Appendix A. Third-party Products

In this appendix, we look at several vendor offerings that could extend your Lotus Notes/Domino 8 environment. The information contained in this appendix is provided by the vendors themselves. For more information, consult the respective vendor's website.

PistolStar

Strengthening Authentication to Adapt to Changing Circumstances™

PistolStar, Inc. specializes in tailored authentication, providing software products and services that fit with the customer's environment, as well as optimize authentication processes and address requirements for enhanced usability, security, auditing, and compliance. With its comprehensive solution set, PistolStar responds to an organization's need to secure access to information and ensure regulatory compliance, while simplifying the login process and reducing the IT staff's burden of managing passwords and tracking login threats. Launched in 1999, PistolStar is a pioneer in enabling authentication via Microsoft Active Directory and is an authority on authentication using Active Directory and Kerberos.

PistolStar has experienced phenomenal growth, attributing its success to an understanding of customers' pain, having the ability to demonstrate a positive return on investment, and differentiating itself from the competition by delivering flexible solutions with full technical support from the developers.

PistolStar's Password Power 8 plugins expand the authentication and password management capabilities of Lotus Notes/Domino 8. The Notes ID plugin offers SSO and seamless redirection of the Notes ID file's authentication to LDAP-compliant directories (for example, Microsoft Active Directory, Novell eDirectory, Tivoli Directory Server). Likewise, the Domino plugin offers HTTP SSO to Domino and seamless redirection of HTTP authentication to LDAP-compliant directories. PortalGuard (PG) offers fine-grained control over the management of the Domino Internet password where that password remains vital to the current authentication processes. Below is an outline of the functionality available with each of PistolStar's Password Power 8 plugins as they pertain to Lotus Notes and Domino 8.

To achieve PistolStar's definition of Single Sign-On (SSO), we start at the desktop with the Windows session. We leverage Microsoft Active Directory and Novell eDirectory, both significant technologies in Windows-centric computing environments, by enabling use of either of their passwords at the initial computer login to access all Domino server applications in multiple domains and the Notes client. With this capability, the number of times an end user must supply login information during a Windows session is reduced to a single instance.

Password Power 8 Domino plugin

The Domino plugin provides end users with SSO access to all applications on Domino servers, creating convenience and saving login time. The Domino plugin offers many methods for SSO capabilities: Kerberos, NTLM, or proprietary cookies, all of which optionally allow authentication utilizing a Personless NAB.

Enabling SSO to Domino HTTP servers via Kerberos requires connectivity to a central Key Distribution Center (KDC). In Windows, each Active Directory domain controller acts as a KDC. Users authenticate themselves to services (for example, Domino servers) by first authenticating to their Windows machine using a domain account, then requesting encrypted service tickets from the KDC for the specific services they wish to use. This last step is performed automatically by the user's web browser. Only the service (and the KDC) can decrypt the service ticket to get the user's information. Because only the KDC could have created the service ticket, the service knows that the user must have also authenticated to the KDC, so it can trust the user credentials in that ticket. With both Kerberos and NTLM SSO, no client-side software is required.

Alternatively, to enable SSO to Domino HTTP servers, a web browser toolbar creates client-side cookies with encrypted credentials for each of the Domino servers listed in the Password Power configuration file. Accessing a Domino server through a web browser automatically sends the corresponding cookie with the request. These same cookies can also be used to grant SSO to IBM Lotus QuickPlace and Sametime, IBM WebSphere and WebSphere Portal, and SAP NetWeaver. These in-memory session cookies have a configurable expiration interval that defaults to 12 hours. When the end user closes the browser, logs out, or shuts down Windows, the cookies are automatically destroyed.

SSO from a BlackBerry device is also possible using browser-based cookies, but instead of requiring a browser toolbar, the SSO cookie is created within the BlackBerry browser after the user enrolls for SSO by logging into the Domino server manually once, after the Domino plugin has been installed and configured to provide this service.

The Domino plugin also supports a Personless NAB, allowing the end user to log on to Domino HTTP with their network directory (for example, Microsoft Active Directory) credentials to access all Domino HTTP solutions, including Lotus iNotes, Sametime, QuickPlace, and Domino Web Applications. Browser-only end users no longer need a duplicate set of Person documents, as the Domino plugin requires that the end user be defined only once, in Active Directory (users of the standalone Notes client still need Person documents to support encryption and signatures). The Personless NAB approach also leverages Domino's Directory Assistance, which gives the end user an access token containing their Active Directory name and any Active Directory groups to which they belong. The central role in this approach is performed by a DSAPI filter, which provides SSO and overrides the normal authentication process that checks the username and password against the Domino Directory.

This functionality solves many of the username mapping issues associated with authenticating against remote directories without requiring changes to the LDAP server accounts or the Domino Directory. Redirecting web authentication requests from the Domino Directory to a different LDAP directory also eliminates the need to maintain or synchronize the Domino Internet password, as its presence and upkeep are no longer required. This functionality extends to all Domino authentication that uses the Internet (HTTP) password, including QuickPlace, Sametime, IMAP, POP3, and DIIOP.

System requirements for Domino Plugin (Server side)

  • Lotus Domino 6/7/8/8.5
  • Microsoft Windows Server 2000, 2003, 2008
  • IBM AIX 5.1 or higher
  • IBM System i V5R3 or higher
  • All x86 Linux distributions
  • Sun Solaris SPARC 9 or higher
  • LDAP Server: Microsoft Active Directory, Novell eDirectory, Sun ONE/iPlanet, Domino, Tivoli Directory Server
  • SAP NetWeaver 2004 (optional)
  • WebSphere 5.1+ (optional)
  • WebSphere Portal 5.1+ (optional)

Password Power 8 Notes ID plugin

PistolStar's Password Power Notes ID plugin removes the need for separate passwords and repositories for the Notes ID file by configuring the Active Directory as the central password authentication point for accessing the Lotus Notes Client, thus eliminating the need to separately maintain the Notes ID password.

The Notes ID plugin provides synchronization between Active Directory and the Notes ID file and allows forgotten Notes ID file passwords to be automatically recovered and resynchronized with the Active Directory.

With PistolStar's Password Power Notes ID plugin, a successful authentication to Microsoft Active Directory, Novell eDirectory, Lotus Domino LDAP, Tivoli Directory Server, or Sun ONE LDAP grants access to the Lotus Notes client. This effectively eliminates manual Notes ID password recovery, because a reset of the LDAP password restores access to Lotus Notes. Password synchronization between LDAP and the Notes ID file is always performed, so that the Notes ID file can still be opened with the synchronized password when the LDAP server is unreachable.

System requirements for Notes ID plugin (Client side)

  • Windows XP Professional, Vista, or 7
  • Lotus Notes client 6/7/8/8.5 for Windows (optional)

(No browser is required for the Notes ID plugin)

PortalGuard

PortalGuard is a password authentication and security solution that allows end users to authenticate and manage a portal password directly from a web browser, while providing administrators with functionality to meet or exceed their security objectives. With PortalGuard, administrators can implement best practices for ensuring stronger and consistently secure authentication.

System requirements for PortalGuard

  • Lotus Domino 6/7/8/8.5
  • Microsoft Windows 2000, 2003, 2008
  • IBM AIX 5.1 or higher
  • IBM System i V5R3 or higher
  • All x86 Linux distributions
  • Sun Solaris SPARC 8 or higher
  • Lotus Sametime 6.5.1, 7, 7.5.x, 8, 8.0.x (optional)
  • Lotus QuickPlace 6.5.1, 7 (optional)
  • Lotus Quickr 8, 8.x (optional)
  • Domino.doc 6.5.1, 7 (optional)

Security

PortalGuard offers the following security features:

  • Force an SSL connection for logins: Ensures end users' credentials are submitted via SSL. If an end user tries to log in through HTTP instead of HTTPS, PG forces login over HTTPS by redirecting the end user to an HTTPS connection.
  • Dictionary lookup functionality: Allows administrators to enable a dictionary lookup to prevent users from setting prespecified (unacceptable or easily guessed) passwords, such as the company name. The lookup can be provided in three ways: a Notes database, JavaScript, or both a Notes database and a list accessed through JavaScript.
  • Password quality: Administrators can configure several fully customizable password "strength" rules.
  • Password quality check on both client and server sides: Client-side checking does not contact the server and is done through JavaScript, reducing server load and network traffic. Server-side checking can use @PasswordQuality instead of JavaScript (this requires a round trip to the server) to determine whether a new password is acceptable. This allows administrators to set a minimum password quality (0-16); any new password must, at a minimum, equal this quality.
  • Disqualify username as password: Administrators can prevent new passwords from containing variations of the end user's username, a typical password choice that is easily guessed by network intruders.
  • Password expiration grace period: Administrators can select a grace period or a timeframe by which end users must change their passwords.
  • Disable Internet Explorer Auto Complete: Administrators can prevent Internet Explorer Auto Complete feature from offering a list of previously used entries. When enabled, this applies to all PG fields and only affects IE 5.0 and higher. This feature prevents internal intruders from easily accessing the password from the drop-down menu of previously used passwords.
  • Prevent similar password use: The "Prevent Similar Passwords" JavaScript rule checking disallows use of similar passwords during password resets.
  • Confirmation requirement for self-registration: An email is sent to the end user with a link to a confirmation page for self-registration. On this page, end users are prompted for their email address, which affects creation of the Person Document in the Domino Directory.
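The following is an added example, not PistolStar's code and not Domino's @PasswordQuality algorithm, showing the shape of the client-side rules the list above describes: a dictionary lookup that catches a word even when digits and punctuation are bolted on, disqualification of the username (and its reverse) inside the candidate, and a "prevent similar passwords" rule implemented as an edit-distance threshold against the previous password. The dictionary words, policy thresholds and the `checkPassword` signature are assumptions for the example. Because anything run in the browser can be skipped by a client that does not execute it, checks like these are a convenience for the user; the server-side rule (@PasswordQuality or an equivalent) is the one that actually enforces the policy.

```javascript
// Added example: client-side password rule checks of the kind the list above
// describes. Illustrative only; not PistolStar's code and not the Domino
// @PasswordQuality scale. Runs unchanged in a browser or in Node.js.

// Constructed "unacceptable words" list. A real deployment would load this
// from a Notes database or a JavaScript list, as the text describes.
const DICTIONARY = ["acme", "acmecorp", "password", "welcome", "letmein", "lotus", "domino"];

// Assumed policy thresholds for the example.
const POLICY = { minLength: 8, minClasses: 3, minEditDistance: 3 };

// Normalise for comparison: lower-case, undo common leetspeak substitutions,
// then strip everything that is not a letter, so "P@ssw0rd1" and "password"
// compare equal.
function normalize(s) {
  return s.toLowerCase()
    .replace(/[@4]/g, "a").replace(/[$5]/g, "s").replace(/[!1|]/g, "i")
    .replace(/3/g, "e").replace(/0/g, "o").replace(/7/g, "t")
    .replace(/[^a-z]/g, "");
}

// Levenshtein distance: the number of single-character edits that turn a into b.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,
        dp[i][j - 1] + 1,
        dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
  }
  return dp[a.length][b.length];
}

// Returns the names of the rules the candidate violates; an empty array means
// the candidate passes every client-side rule.
function checkPassword(candidate, username, previous, policy = POLICY) {
  const failures = [];

  if (candidate.length < policy.minLength) failures.push("too-short");

  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/]
    .filter((re) => re.test(candidate)).length;
  if (classes < policy.minClasses) failures.push("too-few-character-classes");

  const norm = normalize(candidate);

  // Dictionary lookup: the word appearing anywhere in the candidate, not only
  // as an exact match.
  if (DICTIONARY.some((w) => norm.includes(normalize(w)))) failures.push("dictionary-word");

  // Disqualify username: the account name (local part of an address) or its
  // reverse appearing inside the candidate.
  const user = normalize(username.split("@")[0]);
  const userReversed = user.split("").reverse().join("");
  if (user.length >= 3 && (norm.includes(user) || norm.includes(userReversed))) {
    failures.push("contains-username");
  }

  // Prevent similar passwords: too few edits away from the previous one.
  if (previous &&
      editDistance(candidate.toLowerCase(), previous.toLowerCase()) < policy.minEditDistance) {
    failures.push("similar-to-previous");
  }

  return failures;
}

// Usage: a password-change form would call this on submit and, on failures,
// show the matching customised message instead of posting to the server.
console.log(checkPassword("P@ssw0rd1", "jdoe", null));                       // dictionary word
console.log(checkPassword("Tr4v3l-Kettle-91", "jdoe", "Tr4v3l-Kettle-90"));  // one edit from previous
console.log(checkPassword("Tr4v3l-Kettle-91", "jdoe", "Glass-Orbit-2007"));  // passes
```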

Auditing features

PortalGuard also includes auditing features. These include:

  • Store last login date and time: Allows Administrators to track the date and time an end user last logged in—data that is stored as a new field in the Person Document. Administrators can also select to record more detailed information to be sent to the WSP database, such as username, end user's IP address, URL requested and server name.
  • Enable strikeout logging functionality: Strikeouts can be logged to a database so Administrators see when failed attempts occurred.
  • Log invalid usernames: Administrators can enable logging of invalid usernames to the mail-in database. The information included in this report is:
    • IP address of computer that made the request
    • URL requested by the user
    • Username used
    • Password given
    • The WSP-specific function the user attempted to accomplish (log in, set password, and so on)
    • The server on which the attempt occurred
    • The time the attempt occurred
  • Enable "set password" logging: Administrators can enable logging of successful "Set Password" events to the mail-in database.
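The following is an added example of what a practitioner does with the invalid-username and strikeout records listed above; it is not PortalGuard's code, and the record layout, field names and thresholds are assumptions. It does two things. First, it redacts the "password given" field before a record is kept: a user who mistypes a username has usually typed a valid password beside it, so a report that stores that field is itself a credential store, and keeping only the length still tells the analyst whether the attempt was a blank password or a typo. Second, it groups failed login attempts by source address and flags addresses that exceed a threshold inside a time window, distinguishing repeated attempts against one account from a spray across many.

```javascript
// Added example: redacting and analysing failed-login records of the kind the
// list above describes. Constructed data and assumed field names; not
// PortalGuard's on-disk or mail-in format. Runs in Node.js.

// Constructed sample records. "fn" is the attempted PG function, as the list
// above calls it; times are ISO 8601 in UTC.
const RECORDS = [
  { ip: "198.51.100.23", url: "/names.nsf?Login", username: "jdoe", password: "S3cret!", fn: "login", server: "dom1/ACME", time: "2010-03-02T08:00:05Z" },
  { ip: "198.51.100.23", url: "/names.nsf?Login", username: "jdoe", password: "S3cret!", fn: "setpassword", server: "dom1/ACME", time: "2010-03-02T08:01:40Z" },
  { ip: "203.0.113.9", url: "/mail/asmith.nsf", username: "asmith", password: "", fn: "login", server: "dom1/ACME", time: "2010-03-02T08:05:00Z" },
  { ip: "10.0.0.5", url: "/names.nsf?Login", username: "admin", password: "admin", fn: "login", server: "dom1/ACME", time: "2010-03-02T08:10:00Z" },
  { ip: "10.0.0.5", url: "/names.nsf?Login", username: "jdoe", password: "Password1", fn: "login", server: "dom1/ACME", time: "2010-03-02T08:10:07Z" },
  { ip: "10.0.0.5", url: "/names.nsf?Login", username: "asmith", password: "Password1", fn: "login", server: "dom1/ACME", time: "2010-03-02T08:10:15Z" },
  { ip: "10.0.0.5", url: "/names.nsf?Login", username: "bjones", password: "Password1", fn: "login", server: "dom1/ACME", time: "2010-03-02T08:10:22Z" },
  { ip: "10.0.0.5", url: "/names.nsf?Login", username: "root", password: "Password1", fn: "login", server: "dom1/ACME", time: "2010-03-02T08:10:30Z" },
  { ip: "203.0.113.9", url: "/mail/asmith.nsf", username: "asmith", password: "", fn: "login", server: "dom1/ACME", time: "2010-03-02T09:40:00Z" },
  { ip: "203.0.113.9", url: "/mail/asmith.nsf", username: "asmith", password: "", fn: "login", server: "dom1/ACME", time: "2010-03-02T10:15:00Z" },
];

// Drop the submitted password before the record is stored or mailed anywhere;
// keep only its length so blank-password attempts stay distinguishable.
function redact(record) {
  const { password, ...rest } = record;
  return { ...rest, passwordLength: password ? password.length : 0 };
}

// Flag source addresses with at least `threshold` failed login attempts inside
// any `windowMs` span. Many attempts against one account is a brute force;
// attempts spread over several accounts is a password spray.
function findAttackSources(records, threshold = 5, windowMs = 10 * 60 * 1000) {
  const byIp = new Map();
  for (const r of records) {
    if (r.fn !== "login") continue;            // only login failures count here
    if (!byIp.has(r.ip)) byIp.set(r.ip, []);
    byIp.get(r.ip).push(r);
  }

  const findings = [];
  for (const [ip, attempts] of byIp) {
    attempts.sort((a, b) => Date.parse(a.time) - Date.parse(b.time));
    let start = 0;
    for (let end = 0; end < attempts.length; end++) {
      // Slide the window start forward until it is within windowMs of `end`.
      while (Date.parse(attempts[end].time) - Date.parse(attempts[start].time) > windowMs) start++;
      const inWindow = attempts.slice(start, end + 1);
      if (inWindow.length >= threshold) {
        const users = new Set(inWindow.map((a) => a.username));
        findings.push({
          ip,
          attempts: inWindow.length,
          distinctUsers: users.size,
          pattern: users.size > 1 ? "spray" : "brute-force",
          firstSeen: inWindow[0].time,
          lastSeen: inWindow[inWindow.length - 1].time,
        });
        break;                                   // one finding per address
      }
    }
  }
  return findings;
}

// Usage: redact first, then analyse the redacted records.
const SAFE_RECORDS = RECORDS.map(redact);
console.log(findAttackSources(SAFE_RECORDS));
```

Three attempts against one account spread over two hours (the 203.0.113.9 records) stay below the threshold and are not flagged, while five attempts in thirty seconds against five different accounts from 10.0.0.5 are reported as a spray. The analysis uses only fields that survive redaction, so the password field never needs to reach the database at all.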

Help Desk

PortalGuard also includes Help Desk productivity features. For example, its Help Desk Manager Utility allows Help Desk personnel to manage end user passwords without full access to PortalGuard's configuration data. This database includes several actions:

  • Unlock User unlocks end user accounts that have been locked by PG's strikeout function.
  • E-mail Random Password generates random passwords and e-mails them to the end user. It can also be used to send new passwords automatically to multiple end users whose passwords are blank.
  • Reset Password resets the HTTP password to a new value when an end user does not have an HTTP password, has forgotten it, is unable to reset it themselves, or does not have a Notes client.
  • Expire Password forces end users to change their HTTP password the next time they log in to Domino through a web browser. This is useful when password policies change.
  • Reset PG Fields resets end user accounts as if they had never accessed PG.
  • Set Expiration Date provides a one-time override of PG's expiration functionality. This is useful for exempting end users from resetting a password.
  • Unlock Agent unlocks end users automatically every x minutes.

In addition, PG offers the following features designed to assist Help Desk personnel:

  • Enable customized HTML: Administrators can write customized messages to end users to prompt them through the login process, reducing end user confusion and subsequent Help Desk calls.
  • E-mail Random Password functionality: Allows Administrators to generate random passwords that are automatically emailed to new end users. This is both an administrative time saver as well as a security feature because the administrator never sees the password. PG enables customizable expiration options for the new password as well.
  • Support localization: Administrators can configure all UI screens in any language without use/knowledge of Domino Designer. Administrators can easily modify logon screens to ensure that customized messages and prompts are understood by the end user. Localization reduces Help Desk calls by minimizing end user confusion.
  • Enable customized disclaimer messages: Administrators can create a disclaimer message that the end user sees upon logon. This feature can be used to display corporate network usage instructions for sensitive websites and resources (that is, password protected).
  • Easily configurable user interface: All PG screens seen by the end user are configurable without knowledge/use of Domino Designer. Through a user-friendly interface, screens can be modified with logo insertion, font and color selection, and editing of HTML seen by user.

You can now delegate unlocking of strikeouts to Help Desk personnel with less security clearance. This is especially beneficial to companies with employees in different time zones, when employing Help Desk personnel with a high level of security clearance around the clock is costly. The end user does not have to wait for support and the company can maintain security by granting Editor-level access to fewer personnel.

End users

PortalGuard also offers end user productivity features. For instance, the challenge question and answer functionality allows the end user to recover passwords without Help Desk assistance. This feature stems potential security breaches that occur when Administrators e-mail passwords to end users or when they give out passwords to end users over the phone. Challenge questions are customizable.

PortalGuard also allows end users to create their own user accounts without administrator involvement. If more complex workflow around account verification is necessary, self-registrations can be set to require either end user confirmation (to prevent automated account creation bots) or approval by an internal user.

Contact

PistolStar is privately-funded and based in Amherst, NH, yet it maintains a global presence through relationships with international resellers. Since introduced, the company has sold its software to over 400 enterprises in the U.S. and abroad, comprising millions of users. Customers include Campbell Soup, Citigroup, Commonwealth of Australia, Deloitte LLP, Discovery Communications, Duke Energy, DuPont, European Patent Office, Fresenius Medical Care, Henkel, Hertz, Johnson Controls, PricewaterhouseCoopers, Sanofi-Aventis, Siemens, Southern California Edison, U.S. Army and U.S. Navy, among others. While PistolStar continues to expand its presence in the enterprise market, it also provides its products to the small-to-medium business (SMB) market.

For more information about PistolStar's products and services, visit the website www.pistolstar.com, or contact:

PistolStar, Inc.

PO Box 1226

Amherst, NH 03031 US

(603) 547-1200
