
• Setting up ID Vault requires the Admin client and manual steps
• Working offline can create issues

Page 60: BCC

Olaf Boerner

[email protected]

Thank You!