Domino 7 Application Development

Overview of this book

Written by Lotus insiders, the book provides a practical guide to developing applications making use of the important features and enhancements introduced in Notes/Domino 7. These experienced experts use their own experiences to map out the benefits you could gain, and the dangers you may face, as you develop Domino applications in your business. Written by specific experts, edited and overseen by Lotus content generator Dick McCarrick, this book is the definitive guide to developing Domino 7 applications.

Technology

Domino is an application server that can be used as a standalone web server or as the server component of IBM's Lotus Domino product, which provides a powerful collaborative platform for development of customized business applications. It also provides enterprise-grade email, messaging, and scheduling capabilities.

PistolStar Password Power 8 Plug-Ins

PistolStar Inc. is a password management software solutions provider specializing in IBM software platforms, with a core focus on the Lotus software suite. Many of PistolStar's senior-level developers are from Iris and Lotus, bringing in-depth knowledge and first hand experience to Password Power 8 plug-ins.

PistolStar's Password Power 8 plug-ins expand the authentication and password management capabilities of Lotus Domino 7. The Domino plug-in offers HTTP SSO to Domino and seamless redirection of HTTP authentication to LDAP-compliant directories (for example, Microsoft Active Directory, Novell eDirectory), while the Web Set Password plug-in (WSP) offers fine-grained control over the management of the Domino Internet password where it remains vital to the current authentication processes. This section outlines the functionality available with each of PistolStar's Password Power 8 plug-ins as they pertain to Lotus Domino 7.

To achieve PistolStar's definition of Single Sign-On (SSO), we start at the desktop with the Windows session. We leverage Microsoft Active Directory and Novell eDirectory — both significant technologies in Windows-centric computer environments — by enabling use of either of their passwords at the initial computer login to access all Domino server applications in multiple domains and the Notes client. With this capability, the number of times an end-user must supply logon information during a Windows session is reduced to a single instance.

Password Power 8 Domino Plug-In

The Domino plug-in provides end-users with SSO access to all applications on Domino servers in multiple DNS domains (for example, sametime.pistolstar.com and sametime.pistolstar.us), creating convenience and saving login time. To enable SSO to Domino HTTP servers, a web browser toolbar creates client-side cookies with encrypted credentials for each of the Domino servers listed in the Password Power configuration file. Accessing a Domino server through a web browser automatically sends the corresponding cookie with the request. These same cookies can also be used to grant SSO to:

  • IBM Lotus QuickPlace

  • IBM Lotus Sametime

  • IBM WebSphere

  • IBM WebSphere Portal

  • SAP Netweaver

These in-memory session cookies have a configurable expiration interval that defaults to 12 hours. When the end-user closes the browser, logs out, or shuts down Windows, the cookies are automatically destroyed.

The Domino plug-in also allows the end-user to log in to Domino HTTP with their network login or LDAP-compliant directory credentials. This functionality solves many of the username mapping issues associated with Directory Assistance without requiring changes to the LDAP server accounts, Domino Directory, Domino groups, or ACLs. Redirecting web-authentication requests from the Domino Directory to a different LDAP directory also eliminates the need to maintain or synchronize the Domino Internet password, as its presence and upkeep are no longer required. This functionality extends to affect all Domino HTTP authentication including QuickPlace and Sametime.

Password Power 8 Web Set Password Plug-In

This plug-in synchronizes multiple passwords via a web browser, allowing end-users to synchronize their Windows, HTTP, and LDAP passwords and the Notes ID file. This increases security because having only one password to commit to memory decreases the likelihood that end-users will write it down and become a target for internal intruders.

Security

The Password Power 8 Web Set Password plug-in (WSP) offers the following security features:

  • Force an SSL connection for logins: WSP can ensure that end-users' credentials are submitted via SSL. If an end-user tries to log in through HTTP instead of HTTPS, WSP forces login with HTTPS by redirecting the end-user to a HTTPS connection.

  • Dictionary lookup functionality: This allows administrators to enable a dictionary lookup to prevent users from setting pre-specified (unacceptable or easily guessed) passwords such as the company name. The lookup can be added in three ways: Notes database, JavaScript, or both Notes database and a list accessed through JavaScript.

  • Password quality: With WSP, administrators can configure 12 fully customizable password "strength" rules:

    • Minimum length

    • Password cannot contain the username

    • Password cannot be on a customized list of words

    • Password cannot be similar to current password

    • Password must contain a configurable number of numeric characters

    • Password must contain a "special" character (from a customizable list)

    • Password must contain a configurable number of lower characters

    • Password must contain a configurable number of upper characters

    • Password cannot be a previously used password

    • Password cannot be any variant of the end-user's username

    • Password cannot be a dictionary word (used for lists of 10,000+ words)

    • Minimum "quality" as defined by @PasswordQuality formula

  • Password quality checks on both client and server sides: With WSP, client-side checking is done through JavaScript and does not contact the server, which reduces server load and network traffic. Server-side checking can instead use @PasswordQuality (which requires a trip to the server) to determine whether a new password is acceptable. This allows administrators to set a minimum password quality (0-16) that any new password must at least equal.

  • Maintain HTTP password history: Configurable history limits allow administrators to set how many times an end-user must choose a new password before they can reuse an old one, preventing the end-user from using the same password over and over again.

  • Disqualify username as password: Administrators can prevent new passwords from containing variations of the end-user's username, a typical password choice that is easily guessed by network intruders.

  • Configurable "Expire on First Login": This ensures that end-users will not continue to use the password issued by the administrator when the end-user account was first set up.

  • Configurable password expiration intervals: This allows administrators to set intervals between end-users' password resets (for example, every 15 or 30 days).

  • Password expiration grace period: WSP lets administrators select a grace period or a time frame in which end-users must change their passwords.

  • Strikeout limit functionality: WSP allows administrators to set how many login attempts can be made before the end-user strikes out, preventing dictionary attacks and identifying accounts that have been denied server access.

  • Disable Internet Explorer auto-complete: Administrators can prevent Internet Explorer's auto-complete feature from offering a list of previously used entries. When enabled, this applies to all WSP fields, and only affects IE 5.0 and higher. This feature prevents internal intruders from easily accessing the password from the drop-down menu of previously used passwords.

  • Prevent similar password use: WSP's "Prevent Similar Passwords" JavaScript Rule checking disallows use of similar passwords during password resets.

  • Confirmation requirement for self-registration: With WSP, an email is sent to the end-user with a link to a confirmation page for self-registration. On this page, end-users are prompted for their email address, which affects creation of the Person document in the Domino Directory.
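A checker that enforces the rule set listed above, written as an added example and not PistolStar's or the book's own code. The policy values, word lists, and the leetspeak and similarity heuristics are assumptions, and Domino's @PasswordQuality score is not reproduced.

```python
import hashlib
import re
from difflib import SequenceMatcher

# Constructed leetspeak map used to catch "variants" of the username.
LEET = str.maketrans("430157$@", "aeoistsa")

# Constructed policy values standing in for the WSP configuration.
POLICY = {
    "min_length": 8, "min_digits": 1, "min_lower": 1, "min_upper": 1,
    "special": "!@#$%^&*()-_=+", "similarity": 0.8,
    "bad_words": {"pistolstar", "domino", "password"},   # customized word list
    "dictionary": {"welcome", "summer", "letmein"},      # dictionary lookup
}

def pw_hash(password):
    """History entry; a real deployment would use a slow, salted hash."""
    return hashlib.sha256(password.encode()).hexdigest()

def username_variants(user):
    """Forms of the username that the rules still treat as the username."""
    u = user.lower()
    return {u, u[::-1], u.translate(LEET), re.sub(r"\d+$", "", u)}

def check_password(new, user, current, history, policy=POLICY):
    """Return the list of violated rules; an empty list means acceptable."""
    p, low, broken = policy, new.lower(), []
    normalized = low.translate(LEET)        # undo simple leet substitutions
    core = re.sub(r"[^a-z]", "", low)       # letters only, for dictionary lookup
    if len(new) < p["min_length"]:
        broken.append("min_length")
    if sum(c.isdigit() for c in new) < p["min_digits"]:
        broken.append("digits")
    if sum(c.islower() for c in new) < p["min_lower"]:
        broken.append("lower")
    if sum(c.isupper() for c in new) < p["min_upper"]:
        broken.append("upper")
    if not any(c in p["special"] for c in new):
        broken.append("special")
    if any(v and (v in low or v in normalized) for v in username_variants(user)):
        broken.append("username")
    if any(w in low for w in p["bad_words"]):
        broken.append("bad_word")
    if core in p["dictionary"]:
        broken.append("dictionary")
    if SequenceMatcher(None, low, current.lower()).ratio() >= p["similarity"]:
        broken.append("similar")
    if pw_hash(new) in history:             # "previously used password" rule
        broken.append("reused")
    return broken
```

The client-side and server-side checks described above would share this rule set; the history is compared by hash so that old passwords are never stored in the clear.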

Auditing Features

WSP also includes auditing features. These include:

  • Store last login date and time: Administrators can track the date and time an end-user last logged in; this data is stored as a new field in the Person document. Administrators can also elect to record more detailed information to be sent to the WSP database, such as username, end-user's IP address, URL requested, and server name.

  • Enable strikeout logging functionality: Strikeouts can be logged to a database so that administrators can see when failed attempts occurred.

  • Store "set password" date and time: Administrators can track the date and time an end-user last set his or her HTTP password — data stored as a new field in the Person document.

  • Log passwords used: With WSP, administrators can enable logging of 'Password Used' when a Strikeout, Strike, or Invalid Username event is logged to the mail-in database.

  • Log invalid usernames: Administrators can enable logging of invalid usernames to the mail-in database. The information included in this report is:

    • IP address of the computer that made the request

    • URL requested by the user

    • Username used

    • Password given

    • The WSP-specific function the user attempted to accomplish (log in, set password, and so on)

    • The server on which the attempt occurred

    • The time the attempt occurred

  • Enable "set password" logging: In WSP, administrators can enable logging of successful "Set Password" events to the mail-in database.

Help Desk

WSP also includes Help Desk productivity features. For example, WSP's Help Desk Manager Utility allows Help Desk personnel to manage end-user passwords without full access to WSP's configuration data. This database includes seven action buttons:

  • Unlock User: unlocks end-user accounts that have been locked by WSP's strikeout function utility.

  • Email Random Password: generates random value passwords and emails them to the end-user. This can also be used to automatically send multiple end-users' blank passwords.

  • Reset Password: resets the HTTP password to a new value when an end-user does not have an HTTP password, has forgotten it, is unable to reset it themselves, and does not have a Notes client.

  • Expire Password: forces end-users to change their HTTP password the next time they log in to Domino through a web browser. This is useful when password policies change.

  • Reset WSP Fields: resets end-user accounts as if they had never accessed WSP.

  • Set Expiration Date: provides a one-time override of WSP's expiration functionality. This is useful for exempting end-users from resetting a password.

  • Unlock Agent: unlocks end-users automatically every x number of hours.

In addition, WSP offers the following features designed to assist Help Desk personnel:

  • Enable customized HTML: With WSP, administrators can write customized messages to end-users to prompt them through the login process, reducing end-user confusion and subsequent Help Desk calls.

  • Email Random Password Functionality: Administrators can generate random passwords that are automatically emailed to new end-users. This is both an administrative time-saver as well as a security feature because the administrator never sees the password. WSP enables customizable expiration options for the new password as well.

  • Support localization: Administrators can configure all UI screens in any language without the use/knowledge of Domino Designer. Administrators can easily modify logon screens to ensure that customized messages and prompts are understood by the end-user. Localization reduces Help Desk calls by minimizing end-user confusion.

  • Enable customized disclaimer messages: Administrators can create a disclaimer message that the end-user sees upon login. This feature can be used to display corporate network usage instructions for sensitive websites and resources (that are password protected).

  • Easily configurable user interface: All WSP screens seen by the end-user are configurable without the knowledge/use of Domino Designer. Through a user-friendly interface, screens can be modified with logo insertion, font and color selection, and editing of the HTML seen by the user.

  • WSP Unlock Utility: WSP's strikeout functionality is an important part of securing the authentication process. When enabled, the end-user is no longer able to log in after a preset number of attempts. The WSP Unlock Utility allows Help Desk personnel who do not have editor-level access to the Domino directories to unlock end-users who have struck out.

You can now delegate unlocking of strikeouts to Help Desk personnel with less security clearance. This is especially beneficial to companies with employees in different time zones, when employing Help Desk personnel with a high-level of security clearance around the clock is costly. The end-user does not have to wait for support, and the company can maintain security by granting editor-level access to fewer personnel.

End-Users

WSP also offers end-user productivity features. For instance, WSP's challenge question and answer functionality allows the end-user to recover passwords without Help Desk assistance. This feature stems potential security breaches that occur when administrators email passwords to end-users or give out passwords to end-users over the phone. Challenge questions are customizable.

WSP also allows end-users to create their own user accounts without administrator involvement. If more complex workflow around account verification is necessary, self-registrations can be set to require either end-user confirmation (to prevent automated account creation bots) or approval by an internal user.

System Requirements

PistolStar's Password Power 8 plug-ins have the following system requirements:

Web Set Password Plug-In

  • Lotus Domino 5/6/7

  • Microsoft Windows NT, 2000, 2003

  • IBM AIX 5.1 and higher

  • IBM System i-V5R3 and higher

  • All x86 Linux distributions

  • Sun Solaris SPARC 8 and higher

  • Lotus Sametime 3.1, 6.5.1, 7 (optional)

  • Lotus QuickPlace 3.1, 6.5.1, 7 (optional)

  • Domino.doc 6.5.1, 7 (optional)

Domino SSO and Authentication Redirection Plug-In

  • Lotus Domino 5/6/7

  • Microsoft Windows NT, 2000, 2003

  • IBM AIX 5.1 and higher

  • IBM System i-V5R3 and higher

  • All x86 Linux distributions

  • Sun Solaris SPARC 9 and higher

  • LDAP server: Microsoft Active Directory, Novell eDirectory, SunONE/iPlanet, Domino

  • SAP NetWeaver 2004 (optional)

  • WebSphere 5.1+ (optional)

  • WebSphere Portal 5.1+ (optional)

Single Sign-On Cookies

  • Windows 2000 Professional or XP Professional

  • Microsoft GINA or Novell Netware client

  • Lotus Notes client 5/6/7 for Windows (optional)

For more information about PistolStar and Password Power 8 plug-ins, visit www.pistolstar.com.