Vasco Digipass Plug-In Lotus Domino, M&S Installation guide

Category
Security management software
Type
Installation guide

www.VASCO.com
www.vasco.com
The world’s leading software company specializing in Internet Security
Quick Installation Guide:
DIGIPASS Plug-in for Lotus Domino
© 2007 - 2008 VASCO Data Security. All rights reserved. Page 2 of 18
Table of Contents
1. Overview
2. Problem Description
3. Solutions
3.1 Lotus Domino Replication
Features
Disadvantages
3.2 Lotus Domino Web Access
Features
4. Technical Concept
4.1. General Overview
4.2. Configuration of Lotus Domino
5. Supported platforms and configurations
6. Conclusion
About VASCO
For more info
Disclaimer
Disclaimer of Warranties and Limitation of Liabilities
All information contained in this document is provided ‘as is’; VASCO Data Security assumes no responsibility for
its accuracy and/or completeness.
In no event will VASCO Data Security be liable for damages arising directly or indirectly from any use of the
information contained in this document.
COPYRIGHT
© VASCO Data Security 2007 - 2008. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any
means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of
VASCO Data Security.
TRADEMARKS
DIGIPASS and VACMAN are trademarks of VASCO Data Security.
All other trademarks are trademarks of their respective owners.
1. Overview
The purpose of this document is to show how the Plug-In for Lotus Domino can easily enhance the security of your
roaming users connecting to their Lotus Notes data using Domino Web Services. This guide is one example of how
the plug-in may be installed; other, more advanced configurations are possible.
2. Problem Description
Most people need to access data for their work anytime, from anywhere, using the most global network, the
Internet. It is a perfect tool for roaming users but is also very well known for its security weaknesses.
Vasco’s goal with this Plug-In for Lotus Domino is to secure the authentication of roaming users so that their
credentials cannot be reused or hacked.
The weakest link in any security infrastructure is the use of static passwords, hence there is a need for strong user
authentication based on two factors: something you have and something you know.
3. Solutions
Lotus Domino allows remote users to access their Lotus Domino databases (such as email, pricelist, corporate
application etc.) using a web interface.
In order to allow users to remotely access their Domino documents, such as mails or Notes data, there are several
solutions listed below.
3.1 Lotus Domino Replication
Lotus Notes users can create a local replica of their mail file on their laptop, using either a direct dial-up
connection or the Internet.
This method uses the regular Notes ID File to provide the secured environment.
FEATURES
•Fullaccesstothemaille
•Secure:communicationmaybeencrypted.AccesstothedatabaseisprotectedbytheLotusDominosecurity
integrated mechanism
DISADVANTAGES
•Mayonlybeusedfromtheuser’sPC.CannotbeusedfromanInternetkioskPC
•MakinganInternetconnectioncouldbetoodifcultfortheaverageend-user.ThePCmuststillbeconnected
to a phone line or to a LAN. An Internet POP must be known. The user must have an account with the foreign
Internet Service Provider. TCP/IP settings must be configured
•Replicationmaytaketoomuchtime
•IfDialupsolutionisinvolved,otherdisadvantagesappears:
o Connecting a PC to a phone line may be too difficult for the average user, especially when traveling to foreign
countries
o High communication costs
o It is not always possible to connect a PC to a phone line in a hotel room
o The Domino server requires a dedicated modem pool
3.2 Lotus Domino Web Access
Accessing a Domino server over HTTP is a very good option in terms of deployment ease and costs. However, such
a solution does not use the standard Notes security model. Instead of a Notes user ID, a simple username and
password model is used. This limits the security of the system, and security-focused companies are not willing
to expose employees’ mail files to the web when they are protected only by a static password.
With the Vasco Plug-In for Lotus Domino, roaming users can access protected resources using their Web Access UserID
and rely on the genuine Lotus Notes Access Control List. The Vasco solution proposes to use a dynamically generated
One-Time Password instead of any static password.
You can still enforce the security model with server-based certificates.
FEATURES
• Easy access to the full mail file from any Internet connected PC: public PC, PC from a customer or supplier, hotel
room television. No need to install any file on the client. Cookies are not required
• Low communication charges
• No need to replicate: just open the mail messages you need to read
• Easy to use: most people know how to use a browser
• Secure access: data flow is encrypted, server’s identity guaranteed by SSL, random passwords
• No agents or mail rules required on the Domino server
• No risk of infinite mail loops. All mail is kept on the Domino server located in the DMZ
• Complete mail history: the end-user is always using the same mail file. All received and sent messages are kept in a
single file
• Compatible with standard and session based authentication
• Selective deployment is possible: not all users using HTTP access must have a Vasco token
• Based on proven Vasco technology
• Scalable solution – pay as you grow
• Compatible with 5.X, 6.X, 7.X and 8.X servers
• No user training required
• May be used with any Domino directory configuration: single directory, multiple directories, directory assistance
• The Plug-In for Lotus Domino is active during the authentication phase. Once authenticated the Domino security
model protects all resources: ACL, realm settings, file access parameters, …
• May be used to protect the access to any Notes database – not just the mail file
• No need to modify the firewall. Only http or https traffic flows between the user and the server
Hence, the Plug-In for Lotus Domino will secure HTTP(S) based authentications so that remote users can access their
Domino applications, databases or mailbox safely.
By using DIGIPASS patented technology, you eliminate the weakest link in any security infrastructure: the use of static
passwords that are easily stolen, guessed, reused, or shared.
It can be deployed as a small hand-held device, as a smart card reader, as software for computers, laptops, PDAs or
cell phones.
4. Technical Concept
4.1. General Overview
The Plug-In for Lotus Domino mainly resides in a Lotus Domino (.nsf) database for administration tasks (such as
DIGIPASS import, assignment etc.). Some runtimes will be executed when accessing a Notes database via the Web
interface. The runtimes are called by the Domino HTTP task when the credentials of a web user must be validated.
When the user is authenticated by the Vasco runtimes he may access all Domino resources in the traditional way.
Administrative task rights rely on Lotus Notes embedded ACLs, as well as further NSF consultations or updates. The
Plug-In for Lotus Domino solution is 100% Domino based. There is no need to install any additional hardware or software.
4.2. Configuration of Lotus Domino
•CopytheHelpDatabase(.nsf)andtheVascoPlug-inforLotusDominotemplate(.ntf)intotheLotusClient
working directory, ideally it should be at the DATA root of the Domino server.
•OpentheLotusAdministratoranduseittoopentheLOCALserver.
[Figure: general overview diagram. Labels: User, HTTP, HTTPS, Lotus Domino, HTTP Service, VASCO Runtimes, VASCO NSF Database, NSF Documents]
•SelecttheFILEtabandselectdatabasestosign.
•SelectTOOLSintherightpanetheninthedocumentbase,selectSIGN.
©2007-2008VASCODataSecurity.Allrightsreserved. Page6of18
www.VASCO.com
www.vasco.com
•SelecttheActiveUserIDtosigntheNSFandvalidateallconrmations.
•LaunchLotusDesigner,opentheVascoPlug-inforLotusDominotemplate(.ntfle)andsettheproperACLforit,
using the File/Database/Access Control menu.
•CreateanNSFBasefromthetemplate:
o Launch Lotus Notes Client, Go to File/Database/New menu,
o Select From Template, browse to the Vasco Plug-in for Lotus Domino Template
© 2007 - 2008 VASCO Data Security. All rights reserved. Page 7 of 18
www.VASCO.com
www.vasco.com
•ThePlug-inforLotusDominocongurationdatabasewillopenandallowyoutogofurtheronintheprocess.
•SelectFile/Database/AccessControlandsetyourAdminRoles.
© 2007 - 2008 VASCO Data Security. All rights reserved. Page 8 of 18
www.VASCO.com
www.vasco.com
•InstallRuntimelibraries
To install runtime libraries you have to detach them from the DIGIPASS Pack for Lotus Domino database to the
specified folders, such as c:\lotus\notes and c:\lotus\domino. Select System/Installation from the navigator.
Thedocument‘RuntimeFiles’containstherequiredruntimelibraries.
Detaching Runtimes files and saving them to relevant folders.
© 2007 - 2008 VASCO Data Security. All rights reserved. Page 9 of 18
www.VASCO.com
www.vasco.com
•UpdateNotes.iniinordertoreectthesechanges.TheNotes.iniislocatedinDominobinariesfolder.
o STDBFilename
This parameter specifies the location of the Vacman Middleware for Lotus Domino application database.
This database resides in the Domino data directory or one of its subdirectories.
Example:STDBFileName=Vacman\VascoKey.nsf
o STDBServer
This parameter specifies the hierarchical name of the Domino server where the active application
database resides.
Example: STDBServer=Acme/SVR/Comp
o STDebugLevel
This numeric parameter specifies the amount of logging to the Domino log file and console that will be
generated by the DSAPI filter.
Example:STDebugLevel=0(nologgingatallupto63wherelogisfull)
o CheckCacheBeforeDSAPI=1
ThisparameterisonlyrelatedtotheLotusDominoFixtoIssue#SPRMBAB4MKP9CinLotusKnowledge
BaseinordertoallowaconsistentDSAPIltersbehavior,pleaserefertotheLotusDominoKnowledgebase
for further details.
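A quick way to check these four Notes.ini entries before restarting the HTTP task, as an added example (not VASCO's code). It assumes Notes.ini key names are compared case-insensitively, and the sample file content is constructed from the example values above.

```python
import re

# Constructed sample: the guide's example values, with full debug logging
# left on and the CheckCacheBeforeDSAPI line forgotten.
SAMPLE_INI = """[Notes]
STDBFileName=Vacman\\VascoKey.nsf
STDBServer=Acme/SVR/Comp
STDebugLevel=63
"""

def parse_notes_ini(text):
    """Return {lowercased key: value}; a later duplicate overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Assumption: key names are compared case-insensitively.
        settings[key.strip().lower()] = value.strip()
    return settings

def check_plugin_settings(text):
    """Return a list of findings for the four parameters described in the guide."""
    s = parse_notes_ini(text)
    findings = []
    db = s.get("stdbfilename", "")
    if not db:
        findings.append("STDBFilename missing")
    else:
        # The database must sit in the Domino data directory or a subdirectory,
        # so a drive letter, a leading slash or a '..' component is wrong.
        if re.match(r"[A-Za-z]:|[\\/]", db) or ".." in re.split(r"[\\/]", db):
            findings.append("STDBFilename is not relative to the data directory")
        if not db.lower().endswith(".nsf"):
            findings.append("STDBFilename does not name an .nsf database")
    if not s.get("stdbserver"):
        findings.append("STDBServer missing")
    level = s.get("stdebuglevel", "")
    if not re.fullmatch(r"[0-9]{1,2}", level) or int(level) > 63:
        findings.append("STDebugLevel must be a number from 0 to 63")
    elif int(level) > 0:
        findings.append("STDebugLevel=%s: DSAPI filter logging is enabled" % level)
    if s.get("checkcachebeforedsapi") != "1":
        findings.append("CheckCacheBeforeDSAPI=1 not set")
    return findings

if __name__ == "__main__":
    for finding in check_plugin_settings(SAMPLE_INI):
        print(finding)
```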
• Add DSAPI in server document so that an authentication request will be handled by VASCO dynamic
authentication. To add a DSAPI filter, open Lotus Notes Administrator, go to the Configuration Tab, browse in ‘All
server Documents’ and select ‘Server Document’.
Switch to edit mode and add the DSAPI filter name (ndpld.dll) in the HTTP part.
Adding DSAPI filter
Verify that the Domino hierarchical name gets properly resolved into an IP address. This may be achieved by using
Domino connection documents, DNS entries, host files or by specifying the IP address or FQDN of the Windows
machine that runs the Domino software. In the print screen the name resolution is achieved by entering the FQDN
of the Windows machine in the server document. (tab Ports/Notes network ports)
• Select system/licenses and click the action Tools/New license to create a new license document. In case of a
demo license, the serial number can be found in the README.TXT provided with the package.
First open the Plug-in for Lotus Domino configuration database, go to Parameter and Licensing, in the TOOLS
option, select ‘generate activation request’
License settings in Application
• Copy this Activation request and go to https://www.vasco.com/dpdomino/licensing.
Fill in the form and you will receive a LICENSE.DAT File that you will be able to import and activate.
Licensing web page
Once the licensing process is completed your Plug-In for Lotus Domino is fully installed and ready to run.
RestartHTTPdaemonusingthesecommandsintheLotusConsole:
TELLHTTPQUIT
LOAD HTTP
Result of a HTTP task restart
• In APPLICATION PARAMETERS, update the information fields in order to be able to import correctly the DIGIPASS
definition files (.DPX)
Application Parameters Details
• Saveandclosetheapplicationprole.Navigatetothe“tokens>allsectioninthenavigatorandclickthe
actionbuttonTools>Importtokens.
© 2007 - 2008 VASCO Data Security. All rights reserved. Page 14 of 18
www.VASCO.com
www.vasco.com
Ifyouusethedemo.dpx,theapplicationnamewillbe‘APPLI1’andtheInitialisationKeywillbe
‘11111111111111111111111111111111’ (32 times 1).
Import a DPX file.
Import a DPX file successful.
©2007-2008VASCODataSecurity.Allrightsreserved. Page15of18
www.VASCO.com
www.vasco.com
•YoucannowlistthefreeDIGIPASSpresentinyourDatabase,selectoneandassigntoauser(Tools>Options>Assign).
Detail of a DIGIPASS Assignment
DIGIPASS list with users assigned.
©2007-2008VASCODataSecurity.Allrightsreserved. Page16of18
www.VASCO.com
www.vasco.com
LaunchyourBrowserandentertheURLofaprotectedLotusDominodocument,thesessionAuthenticationform(orthe
Authentication popup) will appear.
Session Based Authentication screen and Basic Authentication popup.
EnteryourregularuserIDandtheOne-TimePasswordgeneratedbyyourDIGIPASSinsteadofthestaticpassword.
TheauthenticationprocessissafefromnowonthankstotheVASCOdynamicauthenticationscheme.Only“ResponseOnly”
operating modes are supported by the Plug-in for Lotus Domino. Please contact your Vasco representative, or visit the Vasco
Web site for further details about DIGIPASS operating modes.
© 2007 - 2008 VASCO Data Security. All rights reserved. Page 17 of 18
www.VASCO.com
www.vasco.com
5. Supported platforms and configurations
The current version of the Plug-in for Lotus Domino has been tested on Windows 2000/2003 for Intel platforms.
The software requires a Domino 5.X, 6.X, 7.X or 8.X server and administrative workstation.
Due to a known issue - see Lotus Knowledge Database nr 187794 - the DSAPI filter does not run in releases 5.0.7 and
5.0.8.
Lotus Domino 6 may be configured in 3 modes:
A-basic authentication
B-session based authentication single server
C-session based authentication multi server
Option B is not supported, but you can configure option C, even if you are working in a single server environment.
6. Conclusion
Lotus Domino with Plug-In for Lotus Domino authentication solutions provides roaming users an easy to deploy and secure
access to corporate published applications anywhere, anytime, anyhow.
VACMAN®, IDENTIKEY®, aXsGUARD®, and DIGIPASS® are registered trademarks of VASCO Data Security. All trademarks or trade names are the property of their respective owners.
VASCO reserves the right to make changes to specifications at any time and without notice. The information furnished by VASCO in this document is believed to be accurate and reliable.
However, VASCO may not be held liable for its use, nor for infringement of patents or other rights of third parties resulting from its use. © 2007 - 2008 VASCO. All rights reserved.
About VASCO
VASCO designs, develops, markets and supports patented DIGIPASS user authentication products for the financial world, remote access, e-business
and e-commerce.
With tens of millions of DIGIPASS products sold, VASCO has established itself as a world leader for Strong User Authentication for e-Banking and
Enterprise Security for blue-chip corporations and governments worldwide.
For more info
BOSTON (North America)
phone: +1.508.366.3400
SYDNEY (Pacific)
phone: +61.2.8920.9666
SINGAPORE (Asia)
phone: +65.6323.0906
BRUSSELS (Europe)
phone: +32.2.609.97.00