Académique Documents
Professionnel Documents
Culture Documents
Agenda
Configuration Best Practices Hints and Tips Self Service Password Reset Authority Best Practices
Planning ID Vault
Youll want to have the following information available when configuring your ID Vault[s]
How many [different] ID Vaults will you need for your environment? How many replicas of a single ID Vault will you have available?
What servers will host these replicas?
Whose ID files will be stored in each vault? Who will need to Administer the ID Vault? Who will need to reset passwords for users? Will you be implementing the Self-Service password application?
How many [different] ID Vaults will you need for your environment?
ID Vaults can not [currently] span multiple Domino Domains.
A Domino Domain is defined as a group of users and servers which share a single Domino Directory. A Domino Domain is not impacted by multiple OU/Orgs or DNS Domains [aka DNS Suffixes].
How many [different] ID Vaults will you need for your environment?
Consider a company with users spread across multiple continents.
It doesnt make sense to have users in Europe/Asia accessing an ID Vault based in the US. Especially if this is a costly or unreliable link. If you have a single vault and place a replica in the US and a Replica in Europe/Asia, you cannot guarantee that the US users will be accessing the US replica of the vault. Having a multiple ID Vaults, in US and Europe and/or Asia ID allows control over what ID Vault servers clients connect to.
How many [different] ID Vaults will you need for your environment?
Within a domain, users are assigned to vaults based on Policies.
In order to have multiple vaults in a single domain, there needs to be a way to assign different users to different vaults via policies.
Well cover some strategies for this tomorrow in our policy Best Practices Discussion Bottom line, if there is not an easy way to divide users based on policies, it may not be easy to assign/maintain multiple vaults.
How many [different] ID Vaults will you need for your environment?
What can't I do with multiple ID Vaults in the same Domino Domain?
The Password Reset Authority is Cross Certified at an OU/Org layer. If a users from a single OU/Org are assigned to different ID Vaults, it is NOT possible to assign a person Password Reset Authority for one vault and not the other.
Example:
You would like your Tier 1 Help Desk to have the ability to reset passwords for users. You do not want your Tier 1 Help Desk to be able to reset passwords for Executives and Domino Administrators While it makes sense to have multiple vaults for this purpose, Password Reset Authority is NOT configured on a per vault basis. This can only be accomplished by having a separate OU/Org for Executive and/or Administrators and does not require an additional ID Vault.
How many [different] ID Vaults will you need for your environment?
Another possible justification for multiple ID Vaults in a single Domino Domain
Significant number of users in a single domain No hard stats/numbers but as Domino Administrators you know:
At a certain point, databases start taking longer to backup and run maintenance on Certain size databases/number of documents can become more susceptible to corruption and other issues. As Domino Administrators, you should be familiar with these types of limits relative to your own environments.
My own personal experience as FSS, customers with 30-45K users have successfully enabled ID Vault with a single instance [multiple replicas] of an ID Vault.
This is only a considerable factor if you have around or more than this number of users. Not specific to ID Vault, just overall factors such as Database size, number of documents etc.
Your worst-case scenario if ID Vault were unavailable is that a password change may not get picked up by a client.
Each company needs to evaluate their own worst-case scenario For most environments, 3 Vault Replica servers should be sufficient.
Primary, Backup, Disaster Recovery
An ID vault outage may mean several users being unable to login/access Lotus Notes
Can you assure that the replicas on Server 1 and Server 2 are consistent and have replicated between the user moving machines ? Can you configure this type of replication for all of the home servers in your environment. Some customers Ive visited have had difficulties keeping their names.nsf and admin4.nsf [and other databases like events4.nsf] replicating frequently and consistently in their environments.
Imagine having a 5 minute threshold to keeping every replica of ID Vault in synch across all of your servers. This can get quite messy when more than 3-4 [replica] servers are involved and they may not all be in the same cluster.
Dont Do That
A users ID File has to be included in an OU/Org which is ALLOWED [cross certified] with an ID Vault The ID Vault needs to included in a policy which is assigned to that user.
It may be the case that an OU/Org level policy is being used, in which all users of a specific OU/Org would always meet both criteria, however it does not have to work out that way.
Regardless of which OU/Orgs you select, NOTHING will be vaulted until you configure a policy.
The policy DOES NOT have to be an OU/Org level policy.
Select any OU/Org which is applicable to users that will be vaulted during the Vault Setup.
This is ONLY for security purposes, think What OU/Orgs are ALLOWED to use this vault
Give other users permission to extract IDs from the vault with the Auditor Role Access/Open the Vault Database
You need manager access in the ACL of the ID Vault Database to assign the Auditor Role to other users. This is controlled via the ID Vault Database ACL Note: Most functionality does not require opening the vault database, however if someone did need to open the vault database, they DO NOT need to be configured as a vault administrator. As long as the users OU/Org is cross certified with the ID Vault, any Administrator with permission to create/modify policies, can assign additional users to an ID Vault.
Cross certify additional OU/Orgs to be cross certified with the ID Vault. Create/remove additional vault replica Servers
Note: Always use the Administration Client Manage ID Vault to create/remove ID Vault Replica Servers. Do not manually create or remove replicas of the ID Vault.
Add/Remove OTHER Vault Administrators Be VERY careful when assigning Vault Administrators
Keep Security and Accountability in Mind
Most customers usually will have one list of people who will need to reset passwords for an entire Org.
There exists the ability to assign specific lists of people the ability to reset passwords for a specific OU/Org and NOT allow them to reset password for other OU/Orgs IF you have such a requirement.
The group will be expanded [at the time of configuration] and cross certificates will be created for all of the current members of that group. This is NOT a dynamic function. Users removed from a group WILL not have their cross certificates revoked. Users added to a group will not have cross certificates created for them. A Vault Administrator is responsible for maintaining the password reset authority.
Summary of Configuration
The previous slides should help to walk through the ID Vault Configuration steps.
Thee steps can be re-accessed at any time and modified by a Vault Administrator Always use the Admin Client Vault Administrator when making changes to Vault Configurations
Do not try to manually create/delete vault related cross certificates.
Configuration Questions?
The auditor sets THEIR own password on the extracted copy of the ID file which DOES NOT synch with the ID Vault. Using this process to recover ID files for users, means you are providing them with a copy of their ID file which DOES NOT synch with the ID Vault.
The user [or someone acting on behalf of the user] should use the download process to have a proper ID file created from the ID Vault. Note: The attachment files within the ID Vault Database Documents are not valid ID files when attempting to directly detach.
The only way to obtain a working valid copy of a users ID file is through the download process.
Service ID files:
As a Domino Administrator, you want to vault the ID for backup, recovery and reset purposes. End users dont want the password to synch across all of their copies.
Usually used to run an agent or a service-type machine may use the ID file to generate email.
These are also ID files Domino Administrators may want to vault, however not have actively synching to avoid potential software interaction issues.
Once the ID file is harvested, go into the ID vault and mark the ID file inactive. Inactive prevents the ID file from being synched with multiple copies.
Allows a vaulted copy of the ID file to be retained/backed up etc as part of the ID Vault
Validation
If HTTP Password synching is enabled, and users forgot or do not know their Notes password, they likely may not know their http password as well. Consider using a 3rd party LDAP system, Security Question Model, Authorization Number Model etc
A password reset will fail with the ID Vault if the new password does not meet password requirements including: Your application needs to validate that the password qualities are being met properly, or the password reset will fail on the back-end and the user may not be aware or understand why
Custom Password Requirements