snocross

Security Concerns

Hi everyone,

I have a new boss not familiar with Lotus Notes and he is inquiring into how secure my Domino Web applications are.  I told him Notes has several layers of security from database, view, document, section, field, etc., but he was concerned because I didn't have any SSL connection and that somebody could intercept a person's username and password when they sign on to one of my web apps.  I don't know much about SSL, but is it possible for somebody to intercept an authentication sign-on?  Is there other security I should be looking into besides the Notes built-in security I mentioned?

Thanks,

-Patrick
ASKER CERTIFIED SOLUTION
Sjef Bosman
This solution is only available to members.
snocross

ASKER

Ok so is the login the only real problem area?  I've seen some other posts where users are using SSL for just login (somehow) because of performance issues.  Once authenticated is there still a need for SSL?
Also, can I set up SSL for just ONE single database on my server so I can test it without affecting all of my current applications?

Thanks!
If someone can intercept your logon, he can also capture the whole session if you log on using a secure method and switch to ordinary HTTP. How secure do you want it to be? That's for you to answer :)

The server must be enabled for SSL, not a database. Then the user will be offered the choice to use http:// or https://, the latter being Secure HTTP. There is an option in the Database Properties, under Web Access, that you can set: Require SSL connection, so the server will automatically switch to SSL.
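The point made above, that logging on over SSL and then switching back to ordinary HTTP still exposes the session, can be checked against a recorded request trace. The following is an added example, not part of the original thread and not Domino code; the host, paths, cookie name and credentials are constructed, and it assumes the application uses HTTP Basic authentication or a session cookie.

```python
import base64
from http.cookies import SimpleCookie

# Constructed trace of one browser session; host, paths, cookie name and
# credentials are made up for illustration.
TRACE = [
    {"url": "https://apps.example.com/login",
     "request": {},
     "response": {"Set-Cookie": "SessionID=abc123; Path=/"}},  # no Secure flag
    {"url": "http://apps.example.com/orders/view",
     "request": {"Cookie": "SessionID=abc123"}, "response": {}},
    {"url": "http://apps.example.com/hr/view",
     "request": {"Authorization":
                 "Basic " + base64.b64encode(b"jdoe:secret").decode()},
     "response": {}},
]

def audit(trace):
    """Return (finding, url, detail) for secrets that crossed plain HTTP."""
    findings = []
    issued_over_tls = {}  # cookie name -> True if it carried the Secure flag
    for step in trace:
        url = step["url"]
        tls = url.lower().startswith("https://")
        set_cookie = step["response"].get("Set-Cookie")
        if tls and set_cookie:
            jar = SimpleCookie()
            jar.load(set_cookie)
            for name, morsel in jar.items():
                issued_over_tls[name] = bool(morsel["secure"])
        if tls:
            continue  # request was encrypted in transit
        auth = step["request"].get("Authorization", "")
        if auth.lower().startswith("basic "):
            # Basic auth is base64, not encryption: the user name is readable.
            decoded = base64.b64decode(auth[6:]).decode("utf-8", "replace")
            findings.append(("cleartext-credentials", url, decoded.split(":", 1)[0]))
        sent = SimpleCookie()
        sent.load(step["request"].get("Cookie", ""))
        for name in sent:
            if issued_over_tls.get(name) is False:
                findings.append(("session-cookie-over-http", url, name))
    return findings

if __name__ == "__main__":
    for finding in audit(TRACE):
        print(finding)
```

A session that stays on https:// from logon to logoff produces an empty list.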
Very interesting... well I don't think it is such a concern but my boss I'm sure will want it as secure as possible... I'm just afraid to play with this on our production box.
So you have a test system as well? Read in the Admin Help, in the Index, go to SSL Servers, and look in setting up application, Setting up the Server Certificate Admin application. All the info required is also there.

It's fairly straightforward, and normally all other Domino stuff should continue to work. You can test if SSL is already enabled by trying to use https:// on a valid URL on your system. It will probably time out...

Why "normally"? It's Notes, ain't it? Hope the others here will agree with me.

Sjef :)
Hello Sno,
what version is your Domino where you want this SSL to run?

I believe it's 5.12
...and hello back!
Hi Crak, wow that's a lot to read... I actually have to leave for the day to pick up my truck at the shop so I will read this further tomorrow morning.  I will write you too Zvo...

Thanks
-Snocross
Man, this is going to be hard to grade with so many good comments... I have finally found the IBM redbook which is giving me all the details I think I need... posting it here for others looking in the future:

Lotus Notes and Domino R5.0 Security Infrastructure Revealed
http://publib-b.boulder.ibm.com/Redbooks.nsf/RedbookAbstracts/sg245341.html?OpenDocument
Actually, there is a newer version of the Lotus Security redbook, which pertains to version 6, includes additional products and goes into greater detail on all the security features that can be used to secure Domino applications both for Notes and the Web. I've co-written both, so I should know (try to figure which author I am).

Lotus Security Handbook
http://searchdomino.techtarget.com/originalContent/0,289142,sid4_gci850152,00.html
Thanks for the interesting article.
Chuck, have you been lurking?
Or, is that Fred Dahm, since there isn't anyone else listed on both redbooks?