Lotus Domino Administrator 8 Help - SSL port configuration

SECURITY

SSL port configuration
The SSL protocol always provides an encrypted, integrity-checked, communications channel and authenticated server identity. SSL servers can be optionally configured to request various forms of client identity authentication.

You must enable SSL on a protocol-by-protocol basis. Some Internet protocols do not support client certificate authentication.

To set up a port for SSL authentication, do the following:

1. Configure the port.

2. Determine whether you require users to access the server using only SSL or both SSL and TCP/IP.

If you are using Internet Site documents, you configure most SSL port parameters in the Internet Site document for each protocol. However, you must still configure the following settings in the Server document for each Internet protocol: TCP/IP port and status, SSL port and status. You must also specify whether you want to enforce server access settings for the TCP/IP port of a given protocol.

Using server authentication only

Server authentication encrypts data and authenticates server identity. To control access to databases on the server by user name, set up name-and-password authentication. To enable SSL for server authentication only:

The server must have a certificate from an IBM® Lotus® Domino™ or third-party CA.
The clients must have the server's CA certificate marked as a trusted root. Clients can also trust the SSL server certificate directly, by creating a cross-certificate for it.
If you are using a IBM® Lotus® Notes® client, the Lotus Notes client must have a cross-certificate for the server CA or the SSL server's certificate.

For more information on name-and-password authentication, see the topic Name-and-password authentication for Internet/intranet clients.

Using client certificate authentication

In addition to the security provided by server authentication, client certificate authentication verifies the client's identity through the use of Internet (x.509) client certificates. Using server and client certificate authentication, you can control access to databases by specifying individual client user names in the database ACLs. To enable SSL for client certificate authentication:

Complete the above requirements for server authentication.
The clients must have certificates from a Domino or third-party CA.
The server must have the client's CA certificate marked as a trusted root.
Each client must have a Person document in the Domino Directory that contains the SSL public key from the client certificate.

For more information on setting up client authentication, see SSL and S/MIME for clients.

See also

Setting up SSL on a Domino server

Setting up security for Internet Site documents

Glossary

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Glossary