Solved

Cross Certificates When Using App for First Time -- Way to Turn them off?

Posted on 2008-10-15
5
320 Views
Last Modified: 2013-12-18
I developed a small application for my husband's company.  Every time a new user goes to do an execute command (submitting, etc.), it gives them a cross certificate in which they have to grant permission, etc.  I believe 4 things in the application will make these pop up.

Is there something I can do to shut off the cross certificates OR something their IT department can do to create a global trust certificate so the users don't have to see these?  The users are not very tech-savy, see these and think they are viruses.  Seriously....
0
Comment
Question by:onederwomyn
  • 3
  • 2
5 Comments
 
LVL 46

Accepted Solution

by:
Sjef Bosman earned 250 total points
ID: 22725773
Yep: have someone ate the company sign the design of the application. It's in the Admin client, under Files. Select the database, then right-click the database and select Sign. The Admin is the ideal user to sign a design. He should know what he's doing of course, because signing an agent with your "virus" in it will be executed in his name...

PS He/His=She/Her of course
0
 

Author Comment

by:onederwomyn
ID: 22730584
Thanks!  Two follow up questions, though.  Will the admin have to go in and sign it every time they replace design?  They are asking for some changes and we have been moving them once a week or so.  Also, will this signature just replace my companies?  Or, does it have to be unsigned before doing this?
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 22730882
How to do this:
- make a copy of your template (not a replica)
- sign all design elements in the new copy using the admin's or server's idea
- test
- test
- test again ;-)
- replace or refresh the operational database

Re your f-u-questions:
- yes, they'd have to re-sign every time you deliver an updated template
- yes, all signatures will be replaced, don't worry

If they don't want to re-sign every time, they could also give you a developer .id file. Prolly too expensive for them... and signing is definitely clearer: it's the transfer or responsibility.
0
 

Author Comment

by:onederwomyn
ID: 22731012
Sorry to be a pain.  I for the most part, get it.  But, can you clarify, this:

- sign all design elements in the new copy using the admin's or server's idea
I have no idea how to sign all the design elements -- I thought it automatically did it in developer.  And what do you mean their idea?  If something is unsigned, how do you sign it or change signature?

Also, last night I had my husband replace design (he has that authority, but is not an ADM) and when he went to open the database, an error popped up and he got all the certificates again.  EVEN THOUGH, he already had a certificate for my companies name.  The only thing I did between the last version and this version is have to reload Domino Designer/Lotus Notes on my PC.  I am pretty sure I set it up the same, why would my certificate be different?  Usually when he replaces design, he doesn't get certificates because he has already marked them as trusted??
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 22744915
I suppose it's a lot clearer now, since you closed this question. Certificates are a difficult subject. Every design element always has a signature, usually of the last person who saved the element. A scheduled agent runs as if started by the person with the signature in that agent. Usually, that is not the best way to do things, because that means that that person would need more rights on the server than necessary. In many cases, those agents need to do a lot of administration in the database, and require the rights to do that. That's why a template is usually signed by one of the organisation's admins (or servers), since they have administrative rights on all databases.

So a person usually has ONE certificate (or very few), but can have MANY cross-certificates. A cross-certificate is a copy of a certificate of someone else, who has in turn a copy of your certificate, mutually trusting one another. The messages he gets are probably the consequence of the new template that wasn't signed by a person who was already trusted by your husband.

There's a great book on the security of Notes that describes this much better than I ever could. It's in the redbooks on Domino, on the IBM site somewhere.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Suggested Solutions

IBM Notes offer Encryption feature using which the user can secure its NSF emails or entire database easily. In this section we will discuss about the process to Encrypt Incoming and Outgoing Mails in depth.
Article by: Rob
Notes 8.5 Archiving Steps and Tips This article covers setting up a Notes archive, and helps understand some of the menu choices making setting up and maintaining a Notes archive file easier.
This video discusses moving either the default database or any database to a new volume.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now