ID Vault - Implementation, Security and Troubleshooting - for IBM Notes and Domino

You want to implement ID Vault? You already have ID Vault up and running but have not yet collected all users' ID files? You need a more detailed understanding of how ID Vault security is implemented and why you should not create new replicas of your ID Vault database? This session gives you a detailed technical understanding of how ID Vault works and which best practices to follow when implementing it. It provides security recommendations and covers how to troubleshoot typical ID Vault situations.

Published in: Technology, Business


  1. MWLUG 2013 – ID Vault: ID Vault Implementation, Security and Troubleshooting. Olaf Boerner, BCC
  2. About @olafboerner: CEO and founder of BCC. Working with Lotus Notes since version 3 in 1993. I work with large enterprise customers as Senior Architect:
     1. to reduce the total cost of ownership of Notes/Domino
     2. to secure and optimize IBM Domino infrastructures
  3. ID Vault history
     • 8.5: initial release
     • 8.5.1: integration with iNotes, Traveler and BlackBerry
     • 8.5.2: C API exposed
     • 8.5.3: Citrix support
     Why so late? Maybe too late!
  4. ID Vault – architecture
     ID Vault server:
     • Domino 8.5 or higher; only the ID Vault server must run 8.5
     • dedicated ID Vault server or home server
     Lotus Notes client:
     • Notes 8.5 or higher, 8.5.3 recommended
     • the client asks its home server for a list of servers that have a replica of the vault
  5. ID Vault architecture: the ID Vault database
     • one database for each ID Vault on a server
     • replicas on ID Vault servers
     • you must use the Admin client; do not just create a replica
     One ID Vault document for each user:
     • the Notes ID as an "attached" file, without password ("authentication data")
     • fields contain download information etc.
     • ID Vault documents are not signed!
     Access to the ID Vault:
     • the Notes client does not have access to the ID Vault
     • nserver.exe acts as an "application proxy"
  6. ID Vault is based on the Notes PKI
     ID Vault uses Notes certificates:
     • ID Vault creates a "vault certifier" (a Notes cross certificate)
     • each ID Vault uses its own vault certifier
     Trust relationships:
     • ID Vault uses cross certification with the current certifier
     • collecting ID files: only with valid cross certification; the ID file's public key must match its certifier
     • password resets: only users with cross certification can reset passwords
     DEMO
  7. ID Vault – core functions
     • ID file provisioning / deployment
     • collect existing ID files
     • synchronize ID files
     • central password reset
     • extract ID files for an "auditor"
  9. ID Vault provisioning / deployment
     Use this feature for initial client setup!
     The user ID must be in the ID Vault database:
     • upload during / after registration
     notes.ini must contain:
     • KeyFileName_Owner=CN=Peter Parker/O=BCC_AdminTool
     If you want a user-specific file name:
     • KEYFILENAME=C:\Lotus Notes\data\pparker.id
  11. Collect existing ID files -> vault policy
     Policies are essential for implementing ID Vault. If you are still not using policies, now you have to! They are signed.
     Security settings document:
     • assign the ID Vault
     • enforce a password change after the password has been reset
     • Allow automatic ID downloads: Yes
     • if No: Allow ID downloads for: x days
     • the security settings document needs to be in the client's personal NAB!
  13. ID Vault: synchronizing ID files
     Changes to a local ID file (Internet certificate, secret encryption key):
     • the Notes client triggers an immediate resynchronization with the ID Vault if it has an online connection
     Other clients check for changes and synchronize:
     • the local ID is checked against the fields IDModHash and IDModTime in the ID Vault document
     • IMPORTANT: the password must be the same
  14. ID Vault: synchronizing passwords
     The user changes the Notes password on the desktop PC:
     • immediate synchronization with the ID Vault
     The user uses a laptop PC at home:
     • he "should" use the new password
     • but he can use the old password, and the ID becomes out of sync
     (Embedded IBM slide "Changing Passwords": 1. the user changes the password on the desktop client, triggering an immediate resynchronization with the ID vault.)
  15. "Two passwords": one in the ID file and one in the vault (source: IBM internal presentation)
  17. Central password reset
     Works in 3 steps:
     1. change the password in the ID Vault
     2. the user uses the ID with the new password
     3. the user needs to use the new password with all his ID files
     A direct online connection is required. For offline support you still need the old recovery key procedure.
  18. Central password reset, again: be careful
     • the user must use the same password for all copies of his ID file
     • if the passwords do not match, the IDs cannot be resynchronized anymore!
     Do not force your users to change the password with central password reset! Password settings are the right tool.
  19. Changing the password: what happens when the user changes the password?
     • the password change is synchronized with the ID Vault immediately if he has an online connection; if not, it is synchronized at the next server connection
     • but he can still use other ID files with the old password
     Example:
     • change the password at your desktop / Citrix client
     • keep working with your old password on your notebook
     • the ID files will not synchronize anymore
  21. ID Vault auditor: extract ID files for an "auditor"
     • Auditor role in the ID Vault ACL
     • requires the Admin client
     DEMO
     How to prevent it?
     • control the ID Vault ACL
     • SECURE_DISABLE_AUDITOR=1 on the ID Vault server
     I do not like this function! Why not use a trust certificate similar to password reset?
  22. ID Vault makes life easier
     • key rollover
     • reading encrypted mails on mobile devices
     • using iNotes with ID files
     • Notes Shared Login
     • rename without user involvement
  23. ID Vault integration with "external programs": using ID Vault with Traveler, iNotes and BlackBerry
  24. ID Vault integration, released in 8.5.1
     Security settings document:
     • Allow Notes-based programs to use the Notes ID Vault: Yes
     Provides ID handling and synchronizes changes:
     • deploy ID
     • password reset & change
     • rename
     Supports Traveler, BlackBerry and iNotes. GOOD does not support provisioning IDs from the ID Vault.
  25. ID Vault integration – "uncovered"
     ID Vault supports a mail file profile:
     • ProfileNoteName = "$shimmerid"
     • ProfileNoteName = "$rimid"
     The ID file is not a "working" attachment due to encryption.
     Internal usage:
     • to create the profile using the C API: SECAttachIdFileToDB attaches an ID file to a profile note and creates / overwrites the existing profile
     • to use that ID: SECExtractIdFileFromDB extracts an ID file from a profile note; the current password must be provided
  26. ID Vault log & monitoring
  27. ID Vault log
     • client: log.nsf
     • server: log.nsf, DDM.nsf (all server error messages), IDVault log
  28. ID Vault – server log: log.nsf, Security Events
     • ID Vault creation, ID upload, ID downloads
     • ID extracts
     • password resets
     (View: Security Events)
  29. Typical log entries
     What is logged when the user changes something in his ID file (such as adding a new document encryption key), triggering a synchronization with the vault?
     • Client log: 10/01/2008 02:00:28 PM ID 'C:\Program Files\Lotus\Notes\Data\user.id' successfully synchronized with vault 'O=third' on server 'CN=pm1/O=RECompany' by 'Samantha Daryn/RECompany'.
     • Server log: 10/01/2008 02:00:28 PM ID successfully synchronized with vault 'O=third' for 'Samantha Daryn/RECompany' (IP Address 9.33.163.219:1313).
     What is logged when the user recovers from a forgotten password by using the new password?
     • Client log: 10/01/2008 03:53:32 PM ID 'C:\Program Files\Lotus\Notes\Data\user.id' successfully synchronized with vault 'O=newest' on server 'CN=pm1/O=RECompany' by 'Samantha Daryn/RECompany'.
     • Server log: 10/01/2008 03:53:31 PM ID successfully synchronized with vault 'O=newest' for 'Samantha Daryn/RECompany' (IP Address 9.33.164.153:2406).
  30. Typical log entries
     What is logged when the user lost his ID file, but the Notes client automatically recovers from the lost ID file?
     • Client log: 10/01/2008 03:37:36 PM ID 'C:\Program Files\Lotus\Notes\Data\user.id' successfully downloaded from vault 'O=newest' on server 'CN=pm1/O=RECompany' by 'Samantha Daryn/RECompany'.
     • Server log: 10/01/2008 03:37:36 PM ID successfully downloaded from vault 'O=newest' by 'Samantha Daryn/RECompany' (IP address 9.33.164.153:2350).
  31. Some log entries are client-based only!
     What is logged when a new ID Vault administrator is added?
     • Client log: 10/01/2008 02:31:43 PM Adding administrator Joe Blow/RECompany to this vault Joe Blow/RECompany was successfully added.
     • Server log: nothing is logged on the server.
     What is logged when an ID Vault administrator is removed?
     • Client log: 10/01/2008 02:39:56 PM Adding administrator Joe Blow/RECompany to this vault Joe Blow/RECompany was successfully removed.
     • Server log: nothing is logged on the server.
     Note: the client log should say "Removing administrator Joe Blow/RECompany from this vault..."
  32. Some log entries are only client-based
     What is logged when a Password Reset Authority is added?
     • Client log: 10/01/2008 03:04:50 PM PasswordReset Authority/RECompany will be able to reset passwords for users in organization /RECompany
     • Server log: nothing is logged on the server.
     What is logged when a Password Reset Authority is removed?
     • Client log: 10/01/2008 02:44:00 PM PasswordReset Authority/RECompany will no longer be able to reset passwords for users in organization /RECompany
     • Server log: nothing is logged on the server.
  33. ID Vault – monitoring
     • Domino Domain Monitoring > ddm.nsf: all server error messages are reported to the Domino server console
     • sh idvault
     • http://www-10.lotus.com/ldd/dominowiki.nsf/dx/id-vault-logging-for-8.5-faq
  34. ID Vault – monitoring / troubleshooting: domain monitoring, DDM database
  35. ID Vault – client monitoring
     ID Vault uses the local log.nsf:
     • check Security Events
     • a debug setting will enable text file logging
     ID Vault client notes.ini entries:
     • IDVAULT_COUNT1=0
     • IDVAULT_STAMP1=13.03.2013 11:49:30
     • IDVaultLastServer=CN=Demo Server/O=BCC_AdminTool
     • IDVaultLastFlushTime=06.02.2013 20:04:27
  36. ID Vault security
  37. ID Vault security
     You have a central ID "inventory", so the security requirements are getting critical. I assume that you already have some basic security concepts in place:
     • secure access to certifier files: more than one password!
     • restricted access to the server file system: the data directory cannot simply be copied
  38. ID Vault security: the 2048-bit RSA Vault Operation (VO) key
     • created during initial setup (based on the vault certifier)
     • a single VO key for each ID Vault
     The encryption chain:
     • ID files have no password
     • each ID file is encrypted with its own symmetric 256-bit AES storage encryption (SE) key
     • each SE key is encrypted with the VO key
     • check the field VOKeyName in the person document
     • how is the VO key encrypted?
  39. How to encrypt the VO key?
     The VO key is important for security:
     • decrypt it and you have access to an ID file
     • ID files do not have passwords
     Until now, symmetric encryption has been used: a password or any other key. Using the Notes PKI:
     • switch to asymmetric encryption
     • the private key is in the server ID
     • stored in each profile document
  40. The server ID is your weak spot! Protect your server ID with passwords!
     • IBM recommendation
     • Paul Mooney – AdminBlast
  41. ID Vault: why secure your server ID
     IBM recommendation: securing the server ID file. "We understand that most Domino servers are not password-protected to make unattended reboots simpler, but the vault server's ID file is a key element in the security of your ID vault." "...a sophisticated attacker with a vault database and one of the corresponding server IDs ... would have all of the cryptographic information needed to masquerade as the vault server and decrypt all of the ID files stored in the vault."
     http://www-10.lotus.com/ldd/dominowiki.nsf/dx/securing-your-notes-id-vault-server
  42. ID Vault: why secure your ID Vault ACL
     Everyone with the Auditor role and an Admin client is able to download ID files from the ID Vault.
     ACL change?
     • Full Access Administrators might do this
     • server-based script agents
     ID Vault document change?
     • resetting the download flag
     Preventing unwanted changes in the ID Vault is mandatory.
  43. ID Vault: why secure your log.nsf
     ID Vault operations are written to log.nsf:
     • download IDs
     • extract IDs
     Security Events:
     • ID for User successfully extracted from Vault "O=Demo" by auditor "Admin" (IP Address)
     • ID for "User" (IP Address ...) in Vault O=Demo was not downloaded because the wrong password was supplied
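The server-side messages quoted on slides 29 to 31 and 43 are the events a security team would actually watch, and since log.nsf is itself a target (slide 43), reviewing these lines outside the server is worthwhile. As an added example (not code from the presentation, from BCC or from IBM), the Python below parses constructed log.nsf lines modelled on those messages and applies three review rules: an ID extract by an auditor, a password reset performed by someone other than the ID's owner, and repeated wrong-password download attempts for one user from one address. The exact wording of the "extracted" and "wrong password" lines, the names, the IP addresses and the threshold of three failures are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the log.nsf messages quoted on the slides.
# Names, IP addresses and the exact wording of the "extracted" and "wrong password"
# lines are assumptions; the last line is unrelated Router noise to show it is ignored.
SAMPLE_LOG = """\
10/01/2008 02:00:28 PM ID successfully synchronized with vault 'O=third' for 'Samantha Daryn/RECompany' (IP Address 9.33.163.219:1313).
10/01/2008 03:37:36 PM ID successfully downloaded from vault 'O=newest' by 'Samantha Daryn/RECompany' (IP address 9.33.164.153:2350).
10/01/2008 03:40:01 PM ID for 'Peter Parker/RECompany' in vault 'O=newest' was not downloaded because the wrong password was supplied (IP Address 9.33.164.153:2351).
10/01/2008 03:40:09 PM ID for 'Peter Parker/RECompany' in vault 'O=newest' was not downloaded because the wrong password was supplied (IP Address 9.33.164.153:2352).
10/01/2008 03:40:15 PM ID for 'Peter Parker/RECompany' in vault 'O=newest' was not downloaded because the wrong password was supplied (IP Address 9.33.164.153:2353).
10/01/2008 04:02:10 PM ID for 'Peter Parker/RECompany' successfully extracted from vault 'O=newest' by auditor 'Joe Blow/RECompany' (IP Address 9.33.160.7:1402).
10/01/2008 04:10:44 PM Password for 'Admin Domino/RECompany' with 0 downloads was reset by 'Admin Domino/RECompany' (IP Address 192.168.74.140:1202) from process nserver
10/01/2008 04:12:03 PM Password for 'Samantha Daryn/RECompany' with 1 downloads was reset by 'Admin Domino/RECompany' (IP Address 192.168.74.140:1203) from process nserver
10/01/2008 04:15:00 PM Router: Message 0012ABCD delivered to Samantha Daryn/RECompany
"""

TS_RE = re.compile(r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)\s+(?P<msg>.*)$")
# The slides show both "IP Address" and "IP address", so match case-insensitively.
IP_RE = re.compile(r"\(IP address (?P<ip>[\d.]+):(?P<port>\d+)\)", re.IGNORECASE)

# One pattern per ID Vault security event; named groups become event fields.
EVENT_PATTERNS = [
    ("sync", re.compile(r"ID successfully synchronized with vault '(?P<vault>[^']+)' for '(?P<user>[^']+)'")),
    ("download", re.compile(r"ID successfully downloaded from vault '(?P<vault>[^']+)' by '(?P<user>[^']+)'")),
    ("download_wrong_password", re.compile(
        r"ID for '(?P<user>[^']+)' in vault '(?P<vault>[^']+)' was not downloaded because the wrong password was supplied")),
    ("extract", re.compile(
        r"ID for '(?P<user>[^']+)' successfully extracted from vault '(?P<vault>[^']+)' by auditor '(?P<actor>[^']+)'")),
    ("password_reset", re.compile(
        r"Password for '(?P<user>[^']+)' with (?P<downloads>\d+) downloads was reset by '(?P<actor>[^']+)'")),
]


def parse_line(line):
    """Return an event dict for an ID Vault security line, or None for any other line."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    for name, pattern in EVENT_PATTERNS:
        hit = pattern.search(msg)
        if hit:
            event = {"ts": m.group("ts"), "event": name, **hit.groupdict()}
            ip = IP_RE.search(msg)
            event["ip"] = ip.group("ip") if ip else None
            if "downloads" in event:
                event["downloads"] = int(event["downloads"])
            return event
    return None


def parse_log(text):
    """Parse every line of a log.nsf export, dropping lines that are not vault events."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def find_alerts(events, wrong_password_threshold=3):
    """Apply the three review rules and return one alert dict per finding."""
    alerts = []
    for e in events:
        if e["event"] == "extract":
            # An auditor pulled a user's ID file out of the vault: always worth a review.
            alerts.append({"rule": "id_extracted", "user": e["user"], "actor": e["actor"], "ip": e["ip"]})
        elif e["event"] == "password_reset" and e["actor"] != e["user"]:
            # Reset done on someone else's ID, i.e. an administrative or application reset.
            alerts.append({"rule": "reset_by_other", "user": e["user"], "actor": e["actor"], "ip": e["ip"]})
    failures = Counter((e["user"], e["ip"]) for e in events if e["event"] == "download_wrong_password")
    for (user, ip), n in failures.items():
        if n >= wrong_password_threshold:
            alerts.append({"rule": "repeated_wrong_password", "user": user, "actor": None, "ip": ip, "count": n})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed input this reports one extract, one reset of another user's ID and one burst of three wrong-password downloads; the client-only events from slides 31 and 32 (administrator and Password Reset Authority changes) never reach the server log, so this kind of review has to be complemented by collecting the clients' log.nsf or by monitoring the vault's ACL and documents directly.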
  44. Password-protected server ID file
  45. ID Vault: security recommendations
     Log database:
     • limit access and prevent document deletion / modification
     ID Vault database:
     • monitor ACL changes (DDM)
     • prevent document changes
     • server ID with password
     • limit access to the file system to prevent a "private snapshot" copy
  46. Reset passwords with ID Vault: what is the best way?
  47. Password reset using the Admin client
  48. Password reset using the Admin client
     Requires:
     • access for the Admin client
     • an assigned password reset certificate
     • NO access level for password reset to the ID Vault
     Audit / log:
     • log.nsf Security Events
     • "Password for 'Admin Domino/BCCVM' with 0 downloads was reset by 'Admin Domino/BCCVM' (IP Address 192.168.74.140:1202) from process nserver"
  49. Using an application
  50. Self-service password resets. Sample database: pwdResetSample.nsf
  51. Password reset – best practices
     Send the password to a trusted person:
     • print out the email
     • no access to the ID file
     Send the password to the user:
     • as an SMS to a mobile phone
     • to a private email address
     • requires that you have these data in your "application"
     Tell him on the phone:
     • secret authentication questions should be provided
     Self-service application:
     • create a password, or the user enters a password
     • check complexity
     • send mail to a defined address
  52. Programming password reset -> C API, LotusScript
     Password reset:
     • C API: SECidvResetPassword
     • LotusScript, Java: notesSession.ResetUserPassword( servername, username, password[, downloadcount ] )
     • password: the new password for username's ID
     • downloadcount: with "Allow automatic ID downloads" set to "No" -> set it to 2
     Check out the sample database: pwdResetSample.nsf
  53. Programming password reset -> security. Signer of the LotusScript agent ... the server ID on which the application is running must ... Password reset certificates need to be issued with the "programming flag" to ...
  54. Troubleshooting ID Vault
  55. Troubleshooting: whose ID files have been collected?
     IBM ID Vault Database Scanner:
     • agent code
     • compares all person entries in your Domino Directory
     • creates a report about IDs missing from the ID Vault
     • http://www-10.lotus.com/ldd/dominowiki.nsf/dx/IBM_Lotus_Notes_ID_Vault_Database_Scannercol_An_overview
     Hey IBM: why not include it in the ID Vault template?
  56. Troubleshooting ID upload
     Clear the 'IDVault' entries from notes.ini and restart:
     • the upload process is carried out in a random manner, so wait!
     • check whether the user has direct access to the ID Vault server
     Check the 'KeyFileName' parameter in notes.ini:
     • it should be the same as the ID file
     • "renaming to user.id might help"
     Check whether the policy document is assigned to the user:
     • check the local personal address book (template 8.5.x)
     • does the view ($Policies) contain the security settings?
     Check whether the public keys of the user ID and the certifier ID match.
  57. Troubleshooting
     Roaming:
     • an ID in the local NAB will interfere with the ID Vault
     • IBM provides a utility
     ID Vault requires a network connection:
     • the Notes client tries to connect to the first available ID Vault server in the list
     • the server name is cached (notes.ini variable IDVaultLastServer)
     • set the ID Vault notes.ini variables to capture additional information
  58. Debug settings for ID Vault
     Client notes.ini:
     • DEBUG_IDV_TRACE
     • DEBUG_IDV_TRUSTCERT
     • DEBUG_IDVAULT_SERVER_SELECTION
     • Debug_Namelookup=1
     • Console_log_enabled=1
     Server notes.ini:
     • DEBUG_IDV_CONNECT
     • DEBUG_IDV_TRUSTCERT
     • DEBUG_IDV_UPDATE
     • Debug_threadid=1
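Slides 56 and 57 describe the client-side checks for a user whose ID never arrives in the vault: clear the IDVault* entries from notes.ini so the client retries, confirm that KeyFileName points at the ID file that is really in use, and make sure KeyFileName_Owner is present for provisioning (slide 9). As an added example (not the presentation's, BCC's or IBM's code), the Python below implements those checks over a constructed notes.ini excerpt modelled on the entries shown on slide 35; the paths, user and server names are made up, and the `exists` hook is a hypothetical parameter that lets the check run without the files being present.

```python
import os

# Constructed notes.ini excerpt modelled on the entries shown on the slides;
# the path, user name and server name are made up.
SAMPLE_NOTES_INI = """\
[Notes]
Directory=C:\\Lotus Notes\\data
KeyFileName=C:\\Lotus Notes\\data\\pparker.id
KeyFileName_Owner=CN=Peter Parker/O=BCC_AdminTool
IDVAULT_COUNT1=0
IDVAULT_STAMP1=13.03.2013 11:49:30
IDVaultLastServer=CN=Demo Server/O=BCC_AdminTool
IDVaultLastFlushTime=06.02.2013 20:04:27
MailServer=CN=Demo Server/O=BCC_AdminTool
"""


def parse_notes_ini(text):
    """Parse key=value lines into a dict; the [Notes] header and blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def ini_get(settings, name):
    """notes.ini keys are case-insensitive, so look the name up without regard to case."""
    return next((v for k, v in settings.items() if k.lower() == name.lower()), None)


def idvault_entries(settings):
    """All entries the client writes for ID Vault (IDVAULT_* and IDVault*)."""
    return {k: v for k, v in settings.items() if k.upper().startswith("IDVAULT")}


def check_keyfile(settings, exists=os.path.exists):
    """Findings for the KeyFileName checks from the troubleshooting slide; empty list means OK."""
    findings = []
    keyfile = ini_get(settings, "KeyFileName")
    if not keyfile:
        findings.append("KeyFileName is missing from notes.ini")
    elif not exists(keyfile):
        findings.append("KeyFileName points to a file that was not found: " + keyfile)
    if not ini_get(settings, "KeyFileName_Owner"):
        findings.append("KeyFileName_Owner is missing; ID provisioning from the vault needs it")
    return findings


def strip_idvault_entries(text):
    """Return the notes.ini content with every IDVault* line removed; all other lines untouched."""
    kept = []
    for raw in text.splitlines():
        key = raw.split("=", 1)[0].strip()
        if "=" in raw and key.upper().startswith("IDVAULT"):
            continue  # dropped so the client rebuilds its vault state on the next start
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    settings = parse_notes_ini(SAMPLE_NOTES_INI)
    print("ID Vault entries:", idvault_entries(settings))
    print("KeyFileName findings:", check_keyfile(settings))
    print(strip_idvault_entries(SAMPLE_NOTES_INI))
```

The stripped content is returned rather than written back so that the real notes.ini is only replaced after the Notes client has been shut down, as the slide's "and restart" implies; the file name the user actually opens (the one in KeyFileName) is what has to match the ID uploaded to the vault.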
  59. ID Vault limitations (however, ID Vault is great)
     • no cross-domain vaults are supported
     • tightly integrated with policies, even when using the API
     • setting up ID Vault requires the Admin client and manual steps
     • working offline can create issues
  60. BCC, Olaf Boerner, olaf_boerner@bcc.biz. Thank you!
