
Security Fundamentals for IBM Lotus Domino 7

Lesson Using the CA Process

Practice Activity: Use the Certification Authority Process


Conditions: Verify that your assigned server is running. In this activity you will use Lotus Domino Administrator, your Lotus Notes client, and your default Web browser. You might need to register additional user IDs as you work through the activity.

Scenario: Worldwide Corporation has charged you with migrating the company's certifiers to the CA Process. To do so, you will need to set up an Issued Certificate List (ICL) database and configure its certificate duration. In addition, for Internet certifiers, you will need to configure key usage information for the certificate. Another administrator needs to be added as a Domino certificate authority and registration authority administrator. Once you have migrated a certifier, you will add the certifier to the CA process and test that it has been added. You will then automate the loading of the CA process on your Domino server. Once the CA process migration is complete, you will be able to perform the other administrative tasks that you have been assigned:

- Register users with the CA process.
- Deploy Internet certificates to users.
- Enable and test SSL for a Domino Web site.
- Revoke certificates from the ICL.
Note: As you perform this activity, refer to Lotus Domino Administrator 7 and Lotus Notes 7 online help as necessary for the detailed procedures for various tasks.

Migrate a certifier
1. From Domino Administrator, begin the process of migrating the /WWCorp certifier to the CA process, to run on the Hub/SVR/WWCorp server. On the Basics page, name the ICL database icl\icl_hub.nsf.

2. Encrypt the certifier ID with the Server ID.

Copyright IBM Corporation 2007.


3. Add another administrator and the Hub/SVR/WWCorp server to the Administrators list as both a Domino Certificate Authority Administrator (CAA) and a Registration Authority Administrator (RA).

4. On the Certificates page, set the certificate duration for both the EE certificate and the CA certificate to a Default value of 12 months, a Minimum value of 1 month, and a Maximum of 24 months.
Add the certifier to the CA process
5. After the migration, load the CA process and add the newly-created certifier to the CA process.

Make sure the students understand the difference between migrating the certifier and adding it to the CA process.

Step 5: Students will need to issue console commands: load ca (if the process is not running); tell adminp process all (to process the request for the new certificate without waiting for the default 12-hour refresh period); tell ca refresh.

6. Verify that the new certifier has been added.

Automate the CA process load
7. Automate the loading of the CA process by adding it to the Notes.ini file for your server.
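One way to make step 7 repeatable across several servers is a small script that adds the CA task to the ServerTasks= line of Notes.ini only when it is not already listed. This is an added example, not part of the course material; it assumes the CA process is loaded at server startup by naming CA on that line, and the Notes.ini fragment inside it is constructed, not taken from a real server.

```python
# Constructed sample Notes.ini fragment (not copied from a real server).
SAMPLE_NOTES_INI = """\
[Notes]
Directory=C:\\Domino\\data
ServerTasks=Update,Replica,Router,AMgr,AdminP,CalConn,Sched,HTTP
ServerTasksAt1=Catalog,Design
"""


def server_tasks(ini_text: str) -> list[str]:
    """Return the task names on the ServerTasks= line (empty if the line is absent)."""
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "servertasks":
            return [t.strip() for t in value.split(",") if t.strip()]
    return []


def ensure_server_task(ini_text: str, task: str = "CA") -> tuple[str, bool]:
    """Return (new_text, changed) with `task` present on the ServerTasks= line.

    Only the ServerTasks= key is touched (ServerTasksAt1= and similar scheduled
    lines are left alone), the existing task order is kept, and the check is
    case-insensitive so a server that already lists `ca` is not edited twice.
    """
    lines = ini_text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() != "servertasks":
            continue
        body = value.rstrip("\r\n")
        newline = value[len(body):]          # preserve LF or CRLF line ending
        tasks = [t.strip() for t in body.split(",") if t.strip()]
        if any(t.lower() == task.lower() for t in tasks):
            return ini_text, False           # already loads at startup; nothing to do
        tasks.append(task)
        lines[i] = f"{key}={','.join(tasks)}{newline}"
        return "".join(lines), True
    # No ServerTasks= line at all: add one so the task still loads at startup.
    if ini_text and not ini_text.endswith("\n"):
        ini_text += "\n"
    return ini_text + f"ServerTasks={task}\n", True


if __name__ == "__main__":
    updated, changed = ensure_server_task(SAMPLE_NOTES_INI)
    print("changed" if changed else "already present")
    print(updated, end="")
```

Because the function returns the rewritten text rather than touching the file, you can diff the result against the server's Notes.ini before writing it back, and a second run on the same file is a no-op.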


Step 6: Students should issue the tell ca status console command.

Register a user with the CA process
8. Verify that the HTTP task is running on the server, and register a new user using the Web Administrator database (access the WebAdmin database using this URL: http://<server's fully qualified domain name>/webadmin.nsf) and the certifier that was migrated to the CA process.

Register a new Internet certifier

9. From Domino Administrator, use the CA process to register a new Internet certifier as CN=Web/O=WWCorp. Encrypt the certifier with the server ID and add Hub/SVR/WWCorp as a CAA and RA.

10. After the registration, add the newly-created registered Internet certifier to the CA process and verify that the certifier has been added.

Students should issue the same commands as done in steps 5 and 6.



Enable SSL for a Domino Web site
11. Use the certreq.ntf template to create the Certification Requests (certreq.nsf) database on your server.

Provide an of enabling SSL for a Domino Web site before the students begin this task (use Help as a guide).

12. In the newly-created database, complete the Database Configuration section as follows:

- Supported CA server: Hub/SVR/WWCorp
- Supported CA certifier: CN=Web/O=WWCorp
- Support both types of certificates: server and client
- Configure the Client Request Validity Period as one year, with key usages of digital signature and key encipherment and extended key usages of client authentication, email protection, and time stamping.
- Configure the Server Request Validity Period as one year, with key usages of digital signature and key encipherment and extended key usages of server authentication and code signing.
- Process requests automatically on the Hub/SVR/WWCorp server and receive mail notification.

Note: The administrator (the signer of the agent) must be listed in the group of users who can run unrestricted methods and operations on the server. This can be set on the Security tab in the Server document.

13. Create a server key ring file to store the server certificate and merge the CA certificate as a trusted root into the server key ring file.

- Keyring file name: webkeyfile.kyr
- Password: lotusnotes
- Common name: wwcorp.com
- Organization: WWCorp in New York, US

14. Approve the new request in the Certification Authority Requests/Certificate Requests view of the Administration Requests database. Verify that the new request has a status of Issued.


15. Transfer the certificate request out of the Administration Requests database to the Certificate Requests database by opening the Pending/Submitted Certificates view, locating the request, and clicking Pull Selected Request(s).

16. After the CA signs the request for a server certificate and notifies you to pick up the certificate, open your mail file, locate and open a message with the subject "Your certificate request has been approved", and copy the pickup ID to the Clipboard. Then, in the Certificate Requests database, choose Domino Key Ring Management > Pickup Key Ring Certificate. Enter the key ring file name and password, paste the pickup ID into the form, and click Pickup Certificate.

17. Merge the approved server certificate into the key ring file by copying the new key ring file and its associated .sth file to the server's data directory.

18. To configure the port for SSL in the Domino Directory, edit the Server document, and in the Ports/Internet Ports section enter the name of the new key ring file and enable the SSL Port.

Note: As an optional step, while editing the Server document, enable Session authentication in the Internet Protocols/Domino Web Engine section. This ensures that HTTP sessions will time out in the number of minutes that are specified in the Idle session timeout field. You can also specify the Maximum active sessions.

19. Restart the HTTP task to enable SSL on the server.

Test SSL on the Domino Web site
20. Issue the server console command tell http show security to verify SSL status. Issue the server console command show tasks to verify that the HTTP server is listening on ports 80 and 443.

21. To confirm that SSL is working, open a browser and enter your server's URL; for example, https://hub.wwcorp.com/certreq.nsf. Respond to any prompts as appropriate. For example, you can decide whether or not to accept the new site certificate, and whether or not you want to see a warning every time you access the new site.



22. Verify that the Security indicator in the status bar appears as a closed padlock. This indicates that you have established a secure session over SSL.

Revoke a certificate
23. Open the ICL for the certifier that issued the certificate you need to revoke.

Step 23: Remind students that this will be the Web certifier in this case.

24. In the Issued Certificates\By Subject Name view, open the Issued Certificate document and click Revoke Certificate.
