Replay and Questions/Answers from the Open Mic "Lotus Domino ID Vault" call of October 22 2009

Abstract

This document contains a link to the replay and questions/answers from the Open Mic session about the Lotus Domino ID Vault, held on Thursday, October 22, 2009 at 10 AM Eastern Time (2:00 PM GMT).

Content

The IBM Lotus Domino team hosted an Open Mic Question and Answer session about the Lotus Domino ID Vault on Thursday, October 22, 2009 at 10 AM Eastern Time (2:00 PM GMT). This document contains a link to the replay and the questions/answers submitted prior to and during the call.

Link to the replay of the call (.mp3 file on FTP, 14.7 MB):
ftp://public.dhe.ibm.com/software/lotus/info/Domino/OpenMic-2009-10-22-ND-ID-Vault.mp3

Questions/Answers:
Q1 (forum): We are running Domino 8.0.2 on our production servers with a test server in the domain running 8.5. Is it possible to use ID Vault in this environment?
A1: You have to have clients and servers up to at least 8.5 to get the benefits of ID Vault. You can run in a mixed environment but those clients under 8.5 will not synchronize locally with what is in the vault.
Q2 (forum): An ID file in a mail file allows encryption and other functionality in DWA. Does ID Vault provide that same functionality? And is there a batch type process to import existing ID files into the vault?
A2: There is currently no existing API to allow ID files to be directly imported to ID Vault. There is no integration in 8.5 to allow DWA users to sync their ID file stored in their mail files with what is stored in the vault. In 8.5.1, there is a way through a policy to enable users to sync their ID file stored in a mail file with what is stored in the vault. There is more information about this in the Notes/Domino wiki.
Q3 (forum): We have about 3200 users using DWA 8.01 who do not have access to Notes. Can ID Vault be made to 'capture' the ID files for all these users? Our environment is version 8.01 across-the-board.
A3: You would have to upgrade servers to 8.5.1, apply a policy to all the DWA users to turn it on, and then at the first secure mail action in DWA by the user, the ID file will be sent to the vault at that point. Prior to 8.5.1, there is no way to integrate what is in the ID file stored in mail with what is stored in the vault. Pre-8.5 clients do not get the benefit of ID Vault.
Q4 (John): When you delete someone from the Domino Directory, is that person automatically deleted from the ID Vault?
A4: No, an administrator will have to go into the vault and mark that ID file as inactive which takes them out of certain views but maintains the ID file in the vault for auditor access.
Follow-up question: Can you recertify users directly in the vault?
Answer: During authentication, the ID on their desktop will be updated with the new certificate and then updated
Q5 (Jason): We use a third party product from HelpSoft and have ID files from registration go in that product's vault. In the new ID Vault in Notes 8.5, will we be able to integrate the existing ID files in the HelpSoft product with those that we have in the ID Vault database?
A5: Currently, the product has no way to do this. In 8.5.1, there are SDK APIs available to a couple of third party products. There are future ideas to build more SDK APIs to integrate and provision ID files but there are not actual plans for this to date. The third party product will not interfere with ID Vault but the customer is responsible for keeping the two in sync.
Q6 (Alex): Follow-up to the earlier DWA question: Is there a minimum template requirement? We have a few users on 6.5.6 clients on an 8.5.1 server. Will they be able to use ID Vault as well?
A6: As long as the Domino server is running 8.5.1 and the client has the policy assigned to them, it should sync if they are iNotes users.
Q7 (William): Using password recovery and ID Vault. Question is around users who have not finished the Client Configuration Wizard. For example, a user goes to a new computer with a roaming profile but they don't remember what his/her password is. It is in their roaming profile but they don't remember what it is. Will ID Vault handle this?
A7: Make sure the ID is uploaded to the vault from the first client they are on. Then when they move to the second machine, they can download the ID from the vault and use the password they just set when uploading it to the vault.
Follow-up scenario: I've got a teller who uses PC1. He changed the password and has already forgotten what he changed it to. He goes to PC2 at another location and can't remember it. Password recovery doesn't work because Client Configuration Wizard was never completed. If I were to click on the person's name, give them a new password and they go through the wizard, will that person be prompted to change the temporary password to allow the user who forgot his password to use it in the meantime?
Follow-up Answer: If the ID file is present in ID Vault similar to a new user being set up and an admin registered that user, and at that point stored a copy of the ID file in the vault, when the user goes to initially set up the client, he should be able to enter the password stored in the ID in the vault. But the user has no clue what the password is at this point. A manager or password resetter would have to reset it using the vault password and that will be pushed out.
Q8 (Joey): We just moved from 6.5.6 to 8.5 and were previously using ID storage by creating a database in which IDs were attached. We're moving to a password recovery process. If we move from password recovery to the ID Vault, what are the known differences and advantages of using ID Vault? Are there possibilities of password recovery not working?
A8: The old password recovery works independently of the Notes ID Vault so one will not cause a problem with the other. You can have both running at the same time. ID Vault allows you to reset user passwords and from the vault have IDs brought out from the central repository when needed. You don't have to search through the Recovery Repository database for ID files. You can quickly identify the user and use the admin tools for whatever is needed for that user. ID Vault should be much faster to get users back up and running if they lost their ID files or lost passwords. There are a number of improvements over previous mechanisms.
Follow-up question: If we are using both methods (ID Vault and a storage database), will it take a lot of work to sync and convert everything to the vault after the fact? How much work will it take to sync? Can we keep ID Vault, the database, and password recovery all at once?
Answer: You can maintain the old password recovery mechanism but all you have to do is set a policy setting so that when users access their 8.5+ servers, it will harvest their ID files. Leave the existing process in place and add ID Vault on top of it. When comfortable with ID Vault, you can remove any old ways of storing IDs.
Follow-up question: Is there documentation online about migrating?
Answer: There is no migration but we will post documentation to the forum after the call.
Q9 (John): This is a follow-up to the 3200 DWA users question: ID Vault will capture and sync ID files after the first secure mail action but our DWA users have no ID files and cannot do any encryption. We had a vendor come in who is no longer with us and have some evidence that ID files were created but stored on local laptops. However, the only ID files we have are admin IDs. We thought we could use ID Vault to capture all existing ID files and properly store them.
A9: There is no way to do this unless the ID file can be restructured to store in the vault. Specifically, the private keys must be captured and we cannot restructure them unless we have the private key. One thing to check is to see if the ID files are in the user mail files. If so, they can get uploaded to the vault. If those laptops belong to the vendor and they are now gone, ID Vault will not create the IDs for them. You must re-register those IDs.
Q10 (Colleen): This is a follow-up question about IDs not being deleted from ID Vault when they are deleted from the directory. We have a bunch of contractors and will run into problems where the same name is being used. Will the ID Vault be overwritten or will I be prompted?
A10: Clarification from earlier: When you delete a user from the directory, if the person is vaulted, you receive a dialog box with an option to delete the user from the vault, or you can mark them as inactive in ID Vault. If you run into problems with duplicate names, delete them from the vault instead of just marking them inactive. Marking them inactive allows the record for this person to be kept in case there are legal reasons down the road for an admin to use that ID file for some reason.
Follow-up question: When registering a new user and a name is chosen that already has been used, will I be prompted to create a new user name or will that name be overwritten. What will it do?
Answer: The new ID file won't make it into the vault because there is already an ID there by that name. You will receive an error that the ID file cannot be uploaded to the vault during the registration process. The ID Vault stores the hierarchical name but the file itself is called user.ID. If you change the hierarchical name on the ID, both can be stored in the vault.
Q11 (Mike): This is a follow-up to an earlier point: We have a valid Notes user list that is a subset of a valid computer list. We are given daily updates to this list. How much of the ID Vault is programmatically available for customization? We now use a homegrown process to make these changes to the valid list of users.
A11: You don't have to go into the vault to mark them inactive or delete. This can be done through the directory. The customer is using LotusScript which is circumventing the dialog box that asks whether to mark someone inactive or delete them. There is no current way to call from LotusScript to make changes to UI. We are entering an enhancement request because customization is not possible at this time. IBM does this through the UI. Pre-ID Vault was done by a set of agents, similar to what the customer is doing now.
Q12 (Victor): When IDs are created, they are stored with the user.ID so when the client is configured, the ID is pulled from the vault and loaded locally as user.ID. When the user changes the ID password, it is then pushed back to the vault?
A12: Yes. Any other 8.5 Notes clients will be able to sync their ID files. You only have to change it on one system and it will sync with the others. The name of the ID itself doesn't get uploaded, so if it is "user.ID" locally, it will store a keyfilename in the attachment in the vault so you don't have to worry about multiple user.IDs. The hierarchical name is what is important.
Q13 (William): Follow-up question: You said earlier that only ID Vault is needed from this point forward, but when users are offline when they need their password recovered, is the old password recovery used? [The panel asked the customer how he does this offline now.] Over the phone, the admin would offer the password to the user so he/she could download the ID.
A13: If offline, they would have to use a similar process.
Q14 (Alex): Certification authority issue with 8.5: The ID Vault would not automatically accept an ID file created from CA. Has this been fixed in 8.5.1?
A14: Yes, in 8.5.1, when you register new users using the certifier in the CA process, the ID files are uploaded to the vault. For users registered in 8.5, you must wait for the CA to sign the certificate, have the user authenticate to pull the certificate, and at that point if using ID Vault, the ID file will be harvested from the Notes client and pushed into vault.
Q15 (Rodney): Can the ID Vault process be used to help recertify users whose IDs expired?
A15: You can recertify users from the View level in the Directory and when that user goes to authenticate, it will automatically update the ID file on the desktop. This is no different with ID Vault. This already existed and still exists. [Panel is discussing; pause in the recording.] The user no longer has a local copy of the ID file on the client and ID Vault has gone stale because the certificate has expired. It will work if you recertify the user in the directory and now when the user accesses the mail server, the ID will get downloaded. During authentication, the ID Vault file will be updated with the new certification information and then synchronized. It doesn't get automatically recertified in the vault. The recertified ID file will make its way into the vault but it goes through the user's workstation to do it.
Q16 (Todd): Heard a reference in an earlier question about checking to see if an ID file is in the mail file. Customer never heard about how an ID file is embedded in the mail file. Please explain more.
A16: For iNotes/DWA users or offline users, when registered, they are given the option to upload the ID file to the mail file so when they access their mail from a browser they can do secure mail operations. This happens right at registration. This can also happen if a policy is set to allow integration and put the mail file in the vault, then at first action, can push to the mail file.
Q17 (Scott): We have Citrix users and their ID files reside on a network drive. Will ID Vault harvest their IDs?
A17: The location of the ID file is irrelevant as long as the notes.ini file on the client is pointing to a valid location.
Follow-up comment: Everybody seems to be harvesting except people running Citrix.
Answer: We are not aware of Citrix testing. Directed the customer to follow-up in the forum for any Citrix specific requirements. Perhaps there is something specific with Citrix.
Q18 (Bill): This is a follow-up to the earlier user.ID filename question: Our testing indicates that when an ID file is dropped from the vault to the client in which there is not already an ID, it comes down as user.ID and the keyfilename is changed from whatever it was (for example, shortname to user.ID). Is there a way to change this so that it maintains the original filename? And what happens when you get more than one person using that same PC?
Scenario: End user deleted his ID file. We have shared login turned on by a policy and when the user.ID file was not there, a new user ID file was deployed from the vault to the desktop (called user.ID). The notes.ini was changed to use the keyfilename
A18: We would expect that when the ID comes down, it would reflect the name of the user in the notes.ini. If that is not happening, open a PMR to troubleshoot this.
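A17 and A18 both turn on the same precondition: the client's notes.ini must point at an ID file that is actually there, under the name the administrator expects. The following is an added example written for this page (it is not IBM code and was not part of the call) that parses a constructed notes.ini, resolves KeyFilename against the Directory entry (an assumption of the example; the [Notes] section header, Directory= and KeyFilename= are real notes.ini conventions, the sample values are mine), and reports whether the file exists and whether it carries the generic user.id name that Q18 describes after a vault download replaces a missing ID.

```python
import os
import tempfile

# Constructed sample notes.ini (not from the technote). The data directory is
# filled in at runtime so the example runs on any machine.
SAMPLE_NOTES_INI = """[Notes]
Directory={data}
KeyFilename=ids\\jsmith.id
MailServer=CN=Mail01/O=Example
"""


def parse_notes_ini(text):
    """Return the key=value settings of a notes.ini as a dict.

    Keys are lower-cased so lookups are case-insensitive; the '[Notes]'
    section header, blank lines and lines without '=' are skipped. If a key
    appears twice, the first occurrence wins (an assumption of this example).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings.setdefault(key.strip().lower(), value.strip())
    return settings


def resolve_keyfilename(settings):
    """Resolve KeyFilename to a full path.

    Assumption: a relative KeyFilename is relative to the data directory
    named by Directory=. Backslashes are normalised so the same check works
    when a copied notes.ini is audited on a non-Windows host.
    """
    keyfile = settings.get("keyfilename")
    if not keyfile:
        return None
    keyfile = keyfile.replace("\\", os.sep)
    if os.path.isabs(keyfile):
        return keyfile
    data_dir = settings.get("directory", "").replace("\\", os.sep)
    return os.path.join(data_dir, keyfile)


def audit_id_pointer(ini_text):
    """Report whether notes.ini points at an existing ID file.

    'default_name' flags an ID that landed with the generic name user.id,
    the situation raised in Q18 when a vault download replaces a missing ID.
    """
    settings = parse_notes_ini(ini_text)
    path = resolve_keyfilename(settings)
    return {
        "keyfilename": settings.get("keyfilename"),
        "resolved": path,
        "exists": bool(path) and os.path.isfile(path),
        "default_name": bool(path) and os.path.basename(path).lower() == "user.id",
    }


def demo():
    """Run the audit against a throwaway data directory, before and after the ID file exists."""
    with tempfile.TemporaryDirectory() as data:
        ini = SAMPLE_NOTES_INI.format(data=data)
        before = audit_id_pointer(ini)
        os.makedirs(os.path.join(data, "ids"))
        with open(os.path.join(data, "ids", "jsmith.id"), "wb") as fh:
            fh.write(b"placeholder bytes, not a real Notes ID")  # constructed
        after = audit_id_pointer(ini)
        return before["exists"], after["exists"], after["default_name"]


if __name__ == "__main__":
    print(demo())  # (False, True, False)
```

Run it against a real client by reading the client's notes.ini into `audit_id_pointer`; a result with `exists` false is the "notes.ini not pointing to a valid location" case of A17, and `default_name` true is worth a look when several people share a PC, as asked in Q18.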
Q19 (Lisa): Using Windows shared login and ID Vault in 8.5. We enabled Windows shared login so that users are not having to keep track of two passwords and we are also having the Notes client update their HTTP password to be the same so that all passwords are the same. How does ID Vault fit into this type of password scheme?
Clarifying: Were you synching the Windows password with the HTTP password? By policy, we have the Windows shared login enabled and it keeps the Windows Active Directory and Notes password together. In the iNotes policy, there is a place for you to tell that you want the user password to be updating the HTTP password in your Person Document. We expected that the three things would flow, meaning from Active Directory to the client to the Person Document.
A19: This could be around the HTTP password which if vaulted OR Notes shared login. ID Vault does not bring any advantage to this. When sharing a Windows password and Notes password, Notes doesn't know the HTTP value and can no longer sync with HTTP because it doesn't know the value as it changes. ID files are not in mail files for DWA users so they need the HTTP password in this case. Currently, Notes does not know the value of the HTTP password so they cannot sync. There is nothing currently available to make Notes sync with an HTTP password.
Q20: It seems a user has the ability to read the encrypted mail of a colleague if he only knows the name and password of that colleague. Can he access this information?
A20: There is a setting on the vault to limit the number of times the ID can be downloaded. If you set that to 1, the next person trying to access will not be able to. It is possible to set this so that merely knowing the name and password won't allow them access. They would have to have the ID locally.
Q21 (Michael): We're on 7.0.3 now and upgrading to 8.5.1. Can you give a quick outline of how ID Vault gets implemented?
A21: When you upgrade to 8.5, you create a policy and assign ID Vault to it. Then assign a policy to users to make use of that ID Vault. When users are upgraded to 8.5+, when they log in, their IDs will be uploaded at that point into the vault and will get all those benefits. Users won't even know it. In 8.5.1, all of this is available by default. You can go into the admin client and see a tab where all settings are located and can create your vault. If you look in the Admin Help under Security and ID Vault, there is a step-by-step procedure.
Q22: Follow-up to the Shared login and HTTP password sync: Are there plans for future releases? We want to make use of shared login so users don't have to type in their passwords and they are forced to change passwords every 50 days.
A22: Currently there are no plans. Sounds like what is needed is synchronizing between Windows password and HTTP password. Push through Lotus Support or your AVL to get an enhancement request created.
Q23: This has been asked before but is there any way to programmatically add IDs to the vault?
A23: Push through Lotus Support or your AVL to get an enhancement request created.
Product categories: Software > Messaging Applications > Advanced Messaging > Lotus Domino > Lotus Domino Server
Operating system(s): AIX, Linux, Solaris, Windows, i5/OS, z/OS
Software version: 8.0, 8.5
Reference #: 1407232
IBM Group: Software Group
Modified date: 2009-11-05