Frequently Asked Questions: Using Secure Socket Layer (SSL) with Notes/Domino
This document answers the most frequently-asked questions about using Secure Socket Layer (SSL) and the Certificate Authority (CA) process with Notes/Domino, with links to additional resources.
What is SSL?
SSL is a protocol that uses public-key cryptography (a server certificate and its private key) to authenticate the server to the client and to negotiate a session key that encrypts the traffic between them. Domino can run SSL on several of its Internet protocols, including HTTP, LDAP, SMTP, POP3, IMAP, and DIIOP. SSL is layered beneath these standard, publicly-documented protocols rather than replacing them, so a browser or mail client that supports SSL can use it without any Notes-specific software.
NOTE: Notes Remote Procedure Call (NRPC), the native Notes client-to-server protocol, does not use SSL. It relies on Notes' own certificate-based authentication and on Notes port encryption instead.
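The quickest way to confirm which of those protocols actually answer with a working SSL handshake is to probe each port with the openssl command-line client. The script below is an added example, not part of the IBM technote; it assumes the default Domino SSL port numbers (HTTPS 443, LDAPS 636, SMTPS 465, POP3S 995, IMAPS 993, DIIOP over SSL 63149) and a host name that matches the server certificate. Ports configured for negotiated SSL (STARTTLS on 25, 110 or 143) need "openssl s_client -starttls smtp|pop3|imap" instead of the plain connect shown here.

```shell
#!/bin/sh
# Added example (not IBM's code): probe Domino Internet protocol ports
# for a completed SSL/TLS handshake and a chain the local trust store
# accepts. Port numbers are the Domino defaults and are assumptions.

probe_ssl() {
    host=$1; port=$2
    # s_client exits non-zero when it cannot connect; "|| true" keeps the
    # output for inspection instead of aborting the caller.
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
            </dev/null 2>&1 || true)
    case "$out" in
        *"Verify return code: 0 (ok)"*)
            # only printed after a full handshake with a trusted chain
            proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
            echo "$host:$port ok ($proto)"
            return 0 ;;
        *"Verify return code:"*)
            # handshake finished but the certificate chain did not validate:
            # typically a missing or untrusted root (see "What is a trusted root?")
            echo "$host:$port handshake completed but chain NOT trusted:"
            printf '%s\n' "$out" | grep 'Verify return code'
            return 2 ;;
        *)
            echo "$host:$port no SSL handshake (port closed, plain-text service, or SSL not enabled)"
            return 1 ;;
    esac
}

# Probe every Domino SSL port on one server; exit status is non-zero if any
# port failed, so the function can be used from monitoring.
probe_all() {
    host=$1
    rc=0
    for port in 443 636 465 995 993 63149; do
        probe_ssl "$host" "$port" || rc=1
    done
    return $rc
}
```

Run it as `probe_all domino.example.com`. A return code of 2 on a port is the case to pay attention to: the server is speaking SSL, but the client would have to accept an untrusted certificate, which is exactly the situation the trusted-root and third-party CA technotes below address.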
What versions of Domino can use SSL?
SSL is supported in Domino versions 5, 6, 7, and 8. Customers should use the latest available version, if possible.
Were there any major changes in SSL between Domino versions?
No. The basic functionality of SSL has not changed. However, there have been some issues addressed in Domino concerning SSL, mostly in the areas of memory, crashes, and corruption.
What kinds of certificates are available?
Both Domino and third-party certificates can be used. The most commonly used third-party certificates are Verisign and Thawte. For more information, visit each company's web site: http://www.verisign.com/ and http://www.thawte.com/
What is a trusted root?
Document#1093167: "What is a Trusted Root?"
Where can you find instructions to work with SSL?
Your first resource will be the Domino Administrator Online Help guide which you can access from the Domino Administrator client.
Here are some detailed technotes on common SSL processes:
Using Domino as a free Certificate Authority:
- Document #1114148: "Quick guide to setting up SSL using Domino as the Certificate Authority"
- Document #1193730: "Quick guide to securing a Domino server with SSL using the CA process"
Using a third-party as a Certificate Authority:
- Document #1268695: "How to set up SSL using a third-party Certificate Authority (CA)".
- Document #1210804: "How to renew an SSL certificate stamped by a third-party Certificate Authority"
What are some of the common problems encountered while setting up and using SSL on a Domino Server?
- Document# 1099310: "Domino Administrator client crashes when creating an SSL keyring" (SPR# NSUA4FQPTN)
KYR and STH files on the server:
- Document# 1109822: "Web server error: Keyring File access error or Page cannot be displayed"
- Document# 1104908: "Error: 'SSL Error: Keyring file not found' on Domino when enabling SSL"
Issues with Keyfile permissions:
- Document# 1104908: "Error: 'SSL Error: Keyring file not found' on Domino when enabling SSL"
- Document# 1109822: "Web server error: Keyring File access error or Page cannot be displayed"
Setting up Client Certificates instead of username & password authentication in browsers:
- Document# 1195107: "What is the Certificate Publications Request (CERTPUB) database?"
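Most of the "Keyring file not found" and "Keyring File access error" cases above come down to the same two files: the key ring itself (.kyr) and its stash file (.sth), which holds the key ring password so the server can open the key ring without prompting. Both must exist where the server document points and be readable by the account the Domino server runs as, and because the stash file effectively contains the password, it should be readable by nobody else. The check below is an added example, not from the IBM technote; it assumes it is run on the server as the Domino server user, with the key ring path as its argument.

```shell
#!/bin/sh
# Added example (not IBM's code): verify the Domino SSL key ring (.kyr) and
# its stash file (.sth) before enabling SSL on a port. Run as the user the
# Domino server task runs as, from the data directory if the server document
# holds a relative path. Exit codes: 0 ok, 1 missing/unreadable, 2 stash
# file readable by other users.

check_keyring() {
    kyr=$1
    case "$kyr" in
        *.kyr) ;;
        *) echo "FAIL: $kyr does not end in .kyr"; return 1 ;;
    esac
    # Domino derives the stash file name from the key ring name.
    sth="${kyr%.kyr}.sth"
    rc=0
    for f in "$kyr" "$sth"; do
        if [ ! -f "$f" ]; then
            echo "FAIL: $f not found (server will log 'Keyring file not found')"
            rc=1
        elif [ ! -r "$f" ]; then
            echo "FAIL: $f exists but is not readable by $(id -un) (keyring access error)"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return "$rc"

    # The stash file stores the key ring password: the 8th character of the
    # ls mode string is the "other" read bit, so ???????r?? means world-readable.
    perm=$(ls -ld "$sth" | cut -c1-10)
    case "$perm" in
        ???????r??)
            echo "WARN: $sth is world-readable ($perm); restrict it, e.g. chmod 600"
            return 2 ;;
    esac
    echo "OK: $kyr and $sth present, readable by $(id -un), stash file not world-readable"
    return 0
}
```

Usage: `check_keyring keyfile.kyr`. If the server document names the key ring with an explicit path, pass that same path so the check sees what the server sees.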
What problems with SSL have been fixed?
Below is a partial list of SSL and CA Process SPRs that are fixed in Notes/Domino.
- NSUA4FQPTN: "A crash encountered while creating Key Ring file" This issue is scheduled to be addressed in a future release of the Domino 6 codestream. The error does not occur in Domino 7.
- MROE5HYS3H: "Error: No Trusted Root Certificate" This issue has been addressed in Domino 7.0.
- WRAY5HVRUM: "SSL Handshake errors causing server log to grow very large" This issue was fixed in 6.0.3
- NORK5TLPM9: Error "SSL Port is enabled, but there are no Internet Site Documents allowing SSL for this server" This issue was addressed in 6.0.5/6.5.4 and 7.0
- HPES5ZZN6X: "Security Review Probe: Server Documents have been analyzed" This issue was addressed in Domino 7.0.
- SPRT4W5LAH: "IOCP: The LDAP status from SH STAT LDAP have incorrect information" This SPR was addressed in 6.0.
- DKEN4V2UTW: "SSL Client Certificate Authentication doesn't work with NTI\SSLPlus SSL stack" This SPR was addressed in Domino 6.0.
- DKEN4WBRXV: "Enabling 'Accept SSL site certificates' on the server breaks client cert authentication" This issue was addressed in 6.0.
- DMEA5KZQR2: "SSL Port Number is missing for non-standard ports on SSL-required databases through HTTP access" The SPR was addressed in 6.0.5/6.5.3 and 7.0
- DCOY5XTKJB: "HTTP Web Server: 'SSL Connection Required Exception - Access to this resource requires an SSL connection'" This SPR was fixed in 6.0.5/6.5.3 and 7.0.
- BDAS5BBT9A: "Make requirement of SSL when decrypting mail optional" This SPR was addressed in 6.0.1.
- STER5R5BG8: "(Proxy) cannot decrypt encrypted mail with SSL proxy, SSL Domino and require SSL=both" This issue was addressed in 7.0.
- CCAY5M6STJ: "SSL (LDAP)-TESTNSF LDAP scripts don't work over SSL port" This issue was fixed in 6.5.0.
- SONL4R5S87: "SSL fails with the LDAP gateway - Cannot bind to host" This issue was fixed in 6.0.
- TCHL5MKRJ2: "Modify SSL design to allow System SSL and SSLPlus to run simultaneously" This SPR was addressed in 6.5.0.
- CVEO52JHNS: "HTTP Server: SSL handshake failure, IP address [x.xx.xx.xx], Key Ring [keyringname.kyr], error status " This issue was addressed in 6.0
- SONL522J6J: "SSL V2 Ciphers are not working as specified in the Server document" This SPR was addressed in 6.0.
- CVEO4SWSVX: "IMAP Server: SSL Handshake failure: SSL Error: No local certificate if explicit path is not set for Keyfile in server record" This issue was addressed in Domino 6.0.
- SONL4H7QKX: "Regression: nHTTP crashes using SSL with authentication" This issue was addressed in 6.0.
- MALR4USUHW: "Memory leak in NTI with connections over SSL" This issue was fixed in 5.0.9 and indirectly fixed in 7.0.
- STER5RJ4HJ: "Error when resending signed mail from NDR using HTTP" This issue was fixed in 6.0.4/6.5.1 and does not occur in 7.0.
- DYHG6B54KQ: "SSL: Signed/encrypted meeting: Check name/Cancel does not redirect to SSL" This SPR was addressed in 7.0.
- RGET66EUT4: "HTTP Thread logs, no indication of SSL handshake failure, no end of request marker" This issue was fixed in 7.0.
- MMII5CEARL: "Security warning when accessing Web Admin via SSL" This issue was resolved in 6.0.
- CCAY53SP2M: "SSL-No longer necessary to get Internet cross certificates on Notes client doing SSL LDAP-Cert is not being checked" This SPR was addressed in 6.0.
- DKEN4V2V6X: "SSL server does not shut down cleanly on error states" This issue was addressed in 6.0.
- DKEN4YRTS9: "Single-time memory leak in SSL session resumption" This SPR was fixed in 6.0.
- DKEN55C4E6: "SSL can try to resume a session with a different cipher" This issue was fixed in 6.0.
Where can you get more information on SSL and the CA Process?
IBM® Redbooks™ publication: "Lotus Security Handbook (SG24-7017-00)"
This Redbooks publication provides the best practices and guidance for building a secure collaboration infrastructure utilizing IBM/Lotus technologies. It is the third Lotus security-oriented Redbooks publication to be published. Unlike the previous two Redbooks in this series ("The Domino Defense: Security in Lotus Notes 4.5 and the Internet [SG24-4848]" and "Lotus Notes and Domino 5.0 Security Infrastructure Revealed [SG24-5341]"), this book focuses not just on Notes/Domino but on all IBM/Lotus collaborative products as well as general security best practices for any infrastructure. The book should be considered essential reading for anyone responsible for Lotus technology-based applications, systems, and infrastructures.
Of specific interest is Chapter 6, "Public Key Infrastructures", 6.2.5: "Secure Sockets Layer".
To test certificate-based authentication, it is necessary to create key rings to hold certificates for the HTTP servers and for the browsers used to access them. This is most conveniently done by creating a certification authority of your own to issue and administer the necessary SSL certificates.
This Redpaper describes in detail how to set up Domino as a Certification Authority (CA), how to create a server key ring, and how to merge/install certificates into the key ring. It also describes how to issue client certificates from the newly created CA, which involves all of the following steps: accepting the CA as a trusted root in the browser, requesting a certificate, approving the request, accepting the issued certificate into the browser's certificate store, and finally requesting registration of the client certificate with Domino.
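The chain that this CA process produces can be built and inspected outside Domino with the openssl command-line tool, which makes the trust relationships (root, server certificate, client certificate) concrete before working through the Domino-specific key ring steps. The script below is an added example, not IBM's code and not a substitute for the Domino CA process; it assumes a CA named "Example Domino CA", a server host name passed as the second argument, and a client certificate for "Jane Doe". The private keys are written unencrypted (-nodes) for the demonstration only.

```shell
#!/bin/sh
# Added example (not IBM's code): the certificate chain a private CA issues
# for SSL server and browser client authentication, built with openssl so
# it can be verified step by step. All names are assumptions for the demo.
#   $1 = output directory, $2 = server host name browsers will connect to

make_demo_ca() {
    dir=$1; host=$2
    mkdir -p "$dir" || return 1

    # 1. The CA: a self-signed certificate that becomes the trusted root.
    #    Browsers and the Domino key ring must both accept this root, or
    #    every certificate issued below is reported as untrusted.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/O=Example/CN=Example Domino CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1

    # 2. Server key and certificate request. The name must be the host
    #    name users type; a mismatch produces a browser security warning.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1 || return 1
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/server.ext"

    # 3. The CA approves the request and issues the server certificate
    #    (the "approve request" step of the Domino CA process).
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" >/dev/null 2>&1 || return 1

    # 4. Client certificate used instead of username/password in the browser.
    #    Its subject name is what the server later maps to a user.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example/CN=Jane Doe" \
        -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1 || return 1
    printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/client.ext" -out "$dir/client.crt" >/dev/null 2>&1 || return 1

    # 5. Both leaf certificates must chain to the root. A leaf signed by a
    #    different root, or a leaf presented as a root, fails here.
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" "$dir/client.crt"
}
```

Run as `make_demo_ca ./demo-ca domino.example.com`; the final `openssl verify` prints "OK" for both certificates. Domino's key ring (.kyr) is its own format, so certificates from a CA like this still have to be merged into the key ring with the tools described in the technotes above; what the script shows is the trust chain those tools are building, and `openssl verify -CAfile` against a root you do not expect is a quick way to confirm that a certificate really was "stamped" by the CA you think it was.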
Article: SSL: It's not just for commerce anymore
SSL was created to add certificate-authenticated encryption to HTTP transmissions. This article discusses what SSL is, how it coexists with existing Domino and Notes security protocols, and how Domino implements SSL support.
IBM Redbooks publication: "Domino Defense: Security in Notes 4.5 & the Internet (SG24-4848-01)"
The Domino server joins together the secure and well-managed environment of Notes with the universal access of the web. This IBM® Redbooks publication helps the reader understand the security facilities provided by Notes and the web, and then illustrates the value that the Domino Web Server brings to the area of security by joining together these two environments. This publication provides an example application to show a practical implementation of these concepts. The book also assists the reader in determining the correct placement of Domino servers within an Internet firewall, again using detailed examples.
IBM Redbooks publication: "Lotus Notes and Domino R5 Security Infrastructure Revealed (SG24-5341-00)"
This Redbooks publication describes how to build a secure infrastructure with Notes/Domino as follows:
-- The strong security infrastructure that has always been part of Notes/Domino.
-- How Notes/Domino supports today's open Internet security standards (X.509).
-- How Domino can be part of full security solutions that go beyond single systems, single platforms, and single companies
This Redbooks publication is written for Domino technical specialists and administrators, customers, business partners, and members of the IBM/Lotus community who need a technical understanding of how to deploy Notes/Domino in a secure environment.