Security Basics mailing list archives

Re: Lotus Cross-Certification


From: Philip Storry <phil () philipstorry net>
Date: Wed, 30 Apr 2003 03:52:55 +0100

Hello ullmic,

Monday, April 28, 2003, 6:26:41 PM, you wrote:

u> Hi everybody,

u> we are using Lotus Notes as mail tool and we have a lot of contact
u> to a large external company that also uses Lotus Notes. My idea to
u> secure the e-mail communication between our two companies to a
u> reasonable level (without rolling out PGP or S/MIME-certificates)
u> is to propose a cross-certification of Lotus Notes certificates
u> between our companies so that we can at least use Notes encryption.
u> We already have a good level of trust with confidentiality
u> agreements a.s.o. So in my eye it is only a technical
u> implementation of a given trust relationship. Has anybody on this
u> list experience with such a Notes-to-Notes cross-certification? Any
u> hints what to look out for, how to avoid typical mistakes?


(You haven't mentioned a Domino version - I'm assuming it's R5, but
most of my advice is version-independent anyway.)

What you want to do will be fine. The only things to look out for are:


1. Ensure that you do not cross-certify at the wrong level.

It's very easy to cross-certify at the top level - /Org. And this may
indeed be what you need. But if you both have organisational units,
you may find that there's one - based on region, company division or
whatever - that suits your needs better.
For instance, if the purpose of the cross-certification is to allow
your marketing people to talk to theirs, and you both have
organisational units, you may only need to cross-certify:
  /Marketing/YourOrg with /Marketing/TheirOrg
  and
  /Servers/YourOrg with /Servers/TheirOrg
(If you have separate server organisational units as well, that is.
Watch out for that kind of problem. Remember that servers need to be
in ACLs too for native Domino to Domino communication.)

If you both have a rather flat organisation (everyone under /OrgName -
i.e. "Joe Bloggs/OrgName") then you can ignore this, and if the whole
company needs the link then you can also ignore this.

But as it's good practice to never give more access than is needed, I
thought this should be number one on your considerations. Maybe you
should have a chat with the admins at the other company?


2. Only ever give them safe-copies to cross certify with.

Yeah, I know it sounds stupid. After all, this is what safe copies are
for.

But time after time, the number one goof I got when handling
cross-certifications with customers was being sent the actual ID file
instead of safe copies. Take a moment to know that you're sending the
right file, or you may look like a bit of a fool. :-)


3. Remember that cross-certification does not equal access.

Cross-certification is equal to granting authentication of an identity
or group of identities. It does not automatically grant access to your
systems. (Although, naturally, its absence will deny access as they
cannot authenticate anyway.)

Therefore, I recommend you check all your ACLs. They should have no
access to anything but mail.box if they are just transferring mail. If
they need to replicate a database, ensure that they only have access
to the databases they need. You can accomplish this with the supplied
group "OtherDomainServers" group - this group is usually listed with
No Access on ACLs for Lotus-supplied templates anyway.

However, I find this an unwieldy solution, as it tends to blanket deny
access. Instead, add their servers to a new group and then add that
group to all databases with No Access. Where the servers need access
to a database (like mail.box or application databases they must
replicate), simply move that group's access to an appropriate level
such as Reader or Editor. The advantage of this over the
OtherDomainServers group is that you can use the OtherDomainServers
group to deny access to other servers that they may have, to prevent
any unauthorised access. It also means you don't need to change
OtherDomainServers from No Access on all your databases - which could
be handy if you find yourself in a similar situation with another
company in future.

Also, if you have more than one server, ensure that they only have
access to your bridgehead server and any other servers they may
require. Pay particular attention to making sure your Passthru access
is secured. (Check the Domino Administrator help for details on
that.)


4. Given that you wish to exchange email, you should also consider
exchanging Domino Directory information.

If at all possible, try to replicate as little of your Domino
Directory as you can. Use replication formulas to restrict them to
replicating only documents from the People and Groups views.

This is because the Domino Directory contains information on how your
servers are configured. It also (potentially) contains information on
your network addressing (via DNS addresses/NetBIOS names/IP addresses)
and how your WANs/LANs may be set up could be inferred from this. You
trust these people now, but how about in three years' time?
Only the paranoid survive. :-)

The replica will still work for email addressing without problems,
even with replication formulas in place. It just won't contain any
server or domain documents - which is fine, as they need to add such
documents to their own Domino Directory to get the routing working -
not to see yours. The same applies to you, naturally. *grins*

(By the way, you don't have to type in a formula - you can just
select the views you want to replicate to and from the server. I hate
to be repetitive, but the Domino Administrator help can tell you all
about selective replication... *grins*)

You should use Domino Directory Assistance to make the replicated
Domino Directory databases available to your end users for email
addressing. This is, again, documented in the Domino Administrator
Help.


5. Ensure you are certain of the encryption you require.

You say you want encryption. And that's a fine thing. But Notes/Domino
port encryption (enabled on either server making the connection) only
requires a cross-certification and will encrypt all traffic. It's not
quite as modern an algorithm as you might find in a VPN, but it'll
certainly stop any casual sniffing of traffic.

However, I suspect that you were hoping for the encryption of emails.

That's going to REQUIRE Domino Directory Assistance and the
replication of the Domino Directory to each server. (Well, you may not
have to replicate - they could access each other's Domino Directories
on-demand, but replication would probably be more convenient and take
less bandwidth.)

And remember that the encryption will require the Notes Certificate
field to be populated for each recipient in their Person document.
That's something beyond your control, as it's not actually your Domino
Directory to edit. So make sure you have good communication with the
other company's administrators, so that empty certificate fields can
be quickly solved. I'm sure they'll be happy to provide quick fixes if
you return the courtesy. So maybe you should make sure that all users
have a Notes Certificate in the right field before you let them take a
replica, eh? *grins*


6. On anything you are unsure of...

Read the Domino Administrator help database! Consider indexing it, and
use it as your Domino admin bible. It's a very good resource. I'm not
trying to fob you off here - if you want something it says clarified,
by all means feel free to ask me. It's not an infallible resource, and
it certainly won't have advised you on the sorts of things I just
have.

But it will give you the procedural advice for "How do I do that". I'm
more than happy to answer any "Why do I do that" type of questions you
may have, but I do so hate retyping the help database for "How do I do
that" queries... *grins*



I think that's all. But I'm rather tired (It's 03:50 as I type this
where I am) and I suppose I could have missed something...

-- 
Best regards,
 Philip                            mailto:phil () philipstorry net
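The group-based ACL policy from point 3 above, as an added example that is not from Philip's post: a small Python audit over a constructed ACL export, assuming a hypothetical group name ("ExternalCoServers") for the partner's servers and an allowlist of the databases they may reach.

```python
# Added example, not from the original post. Audits exported Domino ACL
# entries against the policy in point 3: the partner's servers sit in one
# group, which is No Access everywhere except the few databases it needs.
# The group name, database names and ACL entries below are constructed.

# Domino access levels, least to most privileged.
LEVELS = ["No Access", "Depositor", "Reader", "Author",
          "Editor", "Designer", "Manager"]

PARTNER_GROUP = "ExternalCoServers"  # hypothetical group holding their servers

# Maximum level the partner group may hold per database; any database not
# listed here must leave the group at No Access.
ALLOWED = {
    "mail.box": "Editor",          # mail transfer only
    "apps/orders.nsf": "Reader",   # one application database they replicate
}

# Constructed ACL export: database -> {entry name -> access level}.
SAMPLE_ACLS = {
    "mail.box": {"-Default-": "Depositor", PARTNER_GROUP: "Depositor"},
    "apps/orders.nsf": {PARTNER_GROUP: "Editor", "OtherDomainServers": "No Access"},
    "names.nsf": {"-Default-": "Reader", PARTNER_GROUP: "Reader"},
    "apps/hr.nsf": {"OtherDomainServers": "No Access"},
}

def rank(level):
    """Position of an access level in the Domino ordering (higher = more access)."""
    return LEVELS.index(level)

def audit(acls, group=PARTNER_GROUP, allowed=ALLOWED):
    """Return (database, finding) pairs for every deviation from the policy."""
    findings = []
    for db, entries in acls.items():
        ceiling = allowed.get(db, "No Access")
        actual = entries.get(group)
        if actual is None:
            # No explicit entry: the group falls through to -Default-, which
            # may grant more than the policy intends.
            default = entries.get("-Default-", "No Access")
            if rank(default) > rank(ceiling):
                findings.append((db, f"no explicit entry for {group}; -Default- is {default}"))
        elif rank(actual) > rank(ceiling):
            findings.append((db, f"{group} has {actual}, policy allows at most {ceiling}"))
    return findings

if __name__ == "__main__":
    for db, problem in audit(SAMPLE_ACLS):
        print(f"{db}: {problem}")
```

Replace SAMPLE_ACLS with a real export of your databases' ACLs and extend ALLOWED with the application databases their servers genuinely replicate.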

