Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrator
Web access to a Domino Server can take place either unprotected, using the HTTP protocol (HyperText Transfer Protocol), or protected, using HTTPS, the SSL-protected version of HTTP (SSL stands for Secure Sockets Layer). In general a server can support both variants simultaneously. Even where unprotected access is permitted, SSL protection can still be required where needed, for example when accessing a database whose data has to be protected during transmission, or when protected authentication is necessary. For this purpose it is possible to specify in the properties of a database that an SSL connection is necessary for access (see S 4.125 Instituting restrictions on access to Lotus Notes databases with browser access).
For SSL access to be possible at all, the server's SSL port must be enabled. This requires that in the server document the status of the SSL port is set to "Enabled". However, this setting only releases the SSL port for use. In order for an SSL connection to be established, the server must be prepared for SSL use by having an SSL certificate issued for it (see S 5.86 Use of encryption procedures with browser access to Lotus Notes).
If any Web clients are to access a server exclusively over SSL-protected connections, this can be achieved in two ways:
Which configuration should be used will depend on the intended operational scenarios (see S 2.210 Planning the use of Lotus Notes in an intranet with browser access) and must be decided on a case-by-case basis.
Examples:
Server document / Ports / Internet ports: | ||
HTTP settings | TCP/IP port status: | Enabled |
Name & Password: | No | |
Anonymous: | Yes | |
HTTPS(SSL) settings | SSL port status: | Enabled |
Client certificate: | Enabled | |
Name & Password: | Enabled | |
Anonymous: | Yes |
Server document / Ports / Internet ports: | ||
HTTP settings | TCP/IP port status: | Redirect to SSL or Disabled |
Name & Password: | No | |
Anonymous: | No | |
HTTPS(SSL) settings | SSL port status: | Enabled |
Client certificate: | Enabled* or Disabled* | |
Name & Password: | Enabled* or Disabled* | |
Anonymous: | Yes* or No* |
* | At least one of the authentication mechanisms must be enabled in order that queries can be accepted by the server. If all the mechanisms are enabled and authentication is necessary for the requested Web page, initially a client certificate is requested. If the client is not in possession of a certificate, user name and password are then requested. |
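
The following check is an added example, not part of the original safeguard text or of any Domino tooling. It audits a set of Internet port settings against the second table (read here as the SSL-only configuration, which is an assumption) and applies the footnote's rules on authentication mechanisms; the dictionary layout and function names are hypothetical.

```python
# Added example: field names mirror the labels in the tables above; the dict
# layout is an assumption, not a Domino API or export format.
ENABLED = {"enabled", "yes"}

def _on(value):
    return str(value).strip().lower() in ENABLED

def audit_ssl_only(ports):
    """Return findings for a server meant to accept Web clients over SSL only."""
    http, https = ports["http"], ports["https"]
    findings = []
    status = str(http["tcp_port_status"]).strip().lower()
    if status not in {"redirect to ssl", "disabled"}:
        findings.append("HTTP port status must be 'Redirect to SSL' or 'Disabled'")
    for field in ("name_and_password", "anonymous"):
        if _on(http[field]):
            findings.append(f"HTTP {field} must be 'No'")
    if not _on(https["ssl_port_status"]):
        findings.append("SSL port status must be 'Enabled'")
    mechanisms = ("client_certificate", "name_and_password", "anonymous")
    if not any(_on(https[m]) for m in mechanisms):
        findings.append("no HTTPS authentication mechanism enabled: no queries accepted")
    return findings

def challenge_order(https):
    """Credentials requested, in order, for a page that needs authentication."""
    order = []
    if _on(https["client_certificate"]):
        order.append("client certificate")   # requested first
    if _on(https["name_and_password"]):
        order.append("name and password")    # fallback if no certificate
    return order

# Constructed sample inputs, filled in from the two example tables.
MIXED = {"http": {"tcp_port_status": "Enabled", "name_and_password": "No", "anonymous": "Yes"},
         "https": {"ssl_port_status": "Enabled", "client_certificate": "Enabled",
                   "name_and_password": "Enabled", "anonymous": "Yes"}}
SSL_ONLY = {"http": {"tcp_port_status": "Redirect to SSL", "name_and_password": "No",
                     "anonymous": "No"},
            "https": {"ssl_port_status": "Enabled", "client_certificate": "Disabled",
                      "name_and_password": "Enabled", "anonymous": "No"}}

if __name__ == "__main__":
    for name, cfg in (("first table", MIXED), ("second table", SSL_ONLY)):
        print(name, audit_ssl_only(cfg) or "OK", challenge_order(cfg["https"]))
```
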
© Copyright by Bundesamt für Sicherheit in der Informationstechnik
last update: July 2001