wissel.net

Usability - Productivity - Business - The web - Singapore & Twins

This article is part of a mini series. Read them all:

Domino Administration - Back to Basics

Domino Administration - Back to Basics (Part 1) - Certificates


Domino is different, a lot of its concepts predate the internet and quite often inspired the standards. This is not an step-by-step instruction, but an introduction into concepts. The "step by step" approach is another story for another time.

In the beginning was the Certificate

Notes and Domino run using ID files. This are not merly files that can arbitrarily reconstructed, but cryptographically created Public Private key pairs. To avoid naming collisions the key names are hierarchical (Since R2), so anyone can call their server Server1 without confusion (sort of). This hierarchy is achieved using X400 naming conventions, an early competitor to DNS naming. A X400 name can consist out of multiple parts, these are the ones Domino is using:

X500 Name

So the minimum is a common name and an Org. The starting point of each Domino journey is the creation of the OrgID. All other parts depend on it. Note: there isn't a country ID, even if country mentioned after the Org. When you create your OrgID (while setting up the very first server), you can specify the country and it becomes part of the OrgID.

In practise however I haven't seen many OrgIDs that would carry a country code in them. So you can skip that part.

Signing Ids

Using the OrgID as signing certificat, one can go and create server and user certificates. E.g using the OrgID /O=Acme one can create /CN=Coyotee/O=Acme. For convenience the qualifiers are usually omitted, their meaning results from the position (and the fact that country is 2 letter if present and Orgs have 3 or more). So instead of /CN=Coyotee/O=Acme one can write Coyotee/Acme.

In practise however more enlightened organisation use their OrgCert as cautiously as root certificates in the X509 world and only register/sign Organizational Unit (/OU=) Ids which then can be used to sign server and user certificates.

Trust between certificate is hierarchical, similar to Internet certificates, so IDs having the same root (/O) certifier recognizse each other. The hierachy can be used in Access Control (another story for another time) to grant access to all IDs at a given level e.g. /OU=Management/O=Acme

Types of ID files

As mentioned there are 3 types of Ids:

  • Certifiers (on /O and /OU level)
  • Server Id
  • Person Id

The distinction becomes relevant in access control where access can be granted to users or servers only. Person and Server IDs can occur on any level. Typically we see servers either on the org level or in their own OU.

Certifiers and IDs

Selecting OU levels is not an easy decisions. We see models of organisations like /OU=Sales, /OU=Board but also geography like /OU=Gernay and /OU=Singapore. This can be very deliberate. Someone moving (department or location) would get the userid recertified with the new OU. What needs careful planning: what document access is won/lost with such a move (That's a business decision, Domino can handle all scenarios when planned properly).

Cross Certification

To include certificates with a different root one uses Cross Certificates which are captured in the directory (and/or local addressbook, the user's personal directory). When one creates a cross-certification for an /O id, all the decendants (/OU/OU/O) are recognized too.

Insights

In no specific order:

  • In Notes/Domino the terms ID and certificate are loosely used interchangable
  • The concepts are similar to Internet certificates. Main difference: the parts are named and limited how long the chain can be (6 parts max). In practise you rarely see 6 level deep internet domains or Notes Names
  • The 4th level of /OU doesn't need a certifier. It is mainly recommended to distinguish multiple "John Doe"
  • Notes names are separated by /, Internet names separate the common name with @ and the domain parts with .
  • Internet names have a central naming registry run by IANA, while Domino's central registy Notes.net never took off. So you can create as many /O=Acme certifiers as you like (technically you can do that with your own CA too)
  • Creating Certificates with the same name does NOT create the same public/private key pair. All trust relations will not work. IDs signed with the old certifier will throw a trust error for the new one. Also all cross-certificates break
  • Cleaning up Name conflicts is a huge mess. So don't do that
  • Notes IDs can hold X509 certificates for signing internet messages
  • A personal Notes address book or the Domino directory can hold external X509 public keys to validate signatures or encrypt outgoing messages
  • To minimize the hassle for handling certificates Domino provides a Certificate Authority and an ID-Vault. Set them up. Saves headaches!
  • ID Files, both on the server and the client are used to encrypt databases. Loose the ID, loose access! A well managed IDVault is your life insurance
  • Back things up. Make sure they are save! One organisation I encountered printed hex dumps of all cert and server ids and locked them in their corporate vault. Smart move. I wonder if they repeated that, as they should, at key rollover time
  • Certificates don't live forever. They need to roll over keys. Plan that well and use an IDVault - and back up everything before you start
  • Pro Tip: If you are shure your server's future DNS name won't change, you can name the CN part after the full qualified DNS name. E.g CN=lion.exoticpets.org/OU=Servers/O=Pets4Us. It will help as you will learn in Part 2
  • Really: use an IDVault
  • Did I mention: use an IDVault

What are your insights or concepts you like to know?


Posted by on 04 February 2020 | Comments (3) | categories: Domino

Comments

  1. posted by Norman Carnovale on Tuesday 04 February 2020 AD:

    Of additional value to this article would be instructions on actually how to set up the ID Vault.


  2. posted by Stephan Wissel on Tuesday 04 February 2020 AD:

    Patience, Norman, patience - and thx for stopping by.
    I just got started. Practical How-To are on the list once the core concepts are explained. Not too long. Stay tuned!


  3. posted by Richard Schwartz on Tuesday 04 February 2020 AD:

    You might want to mention right up near the beginning that id files can be user id files, server id files, or cert id files and that cert id files are required to create user and server id files.

    Also, the naming convention is similar to, but not exactly like the X.400/500 naming convention, which survives to this day as the LDAP naming convention. DNS is really a different animal entirely.