You want to implement ID Vault? You already have ID Vault up and running but have not collected all users' ID files? You need a more detailed understanding of how ID Vault security is implemented and why you should not create new replicas of your ID Vault database? This session gives you a detailed technical understanding of how ID Vault works and of the best practices for implementing it. It provides security recommendations and covers how to troubleshoot typical ID Vault situations.
ID Vault - Implementation, Security and Troubleshooting - for IBM Notes and Domino
1. MWLUG 2013 – ID Vault
ID Vault – Implementation, Security and Troubleshooting
Olaf Boerner, BCC
2. MWLUG 2013 – ID Vault
About @olafboerner
CEO and founder of BCC
Working with Lotus Notes since Version 3 in 1993
I am working with large enterprise customers as Senior Architect
1. To reduce the Total Cost of Ownership of Notes/Domino
2. To secure and optimize IBM Domino infrastructures
3. MWLUG 2013 – ID Vault
ID Vault – History
• 8.5 Initial release
• 8.5.1 Integration with iNotes, Traveler and Blackberry
• 8.5.2 C API exposed
• 8.5.3 Citrix support
Why so late? Maybe too late!
4. MWLUG 2013 – ID Vault
ID Vault – Architecture
ID Vault Server:
• Domino 8.5 or higher
• Only the ID Vault server must run on 8.5
• Dedicated ID Vault server or home server
Lotus Notes Client:
• Notes 8.5 or higher – 8.5.3 recommended
• The client asks its home server for a list of servers that have a replica of the vault
5. MWLUG 2013 – ID Vault
ID Vault – Architecture
ID Vault Database
• One database for each ID Vault on a server
• Replicas on ID Vault servers
• You must use the Admin client -> do not just create a replica
One ID Vault document for each user
• Notes ID as an „attached“ file
• Stored without its password – „Authentication Data“
• Fields contain download information etc.
• ID Vault documents are not signed !!!
Access to ID Vault
• The Notes client does not have access to the ID Vault
• nserver.exe acts as an „application proxy“
6. MWLUG 2013 – ID Vault
ID Vault based on Notes PKI
ID Vault uses Notes certificates
• ID Vault creates a „vault certifier“ („Notes Cross Certificate“)
• Each ID Vault uses its own „vault certifier“
Trust relationships
• ID Vault uses cross certification with the current certifier
• Collecting ID files
  • only with valid cross certification
  • the ID file's public key must match its certifier
• Password resets
  • only users with cross certification can reset passwords
DEMO
7. MWLUG 2013 – ID Vault
ID Vault – Core functions
• ID file provisioning / deployment
• Collect existing ID files
• Synchronize ID files
• Central password reset
• Extract ID files for „Auditor“
9. MWLUG 2013 – ID Vault
ID Vault provisioning / deployment
Use this feature for initial client setup!
The user ID must be in the ID Vault database
• Upload during / after registration
Notes.ini must contain
• KeyFileName_Owner=CN=Peter Parker/O=BCC_AdminTool
If you want a user-specific file name:
• KEYFILENAME=C:\Lotus Notes\data\pparker.id
11. MWLUG 2013 – ID Vault
Collect existing ID files -> Vault policy
Policies are essential for implementing ID Vault
Still not using policies?
• Now you have to!
• They are signed!
Security Settings document
• Assign ID Vault
• Enforce password change after the password has been reset
• Allow automatic ID downloads: Yes
• If No: allow ID downloads for x days
• The Security Settings document needs to be in the client's personal NAB!
13. MWLUG 2013 – ID Vault
ID Vault – Synchronizing ID files
Changes to a local ID file
• Internet certificate
• Secret encryption key
The Notes client will trigger an immediate resynchronization with the ID Vault
• if it has an online connection
Other clients will check for changes and synchronize
• Checks the local ID against fields in the ID Vault document
  • IDModHash and
  • IDModTime
• IMPORTANT: the password must be the same
15. MWLUG 2013 – ID Vault
„Two Password“: ID File and in Vault
Source: IBM internal Presentation
17. MWLUG 2013 – ID Vault
Central password reset
Works in 3 steps
• 1. Change the password in the ID Vault
• 2. The user uses the ID with the new password
• 3. The user needs to use the new password with all of his ID files
A direct online connection is required
For offline support you still need to use the old recovery key procedure
18. MWLUG 2013 – ID Vault
Central password reset
Again: be careful
• The user must use the same password for all copies of his ID file
• If the passwords do not match, the IDs cannot be resynchronized anymore !!!
Do not force your users to change passwords with central password reset !!!
• Password settings are the right tool!
19. MWLUG 2013 – ID Vault
Changing the password
What happens when the user changes the password?
• The password change will be synchronized with the ID Vault immediately
  • if he has an online connection
  • if not, it will be synchronized at the next server connection
• But he can still use other ID files with the old password
Example
• Changing the password at your desktop / Citrix client
• Working with your old password on your notebook
• The ID files will not synchronize anymore
21. MWLUG 2013 – ID Vault
ID Vault Auditor
Extract ID files for an „Auditor“
• Auditor role in the ID Vault ACL
• Requires the Admin client
DEMO
How to prevent it?
• Control the ID Vault ACL
• SECURE_DISABLE_AUDITOR=1 on the ID Vault server
I do not like this function !!! Why not use a trust certificate similar to password reset?
22. MWLUG 2013 – ID Vault
ID Vault – Makes life easier
• Key rollover
• Reading encrypted mails on mobile devices
• Using iNotes with ID files
• Notes Shared Login
• Rename without user involvement
23. MWLUG 2013 – ID Vault
ID Vault integration with „external programs“
Using ID Vault with Traveler, iNotes and Blackberry
24. MWLUG 2013 – ID Vault
ID Vault Integration
Released in 8.5.1
Security Settings document
• Allow Notes-based programs to use the Notes ID Vault: Yes
Provides ID handling and synchronizes changes
• Deploy ID
• Password reset & change
• Rename
Supports Traveler, Blackberry and iNotes
GOOD does not support provisioning IDs from ID Vault
25. MWLUG 2013 – ID Vault
ID Vault Integration – „uncovered“
ID Vault supports the mail file profile
• ProfileNoteName = "$shimmerid"
• ProfileNoteName = "$rimid"
The ID file is not a „working“ attachment due to encryption
Internal usage
• To create the profile using the C API: SECAttachIdFileToDB – attach an ID file to a profile note and create / overwrite the existing profile
• To use that ID: SECExtractIdFileFromDB – extract an ID file from a profile note
• The current password must be provided
27. MWLUG 2013 – ID Vault
ID Vault Log
Client:
• Log.nsf
Server:
• Log.nsf
• DDM.nsf – all server error messages
• IDVault log
28. MWLUG 2013 – ID Vault
ID Vault – Server Log
Log.nsf – Security Events
• ID Vault creation, ID uploads, ID downloads
• ID extracts
• Password resets
View: Security Events
29. MWLUG 2013 – ID Vault
Typical Log Entries
What is logged when the user changes something in his ID file (such as adding a new document encryption key), triggering a synchronization with the vault?
• Client log: 10/01/2008 02:00:28 PM ID 'C:\Program Files\Lotus\Notes\Data\user.id' successfully synchronized with vault 'O=third' on server 'CN=pm1/O=RECompany' by 'Samantha Daryn/RECompany'.
• Server log: 10/01/2008 02:00:28 PM ID successfully synchronized with vault 'O=third' for 'Samantha Daryn/RECompany' (IP Address 9.33.163.219:1313).
What is logged when the user recovers from a forgotten password by using the new password?
• Client log: 10/01/2008 03:53:32 PM ID 'C:\Program Files\Lotus\Notes\Data\user.id' successfully synchronized with vault 'O=newest' on server 'CN=pm1/O=RECompany' by 'Samantha Daryn/RECompany'.
• Server log: 10/01/2008 03:53:31 PM ID successfully synchronized with vault 'O=newest' for 'Samantha Daryn/RECompany' (IP Address 9.33.164.153:2406).
30. MWLUG 2013 – ID Vault
Typical Log Entries
What is logged when the user has lost his ID file, but the Notes client automatically recovers from the lost ID file?
• Client log: 10/01/2008 03:37:36 PM ID 'C:\Program Files\Lotus\Notes\Data\user.id' successfully downloaded from vault 'O=newest' on server 'CN=pm1/O=RECompany' by 'Samantha Daryn/RECompany'.
• Server log: 10/01/2008 03:37:36 PM ID successfully downloaded from vault 'O=newest' by 'Samantha Daryn/RECompany' (IP address 9.33.164.153:2350).
31. MWLUG 2013 – ID Vault
Some log entries are client-based only !!
What is logged when a new ID Vault administrator is added?
• Client log: 10/01/2008 02:31:43 PM Adding administrator Joe Blow/RECompany to this vault Joe Blow/RECompany was successfully added.
• Server log: Nothing is logged on the server.
What is logged when an ID Vault administrator is removed?
• Client log: 10/01/2008 02:39:56 PM Adding administrator Joe Blow/RECompany to this vault Joe Blow/RECompany was successfully removed.
• Server log: Nothing is logged on the server. Note: the client log should say "Removing administrator Joe Blow/RECompany from this vault..."
32. MWLUG 2013 – ID Vault
Some log entries are client-based only
What is logged when a Password Reset Authority is added?
• Client log: 10/01/2008 03:04:50 PM PasswordReset Authority/RECompany will be able to reset passwords for users in organization /RECompany
• Server log: Nothing is logged on the server.
What is logged when a Password Reset Authority is removed?
• Client log: 10/01/2008 02:44:00 PM PasswordReset Authority/RECompany will no longer be able to reset passwords for users in organization /RECompany
• Server log: Nothing is logged on the server.
33. MWLUG 2013 – ID Vault
ID Vault – Monitoring
Domino Domain Monitoring > ddm.nsf
• All server error messages are reported to the Domino server console
• Sh idvault
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/id-vault-logging-for-8.5-faq
34. MWLUG 2013 – ID Vault
ID Vault – Monitoring
Troubleshooting
Domain monitoring: DDM database
35. MWLUG 2013 – ID Vault
ID Vault – Client Monitoring
ID Vault uses the local log.nsf
• Check Security Events
• A debug setting will enable text file logging
ID Vault client Notes.ini entries
• IDVAULT_COUNT1=0
• IDVAULT_STAMP1=13.03.2013 11:49:30
• IDVaultLastServer=CN=Demo Server/O=BCC_AdminTool
• IDVaultLastFlushTime=06.02.2013 20:04:27
37. MWLUG 2013 – ID Vault
ID Vault Security
You have a central ID „inventory“
Security requirements are getting critical
I assume that you already have some basic security concepts in place
• Secure access to certifier files: more than one password!
• Restricted access to the server file system: it must not be possible to simply copy your data directory
38. MWLUG 2013 – ID Vault
ID Vault Security
2048-bit RSA Vault Operation Key (VO)
• Created during initial setup (based on the vault certifier)
• A single VO key for each ID Vault
The encryption chain
• ID files have no password
• Each ID file is encrypted with its own symmetric 256-bit AES storage encryption (SE) key
• Each SE key is encrypted with the VO key
• Check the VOKeyName field in the person document
• How is the VO key encrypted?
39. MWLUG 2013 – ID Vault
How is the VO key encrypted?
The VO key is critical for security
• Decrypt it and you have access to the ID files
• ID files do not have passwords
Until now symmetric encryption has been used: a password or any other key
Other key, using the Notes PKI:
• Switch to asymmetric encryption
• Private key in the server ID
• Stored in each profile document
40. MWLUG 2013 – ID Vault
The server ID is your weak spot!
Protect your server ID with a password!
• IBM recommendation
• Paul Mooney – AdminBlast
41. MWLUG 2013 – ID Vault
ID Vault: Why secure your server ID
IBM Recommendation: Securing the server ID file
„We understand that most Domino servers are not password-protected to make unattended reboots simpler, but the vault server's ID file is a key element in the security of your ID vault.“
„..a sophisticated attacker with a vault database and one of the corresponding server IDs ... would have all of the cryptographic information needed to masquerade as the vault server and decrypt all of the ID files stored in the vault.“
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/securing-your-notes-id-vault-server
42. MWLUG 2013 – ID Vault
ID Vault: Why secure your ID Vault ACL
Everyone with the Auditor role and an Admin client is able to download ID files from the ID Vault
ACL change?
• Full Access Administrators are able to do this
• Server-based script agents
ID Vault document change?
• Resetting the download flag
Preventing unwanted changes in the ID Vault is mandatory
43. MWLUG 2013 – ID Vault
ID Vault: Why secure your log.nsf
ID Vault operations are written to log.nsf
• Download IDs
• Extract IDs
Security Events
• ID for User successfully extracted from Vault „O=Demo“ by auditor „Admin“ (IP Address)
• ID for „User“ IP Address ..... in Vault O=Demo was not downloaded because the wrong password was supplied
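The server-side Security Events quoted on the log slides (29 to 32) and on this slide follow a stable text pattern, so log.nsf can be mined for the events a vault owner should review: every auditor extract, every password reset, and bursts of wrong-password download attempts from one address. The following Python script is an added example, not part of the deck or of IBM's tooling; its sample log lines are constructed after the quoted entries, and the exact wording of the extract and wrong-password lines is assumed from the paraphrase above (the parser keys on a phrase in each line, not on word order).

```python
import re
from collections import Counter

# Constructed sample server log (log.nsf Security Events) modelled on the deck's quoted entries; names, vaults and IPs are made up.
SAMPLE_SERVER_LOG = """\
10/01/2008 03:37:36 PM ID successfully downloaded from vault 'O=newest' by 'Samantha Daryn/RECompany' (IP address 9.33.164.153:2350).
10/01/2008 03:40:02 PM ID for 'Joe Blow/RECompany' in vault 'O=newest' was not downloaded because the wrong password was supplied (IP address 10.0.0.7:2401).
10/01/2008 03:40:09 PM ID for 'Joe Blow/RECompany' in vault 'O=newest' was not downloaded because the wrong password was supplied (IP address 10.0.0.7:2402).
10/01/2008 03:40:15 PM ID for 'Joe Blow/RECompany' in vault 'O=newest' was not downloaded because the wrong password was supplied (IP address 10.0.0.7:2403).
10/01/2008 04:10:00 PM ID for 'Samantha Daryn/RECompany' successfully extracted from vault 'O=newest' by auditor 'Admin Domino/RECompany' (IP Address 10.0.0.9:1202).
10/01/2008 04:12:30 PM Password for 'Joe Blow/RECompany' with 0 downloads was reset by 'Admin Domino/RECompany' (IP Address 10.0.0.9:1203) from process nserver
"""

LINE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) (.*)$")
QUOTED = re.compile(r"'([^']+)'")
IP = re.compile(r"\(IP address ([\d.]+):\d+\)", re.IGNORECASE)

# Event kind, the phrase identifying it, index of the affected user among the quoted names, index of the acting admin/auditor (if any).
KINDS = [
    ("extract", "successfully extracted from vault", 0, 2),
    ("reset", "was reset by", 0, 1),
    ("denied", "wrong password was supplied", 0, None),
    ("download", "successfully downloaded from vault", 1, None),
    ("sync", "successfully synchronized with vault", 1, None),
]

def parse_event(line):
    """Parse one security event into a dict, or None if it is not an ID Vault event."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, msg = m.groups()
    names, ip = QUOTED.findall(msg), IP.search(msg)
    for kind, phrase, user_idx, actor_idx in KINDS:
        if phrase in msg and len(names) > max(user_idx, actor_idx or 0):
            return {"ts": ts, "kind": kind, "user": names[user_idx],
                    "actor": names[actor_idx] if actor_idx is not None else None,
                    "ip": ip.group(1) if ip else None}
    return None

def review(log_text, denied_threshold=3):
    """Return what a vault owner should look at: every auditor extract and password
    reset, plus source IPs with repeated wrong-password download attempts."""
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    by_kind = lambda k: [(e["user"], e["actor"], e["ip"]) for e in events if e["kind"] == k]
    denied = Counter(e["ip"] for e in events if e["kind"] == "denied")
    return {"extracts": by_kind("extract"), "resets": by_kind("reset"),
            "denied_bursts": {ip: n for ip, n in denied.items() if n >= denied_threshold},
            "counts": Counter(e["kind"] for e in events)}
```

Because administrator and Password Reset Authority changes are logged on the client only (slides 31 and 32), a server-side review like this must be complemented by protecting the vault ACL itself.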
44. MWLUG 2013 – ID Vault
Password protected server ID file
45. MWLUG 2013 – ID Vault
ID Vault: Security Recommendations
Log database
• Limit access and prevent document deletion / modification
ID Vault database
• Monitor ACL changes (DDM)
• Prevent document changes
Server ID
• Protect with a password
File system
• Limit access to prevent a „private snapshot“ copy
46. MWLUG 2013 – ID Vault
Reset Passwords with ID Vault
What is the best way?
47. MWLUG 2013 – ID Vault
Password Reset using Admin client
48. MWLUG 2013 – ID Vault
Password Reset using Admin client
Requires
• Access for the Admin client
• An assigned Password Reset certificate
• NO access level to the ID Vault is needed for password reset
Audit / Log
• Log.nsf Security Events
• „Password for 'Admin Domino/BCCVM' with 0 downloads was reset by 'Admin Domino/BCCVM' (IP Address 192.168.74.140:1202) from process nserver“
50. MWLUG 2013 – ID Vault
Self Service Password Resets
Sample Database: pwdResetSample.nsf
51. MWLUG 2013 – ID Vault
Password Reset – Best practices
Send to a trusted person
• Print out the email
• No access to the ID file
Send the password to the user
• as SMS to the mobile phone
• to a private email address
• Requires that you have these data in your „application“
Tell him on the phone
• Secret authentication questions should be provided
Self-service application
• Create the password or the user enters the password
• Check complexity
• Send mail to the defined address
52. MWLUG 2013 – ID Vault
Programming Password Reset -> C API, LotusScript
Password Reset
• C API: SECidvResetPassword
• LotusScript, Java: notesSession.ResetUserPassword( servername, username, password[, downloadcount ] )
  • Password: new password for username's ID
  • Downloadcount: if "Allow automatic ID downloads" is set to "No" -> set to 2
Check out the sample database: pwdResetSample.nsf
53. MWLUG 2013 – ID Vault
Programming Password Reset -> Security
Password reset certificates need to be issued with the „programming flag“ to:
• the signer of the LotusScript agent
• the server ID on which the application is running
55. MWLUG 2013 – ID Vault
Troubleshooting: Whose ID files have been collected?
IBM ID Vault Database Scanner
• Agent code
• Compares all person entries in your Domino Directory
• Creates a report about IDs missing from the ID Vault
• http://www-10.lotus.com/ldd/dominowiki.nsf/dx/IBM_Lotus_Notes_ID_Vault_Database_Scannercol_An_overview
Hey IBM: why not include it in the ID Vault template?
56. MWLUG 2013 – ID Vault
Troubleshooting ID Upload
Clear the 'IDVault' entries from 'notes.ini' and restart
• The upload process is carried out in a random manner – so wait!
• Check if the user has direct access to the ID Vault server
Check the 'KeyFileName' parameter in 'notes.ini'
• It should be the same as the ID file
• „Renaming to User.id might help“
Check if the policy document is assigned to the user
• Check the local personal address book
  • Template 8.5.x
  • Does the view ($Policies) contain the Security Settings document?
Check if the public keys of the user ID and the certifier ID match
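To support the notes.ini steps above (record the IDVault entries before clearing them, and check KeyFileName and its owner), here is an added Python helper that is not part of the deck; the sample notes.ini fragment is constructed from the client keys shown on slide 35, and its paths and server names are made up.

```python
import re

# Constructed sample notes.ini fragment: keys from slide 35, values made up.
SAMPLE_NOTES_INI = """\
[Notes]
Directory=C:\\Lotus Notes\\data
KeyFileName=C:\\Lotus Notes\\data\\pparker.id
KeyFileName_Owner=CN=Peter Parker/O=BCC_AdminTool
IDVAULT_COUNT1=0
IDVAULT_STAMP1=13.03.2013 11:49:30
IDVaultLastServer=CN=Demo Server/O=BCC_AdminTool
IDVaultLastFlushTime=06.02.2013 20:04:27
"""

def parse_ini(text):
    """Return notes.ini key/value pairs; keys are lower-cased because notes.ini keys are case-insensitive."""
    pairs = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith(("[", ";")):
            key, value = line.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs

def idvault_status(text):
    """Collect what the troubleshooting slide asks you to look at before clearing anything:
    the cached vault state, the last vault server used, and the KeyFileName / owner pair."""
    ini = parse_ini(text)
    keyfile = ini.get("keyfilename")
    return {
        "vault_keys": sorted(k for k in ini if k.startswith("idvault")),
        "last_server": ini.get("idvaultlastserver"),
        "keyfile": keyfile,
        "owner": ini.get("keyfilename_owner"),
        # KeyFileName should point at the user's own ID file, not be empty or a directory
        "keyfile_is_id": bool(keyfile) and keyfile.lower().endswith(".id"),
    }

def clear_idvault_entries(text):
    """Drop every IDVault* line (the 'clear and restart' step) and return the new file content."""
    kept = [l for l in text.splitlines() if not re.match(r"\s*idvault", l, re.IGNORECASE)]
    return "\n".join(kept) + "\n"
```

Save the output of idvault_status before you overwrite notes.ini, since the cached IDVaultLastServer is often the first hint of which vault server the client was talking to.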
57. MWLUG 2013 – ID Vault
Troubleshooting
Roaming
• An ID in the local NAB will interfere with ID Vault
• IBM provides a utility
ID Vault requires a network connection
The Notes client tries to connect to the first available ID Vault server in the list
• The server name is cached (Notes.ini variable IDVaultLastServer)
• Set the ID Vault notes.ini variables to capture additional information
59. MWLUG 2013 – ID Vault
ID Vault Limitations
However, ID Vault is great
• No cross-domain vaults are supported
• Tightly integrated with policies, even when using the API
• Setting up ID Vault requires the Admin client and manual steps
• Working offline can create issues
60. MWLUG 2013 – ID Vault
BCC
Olaf Boerner
olaf_boerner@bcc.biz
Thank You!