Lotus Domino Administrator 8 Help - Configuring a port for SSL

SECURITY

Configuring a port for SSL
You can configure a port to use only server authentication or to use both server and client authentication.

If you are using Internet Site documents, see the topic Setting up security for Internet Site documents.

To configure a port for SSL in the Server document

1. From the IBM® Lotus® Domino™ Administrator, click Configuration - Servers, and open the Server document.

2. Click the Ports - Internet Ports tabs.

3. Complete these fields:

Field Enter

SSL key file The file name of the server key ring file that the server uses.
Note Domino does not use this field for IIOP, which uses a separate key ring file. You cannot change the name of the IIOP key ring file.

SSL protocol version Choose one:

V2.0 only to allow only SSL 2.0 connections.
V3.0 handshake to attempt an SSL 3.0 connection. If this fails and the requester detects SSL 2.0, then attempts to connect using SSL 2.0.
V3.0 only to allow only SSL 3.0 connections.
V3.0 and V2.0 handshake to attempt an SSL 3.0 connection, but start with an SSL.2.0 handshake, which displays relevant error messages. Makes an SSL 3.0 connection, if possible.
Negotiated (default) to attempt an SSL 3.0 connection. If it fails, the server attempts to use SSL 2.0. Use this setting unless you are having connection problems caused by incompatible protocol versions.
Note Domino does not use this field for HTTP.

Accept SSL site certificates Choose one:

Yes to allow this server to accept the site certificate and use SSL to access an Internet server, even if the Domino server does not have a certificate in common with the Internet server.
No to not allow this server to accept site certificates.

Accept expired SSL certificates Choose one:

Yes to allow clients to access the server, even if the client certificate is expired.
No to not allow clients to access the server with expired client certificates.

4. Click the tab for the protocol that you want to configure, and then complete these fields:

Field Enter

SSL port number Enter the port number on which Domino listens for SSL requests. You configure this here regardless of whether you are using Internet Sites or the Web Configurations view.
Note If you change the default port number, clients must change their configurations as well. The default port number is usually changed only if a firewall proxy uses the reserved port number.

SSL port status Choose Enabled to allow SSL connections on the port. You configure this here regardless of whether you are using Internet Sites or the Web Configurations view.
Note Since a Domino server can be either an SMTP server or an SMTP client, you have two choices for the SSL port status field. To set up a Domino server as an SSL-enabled SMTP server, choose Enabled in the SMTP Inbound field.

Client certificate Choose one:

No to not use client authentication.
Yes to use client authentication.
Note SMTP and IIOP do not support client authentication.

Name & password Choose one:

No to not use name-and-password authentication.
Yes to use name-and-password authentication.

Anonymous Choose one:

Yes to allow anonymous access. You must choose Yes if you want users to connect using server authentication only.
No to prevent anonymous access.
If you choose Yes for both Anonymous and Client certificate, Domino first tries to authenticate the client. If that fails, Domino tries to connect the user anonymously.
If you choose Yes for Anonymous, Client certificate, and Name & password, Domino first tries to authenticate the client using the client certificate. If that fails, Domino tries to use name-and-password authentication. If that fails, Domino tries to connect the user anonymously.
LDAP must be configured to allow anonymous SSL connections in order to do name lookups.
IMAP, POP3, and SMTP do not support anonymous access.

For information on how Domino authenticates clients when anonymous, client authentication, and name and password are enabled, see the topic Validation and authentication for Internet/intranet clients.

For information on how Domino authenticates clients when anonymous, client authentication, and name and password are enabled, see the chapter "Setting Up Name-and-Password and Anonymous Access to Domino Servers."

See also

SSL port configuration

Glossary

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Glossary

Field	Enter
SSL key file	The file name of the server key ring file that the server uses. Note Domino does not use this field for IIOP, which uses a separate key ring file. You cannot change the name of the IIOP key ring file.
SSL protocol version	Choose one: V2.0 only to allow only SSL 2.0 connections. V3.0 handshake to attempt an SSL 3.0 connection. If this fails and the requester detects SSL 2.0, then attempts to connect using SSL 2.0. V3.0 only to allow only SSL 3.0 connections. V3.0 and V2.0 handshake to attempt an SSL 3.0 connection, but start with an SSL.2.0 handshake, which displays relevant error messages. Makes an SSL 3.0 connection, if possible. Negotiated (default) to attempt an SSL 3.0 connection. If it fails, the server attempts to use SSL 2.0. Use this setting unless you are having connection problems caused by incompatible protocol versions. Note Domino does not use this field for HTTP.
Accept SSL site certificates	Choose one: Yes to allow this server to accept the site certificate and use SSL to access an Internet server, even if the Domino server does not have a certificate in common with the Internet server. No to not allow this server to accept site certificates.
Accept expired SSL certificates	Choose one: Yes to allow clients to access the server, even if the client certificate is expired. No to not allow clients to access the server with expired client certificates.

Field	Enter
SSL port number	Enter the port number on which Domino listens for SSL requests. You configure this here regardless of whether you are using Internet Sites or the Web Configurations view. Note If you change the default port number, clients must change their configurations as well. The default port number is usually changed only if a firewall proxy uses the reserved port number.
SSL port status	Choose Enabled to allow SSL connections on the port. You configure this here regardless of whether you are using Internet Sites or the Web Configurations view. Note Since a Domino server can be either an SMTP server or an SMTP client, you have two choices for the SSL port status field. To set up a Domino server as an SSL-enabled SMTP server, choose Enabled in the SMTP Inbound field.
Client certificate	Choose one: No to not use client authentication. Yes to use client authentication. Note SMTP and IIOP do not support client authentication.
Name & password	Choose one: No to not use name-and-password authentication. Yes to use name-and-password authentication.
Anonymous	Choose one: Yes to allow anonymous access. You must choose Yes if you want users to connect using server authentication only. No to prevent anonymous access. If you choose Yes for both Anonymous and Client certificate, Domino first tries to authenticate the client. If that fails, Domino tries to connect the user anonymously. If you choose Yes for Anonymous, Client certificate, and Name & password, Domino first tries to authenticate the client using the client certificate. If that fails, Domino tries to use name-and-password authentication. If that fails, Domino tries to connect the user anonymously. LDAP must be configured to allow anonymous SSL connections in order to do name lookups. IMAP, POP3, and SMTP do not support anonymous access.