Security Concerns

Hi everyone,

I have a new boss not familiar with Lotus Notes and he is inquiring into how secure my Domino Web applications are.  I told him Notes has several layers of security from database, view, document, section, field, etc but he was concerned because I didn't have any SSL connection and that somebody could intercept a persons Username and Password when they signon to one of my web apps.  I don't know much about SSL but is it possible for somebody to intercept an authentication signon??  Is there other security I should be looking into besides Notes built in security I mentioned??  


Who is Participating?
Sjef BosmanConnect With a Mentor Groupware ConsultantCommented:
Yes it is possible to intercept the logon. Notes has SSL capabilities, it doesn't take that much to set it up. Please check your Admin Help on SSL and Internet keys. You don't have to set up the whole rigmarole for SSL to work.
snocrossAuthor Commented:
Ok so is the login the only real problem area?  I've seen some other posts where users are using SSL for just login (somehow) because of performance issues.  Once authenticated is there still a need for SSL?
snocrossAuthor Commented:
Also, can I set up SSL for just ONE single database on my server so I can test it without affecting all of my current applications?

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Sjef BosmanGroupware ConsultantCommented:
If someone can intercept your logon, he can also capture the whole session if you logon using a secure method and switch to ordinary HTTP. How secure do you want it to be? That's for you to answer :)

The server must be enabled for SSL, not a database. Then the user will be offered the choice to use http:// or https://, the latter being Secure HTTP. There is an option in the Database Properties, under Web Access, that you can set: Require SSL connection, so the server will automatically switch to SSL.
snocrossAuthor Commented:
Very interesting... well I don't think it is such a concern but my boss I'm sure will want it as secure as possible... I'm just afraid to play with this on our production box.
Sjef BosmanGroupware ConsultantCommented:
So you have a test system as well? Read in the Admin Help, in the Index, goto SSL Servers, and look in setting up application, Setting up the Server Certificate Admin application. All the info required is also there.

It's fairly straightforward, and normally all other Domino-stuff should continue to work. You can test if SSL is already enabled by trying to use https:// on a valid URL on your system. It will probably timeout...

Why "normally"? It's Notes, ain't it? Hope the others here will agree with me.

Sjef :)
qwaleteeConnect With a Mentor Commented:
The only big dea with SSL is teh source of your certificate.  Do you want to pay for a commercial one?  Do you want to self-generate... but then your users haveto accept the certificate, which can be ugly?

The only other things you will run into:

1) If you disable HTTP altogether, then any links from the outside will still point to HTTP, and they will fail -- and you may even have internal links

1) If you allow both HTTP and HTTPS, those links will work,but you have a potential hole where the HTTP traffic can still be accepted
ZvonkoSystems architectCommented:
Hello Sno,
what version is your Domino where you want this SSL to run?

snocrossAuthor Commented:
I believe it's 5.12
snocrossAuthor Commented:
...and hello back!
ZvonkoConnect With a Mentor Systems architectCommented:

I have a wonderful application for SSL certificate requests workflow, but it is running with R6 :(

I lost all email addresses. Send me an email to

CRAKConnect With a Mentor Commented:
Hey bro!
Have you been out for a while?

I used to do projects at a bank (R4.5 / 4.6 era). Because of this issue we weren't allowed to distribute "critical" data over the intranet, using Notes/Domino. I don't know if SSL was ever considered and why it wasn't applied.

For the company that I actually work for, we've applied RSA's Secure ID to protect our data:
(haven't seen any R6 related doc's easy to reach yet!)

There's an article about our protected applications too:
The company's name "Time/Share" was later changed into "E'liantie".

Each user requires token. We used keyrings, but credit card like devices or software tokens are available too.
When the user logs on to the domino server, he/she will first get a customised login screen. This will ask for (if I remember correct) a user id and a number.
This number is generated every certain amount of time (20sec?) by an algorithm in the token, looking quite random. The username is linked to his/het tokens serial no. The server is fed with these id's and their logic, so the server is capable to generate just that number.
When the client and the server come up with a different no. their times may be off sync. The user is then required to enter the next displayed number. That's enough to get them synced again.
If the two have a matching username & token number, the user moves on to the next level: notes username (must be identical as the previous username; case sensitive too!) and domino http password.
Part of this procedure is -I believe- transmitted over SSL.

Tokens operate for about 2 years. I have never been involved with purchase (fortunately), but back then they were (again: I believe) about $80.

IFAIK we currently no longer use the tokens. A number of tokens arrived or were returned by our customers broken. They didn't look damaged, but sometimes the LCD display didn't show all digits correctly. Our customers could no longer login to our nerwork and as a result had trouble continuing their businesses. Perhaps the software tokens are more stable....
Mine died after about 3 years: flat battery. Can't replace those!

Your domino server is (was?) supposed to run on NT or 2000. Additional software installed (applets?) providing you with an administration tool for the tokens and the server side validation of token numbers.

Hope that wasn't too confusing. As long as the tokens are ok, the system works pretty good. I'm not a hacker, never tried to bypass the security (other than using my notes id with manager access to databases) and I must admit: if the price is no objection, then it'll get your system secure as... ehhhh.... Fort Knox???
snocrossAuthor Commented:
Hi Crak, wow that's a lot to read... I actually have to leave for the day to pick up my truck at the shop so I will read this further tomorrow morning.  I will write you too Zvo...

Bozzie4Connect With a Mentor Commented:
Create a self-certified certificate for use on your servers, and SSL is set up.  It's as simple as that.

If you use session based authentication, then it's correct that you don't send any clear-text passwords over the line, so you could only authenticate over SSL , and then work further over HTTP .  I don't recommend doing that, however.

If you want to 'see' what's transmitted over the line (and what a hacker would potentially use to break in), use ethereal or some other sniffer to check the network.  Also, do the same after you set up SSL.

A solution we sometimes use, is a SSL - Reverse proxy.  That way , the Domino servers only serve HTTP , and the Reverse Proxy puts this into an ssl tunnel .  This is possible using Apache, but there are also hardware solutions (Netscreen has one) and Websphere Edge Server (or something ) can do this too.

SSL won't protect you against brute password attacks, nor against user with bad passwords (too short, too simple), it only protects the 'transport' between the webserver and the client.  If your boss is really into security, you'll also want to build in checks against brute force attacks, policies against bad passwords, or even (as Crak mentioned) use a security token.  A good Linux system engineer can set up Apache running an SSL capable reverse proxy for your webservers in a day , hardened against some common attacks ...


madheeswarConnect With a Mentor Commented:
here is the link on how to achieve SSL:

Hope it helps.

snocrossAuthor Commented:
Man this is going to be hard to grade with so many good comments... I have finally found the IBM redbook which is giving me all the details I think I need... posting it here for others looking in the future;

Lotus Notes and Domino R5.0 Security Infrastructure Revealed
Actually, there is a newer version of the Lotus Security redbook, which pertains to version 6, includes additional products and goes into greater details on all the security features that can be used to secured Domino applications both for Notes and the Web. I've co-written both, so I should know (try to figure which author I am).

Lotus Security Handbook,289142,sid4_gci850152,00.html
snocrossAuthor Commented:
Thanks for the interesting article.
Chuck, have you been lurking?
Or, is that Fred Dahm, since there isn't anyone else listed on both redbooks?
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.