IT Baseline Protection Manual S 4.123 Configuration of SSL-protected browser access to Lotus Notes

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrator

Web access to a Domino server can take place either unprotected over the HTTP protocol (HyperText Transfer Protocol) or protected over its SSL-secured variant, the HTTPS protocol (SSL stands for Secure Sockets Layer). In general a server can support both variants simultaneously. Even where unprotected access is permitted, SSL protection can still be demanded where it is needed, for example when a database whose data must be protected during transmission is accessed or when protected authentication is required. For this purpose the properties of a database can specify that an SSL connection is required for access (see S 4.125 Instituting restrictions on access to Lotus Notes databases with browser access).

For SSL access to be possible at all, the server's SSL port must be enabled. This requires that in the server document the status of the SSL port is set to "Enabled". However, this setting only opens the SSL port for use. In order for an SSL connection actually to be established, the server must also be prepared for SSL use by having an SSL certificate issued for it (see S 5.86 Use of encryption procedures with browser access to Lotus Notes).

If any Web clients are to access a server exclusively over SSL-protected connections, this can be achieved in two ways:

  1. The unprotected HTTP port is disabled by setting the status of the HTTP-TCP/IP port to "Disabled" in the server document. This setting causes client requests to the unprotected port to be rejected, so that no more unencrypted connections can be established.
  2. The unprotected HTTP port is redirected to the protected SSL port. This requires that in the server document the status of the HTTP-TCP/IP port is set to "Redirect to SSL". This setting has the advantage that client requests over unprotected connections are no longer rejected but are answered over a protected connection, assuming that the client supports SSL.

Which configuration should be used will depend on the intended operational scenarios (see S 2.210 Planning the use of Lotus Notes in an intranet with browser access) and must be decided on a case-by-case basis.

Examples:

  1. The table below shows the settings in the server document which permit unprotected anonymous access as well as protected authenticated and anonymous access.

Server document / Ports / Internet ports:
HTTP settings TCP/IP port status: Enabled
  Name & Password: No
  Anonymous: Yes
HTTPS(SSL) settings SSL port status: Enabled
  Client certificate: Enabled
  Name & Password: Enabled
  Anonymous: Yes

  2. The next table shows the settings in the server document which enforce SSL protection for Web access, either by redirecting all requests to the unprotected port to the SSL-protected port ("Redirect to SSL") or by not answering requests on the unprotected port ("Disabled").

Server document / Ports / Internet ports:
HTTP settings TCP/IP port status: Redirect to SSL or Disabled
  Name & Password: No
  Anonymous: No
HTTPS(SSL) settings SSL port status: Enabled
  Client certificate: Enabled* or Disabled*
  Name & Password: Enabled* or Disabled*
  Anonymous: Yes* or No*

* At least one of the authentication mechanisms must be enabled so that the server can accept requests at all. If all the mechanisms are enabled and authentication is necessary for the requested Web page, a client certificate is requested first. If the client does not possess a certificate, user name and password are then requested.
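The following script is an added example and is not code from the BSI manual or from Lotus/IBM. It encodes the two tables above and the footnote rule as a small consistency check over the Internet-port fields of a server document, and adds a classifier that maps what a probe of the unprotected HTTP port observes (a refused connection, a plain answer, or a redirect to an https:// URL) back onto the "Disabled", "Enabled" and "Redirect to SSL" port states described under the two enforcement variants. The nested dict layout, the function names, the constructed responses and the assumption that "Redirect to SSL" is seen by a client as an HTTP 3xx response with an https:// Location header are all this example's own.

```python
from typing import Dict, List, Optional

Settings = Dict[str, Dict[str, str]]

# Constructed settings mirroring the two tables in S 4.123. The nested dict
# layout and the field names used as keys are this example's own convention.
EXAMPLE_1: Settings = {  # unprotected anonymous access plus protected access
    "HTTP": {"TCP/IP port status": "Enabled", "Name & Password": "No", "Anonymous": "Yes"},
    "HTTPS": {"SSL port status": "Enabled", "Client certificate": "Enabled",
              "Name & Password": "Enabled", "Anonymous": "Yes"},
}
EXAMPLE_2: Settings = {  # SSL enforced by redirecting the HTTP port
    "HTTP": {"TCP/IP port status": "Redirect to SSL", "Name & Password": "No", "Anonymous": "No"},
    "HTTPS": {"SSL port status": "Enabled", "Client certificate": "Disabled",
              "Name & Password": "Enabled", "Anonymous": "No"},
}


def ssl_only(settings: Settings) -> bool:
    """True when no unencrypted Web access is possible, i.e. the HTTP port is
    either Disabled or redirected to SSL (the two variants described in the text)."""
    return settings["HTTP"]["TCP/IP port status"] in ("Disabled", "Redirect to SSL")


def check_internet_ports(settings: Settings) -> List[str]:
    """Return a list of findings; an empty list means the settings are consistent."""
    findings: List[str] = []
    http, https = settings["HTTP"], settings["HTTPS"]

    # Without an enabled SSL port no HTTPS connection can be established at all.
    if https["SSL port status"] != "Enabled":
        findings.append("SSL port not enabled: no HTTPS connection can be established")
        if http["TCP/IP port status"] == "Redirect to SSL":
            findings.append("HTTP port redirects to SSL but the SSL port is not enabled: "
                            "Web access would be unreachable")

    # Footnote rule: at least one authentication mechanism must be enabled on
    # the SSL port, otherwise the server cannot accept any request.
    auth_available = (https["Client certificate"] == "Enabled"
                      or https["Name & Password"] == "Enabled"
                      or https["Anonymous"] == "Yes")
    if not auth_available:
        findings.append("no authentication mechanism enabled on the SSL port: "
                        "no request can be accepted")

    # Additional check of this example (not a rule stated on the page): name and
    # password authentication on the unprotected port would send credentials in clear.
    if http["TCP/IP port status"] == "Enabled" and http["Name & Password"] == "Yes":
        findings.append("Name & Password authentication offered over unprotected HTTP: "
                        "credentials would be transmitted unencrypted")
    return findings


# Constructed responses standing in for what a probe of the HTTP port might see.
# Assumption of this example: "Redirect to SSL" is observed as an HTTP 3xx
# response whose Location header points to an https:// URL, and a Disabled
# port is observed as a refused connection (represented here as None).
OK_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Lotus-Domino\r\n"
               b"Content-Type: text/html\r\n\r\n<html>welcome</html>")
REDIRECT_RESPONSE = (b"HTTP/1.1 302 Found\r\nServer: Lotus-Domino\r\n"
                     b"Location: https://notes.example.test/example.nsf\r\n\r\n")


def classify_http_probe(raw_response: Optional[bytes]) -> str:
    """Map an observed HTTP-port response onto the server-document port status."""
    if raw_response is None:
        return "Disabled"
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    if 300 <= status < 400 and headers.get("location", "").lower().startswith("https://"):
        return "Redirect to SSL"
    return "Enabled"


def matches_server_document(settings: Settings, raw_response: Optional[bytes]) -> bool:
    """Compare what a probe observed with what the server document is meant to enforce."""
    return classify_http_probe(raw_response) == settings["HTTP"]["TCP/IP port status"]


if __name__ == "__main__":
    for name, cfg in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        print(name, "SSL only:", ssl_only(cfg), "findings:", check_internet_ports(cfg) or "none")
    print("probe of redirecting port:", classify_http_probe(REDIRECT_RESPONSE))
```

In practice the constructed responses would be replaced by the bytes read from a real connection to the server's HTTP port, and `matches_server_document` then tells an administrator whether the deployed behaviour agrees with the server document, which is the check worth repeating after every change to the Internet-port settings.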

© Copyright by Bundesamt für Sicherheit in der Informationstechnik, last update: July 2001