Recently in Domino Category
I should have known this. Greyhawk saves the day with his post on default ACL groups for your templates. Domino can have such a steep learning curve at times. You just don't know what you don't know. Now you know.
Objective: Secure Domino web applications/email with SSL utilizing an inexpensive solution with no inconvenience to the end user.
Historically, SSL has been used to secure business transactions involving credit cards on commerce sites. It's becoming increasingly important to secure business communications/applications as well. For securing web sessions with SSL you have a few options with Domino.
You can sign your own SSL certificate via Domino. This costs nothing, but there are shortcomings. No browser will trust your certificate, so the user receives an error message when they access the site. You can install the certificate into the browser to eliminate the message. In some corporate environments, this might be acceptable: you can customize the builds of your browser on corporate machines to trust the certificate. Your outside partners and/or customers should not have to figure out how to install a certificate. For our environment, this was not acceptable. I believe that Domino offers this functionality mostly for testing. The next option is to purchase an SSL certificate from a provider such as Verisign, GeoTrust, Thawte or GoDaddy. I ended up going with GoDaddy. The certificate cost $30 for one year. Verisign cost $900 for one year. Here are a few things to look for when purchasing an SSL Certificate:
Trusted Root or Intermediate Certificate? Verisign is one of many providers that is listed as a trusted root in most browsers. The GoDaddy SSL Certificate is a 'chained certificate.' This means that it requires an intermediate certificate in order to be recognized by the browser. GoDaddy has a subsidiary, Starfield, that issues its SSL Certificates. Starfield purchased an intermediate certificate from ValiCert, who is a trusted root. This adds an extra layer, which some see as problematic. GoDaddy is at the whim of ValiCert, and doesn't control its own trusted root certificate. Despite some people being down on chained certificates, I didn't consider the issues to be material for use on a corporate network. Besides, the certificate only cost $30.
High Assurance or Turbo? GoDaddy offers two flavors of SSL Certificates. The High Assurance certificate requires that your identity has been thoroughly validated by an independent authority. This takes longer to process than a Turbo Certificate, where they only validate that you have control of the domain for which you are using the SSL Certificate.
One of the functions of an SSL Certificate is to prove that a website is authentic, meaning that the end user is getting his email from the server it claims to be. This is part of the reason that Verisign has been successful. There's a bit of branding that goes along with that Verisign seal. This doesn't apply in a corporate environment, where the objective is not to prove to a potential customer that you're a trustworthy merchant to do business with. The objective is to secure the communication between web server and web browser. Your end users aren't going to go somewhere else to get their email or submit a time card. For these reasons, we went with the Turbo. The Turbo was also a bit cheaper.
Browser Ubiquity. Make sure you have an understanding of which browsers support the Trusted Root of your certificate. GoDaddy supports all of the major browsers. They are listed on their website in the SSL FAQ.
For an excellent write up on SSL, see http://www.hostpronto.com/article/11/1.
Back to Domino. Here's how you install a GoDaddy Turbo SSL Certificate on Domino. We are running 6.5, but I think this applies to any R5+ server.
Create a Key Ring
Open certsrv.nsf on the server.
Select 'Create Key Rings & Certificates' on the left nav bar.
Click 'Create Key Ring'
Make note of where your key ring file will be saved. Save the file to your local machine, most likely in the Notes Data directory. You can rename the file to whatever you want, emailserver.kyr, for example.
Provide a password. I made mine a random 12 alpha-numeric character password. You will have to re-type the password several times.
Set the key size to 1024. If you are using international versions of Domino this may cause issues. Consult the Domino Admin Help for more info.
The Common Name is the host name of the website you are securing. For example, intranet.example.com or mail.example.com. Do not include 'http://'. Also note that example.com is not the same as www.example.com.
Fill in the rest of the fields. They are fairly self-explanatory.
Click Create Key Ring
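The Common Name rule above (no scheme, and example.com is not www.example.com) is exactly what the browser enforces when it compares the name in the certificate with the host part of the URL it connected to. The Python below is an added example, not code from the original post or from Domino; it also covers single-label wildcard names, which go beyond the single-host case described here. All host names in it are constructed.

```python
"""Certificate name vs. requested host, as a browser checks it.

Added example: not code from the original post or from Domino. It shows why
the key ring Common Name must equal the host part of the URL users type, and
why example.com and www.example.com are different names. The wildcard rule
(RFC 6125 section 6.4.3) goes beyond the post; all host names are constructed.
"""
from urllib.parse import urlsplit


def host_from_url(url: str) -> str:
    """Return the lower-cased host the browser will connect to.

    Scheme, port and path are discarded; a bare host name is accepted too.
    """
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def cert_name_matches(cert_name: str, host: str) -> bool:
    """True if a certificate name (CN) covers HOST under browser rules.

    The certificate name is taken literally: a CN of 'http://mail.example.com'
    matches nothing, which is why the scheme must not be typed into the CN.
    """
    pattern = cert_name.strip().lower().rstrip(".")
    host = host.strip().lower().rstrip(".")
    if not pattern or not host:
        return False
    if pattern == host:
        return True
    # Wildcard names: '*' must be the entire leftmost label, it matches
    # exactly one label, and the remainder must keep at least two labels
    # so that '*.com' is rejected.
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        suffix = pattern[1:]                     # ".example.com"
        if suffix.count(".") < 2 or not host.endswith(suffix):
            return False
        leftmost = host[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return False


def url_is_covered(cert_name: str, url: str) -> bool:
    """Both steps together: what the user typed vs. what the certificate says."""
    return cert_name_matches(cert_name, host_from_url(url))


if __name__ == "__main__":
    checks = [
        ("mail.example.com", "https://mail.example.com/mail.nsf"),
        ("example.com", "https://www.example.com/"),
        ("www.example.com", "https://example.com/"),
        ("http://mail.example.com", "https://mail.example.com/"),
        ("*.example.com", "https://www.example.com/"),
        ("*.example.com", "https://example.com/"),
    ]
    for cn, url in checks:
        print(f"CN {cn!r:28} url {url!r:40} -> {url_is_covered(cn, url)}")
```

Run it before you generate the CSR: feed it the CN you intend to type and the URLs your users actually bookmark, and it tells you whether the certificate will be accepted without a name mismatch warning.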
Create a Server Certificate Request (CSR)
Next, select option 2 in the Server Certificate Admin database, Create Certificate Request.
Ensure the Key Ring File Name is pointing to the key ring you just created.
Set Log Certificate Request to yes.
Set the Method to Paste into form on CA's site.
Click 'Create Certificate Request'
Provide your key ring password.
In the pop up, copy the text, which is the CSR, and paste into a text file temporarily.
Purchase Certificate
Go to godaddy.com and purchase a Turbo SSL certificate. Follow the instructions to purchase. You will be prompted for the server type. Select 'other'. After purchasing, go to the SSL section of your account on GoDaddy and set up the certificate. You will need to create an account with Starfield, the SSL subsidiary of GoDaddy. Follow the instructions and paste the CSR into the proper field. Submit the certificate application.
Validate The CSR
GoDaddy will email the domain administrator, as listed in the domain Whois, to verify the certificate request. Follow the instructions to validate the CSR. This usually requires clicking a link and clicking the approve button.
Install Trusted Root and Intermediate Certificates
The ValiCert Root Certificate, valicertclass2root.crt, and the Starfield Secure Server Certificate (Intermediate Certificate), sf_issuing.crt, must both be installed into the key ring. They may be obtained from http://certificates.starfieldtech.com/Repository.go. Download the certificates. The following will have to be done for both certificates. Install the root certificate first, and then the intermediate certificate.
In Notes, open the Domino Server Certificate Admin database (certsrv.nsf). Select option 3, Install Trusted Root Certificate into Key Ring. Ensure the Key Ring File Name field is pointing to your key ring. Input a label. You have two options for the certificate source. Select clipboard. (This is a personal preference of mine.) Open the downloaded certificate in Notepad and copy and paste its contents into the Certificate from Clipboard field. Click the Merge Trusted Root Certificate into Key Ring button. Rinse and repeat for the intermediate certificate.
Install the SSL Certificate
Open the Domino Server Certificate Admin database and select option 4, Install Certificate into Key Ring. Ensure the Key Ring File Name field is pointing to your key ring. Again, select clipboard as the Certificate Source. Open the SSL certificate that GoDaddy emailed you in Notepad. The certificate should be named something like yourserver.com.crt. Copy the contents and paste them into the Certificate from Clipboard field. Click the Merge Certificate into Key Ring button.
Move Key Ring to the Server
Copy your key ring file (default name keyfile.kyr) and the stash file (default name keyfile.sth) to the data directory on your server. The stash file holds the key ring password so the server can open the key ring without prompting, so treat both files as secrets.
Configure Domino
Open the Server Config Document for your server. Go to the Ports tab and select the Internet Ports tab. Set the SSL key file name to the name of your key ring. Do not include the path, just the file name. On the Web tab below, ensure that you set a port number for SSL, 443 by default, and ensure that the port is enabled. Make sure this port is open on your firewall. Save the config document and re-boot the server.
Test
Test your SSL connection by visiting a page in your domain via https:// instead of http://.
Re-Direct Web Traffic to SSL
This can be done server wide or at the database level. This discussion will focus on re-directing web traffic server wide. From the Domino Admin help:
- From the Domino Administrator, click the Configuration tab, and open the Server document.
- Click the Ports - Internet Ports tab.
- Click the tab for the protocol for which you want to require SSL.
- In the TCP/IP port status field, select "Redirect to SSL."
Re-start the HTTP task. All requests for http:// pages should now re-direct to https://.
The Domino help file states that, 'For Domino 6 servers, use a Web Site document for requiring SSL connections for HTTP clients. For IMAP and LDAP, you do this in the Server document.' I didn't do that and it's working. I'm not sure what that means. Any clarification would be appreciated.
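The 'Test' step above and the redirect just configured are both worth checking from outside the server, because the two most common mistakes are a key ring that lacks the intermediate certificate (browsers then show a chain error even though the server certificate itself is fine) and an HTTP port that still serves pages in the clear. The POSIX shell script below is an added example, not from the original post or from Domino. It assumes openssl and curl are installed on the machine you run it from, reads the host to probe from the SSL_PROBE_HOST environment variable, and carries constructed samples of openssl s_client and curl output (placeholder host and CA names) so its parsing functions can be exercised offline.

```shell
#!/bin/sh
# Post-install checks for a Domino HTTPS site: is the full chain served, does
# openssl verify it, and does plain http:// get redirected to https://.
# Added example, not from the original post. Assumes openssl and curl are
# installed; the host to probe is read from SSL_PROBE_HOST. The sample outputs
# below are constructed so the parsing functions can be run offline.

# Number of certificates the server sent. A chained certificate such as the
# Starfield-issued one must show at least 2 (server cert + intermediate);
# 1 means the intermediate never made it into the key ring.
count_served_certs() {
    grep -c 'BEGIN CERTIFICATE' || true
}

# The numeric code from the "Verify return code: N (text)" line of s_client.
verify_return_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Subject lines of the served chain, in the order the server sent them.
chain_subjects() {
    sed -n 's/^ *[0-9][0-9]* s:\(.*\)$/\1/p'
}

# Given s_client output on stdin, print a one-line verdict.
assess_chain() {
    data=$(cat)
    n=$(printf '%s\n' "$data" | count_served_certs)
    code=$(printf '%s\n' "$data" | verify_return_code)
    if [ "${code:-none}" = "0" ] && [ "$n" -ge 2 ]; then
        echo "OK: $n certificates served, chain verifies"
    elif [ "$n" -lt 2 ]; then
        echo "FAIL: only $n certificate served, intermediate missing from key ring?"
    else
        echo "FAIL: verify return code ${code:-none}"
    fi
}

# Given 'curl -sI http://host/' output on stdin, print the Location target
# when the status is 3xx, nothing otherwise.
redirect_target() {
    tr -d '\r' | awk 'NR == 1 { status = $2 }
                      tolower($1) == "location:" { loc = $2 }
                      END { if (status ~ /^3/) print loc }'
}

# Live probe of one host: served chain, verify result, and http redirect.
probe() {
    host=$1
    printf 'Chain served by %s:\n' "$host"
    out=$(openssl s_client -connect "$host:443" -servername "$host" -showcerts </dev/null 2>/dev/null)
    printf '%s\n' "$out" | chain_subjects
    printf '%s\n' "$out" | assess_chain
    target=$(curl -sI "http://$host/" | redirect_target)
    case "$target" in
        https://*) echo "OK: http:// redirects to $target" ;;
        *)         echo "FAIL: no redirect to SSL (got '${target:-none}')" ;;
    esac
}

# Constructed sample: a correctly installed chained certificate.
SAMPLE_GOOD='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = mail.example.com
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
---
    Verify return code: 0 (ok)'

# Constructed sample: intermediate left out of the key ring.
SAMPLE_NO_INTERMEDIATE='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = mail.example.com
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
---
    Verify return code: 21 (unable to verify the first certificate)'

# Constructed samples of curl -sI output with and without the redirect.
SAMPLE_REDIRECT='HTTP/1.1 302 Found
Location: https://mail.example.com/
Content-Length: 0'

SAMPLE_NO_REDIRECT='HTTP/1.1 200 OK
Content-Type: text/html'

if [ -n "${SSL_PROBE_HOST:-}" ]; then
    probe "$SSL_PROBE_HOST"
fi
```

Run it as SSL_PROBE_HOST=mail.example.com sh check-ssl.sh from a workstation, not from the server itself, so the firewall rule for port 443 is exercised as well. Note that openssl only reports "Verify return code: 0" when the root is in its own trust store; for a chained certificate the interesting number is the count of served certificates, which must include the intermediate.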
Comments and corrections are welcome.
