3. @Lotusevangelist keith@b2bwhisperer.com
Keith Brooks
CEO B2B Whisperer
keith@b2bwhisperer.com
HCL Ambassador, IBM Champion
Dabbling in Notes & Domino Administration for 30 years
Really miss Quickr & Domino.Doc
Blog: https://blog.vanessabrooks.com
Twitter: @Lotusevangelist
4. HUGE Thank You to HCL Support
Rajib
Sooraj P
Neha Bansal
Without their help and patience with me and my client's issues, some of this session would not be so helpful.
https://keepcalms.com/p/thank-you-for-everything-and-sorry-for-my-mistakes/
5. The Plan For Today
• What is this MFA thing? And why you might need it
• TOTP Planning and Prerequisites
• How do we configure TOTP
• Troubleshooting when the TOTP configuration does not work
• User instructions to set up TOTP on their end
• Managing Your TOTP Environment
• Resetting a User's TOTP Details
• Extra Credit: Customizing the TOTP Form Login Pages
• Links for Everything
6. What is this MFA Thing?
– MFA (Multi-Factor Authentication)
– OTP (One-Time Password)
– HOTP/HMAC OTP (Hash-Based Message Authentication Code/Counter)
– TOTP (Time-Based One-Time Password)
• Is SSO a form of MFA?
• Are Notes ID files a form of MFA?
• Is SSO really a secure idea?
• Why do you, or your customers, need TOTP?
7. Planning is a MUST
• iNotes is the most common TOTP requirement
– iNotes Redirector works with TOTP
• Web applications are also a top TOTP requirement
• What if you also have Traveler/Verse users?
– https://help.hcltechsw.com/traveler/12.0.0/mobile_support_totp.html
• You may need some secondary domains (Internet Site Documents) because Traveler users will not want to log in every time they check their mail.
8. Prerequisites
• Users' IDs need to be in an ID Vault that is set up and working
• Server must be R12
– Mail templates do not need to be on R12, but should be if possible
• Need a cert.id file accessible in the server Data directory
– If putting it there now, you may need to restart the server so it recognizes the file properly
• SSL should be enabled; most companies have done this. If you have not, creating SSL certificates is included in R12 for free*
9. Configuration Step 1
• Go to the server console (easier from the Admin client) and type:
– mfamgmt create trustcert */O=domain cert.id certpassword
• Replicate the Directory across your domain
• In the Directory, check the Certificates view for a Multi-Factor Authentication Certificate section
– From a server console type: show idvault
– Look for the following lines in the output (example below):
• Administration Server: DOM1/Domain
• /DOMAIN trusts this vault
• /Domain trusts /Domain for MFA
COMMAND SENT: sh idvault
ID Vault /VBI_ID (IBM_ID_VAULTVBI_ID.nsf)
Vault Name: /VBI_ID
Description: VBI ID Vault
Administrators: Keith Brooks/VBI
Servers: Music/Server/VBI
Administration Server: Music/Server/VBI
/VBI trusts this vault
/VBI trusts /VBI for MFA
Setting VBI_IDVaultSetting uses this vault
10. Configuration Step 2
1. From the Admin client, open the Configuration tab
2. Go to the Messaging section
3. Open the default Configuration Settings document, or the server-specific one that will handle the TOTP
4. Open the Security tab
5. Configure the MFA options (see next screen for an example)
6. Save the page and close it
12. Configuration - Step 3 (Web Site Document)
1. From the Directory go to Configuration - Web - Internet Sites
2. In the web site document go to the Domino Web Engine tab
3. Set Session Authentication to Single Server
4. Go to the Configuration tab
5. In the Domino Access Services section select TOTP from the drop down
6. In the Allowed Methods section, you must check Delete and Put
7. Go to the Security tab
8. Select the TOTP option in both the Name and Password fields
9. Save your changes
13. Configuration Step 4A (Secure Mail Operations)
Note: When you enable this feature, the ability for iNotes users to upload and download their IDs to and from the vault is disabled.
– Open the Security Settings Policy document and click the ID Vault tab.
– In the section TOTP-based ID Downloads, select Yes in the Allow TOTP authentication with the ID vault field.
– To allow web users who do not use TOTP to continue to download their Notes IDs for secure mail operations, select Yes in the Allow password authentication with the ID vault field.
– To require that all web users use TOTP in order to download their Notes IDs, select No in that field.
14. Configuration Step 4B (Secure Mail Operations)
In the vault Configuration document of the idvault.nsf (IBM_ID_Vault folder), specify the servers that use the ID vault and are enabled for TOTP and secure mail operations.
– Open the vault database.
– Open the Configuration document.
– In the TOTP authenticated vault login section, specify all of the Domino web mail server names in the Trusted servers field.
15. Configuration Step 5A (The TOTP Login Form)
NOTE: If you already have a domcfg file, you can skip this and go to the next page.
How to Create the Domino Web Server Configuration database (DOMCFG.NSF):
1. From the Domino Administrator choose File > Application > New
2. Enter the name of the Web server in the Server field
3. Select Show Advanced Templates
4. Select the Domino Web Server Configuration template (DOMCFG5.NTF)
5. Enter a Title for the database
6. For the File name field, you MUST enter DOMCFG.NSF
7. Click OK
16. Configuration Step 5B (The TOTP Login Form)
You need to specify $$LoginUserFormMFA as the log-in form:
– Open DOMCFG.NSF and open the Sign In Form Mappings view.
1. Click Add Mapping.
2. Under Site Information, choose either All Web Sites/Entire Server or Specific Web Sites/Virtual Servers:
– All Web Sites/Entire Server uses the custom log-in form for all Web Sites on the server, or for the entire Web server.
– Specific Web Sites/Virtual Servers maps the custom log-in form to specific Web Site documents or Virtual Servers.
3. Under Form Mapping, for Target Database specify DOMCFG.NSF.
4. For Target Form, specify $$LoginUserFormMFA.
18. Notes.ini – Optional Settings
These settings require a server restart.

Setting: TOTP_STEPSIZE=seconds
Description: How long, in seconds, a TOTP token is valid. Without the setting, tokens are valid for 30 seconds before they expire. If you feel your users require more time, this is where you change the default. NOTE: Not all TOTP applications honor this setting.

Setting: TOTP_TIMESKEW_STEPS=TOTP_STEPSIZE factor
Description: Additional time allowed to accommodate time differences between the ID vault server and the user devices. Specify the TOTP_STEPSIZE factor to add before and after the TOTP_STEPSIZE. By default the value is a factor of 1, meaning that with the default TOTP_STEPSIZE value of 30 seconds, an allowance of 30 seconds is added before and after.

Setting: ENABLE_IDV_CROSSDOMAIN_AUTHENTICATION=1
Description: If directory assistance is configured for cross-domain directory lookups, add this notes.ini setting to your Domino servers. Then, when a user accesses a Domino server and the user is registered in a secondary domain, the server is able to access the ID vault in the secondary domain to manage TOTP authentication. If you need DA cross-domain lookup support, add this one.

Setting: DEBUG_TOTP=2, DEBUG_IDV_TOTP_TRANS=1, DEBUG_IDV_TRUSTCERT=1
Description: To help troubleshoot TOTP problems, use these settings to enable debug logging in console.log. Very detailed info to help you.
19. How to put ID Files in the ID Vault
The most common way: once the ID Vault is running, the IDs go there automatically when created or recertified.
But what if you already have 1,000s of people registered and have only now created the ID Vault?
The process is a mix of registering users via a .txt file coupled with some automatic settings.
Due to time constraints, I have provided links to blog posts from myself and Ales Lichtenberg that explain how to do this; they can be found at the end of this presentation.
20. Unable to Upload ID Files
If you do not see "Upload ID Files to ID Vault" when you right-click on a user in the Directory, or when selecting Actions from the menu bar, you may have a "no update" People view customization in your directory.
One way to fix this: open your Directory in the Designer client, find the People view, and in the Properties - Design box, uncheck "Prohibit design refresh or replace to modify".
21. ID Vault Creation Error
If you see this message, your ID Vault was not properly set up.
1. Delete the Vault Trust and Multi-Factor certificates in the Security - Certificates section of the Directory
2. Then recreate the ID Vault and run the mfamgmt command again
22. Another ID Vault Error Message
This points to ID Vault corruption.
1. Delete the Vault Trust and Multi-Factor certificates in the Security - Certificates section of the Directory
2. Then recreate the ID Vault and run the mfamgmt command again
23. If The MFA Is Not Allowing User Setup
• You may see the login page that is preset in the domcfg.nsf
• But it may not take you to the setup after you try to log in with your name and password
• Or if you try to click on MFA it will not do anything
• This means you may have to redo the console command: mfamgmt create trustcert
• And/or you may need to say NO in the Configuration document where it asks "Allow TOTP authentication with the ID vault"
24. How Users Set up TOTP
• Users need to install one of the common authenticator applications on their device
– Duo, Google, Microsoft, Authy, PingID, etc.
• Go to the Login page with the TOTP and then log in as usual
• The system will bring them to the MFA setup
• The user enters a name for the account and then scans the bar code shown on the screen, or enters the code into their Authenticator
• Afterwards they enter the code from the Authenticator
• They receive scratch codes for emergencies, then select Done
• They log in as usual, but now include the authenticator code
25. Managing TOTP
Your friends, while testing, and afterwards:
1. The Internet Password Lockout database
2. The ID Vault database
• Users lock themselves out and you will need to clear them from the lockout database
• The ID Vault database can tell you who has set up TOTP and more details
26. Resetting the User's TOTP
You MUST log on as a vault administrator and then use one of these two options to reset a user's TOTP details:
• From the Vault database
– In the Vault Users view, select a user
– Select "Reset TOTP Items" from the Actions menu
• From the Domino Administrator client, People & Groups tab
– Select Tools, then ID Vaults
– Select the person document in question
– Select Reset TOTP Configuration
27. Customizing the Login Page Graphic
1. Open the DOMCFG5.NTF file in the Designer client
2. Go to Resources - Images
3. Export the MFASetup1.png file to your PC and open it in your graphic editor
4. Add your company logo or any text on the LEFT side of the graphic, about an inch or 2 away from the border
5. Save the file to your local desktop using a different number (MFASetup2.png)
6. Upload the file by clicking "Import Image Resource" from the Designer client
7. Rename the original image resource to #3
8. Change the original's Alias in the Basics properties to #3 as well
9. Rename the uploaded file to MFASetup1.png
10. Set the alias in the Properties - Basics box to MFASetup1.png also
11. Save your changes, replace the domcfg.nsf design, and then refresh your login page
28. Customizing the Login Page TEXT
One client asked to remove the "HCL Domino" text from being displayed.
A different client asked for us to move it.
• To edit the login form, open the Designer client
• Open domcfg5.NTF
• Go to the Forms list and open $$LoginUserFormMFA
• Edit the HTML
• Replace the domcfg.NSF design
• Refresh your browser
• Remember to test it!
– If you are adding text, it may not appear where you think, or how you expect it to be seen