IBM Support

Quick guide to securing a Domino server with SSL using the CA process

Technote (FAQ)


Question

This technote explains the steps to configure a Lotus Domino server to secure it by using SSL. You configure the Domino server as a Certificate Authority (CA), setting up a Domino server-based certification authority. You then create an SSL key ring file and tell the server to use the newly created SSL key ring file.

To complete the setup, you can modify port preferences, authentication options, and security settings in your Server document (Ports - Internet Ports). Preferences for protocols that use SSL, such as HTTP (Web), LDAP and Mail, can be configured here.

Note:

  • This technote describes steps briefly, with little background information. For more extensive information and detailed steps, refer to the Domino Administrator Help section "Domino server-based certification authority" or "Lotus Domino Certification Authority Tutorial" (#7006424).
  • You can also configure SSL with Domino as the Certificate Authority without using the CA process. For information on that procedure, refer to the Domino Administrator Help section "Using a Domino 5 certificate authority" or "Quick Guide to Setting Up SSL using Domino as the Certificate Authority" (#1114148). To learn about the differences between the CA process and the Domino 5 certificate authority, refer to the Domino Administrator help topic "Setting up an Internet certificate authority."

Answer


Requirements

You need to have access to an Administrator's ID file and password. At least one Domino Administrator client and one Domino server are needed.

Procedure Steps

    Register Internet Certifier

1. Launch the Domino Administrator client using the Administrator's ID file. Select the correct Domain and Server, then go to the Configuration tab.

2. On the Configuration tab, expand the Tools area if needed, select Registration, then select Internet Certifier (or from the menu, select Configuration > Registration > Internet Certifier). Select "I want to register a new Internet certifier that uses the CA process." Then click OK.

3. When the "Register a New Internet Certifier" dialog box appears, click Create Certifier Name and fill in a Common Name (such as "MyCompany CA").
    All other fields are optional; however, it is usually helpful to fill in an Organization Name (for example: MyCompany). You can also fill in a State or Province (such as "Massachusetts") and a two-character Country Code (for example: "US").
    Click OK once the required field and any optional fields are filled in.

4. Choose the server on which you wish to put the certifier for the CA.

5. You can use the default Issued Certificate List (ICL) database name or modify it, if you wish (for example: "icl\icl_MyCompany.nsf").

6. Choose one of the following options for the "Encrypt Certifier ID with" settings:
    a. Encrypt ID with Server ID: lowest security, no password required
    b. Encrypt ID with Server ID and Require password to activate certifier
    c. Encrypt ID with Locking ID and choose the person whose ID will be used to secure the new CA

7. You may select an additional person to be a CA and/or RA, but that is optional. Defaults may be used for the rest of the settings. Click OK and you should see a "Success..." message.

    Run the CA task
8. On the server console, enter "load ca" (if the task is not already running). If the CA task is already running, enter "tell ca refresh".
    You may also wish to enter "tell adminp process all" to ensure that your new CA is ready for use.
    Note: If your new CA does not show up in the list when you enter "tell ca stat", try using "tell adminp process all", then "tell ca refresh" again. After that, enter "tell ca stat" to verify that the new CA has been properly initialized.

    Tip: If you have decided to use a password and your CA is not active, use the following console command to activate it:
      tell ca activate certifier number password

    You can obtain the actual value for certifier number by using the command "tell ca stat". Each CA is listed with a number before it; that number is how you identify a specific CA when using a "tell" command.

    Create and set up Certificate Request database
9. Choose File - Database - New, then select your server.

10. Fill in a Title and File Name, for example, "Certificate Requests" and "certreq.nsf".
    Note: Each Internet Certifier requires a unique Certificate Requests database. If you are going to create additional Internet CAs in the future, give the Certificate Requests database an appropriate unique title for its associated CA, for example "Cert Req MyCompany", and a file name such as "CR_myco.nsf". Keep the file name somewhat short so that it is easier to enter as part of a URL for a Web browser.

11. Make sure the template server is set to the server, not "local." Select "Show Advanced Templates" and select the template name "Certificate Requests (6)" with the file name certreq.ntf. Click OK to create the Certificate Requests database.

12. After the database has been created, close the "About..." document. The Database Configuration form should automatically appear.
    Select your server (usually the Administration Server; it should be the one that is running the CA Process for the supported CA).

    Select the CA you created in the previous steps ("Certifier").

    Choose the intended purpose(s) of this CA: "Server Certificates Only" or "Both Client and Server Certificates."
      Note: "Client Certificates Only" should not be chosen if you wish to create a Server Key Ring for SSL.

13. Customize the Server (and Client) settings if you wish. Then select a Processing Method ("Automatic" means less user intervention). You may choose an "Automatic Transfer Server" (optional), then choose whether or not you wish to have the confirmations mailed to the applicant. Click Save & Close.

Note: If you select the Automatic" method, the person who has been designated as an RA (often the same one who creates the Certificate Requests database - certreq.nsf) must appear in the list of people who can "Run unrestricted methods and operations" in the Administration Server's Server document. To verify this or to make the necessary change, open the Domino Directory, go to the Server/Servers view, open the appropriate Server document, and go to the Security section to see this field. If you do not set this field properly, the agents in the Certificate Requests database are unable to run.

    Create Key Ring
14. In the Certificate Requests database, choose "Domino Key Ring Management" then "Create Key Ring."

15. Fill in a file name for the Key Ring file, leaving the ".kyr" extension. Fill in a password (twice), and select a Key Size. Fill in your server's Common Name (use the fully qualified host name, for example, server.company.com), Organization name, then State (or Province) and Country. The other two fields are optional. Click Create Key Ring.

16. When the "Key Ring Created" dialog box appears, verify the information, then click OK to automatically add your CA as a trusted root and to generate a certificate request for your server.
    Note: You can postpone this step and choose "Certify Key Ring" later, if you wish.

17. After you click OK, a "Merge Trusted Root Certificate Confirmation" dialog box should appear. Verify the information and click OK.

18. You should see a "Certificate received into key ring and designated as trusted root" confirmation screen; click OK. Another message should appear: "Certificate Request Successfully Submitted for Key Ring." Click OK to dismiss the message.

19. The Certificate Requests database should still be open. Go to the Pending/Submitted Requests view and press F9 to refresh the view if your request does not appear.
    If the request already indicates that it has been "Submitted to Administration Process," go to step 20.
    If it is still in the "Pending Submission" state, select the request and click Submit Selected Requests. You should see a "Successfully submitted 1 request(s) to the Administration Process" message. Click OK.

    Leave the Certificate Requests database open because you will be returning to it soon.

20. Open the Administration Requests database (Admin4.nsf), go to the Certification Authority Requests/Certificate Requests view, and find your new request.

21. Double-click the request to open it, click Edit Request, and verify the information in it. You may leave the default settings for all fields, if you wish. Once you have verified the information and finished making any optional changes, click Approve Request.

Press F9 until the request goes from the "New" state to the "Issued" state (you may also notice an interim "Approved" state, before it reaches the "Issued" state).

22. Close the Administration Requests database and return to the Certificate Requests database. Go to the Pending/Submitted Requests view and locate your request.

You may need to press F9 to refresh the view. If you press F9 and the certificate request "disappears" from the view, you will probably find it in the Issued/Rejected Certificates view. This indicates that it has already been issued. If the request does not appear in the Issued/Rejected view, click Pull Selected Request(s).
    Note: You may be prompted to Cross Certify. This prompting occurs because the Internet Certificate is seen as being in a different domain than the Domino server. If this prompting happens and you would rather NOT create an Internet Cross Certificate in the Domino Directory, then leave the default settings and click Cross Certify. An Internet Cross Certificate will be created in your Personal Address Book. If you would rather create the Internet Cross Certificate in the Domino Directory, do the following:

    a. Click the Certifier button and the "Choose a Certifier" screen will appear. Click the Server button and choose your server (not "Local") then click OK.

    b. If you have migrated your Notes certifier to the CA Process, you may choose "Use the CA Process" and select your CA configured certifier, then click OK. If not, choose "Supply certifier ID and password," browse to your Notes Certifier ID file, select it, click Open, then click OK. Enter the Certifier ID password when prompted and click OK.

    c. When the correct Notes Certifier, Server, and Subject Name (the name of your new Internet CA) all appear in the appropriate fields, click Cross Certify.

    d. If you chose "Use the CA Process," a message will appear telling you that "A certificate request has been submitted." Click OK to dismiss the message.

    e. When you see a "Successfully pulled 1 request(s) from the Administration Process" message, click OK to dismiss the message.

23. Next, you may choose to do one of the following to copy the Request ID (also called pickup ID) to the clipboard:
    • Open the Administrator's mail file, locate then open a memo entitled "Your certificate request has been approved." Copy the pickup ID to the clipboard.
    • Or, from the Certificate Requests database, go to the Issued/Rejected Certificates view, then open the issued server request, and copy the Request ID to the clipboard. Press Esc to close the "Certificate Pickup" document.

24. While still in the Certificate Requests database, choose "Domino Key Ring Management" then "Pickup Key Ring Certificate."

25. Fill in the key ring file name which was used in Step 15, enter the key ring password. Paste the pickup ID into the form (from the clipboard), and click Pickup Certificate.

26. When a "Merge Signed Certificate Confirmation" dialog box appears, verify the information and click OK. A "Certificate received into key ring" confirmation box should appear. Click OK.

27. Copy the new Key Ring file and its associated ".sth" file to your server's data directory (for UNIX servers use FTP in binary mode to transfer the files).

    Configure port
28. Open the Domino Directory and find your server's document in the Server/Servers view. Open the Server document, click Edit Server, go to the Ports - Internet Ports section, then fill in the name of your new Key Ring file. Note: Do not include the full path to the key ring file, only the file name.
    Scroll down the page until you locate the "SSL Port Status" field, and change it from Disabled to Enabled.

29. If HTTP is already running, enter "tell http restart" on the server console to enable SSL on the server. Use "show task" from the server console to verify that the HTTP server is now listening on ports 80 and 443.

    Test and configure Web browser
30. To confirm that SSL is working on your server, open a browser and fill in a URL similar to this:
    http s://<server>.<company>.com/<CR_myco.nsf>

31. If using Netscape, a "New Site Certificate" screen should appear. Click Next.
    a. When the next screen appears, click the More Info button to verify the information (optional), then click Next.

    b. Decide whether or not to accept the new site certificate and for how long, then click Next.

    c. Decide whether or not you wish to see a warning every time you access your new site, then click Next. When the last screen appears, click Finish.

    A "Security Information" dialog box may appear. If it does, decide whether or not you wish to have Netscape "Show This Alert Next Time" (which it will do every time you access the site, until you clear the box), then click Continue.
    If the Security indicator (a padlock near the top of the Netscape window) is closed (locked), you have successfully established a secure session over SSL.

32. If using Microsoft Internet Explorer, you will probably see the following "Security Alert" screen:



Choose View Certificate, then Install Certificate.
    a. When the "Certificate Import Wizard" screen appears, click Next.
    b. When the "Certificate Store" screen appears, you may use the default selection: "Automatically select the certificate store based on the type of certificate", then click Next.
    c. When the "Completing the Certificate Import Wizard" screen appears, click Finish. A small message box with this message should appear: "The import was successful."

    d. Exit from the dialog box which is probably still displaying the Install Certificate button (click OK). You should see the Security Alert message box again. Click Yes to proceed.

33. The Certificate Requests database should open and you should see a closed padlock near the lower-right corner of the screen. This indicates that you have successfully established a secure session over SSL.

Document information

More support for: Lotus End of Support Products
Lotus Domino

Software version: 6.0, 6.5, 7.0

Operating system(s): AIX, IBM i, Linux, Solaris, Windows, z/OS

Reference #: 1193730

Modified date: 30 June 2008