Hitachi ID Password Manager Lotus Notes / Domino integration

Integration between Hitachi ID Password Manager and Lotus Notes / Domino.

Hitachi ID Password Manager, a component of the Hitachi ID Identity and Access Management Suite, supports more than just passwords: it is a platform for managing authentication factors and encryption keys. Password Manager is used by many organizations to reduce the volume of IT support calls relating to passwords and PINs, to improve user productivity by eliminating login problems, and to strengthen the security of passwords and of user support processes. Password Manager includes connectors to manage passwords on over 120 kinds of systems and applications.

Lotus Notes Integration

Lotus Notes users have two separate passwords:

  • An HTTPPassword hash in the Domino Directory (formerly the Name and Address Book (NAB)) on one or more Notes / Domino servers

  • A password used to encrypt their Notes ID file, which may be physically stored in one or more locations, including their local hard disk, a network share or even a USB flash drive or iPod.

Managing HTTPPassword hashes is straightforward. Password Manager uses its own ID file to connect to the appropriate Notes server and administratively sets a new value in the user's password hash field. The Password Manager Lotus Notes connector includes logic to find the most appropriate server (e.g., the user's local mail server) and also to clear the password digest field.

Managing ID file passwords is more challenging, since this password cannot be administratively reset and since delivering an updated ID file to the user depends on non-Lotus infrastructure.

To simulate a Lotus Notes ID file password reset, Password Manager extracts a copy of the user's ID file from a central repository, changes the password on the ID file from a known (archived) value to a desired new value and delivers the new, replacement ID file to the user.

Password Manager includes a built-in repository which can house encrypted copies of each user's ID file and associated password.

ID file delivery can be implemented with a variety of techniques. The most common technique is to deploy an extension DLL to the Notes client installed on user PCs. Whenever notes.exe starts, this DLL checks with the Password Manager server to see whether there is a newer ID file for the current OS user and, if so, downloads it before the user signs into Notes. The same DLL also detects local changes to the ID file and uploads fresh copies of the ID file and its associated password (e.g., after a Notes-native password change, name change or cross-certification).