Issuing a Vault Trust Certificate

You must issue a Vault Trust Certificate from a parent certifier of service users’ Notes ID files to the certifier of the service ID vault. This step is a prerequisite for user provisioning.

Before you begin

After you have configured your company account settings, wait for directory synchronization to replicate the service ID vault document to your on-premises directory. You can confirm that replication has completed in SmartCloud Notes® Administration. Click Account Settings, and then click Directory Sync Server. Under Sync Status, the status should be OK.

Make sure you have a local copy of the certifier ID file of the parent certifier that you will use to create the Vault Trust Certificate. For example, to issue a Vault Trust Certificate that applies to the user Samantha Daryn/Renovations, make sure you have a local copy of the certifier ID file for the /Renovations certifier.

About this task

If users are certified under an organizational unit (OU) certifier, you can use either the OU certifier or the top-level certifier to issue the Vault Trust Certificate. For example, if users are certified under the OU /North/Renovations, issue a Vault Trust Certificate from either /North/Renovations or /Renovations.

If your service users are certified under different top-level organization certifiers, you must issue a Vault Trust Certificate for each organization. For example, if some service users are certified under the organization /Renovations and others are certified under the organization certifier /ZetaBank, issue a Vault Trust Certificate from both organizations.

The Vault Trust Certificate certifies that the parent certifier of Notes user ID files trusts the service ID vault to store the ID files. ID files must be in the vault for administrators to reset the ID passwords for Notes client users. ID files must also be in the vault for web client users and mobile client users to be able to sign, encrypt, and decrypt messages.

Although all user IDs under the parent certifier that issues the Vault Trust Certificate are authorized for storage in the service ID vault, only the IDs of service users can be uploaded to the vault.

For more information about Vault Trust Certificates, see the information about ID vault trust in the IBM® Domino® documentation.

Perform the following steps to issue a Vault Trust Certificate.

Procedure

  1. Log on to a Domino Administrator client that you use for on-premises Domino server administration.
  2. Open an on-premises hub server that you use for directory synchronization.
  3. Click the Configuration tab and then click Security > ID Vaults.
    Note: If you do not see the ID Vaults view, you must upgrade the Domino directory on the server to the template version for 8.5.1 fix pack 2 or later.
  4. Select the ID Vault document for the service ID vault. The document name has the format /IDVault_customernumber, where customernumber is your customer number, for example /IDVault_15679841.
  5. Click Tools > ID Vaults > Manage. If a window that describes the ID vault is shown, click Next.
  6. Select the task Add or remove organizations that trust the vault and then click Next.
  7. Click Add or Remove.
  8. Under Available organizations, select a certifier of your service users.
  9. Click Add to add the certifier to Organizations that trust the ID vault, and click OK.

    The certifier is now shown under Organizations.

  10. Click Next and click Configure to confirm the change.
  11. At the Choose a Certifier prompt, browse to and select the certifier ID file of the parent certifier (for example, cert.id), and click OK.
  12. Provide the certifier password and click OK.
  13. In the You have successfully completed the management of the Notes ID vault window, click Done.
  14. From the Configuration tab, click Security > Certificates > Certificates. Expand Vault Trust Certificates and verify that there is a Vault Trust Certificate issued by the parent certifier to the ID vault.
    Note: The Vault Trust Certificate is created on the administration server for the Domino directory. If you issued the certificate on a server that is not the administration server, the certificate becomes visible on that server only after it replicates from the administration server.

Results

The Vault Trust Certificate replicates to the service during directory synchronization.