www.vasco.com
The world’s leading software company specializing in Internet Security

Quick Installation Guide: DIGIPASS Plug-in for Lotus Domino


© VASCO Data Security. All rights reserved. QIG 201109 - v2

Table of Contents

1. Overview
2. Problem Description
3. Solutions
   3.1 Lotus Domino Replication
       Features
       Disadvantages
   3.2 Lotus Domino Web Access
       Features
4. Technical Concept
   4.1. General Overview
   4.2. Configuration of Lotus Domino
5. Supported platforms and configurations
6. Conclusion
About VASCO
For more info

Disclaimer of Warranties and Limitation of Liabilities

All information contained in this document is provided ‘as is’; VASCO Data Security assumes no responsibility for its accuracy and/or completeness. In no event will VASCO Data Security be liable for damages arising directly or indirectly from any use of the information contained in this document.

COPYRIGHT

Copyright © 2011 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security.

TRADEMARKS

VASCO®, Vacman®, IDENTIKEY®, aXsGUARD®, DIGIPASS® and ® logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries.

VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners.


1. Overview

The purpose of this document is to show how the Plug-In for Lotus Domino can easily enhance the security of your roaming users connecting to their Lotus Notes data using Domino Web Services. This guide shows one example of how the plug-in may be installed; other, more advanced configurations are possible.

2. Problem Description

Most people need to access their work data anytime, from anywhere, using the most global network, the Internet. It is a perfect tool for roaming users but is also well known for its security weaknesses. Vasco’s goal with this Plug-In for Lotus Domino is to secure the authentication of roaming users so that their credentials cannot be reused or hacked. The weakest link in any security infrastructure is the use of static passwords; hence there is a need for strong user authentication based on two factors: something you have and something you know.

3. Solutions

Lotus Domino allows remote users to access their Lotus Domino databases (such as email, price lists, corporate applications etc.) using a web interface. In order to allow users to remotely access their Domino documents, such as mails or Notes data, there are several solutions, listed below.

3.1 Lotus Domino Replication

Lotus Notes users have the possibility to create a local replica copy of their mail file on their laptop, either using a dial-up direct connection or using the Internet. This method uses the regular Notes ID file to provide the secured environment.

FEATURES
• Full access to the mail file
• Secure: communication may be encrypted. Access to the database is protected by the Lotus Domino integrated security mechanism

DISADVANTAGES
• May only be used from the user’s PC. Cannot be used from an Internet kiosk PC
• Making an Internet connection could be too difficult for the average end-user. The PC must still be connected to a phone line or to a LAN. An Internet POP must be known. The user must have an account with the foreign Internet Service Provider. TCP/IP settings must be configured
• Replication may take too much time
• If a dial-up solution is involved, other disadvantages appear:
  o Connecting a PC to a phone line may be too difficult for the average user, especially when traveling to foreign countries
  o High communication costs
  o It is not always possible to connect a PC to a phone line in a hotel room
  o The Domino server requires a dedicated modem pool

3.2 Lotus Domino Web Access

Accessing a Domino server over HTTP is a very good option in terms of deployment ease and costs. However, such a solution does not use the standard Notes security model. Instead of using a Notes user ID, a simple username and password model is used. Of course this limits the security of the system, and security-focused companies are not willing to expose the employee’s mail files to the web when they are protected only with a static password.

With the Vasco Plug-In for Lotus Domino, roaming users access protected resources using their Web Access UserID and still rely on the genuine Lotus Notes Access Control List; instead of any static password, the Vasco solution uses a dynamically generated One-Time Password. You can still enforce the security model with server-based certificates.

FEATURES
• Easy access to the full mail file from any Internet-connected PC: public PC, PC from a customer or supplier, hotel room television. No need to install any file on the client. Cookies are not required
• Low communication charges
• No need to replicate: just open the mail messages you need to read
• Easy to use: most people know how to use a browser
• Secure access: data flow is encrypted, server’s identity guaranteed by SSL, random passwords
• No agents or mail rules required on the Domino server
• No risk of infinite mail loops. All mail is kept on the Domino server located in the DMZ
• Complete mail history: the end-user is always using the same mail file. All received and sent messages are kept in a single file
• Compatible with standard and session-based authentication
• Selective deployment is possible: not all users using HTTP access must have a Vasco token
• Based on proven Vasco technology
• Scalable solution – pay as you grow
• Compatible with 5.X, 6.X, 7.X and 8.X servers
• No user training required
• May be used with any Domino directory configuration: single directory, multiple directories, directory assistance
• The Plug-In for Lotus Domino is active during the authentication phase. Once authenticated, the Domino security model protects all resources: ACL, realm settings, file access parameters, …
• May be used to protect the access to any Notes database – not just the mail file
• No need to modify the firewall. Only http or https traffic flows between the user and the server

Hence, the Plug-In for Lotus Domino will secure HTTP(S) based authentications so that remote users can access their Domino applications, databases or mailbox safely.

By using DIGIPASS patented technology, you eliminate the weakest link in any security infrastructure: the use of static passwords, which are easily stolen, guessed, reused, or shared.

DIGIPASS can be deployed as a small hand-held device, as a smart card reader, or as software for computers, laptops, PDAs or cell phones.


4. Technical Concept

4.1. General Overview

The Plug-In for Lotus Domino mainly resides in a Lotus Domino (.nsf) database for administration tasks (such as DIGIPASS import, assignment etc.). Some runtimes are executed when accessing a Notes database via the Web interface. The runtimes are called by the Domino HTTP task when the credentials of a web user must be validated. When the user is authenticated by the Vasco runtimes, he may access all Domino resources in the traditional way.

Administrative task rights rely on the Lotus Notes embedded ACLs, as do any further NSF consultations or updates. The Plug-In for Lotus Domino solution is 100% Domino based; there is no need to install any additional hardware or software.

4.2. Configuration of Lotus Domino

• Copy the Help Database (.nsf) and the Vasco Plug-in for Lotus Domino template (.ntf) into the Lotus Client working directory; ideally it should be at the DATA root of the Domino server.

• Open the Lotus Administrator and use it to open the LOCAL server.

[Figure: General Overview diagram. Components shown: User Database, HTTP/HTTPS, Lotus Domino, VASCO NSF Database, NSF Documents, HTTP Service, VASCO Runtimes]


• Select the FILE tab and select the databases to sign.

• Select TOOLS in the right pane, then in the document base select SIGN.


• Select the Active User ID to sign the NSF and validate all confirmations.

• Launch Lotus Designer, open the Vasco Plug-in for Lotus Domino template (.ntf file) and set the proper ACL for it, using the File/Database/Access Control menu.

• Create an NSF base from the template:
  o Launch the Lotus Notes Client, go to the File/Database/New menu,
  o Select From Template, browse to the Vasco Plug-in for Lotus Domino Template


• The Plug-in for Lotus Domino configuration database will open and allow you to proceed with the process.

• Select File/Database/Access Control and set your Admin Roles.


• Install Runtime libraries
  To install the runtime libraries you have to detach them from the DIGIPASS Pack for Lotus Domino database to the specified folders, such as c:\lotus\notes and c:\lotus\domino. Select System/Installation from the navigator. The document ‘Runtime Files’ contains the required runtime libraries.

Detaching the runtime files and saving them to the relevant folders.


• Update Notes.ini in order to reflect these changes. The Notes.ini is located in the Domino binaries folder.

  o STDBFileName
    This parameter specifies the location of the Vacman Middleware for Lotus Domino application database. This database resides in the Domino data directory or one of its subdirectories.

    Example: STDBFileName=Vacman\VascoKey.nsf

  o STDBServer
    This parameter specifies the hierarchical name of the Domino server where the active application database resides.

    Example: STDBServer=Acme/SVR/Comp

  o STDebugLevel
    This numeric parameter specifies the amount of logging to the Domino log file and console that will be generated by the DSAPI filter.

    Example: STDebugLevel=0 (no logging at all; up to 63, where the log is full)

  o CheckCacheBeforeDSAPI=1
    This parameter is only related to the Lotus Domino fix to Issue #SPR MBAB4MKP9C in the Lotus Knowledge Base, in order to allow consistent DSAPI filter behavior; please refer to the Lotus Domino Knowledge Base for further details.
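As an added example (not VASCO’s or IBM’s code), the following Python script parses a Notes.ini and checks the four parameters above for the constraints this guide states: a database path relative to the Domino data directory, a hierarchical server name, a debug level between 0 and 63, and CheckCacheBeforeDSAPI set to 1. The Notes.ini content is constructed for the example; the flat KEY=VALUE layout and case-insensitive key matching are assumptions about the file format.

```python
"""Audit the Notes.ini keys this guide adds for the DIGIPASS Plug-in for Lotus Domino.
Added example, not VASCO's or IBM's code. Notes.ini is a flat KEY=VALUE file (a leading
[Notes] line, no other sections); keys match case-insensitively. Sample is constructed."""
import re

# Constructed sample of a Domino Notes.ini after the edits described in the guide.
SAMPLE_NOTES_INI = r"""[Notes]
Directory=C:\Lotus\Domino\data
STDBFileName=Vacman\VascoKey.nsf
STDBServer=Acme/SVR/Comp
STDebugLevel=0
CheckCacheBeforeDSAPI=1
"""

def parse_notes_ini(text):
    """Return {UPPERCASE_KEY: value}; skips blanks, ';' comments and the [Notes] line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings

def audit_notes_ini(text):
    """Return a list of findings; an empty list means the four plug-in keys look sane."""
    s = parse_notes_ini(text)
    findings = []
    db = s.get("STDBFILENAME")
    if db is None:
        findings.append("STDBFileName missing: the DSAPI filter cannot locate the plug-in database")
    else:
        # The guide places the database in the Domino data directory or a subdirectory,
        # so reject absolute paths and any '..' component that would climb out of it.
        if re.match(r"^([A-Za-z]:|[\\/])", db) or ".." in re.split(r"[\\/]", db):
            findings.append(f"STDBFileName={db}: must be a path relative to the Domino data directory")
        if not db.lower().endswith(".nsf"):
            findings.append(f"STDBFileName={db}: expected a Notes database (.nsf)")
    server = s.get("STDBSERVER")
    if server is None or "/" not in server:
        findings.append(f"STDBServer={server}: expected a hierarchical name such as Acme/SVR/Comp")
    level = s.get("STDEBUGLEVEL")
    if level is None or not level.isdigit() or int(level) > 63:
        findings.append(f"STDebugLevel={level}: must be an integer from 0 (no logging) to 63 (full log)")
    elif int(level) > 0:
        findings.append(f"STDebugLevel={level}: DSAPI debug logging to the Domino log and console is on")
    if s.get("CHECKCACHEBEFOREDSAPI") != "1":
        findings.append("CheckCacheBeforeDSAPI should be 1 for consistent DSAPI filter behaviour")
    return findings

if __name__ == "__main__":
    for finding in audit_notes_ini(SAMPLE_NOTES_INI) or ["Notes.ini plug-in settings look sane"]:
        print(finding)
```

Run it against the real Notes.ini after the edits and again after the installation has been verified, when STDebugLevel should be back at 0.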


• Add DSAPI in the server document so that an authentication request will be handled by VASCO dynamic authentication. To add a DSAPI filter, open Lotus Notes Administrator, go to the Configuration tab, browse ‘All Server Documents’ and select the server document. Switch to edit mode and add the DSAPI filter name (ndpld.dll) in the HTTP part.

Adding DSAPI filter

Verify that the Domino hierarchical name is properly resolved into an IP address. This may be achieved by using Domino connection documents, DNS entries, hosts files, or by specifying the IP address or FQDN of the Windows machine that runs the Domino software. In the screenshot the name resolution is achieved by entering the FQDN of the Windows machine in the server document (tab Ports/Notes Network Ports).


• Select System/Licenses and click the action Tools/New license to create a new license document. In case of a demo license, the serial number can be found in the README.TXT provided with the package.

First open the Plug-in for Lotus Domino configuration database, go to Parameter and Licensing and, in the TOOLS option, select ‘Generate activation request’.

License settings in Application


• Use the Activation Request Code to obtain a license by sending the request together with the Virtual IP to VASCO Support at [email protected].

Once the licensing process is completed, your Plug-In for Lotus Domino is fully installed and ready to run. Restart the HTTP daemon using these commands in the Lotus Console:

  TELL HTTP QUIT
  LOAD HTTP

Result of a HTTP task restart


Application Parameters Details

• Save and close the application profile. Navigate to the “Tokens > All” section in the navigator and click the action button Tools > Import tokens.


If you use the demo.dpx, the application name will be ‘APPLI 1’ and the Initialisation Key will be ‘11111111111111111111111111111111’ (32 times 1).

Import a DPX file.

Import a DPX file successful.


• You can now list the free DIGIPASS present in your database, select one and assign it to a user (Tools > Options > Assign).

Detail of a DIGIPASS Assignment

DIGIPASS list with users assigned.


Launch your browser and enter the URL of a protected Lotus Domino document; the session authentication form (or the authentication popup) will appear.

Session Based Authentication screen and Basic Authentication popup.

Enter your regular user ID and the One-Time Password generated by your DIGIPASS instead of the static password.

The authentication process is safe from now on thanks to the VASCO dynamic authentication scheme. Only “Response Only” operating modes are supported by the Plug-in for Lotus Domino. Please contact your Vasco representative, or visit the Vasco Web site, for further details about DIGIPASS operating modes.

For more info

BOSTON (North America) – phone: +1.508.366.3400 – email: info-usa@vasco.com

SYDNEY (Pacific) – phone: +61.2.8061.3700 – email: info-australia@vasco.com

SINGAPORE (Asia) – phone: +65.6323.0906 – email: info-asia@vasco.com

BRUSSELS (Europe) – phone: +32.2.609.97.00 – email: info-europe@vasco.com

www.vasco.com

About VASCO

VASCO designs, develops, markets and supports patented DIGIPASS®, DIGIPASS PLUS®, VACMAN®, IDENTIKEY® and aXs GUARD® authentication products for the financial world, remote access, e-business and e-commerce. With tens of millions of products sold, VASCO has established itself as the world leader in Strong User Authentication for e-Banking and Enterprise Security for blue-chip corporations and governments worldwide.


5. Supported platforms and configurations

The current version of the Plug-in for Lotus Domino has been tested on Windows 2000 Server, 32-bit Windows Server 2003 and 32-bit Windows Server 2008 for Intel platforms.

The software requires a Domino 5.X, 6.X, 7.X or 8.X server and administrative workstation. Due to a known issue (see Lotus Knowledge Database nr 187794), the DSAPI filter does not run in releases 5.0.7 and 5.0.8.

Lotus Domino 6 may be configured in 3 modes:
• A - basic authentication
• B - session-based authentication, single server
• C - session-based authentication, multi server

Option B is not supported, but you can configure option C, even if you are working in a single-server environment.

6. Conclusion

Lotus Domino with the Plug-In for Lotus Domino authentication solution provides roaming users with easy-to-deploy, secure access to corporate published applications anywhere, anytime, anyhow.
