What is the ID vault?
The Notes® ID vault is an optional, server-based application that holds
protected copies of Notes user IDs. An ID vault allows administrators and
users to easily manage Notes user IDs, reducing user downtime and help
desk costs. Users are assigned to a vault through policy configuration,
and copies of user IDs are uploaded to a vault automatically once the policy
has taken effect.
The benefits of using an ID vault include:
- Ability for authorized personnel to change (reset) passwords on IDs stored in a vault when users forget them, without having access to the ID files or to the vault database. Reset authority is conferred by a Password Reset Certificate, not by access to the vault contents.
- Support for the use of a custom application to reset passwords
- Easy recovery of lost or damaged user IDs
- Automatic synchronization of multiple ID copies
- No user involvement during ID renames or ID key rollover; the use of an ID file with Notes becomes virtually transparent
- An “Auditor” function to extract ID files for legal discovery or access to encrypted data
How is the ID vault configured?
To create and configure an ID vault, you perform the following required steps from the Domino Administrator:
- Create the vault database on a server.
- Create the vault ID file, which is initially stored on the local computer. The vault ID file should be treated as securely as a certifier ID, and backup copies should be stored securely.
- Specify at least one vault administrator. Additional administrators are recommended for administrative backup.
- Specify which user organizations trust the vault. At least one user organization certifier or organizational unit certifier issues a Vault Trust Certificate to the vault.
- Assign password reset authority. Password Reset Certificates are issued by the certifiers that have also issued Vault Trust Certificates.
- Use Security Settings policy configuration to assign users to the vault. To be assigned to a vault, users must be in an organization that has issued a Vault Trust Certificate.
Optionally, you can replicate the vault (add vault servers), specify forgotten password instructions to display in the Notes login prompt, specify whether users must change passwords that have been reset, and require authorization for ID file downloads from the vault.
How does password reset work?
A benefit of the vault is the ability to easily reset passwords on IDs
when users forget them. There are two models available for resetting passwords:
authorized personnel can use the Domino Administrator to reset passwords
for users, or users or authorized personnel can reset passwords using a
custom application. One or both models may be implemented.
People who log in to the Domino Administrator under an identity with password
reset authority can reset user passwords using the Reset Password tool
in the Domino Administrator. To give password reset authority to these
people, a Domino administrator creates Password Reset Certificates for
individuals or organizational units. This step requires use of the certifier
ID.
People who reset passwords through the Domino Administrator have two options for conveying the new password to the user. They can pick the new password or generate a random one and inform the user of it themselves; in that case they must have a reliable, out-of-band way to confirm the requester's identity before performing the reset, because a password reset granted to an impostor lets that person download the user's ID from the vault. Alternatively, they can generate a random new password and send it by encrypted e-mail to someone else, for example the user's manager, who then conveys the password to the user.
Developers can use the ResetUserPassword method available in C, Java®,
JavaScript® or LotusScript® to develop a custom application for resetting
passwords. This can be a self-service application that allows users to
reset their own passwords or an application that help desk personnel use
to reset user passwords. Domino comes with a sample self-service application
that uses the ResetUserPassword method in a LotusScript agent that you
can customize for your environment.
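The following is an added example of such a self-service agent, written here to illustrate the ResetUserPassword model; it is not the sample application that ships with Domino. It assumes (none of this is stated on the page) that the agent is invoked from a browser with ?OpenAgent after the user has authenticated to Domino over HTTPS with their Internet password (which is separate from the Notes ID password), that the agent is signed with an ID holding a Password Reset Certificate for the user's organization and runs under that signer rather than as the web user, that Domino populates the Remote_User and Remote_Addr CGI variables in the agent's DocumentContext, and that the vault server name, the ResetLog form and its field names are placeholders to be replaced for your domain.

```lotusscript
' Added example: self-service Notes ID password reset agent (not IBM's sample code).
' The agent signer must hold a Password Reset Certificate; the web user does not.
Option Declare

Const VAULT_SERVER = "CN=Vault1/O=Acme"   ' assumed server name; replace for your domain
Const PASSWORD_LEN = 16
Const DOWNLOAD_COUNT = 1                   ' permit exactly one ID download with this password

' Build a temporary password. Rnd is a statistical generator, not a cryptographic one,
' so pair this with the policy setting that forces users to change a reset password.
Function NewTempPassword(length As Integer) As String
	Dim alphabet As String
	Dim result As String
	Dim i As Integer
	alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#$%&*+-=?@"
	Randomize
	result = ""
	For i = 1 To length
		result = result & Mid$(alphabet, Int(Rnd * Len(alphabet)) + 1, 1)
	Next
	NewTempPassword = result
End Function

Sub Initialize
	Dim session As New NotesSession
	Dim reg As New NotesRegistration
	Dim ctx As NotesDocument
	Dim db As NotesDatabase
	Dim logDoc As NotesDocument
	Dim userName As String
	Dim tempPassword As String

	Set ctx = session.DocumentContext
	' Remote_User is the name Domino authenticated over HTTP; Anonymous is refused.
	userName = ctx.GetItemValue("Remote_User")(0)
	If userName = "" Or LCase(userName) = "anonymous" Then
		Print "Content-Type: text/plain"
		Print "Sign in with your Internet password before requesting a Notes ID password reset."
		Exit Sub
	End If

	tempPassword = NewTempPassword(PASSWORD_LEN)

	' The reset is scoped to the caller's own authenticated identity. The agent never
	' reads a user name from form input, so one user cannot reset another user's ID.
	On Error GoTo ResetFailed
	Call reg.ResetUserPassword(VAULT_SERVER, userName, tempPassword, DOWNLOAD_COUNT)

	' Audit record: who was reset, from where, and when. The password is never stored.
	Set db = session.CurrentDatabase
	Set logDoc = db.CreateDocument
	logDoc.Form = "ResetLog"                                   ' assumed form name
	logDoc.ResetFor = userName
	logDoc.RequestedFrom = ctx.GetItemValue("Remote_Addr")(0)
	logDoc.ResetAt = Now
	Call logDoc.Save(True, False)

	Print "Content-Type: text/plain"
	Print "Your temporary Notes password is: " & tempPassword
	Print "It allows one ID download and must be changed at your next Notes login."
	Exit Sub

ResetFailed:
	Print "Content-Type: text/plain"
	Print "Password reset failed: " & Error$
	Exit Sub
End Sub
```

Two design points matter more than the code itself. First, the identity check is delegated entirely to Domino's HTTP authentication, so the agent is only as strong as the Internet password and the HTTPS configuration in front of it; a help-desk variant would instead take the target name from an operator whose own identity and authority are verified, and would confirm the requester out of band as the text above describes. Second, the temporary password is shown in the browser over the authenticated session; the alternative described above, mailing it encrypted to a manager, keeps it off the screen at the cost of another hop. The download count of 1 and the force-change-after-reset policy setting limit what an attacker can do with a temporary password that leaks.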
How will this save time and money?
The Notes ID vault can replace time-consuming, expensive ID file and password
recovery systems. Administrators provide instructions in the Notes login
window (which can include a URL link to a Web site) for users who have
forgotten their passwords. Passwords are easily reset using the Domino
Administrator or a custom application, and users can use the new passwords
automatically from any computer. If ID files are lost or damaged, users
are not hindered because copies of the IDs are immediately downloaded from
the vault when users provide the passwords.
In addition, tasks involving the ID file, such as ID file synchronization,
user renames, and user key rollovers, will no longer require any user involvement
and will automatically be handled by the ID vault, reducing complexity
and saving time.
The “Auditor” function can be used to extract ID files for legal discovery or access to encrypted data, preventing the loss of valuable information.
What release of Domino and Notes is required to use an ID vault?
To use a vault, IBM® Lotus® Notes® clients must run Release 8.5 or later.
Vault servers must run Release 8.5 or later. A user's home server or at
least one server in a home server cluster must run Release 8.5 or later
but does not have to be a vault server. The Domino Directory administration
server must run Release 8.5 or later but does not have to be a vault server.