Although you can implement either or both the ID vault and ID Recovery
management features in your environment, replacing ID Recovery with the ID
vault is recommended. The ID vault provides all of the functionality of ID
Recovery, such as ID backup and recovery from lost passwords, and is much
easier to use and administer.
When switching from ID Recovery to the ID vault, there is no need to remove
recovery information prior to enabling the ID vault. Using ID vault policies,
an ID file with recovery information can be uploaded successfully from the
user's Notes client to the ID vault. Backups to the recovery database are still
triggered. (However, see Known Issue #1 below.)
To disable ID Recovery, use the Admin Client to edit recovery information for
each of the certifier IDs and remove all the recovery authorities. However, we
currently recommend that you delay disabling ID Recovery until 8.5.1, in which
Known Issue #2 (described below) is addressed.
To remove recovery information, an administrator with access to the certifier
ID completes these steps:
- From the IBM® Lotus® Domino® Administrator, click the Configuration tab,
and then click Certification.
- Click Edit Recovery Information.
- In the Choose a Certifier dialog box, if the correct server name does not
appear, click Server and select the registration server name from the Domino
Directory.
- Choose the certifier for which you are creating recovery information.
- If you are using a server-based CA, click "Use the CA process"
and select a certifier from the drop-down list.
 - If you are not using a server-based CA, click "Supply certifier
ID and password." If the certifier ID path and file name do not appear, click
Certifier ID, select the certifier ID file, and enter the password.
- In the Edit Master Recovery Authority List dialog box, set the value for
"How many Recovery Authorities Do You Require" to "0". Remove all Recovery
Authorities in the "Current Recovery Authorities" list. Click OK.
- When prompted "Do you want to save recovery information changes to the
current certifier?" select Yes.
- Enter the certifier password if prompted.
- On the server console, execute the command "tell adminp p a" to refresh the
certifier record. After this change has replicated to all home servers, the
server will remove the ID recovery info from the user's local ID file the next
time the user authenticates to his or her home server.
After the recovery information has been removed from the user's ID file, the
"Mail Recovery ID" button in the User Security Panel will become inactive.
Known Issues:
- There is a known issue with triggering ID Recovery backups for vault users:
if the ID file has already been backed up to the ID vault, the ID file will
not be backed up to the recovery database. However, the user may manually
trigger the backup by clicking on the "Mail Recovery ID" button in the User
Security Panel. Customers can use SPR ID# NEKO7SWMNS to track this issue.
- There is a known issue with disabling ID Recovery that is fixed in 8.5.1. It
is recommended to delay disabling ID Recovery until 8.5.1 to ensure the task is
performed cleanly and completely.
FAQ
After enabling the ID vault, are all of the IDs from the ID recovery database
directly loaded into the ID vault?
No, the IDs from the ID recovery database are not directly loaded into the ID
vault. However, you may use available ID Recovery and ID vault C APIs to
accomplish this. See APIs "SECRecoverIDFile" and "SECidfPut." Download the Lotus C
API toolkit from IBM developerWorks.