Sunday, November 6, 2011

Setting up ID Vault operations in Notes/Domino 8.5

ID Vault in Lotus Notes/Domino 8.5 solves many problems found in the previous password recovery feature. Given the interest in the ID Vault, this tip details how to set up the ID Vault from scratch and documents all the steps. You'll find detailed instructions for several ID Vault operations -- including how to store new and existing users in the vault and how to reset a password -- as well as the solutions to gotchas I encountered along the way.
I set up the ID Vault on a Linux/Domino 8.5 server, using Domino Administrator 8.5.1 on Windows. After creating the vault, I stored some ID files in the vault, then used the vault to recover an ID file and reset a password.

  To create the ID Vault  

  1. From Domino Administrator, choose File -> Open Server to select the target server.

  2. Go to the Configuration tab and choose ID Vaults -> Create, on the far right side, which starts a very helpful wizard to guide you through the whole process.

  3. Set the Notes ID Vault Name to something short and simple. This will be the name of a new organization certifier, which will manage the vault. Something like AcmeVault works well enough.

  4. Set the description of the ID Vault. This will become the database title of the vault .nsf file. You can use something like Acme Corp ID Vault.

  5. Set a strong and secure vault password. Next, make sure the vault server is correct.

  6. Your name will automatically be listed as one of the vault administrators. Normally, you'd want to add some other administrators, unless you work for a very small organization. These administrators will be able to control the vault itself, specifically adding and removing other administrators. This is not the list of people who can reset a password; that will come later in the tip.

  7. Select the organizations that will trust this vault by choosing their certifier ID files. Usually, this is your top-level organization, such as /Acme. But it may also be one or more of your organization units, such as /Accounting/Acme or /IT/Acme.

  8. Be sure to choose only specific organizational units if you're setting up other ID vaults for other organizational units. Note that you must have the certifier ID for the organization(s) and know their passwords.

  9. Individual users are assigned to an ID Vault by the Security Settings document within the relevant policy. The next step allows you to perform this setup with several options, depending on whether you already have an organization policy, want to start a new policy or would like to set up the policy later. I chose to create a new policy for my entire organization.

  10. The last screen of the wizard displays all the choices you've made, so you can double-check them before any real action is taken. Some of the choices cannot be undone later, so be sure to read the screen carefully.

  11. After verifying your choices, press the button to create the ID Vault. During this process, you'll be asked to find the certifier IDs and to enter their passwords.

  12. The wizard creates an on-screen log file of its work, with the option to copy the entire text to the clipboard when it's done. I suggest copying it, then saving the log somewhere for later reference.

  To store a new user ID in the vault  

  1. Make sure that the relevant policy -- in my case, a single organization-wide policy -- contains settings documents for both registration and security. Also make sure that the security settings document specifies the ID Vault. By default, the built-in ID Vault wizard creates a policy without registration settings. Note: This caused a new user registration to fail during my test. The fix was simple. I added a standard registration settings document to the organization policy containing two entries: a setting name and the server name.

  2. New users will now automatically have their ID files uploaded to the ID Vault during the user registration process.

  To store an existing user ID in the vault  

  1. Make sure that existing users are covered by a policy -- in my case a single organization-wide policy -- and that this policy contains a security setting which specifies the ID Vault.

  2. When the above condition is met, existing user ID files will be uploaded to the ID Vault automatically.

  3. Be aware that Notes/Domino does not immediately upload existing ID files to the vault. The client and server work together to perform the upload on a reasonable schedule, so that the server doesn't get swamped when a new vault is created.

  4. You can force an ID file to be uploaded immediately by switching IDs on a workstation, then switching back to the original ID.
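Because existing IDs are uploaded on the client's own schedule, it helps to verify coverage rather than assume it. As an added example (not code from the original post), this LotusScript agent walks the People view of the Domino Directory and reports which users do not yet have an ID in the vault. It assumes the NotesIDVault class available from Notes/Domino 8.5.1 onward; the server name AcmeServer/Acme is a placeholder.

```lotusscript
' Added example, not code from the original post: audit which Person
' documents in the Domino Directory already have an ID file in the vault.
' Assumes the NotesIDVault class (LotusScript, Notes/Domino 8.5.1 and later)
' and that the agent runs under an ID that can read the vault server.
Sub Initialize
    On Error Goto ErrHandler
    Dim session As New NotesSession
    Dim vault As NotesIDVault
    Dim dirDb As NotesDatabase
    Dim people As NotesView
    Dim doc As NotesDocument
    Dim userName As String, serverName As String
    Dim inVault As Boolean, errored As Boolean
    Dim vaulted As Integer, missing As Integer, unknown As Integer

    serverName = "AcmeServer/Acme"   ' assumption: replace with your ID Vault server
    Set vault = session.GetIDVault(serverName)
    Set dirDb = session.GetDatabase(serverName, "names.nsf", False)
    If dirDb Is Nothing Then
        MessageBox "Cannot open the Domino Directory on " & serverName
        Exit Sub
    End If
    Set people = dirDb.GetView("People")

    Set doc = people.GetFirstDocument
    Do While Not doc Is Nothing
        ' FullName(0) is the user's canonical hierarchical name
        userName = doc.FullName(0)
        errored = False
        inVault = vault.IsIDInVault(userName, serverName)
        If errored Then
            unknown = unknown + 1
        ElseIf inVault Then
            vaulted = vaulted + 1
        Else
            missing = missing + 1
            ' Either not covered by a security settings document that names
            ' the vault, or the client has not yet uploaded the ID on its schedule.
            Print "Not yet in vault: " & userName
        End If
        Set doc = people.GetNextDocument(doc)
    Loop
    Print "In vault: " & vaulted & ", not in vault: " & missing & ", errors: " & unknown
    Exit Sub
ErrHandler:
    Print "Error " & Err & " checking " & userName & ": " & Error$
    errored = True
    Resume Next
End Sub
```

Run it from Domino Designer or the Administrator client after the vault has been in place for a while; names that still appear as "Not yet in vault" are the ones to check against the policy assignment.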

  To recover a lost ID file  

  1. To recover a lost ID file completely -- not just reset its password -- the administrator doing the recovery must have the [Auditor] role in the access control list (ACL) of the ID Vault database.

  2. Using the Domino Administrator client, select the name of the person with the missing ID file in the People view.

  3. On the right-hand side of the screen, under Tools -> ID Vaults, select Extract ID From Vault and follow the prompts. You should be able to override the default filename of the ID file, so that it's something like instead of

  To reset a Lotus Notes user's password  

  1. To reset the password of a Notes ID file, the person doing the reset must have password reset authority for that group of users. This is controlled by the ID Vault administrator and is set with Tools -> ID Vaults -> Password Reset Authority.

  2. Using the Domino Administrator client, select the name of the person who needs a password reset in the People view.

  3. On the right-hand side of the screen, under Tools -> ID Vaults, select Reset Password and follow the prompts.
Chuck Connell