If you have secured your Domino data for use with the Lotus Notes client, that data is also secured when it is accessed from a browser. However, there are additional considerations once you have enabled the Domino web server (the HTTP task). This article gives new Domino administrators basic security recommendations and concepts for granting Internet access to a Domino server. It covers how to enforce server access settings and how to control anonymous access, and it links to further resources on Internet password lockout, SSL and more.
Server Access
The HTTP server honors the database access control list (ACL) as well as document-level access controls such as Readers and Authors fields. A Notes certificate is not required to authenticate via HTTP: to access Domino data from a browser, the user must have a valid Person document with an Internet password, or a token if single sign-on (SSO) is in use. The user must also be allowed to access the server. By default, anyone listed in the Domino directory can access the Domino server via HTTP, but this can be restricted with the server access settings. Specifically, on the Security tab of the server document you can define who may access the Domino server, as shown in figure 1.
By default, these settings are not honored by HTTP. To force HTTP to honor them, set Enforce server access settings to Yes on the Ports → Internet Ports… → Web tab of the server document, as shown in figure 2. On the same tab you can also choose whether or not to allow Anonymous access to the server.
User Security and Authentication
To protect your users and their passwords, Domino provides an Internet Password Lockout feature, which locks out a user after a configurable number of failed login attempts. For more information on Internet password lockout, refer to the article Securing an IBM Lotus Domino Web server: Using the new Internet lockout feature.
The Domino HTTP server caches user names and Internet passwords for 2 days (48 hours) by default. As a result, after an Internet password is changed there is a period during which both the old and the new password are accepted. If this is unacceptable in your organization, you can shorten that window with the NOTES.INI setting HTTP_Pwd_Change_Cache_Hours=<# of hours>. Be aware that restarting the HTTP task rebuilds the cache, so the old password stops being accepted immediately, regardless of the value of HTTP_Pwd_Change_Cache_Hours. If you have multiple web servers, you must also consider your replication topology, as it may take some time for the new password to replicate throughout your environment.
Often you will want users who are not defined directly in your directory (names.nsf) to be able to access data on the web, or you may already have a user directory that is used throughout your enterprise. Domino provides this functionality through directory assistance. For information on directory assistance, refer to How to set up Directory Assistance in Domino or 3.4 Multiple Directories.
Domino supports multiple authentication types. You can enable session authentication to minimize the number of login prompts presented to the user, at either a single-server or a multi-server level. Here are some resources related to authentication and single sign-on (SSO):
Database Security
When looking into database security, there are several questions Domino administrators typically ask. Can anonymous users access the data? Is there a way to force SSL access to this data? How do I control what page is displayed when the database is opened? Can I prevent certain databases from being viewed with a browser? The following sections answer these questions.
Anonymous Access to Domino data
Domino provides an additional level of security within the Access Control List (ACL) of each database for access over Internet protocols such as HTTP, DIIOP, POP3 or IMAP. Every Domino database on a server running the HTTP task should have an Anonymous entry in its ACL. While you can disable anonymous access at the server level, as seen above in figure 2, it is best practice to add an Anonymous entry to the ACL of each database on the server as well: if Anonymous is not present in the ACL, anonymous users are granted whatever the Default entry allows. Adding the Anonymous entry is especially important on mail databases, because many users allow or delegate read access to their calendar to everyone, which would otherwise expose those calendar documents to anonymous browsers. You can also cap the authority granted when data is accessed from the Internet. For example, if you have an application that you want visible from the web but do not want anyone to edit from the web, you can set Maximum Internet name and password to Reader. Then anyone accessing the database over one of the Internet protocols is granted at most Reader access, even if they are listed in the ACL with a higher level. For mail files, the recommended Maximum Internet name and password setting is Editor.
The Domino Administrator client makes it easy to modify the ACL of many databases at once. For example, to modify the ACL for all files in the mail directory, right-click the folder and select Access Control → Manage…. The Manage Multiple ACLs window is displayed, and the top of the window shows how many databases you are about to modify. Click the Add… button and enter Anonymous with an access level of No Access. Once added, you should see Anonymous listed under Apply these changes to all X databases, as seen in figure 3.
You can then select the Advanced tab to set Maximum Internet name and password to Editor, as shown in figure 4.
When you click OK, the client connects to the server and modifies the ACL of every selected database that you, as the administrator, have authority to modify, or of all selected databases if you are using full access administration. When finished, the client reports whether the process completed successfully or whether there were errors, as seen in figure 5.
Note that any database that already contains an Anonymous entry will be reported as an error, because the tool was asked to add an entry that already exists. You can review the log or the status bar to see why an error occurred; see figure 6. If this happens, run the tool again, this time choosing to modify the existing Anonymous entry rather than add it. That way you can be certain that Anonymous is set to No Access in every database without checking each one by hand.
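The following Python script is an added example (it is not part of the original article or of the Domino Administrator client) that models the two rules described above, so that after running Manage Multiple ACLs you can verify the result across a list of databases: anonymous users fall back to the Default entry when no Anonymous entry exists, and Maximum Internet name and password caps every entry for Internet-protocol access. The database paths, user names and ACL contents in SAMPLE are constructed for illustration; in practice you would export the real ACLs (for example with the Notes API) into the same structure before running the audit.

```python
"""Audit Domino database ACLs for web exposure (added example).

Models the article's rules: with no Anonymous entry, anonymous browser
users get the -Default- level; Maximum Internet name and password caps
every level for Internet-protocol (HTTP, DIIOP, POP3, IMAP) access.
The ACL data below is constructed by hand, not read from a server.
"""

# Domino ACL levels in ascending order of authority.
LEVELS = ["No Access", "Depositor", "Reader", "Author",
          "Editor", "Designer", "Manager"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def effective_internet_access(acl, name):
    """Access `name` gets over an Internet protocol.

    acl: {"entries": {name: level, ...}, "max_internet": level}
    A name not listed explicitly (Anonymous included) falls back to
    -Default-; group membership is not resolved in this model.
    """
    entries = acl["entries"]
    level = entries.get(name, entries.get("-Default-", "No Access"))
    cap = acl.get("max_internet", "Manager")
    # The cap limits every entry, even explicit ones above it.
    return LEVELS[min(RANK[level], RANK[cap])]


def audit_acls(databases, mail_max="Editor"):
    """Return (path, finding) tuples for databases that violate the
    article's recommendations: missing Anonymous entry, anonymous web
    access above No Access, or a mail file whose Internet cap exceeds
    `mail_max` (the article recommends Editor for mail files)."""
    findings = []
    for path, acl in databases.items():
        entries = acl["entries"]
        if "Anonymous" not in entries:
            default = entries.get("-Default-", "No Access")
            findings.append((path, f"no Anonymous entry; Default ({default}) applies to anonymous users"))
        anon = effective_internet_access(acl, "Anonymous")
        if anon != "No Access":
            findings.append((path, f"anonymous web users get {anon}"))
        cap = acl.get("max_internet", "Manager")
        if path.startswith("mail/") and RANK[cap] > RANK[mail_max]:
            findings.append((path, f"Maximum Internet name and password is {cap}; {mail_max} recommended for mail files"))
    return findings


# Constructed sample ACLs (hypothetical paths and names).
SAMPLE = {
    "mail/jdoe.nsf": {  # configured as the article recommends
        "entries": {"-Default-": "No Access", "Anonymous": "No Access",
                    "John Doe/Acme": "Manager"},
        "max_internet": "Editor"},
    "mail/asmith.nsf": {  # no Anonymous entry, permissive Default, no cap
        "entries": {"-Default-": "Reader", "Anne Smith/Acme": "Manager"},
        "max_internet": "Manager"},
    "apps/catalog.nsf": {  # public read-only application
        "entries": {"-Default-": "Author", "Anonymous": "Reader",
                    "WebEditors": "Editor"},
        "max_internet": "Reader"},
}

if __name__ == "__main__":
    for db_path, message in audit_acls(SAMPLE):
        print(f"{db_path}: {message}")
```

For the sample above the audit reports nothing for mail/jdoe.nsf, three findings for mail/asmith.nsf (anonymous users inherit Reader from Default, and the Internet cap is Manager) and one for apps/catalog.nsf, where anonymous Reader access is intentional; note that WebEditors is capped to Reader over HTTP despite its explicit Editor entry.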
SSL Access to Domino data
As an administrator you can force SSL at the server level. For information on configuring SSL, refer to the technote How to set up SSL using a third-party Certificate Authority (CA) or the Redbooks publication Domino Certification Authority and SSL Certificates. However, most companies have public data that does not need SSL and private data that must be protected by it. To satisfy both requirements, force SSL connections at the database level. If you do want to force SSL for the whole server, simply set the TCP/IP port status to Redirect to SSL, as shown in figure 7.
To force SSL at the database level, enable the database property Require SSL connection, found on the Basics tab as shown in figure 8. With this property enabled, a user who attempts to open the database without SSL is automatically redirected to a secure connection. If you plan to set this property on mail files, point users to their mail files over a secure connection from the start, for example via the iNotes redirect application. Otherwise, mail may not load properly, because the mail file and forms85.nsf would be loaded over different connection types (HTTPS and plain HTTP), and access to forms85.nsf is needed for iNotes to display properly.
For more information about SSL, refer to the technote Frequently Asked Questions: Using Secure Socket Layer (SSL) with Notes/Domino.
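As an added example (not from the original article), the following Python script checks from the outside that Redirect to SSL or Require SSL connection actually takes effect: it requests each database over plain HTTP and expects a 3xx response whose Location header points at https:// on the same host. The host name, the paths and the responses in CONSTRUCTED are made up so that the script runs offline; probe() performs the live request when you point it at your own server.

```python
"""Verify that plain-HTTP requests to Domino databases are redirected to
SSL (added example). classify() is pure so it can be exercised on
constructed responses; probe() issues a real request. Host and paths are
assumptions, not values from the article.
"""
import http.client
from urllib.parse import urlparse


def classify(status, location, host):
    """Classify the answer to an http:// request.

    'ssl-redirect'     3xx to https:// on the same host (what Redirect to
                       SSL or Require SSL connection should produce)
    'other-redirect'   3xx elsewhere (login page, another host, plain http)
    'served-plaintext' content or an auth challenge returned on port 80
    """
    if 300 <= status < 400 and location:
        target = urlparse(location)
        if target.scheme == "https" and target.hostname == host:
            return "ssl-redirect"
        return "other-redirect"
    return "served-plaintext"


def probe(host, path, timeout=5):
    """Issue one plain-HTTP GET and classify the response."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return classify(resp.status, resp.getheader("Location"), host)
    finally:
        conn.close()


def audit_ssl(host, paths, responses=None):
    """Return (path, verdict) for every path still reachable without SSL.

    `responses`, when given, maps path -> (status, location) and replaces
    the network probe; it is used below with constructed data.
    """
    exposed = []
    for path in paths:
        if responses is not None:
            status, location = responses[path]
            verdict = classify(status, location, host)
        else:
            verdict = probe(host, path)
        if verdict != "ssl-redirect":
            exposed.append((path, verdict))
    return exposed


# Constructed responses (hypothetical host) simulating a server where only
# the mail file has Require SSL connection set; the public application and
# the directory are still answered on plain HTTP.
HOST = "domino.example.com"
CONSTRUCTED = {
    "/mail/jdoe.nsf": (302, "https://domino.example.com/mail/jdoe.nsf"),
    "/apps/public.nsf": (200, None),
    "/names.nsf": (401, None),
}

if __name__ == "__main__":
    for db_path, verdict in audit_ssl(HOST, list(CONSTRUCTED), CONSTRUCTED):
        print(f"{db_path}: {verdict}")
    # To test a live server, drop the third argument:
    # audit_ssl("your.domino.host", ["/mail/jdoe.nsf"])
```

If the whole server is set to Redirect to SSL, every path should classify as ssl-redirect; with only database-level Require SSL connection, expect the public databases to remain served-plaintext, which is the intended split described above. A 401 on port 80 still counts as plaintext exposure, since the user's credentials would then be sent in the clear.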
Additional Database Properties
There are other database properties that affect how your database can be accessed from the web including:
File System Security
Do you have sensitive data, or pieces of your web application, within the data directory of your Domino server? If so, the Domino server can read those files, and so, potentially, can a user with a browser. To be sure your files are safe, review the article Building Web applications in Domino 6: Accessing and protecting the file system, which is still technically accurate for Domino 8.5.x environments.