IT Baseline Protection Manual S 5.86 Use of encryption procedures with browser access to Lotus Notes
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrator
The proprietary Notes port encryption cannot be used to protect communications between the Domino server and a Web client (see S 5.84 Use of encryption procedures for Lotus Notes communication), as browsers do not support this type of encryption. However, Secure Sockets Layer (SSL) provides a method of protecting communications for the Web interface as well.
Where SSL encryption is used to protect communications between Notes server and browser, the following points should be considered:
In order that SSL can be used, the Domino server must be configured for the use of SSL. The server must be issued with an SSL certificate, with which it authenticates itself to a browser during establishment of an SSL connection.
Administration of the certificates must be configured on the server ("certsrv.nsf" from the template "certsrv.ntf"). The certificate administration function can be used to administer the key files and certificates of the server.
There are two basic possibilities for issuing a server SSL certificate:
A self-certificate is issued by the server's certificate administration module. However, this variant, which is the simplest, has the drawback that this certificate is not embedded in any trust hierarchy.
The SSL certificate is created by a certification authority. A separate certification authority within the organisation can serve as the issuing body. For example, a Notes certification authority can be created and implemented using the Notes template database "csrv50.ntf". Alternatively an external certification authority can be used. The significance of the various certificates is quite different, and it is necessary to obtain information on this from the certification authorities.
If the Notes certification authority is not used, the compatibility of the certificates and the possibility of importing certificates must be checked.
In order that the server certificate can be verified by the browser, the root certificate for the certification authority must also be imported into the browser. This generally requires action on the part of the user or else automatic distribution, e.g. on installation of the browser software.
If the Web client is authenticated using a certificate during establishment of an SSL connection (see also S 4.124 Configuration of authentication mechanisms with browser access to Lotus Notes), all the users must be provided with a corresponding certificate. The certificate must be imported into the certificate database of the browser. Once again, the user may have to become actively involved, which presupposes that he has the relevant expertise. In addition, steps must be taken to ensure that at least version 3 of the SSL protocol is used, as earlier versions do not support client authentication.
To enable communications to be protected once the SSL connection has been initialised, client and server must have compatible cryptographic procedures (so-called cipher suites). In particular, it is necessary to ensure that the option "No encryption" is not permitted when an SSL connection is established.
The choice of cryptographic procedures (and their key lengths) can be limited both in the Web server and also in the browser. Such restrictions should not be permitted. Generally only browsers which can process strong cryptographic algorithms should be used.
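The cipher suite check described above can be scripted. The following Python sketch is an added example, not part of the manual or of Domino: it parses a list of enabled cipher suite names and reports those that permit no encryption, a short key or anonymous key exchange. The suite list is a constructed sample, and the 128-bit threshold is an assumed policy value, as the safeguard only says "strong".

```python
import re

# Bulk ciphers of SSL 3.0-era suites and their nominal key length in bits.
KEY_BITS = {
    "NULL": 0, "RC4_40": 40, "RC2_CBC_40": 40, "DES40_CBC": 40,
    "DES_CBC": 56, "RC4_128": 128, "3DES_EDE_CBC": 168,
    "AES_128_CBC": 128, "AES_256_CBC": 256,
}
# Name layout: <SSL|TLS>_<key exchange>_WITH_<bulk cipher>_<MAC>
SUITE_RE = re.compile(
    r"^(?:SSL|TLS)_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<mac>MD5|SHA|SHA256|SHA384)$"
)
MIN_BITS = 128  # assumed policy threshold, not a value from the manual


def findings_for(suite, min_bits=MIN_BITS):
    """Return the policy findings for one cipher suite name (empty list = acceptable)."""
    m = SUITE_RE.match(suite)
    if not m:
        return ["unparseable name, review manually"]
    findings = []
    bits = KEY_BITS.get(m["cipher"])
    if bits is None:
        findings.append("unknown cipher %s, review manually" % m["cipher"])
    elif bits == 0:
        findings.append("no encryption")
    elif bits < min_bits:
        findings.append("key length %d bits below %d" % (bits, min_bits))
    if "anon" in m["kx"]:
        # Anonymous key exchange skips the server certificate entirely.
        findings.append("anonymous key exchange, no server certificate")
    return findings


def audit(enabled_suites, min_bits=MIN_BITS):
    """Map each offending suite to its findings; an empty dict means the list passes."""
    report = {}
    for suite in enabled_suites:
        findings = findings_for(suite, min_bits)
        if findings:
            report[suite] = findings
    return report


# Constructed sample: suites as they might be enabled on a server.
SAMPLE = ["SSL_RSA_WITH_NULL_MD5", "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
          "SSL_RSA_WITH_DES_CBC_SHA", "SSL_DH_anon_WITH_RC4_128_MD5",
          "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_3DES_EDE_CBC_SHA"]

if __name__ == "__main__":
    for name, found in audit(SAMPLE).items():
        print("%s: %s" % (name, "; ".join(found)))
```
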
Additional controls:
Are the Administrators trained in the use of SSL encryption and setting up certification hierarchies?
Do the users know what factors to look out for when using SSL?