@Lotusevangelist keith@b2bwhisperer.com
SEC107
Yes, It's #1 on the List, it's TOTP!
(Time-Based One-Time Password)
Keith Brooks
CEO - B2B Whisperer
@Lotusevangelist Keith@b2bwhisperer.com
Please Interact with and Thank Our Sponsors
Keith Brooks
CEO B2B Whisperer
keith@b2bwhisperer.com
HCL Ambassador, IBM Champion
Dabbling in Notes & Domino Administration for 30 years
Really miss Quickr & Domino.Doc
Blog: https://blog.vanessabrooks.com
Twitter: @Lotusevangelist
HUGE Thank You to HCL Support
Rajib
Sooraj P
Neha Bansal
Without their help and patience with me and my client's issues, some of this session would not be so helpful.
https://keepcalms.com/p/thank-you-for-everything-and-sorry-for-my-mistakes/
The Plan For Today
• What is this MFA thing? And why you might need it
• TOTP Planning and Prerequisites
• How do we configure TOTP
• Troubleshooting when the TOTP configuration does not work
• User instructions to setup TOTP on their end
• Managing Your TOTP Environment
• Resetting a User’s TOTP Details
• Extra Credit: Customizing the TOTP Form Login Pages
• Links for Everything
What is this MFA Thing?
– MFA (Multi-Factor Authentication)
– OTP (One-Time Password)
– HOTP/HMAC OTP (Hash-Based Message Authentication Code/Counter)
– TOTP (Time-Based One-Time Password)
• Is SSO a form of MFA?
• Are Notes ID files a form of MFA?
• Is SSO really a secure idea?
• Why do you, or your customers, need TOTP?
Planning is a MUST
• iNotes is the most common TOTP requirement
– The iNotes Redirector works with TOTP
• Web applications are also a top TOTP requirement
• What if you also have Traveler/Verse users?
– https://help.hcltechsw.com/traveler/12.0.0/mobile_support_totp.html
• You may need some secondary domains (Internet Site Documents) because Traveler users will not want to log in every time to check their mail.
Prerequisites
• Users’ IDs need to be in an ID Vault that is set up and working
• Server must be R12
– Mail templates do not need to be on R12, but should be if possible
• Need a cert.id file accessible in the server Data directory
– If putting it there now, you may need to restart the server to recognize it properly
• SSL should be enabled; most companies have done this, and if you have not, creating SSL certificates is included in R12 for free*
Configuration Step 1
• Go to the server console (easier from the Admin client) and type:
– mfamgmt create trustcert */O=domain cert.id certpassword
• Replicate the Directory across your domain
• In the Directory, check the Certificates view for a Multi-Factor Authentication Certificate section
– From a server console type: show idvault
– Look for the following:
• Administration Server: DOM1/Domain
• /DOMAIN trusts this vault
• /Domain trusts /Domain for MFA
Example console output:
COMMAND SENT: sh idvault
ID Vault /VBI_ID (IBM_ID_VAULTVBI_ID.nsf)
Vault Name: /VBI_ID
Description: VBI ID Vault
Administrators: Keith Brooks/VBI
Servers: Music/Server/VBI
Administration Server: Music/Server/VBI
/VBI trusts this vault
/VBI trusts /VBI for MFA
Setting VBI_IDVaultSetting uses this vault
Configuration Step 2
1. From the Admin client, open the Configuration tab
2. Go to the Messaging section
3. Open the default Configuration Settings document or the server-specific one that will handle the TOTP
4. Open the Security tab
5. Configure the MFA options (see next screen for example)
6. Save the page and close it
[Screenshot: the MFA options on the Security tab of the Configuration Settings document. Callouts: the HMAC-SHA1 setting supports Google, PingID, Authy, Duo and Microsoft authenticators; the number of devices covers, for example, PC, phone and iPad.]
Configuration - Step 3 (Web Site Document)
1. From the Directory go to Configuration - Web - Internet Sites
2. In the web site document go to the Domino Web Engine tab
3. Set Session Authentication to Single Server
4. Go to the Configuration tab
5. In the Domino Access Services section select TOTP from the drop down
6. In the Allowed Methods section, you must check Delete and Put
7. Go to the Security tab
8. Select the TOTP option in both the Name and Password fields
9. Save your changes
Configuration Step 4A (Secure Mail Operations)
Note: When you enable this feature, the ability for iNotes users to upload and download their IDs to and from the vault is disabled.
– Open the Security Settings Policy document and click the ID Vault tab.
– In the section TOTP-based ID Downloads, select Yes in the Allow TOTP authentication with the ID vault field.
– To allow web users who do not use TOTP to continue to download their Notes IDs for secure mail operations, select Yes in the Allow password authentication with the ID vault field.
– To require that all web users use TOTP in order to download their Notes IDs, select No.
Configuration Step 4B (Secure Mail Operations)
In the vault Configuration document of the idvault.nsf (IBM_ID_Vault folder), specify the servers that use the ID vault and are enabled for TOTP and secure mail operations.
– Open the vault database.
– Open the Configuration document.
– In the TOTP authenticated vault login section, specify all of the Domino web mail server names in the Trusted servers field.
Configuration Step 5A (The TOTP Login Form)
NOTE: If you have a domcfg file, you can skip this and go to the next page
How to Create the Domino Web Server Configuration database (DOMCFG.NSF):
1. From the Domino Administrator choose File > Application > New
2. Enter the name of the Web server in the Server field
3. Select Show Advanced Templates
4. Select the Domino Web Server Configuration template (DOMCFG5.NTF)
5. Enter a Title for the database
6. For the File name field, you MUST enter DOMCFG.NSF
7. Click OK
Configuration Step 5B (The TOTP Login Form)
Need to specify the $$LoginUserFormMFA as the log-in form:
1. Open the DOMCFG.NSF and open the Sign In Form Mappings view.
2. Click Add Mapping.
3. Under Site Information, choose either All Web Sites/Entire Server (to use the custom log-in form for all Web Sites on the server, or for the entire Web server) or Specific Web Sites/Virtual Servers (to map the custom log-in form to specific Web Site documents or Virtual Servers).
4. Under Form Mapping, for Target Database specify DOMCFG.NSF.
5. For Target Form, specify $$LoginUserFormMFA.
Configuration Step 5C (ACL and Restart)
Make sure you set the ACL properly for the domcfg.nsf, and then restart your server.
Notes.ini – Optional Settings
These require a server restart.

TOTP_STEPSIZE=seconds
How long, in seconds, a TOTP token is valid. Without the setting, tokens are valid for 30 seconds before they expire. If you feel your users require more time, this is where you change the default.
NOTE: Not all TOTP applications honor this setting.

TOTP_TIMESKEW_STEPS=TOTP_STEPSIZE factor
Additional time allowed to accommodate time differences between the ID vault server and the user devices. Specify the TOTP_STEPSIZE factor to add before and after the TOTP_STEPSIZE. By default, the value is a factor of 1, meaning that, assuming the default TOTP_STEPSIZE value of 30 seconds, an allowance of 30 seconds is added before and after.

ENABLE_IDV_CROSSDOMAIN_AUTHENTICATION=1
If you need DA cross-domain lookup support, add this one. If directory assistance is configured for cross-domain directory lookups, add this notes.ini setting to your Domino servers. Then, when a user accesses a Domino server and the user is registered in a secondary domain, the server is able to access the ID vault in the secondary domain to manage TOTP authentication.

DEBUG_TOTP=2
DEBUG_IDV_TOTP_TRANS=1
DEBUG_IDV_TRUSTCERT=1
To help troubleshoot TOTP problems, use these settings to enable debug logging in console.log. Very detailed info to help you.
How to put ID Files in the ID Vault
The most common way: once the ID Vault is running, the IDs go there automatically when created or recertified.
But what if you already have 1,000s of people registered and have only now created the ID Vault?
The process is a mix of registering users via a .txt file coupled with some automatic settings.
Due to time constraints, I have provided links to blog posts from myself and Ales Lichtenberg that explain how to do this; they can be found at the end of this presentation.
Unable to Upload ID Files
If you do not see “Upload ID Files to ID Vault” when you right click on a user in the Directory, or when selecting Actions from the menu bar, you may have a “no update” People view customization in your directory.
One way to fix this: open your Directory in the Designer client, find the People view and, in the Properties – Design box below, uncheck “Prohibit design refresh or replace to modify”.
ID Vault Creation Error
If you see this message your ID Vault was not properly set up.
1. Delete the Vault Trust and Multi-Factor certificates in the Security - Certificates section of the Directory
2. Then recreate the ID Vault and run the mfamgmt command again
Another ID Vault Error Message
This points to ID Vault corruption.
1. Delete the Vault Trust and Multi-Factor certificates in the Security - Certificates section of the Directory
2. Then recreate the ID Vault and then run the mfamgmt command
If The MFA Is Not Allowing User Setup
• You may see the login page that is preset in the domcfg.nsf
• But it may not take you to the setup after you try to login with your name and password
• Or if you try to click on MFA it will not do anything
• This means you may have to redo the console command: mfamgmt create trustcert
• And/or you may need to say NO in the Configuration document where it asks “Allow TOTP authentication with the ID vault field”
How Users Set up TOTP
• Users need to install on their device one of the common authenticator applications
– Duo, Google, Microsoft, Authy, PingID, etc.
• Go to the Login page with the TOTP and then login as usual
• The system will bring them to the MFA setup
• The user enters a name for the account and then scans the bar code shown on the screen or enters the code into their Authenticator
• Afterwards they enter the code from the Authenticator
• They receive scratch codes for emergencies, then select Done
• They login as usual, but now include the authenticator code
Managing TOTP
Your friends, while testing, and afterwards:
1. The Internet Password Lockout database
2. The ID Vault database
• Users lock themselves out and you will need to clear them from the lockout database
• The ID Vault database can tell you who has setup TOTP and more details
Resetting the User’s TOTP
You MUST log on as a vault administrator and then use one of these two options to reset a user's TOTP details:
• From the Vault database
– In the Vault Users view, select a user
– Select from the Actions menu “Reset TOTP Items”
• From the Domino Administrator client, People & Groups tab
– Select Tools then ID Vaults
– Select the person document in question
– Select Reset TOTP Configuration
Customizing the Login Page Graphic
1. Open the DOMCFG5.NTF file in the Designer client
2. Go to Resources - Images
3. Export the MFASetup1.png file to your PC and open it in your graphic editor
4. Add your company logo or any text on the LEFT side of the graphic, about an inch or 2 away from the border
5. Save the file to your local desktop using a different # (MFASetup2.png)
6. Upload the file by clicking “Import Image Resource” from the Designer Client
7. Rename the original to #3
8. Change the original Alias in Basic properties to #3 as well
9. Rename the uploaded file to MFASetup1.png
10. Set the alias in the Properties - Basics box to MFASetup1.png also
11. Save your changes, replace the domcfg.nsf design and then refresh your login page
Customizing the Login Page TEXT
One client asked to remove the HCL Domino from being displayed.
A different client asked for us to move it.
• To edit the login form, open the Designer client
• Open domcfg5.NTF
• Go to the Forms list and open $$LoginUserFormMFA
• Edit the HTML
• Replace the domcfg.NSF design
• Refresh your browser
• Remember to test it!
– It may not appear where you think, or how you expect it to be seen, if you are adding text
Official Documentation and Links
• https://help.hcltechsw.com/domino/12.0.0/admin/conf_totp_overview.html
• https://help.hcltechsw.com/domino/12.0.0/admin/conf_totp_configuring.html
• https://help.hcltechsw.com/domino/12.0.0/admin/conf_totp_how_users_setup_totp.html
• https://help.hcltechsw.com/domino/12.0.0/admin/conf_totp_resetting_users_secret_keys.html
• https://blog.vanessabrooks.com/2021/10/sntt-changing-some-but-not-all-users.html
• https://help.hcltechsw.com/domino/12.0.0/admin/conf_registeringusersfromatextfile_t.html?hl=registering%2Cusers%2Ctext%2Cfile
• https://help.hcltechsw.com/traveler/12.0.0/mobile_support_totp.html
• https://blog.vanessabrooks.com/2021/10/sntt-totp-needs-id-file-in-id-vault-to.html
• https://blog.vanessabrooks.com/2010/06/id-registration-via-text-file.html
• https://alichtenberg.cz/how-to-register-notes-users-from-a-file/
@Lotusevangelist keith@b2bwhisperer.com

More Related Content

What's hot

Die ultimative Anleitung für HCL Nomad Web Administratoren
Die ultimative Anleitung für HCL Nomad Web AdministratorenDie ultimative Anleitung für HCL Nomad Web Administratoren
Die ultimative Anleitung für HCL Nomad Web Administratoren
panagenda
 
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-ServerBewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
panagenda
 
The View - Lotusscript coding best practices
The View - Lotusscript coding best practicesThe View - Lotusscript coding best practices
The View - Lotusscript coding best practices
Bill Buchan
 

What's hot (20)

HCL Domino V12 Key Security Features Overview
HCL Domino V12 Key Security Features Overview HCL Domino V12 Key Security Features Overview
HCL Domino V12 Key Security Features Overview
 
HCL Sametime V11 installation - tips
HCL Sametime V11 installation - tipsHCL Sametime V11 installation - tips
HCL Sametime V11 installation - tips
 
How to fix ‘database is corrupt: cannot allocate space’ error in lotus notes
How to fix ‘database is corrupt: cannot allocate space’ error in lotus notesHow to fix ‘database is corrupt: cannot allocate space’ error in lotus notes
How to fix ‘database is corrupt: cannot allocate space’ error in lotus notes
 
Best Practice TLS for IBM Domino
Best Practice TLS for IBM DominoBest Practice TLS for IBM Domino
Best Practice TLS for IBM Domino
 
60 Admin Tips
60 Admin Tips60 Admin Tips
60 Admin Tips
 
INF107 - Integrating HCL Domino and Microsoft 365
INF107 - Integrating HCL Domino and Microsoft 365INF107 - Integrating HCL Domino and Microsoft 365
INF107 - Integrating HCL Domino and Microsoft 365
 
Bp101-Can Domino Be Hacked
Bp101-Can Domino Be HackedBp101-Can Domino Be Hacked
Bp101-Can Domino Be Hacked
 
Enable Domino Data Access Services (DAS)
Enable Domino Data Access Services (DAS)Enable Domino Data Access Services (DAS)
Enable Domino Data Access Services (DAS)
 
IBM Lotus Domino Domain Monitoring (DDM)
IBM Lotus Domino Domain Monitoring (DDM)IBM Lotus Domino Domain Monitoring (DDM)
IBM Lotus Domino Domain Monitoring (DDM)
 
HTTP - The Other Face Of Domino
HTTP - The Other Face Of DominoHTTP - The Other Face Of Domino
HTTP - The Other Face Of Domino
 
HCL Sametime 12.0 – Converting from native Domino Directory to LDAP and Migra...
HCL Sametime 12.0 – Converting from native Domino Directory to LDAP and Migra...HCL Sametime 12.0 – Converting from native Domino Directory to LDAP and Migra...
HCL Sametime 12.0 – Converting from native Domino Directory to LDAP and Migra...
 
Domino Administration Wizardry - Dark Arts Edition
Domino Administration Wizardry - Dark Arts EditionDomino Administration Wizardry - Dark Arts Edition
Domino Administration Wizardry - Dark Arts Edition
 
Die ultimative Anleitung für HCL Nomad Web Administratoren
Die ultimative Anleitung für HCL Nomad Web AdministratorenDie ultimative Anleitung für HCL Nomad Web Administratoren
Die ultimative Anleitung für HCL Nomad Web Administratoren
 
Domino Tech School - Upgrading to Notes/Domino V10: Best Practices
Domino Tech School - Upgrading to Notes/Domino V10: Best PracticesDomino Tech School - Upgrading to Notes/Domino V10: Best Practices
Domino Tech School - Upgrading to Notes/Domino V10: Best Practices
 
Engage2022 - Domino Admin Tips
Engage2022 - Domino Admin TipsEngage2022 - Domino Admin Tips
Engage2022 - Domino Admin Tips
 
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-ServerBewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
Bewährte Praktiken für HCL Notes/Domino-Sicherheit. Teil 2: Der Domino-Server
 
Domino Adminblast
Domino AdminblastDomino Adminblast
Domino Adminblast
 
The View - Lotusscript coding best practices
The View - Lotusscript coding best practicesThe View - Lotusscript coding best practices
The View - Lotusscript coding best practices
 
IBM Domino / IBM Notes Performance Tuning
IBM Domino / IBM Notes Performance Tuning IBM Domino / IBM Notes Performance Tuning
IBM Domino / IBM Notes Performance Tuning
 
April, 2021 OpenNTF Webinar - Domino Administration Best Practices
April, 2021 OpenNTF Webinar - Domino Administration Best PracticesApril, 2021 OpenNTF Webinar - Domino Administration Best Practices
April, 2021 OpenNTF Webinar - Domino Administration Best Practices
 

Similar to Yes, It's Number One it's TOTP!

Deploying DAOS and ID Vault
Deploying DAOS and ID VaultDeploying DAOS and ID Vault
Deploying DAOS and ID Vault
Luis Guirigay
 
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)Implementing Your Full Stack App with MongoDB Stitch (Tutorial)
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)
MongoDB
 
SH 2 - SES 1 - Stitch_Workshop_TLV.pptx
SH 2 - SES 1 - Stitch_Workshop_TLV.pptxSH 2 - SES 1 - Stitch_Workshop_TLV.pptx
SH 2 - SES 1 - Stitch_Workshop_TLV.pptx
MongoDB
 
I notes and sametime integration open mic_2013
I notes and sametime integration open mic_2013I notes and sametime integration open mic_2013
I notes and sametime integration open mic_2013
Ranjit Rai
 
"Running CF in a Shared Hosting Environment"
"Running CF in a Shared Hosting Environment""Running CF in a Shared Hosting Environment"
"Running CF in a Shared Hosting Environment"
webhostingguy
 
Creating child-domain-controller-windows-server-8
Creating child-domain-controller-windows-server-8Creating child-domain-controller-windows-server-8
Creating child-domain-controller-windows-server-8
Le Thi
 

Similar to Yes, It's Number One it's TOTP! (20)

Deploying DAOS and ID Vault
Deploying DAOS and ID VaultDeploying DAOS and ID Vault
Deploying DAOS and ID Vault
 
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)Implementing Your Full Stack App with MongoDB Stitch (Tutorial)
Implementing Your Full Stack App with MongoDB Stitch (Tutorial)
 
October OpenNTF Webinar - What we like about Domino/Notes 12, recommended new...
October OpenNTF Webinar - What we like about Domino/Notes 12, recommended new...October OpenNTF Webinar - What we like about Domino/Notes 12, recommended new...
October OpenNTF Webinar - What we like about Domino/Notes 12, recommended new...
 
SH 2 - SES 1 - Stitch_Workshop_TLV.pptx
SH 2 - SES 1 - Stitch_Workshop_TLV.pptxSH 2 - SES 1 - Stitch_Workshop_TLV.pptx
SH 2 - SES 1 - Stitch_Workshop_TLV.pptx
 
ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What...
ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What...ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What...
ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What...
 
I notes and sametime integration open mic_2013
I notes and sametime integration open mic_2013I notes and sametime integration open mic_2013
I notes and sametime integration open mic_2013
 
Microsoft Lync Server 2010 Installation
Microsoft Lync Server 2010 InstallationMicrosoft Lync Server 2010 Installation
Microsoft Lync Server 2010 Installation
 
190 957
190 957190 957
190 957
 
190 982
190 982190 982
190 982
 
Buzzient oracle crmod_integration
Buzzient oracle crmod_integrationBuzzient oracle crmod_integration
Buzzient oracle crmod_integration
 
"Running CF in a Shared Hosting Environment"
"Running CF in a Shared Hosting Environment""Running CF in a Shared Hosting Environment"
"Running CF in a Shared Hosting Environment"
 
Your notes DNA
Your notes DNAYour notes DNA
Your notes DNA
 
190 956
190 956190 956
190 956
 
Creating child-domain-controller-windows-server-8
Creating child-domain-controller-windows-server-8Creating child-domain-controller-windows-server-8
Creating child-domain-controller-windows-server-8
 
Lug
LugLug
Lug
 
Microsoft dynamics crm 2011 installation
Microsoft dynamics crm 2011 installation Microsoft dynamics crm 2011 installation
Microsoft dynamics crm 2011 installation
 
Sage CRM 2021r1 Release Notes
Sage CRM 2021r1 Release NotesSage CRM 2021r1 Release Notes
Sage CRM 2021r1 Release Notes
 
190 622
190 622190 622
190 622
 
Increase Salesforce Performance using Platform Cache Demo
Increase Salesforce Performance using Platform Cache DemoIncrease Salesforce Performance using Platform Cache Demo
Increase Salesforce Performance using Platform Cache Demo
 
Team lab install_en
Team lab install_enTeam lab install_en
Team lab install_en
 

More from Keith Brooks

More from Keith Brooks (20)

Hacking Administrators
Hacking AdministratorsHacking Administrators
Hacking Administrators
 
Modernizing Rooms and Resources Functionality
Modernizing Rooms and Resources FunctionalityModernizing Rooms and Resources Functionality
Modernizing Rooms and Resources Functionality
 
Shoot me NOW! The Life and Death of an O365 Admin and User
Shoot me NOW! The Life and Death of an O365 Admin and UserShoot me NOW! The Life and Death of an O365 Admin and User
Shoot me NOW! The Life and Death of an O365 Admin and User
 
To Home, To Work, To Home, To Collabsphere!
To Home, To Work, To Home, To Collabsphere!To Home, To Work, To Home, To Collabsphere!
To Home, To Work, To Home, To Collabsphere!
 
Decks Matter, And Other startup Font Tales
Decks Matter, And Other startup Font TalesDecks Matter, And Other startup Font Tales
Decks Matter, And Other startup Font Tales
 
Admin Hacks for Users and Admins Sanity
Admin Hacks for Users and Admins SanityAdmin Hacks for Users and Admins Sanity
Admin Hacks for Users and Admins Sanity
 
ISBG / NCUG Why Didn't Anyone Tell Me Notes Could Do That
ISBG / NCUG Why Didn't Anyone Tell Me Notes Could Do ThatISBG / NCUG Why Didn't Anyone Tell Me Notes Could Do That
ISBG / NCUG Why Didn't Anyone Tell Me Notes Could Do That
 
Why This Global Law Firm Does Not Miss Deadlines
Why This Global Law Firm Does Not Miss DeadlinesWhy This Global Law Firm Does Not Miss Deadlines
Why This Global Law Firm Does Not Miss Deadlines
 
Shout IT Out loud
Shout IT Out loudShout IT Out loud
Shout IT Out loud
 
Pointing Fingers? DDM to the Rescue
Pointing Fingers? DDM to the RescuePointing Fingers? DDM to the Rescue
Pointing Fingers? DDM to the Rescue
 
Breaking the Unwritten Rules to Help Your Users
Breaking the Unwritten Rules to Help Your UsersBreaking the Unwritten Rules to Help Your Users
Breaking the Unwritten Rules to Help Your Users
 
I'm a LEGO Man Living in a Duplo World
I'm a LEGO Man Living in a Duplo WorldI'm a LEGO Man Living in a Duplo World
I'm a LEGO Man Living in a Duplo World
 
Presentation on Soft Skills, Hard Skills, Body Language and More
Presentation on Soft Skills, Hard Skills, Body Language and MorePresentation on Soft Skills, Hard Skills, Body Language and More
Presentation on Soft Skills, Hard Skills, Body Language and More
 
Faster Translations Start With A Faster Computer
Faster Translations Start With A Faster ComputerFaster Translations Start With A Faster Computer
Faster Translations Start With A Faster Computer
 
IBM Sametime 9 Installation Woes and Proactive Repairs by Keith Brooks
IBM Sametime 9 Installation Woes and Proactive Repairs by Keith BrooksIBM Sametime 9 Installation Woes and Proactive Repairs by Keith Brooks
IBM Sametime 9 Installation Woes and Proactive Repairs by Keith Brooks
 
One Firm's Wild Ride to The Cloud
One Firm's Wild Ride to The CloudOne Firm's Wild Ride to The Cloud
One Firm's Wild Ride to The Cloud
 
18+ Ways To Help Clients Love You
18+ Ways To Help Clients Love You18+ Ways To Help Clients Love You
18+ Ways To Help Clients Love You
 
Advanced Backups
Advanced BackupsAdvanced Backups
Advanced Backups
 
What were you thinking? Worst Translation Practices
What were you thinking? Worst Translation PracticesWhat were you thinking? Worst Translation Practices
What were you thinking? Worst Translation Practices
 
My Dog Ate My Translation Assignment
My Dog Ate My Translation AssignmentMy Dog Ate My Translation Assignment
My Dog Ate My Translation Assignment
 

Recently uploaded

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 

Recently uploaded (20)

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 

Yes, It's Number One it's TOTP!

  • 1. @Lotusevangelist keith@b2bwhisperer.com
    SEC107 Yes, It's #1 on the List, it's TOTP! (Time-Based One-Time Password)
    Keith Brooks, CEO - B2B Whisperer, @Lotusevangelist, Keith@b2bwhisperer.com
  • 3. Keith Brooks, CEO B2B Whisperer, keith@b2bwhisperer.com
    HCL Ambassador, IBM Champion
    Dabbling in Notes & Domino Administration for 30 years
    Really miss Quickr & Domino.Doc
    Blog: https://blog.vanessabrooks.com
    Twitter: @Lotusevangelist
  • 4. HUGE Thank You to HCL Support: Rajib, Sooraj P, Neha Bansal
    Without their help, and patience, with me, and my client's issues, some of this session would not be so helpful
    https://keepcalms.com/p/thank-you-for-everything-and-sorry-for-my-mistakes/
  • 5. The Plan For Today
    – What is this MFA thing? And why you might need it
    – TOTP Planning and Prerequisites
    – How do we configure TOTP
    – Troubleshooting when the TOTP configuration does not work
    – User instructions to set up TOTP on their end
    – Managing Your TOTP Environment
    – Resetting a User's TOTP Details
    – Extra Credit: Customizing the TOTP Form Login Pages
    – Links for Everything
  • 6. What is this MFA Thing?
    – MFA (Multi-Factor Authentication)
    – OTP (One Time Password)
    – HOTP/HMAC OTP (Hash-Based Message Authentication Code/Counter)
    – TOTP (Time-Based One-Time Password)
    • Is SSO a form of MFA?
    • Are Notes ID files a form of MFA?
    • Is SSO really a secure idea?
    • Why do you, or your customers, need TOTP?
  • 7. Planning is a MUST
    • iNotes is the most common TOTP requirement
      – iNotes Redirector works with TOTP
    • Web applications also are a top TOTP requirement
    • What if you also have Traveler/Verse users?
      – https://help.hcltechsw.com/traveler/12.0.0/mobile_support_totp.html
    • You may need some secondary domains (Internet Site Documents) because Traveler users will not want to log in every time to check their mail.
  • 8. Prerequisites
    • Users' IDs need to be in an ID Vault that is set up and working
    • Server must be R12
      – Mail templates do not need to be on R12, but should be if possible
    • Need a cert.id file accessible in the server Data directory
      – If putting it there now, you may need to restart the server to recognize it properly
    • SSL should be enabled; most companies have done this. If you have not, creating SSL certificates is included in R12 for free*
  • 9. Configuration Step 1
    • Go to the server console (easier from the Admin client) and type:
      – mfamgmt create trustcert */O=domain cert.id certpassword
    • Replicate the Directory across your domain
    • In the Directory, check the Certificates view for a Multi-Factor Authentication Certificate section
      – From a server console type: show idvault
      – Look for the following:
        • Administration Server: DOM1/Domain
        • /DOMAIN trusts this vault
        • /Domain trusts /Domain for MFA
    Example console output:
      COMMAND SENT: sh idvault
      ID Vault /VBI_ID (IBM_ID_VAULTVBI_ID.nsf)
      Vault Name: /VBI_ID
      Description: VBI ID Vault
      Administrators: Keith Brooks/VBI
      Servers: Music/Server/VBI
      Administration Server: Music/Server/VBI
      /VBI trusts this vault
      /VBI trusts /VBI for MFA
      Setting VBI_IDVaultSetting uses this vault
  • 10. Configuration Step 2
    1. From the Admin client, open the Configuration tab
    2. Go to the Messaging section
    3. Open the default Configuration Settings document or the server-specific one that will handle the TOTP
    4. Open the Security tab
    5. Configure the MFA options (see next screen for example)
    6. Save the page and close it
  • 11. MFA options (example screen callouts): "This supports Google, PingID, Authy, Duo, Microsoft" / "use HMAC-SHA1" / "# of Devices: pc, phone, ipad" / "Select this"
  • 12. Configuration - Step 3 (Web Site Document)
    – From the Directory go to Configuration - Web - Internet Sites
    – In the web site document go to the Domino Web Engine tab
    – Set Session Authentication to Single Server
    – Go to the Configuration tab
    – In the Domino Access Services section select TOTP from the drop down
    – In the Allowed Methods section, you must check Delete and Put
    – Go to the Security tab
    – Select the TOTP option in both Name and Password fields
    – Save your changes
  • 13. Configuration Step 4A (Secure Mail Operations)
    Note: When you enable this feature, the ability for iNotes users to upload and download their IDs to and from the vault is disabled.
    – Open the Security Settings Policy document and click the ID Vault tab.
    – In the section TOTP-based ID Downloads, select Yes in the Allow TOTP authentication with the ID vault field.
    – To allow web users who do not use TOTP to continue to download their Notes IDs for secure mail operations, select Yes in the Allow password authentication with the ID vault field.
    – To require that all web users use TOTP in order to download their Notes IDs, select No.
  • 14. Configuration Step 4B (Secure Mail Operations)
    In the vault Configuration document of the idvault.nsf (IBM_ID_Vault folder), specify the servers that use the ID vault and are enabled for TOTP and secure mail operations.
    – Open the vault database.
    – Open the Configuration document.
    – In the TOTP authenticated vault login section, specify all of the Domino web mail server names in the Trusted servers field.
  • 15. Configuration Step 5A (The TOTP Login Form)
    NOTE: If you have a domcfg file, you can skip this and go to the next page
    How to Create the Domino Web Server Configuration database (DOMCFG.NSF):
    1. From the Domino Administrator choose File > Application > New
    2. Enter the name of the Web server in the Server field
    3. Select Show Advanced Templates
    4. Select the Domino Web Server Configuration template (DOMCFG5.NTF)
    5. Enter a Title for the database
    6. For the File name field, you MUST enter DOMCFG.NSF
    7. Click OK
  • 16. Configuration Step 5B (The TOTP Login Form)
    Need to specify $$LoginUserFormMFA as the log-in form:
    – Open DOMCFG.NSF and open the Sign In Form Mappings view.
    1. Click Add Mapping.
    2. Under Site Information, choose either All Web Sites/Entire Server or Specific Web Sites/Virtual Servers:
       – All Web Sites/Entire Server uses the custom log-in form for all Web Sites on the server, or for the entire Web server
       – Specific Web Sites/Virtual Servers maps the custom log-in form to specific Web Site documents or Virtual Servers
    – Under Form Mapping, for Target Database specify DOMCFG.NSF, and for Target Form specify $$LoginUserFormMFA.
  • 17. Configuration Step 5C (ACL and Restart)
    Make sure you set the ACL properly for the domcfg.nsf, and then restart your server
  • 18. Notes.ini – Optional Settings (very detailed info to help you; these require a server restart)
    Setting: TOTP_STEPSIZE=seconds
      Description: How long, in seconds, a TOTP token is valid. Without the setting, tokens are valid for 30 seconds before they expire. If you feel your users require more time, this is where you change the default. NOTE: Not all TOTP applications honor this setting.
    Setting: TOTP_TIMESKEW_STEPS=TOTP_STEPSIZE factor
      Description: Additional time allowed to accommodate time differences between the ID vault server and the user devices. Specify the TOTP_STEPSIZE factor to add before and after the TOTP_STEPSIZE. By default, the value is a factor of 1, meaning that, assuming the default TOTP_STEPSIZE value of 30 seconds, an allowance of 30 seconds is added before and after.
    Setting: ENABLE_IDV_CROSSDOMAIN_AUTHENTICATION=1
      Description: If directory assistance is configured for cross-domain directory lookups, add this notes.ini setting to your Domino servers. Then, when a user accesses a Domino server and the user is registered in a secondary domain, the server is able to access the ID vault in the secondary domain to manage TOTP authentication. (If you need DA Cross-Domain lookup support, add this one.)
    Setting: DEBUG_TOTP=2, DEBUG_IDV_TOTP_TRANS=1, DEBUG_IDV_TRUSTCERT=1
      Description: To help troubleshoot TOTP problems, use these settings to enable debug logging in console.log.
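To make the TOTP_STEPSIZE and TOTP_TIMESKEW_STEPS settings on slide 18 concrete, here is an added worked example that is not HCL code and not part of the original presentation. It generates and verifies RFC 6238 TOTP codes with HMAC-SHA1, the algorithm selected in the MFA options on slide 11, and shows how the step size and the skew window decide which codes a server accepts. The `step_size` and `timeskew_steps` arguments are this example's own names modelled on the two notes.ini settings; the shared secret is the RFC 6238 test key, labelled as such; no Domino API is involved.

```python
"""Added example: RFC 6238 TOTP generation and verification, parameterised
the way the Domino notes.ini settings TOTP_STEPSIZE and TOTP_TIMESKEW_STEPS
are described. Not HCL code; standard library only."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test secret, in the Base32 form an authenticator app
# receives from the enrolment QR code: the ASCII bytes "12345678901234567890".
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(b32: str) -> bytes:
    """Decode a Base32 shared secret; re-adds the '=' padding that QR
    payloads and typed-in secrets usually omit."""
    cleaned = b32.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step_size: int = 30,
         digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step_size).
    `step_size` plays the role of TOTP_STEPSIZE (default 30 seconds)."""
    return hotp(secret, unix_time // step_size, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step_size: int = 30, timeskew_steps: int = 1,
                digits: int = 6) -> bool:
    """Accept `code` if it matches the current step or any step within
    +/- `timeskew_steps` of it (the TOTP_TIMESKEW_STEPS allowance: with the
    defaults, one 30-second step before and after). The comparison is
    constant-time so response timing does not reveal partial matches."""
    current_step = unix_time // step_size
    for delta in range(-timeskew_steps, timeskew_steps + 1):
        expected = hotp(secret, current_step + delta, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    secret = secret_from_base32(TEST_SECRET_B32)
    now = int(time.time())
    print("current code:", totp(secret, now))
    # A code from the previous step is still accepted with the default skew.
    print("previous step accepted:", verify_totp(secret, totp(secret, now - 30), now))
    print("previous step accepted with no skew:",
          verify_totp(secret, totp(secret, now - 30), now, timeskew_steps=0))
```

The same key with a 60-second step produces a different code than with the default 30 seconds, which is the practical reason behind the slide's warning that not every authenticator app honours a changed TOTP_STEPSIZE: the app and the vault server must agree on the step, or every code the user types will be rejected. Raising `timeskew_steps` widens the acceptance window in both directions, trading a little replay exposure for tolerance of clock drift between the server and the user's device.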
  • 19. How to put ID Files in the ID Vault
    Most common way: once the ID Vault is running, the IDs go there automatically when created or recertified.
    But what if you already have 1,000s of people registered and now created the ID Vault?
    The process is a mix of registering users via a .txt file coupled with some automatic settings.
    Due to time constraints, I have provided links to blog posts from myself and Ales Lichtenberg that explain how to do this; they can be found at the end of this presentation.
  • 20. Unable to Upload ID Files
    If you do not see "Upload ID Files to ID Vault" when you right-click on a user in the Directory, or when selecting Actions from the menu bar, you may have a "no update" People view customization in your directory.
    One way to fix this: open your Directory in the Designer client, find the People view, and in the Properties – Design box below, uncheck "Prohibit design refresh or replace to modify".
  • 21. ID Vault Creation Error
    If you see this message your ID Vault was not properly set up.
    1. Delete the Vault Trust and Multi-Factor certificates (Security - Certificates section of the Directory)
    2. Then recreate the ID Vault and run the mfamgmt command again
  • 22. Another ID Vault Error Message
    This points to ID Vault corruption.
    1. Delete the Vault Trust and Multi-Factor certificates (Security - Certificates section of the Directory)
    2. Then recreate the ID Vault and then run the mfamgmt command
  • 23. If The MFA Is Not Allowing User Setup
    • You may see the login page that is preset in the domcfg.nsf
    • But it may not take you to the setup after you try to log in with your name and password
    • Or if you try to click on MFA it will not do anything
    • This means you may have to redo the console command: mfamgmt create trustcert
    • And/or you may need to say NO in the Configuration document where it asks "Allow TOTP authentication with the ID vault"
  • 24. How Users Set up TOTP
    • Users need to install on their device one of the common authenticator applications
      – Duo, Google, Microsoft, Authy, PingID, etc.
    • Go to the Login page with the TOTP and then log in as usual
    • The system will bring them to the MFA setup
    • User enters a name for the account and then scans the bar code shown on the screen or enters the code into their Authenticator
    • Afterwards they enter the code from the Authenticator
    • They receive scratch codes for emergencies, then select Done
    • They log in as usual, but now include the authenticator code
  • 25. Managing TOTP
    Your friends, while testing, and afterwards:
    1. The Internet Password Lockout database
    2. The ID Vault database
    • Users lock themselves out and you will need to clear them from the lockout database
    • The ID Vault database can tell you who has set up TOTP and more details
  • 26. Resetting the User's TOTP
    You MUST log on as a vault administrator and then use one of these two options to reset a user's TOTP details:
    • From the Vault database
      – In the Vault Users view, select a user
      – Select from the Actions menu "Reset TOTP Items"
    • From the Domino Administrator client, People & Groups tab
      – Select Tools then ID Vaults
      – Select the person document in question
      – Select Reset TOTP Configuration
  • 27. Customizing the Login Page Graphic
    – Open the DOMCFG5.NTF file in the Designer client
    – Go to Resources - Images
    – Export the MFASetup1.png file to your PC and open it in your graphic editor
    – Add your company logo or any text on the LEFT side of the graphic, about an inch or 2 away from the border
    – Save the file to your local desktop using a different # (MFASetup2.png)
    – Upload the file by clicking "Import Image Resource" from the Designer Client
    – Rename the original to #3
    – Change the original Alias in Basic properties as well to #3
    – Rename the uploaded file to MFASetup1.png
    – Set the alias in the Properties - Basics box to MFASetup1.png also
    – Save your changes, replace the domcfg.nsf design and then refresh your login page
  • 28. Customizing the Login Page TEXT
    One client asked to remove the HCL Domino from being displayed; a different client asked for us to move it.
    • To edit the login form, open the Designer client
    • Open domcfg5.NTF
    • Go to the Forms list and open $$LoginUserFormMFA
    • Edit the HTML
    • Replace the domcfg.NSF design
    • Refresh your browser
    • Remember to test it!
      – It may not appear where you think, or how you expect it to be seen, if you are adding text
  • 30. Official Documentation and Links
    • https://help.hcltechsw.com/domino/12.0.0/admin/conf_totp_overview.html
    • https://help.hcltechsw.com/domino/12.0.0/admin/conf_totp_configuring.html
    • https://help.hcltechsw.com/domino/12.0.0/admin/conf_totp_how_users_setup_totp.html
    • https://help.hcltechsw.com/domino/12.0.0/admin/conf_totp_resetting_users_secret_keys.html
    • https://blog.vanessabrooks.com/2021/10/sntt-changing-some-but-not-all-users.html
    • https://help.hcltechsw.com/domino/12.0.0/admin/conf_registeringusersfromatextfile_t.html?hl=registering%2Cusers%2Ctext%2Cfile
    • https://help.hcltechsw.com/traveler/12.0.0/mobile_support_totp.html
    • https://blog.vanessabrooks.com/2021/10/sntt-totp-needs-id-file-in-id-vault-to.html
    • https://blog.vanessabrooks.com/2010/06/id-registration-via-text-file.html
    • https://alichtenberg.cz/how-to-register-notes-users-from-a-file/