
Managing Notes ID File Passwords With Password Manager

Just as most organizations do manually, Password Manager simulates administrative password resets by extracting an old copy of the user's ID file from a repository, changing the password on that ID file and delivering the new, replacement ID file to the user. This approach leverages the infrastructure already in place in the majority of organizations.

Supported versions of Lotus Notes

Lotus Notes ID file password management has been tested with Lotus Notes 6.x, 7.x, 8 and 8.5. It is expected to continue to work with future versions, which Hitachi ID tests for compatibility as they become available.

Variation between Password Manager installations

While the basic process for Lotus Notes ID file password management is the same in all Password Manager installations, the location and structure of the ID file repository, the mechanisms used to maintain it, and the mechanisms used to deliver updated ID files to users vary from one installation to the next.

Gathering and Delivering Lotus Notes ID Files

As mentioned earlier, resetting Lotus Notes ID file passwords using Password Manager is accomplished by fetching an older copy of the user's ID file from a repository, changing its password, and delivering the new ID file to the user.

This process hinges on movement of ID files:

  • Collection, which copies the user's ID file into the repository, for future use.

  • Delivery, which copies a newly updated ID file from the Password Manager server to the user.

These processes are normally inter-related, and their detailed implementation depends on available IT infrastructure. The following sections describe available solutions to collecting and delivering Lotus Notes ID files.

E-mail Delivery of Updated Lotus Notes ID Files

In environments where Lotus Notes is not used to deliver e-mail, ID files can be sent by the Password Manager server to end users as e-mail attachments.

Advantages

  • No special infrastructure is required for this method.

Disadvantages

  • Most organizations that use Lotus Notes also use it for e-mail, and so cannot use this approach.

  • The process is visible to users, who must actively participate.

  • Education is required for users to understand how to detach the ID file from an e-mail and properly install it.

  • This solution does not address the problem of building and maintaining the ID file repository.

Copying ID Files Directly to/from Workstation Shares

Where users store their ID files in a single, standard location, and that location is accessible over the network through a standardized share on every workstation, the Password Manager server can mount this share and either collect an existing ID file or deliver a new ID file when required.

Advantages

  • This method is transparent to users.
  • Updated ID files are delivered immediately after a password change.
  • No client software is installed on user workstations.

Disadvantages

  • The Password Manager server must be able to determine the hostname or IP address of each user workstation, and to reach that workstation.

  • The share name, credentials and location of the ID file must be consistent or predictable on every workstation.

  • This solution may be unworkable for users with multiple copies of the same ID file.

  • This solution does not work for users behind firewalls that prevent the Password Manager server from connecting to the user's workstation.

  • This solution does not work when multiple users share a single workstation.

Maintaining Lotus Notes ID Files on the Network

Users who do not work with Lotus Notes while off-line can configure their Notes client to access their ID file on a network share, such as their network home directory. In an environment like this, the Password Manager server can attach to this share and either collect existing ID files or deliver new ID files.

Advantages

  • This method is transparent to users.
  • No client software is installed on user workstations.
  • There is no need for workstations to have open shares, or for the existence of well-known credentials to workstation shares.

Disadvantages

  • This method requires that users do, in fact, use a network share to hold their ID files.
  • Keeping ID files on a network share makes it impossible for users to work with Lotus Notes while mobile or off-line.

File Synchronization of ID Files to a Staging Directory

A process can be implemented to synchronize ID files between user PCs and a shared staging directory on the network.

The staging directory may be shared among all users (e.g., a public share) or may be specific to each user (e.g., each user's network home directory).

This process works by periodically comparing the ID file on the user's PC with the one in the staging directory and, if they differ, replacing the older file with the newer one.

Password Manager can collect current ID files from users by retrieving them from the staging directory and can deliver new ID files to users by placing them in the staging directory.
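The script below is an added illustration of the synchronization rule described above; it is not part of the Hitachi ID documentation and is not Password Manager's own code. It compares the copy of the ID file on the PC with the copy in the staging directory and replaces the older with the newer, which covers both flows with one rule: a newer copy on the PC is collected into staging (enrollment), and a newer copy in staging, such as one placed there by Password Manager after a reset, is delivered to the PC. It assumes a per-user staging directory and a fixed ID file name (user.id); the byte strings written by run_demo() are constructed placeholders standing in for ID file versions, not real Notes ID files. Python is used so the logic runs anywhere; a production copy would live in whatever the login script environment supports.

```python
"""Synchronize a Lotus Notes ID file between a user's PC and a staging directory.

Rule (from the process described above): if the two copies differ, replace the
older copy with the newer one. Run it from the login script, or on a timer.
Added example; not Hitachi ID Password Manager code.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Assumption: every user's ID file has the same name, and the staging directory
# is per-user (e.g. <staging>\<username>\user.id), so no other user's copy is involved.
ID_FILENAME = "user.id"


def _digest(path: Path) -> str:
    """Content hash, so that identical files are never copied over each other."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def _atomic_copy(src: Path, dst: Path) -> None:
    """Copy src over dst without ever exposing a half-written ID file.

    copy2 preserves the modification time, so after the copy both sides carry
    the same mtime and content, and the next run reports them as unchanged.
    """
    dst.parent.mkdir(parents=True, exist_ok=True)
    tmp = dst.with_name(dst.name + ".tmp")
    shutil.copy2(src, tmp)
    os.replace(tmp, dst)  # atomic rename on both POSIX and Windows


def sync_id_file(pc_path: Path, staging_path: Path) -> str:
    """Apply the newer-wins rule and report what happened.

    Returns "collected" (PC -> staging), "delivered" (staging -> PC),
    "unchanged" (identical content) or "missing" (no copy on either side).
    """
    on_pc, in_staging = pc_path.is_file(), staging_path.is_file()
    if not on_pc and not in_staging:
        return "missing"
    if on_pc and not in_staging:          # first run: enroll the user's current ID file
        _atomic_copy(pc_path, staging_path)
        return "collected"
    if in_staging and not on_pc:          # new PC, or ID file deleted locally
        _atomic_copy(staging_path, pc_path)
        return "delivered"
    if _digest(pc_path) == _digest(staging_path):
        return "unchanged"
    if pc_path.stat().st_mtime > staging_path.stat().st_mtime:
        _atomic_copy(pc_path, staging_path)   # user changed their password locally
        return "collected"
    _atomic_copy(staging_path, pc_path)       # Password Manager delivered a reset ID file
    return "delivered"


def _write(path: Path, data: bytes, mtime: int) -> None:
    """Create a placeholder file with a fixed mtime (constructed test data)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    os.utime(path, (mtime, mtime))


def run_demo() -> list:
    """Walk through enrollment, a password reset and a local password change.

    The byte strings stand in for ID file versions; they are not real Notes ID files.
    Returns one (label, outcome, pc_contents, staging_contents) tuple per step.
    """
    root = Path(tempfile.mkdtemp(prefix="notes-sync-"))
    pc = root / "pc" / "notes" / "data" / ID_FILENAME
    staging = root / "staging" / "jdoe" / ID_FILENAME   # hypothetical user "jdoe"
    results = []

    def step(label: str) -> None:
        outcome = sync_id_file(pc, staging)
        results.append((label, outcome, pc.read_bytes(), staging.read_bytes()))

    _write(pc, b"ID-FILE-v1", mtime=1_000)       # user has an ID file, staging is empty
    step("enroll")
    step("nothing changed")
    _write(staging, b"ID-FILE-v2", mtime=2_000)  # Password Manager drops a reset ID file
    step("after reset")
    _write(pc, b"ID-FILE-v3", mtime=3_000)       # user changes password in the Notes client
    step("after local change")
    shutil.rmtree(root, ignore_errors=True)
    return results


if __name__ == "__main__":
    for label, outcome, pc_bytes, staging_bytes in run_demo():
        print(f"{label:20} {outcome:10} pc={pc_bytes.decode()} staging={staging_bytes.decode()}")
```

The copy goes through a temporary file and os.replace so that a login script interrupted mid-copy never leaves a truncated ID file on either side, and the content hash is checked before the modification times so that two identical copies are never shuffled back and forth because of clock differences. Since the ID file carries the user's private key, protected by the ID file password alone, a per-user staging directory readable only by that user and the Password Manager service account is preferable to the public share mentioned above.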

The process of enrolling users (collecting their ID/password pairs) using a shared staging directory is illustrated in Figure [link].

Collecting ID files and passwords from users: No client software

The process of resetting Notes ID file passwords and delivering the updated ID file to users, using a shared staging directory is illustrated in Figure [link].

Changing a Lotus Notes ID file password: No client software

Advantages

  • This method is transparent to users.
  • Updated ID files are delivered immediately after a password change.
  • No client software is installed on user PCs.
  • Mobile users are able to work with Lotus Notes when they are off-line or remote (they would not be able to do so if the ID file was only stored on the staging directory and not on their PC).
  • This method works for users that use multiple PCs.

Disadvantages

  • It must be feasible to implement a file synchronization process. Since such a process most often runs from the network login script, this method requires that all users actually execute a network login script regularly.

  • If network login scripts are used to launch the process, delivery will be unreliable for users who rarely log off or who log in from mobile connections and consequently do not always execute a network login script.

Lotus Notes Client Extension DLL

A Lotus Notes extension DLL can be installed on user PCs. It automatically installs new ID files when users launch the notes.exe client, and automatically sends updated ID files and their matching passwords to the Password Manager server whenever users shut down the Lotus Notes client.

The process of enrolling users (collecting their ID/password pairs) using a client-installed Notes extension DLL is illustrated in Figure [link].

Collecting ID files and passwords from users: Notes Extension DLL

The process of resetting Notes ID file passwords and delivering the updated ID file to users when they launch the notes.exe client is illustrated in Figure [link].

Changing a Lotus Notes ID file password: Notes Extension DLL

Advantages

  • This method is transparent to users.
  • Enrollment in and maintenance of the ID file repository is fully automatic, ongoing (whenever a user changes their ID file) and transparent to users.
  • New ID files are delivered whenever required, not just when users log into their PCs.
  • This method works for users with multiple copies of their ID file, on multiple PCs.

Disadvantages

  • Client software (the extension DLL) must be installed on every user PC.

Lotus Notes Roaming Profiles

Version 6.0.1 of Lotus Notes introduced roaming profiles. When roaming profiles are activated for a user, their ID file and other personal data (mail folders, preferences, etc.) are copied to a Lotus Notes server.

Whenever a user launches the Notes client, the local copies of these files may be updated from newer copies on the server.

Whenever a user closes the Notes client, the local copies of these files may be copied to the server, to bring the server copies up to date.

Roaming profiles can be used to track changes to user ID files, and to trigger a request for registration.

Since users must type their old password to sign into Notes before getting a copy of a possibly new ID file from the roaming profile, this facility is not suitable for administrative password resets, which may have been triggered by a user forgetting their old password. As a result, it is not a recommended method for delivering updated ID files to users after a password reset.

Advantages

  • Users can roam between multiple workstations, and their entire profile (not just the ID file) is always available.

  • Information in roaming profiles can be used to detect changed ID files, and Password Manager can use it to prompt these users to re-register so that their entries in the ID file repository are updated.

Disadvantages

  • All users must upgrade to Lotus Notes 6.0.1 or later.

  • All Notes servers must be upgraded to Lotus Notes 6.0.1 or later.

  • This method is suitable for user ID file registration, but not for delivering updated ID files to users, especially after a password reset.

  • Each user must be explicitly enabled to use roaming profiles.

  • Roaming profiles can be huge -- at least 8MB per user. This consumes a lot of disk space and bandwidth.

Other Approaches to Delivering Lotus Notes ID Files

Another approach sometimes proposed by Hitachi ID customers is to use a default document within Lotus Notes to deliver ID files.

This approach is not recommended, principally because it requires that users know and type their current ID file password before getting a copy of the new ID file, which will use the new password. This is counter-intuitive to users, and does not work in the context of a password reset, where users may have forgotten their previous Notes ID file password.
