MWLUG 2013 – ID Vault
ID Vault Implementation, Security and Troubleshooting
Olaf Boerner, BCC
About @olafboerner
CEO and founder of BCC
Working with Lotus Notes since Version 3 in 1993
I am working with large enterprise customers as Senior Architect
1. To reduce Total cost of Ownership of Notes/Domino
2. To secure and optimize IBM Domino infrastructures
ID Vault
History
• 8.5: initial release
• 8.5.1: integration with iNotes, Traveler and BlackBerry
• 8.5.2: C API exposed
• 8.5.3: Citrix support
Why so late? Maybe too late!
ID Vault – Architecture
ID Vault Server:
• Domino 8.5 or higher
• Only the ID Vault servers must run on 8.5 or higher
• Dedicated ID Vault server or the users' home server
Lotus Notes Client
• Notes 8.5 or higher – 8.5.3 recommended
• The client asks its home server for a list of servers that have a replica of the vault
ID Vault Architecture
ID Vault Database
• One database for each ID Vault on a server
• Replicas on the ID Vault servers
• You must use the Admin client to create them -> do not just create a replica
One ID Vault document for each user
• Notes ID stored as an „attached“ file
• Stored without its password – „Authentication Data“
• Fields contain download information etc.
• ID Vault documents are not signed!!!
Access to the ID Vault
• The Notes client does not have direct access to the ID Vault database
• nserver.exe acts as an „application proxy“
ID Vault based on Notes PKI
ID Vault uses Notes certificates
• ID Vault creates a „vault certifier“ (a Notes cross certificate)
• Each ID Vault uses its own „vault certifier“
Trust relationships
• The ID Vault uses cross certification with the current certifier
• Collecting ID files
• only with a valid cross certification
• the ID file's public key must match its certifier
• Password resets
• only users with a cross certification (password reset certificate) can reset passwords
DEMO
ID Vault - Core functions
ID File provisioning / deployment
Collect existing ID Files
Synchronize ID files
Central password reset
Extract ID Files for „Auditor“
ID Vault provisioning / deployment
Use this feature for the initial client setup!
The user ID must already be in the ID Vault database
• Upload during / after registration
Notes.ini must contain
• KeyFileName_Owner=CN=Peter Parker/O=BCC_AdminTool
If you want a user-specific filename
• KEYFILENAME=C:\Lotus Notes\data\pparker.id
Collect existing ID Files -> Vault Policy
Policies are essential for implementing ID Vault
Still not using policies?
• Now you have to!
• Policy documents are signed!
Security Settings document
• Assign ID Vault
• Enforce password change after password has been reset
• Allow automatic ID downloads: Yes
• If No: allow ID downloads for x days
• The Security Settings document must be present in the client's personal address book!
ID Vault Synchronizing ID Files
Changes to a local ID file, e.g.
• a new Internet certificate
• a new secret encryption key
make that Notes client trigger an immediate resynchronization with the ID Vault
• if it has an online connection
The user's other clients check for changes and synchronize
• The local ID is checked against fields in the ID Vault document:
• IDModHash and
• IDModTime
• IMPORTANT: the password must be the same on the local ID and in the vault
ID Vault Synchronizing Passwords
User changes the Notes password on the desktop PC
• Immediate synchronization with the ID Vault
User uses the laptop PC at home
• He „should“ use the new password
• But he can still use the old password!
• The ID copies become out of sync
[Figure: Changing Passwords – desktop client, ID files and vault. 1. User changes password on desktop client, triggering an immediate resynchronization with the ID vault.]
„Two passwords“: one in the ID file and one in the vault
Source: IBM internal presentation
Central password reset
Works in 3 steps
• 1. Change the password in the ID Vault
• 2. The user logs in with the new password; the client fetches the updated ID from the vault
• 3. The user must use the new password with all his ID files
A direct online connection to a vault server is required
For offline support you still need the old recovery key procedure
Central password reset
Again: be careful
• The user must use the same password for all copies of his ID file
• If the passwords do not match, the IDs cannot be resynchronized anymore!!!
Do not force your users to change their password via central password reset!!!
• Password settings (in the policy) are the right tool for that
Changing password
What happens when the user changes the password?
• The password change is synchronized with the ID Vault immediately
• if the client has an online connection
• if not, it is synchronized at the next server connection
• But he can still use other copies of the ID file with the old password
Example
• Change the password on your desktop / Citrix client
• Keep working with the old password on your notebook
• The ID files will not synchronize anymore
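The synchronization and password rules from the preceding sections (ID file synchronization, central password reset, changing passwords) as a small Go model. This is an added example, not code from the presentation or from IBM: it models only the rules the slides state (a copy syncs while its password matches the vault, a copy opened with an old password keeps working but can no longer sync, logging in with the vault's password replaces the stale copy). The functions, the IDModTime stand-in and the passwords are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// IDCopy is one local copy of a user's Notes ID file (model, not Notes code).
type IDCopy struct {
	Name     string // where the copy lives, e.g. "desktop", "laptop"
	Password string // password protecting this copy
	ModTime  int    // stands in for IDModTime: bumped on every change
}

// VaultDoc is the user's document in the vault: the ID is stored without a
// password, but the vault knows the current password and IDModTime.
type VaultDoc struct {
	Password string
	ModTime  int
}

var (
	ErrOutOfSync     = errors.New("local and vault passwords differ: cannot resynchronize")
	ErrWrongPassword = errors.New("wrong password")
)

// Sync exchanges changes between a local copy and the vault. The slides'
// rule: the passwords must match, otherwise the copy can never be synced.
func Sync(c *IDCopy, v *VaultDoc) error {
	if c.Password != v.Password {
		return ErrOutOfSync
	}
	if c.ModTime > v.ModTime {
		v.ModTime = c.ModTime // local change (e.g. new encryption key) goes up
	} else {
		c.ModTime = v.ModTime // newer vault version comes down
	}
	return nil
}

// Login opens a local copy with the typed password and, when online,
// synchronizes. A copy whose password no longer matches the vault still
// opens with its old password (the problem the slides warn about); logging
// in with the vault's password instead replaces the stale copy.
func Login(c *IDCopy, v *VaultDoc, typed string, online bool) error {
	switch {
	case typed == c.Password && !online:
		return nil // works offline, nothing is synced
	case typed == c.Password:
		return Sync(c, v)
	case online && typed == v.Password:
		c.Password, c.ModTime = v.Password, v.ModTime // download from vault
		return nil
	}
	return ErrWrongPassword
}

// ChangePassword is the user changing the password on one copy; when online
// the change is pushed to the vault at once, otherwise at the next
// connection (and only if the copy is still in sync by then).
func ChangePassword(c *IDCopy, v *VaultDoc, newPW string, online bool) error {
	oldPW := c.Password
	c.Password, c.ModTime = newPW, c.ModTime+1
	if !online {
		return nil
	}
	if oldPW != v.Password {
		return ErrOutOfSync
	}
	v.Password, v.ModTime = newPW, c.ModTime
	return nil
}

// CentralReset is step 1 of the central password reset: the administrator
// sets a new password in the vault only. Steps 2 and 3 happen when the user
// logs in with the new password on each of his copies.
func CentralReset(v *VaultDoc, newPW string) {
	v.Password, v.ModTime = newPW, v.ModTime+1
}

// Scenario replays the slides' example and returns the outcome of each step.
func Scenario() (laptopOldPW, laptopNewPW, desktopAfterReset error) {
	vault := &VaultDoc{Password: "winter2013", ModTime: 1}
	desktop := &IDCopy{Name: "desktop", Password: "winter2013", ModTime: 1}
	laptop := &IDCopy{Name: "laptop", Password: "winter2013", ModTime: 1}

	_ = ChangePassword(desktop, vault, "spring2013", true) // synced at once
	laptopOldPW = Login(laptop, vault, "winter2013", true) // opens, but no sync
	laptopNewPW = Login(laptop, vault, "spring2013", true) // fetches vault copy
	CentralReset(vault, "reset-4711")
	desktopAfterReset = Login(desktop, vault, "reset-4711", true)
	return
}

func main() {
	a, b, c := Scenario()
	fmt.Println("laptop, old password:", a)
	fmt.Println("laptop, new password:", b)
	fmt.Println("desktop after central reset:", c)
}
```

Running it prints the out-of-sync error for the laptop opened with the old password and `<nil>` for the two logins that use the vault's password, which is exactly the behaviour the three sections describe.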
ID Vault Auditor
Extract ID files for an „Auditor“
• Auditor role in the ID Vault ACL
• Requires the Admin client
DEMO
How to prevent it?
• Control the ID Vault ACL
• SECURE_DISABLE_AUDITOR=1 on the ID Vault server
I do not like this function!!! Why not use a trust certificate similar to the password reset certificate?
ID Vault – Makes life easier
Key rollover
Reading encrypted mails on mobile devices
Using iNotes with ID files
Notes Shared Login
Rename without user involvement
ID Vault Integration with „external programs“
Using ID Vault with Traveler, iNotes and Blackberry
ID Vault Integration
Released in 8.5.1
Security Settings document
• Allow Notes-based programs to use the Notes ID Vault: Yes
Provides ID handling and synchronizes changes
• Deploy ID
• Password reset & change
• Rename
Supports Traveler, BlackBerry and iNotes
GOOD does not support provisioning the ID from the ID Vault
ID Vault Integration – „uncovered“
The ID Vault integration stores the ID in a mail file profile document
• ProfileNoteName = "$shimmerid"
• ProfileNoteName = "$rimid"
The ID file in the profile is not a „working“ attachment because it is encrypted
Internal usage
• To create the profile with the C API: SECAttachIdFileToDB – attach an ID file to a profile note and create / overwrite the existing profile
• To use that ID: SECExtractIdFileFromDB – extract an ID file from a profile note
• The current password must be provided
ID Vault Log & Monitoring
ID Vault Log
• Client: log.nsf
• Server: log.nsf
• ddm.nsf: all server error messages
ID Vault – Server Log
Log.nsf – Security Events
• ID Vault creation, ID uploads, ID downloads
• ID extracts
• Password resets
View: Security Events
Typical Log Entries
What is logged when the user changes something in his ID file (such as adding a new document encryption key), triggering a synchronization with the vault?
• Client log: 10/01/2008 02:00:28 PM ID 'C:\Program Files\Lotus\Notes\Data\user.id' successfully synchronized with vault 'O=third' on server 'CN=pm1/O=RECompany' by 'Samantha Daryn/RECompany'.
• Server log: 10/01/2008 02:00:28 PM ID successfully synchronized with vault 'O=third' for 'Samantha Daryn/RECompany' (IP Address 9.33.163.219:1313).
What is logged when the user recovers from a forgotten password by using the new password?
• Client log: 10/01/2008 03:53:32 PM ID 'C:\Program Files\Lotus\Notes\Data\user.id' successfully synchronized with vault 'O=newest' on server 'CN=pm1/O=RECompany' by 'Samantha Daryn/RECompany'.
• Server log: 10/01/2008 03:53:31 PM ID successfully synchronized with vault 'O=newest' for 'Samantha Daryn/RECompany' (IP Address 9.33.164.153:2406).
Typical Log Entries
What is logged when the user lost his ID file, but the Notes client automatically recovers from a lost ID file?
• Client log: 10/01/2008 03:37:36 PM ID 'C:\Program Files\Lotus\Notes\Data\user.id' successfully downloaded from vault 'O=newest' on server 'CN=pm1/O=RECompany' by 'Samantha Daryn/RECompany'.
• Server log: 10/01/2008 03:37:36 PM ID successfully downloaded from vault 'O=newest' by 'Samantha Daryn/RECompany' (IP address 9.33.164.153:2350).
Some log entries are client based only!!
What is logged when a new ID Vault administrator is added?
• Client log: 10/01/2008 02:31:43 PM Adding administrator Joe Blow/RECompany to this vault Joe Blow/RECompany was successfully added.
• Server log: Nothing is logged on the server.
What is logged when an ID Vault administrator is removed?
• Client log: 10/01/2008 02:39:56 PM Adding administrator Joe Blow/RECompany to this vault Joe Blow/RECompany was successfully removed.
• Server log: Nothing is logged on the server. Note: the client log should say "Removing administrator Joe Blow/RECompany from this vault...“
Some log entries are only client based
What is logged when a Password Reset Authority is added?
• Client log: 10/01/2008 03:04:50 PM PasswordReset Authority/RECompany will be able to reset passwords for users in organization /RECompany
• Server log: Nothing is logged on the server.
What is logged when a Password Reset Authority is removed?
• Client log: 10/01/2008 02:44:00 PM PasswordReset Authority/RECompany will no longer be able to reset passwords for users in organization /RECompany
• Server log: Nothing is logged on the server.
ID Vault – Monitoring
Domino Domain Monitoring > ddm.nsf
• All server error messages are reported to the Domino server console
• sh idvault
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/id-vault-logging-for-8.5-faq
ID Vault – Monitoring / Troubleshooting
Domain monitoring: DDM database
ID Vault – Client Monitoring
ID Vault uses the local log.nsf
• Check the Security Events
• A debug setting enables text file logging
ID Vault entries in the client's Notes.ini
• IDVAULT_COUNT1=0
• IDVAULT_STAMP1=13.03.2013 11:49:30
• IDVaultLastServer=CN=Demo Server/O=BCC_AdminTool
• IDVaultLastFlushTime=06.02.2013 20:04:27
ID Vault Security
You have a central ID „inventory“
Security requirements are getting critical
I assume that you already have some basic security concepts in place
• Secure access to the certifier ID files: more than one password!
• Restricted access to the server file system: nobody can simply copy your data directory
2048-bit RSA Vault Operation (VO) key
• Created during the initial setup (based on the vault certifier)
• A single VO key for each ID Vault
The encryption chain
• The ID files in the vault have no password
• Each ID file is encrypted with its own symmetric 256-bit AES storage encryption (SE) key
• Each SE key is encrypted with the VO key
• Check for the field VOKeyName in the person document
• How is the VO key itself encrypted?
How to encrypt the VO key?
The VO key is critical for security
• Decrypt it and you have access to every ID file in the vault
• The ID files in the vault do not have passwords
Symmetric encryption (with a password or any other key) would be one option; ID Vault instead uses the Notes PKI:
• Switch to asymmetric encryption
• The private key that unwraps the VO key is the one in the vault server's ID file
• The encrypted VO key is stored in each vault server's profile document
Server ID is your weak spot!
Protect your server ID with a password!
• IBM recommendation
• Paul Mooney – AdminBlast
ID Vault: Why secure your server ID
IBM recommendation: Securing the server ID file
„We understand that most Domino servers are not password-protected to make unattended reboots simpler, but the vault server's ID file is a key element in the security of your ID vault.“
„..a sophisticated attacker with a vault database and one of the corresponding server IDs ... would have all of the cryptographic information needed to masquerade as the vault server and decrypt all of the ID files stored in the vault.“
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/securing-your-notes-id-vault-server
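The encryption chain from the preceding sections (ID file under its own AES storage key, that key under the VO key, the VO private key usable only with the vault server's private key) together with IBM's warning about a copied vault database plus server ID, as an added Go example using the standard library. It is not Domino's code: the key sizes follow the slides (RSA-2048 VO key, AES-256 per-ID key), but the envelope format, the hybrid wrapping of the VO private key to the server's key, the `Vault` type and the constructed ID contents are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Env is a hybrid envelope: data under a fresh AES-256-GCM key, that key
// wrapped with RSA-OAEP to the recipient's public key. The same shape serves
// both layers of the chain: ID file -> SE key -> VO key, and VO private key
// -> vault server key (assumed format, not Domino's).
type Env struct{ wrappedKey, nonce, ct []byte }

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no CSPRNG: nothing sensible to continue with
	}
	return b
}

func seal(pub *rsa.PublicKey, data []byte) (Env, error) {
	key, nonce := random(32), random(12) // key = the per-object SE key
	block, _ := aes.NewCipher(key)        // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	wk, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return Env{}, err
	}
	return Env{wk, nonce, gcm.Seal(nil, nonce, data, nil)}, nil
}

func open(priv *rsa.PrivateKey, e Env) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, e.wrappedKey, nil)
	if err != nil {
		return nil, err // wrong private key: the SE key stays sealed
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, e.nonce, e.ct, nil)
}

// VaultEntry models one ID vault document: the password-less ID file under
// its own storage encryption key, which is wrapped with the VO public key.
type VaultEntry struct {
	User string
	ID   Env
}

// Vault models the vault database: the entries plus the VO private key,
// stored encrypted to the vault server's public key, so only the private
// key inside that server's ID file can unwrap it.
type Vault struct {
	voPub    *rsa.PublicKey
	Entries  []VaultEntry
	voSealed Env
}

func NewVault(serverPub *rsa.PublicKey) (*Vault, error) {
	voPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	sealed, err := seal(serverPub, x509.MarshalPKCS1PrivateKey(voPriv))
	if err != nil {
		return nil, err
	}
	return &Vault{voPub: &voPriv.PublicKey, voSealed: sealed}, nil
}

// Upload stores a user's ID file (already stripped of its password).
func (v *Vault) Upload(user string, idFile []byte) error {
	e, err := seal(v.voPub, idFile)
	if err == nil {
		v.Entries = append(v.Entries, VaultEntry{user, e})
	}
	return err
}

// ExtractAll walks the whole chain. The vault server does this legitimately;
// whoever copies the vault database and an unprotected server ID can do the
// same, which is the point of IBM's warning quoted above.
func (v *Vault) ExtractAll(serverPriv *rsa.PrivateKey) (map[string][]byte, error) {
	der, err := open(serverPriv, v.voSealed)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap VO key: %w", err)
	}
	voPriv, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil {
		return nil, err
	}
	ids := make(map[string][]byte, len(v.Entries))
	for _, e := range v.Entries {
		id, err := open(voPriv, e.ID)
		if err != nil {
			return nil, err
		}
		ids[e.User] = id
	}
	return ids, nil
}

// Demo builds a vault for one server, stores two constructed IDs and tries
// to extract them with the server's key and with an unrelated key.
func Demo() (ids map[string][]byte, wrongKeyErr error, err error) {
	serverPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	v, err := NewVault(&serverPriv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	v.Upload("Peter Parker/BCC", []byte("constructed ID file of pparker"))
	v.Upload("Samantha Daryn/BCC", []byte("constructed ID file of sdaryn"))
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, wrongKeyErr = v.ExtractAll(other)
	ids, err = v.ExtractAll(serverPriv)
	return ids, wrongKeyErr, err
}

func main() {
	ids, wrongKeyErr, err := Demo()
	fmt.Println("with the vault server's key:", len(ids), "IDs decrypted, err:", err)
	fmt.Println("with an unrelated key:", wrongKeyErr)
}
```

Note what the model makes visible: nothing in the chain depends on a user password, so the only secret standing between a stolen copy of the vault database and every ID in it is the server's private key. A password on the server ID file is what keeps that key from being usable straight from a copied ID file.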
ID Vault: Why secure your ID Vault ACL
Everyone with the Auditor role and an Admin client is able to download ID files from the ID Vault
ACL change?
• Full Access Administrators could do this
• So could server-based script agents
ID Vault document change?
• Resetting the download flag
Preventing unwanted changes in the ID Vault is mandatory
ID Vault: Why secure your log.nsf
ID Vault operations are written to log.nsf
• ID downloads
• ID extracts
Security Events
• ID for „User“ successfully extracted from vault „O=Demo“ by auditor „Admin“ (IP Address)
• ID for „User“ (IP Address .....) in vault O=Demo was not downloaded because the wrong password was supplied
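Detection logic over the security events listed here and in the „Typical Log Entries“ section above, as an added Go example; it is not IBM's or the presenter's code. The patterns for the synchronized, downloaded, password reset and administrator / reset authority entries follow the log excerpts on the slides, while the „extracted“ and „wrong password“ lines are only paraphrased there, so those two patterns, the constructed sample log and the alert thresholds are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is one ID Vault security event parsed from log.nsf text.
type Event struct {
	Kind  string // synchronized, downloaded, reset, extracted, wrongpw, admin_added, admin_removed, pra_added
	User  string // the ID owner / administrator the line is about
	Actor string // who acted (auditor, resetting admin), where the line says so
	IP    string
}

// Patterns in order of precedence. admin_removed comes before admin_added
// because 8.5 logs removals with the same "Adding administrator" wording.
var patterns = []struct {
	kind string
	re   *regexp.Regexp
}{
	{"synchronized", regexp.MustCompile(`ID successfully synchronized with vault '[^']*' for '(?P<user>[^']+)' \(IP [Aa]ddress (?P<ip>[\d.]+):\d+\)`)},
	{"downloaded", regexp.MustCompile(`ID successfully downloaded from vault '[^']*' by '(?P<user>[^']+)' \(IP [Aa]ddress (?P<ip>[\d.]+):\d+\)`)},
	{"reset", regexp.MustCompile(`Password for '(?P<user>[^']+)' with \d+ downloads was reset by '(?P<actor>[^']+)' \(IP [Aa]ddress (?P<ip>[\d.]+):\d+\)`)},
	// the next two are assumed wordings, reconstructed from the slides' paraphrase
	{"extracted", regexp.MustCompile(`ID for '(?P<user>[^']+)' successfully extracted from vault '[^']*' by auditor '(?P<actor>[^']+)' \(IP [Aa]ddress (?P<ip>[\d.]+):\d+\)`)},
	{"wrongpw", regexp.MustCompile(`ID for '(?P<user>[^']+)' \(IP [Aa]ddress (?P<ip>[\d.]+):\d+\) in vault '[^']*' was not downloaded because the wrong password was supplied`)},
	{"admin_removed", regexp.MustCompile(`Adding administrator (?P<user>.+?) to this vault .* was successfully removed`)},
	{"admin_added", regexp.MustCompile(`Adding administrator (?P<user>.+?) to this vault`)},
	{"pra_added", regexp.MustCompile(`(?:AM|PM) (?P<user>.+?) will be able to reset passwords for users in organization`)},
}

// Parse classifies one log line; ok is false for lines that are not vault events.
func Parse(line string) (ev Event, ok bool) {
	for _, p := range patterns {
		m := p.re.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		ev.Kind = p.kind
		for i, name := range p.re.SubexpNames() {
			switch name {
			case "user":
				ev.User = m[i]
			case "actor":
				ev.Actor = m[i]
			case "ip":
				ev.IP = m[i]
			}
		}
		return ev, true
	}
	return Event{}, false
}

// Alerts applies simple review rules: every auditor extract is reportable,
// resets of someone else's ID are reportable, repeated wrong-password
// downloads from one IP look like guessing against the vault, and
// administrator / reset-authority changes exist only in the client log.
func Alerts(lines []string, wrongPwLimit int) []string {
	var out []string
	wrong := map[string]int{}
	for _, l := range lines {
		ev, ok := Parse(l)
		if !ok {
			continue
		}
		switch ev.Kind {
		case "extracted":
			out = append(out, fmt.Sprintf("HIGH: auditor %s extracted the ID of %s from %s", ev.Actor, ev.User, ev.IP))
		case "reset":
			if ev.Actor != ev.User {
				out = append(out, fmt.Sprintf("MEDIUM: %s reset the password of %s from %s", ev.Actor, ev.User, ev.IP))
			}
		case "wrongpw":
			wrong[ev.IP]++
			if wrong[ev.IP] == wrongPwLimit {
				out = append(out, fmt.Sprintf("MEDIUM: %d wrong-password downloads from %s (last user %s)", wrongPwLimit, ev.IP, ev.User))
			}
		case "admin_added", "admin_removed", "pra_added":
			out = append(out, fmt.Sprintf("HIGH: %s: %s (client log only, no server record)", ev.Kind, ev.User))
		}
	}
	return out
}

// SampleLog: constructed lines in the formats shown on the slides.
var SampleLog = []string{
	"10/01/2008 02:00:28 PM ID successfully synchronized with vault 'O=third' for 'Samantha Daryn/RECompany' (IP Address 9.33.163.219:1313).",
	"10/01/2008 03:37:36 PM ID successfully downloaded from vault 'O=newest' by 'Samantha Daryn/RECompany' (IP address 9.33.164.153:2350).",
	"03/13/2013 11:49:30 AM Password for 'Peter Parker/BCC' with 0 downloads was reset by 'Admin Domino/BCCVM' (IP Address 192.168.74.140:1202) from process nserver",
	"03/13/2013 11:50:02 AM ID for 'Peter Parker/BCC' successfully extracted from vault 'O=Demo' by auditor 'Admin Domino/BCCVM' (IP Address 192.168.74.140:1210)",
	"03/13/2013 11:51:10 AM ID for 'Peter Parker/BCC' (IP Address 10.0.0.7:4001) in vault 'O=Demo' was not downloaded because the wrong password was supplied",
	"03/13/2013 11:51:12 AM ID for 'Peter Parker/BCC' (IP Address 10.0.0.7:4002) in vault 'O=Demo' was not downloaded because the wrong password was supplied",
	"03/13/2013 11:51:15 AM ID for 'Peter Parker/BCC' (IP Address 10.0.0.7:4003) in vault 'O=Demo' was not downloaded because the wrong password was supplied",
	"10/01/2008 02:31:43 PM Adding administrator Joe Blow/RECompany to this vault Joe Blow/RECompany was successfully added.",
	"10/01/2008 02:39:56 PM Adding administrator Joe Blow/RECompany to this vault Joe Blow/RECompany was successfully removed.",
	"10/01/2008 03:04:50 PM PasswordReset Authority/RECompany will be able to reset passwords for users in organization /RECompany",
}

func main() {
	fmt.Println(strings.Join(Alerts(SampleLog, 3), "\n"))
}
```

Feed it the Security Events view of a server's log.nsf and, separately, the administrators' client log.nsf: the last three event kinds never reach the server log, which is why the client logs of everyone who can administer the vault need collecting too.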
Password protected server ID file
ID Vault: Security Recommendations
Log database
• Limit access and prevent document deletion / modification
ID Vault database
• Monitor ACL changes (DDM)
• Prevent document changes
Server ID with password
Limit access to the file system to prevent a „private snapshot“ copy
Reset Passwords with ID Vault
What is the best way ?
Password Reset using Admin client
Requires
• Access with the Admin client
• An assigned password reset certificate
• NO access level to the ID Vault database is needed for the password reset
Audit / Log
• Log.nsf Security Events
• „Password for 'Admin Domino/BCCVM' with 0 downloads was reset by 'Admin Domino/BCCVM' (IP Address 192.168.74.140:1202) from process nserver“
Using an application
Self Service Password Resets
Sample Database: pwdResetSample.nsf
Password Reset – Best practices
Send to a trusted person
• Print out the email
• The trusted person has no access to the ID file
Send the password to the user
• As SMS to the mobile phone
• To a private email address
• Requires that you have these data in your „application“
• Tell him on the phone
Secret authentication questions should be provided
Self-service application
• Create a password or let the user enter one
• Check complexity
• Send mail to a defined address
Programming Password Reset -> C API, LotusScript
Password reset
• C API: SECidvResetPassword
• LotusScript, Java:
notesSession.ResetUserPassword( servername, username, password[, downloadcount ] )
• password: new password for username's ID
• downloadcount: if "Allow automatic ID downloads" is set to "No", set the download count (e.g. to 2) so the user can still fetch the ID
Check out the sample database: pwdResetSample.nsf
Programming Password Reset -> Security
The signer of the LotusScript agent and the server ID on which the application is running must hold password reset certificates
Password reset certificates need to be issued with the „programming flag“
Troubleshooting ID Vault
Troubleshooting: Whose ID files have been collected?
IBM ID Vault Database Scanner
• Agent code
• Compares all person entries in your Domino Directory with the vault
• Creates a report about IDs missing from the ID Vault
• http://www-10.lotus.com/ldd/dominowiki.nsf/dx/IBM_Lotus_Notes_ID_Vault_Database_Scannercol_An_overview
Hey IBM: why not include this in the ID Vault template?
Troubleshooting ID Upload
Clear the 'IDVault' entries from 'notes.ini' and restart the client
• The upload is scheduled with a random delay, so wait!
• Check that the user has direct access to an ID Vault server
Check the 'KeyFileName' parameter in 'notes.ini'
• Should be the same as the ID file in use
• „Renaming to user.id might help“
Check that the policy document is assigned to the user
• Check the local personal address book
• Template 8.5.x
• Does the view ($Policies) contain the Security Settings document?
Check that the public keys of the user ID and the certifier ID match
Troubleshooting
Roaming
• An ID stored in the local NAB will interfere with the ID Vault
• IBM provides a utility
ID Vault requires a network connection
The Notes client tries to connect to the first available ID Vault server in the list
• The server name is cached
• (Notes.ini variable IDVaultLastServer)
• Set the ID Vault notes.ini debug variables to capture additional information
Debug Settings for ID Vault
Client: notes.ini
• DEBUG_IDV_TRACE
• DEBUG_IDV_TRUSTCERT
• DEBUG_IDVAULT_SERVER_SELECTION
• Debug_Namelookup=1
• Console_log_enabled=1
Server: notes.ini
• DEBUG_IDV_CONNECT
• DEBUG_IDV_TRUSTCERT
• DEBUG_IDV_UPDATE
• Debug_threadid=1
ID Vault Limitations
Even so, ID Vault is great
No cross-domain vaults are supported
Tightly integrated with policies, even when using the API
Setting up the ID Vault requires the Admin client and manual steps
Working offline can create issues