Lotus Security Handbook

IBM
International Technical Support Organization
Lotus Security Handbook
William Tworek
George Chiesa
Frederic Dahm
David Hinkle
Amanda Mason
Matthew Milza
Amy Smith
April 2004
Note: Before using this information and the product it supports, read the information
in Notices.
First Edition (April 2004)
Copyright International Business Machines Corporation 2004. All rights reserved.

Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure
restricted by GSA ADP Schedule Contract with IBM Corp.
IBM

Lotus:

2007
. , . , .

IBM Certified Advanced Technical Expert IBM System p5
.
(2004 .)
(2007 .)
IBM Corporation ( International Business Machines Corporation), 2004 .
.
: ,
GSA
ADP Schedule IBM.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1. - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1.2 / . . . . . . . . . . . . . 5
1.1.3 CERT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
1.2.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
1.2.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.2.3 - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.2.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.2.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.2.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
1.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
1.3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
1.3.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
1.3.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
1.3.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
1.3.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
1.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
1.4.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
1.4.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
1.4.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
1.4.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
1.4.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
1.4.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
1.4.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

1.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
2. . . . . . . . . . . . . . . . . . . . . 43

2.1 - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
2.1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
2.1.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
2.1.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
2.1.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
2.2 ISO17799 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
2.2.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
2.2.2 ISO 17799 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
2.2.3 ISO 17799 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
2.3 ( 15408) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
2.4 (MASS, Method for Architecting

Secure Solutions) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
2.4.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
2.4.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
2.4.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
2.4.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
2.4.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
2.4.6 - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
2.4.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
2.4.8 . . . . . . . . . . . . . . . . . . . 72
2.4.9 . . . . . . . . . . . . . . . . . . . . . . . 73
2.4.10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
2.4.11 (MASS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
2.5 ISSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
2.5.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
2.5.2 1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
2.5.3 2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
2.5.4 3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
2.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
2. . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
3. . . . . . . . . . . . . . . . . . . . . . . . 91

vi
3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
3.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
3.2.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
3.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

4.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
4.1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
4.1.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
4.1.3 , . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
4.1.4 - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
4.1.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
4.1.6
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
4.1.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
4.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
4.2.1 DMZ-: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
4.2.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
4.2.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
4.2.4 : . . . . . . . . . . . . . . . . . . . . . 141
4.2.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
4.2.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
4.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
4.3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
4.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
(IP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
5. - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

5.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
5.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
5.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
5.3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
5.3.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
5.3.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
5.3.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
5.3.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
5.4 Lotus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

5.4.1 Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
5.4.2 HTTP-, Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
vii
5.4.3 URL, Domino

Domino 164

5.5 Lotus Sametime 3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

5.5.1 Sametime 3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
5.5.2 - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
5.5.3 Sametime - . . . . . . . . . . . 168
5.5.4 SSL, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
5.5.5 -
Sametime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
5.5.6 Sametime 3.1 . . . . . . . . . . . . . . 174
5.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
. . . . . . . . . . . 177
IP- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
5.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

6.1 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

6.1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
6.1.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
6.1.3 (ID) Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
6.1.4 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
6.1.5 Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
6.1.6 Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
6.1.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
6.1.8 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
6.1.9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
6.1.10 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
6.1.11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
6.1.12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
6.1.13 Notes PKI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
6.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
6.2.1 - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
6.2.2 (PKI) . . . . . . . . . . . . . . . . . . . . . . . . . . 221
6.2.3 X.509 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
viii
6.2.4 Web- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

6.2.5 SSL (Secure Sockets Layer) . . . . . . . . . . . . . . . . . . 237
6.2.6 Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
6.2.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
6.2.8 PGP . . . . . . . . . . . . . . . . . . . . . 254
6.2.9 S/MIME . . . . . . . . . . . . . . . . . . . 255
6.2.10 Lotus Notes 6 S/MIME- . . . . . . . . . . . . . . . . . . . . . 264

6.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
7. (Single sign-on) . . . . . . . . . . . . . . . . . . . . . . . . . . . 269

7.1 SSO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271

7.1.1 SSO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
7.2 LTPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273

7.2.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
7.2.2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
7.2.3 LTPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
7.3 X.509 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281

7.3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
7.3.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
7.4 DSAPI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
DSAPI LTPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
7.4.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
7.4.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
7.5 HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

7.5.1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
7.5.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
7.6 ( ) . . . . . . . . . . . . . . . . . . . . . . . . . 293
7.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
8. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297

8.1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
8.1.1. LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
8.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
8.2.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
8.2.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
8.2.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
8.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
8.3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
8.3.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
ix
8.3.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
8.3.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
8.3.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
8.3.6 - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
8.3.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
ADSync 314
LDAPSync Solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
IBM Tivoli Directory Integrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320

8.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
8.4.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
8.4.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
8.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
9. (hardening) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341

9.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
9.1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
9.1.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
9.1.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
9.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
9.2.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
9.2.2 Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
9.2.3 Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
9.3 Windows ( NT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353

9.3.1 Windows NT 4.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
9.3.2 Windows 2000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
9.3.3 Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
9.3.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
9.4 UNIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
9.4.1 UNIX Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
9.4.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
9.4.3 inetd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
9.4.4 tcp_wrappers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
9.4.5 sendmail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
9.4.6 , Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
9.4.7 , Solaris . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
9.4.8 . . . . . . . . . . . . . . . . . . . . . 385
9.4.9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
9.5 AIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388

9.5.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
9.5.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
9.5.3 . . . . . . . . . . . . . . . . . 394
9.5.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
9.5.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
9.5.6 , . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
9.5.7 , X11 CDE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
9.5.8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
9.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
3. Lotus . . . . . . . . . . . . . . . . . . . . . . . . . 401
10. Notes/Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403

10.1 Notes/Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
10.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
10.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
10.3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
10.3.2 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
10.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
11. Domino/Notes 6 . . . . . . . . . . . . . . . . . . . . . . . . . . 415

11.1 Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416

11.1.1 Domino . . . . . . . . . . . . . . . . . . . . . . . . . 417
11.1.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
11.1.3 - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
11.1.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
11.1.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
11.1.6 - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
11.1.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
11.2 HTTP- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433

11.2.1 Domino Web Server API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
11.2.2 HTTP- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
11.3 (xSP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
11.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
11.5 Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437

11.5.1 Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
11.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
11.6.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
11.6.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
xi
11.6.3 Directory Assistance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445

11.6.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
11.6.5 LDAP- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451

11.7 - Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
11.8 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
11.9 - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
11.9.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
11.9.2 (SSO) . . . . . . . . . . . . . . . . . . . . 460
11.9.3 - Domino Directory
LDAP- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
11.9.4 Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
11.10 Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466

11.10.1 Notes Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
11.10.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
11.10.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
11.10.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
11.10.5 iNotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
11.11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
11.12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
11.12.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
11.12.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
11.13 Domino Off-Line Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
11.14 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513

11.14.1 - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
11.14.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
12. Lotus . . . . . . . . . . . . . . . . . 519

12.1 Lotus Team Workplace (QuickPlace) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520

12.1.1 QuickPlace SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
12.1.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
12.1.3 QuickPlace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
12.1.4 QuickPlace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
12.1.5 . . . . . . . . . . . . . . . . . . 525
12.2 Lotus Sametime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525

12.2.1 Sametime Connect . . . . . . . . . . . . . . . . . . . . 526
12.2.2 - Sametime . . . . . . . . . . . . . . . . . . . . . . . . . . 527
12.2.3 Sametime Java Connect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
12.2.4 Sametime Meeting Room . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
12.2.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
xii
12.3 Domino Web Access (iNotes) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
12.3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
12.3.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
12.3.3
- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
12.3.4 iNotes Web Access Notes . . . . . . . . . . . . . . . . . . . . 536
12.3.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
12.3.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537

12.4 Lotus Workplace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
12.5 IBM WebSphere Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540

12.5.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
12.5.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
12.5.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
12.5.4 . . . . . . . . . . . . . . . . . . . . . . . . . . 550
12.5.5 Member Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
12.6 Domino Everyplace Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
12.7 Sametime Everyplace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
12.8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560
4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
13. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563

13.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
13.2 1: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
13.3 2: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567
13.4 3: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568
13.5 4: . . . . . . . . . . . . . . . . . 569
13.6 5: . . . . . . . . . . . . . . . . . . . . . . . . . 570
13.7 6: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
13.8 7: . . . . . . . . . . . . . . . . . . . . . . . . 572
13.9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572
14. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573

14.1 (Domino, Sametime QuickPlace) . . . . . . . . . . . . . 574

14.1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
14.1.2 Web SSO Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
14.1.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
14.2 - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
14.2.1 SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
14.2.2 WebSphere Edge Server ( -) . . . . . . . . . . . 580
14.2.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
xiii
14.3 LDAP- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587

14.3.1 LDAP- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
14.3.2 Lotus Domino LDAP- . . . . . . . . . . . . . . . . . . . . . . 588
14.3.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591
14.3.4 Sametime LDAP- . . . . . . . . . . . . . . . . . . . . . . . . . 591
14.3.5 QuickPlace LDAP- . . . . . . . . . . . . . . . . . . . . . . . . 594
14.4 WebSphere Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596

14.4.1 SSO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
14.4.2 - . . . . . . . . . . . . . . . . . . . 599
14.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
14.5.1 LMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
14.5.2 LMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
14.6 Tivoli Access Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603

14.6.1 Tivoli Access Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
14.6.2 WebSeal Websphere Edge Server . . . . . . . . . . 603
14.6.3 Domino TAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
14.6.4 WebSphere Portal TAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606
14.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
5. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609
. . . . . 611
. DSAPI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
.
Domino 6 HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656
xiv

, .
IBM , , , . IBM. , IBM
. , ,
IBM.
.
IBM , .
. : IBM Director of Licensing, IBM Corporation, North
Castle Drive Armonk, NY 10504-1785 USA.

, : INTERNATIONAL BUSINESS MACHINES
, , , ( ) , . ,
.
.
, . IBM
/
.

IBM: , , .
- IBM
.

, , -
xv
. IBM
, , . , ,
.
, . , ,
. , .

, . ,
IBM, , , (application programming interface, API) ,
. . IBM ,
. , - IBM, , ,
IBM.

International Business Machines / .
@server
OS/390
DominoTM
@server
OS/400
iNotesTM
RedbooksTM
Lotus Discovery ServerTM
Secure Way
Lotus Notes
SP1
Lotus
SP2
Mobile NotesTM
Redbooks (logo)
AIX
DB2
Everyplace
TM
TM
Extended Services
Tivoli
HACMP
Tivoli Enterprice
QuickPlaceTM
IBM
WebSphere
Sametime
ibm.com
zSeries
Workplace MessagingTM
OS/2
Domino Designer
xvi
TM
Notes
TM
TM
:
Intel, Intel Inside () Intel
/ ;
Microsoft, Windows, Windows NT Windows () Microsoft / ;
Java , Java, Sun Microsystems, Inc. /
;
UNIX The Open Group .
, .
xvii

IBM Redbook
Lotus. Redbooks TM, The Domino Defense: Security in Lotus
Notes 4.5 and the Internet Lotus Notes and Domino R5.0 Security Infrastructure
Revealed, , Lotus. , ,
Notes Domino TM, , , Lotus IBM.
, Lotus Notes Domino,
Lotus. , .

. ,
- .
, . (security zoning),
(single sign-on, SSO), (public key infrastructure, PKI) .
, ,
, , Lotus .
Lotus.
, Lotus Notes Domino 6, Sametime 3,
QuickPlace TM 2.08, Domino Web Access (iNotes TM), WebSphere Portal IBM/Lotus. ,
, Lotus, ,
Lotus.
, ,
Lotus, ,
. ,
, .
xviii
,
Lotus Notes Domino -.
Notes Domino IBM Redbook, Lotus Notes and Domino
R5.0 Security Infrastructure Revealed, SG24-5341, :
http://publib-b.boulder.ibm.com/Redbooks.nsf/RedbookAbstracts/sg245341.html
,
Redbook , (International Technical Support Organization, ITSO), .
(William Tworek) , , .
, Redbook , IBM Lotus Software. , ITSO,
- , Andersen Consulting/Accenture, IBM Software Services for Lotus. -, .
(George Chiesa, Jorge Garcia-Chiesa,
Giorgio) (Chief Technical Officer, CTO) dotNSF Inc. (http://dotNSF.com). dotNSF - IBM, , ,
/
. -, - (MBA) SDA
(SDA Bocconi University), IBM /
14- Notes. Best Practicies IBM Lotusphere/Symposium , .
(Frederic Dahm) ,
IBM Software Services for Lotus , . 14- , 10
-.
(David Hinkle) - IBM Software Services for
Lotus , (Phoenix, AZ). 19- , Lotus Notes/Domino . Domino, , LDAP (Lightweight Directory Access
Protocol) Web-. LotusSphere
, IBM
Microsoft.
xix
(Amanda Mason) Lotus Software , (Austin, Texas).

Principal CLP , CLS (Collaborative Solutions)
Windows 2000 Microsoft.
(Matthew Milza) -, - (New York, NY). Domino,
Domino. Domino
, : .
(Amy Smith) (Global Development Organization) Lotus Software.
Domino Notes. Lotus
Developer Domain, , 21CFR Part 11 Requirements for Notes and Domino. 20

(high-tech) . Redbook.

:
IBM Lotus Software
Charlie Kaufman, Matthew Flaherty, Mike Kerrigan, Joseph Russo, Mary Ellen Zurko,
Alan Eldridge, Jane Marcus, Kevin Lynch, Rich Epstein, Scott Davidson .
IBM Software Services for Lotus
Tim Speed, David Byrd, Mary LaRoche
IBM International Technical Support Organization
John Bergland, Axel Buecker, Alison Chandler

26- (residency program). IBM Redbook , . , IBM.

. IBM,
.
, :
http://ibm.com/redbooks/residencies.html
xx

!
, Redbooks ,
.
Redbooks :
Contact us :
http:/ibm.com/redbooks

redbook@us.ibm.com
xxi

.
, - , ,

.
1
-
,
Redbooks.
, , , .
, -.
,
, .
:
, -
,
- , ;
, -
;
, -
, , , , Redbooks
.
, ,
- , -, .
1.1
,
, . ,
, , .
1980- . IBM Personal Computer,
. ,
, .
. -,
.
1990- , 20-
(, , ARPANet) Web-. .
. Web- Web-
. , ,
. , ,

, , ,
, - .
1.1.1
. , ,
, . , . , ,
, , .
, , ,
. ,
( ).
: , , (
).

- .
, , , ,
, .
,
-. , -. ; .
,
,
.
1.1.2 /

, ,
:

.

,
.
/ ,
() :
http://www.gocsi.com/forms/fbi/pdf.html

(CSI, Computer Security Institute), 1974 .,
- .
, .
, (FBI, Federal Bureau of Investigation) , ,
(NIPC, National Infrastructure Protection Center), - , (Regional Computer Intrusion
Squads),
. NIPC, -
, . (
, , , ,
).

(Computer Fraud and Abuse Act,
Title 8, Section 1030), ,
,
, ,
.
7
-
.
, .
503
, , ,
, 2002 . (2002 Computer Crime and Security Survey)
, .

2002 .
(
) 12 .
.
( )
. 223 $445,848,000.
,
(26
$170,827,000) (25
$115,753,000).
, , (74%), , (33%).
. ( 1996 . 16% .)
.
:
40% ;
40% ;
78% , ( ,
,
);
85% .
. :
WWW-.
.
12
Web. , ,
.
, ,
. .
( 2000 . 64%).

( 60% 2000 .).
.
( 3% 2000 .).
,
. .
1.1.3 CERT
CERT (CERT/CC) (DARPA, Defense Advanced Research Program Agency) 1988 . ,
. -
,
,
. , , :
,
;
;
, ;
, ;
.
CERT/CC (NSS, Networked
Systems Survivability) (SEI, Software Engineering Institute),
(Carnegie Mellon University). NSS , ,
.
CERT/CC . URL:
http://www.cert.org/annual_rpts/index.html
1988- 2001 .
60,000
52,658
50,000
30,000
21,756
20,000
9,859
10,000
.1-1. 1988- 2001 .

( CERT)
1
20
0
19
99
3,734
19
98
19
97
19
96
19
95
2,340 2,412 2,573 2,134
19
94
1,334
19
93
773
19
9
406
19
9
252
19
90
19
88
132
19
89
20
00
40,000
, , .

1995- 2002 .
4,000
3,000
2,420
2,000
1,090
1,000
345
171
311
427
262
20
02
20
01
0
20
0
19
9
8
19
9
7
19
9
6
19
9
19
9
.1-2. 1995- 2002 .

( CERT)
.
2002 . CERT/CC 204,841 880 , . . 1-1 1988- 2001.
, .
,
. , ( ), . . 1-2 1995- 2002 .
2002 . CERT/CC 4,129 82,094 , .
,
, . , .
-. :
-: , , -,
;
: , ,
, , , (non-repudiation);
: , , , , , .

(. . Notes Domino), , ,
.
1.2
,
, .
1.2.1
Redbooks ,
Notes Domino
(.. 6.0), , .
(, ,
) (. .
).
,
,
. , , .
, ,
.
10
1.2.2
, , , .
:
,
.
, .
,
. [, (, hub) (switch)], Ethernet , , , .
, , . , ( ) , , , , , . .
1.2.3 -
- , .
- , . , , :
( , );
(, );
(, . .).
, - , ,
- (, ).
(extranet). -
, , .
, -
, , , ,
.
11
1.2.4
, (NIST, National Institute
ofStandards and Technology)
: (An Introduction to Computer Security: The NIST
Handbook, Special Publication 800-12). PDF URL-
http://csrc.nist.gov/publicatiuons/nistpubs/800-12/handbook.pdf
5 .
: , ,
, ,
( , ,
, , / ).
,
. - .
()
, , :
, , ;
, ,
.
, , .
( )
- , ,
:
, - ,
-;
, - ,
-.
- , -
,
-.
-, ,
; - ( ) ,
.
12
()
, -, ,
,
, :
, , ;
().
, , .
().
, , ,
().
, , , .
, ( ).
, .
,
(
).
,
, , .
1.2.5
, , ,
.
, ,
(sensitive information). ,
, .

1987 ., 100-235 ( 145), 8 1988 . (Computer Security
Act of 1987, Public Law 100-235 (H.R. 145), January 8, 1988).
(EPIC,
Electronic Privacy Information Center) :
http://www.epic.org/crypto/csa/csa.html
,
3, :
13
() : (4) , , ,
,
, ,
552 ( ),
()
.
, , , . , ,
. , ,
.
, (, , ,
) . , , , , . , .
. ,
( ) . ,
, , : , , , , , ( ) .
. ,
, ,
. Web-
, ,
,
.
(
, )
.
, .
,
, ,
.
. -
.
Web- -
, .
14

, , , , , (
, ). , .
. , Web-, , .

, , . .

,
. ,
(, )
, .

,
, ,
.
1. . . , , .

,
, . . .

. , .
1
,
,
. . ..
15
1.2.6
, ,
,
.
, Web- ,
, . 30-day interest-free loan (30- ) interest-fee loan ( , ). , Web- ( ),
.
1.3
, , ,
.
, ,
IBM (IBM Security Architecture),
ISO1(ISO Security Framework, 7498-2).
IBM , , ,
.

.

(Enterprise-Wide Security Architecture and Solutions Presentation Guide, SG24-4579),
IBM Redbooks. PDF- :
http://publib-b.boulder.ibm.com/Redbooks.nsf/RedbookAbstracts/sg244579.html
:
( );
( );
(, ).
1
16
ISO International Standardisation Organisation, . . .
(, );
( ).
, ; ,
.
1.3.1
:
, , , , ,
[INFOSEC-99];
, , , ;
.
IBM ,
.
, ,
-. ,
:
;

;

;
, ;
, , , .
, ,
, , .
, .
. :
;
;
17
,
;
, .
1.3.2
:
, , [INFOSEC-99];
,
,
,
- (-) .
IBM- ,
.
, .
.
ISO (8730, 8731
9564).
1.3.3
(I&A) .
,
.
, , (, , , , ).

. , -, ,
, (, Notes), .
.
18
, , :
, , ID1 .
, .
, ,
-. PGP x.509. , (PKI, Public Key Infrastructure).
, , , -, , -, .

(ATM, automated teller machine) , (PIN, personal identification number).
.
, ,
.
( ),

.
, . , , , . , :
, Notes ID .
- ,
, ,
. - : , 3,5''
( Suns Java TM). ,
, ,
. - , , . , ? ,
.
1
ID identifier, . tx. .
19
-
.
,
(IC, integrated circuit) - . - ( -).
- -, . .
, ,
- -; , -
- . USB-,
USB-, .
1.3.4
. , , - .
.
, , , ID .
,
.
, , , , .
, ,
.
, , .
, , /
.

, .
, ,
, (,
, ).
, , , ,
( ).
20
1.3.5

, ,
, . , , , , .
, , , .
,
, / ,

.
100- , , .
1.4
, , .
, ,
.
,
, . , .
,
:
( );
() ;
() ;
;
.
, , , , , ,
. ,
, ,
RSA , 4.1
(RSA Laboratories Frequently Asked Questions About Todays Cryptography, Version 4.1),
:
http://www.rsasecurity.com/rsalabs/faq/
21
1.4.1
, ,
.
, , . ,
, . ( ,
, ,
, .)
,
. , , ,
. , - , . ,
. ( ,
, .)
.
, , . :
1. , 1
.
2. ,
,
; ;
.
, . .
, , ( ) (
).

. ,
(. . ), , , (. . ).
( ), 2. ,
.
1
2
22
. . .
10 ( ) . . . . .
1.4.2

, .
; ,
. :
:
ABCDEFGHIJKLMNOPQRSTUVWXYZ
:
GHIJKLMNOPQRSTUVWXYZABCDEF
1,
, HELLO WORLD NKRRU CUXRJ.
, , , .
.
,
, . ,
, , , / ( ) (),
.

. 2, .
.
,
, ,
.
, , , , A3.
, , , ,
- ( : ), , ,
.
. ,
, . 1
, ;
. . .
. . .
, , ,
A. , , . . .
. : - . . . . .
23
.
, , . , , .
,

- ,
.
,
, , ; . . .
, 25 ,
.
1, ,
, .
, , 40 256 .
2 39- , -
550,000,000,000 . .

,
, . ,
. . 1-3.
.1-3.
, -
. x x + 1 ( , ).
, ,
, .
, , . ,
, .
1
24
(brute force attack)

. . .

, .
,
.
, A, B C
. , - . ,
, ,
. , .
, , , -, .

(The Alice and Bob after-dinner speech), (John Gordon) 1984 . :
http://www.conceptlabs.co.uk/alicebob.html
, . ,
, , , ,
. . 1-4 , .
"THINK"
"THINK"
M0B4Q4Rg2s
M0B4Q4Rg2s
"THINK"
.1-4.
:
1. .
2. ; , ,
.
3. , ,
.
4. .
25
. .
, ,
.

: . , ,
. .

DES (Data Encryption Standard, )
(FIPS, Federal Information Processing Standard)
46-3 (DEA, Data Encryption Algorithm). DEA ANSI110X3.92. DEA 64-
56- (
64- 8 ).
3DES (Triple-DES, DES) ANSI X9.52
DES, : DES-EDE DES-EEE.
: DES-EDE DES,
(Encryption), (Decryption) (Encryption)
. DES-EEE (Encryption, Encryption, Encryption).
AES (Advanced Encryption Standard, ). FIPS PUB 197 NIST DES, AES 128, 192 256 , 56- , DES. Rijndael, (Joan
Daemen) (Vincent Rijmen),
. AES
: 128- .
RC2 [ (Ron
Rivest); RC Rons Code ( ),
Rivest Cipher ( ). DES].
RC2 64-
- , DES.
Blowfish [ (Bruce Schneier) Counterpane
Systems]. 64- ;
( 448 )
. 32-
, DES.
1
26
ANSI American National Standards Institute, .

. .
Twofish [ (Bruce Schneier) Counterpane

Systems]. AES,
Blowfish. , . , ,
.
IDEA [International Data Encryption Algorithm,
, (Xuejia Lai)
(James Massey)]. PES Proposed Encryption Standard
( ). IPES,
IDEA; , PGP.
64- 128- .
, IDEA DES.
CAST [ , (Carlisle Adams) (Stafford Tavares)]. 64- , 128 . CAST
, Carlisle Adams Stafford Tavares. CAST-128 Entrust Technologies, , . CAST256 CAST-128,
256 128 . CAST-256 AES.

RC4 ( ,
RSA Security).
, Web-, SSL. RC4 2048
(256 ).
SEAL [Software Efficient Algorithm, - , 1993 . (Phil Rogaway) (Don
Coppersmith) IBM]. 5,454,039.
32- , 4
160- . .
WAKE [World Auto Key Encryption algorithm,
. (David J Wheeler)].

. ,
, .
. : RC1
, RC3 RSADSI .
27

, . , , ,
Notes, Domino Lotus. , .
- ,
,
.
, .

,
,
. , , ?
, ,
, .

,
, .
, .
(NSA, National Security Agency).
, :
,
,
;
,
, , , , NSA.
, , , . , , , .
Redbooks,
40 .
28
,
40-
. , 56 , ,
. ( , , -); 56 , , , 40,
2 16- , 65,536 , .
18 1998 .,
. : 56 DES (. . RC2, RC4, RC5 CAST) 1,024 RSA
, , , , ,
, . , .
, , , , - ,
.
, 6 2002 . (BIS, Bureau of Industry and Security) ,
(EAR, Export Administration Regulations) , , 111 2,12
EAR, .

64 , 5A992
5D992 (ECCNs, Export Control Classification
Numbers), (NLR, No License Required) 30- BIS.
5, II ( )
(CCL, Commerce Control List) , ECCN 5B002, License Exception ENC.
, , :
, , :

1
http://w3.access.gpo.gov/bis/fedreg/ear_fedreg.html#67fr38855
-/
, . 1994 . () . 1995 . . .
,
, . . .
29
, , :
http://www.bxa.doc.gov/encryption/EncFactSheet6_17_02.html
, ,
:

http://www.bxa.doc.gov/Wassenaar/Default.htm
1.4.3
, , .
.
, . . , ,
, , .

, . (, , ), (, , ). ,
, .
, , ,
, . , , ,
, , .
,
.
.1-5 , .
"THINK"
"THINK"
M0B4Q4Rg2s
M0B4Q4Rg2s
"THINK"
.1-5. :

30
:
;

( , , );
, , , ;
;
.
. ,
, .

. :
(D-H, DiffieHellman) , (
, )
. ,
.
1975- 1976 .
(Whitfield Diffie), (Martin Hellman)
(Ralph Merkle)
.

GCHQ , GCHQ
1997., . RSA ,
,
.
(RSA, RivestShamirAdleman).
.
1977 . (Ron Rivest),
(Adi Shamir) (Len Adleman); RSA
. (Clifford Cocks), ,
GCHQ, 1973 .
. , , ,
1997 ., . 1983 . (MIT, Massachusetts Institute of Technology). 2000 . -
31
, .
RSA ,
.
. , RSA
1024 64
.
(ECC, Elliptic Curve Cryptography). D-H RSA, ECC , . , D-H
RSA, .
, . ECC ,
, .
. : NIST ANSI X9
1024 RSA 160 ECC, 80-
. NIST ( 80, 112, 128, 192 256).

, . , ,
, Notes, Domino Lotus.
,
.

, . , .
, , , . , ,
.
, , . .

, . , , -
32
. ,

.
1.4.4
. ,
,
.

, . .
, . , . , , Notes, SSL, S/MIME.
.

, .
.
. 1-6, .
"THINK"
"THINK"
M0B4Q4Rg2s
M0B4Q4Rg2s
"THINK"
.1-6. :
33
. :
;
;
(, ,
, ) ( , ,
, , );
.
:
;
() ,
( , ,
) ;
.
1.4.5
, .
,
.
, , , , ( ,
, ).
, ? . ,
,
. .
,
, ( ),
,
, .
-
,
- ( ).

, , - .
. - .
34
, - ,
. , ,
, . :
,
( ).
-
. .
.

. -, -, 1
.
. ,
.
- ? ,
,
. RSA .
, -

.
- . MD5, RSA Data Security,
Inc. Notes. 128-
RFC1321.
, , - (SHS, Secure Hash Standard). 160- , , MD5.

, .
. 1-7. ,
, ,
.
. :
;
, ( ,
, );
;
35
;
.
=?
d'
.1-7.
:
(
, );
, (- );
(
,
- );
.
:
, , : (
) (, 1
).
( ). - -
,
.
, ,
( ), , -
(
).
36
-
- ( -), , MD5 SHA-1.
,
MD5 SHA-1, MD2, MD4 SHA.
MD2 MD5 -, ,
R RSA. , , .
128- . -
RFC 1319-1321. (SHA, Secure
Hash Algorithm) NIST (SHS, FIPS 180, Secure Hash Standard).
MD2 1989 . , ,
16.
16- -.
, , , MD2
. , , , MD2.
MD5 1991 . MD4 , , MD4, .
,
MD4.
SHA-1 SHA, 1994 . SHA.
- MD4. SHA-1 ANSI X9.30
( 2). 264
160- . , MD5,
.
-
, . MD2 MD5,
, MD1, MD3 MD4? : .
MD ( Message Digest, RSADSI) . MD3 MD4 ,
. MD4 ,
. ,
, , MD5, RFC 1321.
, SHA-1, SHA-0? : . SHA
- NIST. NSA 1993 . MD4.
1995- NSA ( SHA-1;
37
SHA-0). , ,
.
, ,
MAC.
MAC (message authentication code) , . (Media Access
Control Layer) OSI.

, ,
, , , , , .

, . ,
(, . .).
(. .
) ( ), . ,
,
.
1.4.6
, .
, , ,
,
. : , , ?
, ,
. (
),
. , .
.
,
, .
, ,
. .
38
, , , , .
. , ,
, SSL Notes.
1.4.7

,
. (PKCS, Public Key Cryptographic Standards).
PKCS ,
1991 . RSA Laboratories Apple, Digital, Lotus,
Microsoft, MIT, Northern Telecom, Novell Sun. 1991 . PKCS ,
Notes Domino.
RSA , , , , ,
.
:
PKCS #1: RSA;
PKCS #2: (. );
PKCS #3: ;
PKCS #4: (. );
PKCS #5: ;
PKCS #6: ;
PKCS #7: ;
PKCS #8: ;
PKCS #9: ;
PKCS #10: ;
PKCS #11: ;
PKCS #12: ;
PKCS #13: ;
PKCS #15 (): .
. PKCS-2 PKCS-4 PKCS-1.
39
PKCS #1, PKCS #7, PKCS #10,

PKCS #11 PKCS #12.
PKCS #1 RSA. , PKCS #7. PKCS #1 RSA. PKCS #1
X.509.
PKCS #7 . ,
. PKCS #7
-
(SMIME, Secure Multipurpose Internet Mail Extension),
. PKCS #7 , , PKCS #12.
PKCS #10 .
, . .
,
X.509.
PKCS #12 -
, , ,
. , Web-,
. - -.
PKCS, ,
RSA :
http://www.rsasecurity.com/products/bsafe/whitepapers/IntroToPKCSstandards.pdf
, FAQ1,13
RSA Security Inc.,
RSA , 4.1 :
http://www.rsasecurity.com/rsalabs/faq/index.html
1.5
-
, .
:
-, , , , , -, ;
1
40
(FAQ, Frequently Asked Questions). . .
, ,
, ,
( );
, , ,
, ,
.
, . . .
,
.
41
2

,
.
,
-, , ,
,
.
,
.
: , . . , .
.
, .
.
43
2.1 -
, ,
(. . , -).
2.1.1
, , , .
, .
, , . , , . , .
(threat) thrat,
, . :
1. , , .
2. .
3. , .

: .
, -
, . , : :
1. ; .
2. , , - , ; , , , :
, ,
( ).
3. ; ,

.
, :
,
, , :
.
.
( 1), - ,
44
( 2), ( 3).
- , . , , .

, .
- .
( ,
) , , .
,
, ,
, ,
.
, , :
(Clifford Stohl: The Cuckoos Egg: Tracking a Spy Through the Maze of Computer Espionage, Mass Market Paperback Reprint edition, July 1995, Pocket Book, ISBN, 0671726889).
, , ,
.
,
, .
.
: , . ,
, ,
. . , .
,
.
,
.
, , .
.
45
2.1.2
. . , -.
, , ,
- , .
, ,
, - - , ,
, . ( , , , .)
(
),
.
,
.
.2-1.
. 2-1, , , ,
, .
, . .
46
, ( )
.
, . .
. /
:
(, , );
( , ,
);
(, , , , );
(. ., , - ).
. ,
(DOS attack, Denial-Of-Service attack) , , , , TCP/IP,
DOS- (, SYN Floods),
, , , , DOS, DOS-. ,
, ,
.
, . . , - (
).
. 2-1, , :
1. , , ,
.
2. ,
.
3. , , ( ), , .
4. , ,
47
, ,
, .
.
,
, ; .
2.1.3
- , .
, , . , , , .
, .
. 2-2 , . 80% ( ), 20%
. , 80% , , 55% , .
. . ,
.
.
.2-2.
, , , .
- ,
,
.

.
48
. , ,
, , ,
-, .
, , ,
, .
, ,
.
2.1.4
,
.

, ,
.
.
, ,
, . ,
,
, .
,
. ,
ISO17799.
2.2 ISO17799
ISO17799 (ISO), 146 ,
: , , , .
ISO : , .
ISO . ,
, , . , , .
ISO
,
, , , .
49
Web- ISO :
http://www.iso.org
ISO 17799 ( ISO/IES 17799:2000)
(Information technology Code of
practice for information security management). (. . ) 71 ,
.
:
http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441
&ICS1=35&ICS2=40&ICS3=

, .
[ISO17799]. [BS7799-2].
ISO17799
, , , .
, .
2.2.1
ISO17799 . DTI (United Kingdom, UK), 1995.
BS7799. BS 7799 ,
, , -.
-
BS7799, 2, 1999 . , ISO
BS , .
.
BS 7799 , (British Standards Institution, BSI)
. BS 7799 :
7799-1 ( 1): -
50
.
BS7799-1 , (Information Security Management System, ISMS). BS 7799-1 . , ISO/IEC 17799 (
) BS7799-1.
7799-2 ( 2): , .
BS 7799-2 ISMS, .
ISO/IEC 17799.
BS 7799
, 1999 . , ISO,
2000 . ISO 2002 .
2. ISO 17799 2002 .
ISO 17799 .
ISO-, .
2.2.2 ISO 17799

ISO 17799 ,
. , , , ISO 17799 . , . , , , . ,
. , , 10 , .
:
1.

-, .
2.

; ;
; ; -
51
; .
3.

, ;
, : ,
; , - ; .
4.

,
; ,
; ,
.
5.

, , ; ;
.
6.

, , ; , ,
;
.
7.

; , ; , .
8.

52
; ; ; ; ;
; ,
.
9.

,
.
10.

, ,
.
2.2.3 ISO 17799

ISO 17799 , ,
, , , . ISO 17799,
,
,

. ISO 17799 ,
,
.
2.3 ( 15408)

(CC, Common Criteria for Information Technology Security Evaluation)
-,
. -, -
.
CC
-, .
1980- . (TCSEC, Trusted Computer System Evaluation Criteria).
1990- . (ITSEC, Information Technology Security Evaluation Criteria),
TCSEC. 1990 . ISO
.
CC 1993 ., ( )
-.
-. . 2-3 , .
53
, , .

, .
-.

TSSEC
NIST
CTCPEC
ITSEC
v 1.2
CC
v 0.9
CC
v 1.0
CC
v 2.1
ITSEC
v 1.0
ISO
ISO 15408
.2-3.
, , :
1. . .
-
. 1 -,
- . ,
CC .
2. .

(TOEs, Targets
of Evaluation). 2 , .
54
3. .

TOEs. 3 , . (PPs, Protection Profiles)
(STs, Security Targets) ,
CC
TOEs, (EALs, Evaluation Assurance Levels).
CC
, .
, .
, ( PDF-), :
http://www.commoncriteria.org/
,
.

, .
2.4

(MASS, Method for Architecting Secure Solutions)
IBM , IBM Global Services (IGS) . (MASS, Method for Architecting Secure Solutions).
, -.

IBM (IBM Systems Journal on End-to-End Security,
Volume 40, N 3). :
http://www.research.ibm.com/journal/sj/403/whitmore.html
2.4.1
, , .
IBM Global Services
:
1. -
.
55
2. - .
3. ,
, ,
; , , , .
,
,
.

IBM Global Services, :
, ,
;
-,
;
, ,
,
.
2.4.2
, . ,
,
.
.
,
, .

,
. , , . ,
, .
,
[3].
- , , , -
56
. ,
.
- :
1. ,
.
2.
, , , [4]
[5].
3.
. , -, .
,
ISO 7498-2[6]
-. ,
OSI (Open Systems Interconnection,
) .
5 ,
OSI . 8 OSI,
, .
OSI:
, , ,
-. ISO 7498-2 ,
OSI ,
, , , , OSI.
, OSI.
. . (TCSEC, Trusted Computer System Security Evaluation Criteria).

, ITSEC (Information Technology Security Evaluation Criteria),
, CTCPEC (Canadian Trusted Computer Product Evaluation Criteria). 1996 . , ,
CC (Common Criteria) [7]. 1999 . [7-9].
.
57

.
11 :
;
;
;
;
;
;
;
;
;
;
.
11 66 , . 130 ,
- .

, :
http://www.commoncriteria.org

. , [10], , . . ,
.
. -
.
/

. . -
58
:
, [11].
, , .

[8]:
( TOE, Target Of Evaluation) ; TOE ( TSF, TOE Security Functions) TOE, .
;
.

.
, -,
,
.
, -, .
: .
.
, :
1. , .
2.

.
2.4.3
(Eberhardt Rechtin) ,
(, ), ( , ), ( )
( , ,
, , , , ).
59
- (NIS, Networked Information System). , , NIS,

. NIS- ,
. :
1. .
2. .
3. .
, , . NIS , . , , , NIS
.
, NIS
.

. ;
,
. , ,
, -.
, . 130 NIS-
: , , , , . CC-
. 2-1.
2-1

60

, ,
, , ,
, ,
, , /
, , ,
, /,
. 2-1

/

, , ,
, ,
, /
, , ,
,
, .
.
2.4.4
, , , . , , . 2-1,
, , . ; . . 2-4
, ,
, .

CC- . -
.2-4. -
61
, , , .

,
- , , . ,
.

- ,
,
, -.
, , , .

. ,
, , . , , -
.2-5.
62
, .
:
,
, ;
,
, ;
, , , ;
, .
. 2-5.

- ,

.
,
. ,
.
.
:
;
, , ,
, , , . .;
, , ;
; ;
;
;
;

.
. 2-6.
63

- ,
, , . ,
()
.2-6.
,
.
, , , , .
.
:
;
;
, , ( )
- ;
, ;
64

;
, ,
, , -, .
. 2-7.
.2-7.

-
,
, , .
.

, , , , .
-
65
.
:
;
;
: , , , ,
;
: ();
: ;
- : ,
, , , , .
. 2-8.
:
/
/
/
/
/
.2-8.
66

- , ,
,
, , .
,
, .
.2-9.
,
. ,
, , ,
. :
- ;
;
67
, -;
, : ;
, : ,
;
, ;
;
;
.
. 2-9.

, - , , ,
.
-.
2.4.5
, . ,
,
. . 2-10 .
.
.
-, -, . -.
-, :
1. , -- .
2. ,
(..) -- , .
68
.2-10.
:
,
.
2.4.6 -
. 2-11 - -. ,
, , .
- ,
-,
.

OSI: , , ,
. -.
. ,
.

. , -
69
,
,

- ,

,

( - ( ),
( ),
)
,
,

( )

( ,
)
.2-11. --
.
1.
.
2.
.
3.
.
4. .
5. .
6.
, .
7. - .
70
2.4.7
. . 2-2.
, (), () . .
2-2

, , . . 2-3
.
.
2-3
1 n
1 m
1 k

.
.

.

.
OSI: , ,
, , .

.
.

.

71
2.4.8
,
-. . 2-12 2-13 .
.
,
,
.
. .
,
,
.

,
;

. , ,
.2-12.
72
. .
-
.2-13.

.
2.4.9
. : , , ,

.
73

. .
,
.
(ESS, Enterprise Solutions Structure) .

, . .
.
, .
, , , . . . , - ,
, .
, :
,
, .
:
, ,
;
, , , , ;
, , ;
,
.
2.4.10
. .
,
.
74
1.
. 2-14
,
.

.2-14.
. , . ,
.
;
,
.
.
, ,
.
,
. .
75
2. -
. 2-15 -
, . . -.

.2-15. -
, . .
. ,
, .
. :
1. -,
.
2. , . . .
76
3. ,
,
, .
4. .

, -.
5. ( ) . .
6. , .
7. , -.
, . , , , ,
- .

-, ,

.
3.
(PKI)

, PKI.
-, -,
, , , -,
PKI.
. 2-16 1. 2.
3. 4 , . 5
, 6
, 7 .-
77
1
4
7
3
1
3
.2-16. PKI

. .
, ,
, .

-.
, .
.

. -, ,
, : ,
, , . , , , ,

78
, -
. ,
:
;

-;
, , ;
;
, , ;
.

- . , - . , ,
-.
.
2.4.11 (MASS)
, .
.

:
-.
. ,
.
, , - , .
,
, , IPSec SSL (Secure Socket Layer), ,
. -
79
, , , , , .
,
. ,
. , , , , , .

, , IBM Global
Services. , ,
, . , (MASS), .
, ,
MASS ,
.
2.5 ISSL
IBM Software Services for Lotus (ISSL),
, (,
Blowfish Twofish): , .
ISSL-. ,
. ,
. , , , , , .
2.5.1
, , . . ,

, . , .
, - :
1) ? 2) ? 3) ?
: , .
80
. 2-17, , ,
.
10 , . 2-18.
.
.2-17.
1.
2.
? ?
3.
4.
5.

6.
7.

e ?
8.
, ?
9.
e ,
?
10.
? ?
.2-18. ISSL
81
2.5.2 1.
, .
, . , .
1. -
, .
, , , , , ,
( ), , , . ,
.
:
1. :
a) ;
b) ;
c) ;
d) ;
e) -;
f) ;
g) .
2. :
a) ;
b) .
3. (
).
4. , :
a) ;
b) ;
c) ;
d) ;
e) ;
f) ;
g) ;
h) ;
82
i) ;
j) ;
k) ;
l) ;
m) .
,
, -. -,
, , , . (, .) , .
2.
:
= + + .
, , . , . .
, ,
.
:
1. .
2. .
3. .
4. .
5. .

.
,
.
3.
:
1. ( ).
2. ( ).
, : ? ? -
83
? - ?
:
? ?
( )?
4.
. , (,
, ,
) . - . ,
.
5.
. .
, ,
, - ,
,
-, . ,
.
ISSL ,
.
, , .
, , : ? ? ,
? , ?
, .
, , , ,
,
, , - ,
.
84
2.5.3 2.
. , . . . .
6.
, ,
. (PKI), , , . , , ,
,

.
. ,
; , -. ,
, , .
7.
, , .
4 :
a) ,
, ;
b) ,
;
c) ,
( ,
), , ;
d) , .
2.5.4 3.
, ,
, .
85
8.
.
.
,
. , , ,
, , .
: . , , ,
, -,
. , ,
, , ,
, ,
, .
, , , , , , (
, ),
. , ,

, , , .
9.
. ,
, .
, ,
, ,
.
,
. ,
, , , . ,
.
86
10.
, , ,
, ; ;
, , , . ,
, .
, , . , , , , ,
, , , , , , .
2.6
,
.
:
, ;
;
: ISO 17799, , IBM (MASS);
, IBMs Software Services for Lotus.
.
87
,
. , (single sign-on, SSO), (PKI),
.
, ,
, , Lotus .
, , , .
, T-
.
.
Web-,

.
. :
, ;
(
-).
, ,
( ,
, , ).
()
.
91
3.1

, , .
,
. , .
,
, .
, , . ,
, . , (, ), ,
, , . , ( ), ,
, ,
.

.
, ,
, ,
, . . ,
, ,
. ,
, ,
.
.
, , . , ,
.
, .
.
92
(appropriate) (adequate), . . . .
3.2
. , - , . , , ,
.
, ,
, , .
, , :
;
;
;
;
.
.
,
, , .
3.2.1

:

;
,
, ;
() ;
, ;
Web- (proxy);

(IDS).
93

-, ,

( / ).
, ,
,
. 1.4, , 6, .
-, , .
.
, . , , Notes
Domino. , ,
Domino Domino, . , ,
. Notes
.
, Notes Domino
. Notes ( Domino Notes) , , ,
. ,
(ID), . Domino ,
, , , . 3-1.
( )
, , ,
mymail.nsf
(
)
Domino
!
,

Acme
.
-
.
. 3-1.
94
()
mymail.nsf
(
)
, . , ,
Domino . () .
VPN,
VPN. VPN .

( ). ,
() . , (, Domino) ,
. , ,
.
! , Domino, ,
, ID . ID Domino
( ), ID-
, .
, ID-
Windows- Notes root
Unix.

. ,
, .
, .

.
.
(, firewall).

. .
, , ,
, DNS (Domain Name Services). DNS IP- IP- . IP-, IP-.
95
, ,
.
(MX) . , , :
IP-
IP-. DNS 4, .
,
- .
, . ,
; , ,
. . T- , ,
. , ! , .

,
( ). , . Ethernet- , Ethernet .
Ethernet-
, .
(
, TCP/IP). , , , .
:
1. TCP/IP-. , Ethernet- , .

. TCP/IP , . -
96
,
, (VLAN).
2. , .
. , , , SSL, ,
, ( ,
).
ID , .
Ethernet- 802.11
.
, , , . netstumbler.com ,
Wi-Fi- ,
, ,
. IEEE 802.11i 2004 .,
. , WEP (Wired Equivalent Privacy) , , WPA (Wi-Fi Protected Access),
( - ).
, , , WEP, , ( ) , .
, .

. ()
, .
.
, 8, . ,
, , ,
-
97
. ,
. , , ,
ID- , , . . . ,
, ( ) . ,
,
.
T- , . , . :
?
, ?
, ?
, ,
, , , , . .

.
, . , ,
-, .
( ).
, ,
. :
1. . , . , , ( ), .
2. .
, . : , , , ,
. .
98
3. . , ,
-
.
.
-
-
Web-. , ,
TCP/IP.
, .
HTTP, FTP telnet,
TCP/IP. - . ,
.
, .

-. , , -, .
, , . , ( ), , , . , ,
,
, .
-
, . - ,
, . TCP/IP , (NAT), . - ,

,
.

, ( )
, ,
. -
99
, . , , , , , . . (IDS) ,
( ).
, , , .
TCP/IP
. .
,
, ,
. , Web-, .
, :
? , . ,
, ,
. ,
() . ,
.
,
, (
).
(IDS): (NIDS), , . IDS,
, e-mail- , IDS.
IDS 4.1.5, .

( ). ,
. IDS , ,
, . . ,
, IDS.
.
100

:
1. .
2.
.
3. .
4. .
5. , .
6. , .
7. .

, . :
.
(IP) . ( ) ,
.
, IP- .
; ,

.
, , , , ,
() , .
, .
, .
, ,
( )
. , , .
, ,
.
. () , , .

101
, ( ) .
,
. .

. , .
, , ,
.
,
,
.
,
.
,
. .

.
:
;
, ;

.

. , DoS- ( ) ,
.
, DoS-
-.
, , .
102
,
. ,
, , , .
.
,
, .

, , ,
, . , , , .
:

?

?
,
, ID
? ,
?
, , ID ?
(, ,
), , , ?
, , ?
?

, ?
,
,
103

. , . ,
,
, .
( )
. , ,
,
. , ,
(
). ,
, .

, . , , UNIX- telnet. telnet-, .
telnet-
:
/
telnet;
, , , .
[SSH (Secure Shell)] telnet. SSH .
Cisco SSH , SSH telnet.
, .
, . ,
4, .
104
,
, (, , , )
, .
,
: (exploits).
. ,
, ( )
, .
, , .
, .
DoS- ( ).
. , , . ,
, . , , : ,
. , . , .
, , :
1. .
2. .
3. .
.
, .
, .
, .

.
, , ,
,
, -
105
. , , -,
,
, - . ,
( ), . ,
, . , ,
.
, , ,

, .
. ,
, .
. ,
,
,
. , , , . , ,
,
, ,
. , .
, ,

.
, . , CERT.
Web- :
http://www.cert.org
, () ,
, -
106
, . , , , , . ,

-, , Patchlink Update (www.patchlink.com), BigFix Patch Manager (www.bigfix.com), Security Update Manager (www.configuresoft.com), LANguard Network (www.gfi.com) .

. , ,
().
, .
1. ,
( ) - . ,
.
, . 60 ,
.
2. . , , ( ).
.
3. ,

( , ,
). ,
,
, : ID , , , , , , , NETID.
4. . ,
. , , ,
, .
107
5. , . , , .
,
.

, .
, , ,
.
, ,
.
, , ,
, . ,
, .
.
,
, , .
. , - .
,

.
, , ,
. , ,
, , , , .
3.3
, ,
.
:
108

, .
, .
.
, .
Web- .
,
(IDS).

, .
.

.
.

, .
, .
.
, ,
,
,
.
109

Metagroup . ?
,
. IBM .
, .
. (,
.)
.

, .
( ) ,
.
111
4.1
, .
:
;
, ;
-;
;
;
.
, . ,
, - , , .
4.1.1
The American Heritage Dictionary of the English Language:
(firewall)
1. , .
2. . , .
,
. ,
-
, , ,
IP-.

.
, , , ,
.
:
;
.
112
,
:
;
;
(VLAN);
;
.

IP-
. .
,
( ) ,
. ,
, , :
IP- ;
;
;
, (UDP, TCP, ICMP . .).
.4-1 ,
TCP- 80 .
80
STOP 80

ASYNC 9-16
AUI
ASYNC 1-8
SERIAL 0
SERIAL 1
CON
AUX
2511
.4-1.
, , IP ,
, .
, , , ICMP, IP-.
113
,
,
.
.
, , . ( )

,
-.

; . ,

, .
TCP-

. , , TCP TCP-, . . ,
. .
, 4 ( ), . (ACL) , . -
.
, IP-, ,
, , , . .
, .
114

,
.
, ,
(circuit-level proxies). .
- .
.
,
. . ,
:
http://www.aventail.com

.
,
, .
SOCKS
SOCKS - TCP/IP, IETF- (RFC 1928). SOCKS
.
SOCKSv5 ( 5.0) IETF
(Internet Engineering Task Force) (RFC 1928) -
TCP/IP. SOCKS
.
SOCKS . - SOCKS
, SOCKS
OSI. . SOCKS -
SOCKS SOCKS TCP/IP-. - SOCKS
OSI .4-2.
,
- SOCKS. - . ,
. - , .
SOCKS: v4 v5. , - -
115
SOCKS-
SOCKS
SOCKS
.4-2. SOCKS- SOCKS-1

. , SOCKSv5 . -,
, SOCKS- . SOCKS- SOCKS-.
, SOCKS, ..
SOCKS- TCP/IP SOCKS-. ,
SOCKS- , , , TCP/IP.
IPsec
IPSec IETF ( RFC RFC 2401, RFC, IPSec). O , IPSec, :
1. [Authentication Header (AH)]:
. AH
, IP- . AH , . ,
.
1
116
OSI : 1) (physical); 2) (data link); 3.) (network); 4) (transport); 5) (session); 6) (presentation); 7)

(application). IP- . . . .
2. [Encapsulating Security Payload (ESP)]: .

ESP , .
3. IP [IP payload compression (IPcomp)]: IPcomp ESP.
,
ESP .
4. - [Internet Key Exchange (IKE)]: AH ESP . IKE
.
IPSec IP-. IPSec ,
IP-,
. IPSec
SOCKS, -. IPSec
. , , , , . , IPSec
, SOCKS,
OSI (, ). IPSec
VPN- (VPN )
(, ) , .
4.1.2
. , , Lotus WebSphere
.
, . ,

.
.
,

, . , .
! ,
.
, , ,
.
117
Firewall-1 Check Point

Firewall-1 Check Point ,
. .
. .
Firewall-1 (NAT). Check Point
, (VPN).
Check Point Firewall-1 on
AIX: A cookbook for Stand-Alone and High Availability, SG24-5492 Web-
Check Point:
http://www.checkpoint.com
Cisco PIX
Cisco PIX
Cisco. Cisco PIX ,
. , [ , (DMZ)]
.
,
.
Web- Cisco:
http://www.cisco.com
Raptor Firewall
Raptor Firewall Axent Technologies,
Symantec. Raptor Management Console (RMC) , VPN (IPSec IKE)
,
WWW Internet Usenet. Web-, Symantec:
http://www.symantec.com
IBM SecureWay Firewall

- IBM 1985 . IBM
10 . IBM SecureWay Firewall , , VPN
118
IPSec. . : A Secure Way to

Protect Your Network: IBM Secure Way Firewall for AIX Version 4.1, SG24-5855 Redhat
Linux Integration Guide for IBM eServers xSeries and Netfinity, SG24-5853,
Web-, IBM:
http://www.tivoli.com/products/index/firewall
TIS Firewall Toolkit (FWTK)

Trusted Information Systems, Inc. (TIS) TIS Internet Firewall Toolkit (FWTK),
.

Linux.
:
http://www.fwtk.org/
TIS Network Associates 1998 .
:
http://www.tis.com/ http://www.nai.com/
4.1.3 ,
(routers), (switches) (hubs) , ,
OSI: ,
, . , , , , .
, , , , , . , , -.
, (, FTP).
, , : . ,
.
( )
. .
,

.
119

, ,
. .
. , ,
, , , , . .
,
.
. , - (ISP), .
-
. , ( )
.
,
.
, , .
. ,
, .

Ethernet-
Ethernet, . Ethernet, , . ,
,
. , , .
( ).
NAT
[Network Address Translation (NAT)]
RFC 1918 IETF
IP-.
IP- [ Internet Assigned Numbers Authority (IANA)].
,
120
. IP-,
. NAT RFC 1631.
,
-
. IP- IP-
, - ,
.
NAT IP-
. NAT
IP; IP . . ,
IP- ( ,
), NAT IP-,
IP- . ,
NAT , ,
.
, NAT
TCP UDP. [Internet Control Message Protocol
(ICMP)] NAT-. , ping
ICMP, , , NAT,
NAT-, , IP- .
, NAT
[Port Address Translation (PAT)]. IP . PAT
, .
VLAN
(VLAN) ( 1998 .) , .
. VLAN ,
, , NetBIOS IPX. ,
.
, ,
. , .
121
VLAN
, .
,
.
, ()
. , , Cisco Catalyst,
.
VLAN ,
,
VLAN .
VLAN ,
(, ) , .
, VLAN
.
VLAN, . ,
thernet- MAC- . , VLAN , VLAN .
VLAN IEEE 802.1q :
http://standards.ieee.org/reading/ieee/std/lanman/802.1Q-1998.pdf
, VLAN, VLAN-
. ,
VLAN ,
. , VLAN , . VLAN ( VLAN,
,
ID, VLAN) , , , - VLAN .
122
4.1.4 -

. .

-.
- .
.
:
.
.
- ,
, . ,
( 4), ( 7).
,
, ,
. ,
, , , .
, . , ,
.

,
() .
. . ,
, ,
. .

, , . , , .
123
-
. ,
, 5, -.
4.1.5
, , . [intrusion detection system (IDS)] , .
IDS :
1. [Network intrusion detection systems (NIDS)]. O TCP/IP . DoS- (
). NIDS
.
,
,
. NIDS
. , NIDS
TCP- TCP-. NIDS , . , , , , . ,
NIDS
.
2. .

.
. , , ; ,
. , Tripwire, , , IBM Tivoli Risk Manager Tivoli
Enterprise Console.
: http://tivoli.tripwire.com/
3. .
.
124
. . ,

HTTP
(get) URL.
4. . , (, -, - Web-) . ,
.
, ,
. Web- HTTP-, -
,

. , ,
() , , .
-
Sametime IBM Working with
the Sametime Community Server Toolkit, SG24-6667, . 63-84.
IDS Lotus Sametime. ,
-
. , , ,
, IDS.
IDS ( ), IDS, , Purdue University COAST
(Computer Operations, Audit, and Security Technology):
http://www.cerias.purdue.edu/coast/ids/ids-body.html#systems
IDS , IDS
.
NIDS, ,
, .
IDS
,
(, -).
,
, cookies Web-,
/.
125
4.1.6

,
, . , . , ,

.
IBM Tivoli Tivoli Access Manager,
. IBM Tivoli Access Manager Tivoli , , IBM:
Identity Management Design Guide with IBM Tivoli Identity Manager, SG24-6996
Enterprise Security Architecture using IBM Tivoli, SG24-6014
IBM Tivoli Access Manager for e-business, REDP3677
4.1.7
.
, , DNS DHCP,
- . , , , ,
,
.

:
DNS;
- SMTP;
- FTP.
.
DNS
[domain name service (DNS)]
IP- ,
IP- .
126
, MX- , , SMTP- .
, ,
DNS, , DNS. DNS, , . , DNS
, DNS, . DNS
, IP-.
DNS , .
DNS
( NS) MX. , , , , DNS-.
,
.
. ,
DNS ,
, , Web-, FTP-
-. DNS
, ,
.
DNS ,
. ,
DNS.
,
, , , .
, - , DNS, ,
DNS.
DNS- ,
- . DNS . DNS, , IP-.
- SMTP
- SMTP ,
SMTP- ,
. - SMTP , SMTP,
SMTP- (, UNIX sendmail Domino).
127
SMTP, - .
- SMTP . - - . - , ,
. -
. .4-3 - SMTP,
SMTP .
DNS MX
(mail exchanger), smtp1
acme.com. smtp1 , smtp2.
DNS:
acme.com
acme.com
MX preference = 10, mail exchanger = smtp1.acme.com

DNS
()
SMTP1
FTP-
SMTP2
DNS ( -)
relay.acme.com
relay.acme.com

DNS
()
.4-3. - SMTP
128
, , -, relay.acme.com. DNS MX relay.acme.com,

-,
smtp2. , (). ,
smtp1 smtp2. ; smtp2 ,
smtp1. , DNS -,
. DNS , .
( ) - Lotus Domino 6 spam Survival Guide for IBM e-Server,
SG24-6930.
FTP
FTP- ,
File Transport Protocol (FTP).
(),
- . , FTP- ,
SMTP. , - SMTP .
,
, FTP (
). FTP- , , IP- , .
SSL
[Secure Sockets Layer (SSL)]
. . ,
, SSL. SSL (SSL record protocol) . , () SSL (SSL handshaking protocol),

129
, . SSL .
SSL. SSL SSL. :
1. .
2. .
3. , .
4. ,
,
( , ).
5. .
6. HTTP- HTTP- .
4.2
- ,
, Web-.
Web-, -
(, -, , , . .). , - . ,
, c
.
,
( ) Web- IBM.
, :
1. .
2. .
3. .
4.2.1 DMZ-:
. , ,
DMZ, (demilitarized zone).
DMZ 38- , 1953 .
130
.
, .
, .
DMZ T-
,
, .
DMZ . ,
(. 4-4).

( )
DMZ
( )
()
.4-4. DMZ
DMZ (, ) ,
(. 4-5). , ,
IP-.
DMZ

DMZ .
, , , (,
IP- ) .
, -
131
DMZ, , - .
DMZ .
.

. , DMZ -
.
, , DMZ, . DMZ .
,
, DMZ .
DMZ .
Firewall (filtering)
DMZ
()
.4-5. DMZ
DMZ- DMZ ,
, . : .
, .
Web- (HTTP) , , (FTP),
132
- (). - , , ,
, Web- , - -, . . . DMZ , .
4.2.2
,
,
.
,
, .

. ,
, .

,
. .
, , , , , , , , .

. , .
.

, (root). ,
,
, ,
. , UNIX-
( ); ,
, chroot jail1
. Google chroot
breaking out :
http://www/bpfh.net/simes/computing/chroot-break.html

, .
; UNIX-
chroot. . . .
133
, .
, , ,
.
,
-.
. , , -.
, , :
1. -.
2. -.
3. .
4. -.

, , . , ,

. , , . , ,
, , , ; , . , .

1. -
, , , .
, ,
. ,
; ( , ) , .
- :
- .
- -
.
- -. , , , .
134
2. -
, .
,
- (, DNS, -,
- c , -). - :
. ,
-.
.
,
. , - - ,
, .
IP- .
- -
.
, -,
.
.
.
-
.
, ,
.
( , , , ISDN, ADSL, VPN . .).
3.

, IP- .
- , , , . :
( RFC 1918), IP ,
- -.
135
.
-. ,
.
. .

T-.
.

.
( )
( -).

.
, .
4. -
IP-. . - :
IP- ,
, ,
.

.
.
, ,
-.
, T- .
.
( )
, -
136
(, ).
, ,
. , , .
, - .
- -, , . ,
.
, , .
,
/ .
4.2.3
. ,
. :
, ;
;
, ,
;
, ,
;

, .
.

? . , . ,
. , IP-
, . , . , ,
IP-,
137
. , .
, -
. ,
, . ,

. ,
.
.
,
, . T- ,
.
, ,
,
. ;
IPSec NAT- IPSec NAT-. , -, T-. ,

, T- . T- - .

, . , . ,
.
.
, -,
.
- T-, .
138

.
( ).
.
, ,
.

IP- , .
(NAT).
.
(VPN):
SSH (
);
.
( )
SOCKS V5.
, , .
.
.

, :
, , (). (. 4-6).
, . , . , , . ,
, .4-7
, .
,
. Cisco PIX ,
139
.4-6.
AUI
SERIAL 0
SERIAL 1
ASYNC 1-8
CON
AUX
2509

CISCO SECURITY PIX 535
F
E W
CATALYST 3550
SERIES
MODE
POW ER
SYST EM
RPS
11
STAT
UTIL
DUPLX
SPEED
10
12
AC TIVE
Cisco 3600
SERIES
( )
PS2
ACTIVE
FE
SYSTEM PS1
READY
0/0 0/1
(IDS)
11
13
15
17
19
21
23
10
12
14
16
18
20
22
24
CATALYST 3550
1
SYSTEM
RPS
STAT
UT IL
DUPLEX
SPEED
.4-7.
, , , ,
VPN, . ,
140
. ,
.
.
, (),
, .
:
HTTP, ;
DNS;
SMTP.

, .
,
, , ,
.
, , , .
4.2.4 :

,
, , . , .

. - .
. ,
,
.
,
. ?
, , ,
x y. ,
x y
. ,
. .
.
141
- . - , , -.
-, , , ,
, . - ; , - . .4-8 ,
.
()-()
()-()
()-()
.4-8.
, . ,
-.
- (firewall routers) .
, ( )
- . , - ( ) . -. , , -
142

.
.
.4-8: ,
. , -
- ( -). , -.
, ,
- . ;
, .
.4-9 .
- .

. , - -
IP
IP
-
(
)
IP -
IP 1
(
)
(
)

IP 2
IP
-
.4-9.
143
. ,
, ,
.
-, -. 2 1 . , , ,
- . ,
-.
Web- -.
-.
4.2.5
, .
, . , 1.3.3,
.
,
.

, .
-
() . - (challenge-response)
. .509
Notes.
LTPA cookie HTTP. .
, ,
.
-
, . .509 Notes. - (challenge-response). ,
, .
.
144

, ,
. , ,
SSL, Notes Domino Domino Domino
Domino.

1, T-.
, .

, , .
.
. , ;
. , IP-, ,
.
. , , .

.
-, .
, SSL . , . -
.
,
,
Secure Sockets Layer (SSL). ,
. -
145
- .
.
- -
, , .
,
,
. , . ,
-, . ().

.
4.2.6
4.2.3, , ,
, .
,
, .
, .
4.2.4,
: .
/
:
1. ;
2. ;
3. ;
4. ;
5. ;
6. ;
7. ;
8. ;
9. .
. 4-1 4-9
:
146
H ( ; );
(
, ).
.4-10 , , FTP .4-1.
-
FTP: X

FTP: H

.4-10. FTP - -
. . ,
.
1. - -
4-1 - - ()
HTTP
TCP
80
HTTPS
(SSL
TCP
443
FTP
FTP
DNS
TCP
TCP
UDP
20
21
53

X
X
80 , HTTP (DNS, SMTP ..)
X
X

443 ,

HTTP (DNS, SMTP ..)
X
H
FTP-
X
H
FTP-
X
H
H
X

147
2. - -
4-2 - - ()

TCP
25
H
SMTP
DNS
UDP
53
HTTP
TCP
80
HTTPS
(SSL)
TCP
443
( -
SMTP)
DNS DMZ-
NAT-,

NAT-,

H
X
3. -
4-3 - ()
HTTP
TCP
80
SSL
(HTTPS)
DNS
TCP
443
X
-.

X
-
UDP
53
LDAP (SSL)
TCP
636
SMTP
TCP
25
SNMP Trap
UDP
162
NTP
UDP
123
TSM/ADSM
Backups
TCP
1500/1501
H
X
148
-

:

(traps)

.
-
.
- ,

4. -
4-4 - ()
SMTP
SSH
TCP
TCP
25
22

H
H
X
X
LDAP (SSL)
TCP
636
DNS
UDP
53
HTTP
TCP
80
HTTPS
(SSL)
TCP
443

& ;
(
)
-
:
/
DNS
NAT -
/
NAT -
/
H
X
5. -
4-5 - ()
25
SMTP
TCP
UDP
53
NTP
SNMP Trap
UDP
UDP
123
162
H
H
H
H

/ IP-
DNS-,

TMR/GW/Netview
Netview.
(traps)
DNS
Domino
Replication
MQ Series
MQ (HACMP)
DB2
(JDBC -
DPROPR)
TCP
1352
TCP
TCP
TCP
1414
1415
37xx
H
H
H
H
H
H
/
/
3700-371x
H
X
149
6. -
4-6 - ()
FTP
FTP
DNS
SNMP
SNMP Trap
LDAP
DB2 Admin
LDAP (SSL)
TCP
TCP
UDP
UDP
UDP
TCP
TCP
TCP
20
21
53
161
162
389
523
636

X
H
X
H
X
H
H
H
H
H
X
H
X
H
X
H
Domino
Replication
MQ Series
MQ (HACMP)
DB2
(JDBC - DPROPR)
net.commerce
ESM
TCP
1352
TCP
TCP
TCP
1414
1415
37xx
X
X
X
H
H
H
TCP
TCP
X
H
H
X
Tivoli
TCP
4444
5599,
5600,5601
20001
zOS/390
zOS/390
/
/
3700-3719
ESM Mgr Agent Access 5599,

ESM
dmproxy-
H
X
7.
4-7 (-)
HTTP
TCP
80

X
X
HTTPS (SSL) TCP
443
LDAP
TCP
389
LDAP (SSL)
TCP
636
Domino
Replication
TCP
1352
H
X
150
/XML
( )
/XML
( )
(
)
(
)
(
)
8. -
4-8 - () NAT/PAT
HTTP
TCP
HTTPS (SSL) TCP
80
443
NAT/PAT
/
NAT/PAT
/
H
X
9. - -
- -
, , ,
. , - , . , IBM.
, HTTP-
- -, HTTP-.
80 443 - HTTP-.
.4.9 , . ,
, ,
.
4-9 - - ()

TCP
25
SMTP
DNS
UDP
53
HTTP
TCP
80
HTTPS
TCP
443

X
X
SMTP-
X
X
DNS
X
X
Web-
X
X
Web-
H
X
4.3
.
.
151
,
, . .

,
. , :
1.
, .
2.

.
.

. :
1. . ,
- -.
2.
.
.
4.3.1
, . Acme Web- . Lotus Domino. WebSphere. ID , () LDAP.
URL- Tivoli Access Manager.
Acme [ ,
()] . , [ , ()],
. , .
152
.4-11 .
.4-11 , .
.
( )
IP
WebSeal
WebSeal
6
Tivoli Access Manager

2
DNS
- 1
- 2
11
8
8
Websphere
Websphere
Domino
()
Domino
()
10

IBM (LDAP)
12
Websphere
()
.4-11.

153
,
/ . ,
URL-, URL DNS-. URL IP-, IP- - 1. 1
HTTP GET ,
-. ( LTPA), Tivoli Access Manager ( 2) .
(ID , 3),
, Tivoli Access Manager ( 4). Tivoli Access Manager
LDAP ( 5), , - LTPA
GET ( 6) ( 7). WebSphere Domino (8). , , . , , .
1.
-. - LDAP (SSL, 636) Tivoli Access Manager. ,
-, - Tivoli Access Manager,
SSL. LDAP SSL -
. , SSL (-) X.509 .
2. Web- - . SSL, ;
, SSL
- .
-
HTTP . 80 - 1 Web-
1.

Domino . ( 9 .4-11)
Domino Domino ( 10). -
154
Domino ( 11). ,
, :
(Notes ID ) ; -
. Domino ,
.
, . . , .
, ,
, . .
- ,

. , , , , ,
.
4.4
, :
;
;
;
.
, :
1. -.
2. -.
3. .
4. -.
,
, .
,
, .
,
.
155
(IP)
.
( ).
.
NAT ( ).
.
.
IPSec, SOCKS, .

DNS .
- .
- SMTP
.
- ( -)
IP-.
- .
( DoS-
).
(SSL).
.
.

.
.
.
HTTP-.
156
5
-

. , ,
, ,
.
-.
- ( ) ,
.
IP-,
.
( ),
, . , ,
.
-
157
5.1
proxy, , , . , proxy - ( -),
.
,
-,
( ) . ,
, , , ,
. https- 443 http-
80.
,
, , , , ( ) . .
( ), ,
- .
, . ,
( )
() , , ,
.
() . , ,
,
.
5.2
, .
,
( bind), .
, ,
. ,
, , .
, . , ,
158
,
. Notes, Lotus Notes
Notes .
,
-.
5.3
, . , -. , - .
.
, , :
(forward proxies);
(transparent proxies);
(caching proxies);
(security proxies);
(reverse proxies).
5.3.1
-,
,
, ( ) (
, , - ).
, ( )
. .
,
Web- .
( , ) - WAN- ( ),
.
-
159
5.3.2
-, ,
, . Linux/UNIX ,
, . , () , , ,
, .
, ,
, , ( : HTTP) . , proxy.mydomain.com, proxy.mydomain.com, . , (HTTP),
.
, ,
, .
,
. , , , ,
, .
, , .
5.3.3
, , -, , . , , .

, ,
. ,
, , . HTTP- HTTP
cache.
. ,
IBM Edge Server: IBM
Caching Proxy. .5-1
-.
160
1
2
1
1 -
2 -
3 -
4 - /
5 -
6 - Web-
.5-1. ,
5.3.4
- .
( )
.
-. , .
, , - , .

[plug-in ()] ( , IBM Tivoli WebSeal Plug-In IBM WebSphere Edge
Server). , , IBM Tivoli Access Manager for
e-Business, .
4.1.6, .
5.3.5
,
.
, , -
-
161
4
5
x

z

.5-2.
(
, ) , , . ., .
:
!
.

, . -. ,
, .
, , ,
.

. ,
.
,
, .
, .
162

, .
,
. , ,
. , Web- .

[Reverse Proxies Secure Servers (RPSS)] ( ) , .
RPSS
, , .
(blade). ,

IBM Tivoli Access Manager; ,
(WebSeal , WebSeal-lite).
5.4 Lotus
Lotus Domino . Lotus Sametime.
.
Domino
Lotus Domino (Notes/Domino, iNotes, QuickPlace . .).
5.4.1 Domino
, ,
Domino . ,
HTTP.
Domino , .
, ,
, ,
Java- . , Domino
blade () , .,
, IBM Blade Center. . . .
-
163
, -
. - Domino
:
?OpenImageResource
?OpenElement&FieldElemFormat = gif URL
IBM WebSphere Edge Server
(Last Modified Factor).
5.4.2 HTTP-, Domino

HTTP (HTTP Methods) -
, -. , , Domino GET, HEAD
POST. .
5.4.3 URL, Domino

Domino

, Domino. -.
requests for /* go to http://xxx.xxx.xxx.xxx/*
,
,
, .
,
, -
Domino, HTTP.

. ,
Domino, iNotes, :
requests for /mail* go to http://xxx.xxx.xxx.xxx/mail*
requests for /iNotes* go to http://xxx.xxx.xxx.xxx/iNotes*
requests for /inotes5* go to http://xxx.xxx.xxx.xxx/inotes5*
requests for /icons* go to http://xxx.xxx.xxx.xxx/icons*
requests for /domjava* go to http://xxx.xxx.xxx.xxx/domjava*
requests for /names.nsf go to http://xxx.xxx.xxx.xxx/names.nsf
164
/mail*. , ( , /mail[1-3]), .
, , , /pubmail/*.
,
iNotes Web Access.
, ,
/names.nsf, .
Domino Directory, ,
.
URL- Domino . Domino,
/names.nsf?Login. -
Domino. , ,
(Groups) /names.nsf/Groups?Openview /names.
nsf/85255ed5006cafef852556d4006ca21c?OpenView, Domino, - , .
403, .
URL- Domino
- URL, -,
URL .
URL ( IBM WebSphere Edge Server SignificantUrlTerminator)
Domino, URL- Domino ? - URL- .
URL, Domino, :
SignificantUrlTerminator ?OpenImageResource
SignificantUrlTerminator ?OpenElement
SignificantUrlTerminator /?OpenImageResource
SignificantUrlTerminator /?OpenElement
Domino
ReversePass ( ) - 302 Domino
. URL- , , , :
ReversePass http://xxx.xxx.xxx.xxx/* http://proxy.formymailserver.
web/*
-
165

Domino
- Lotus Developer Domain
(LLD) Web- iNotes - WebSphere Edge. LDD :
http://www-10.lotus.com/ldd/today.nsf/62f62847467a8f78052568a80055b380/ ff0e8350
68e03c3685256cda0054a213?OpenDocument&Highlight=0,reverse,proxy
5.5 Lotus Sametime 3.1

Lotus
- , Lotus Instant Messaging and Web Conferencing (Sametime) 3.1.
- HTTP Sametime 3.1, ,
Lotus.
Sametime 3.1 Sametime 3.1 Administrators Guide,
.
Lotus Developer Domain :
http://www.lotus.com/ldd
5.5.1 Sametime 3.1

Sametime 3.1 -, - Sametime
Sametime. Sametime, Sametime
, -.
-
. Sametime -
- Sametime.
- .
5.5.2 -
,
- Sametime 3.1.
URL ( id)
Sametime -,
(affinity-id)
166
( ) URL-, . , -
URL :
http[s]://hostname:port/affinity-id/
hostname
(FQDN) (DNS-) -, affinity-id
, -.
URL
http[s]://reverseproxy.ibm.com/st01/stcenter.nsf
st01
(affinity-id). id Sametime
(, sametime.ibm.com), . id -
Sametime.
-
-
, Sametime
-, :
-
DNS-
.

, - reverseproxy.
ibm.com, - reverseproxy.ibm.com. - DNS, Sametime
Sametime, -. Web- -
, (, IBM WebSphere Edge Server).
-
.

-
URL-, Web- -,
Sametime. URL URL- Sametime -, Sametime
Sametime, -.
-
167
- cookies
-, URL- , . - HTML URL-,
.
-.
- ,
URL-
. Sametime -,
.
,
cookies. ,
cookies ,
-.
cookies
- cookie . , cookie
,
Sametime, -.
5.5.3 Sametime
-
Sametime 3.1 -,
Sametime.
JVM
Sametime Sametime -. :
Sametime Meeting Room Sametime Broadcast.

Sametime Meeting Room Sametime Broadcast Sametime - ,

Web- Java- [Java
Virtual Machines (JVM)]:
IE 6 + MS VM Sun Microsystems JVM 1.4.1 + Java Plug-In;
Netscape + Sun Microsystems JVM 1.4.1 ( Java Plug-In).
Sametime Connect (Java- Sametime Connect) Sametime Links,

Sametime.

168
Sametime Connect Sametime Links

Sametime -
, Explorer 6 Netscape 7,
Sun Microsystems JVM 1.4.1.

Sametime Connect Sametime Links

Java, Internet Explorer Microsoft.
. Sametime Connect (Microsoft Windows-

Sametime Connect) Sametime,
-.

Sametime -, :
/. /-
Sametime, Sametime
-.
TeamRoom Discussion. , Sametime -, Sametime TeamRoom Discussion.
Sametime Administration Tool. , Sametime -, Sametime Administration Tool.
Sametime Administration Tool
Sametime Web-. Sametime Administration Tool
Sametime
, HTTP- -.
Sametime Enterprise Meeting Server.
Sametime 1.0 Enterprise Meeting Server, Sametime
3.1, -.
5.5.4 SSL,
Sametime - [Secure Sockets
Layer (SSL)]. SSL , Sametime -. Sametime .
. Web- SSL, Sametime

,
Web- HTTPS Sametime HTTP.
-
169
SSL Sametime, Sametime Java Plug-in Web- ( , . .). Java Plug-in - SSL, SSL.
, , , Java Plug-in, .

- SSL, SSL- ( handshake) Web- SSL . Web- Java 1.4.1
Plug-in (Signer certificate),
(Certificate Authority (CA)), .
Java Plug-in
, . Java Plug-in 1.4.1 Java Plug-in :
1. Windows [Start () Settings
() Control Panel ( )].
2. Java Plug-in 1.4.1 Java Plug-in.
3. Certificates ().
4. Signer CA ( ).
( ) SSL- , - Web- , (CA) .

-
, Java Plug-in 1.4.1 . Java Plug-in Certificates () Java Plug-in.
:
1. Windows
[Start () Settings () Control Panel ( )].
2. Java Plug-in 1.4.1 Java Plug-in.
3. Certificates ().
170
4. Certificates () Secure Site ( ).

5. Import () .
5.5.5 -
Sametime
Sametime -, - .
- ( ) URL-, -, URL Sametime.
Sametime -,
, Sametime .

Sametime HTML . - URL- HTML-, Sametime.
Java- Sametime, Web- , Sametime.
-,
- URL-, Java- Sametime.
, - ( ) URL-
Sametime.

-, Sametime,
URL- (affinity-id) (
).
, URL- Web-
http[s]://reverseproxy.ibm.com/st01/stcenter.nsf
- id st01 Sametime, sametime.ibm.com,
id - URL-
:
http[s]://sametime.ibm.com/stcenter.nsf
-
171
Sametime, -, Sametime id, :

http[s]://sametime2.ibm.com/*
/st02/*
http[s]://sametime1.ibm.com/*
/st01/*

Sametime
URL-, Sametime, .
- URL, Sametime, . , ,
URL- Web-:
http[s]://reverseproxy.ibm.com/st01/*
URL- Sametime:
http[s]://sametime.ibm.com/*
,
URL,
Sametime -.
,
Java-
URL-
Java- Sametime Web- Community Services, Meeting Services, Broadcast Services Sametime.
: Community Services, Meeting Services Broadcast Services.
Community Services
,
Java- Community Services.
URL- Java-
http[s]://proxy.ibm.com/st01/communityCBR/
http[s]://proxy.ibm.com/st01/CommunityCBR/

URL- :
http://sametime.ibm.com:8082/communityCBR
http://sametime.ibm.com:8082/CommunityCBR
172
. Community
Services ,
. Java- communityCBR ,
Java- CommunityCBR .
,
.
Meeting Services
,
Java- Meeting Services.
URL- Java-
http[s]://proxy.ibm.com/st01/MeetingCBR/

URL- :
http://sametime.ibm.com:8081/MeetingCBR
Broadcast Services
,
Java- Broadcast Services.
URL- Java-
http[s]://proxy.ibm.com/st01/BroadcastCBR/

URL- :
http://sametime.ibm.com:554/BroadcastCBR
HTTP-, Java-
Sametime HTTP- 80.
Sametime HTTP 80,
Sametime (Community Services,
Meeting Services Broadcast Services), .
HTTP- 80 , Sametime
HTTP-
. , .
Sametime HTTP- 80, Sametime .
-
173
,
Sametime, Sametime
Sametime.
HTTP- 80, Community Services Sametime HTTP- HTTP
Services, Community Services, Meeting Services Broadcast Services Sametime.
Community Services
( 80).
Sametime ( HTTP- 80), Java- . Java-
Sametime ,
.
,
URL- Java- Sametime:
http[s]://proxy.ibm.com/st01/*
- URL-:
http://sametime.ibm.com/*
. Sametime HTTP-
80, ,
Community Services.
5.5.6 Sametime 3.1

Sametime 3.1
, Sametime Sametime Administration Tool Sametime -.
, Sametime HTTP-.

HTTP-,
HTTP.
174
Configuration ()
Sametime Web Admin Connectivity (). Reverse Proxy Support ( ).
-,
(junction name)
Server Alias ( ).
Reverse Proxy Discovery ( )

.
Sametime ,
Sametime -. .
. ,
- Sametime -.
Sametime
.
. , Sametime
-, Sametime
Sametime.
5.6

, - Lotus IBM.

- .
, URL-, HTTP, . ., , .

Domino Web Access (iNotes)
iNotes Web Access
, Web- Lotus Developer Domain
http://www-10.lotus.com/ldd/today.nsf/
62f62847467a8f78052568a80055b380/
a96b7591a013173185256c79005c1af3?OpenDocument

( , ) ,
, ,
, .
-
175
(client affinity) (sticky sessions). cookies,

.., - . Network Dispatcher WebSphere Edge Server IBM.
: ,
. ,
(gracefully transition).

. , ,
, .
, ,
, . ,
, . .

, ,
- ,
. , IP-, .

( )
NETSTAT.
netstat
an
find LISTEN
TCP
0.0.0.0:8080
find
80801
0.0.0.0:0
LISTENING
0.0.0.0:8080 ( *.*:8080) () , , , TCP/IP-,

. , , IP-,
.
, . ,
127.0.0.1:xx , ,
IP- .
1
176
UNIX find grep. . . .

, , , , , , .
-, ,
[single sign on (SSO)],
, ,
Sametime.
Lotus ,
,
.
. ,
, , - (
-)
, :
, .
( ),

, ,
, .
, ,
(no-cache)
(expires), Web-.
IP-
- IP-
. , , IP-.

HTTP . ,
IP- .
HTTP, IP- . ,
.
-
177
DNS
-
DNS. , -
IP- , . , , .

, - ,

. -.

, - , /
(), .
.

, , , . ,
, .
5.7
- , . ,
.
IBM Lotus.
4, ,
.
178

, ,
[public key infrastructures (PKI)],
Notes Domino.
PKI Notes Domino,
PKI, Web, , .
(Certificate Authorities)
(Registration Authorities),
. , ,
Domino .
, SSL, ,
SSL .
SSL
Domino .
179
6.1 Notes

(PKI) Lotus Notes Domino. :
PKI Notes , . , PKI ,

.
, Notes Domino, , , PKI.
. 1
, .
: (confidentiality), (authentication) (identification), (integrity) (non-repudiation).
, Notes Domino . , ,
.
Notes
6.
6.1.1
PKI, Notes Domino, ,
.
, . Domino (Domino
Directory). Notes Domino Notes ID.
, Notes
Domino. ,
, , . . Notes Domino Notes
Notes ID.
180
6.1.2
Lotus , :
(flat certification). Notes 3 (hierarchical certification).
, , .
5; 5 6 .

Lotus Notes, ,
6, Lotus
.
. .
Lotus Notes.

:
ID , ID Notes.
,
ID Notes.
Notes ID,
(Public Address Book).

.
, ,
, .
,
. , ,
. , ,
. , ,
, .
! ,
. -
181
, , .
, , , .
Lotus Notes Domino 6 (ID) , ID
Notes R4.

, ID , ,
,
.
,
, .
, , .6-1.
Acme, , , .
,
.

Acme
.6-1.
Switzerland/Acme.
, RSA- (/).
Switzerland/Acme. , ID
Switzerland/Acme.
182
. //Acme. ,
RSA- (/).
//Acme. , ID
//Acme.
,
.

() .
Acme o=Acme.
ou=Switzerland/
o=Acme. ou=USA/o=Acme,
ou=East/ou=USA/o=Acme.
cn=Sandy/ou=Switzerland/
o=Acme.
cn=Dave/ou=East/
ou=USA/o=Acme.
, ,
ID ID .
, ,
. ,
,
Acme. ,
,
(crosscertification), .
, ,
, , [ (ID) , ] :
;
;
Notes ID;
.
183
6.1.3 (ID) Notes

Notes (ID)
Notes. Notes ID ( ), , , Notes (PKI).
Notes ID.
ID- ,
Notes ID , , . Notes ID:
ID- (Certifier ID). , ID. :
ID- () ID- (OU) (organizational unit). ID- ; . ID ( ) ID-
.
ID: ID-
Notes ID1.
ID- (Server ID). ,
, Domino. .
ID- (User ID). , Domino.
.
ID- ,
. -
, . Domino 6, Domino 6 CA,
ID- Notes .
Domino ID . ID-,
:
. ID- . ID- .
184
: ID . . . .
.
, Domino
Notes: .
Notes ID- . Notes, ,
, ID- . , ID , , ID . , :
,
, .
630. (primary keys). Notes 6 Notes.
,
.
512 . Notes 6
Notes.
. (
).
. Notes ,
, , ID , .
(.) .

.
(, Notes.) -. -
SSL,
S/MIME. - [Certificate
Authority (CA)] . , -, . .
, ID , , , ,
. , ,
, .
.6-2 Notes ID, (
Notes ID), (
ID ).
185
:
1.
,
ID. Notes , ID (,
).
2. , Notes, . Notes ID ,
ID . Notes ID, Notes .
ID

#
Notes
()
()
.6-2. Notes ID
Notes
Lotus Notes Notes, Notes ID.
, ,
Notes.
, , , Notes
ID, .
Notes, -
( Notes).
Lotus Notes Lotus Domino,
Domino , ,
. Notes Domino . Notes Domino, Domino
.
.
Notes, Notes ID, , :
186
, .
, .
, Domino, ID.
Notes , ,
ID.
.
.
, , .
.6-3 Notes Notes ID.
Notes ID
ID

#
Notes
()
()
Notes
.6-3. Notes
, Notes ID. Person (), Server () Certifier ( ) Domino (Domino Directory).
Notes ID, , ,
Notes (/).
.
, Domino
Notes ID .
Notes , Notes ID .
,
Notes ID ,
.
187
. ID
Notes ID -. ; ,
Notes Notes ID.

Notes, ID
:
Notes.
Notes, ,
Notes Notes Domino. Notes ( ,
, Notes
). Notes.
Notes. . ,
, .
, . ID
(User ID), .
. Notes 4.6 , ,
.
. 5
Notes Domino ,
:
Notes ID ,
Notes 5 .
Notes
, ID Notes
: File () Security ()
User Security ( ) [ Macintosh
Notes Security () User Security ( )].
Notes ID Your
Identity ( ) Your Certificates ( ). Notes. Your Notes
Certificates ( Notes), .6-4, , Notes,
Notes Notes.
188
.6-4. Notes Notes ID, Your Notes Certificates ( Notes)
.6-5 Notes All Notes Certificates ( Notes)
189
Notes
All Notes Certificates ( Notes), .6-5, ID Notes, Notes, Notes (Notes CA),
.
, R5.0.
Notes ID
. ,
Notes, .6-5.
, Frederic Dahm/Switzerland/IBM,
Frederic Dahm, Switzerland/IBM.
; . , /Switzerland/IBM,
, , , IBM. , /IBM
IBM (
).
-
Domino Notes 5.0 x.509 v3. , 5 6, Notes , Domino 6, x.509 v3
Notes ID.
Your Internet Certificates ( -), All Internet Certificates ( -). All Certificates ( )
Notes x.509.v3. ( - ).

Notes ID, , Notes. Notes. , , Notes
ID ( .6-2) Notes ID.
, .
.
, , , . , , , ,
190
, . , ,
.

R5.0 Notes ID Notes .
, .
, , .

(ACL) . ,
,
.
, . , ACL
ACL , .
Notes,
5. , :
Notes/Domino , ;
Notes/Domino
, ;
Notes ID-,
.
6.1.4 Notes
Notes ID .
Notes ID
; .

, ID Notes , Notes ID .
Notes ID
.
Notes ID .
ID Notes
. ,
ID.
191
Notes ID, . , ,
ID.
Notes (
6) Notes ID,
ID
.

ID Notes
( ). 4 6 Notes.
, Notes .

30. .
Notes
.
4 5 . 6
, (, ,
, . .),
. .6-6.
.6-6. Notes
, ,
Notes.
. , ,
Cancel ().
,

. ( ,
, .)
192

ID Notes ID .
, Notes ID
( , ).
, , .
Notes ID , Notes ID ( , ) .

(, ).
, Notes ID . ,
Notes ID , ,
Notes ID . ,
, ID .
. ,
ID Notes ID Notes.
ID Notes .
Notes ID , Notes ID.
:
1. Domino Administrator Configuration () Certification ().
2. Edit Multiple Passwords ( ).
3. Notes ID, , Open ().
4. Notes ID ( ).
5. , Notes ID,
:
) Authorized User ( ).
b) New Password ( ).
c) Confirm Password ( ).
d) Add (). Notes ID.
6. , Notes ID.
, Notes ID.
7. OK.
193

Notes
,
. , , (, ,
).
Notes Domino Notes ID
.

; , . ,
. (, 3-%9&4#_6!), .
, - (, password), .
,
, , ,
. , , , , ,
.
Domino 5 ,
. Notes 5
.
:
. , Change Password ( ).
. , Change
Password ( ), (0 , 16 ).
, . ,
, .
,
(, ,
), Notes .
ID , , , ID-, Notes 6, Notes.
194
,
.
Domino 6 , . , , . ,
. ( Lotus Domino 6 Lotus Domino 6 Administrator Help.)
Domino 6, , ,
, ID.
,
Your
Password is Insufficiently Complex ( ).

4.5 Notes , 6.
, , , Person.
, Person .
50 , .
,
, . / , ,
.
, Lotus
Notes RSA. ,
- ,
ID .
Domino Directory , , ID-.
, Notes,
Domino 4.5 . , , 4.5, . , ,
195
,
. ,
, , ID
.
Notes ID Notes ID
Notes ID
5 6.
Notes ID, ,
Notes ID.
Notes ID , , ,
Notes ID .
ID. ID, -
, .
(Recovery Authorities) ( [Registration Authorities
(RA)], Notes ID, ( ) Notes ID.
, ,
ID.
Notes ID,
.
,
Domino, .
Notes ID ,
ID-. Notes ID , .
, , Notes ID, .
Notes ID ,
(,
- CD-ROM),
, , , , ,
, . .
Notes ID 4. Notes Escrow Agent ( ).
, , ,
196
Notes ID ( ) . ID.
, Notes . Escrow Agent ,
Notes ID, Notes ID , . ,
.
, , .
Notes ID
Notes ID .
,
, Notes ID, ID ,
.
ID
Lotus Domino 6 Lotus Domino 6 Administrator Help.
Notes ID
Notes ID Notes ID
, ,
Notes ID . (RA) Notes ID Notes ID.
, Notes ID .
Notes , Notes ID , ,
,
ID . Notes ID .
Notes ID
Lotus Domino 6 Administrator Help.
6.1.5 Domino
Notes ID ( ID ,
) Domino,
Notes, Domino (Domino Directory).
Domino Person , ,
, Notes.
.6-1 Person.
197
6-1 Person Domino
Basics ( )
Mail ()
Certificates ()
Administration ()
; ; ; ;
; ; -
; ; ; ;
Notes; ;
; ;
; (grace period);
; ; ;
; ;

;
(Person)
Acme
Acme
Acme
Domino
Domino
.6-7. Domino
198
. ID Notes,
, Person.
, Domino ,
ID Notes .
, Domino Server, , Person, .
, Domino Certifier. .6-7 , Domino
.
6.1.6 Domino
, Domino, , .
.
Domino Domino.
Domino Domino , Domino.
Domino , ,
. , Domino
.
.
6.1.7
,
,
. , , ,
, .
,
Domino ,
Domino . , .6-8, Acme
Widget .
, , , . ,
, ; , , .
199
Acme
Widget
Domino
.6-8.
,
Domino, .6-9.
Acme : Sprocket Widget. (
Acme), , Sprocket
Widget.
, / ,
, ( Domino)
. ,
Domino, 6,
, . ,
.
Acme
Sprocket
Sprocket
Widget
Widget
.6-9.
200
6.1.8 Notes
Domino : Notes- -. Notes
, -
.
Notes , . ,
, , .
Notes?
, ,

, .
,
(
, , ).
:
? , , - ,
.
Notes Domino .
.
,
().
, , Notes
. Domino
Domino. Domino
Notes
(Personal Address Books).
, .
201

. , :
( );
;
.
, ,
.

. ,
,

.
, , .
, . ,
.

, ,
.

(ACL) .

, , , Widget Acme, .
,
.
:
1. Acme (/Acme) Widget (/Widget)
Domino Acme.
2. Widget (/Widget)
Acme (/Acme)
Domino Widget.
202
(:
Acme Widget ). .6-10.

.
Cross-Cert
Acme
Widget

.6-10.

, .
, Acme Widget , ,
, .

, .
:
Acme
Widget
/ /
.6-11. ()
203
1. Acme (Server/Acme) Widget (Server/Widget) Acme.

2. Widget (Server/Widget)
Acme (Server/Acme) Widget.
(:
Acme Widget ). .6-11.
.

.
, Acme Widget
, . Widget Acme
Acme, Acme , Widget,
Domino.
,
, Acme
Widget.
:
1. Acme (Server/Acme)
Widget (/Widget) Acme.
2. Widget (/Widget)
Acme (Server/Acme) Domino
Widget.
Acme
Widget
/
.6-12.
204
(:
Acme Widget ). .6-12. Acme
Widget, Acme Widget.

Domino 6,
Lotus Domino 6.
6.1.9
.
, . 1, .
, 1. ,
, , , .
, ,
, , .
. , , , ,
, ,
.
, , .
, ,
. , . , ,
.
, . , Notes Domino.
:
-, Domino .
,
.
Notes, Domino.
205
,
. , ( ).
,
Notes Domino.
, Notes . ,
/ ID /,
.
Notes , ,
,
(PKI) Notes, , Notes.
. Notes ,
, Notes Domino.
,
, .
6.1.10 Notes
, Lotus Notes Domino
1352 TCP
Notes [Notes Remote Procedure Calls (NRPC)]. , ,
Domino Notes.

Notes
. , (validation), . ,
.
Notes
:
1. , Notes ID.
2. , , .
3. ,

.
206
1.
,
.
. ID ,
, .
, Notes ID ( , , ). .6-13.
Widget
Notes ID
Widget
Widget
Widget
Widget
Notes ID
.6-13. Notes Domino

.
1. ,
Notes ID , Widget.
,
.
2. Widget Notes ID
. ( 1,
, Notes ID .)
3. Widget ( ,
Notes ID ) , /Widget . ( 2,
, , , .)
207
4. , Notes ID , .
5. /Widget, , , //Widget . ( 3, ,
.)
6. .
, .
2.
,
. . , ,
.
, , ,
, . , ,
. ,
Notes ID
10
11
.6-14. Notes Domino
208
12
(, , ).
, , ,
, , , , , .
/
.
, ,
, .6-14.
, , , .
.
7. .
8. .
9. .
10. .
11. .
12. , , , .
, . /, .
, . RSA-
-. , , .

, , . ,
,
.
. Domino,
,
. [
(User Activity).] , . ,
. . . .
209

.
,
, . , -

.
, Domino, , , ,
, . ,
, .
,
. / .
.
,
Domino Notes
Domino.
1. Domino Administrator Configuration () Server ().
2. Security ().
3. Security Settings ( ) Allow anonymous
Notes connections ( Notes).
4. .
5. Anonymous () (ACL) , .
Reader (). Anonymous ACL,
Default ( ).
6. , .
, .
, ,
, :
Server X cannot authenticate you because: the servers Address Book
does not contain any cross-certificates capable of authenticating you.
You are now accessing that server anonymously. ( , : , . .)
210
6.1.11
, . (data integrity), .
, ,
,
[ (tampering)].
, ,
.
. ,
. ,
. , ,
, .

, Notes.
. ,
. ,
, .
, Notes,
RSA-, . , Lotus Notes, .6-15.
3
1
=?
d
e
.6-15. Lotus Notes
211
.
1. Notes. Notes,
, Sign (), ( MD5)
( d digest).
2. Notes RSA-
( RC2), , RSA-
.
3. .
4. Notes RSA-
( RC2) ( d).
5. Notes
( MD5, d).
6. Notes ( d)
( d), ,
. ,
. , ,
.
, , Notes ,
, . Notes , .
:
1. , .
2. , .
, , .
6.1.12
, , (confidentiality). .
, , ,
[ ,
() ]
.
, , , , .
, , , ,
, .
. ,
212
, . : , . ,
T- , , . ( ,
, , .)
T-
, , , Notes.
Notes.
Notes . , Notes ,
. . Notes ,
. ,
. ,
Notes Domino ,
, . Notes RC2 RC4.
Notes.
Notes ID / . 5.0.4
, . , 512- RSA- 56- ,
, .
.

, Domino, Domino Administrator, Domino Designer, Lotus Notes (North American), (International) (France) Global () .
, .
, , -
213
. Notes .

Domino Notes,
ID. , .

. , (d 5.0.4 ).
.
Register New User ( )
ID. ,

. .
Lotus ,
.
. .

.
Lotus
, ,
,
.

, ID Notes Domino,
. .
ID.
, ID.
, , 5.0.4.
, Lotus Notes
ID.
. , .
5.0.4. 5.0.4 , , -
214
ID . ID .
5.0.4. Lotus Notes,
Domino, 5.0.4 , , . , , Notes Domino 5.0.4,
ID; . 5.0.4
ID,
ID. ID, ID.
ID , Notes Domino.
Notes Domino .
Notes ID
Notes ID. , .
1. Notes ID ( , Notes ID ,
), , , ( ID, ).
2. Notes ID , Notes
ID . Notes ID , , Notes ID , (, ).

, Lotus Notes , ,
. ,
Lotus Notes, .6-16.
,
. .
1. Notes
. Notes, , Encrypt (),
215
( ,
,
, Notes), .
2. Notes ( RC2) , ,
RSA- .
.6-16. Lotus Notes

3.
Notes.
4. Notes RSA- ( RC2)
. , , ,
.
5. Notes
( RC2), , .
:
Notes ( ,
Notes ID , , , ),
.
, , S/MIME, . S/MIME .
216
Notes
Notes, Lotus Notes
. , ,
.
ID
,
. , , ,
, , .

, .
. ,
,
.

.
File () Preferences () Ports () .
6.1.13 Notes PKI

Notes
(Notes PKI) , Notes Domino ,
, Notes, . PKI Lotus Notes, Notes
, ,
, PKI .
Notes Domino , , , Notes Domino
- ,
.
217
6.2
,
, , ,
. , ,
.
Notes, ,
.
PGP X.509. Domino X.509,
.
-
1996 . Domino 4.5.
Domino,
Domino 6.
, 11,
Domino/Notes 6.
6.2.1 -
, , -.
, .
,
STD RFC, . ,
, .
- IETF (Internet Engineering Task Force). ,
- (Internet Drafts),
[Requests for Comments (RFC)], [standards (STD)]
IESG (Internet Engineering Steering Group).
(STD)
, -, ,
(standards track). (Proposed
Standard), (Draft Standard) (Standard).
(Proposed Standard), ,
, , , , -
218
, . .
, .
,
, (Draft Standard).
, . , .
,
, - (Internet Standard).
- [ (Standard)] ,
-.
, -
, , .
- IP (Internet Protocol).
- STD . , STD1, .
STD RFC
RFC. STD , RFC, RFC . , ,
RFC, .
(RFC)
[requests for comments (RFC)] 1969 .

,
- UNIX-. RFC , - RFC. , RFC RFC 822,
(e-mail) .
RFC, IFTF ,
RFC;
, RFC . RFC .
RFC , , , ,
219
, , (ANSI).
RFC .
, , ,
,
, . RFC.
RFC , 1 .
, RFC; , , ,
, ,
.
STD RFC
STD RFC , .
Web- IETF, URL-:
http://www.ietf.org
RFC :
http://www.ietf.org/iesg/1rfc_index.txt
. RFC , :
http://www.ietf.org/rfc.html
RFC RFC RFC
2026 The Internet Standards Process, Revision 3 ( -, 3).
STD RFC
RFC -. RFC
. ,
RFC.
,
,
RFC
.
. RFC, , RFC
1796, Not All RFCs are Standards ( RFC ), :
http://www.faqs.org/rfcs/rfc1796.html
220
, , Domino -, STD RFC.
6.2.2 (PKI)
, PKI ,
PKI.
PKI ,
, . PKI

, .
:
SSL (Secure Socket Layer);
S/MIME (Secure Multimedia
Internet Mail Extension);
IPSec (IP Security);
SET (Secure Electronic Transactions);
PGP (Pretty Good Privacy).
, ,
, .
(PKI),
.6-17, :
[End Entity (EE)];
[Certificate Authority (CA)];
[Certificate Repository (CR)];
[Registration Authority (RA)];
[Digital Certificates (X.509 V3)];
.
[End-Entity (EE)]
PKI
, .
, PKI ,
PKI. ( , , - ) , ( , ).
[Certificate Authority (CA)]

[Certificate Authority (CA)] ,
. ,
221
( ), (). , , (security domain), -

(CRL)
X.509
X.509

, ,
X.509
& CRL
.6-17. PKI
,
. :
, .

.

().
.
222
, , ,
, . (RA), . .
, . ,
, . , , ,
.
, ,
, , . , , . , , ,
.
, HTTP- SSL Web- ,
( Trusted Roots Trusted CAs), , ( ) VeriSign, Entrust,
Thawte, Baltimore, IBM World Registry . . Web- ,
CA,
, , CA- .
, , :
.
, , .
. RA, .
(,
, . .).
(). , . , .
. , .
223

. , ,
.

. . , CA
[Certificate Revocation List (CRL)].
, , CA . ,
, CRL .
(CR)
[Certificate Repository (CR)] CRL.
CR ,
PKI.
X.509 X.500,
CR (Directory),
LDAP (Lightweight Directory Access
Protocol), LDAP v3.
LDAP ,

CR CRL. LDAP
, , , bind, search
modify unbind. LDAP, CR, [ (Schemas)].
CRL,
CR, . ,
, CR,
,
CR. : , ,
, ( ),
. Domino
Domino (Domino Directory).
224
(RA)
[Registration Authority (RA)] . RA CA.
, RA, ,
CA CA. CA RA. , RA , , . RA
CRL.
6.2.3 X.509
(
) X.509.
,
, ITU-T X.509 ( X.509
CCITT).
X.509 -,
, , , :
SSL (Secure Sockets Layer);
S/MIME (Secure Multipurpose Internet Message Extension).
X.509?
X.509 X.500.
X.509 , .
.
X.509
. X.509 , , RSA .
X.509
RFC, [Privacy Enhanced Mail
(PEM)] , 1993 .,
X.509 v1 ( RFC 1422).
, RFC 1422,
, v1 v2
225
.
.
ISO/IEC/ITU ANSI X9 X.509 3 (v3). v3 v2 .
,
. v3 1996.
X.509
X.509 :
;
;
( );
( );
;
( );
: ;
2
3 ( 2);
2 3 (
2);

3 ( 3);
.
, , . X.509 V3 .6-18.
1 (ASN. 1),
.6-19.
ASN.1,
ITU-T X.208 X.209. .
[object identifier
(OID)]. , .6-19 AlgorithmIdentifier signatureAlgorithm,
(OID)
226
X.509 V3
()

(
)
X.509 (
)
(/
)
X.500

1
.6-18. X.509
. IOD , (). , , OID, .
: Subject Unique Identifier . .

. .
227
Certificate ::= SEQUENCE {

tbsCertificate TBSCertificate,
signatureAlgorithm AlgorithmIdentifier,
signatureValue BIT STRING }
TBSCertificate ::= SEQUENCE {
version [0] EXPLICIT Version DEFAULT v1,
serialNumber CertificateSerialNumber,
signature AlgorithmIdentifier,
issuer Name,
validity Validity,
subject Name,
subjectPublicKeyInfo SubjectPublicKeyInfo,
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
extensions [3] EXPLICIT Extensions OPTIONAL
}
.6-19. X.509
1 (ASN. 1)

, ,
Notes.
, -, , . S/MIME-, , ,
S/MIME- .
, Notes
- SSL.
Certificate , .
(leaf certificate)2 ( , )
.
( ,
). ,
.
, , . , Sales/Acme
228
Sales/ABC Fred/Sales/Acme. Fred/Sales/Acme

Fred/Sales/Acme.
, ,
Lotus Domino Administrator 6.
X.509 .
, , , Notes.
, ,
.
6.2.4 Web-
, .
, WWW,
HTTP (Hypertext Transfer Protocol). HTTP ,
( ) . , :
, ;
( URL-).
-
- Person, Domino , :
-, ;
.
, , (ACL) No Access ( ) ,
Domino .
,
, , Person , ACL .
.

TCP/IP SSL ( ). TCP/IP .
Web-, Web Domino, .
229
(Name-and-password authentication)
, ,
/,
,
Person Domino.
, Domino ,
- - . - -
Notes Domino , Domino Notes Domino , .
- -, ACL
Domino, Person Domino , , Domino LDAP. , Person,
, .
Domino Person ( ) .
. , Editor (), Author
(), Person.
(ACL) Editor, (Anonymous) Author.
TCP/IP,
SSL , - (LDAP, POP3,
HTTP, SMTP, IIOP IMAP).
HTTP
.6-20. .
1. ( , , GET HTTP).
1
2
3
.6-20. HTTP
230
2. , . , ( , Private
() 401 HTTP).
Web-
.
3. Web- , GET HTTP 1, , ID ( Base64).
4. , , .
, .
, , , URL, , URL- . , 401. , ID .
, ,
MIME- HTTP-:
Authorization : Basic <user ID and password block>
ID (user ID) (password block)
UserID:Password Base64.

, ID , , . ,
401 /,
ID .
ID
URL-, , , . Opera Mozilla,
Netscape Navigator Internet Explorer URL, .

401. , , ID , , , .
. -
. , HTTP , LDAP, TCP/IP, .

SSL, -
231
SSL SSL ,
SSL.
. ,
Domino SMTP-, Domino
SMTP- .
, Domino SMTP-,
SMTP- Domino.
, Domino Domino LDAP.
- (HTTP, LDAP, IMAP, POP3).

, Domino
-. Domino ,
Domino Java- IIOP Domino.

(Fewer name variations with higher security)
Fewer name variations with higher security . ,
, . , .6-2 Web- -.
6-2
Domino

CN=prefix

(,
Person,
1 first name)
- ( ,
- Person )
232
LDAP
DN
CN CN CN=prefix
UID UID UID=prefix

first name, : , name, , alice. . . .

(More name variations with lower security)
Domino
. , . .6-3
Web-.
6-3
Domino
(Last name)
(First name)
cn=prefix
()
()

(,
Person,
first name)
Soundex-13
- ( ,
- Person )
LDAP
(Surname)
(Given name)
(CN) CN CN=prefix
DN
DN
UID UID UID=prefix

HTTP,
, :
.
, .
, cookie.
, . cookie.

, ,
.
.

(
SSL-)
, 1
Soundex . . . .
233
.
, .
, , , .
SSL
SSL , , . SSL
.
SSL ,
, , .

Web- Domino [Domino Web Server Application Programming Interface (DSAPI)] (C API),
Web- Domino. , ,
Web-.
DSAPI Lotus Domino Notes.
:
http://www.lotus.com/techzone

(Session-based name-and-password authentication)
Web-, ,
.
, Web- cookie. , , Web Site Server.
,
:
. cookie, ,
,
234
cookie,
, Web.
Web- , cookies.

,
. , . .
HTML-
HTML- ,
.
. HTTP Unicode. US-ASCII.
. .
Domino HTML- ($$LoginUserForm),
Domino (DOMCFG.
NSF). , , . , , - -.

Web- .
, cookie, Domino , .

Web-, , , .
, URL- ?logout
, :
http://acmeserver/sessions.nsf?logout
235
URL-, :
http://acmeserver/sessions.nsf?logout&redirectto=/logoutDB.nsf/
logoutApp?Open
http://acmeserver/sessions.nsf?logout&redirectto=http://www.sales.com
( ,
) URL-.

, , . ,
.
-
Domino 6 - . Lotus Domino 6 Lotus Domino 6.
. (round-robin) DNS,

(
).
DNS cookie . ,
,
, .

.

(Multi-server session-based authentication (SSO))
, single sign-on (SSO),
Web- Domino WebSphere
, Domino
WebSphere DNS, SSO,
().
Web- cookies,
(token)
cookie.
, , :
236
Domino (domain-wide
configuration document) Web SSO Configuration document. Domino .
Multi-server
Web Site Server.
Domino.
Single sign-on Domino.
Lotus, . 7,
.

- -
. Domino . , (log file)
(User Activity).
Notes, - - ,
. , ,
. Notes,
- - , .
TCP/IP SSL , LDAP, HTTP, SMTP IIOP. -, , . , SSL
HTTP-,
LDAP-, TCP/IP.
?
,
. , .
SSL, .
6.2.5 SSL (Secure Sockets Layer)

, , :
. ,
237
:
.
, - ,
, , Base64. , , . Base64 ,
, . , , , , HTTP-, ( , ) ,
.
, , .
, , : SSL (Secure Sockets Layer).
SSL ,
HTTP, ,
LDAP, POP3, HTTP, SMTP, IIOP IMAP.
SSL?

Netscape Inc., -
, . SSL , , , .
. SSL 3.0,
TLS (Transport Layer Security),
IETF. TLS RFC 2246: The TLS Protocol Version 1.0 ( TLS
1.0). Notes Domino TLS -
, SSL v3.
SSL 3, 1996 .,
, :
, , ;
,
, ;
, RSA;
( 3.0).
238
SSL
SSL:
(handshake),
;
(record protocol),
.
SSL
. 6-21 SSL. :
1. . ClientHello , SSL.
ClientHello
,
.
SSL

ClientHello
ServerHello
. 6-21. SSL
239
2. SSL , ServerHello
. ,
( ).
3. X.509,
.
, , :
4. .
5. .
, hello , -, ,
SSL , , (public key certificate). , (public key certificate).
, SSL (identity) -
SSL

ClientHello

ServerHello

Change cipher spec

( )
Change cipher spec

( )
. 6-22. SSL
240
(authenticity) . . 6.21 , .
, SSL. . 6.22.
(handshake)
,
. ,
SSL .
:
1. ClientHello
( ) .
2. , ,
ServerHello, .
3. , . ,
( . 6.22).
4. [ (pre-master) ], , , (
). , .
5. , ( 2) ( 4)
. ,
, SSL.
6. ( ChangeCipherSpec) , .
7.
.
, HTTP- SSL- .
..
. SSL-,
, SSL
, , ,
Web-, .
241
SSL
(master key),
.
,
. , , ,
. .
.
( ) ,
.
SSL . ,
message digest, MD5,
, , .
RC2 RC4, DES, Triple-DES IDEA.
, , X.509, , .
SSL
.
. .
. (
) ,
SSL.
SSL
,
Web- , .
:
?
?
?
- -?
?
Web-?
, , Web-?
,
, :
;
242
;
;
.

, Web-, ,
, , .
,
, .
, Web- SSL,
. SSL- URL http:// https://.
SSL- , . ,
.

.
,
().
,
[Certificate Authority (CA)],
. ( .)
, , . , (
),
.
Web- SSL . Web-
, .

,
-.
.
CA CA , , . ,
-,
.
243

Web- , , , Web-
. , , ,
.
( ),
, .
.6-21, SSL, SSL , . , ,
, .
. ,
,
[certificate authority (CA)].
? , SSL,
, (key ring file).
. .6-23 (
) Opera, .
. 6-23. Opera
244
, .
, - CA.
, .
, CA
( ).
, . , CA ,
, ,
, .

.
MIME, application/x-x509-ca-cert, CA,
CA. PKCS #7, URL-:
http://www.rsasecurity.com/rsalabs/pkcs/pkcs-7/
SSL , , , , ,
CA. ,
( CA, ).
. , -, ,
SSL-,
CA. , , ,
, ,
. ,
,
.

,
. , , . CA
, Web-
( ). ,
CA.
245
, ,
: CA ,
, , ,
, , .
. 6-24 ,
Opera , ,
SSL-.
. 6-24. , ,
:
, ;
;
,
.
, , . , CA ,
,
, CA.
. , -, ,
SSL-,
1, . ,
, ,
,
, .

, , VeriSign.
1
246
: draft-ietf-smime-ess. . . .

, , , ,
, .
CA .
online,
. -. , .
Netscape
, , (,
Mozilla, IE, Lynx . .).
Netscape <KEYGEN>, HTML,
. ,
( PKCS #10) . CA X.509 v3 MIME- ( PKCS #7), .
, Internet Explorer,
, IE
ActiveX (CERTENR3.DLL IE 3.0 XENROLL.DLL
IE 4.0). ActiveX /
PKCS #7 CA , Netscape.
6.2.6 Domino
(Certificate Authority)
PKI, , CA
, SSL. CA

(, S/MIME, ).
, .
Domino CA .
Domino 6
, X.509 ( SSL- S/MIME) IBM (IBM
Redpaper) The Domino Certification Authority, REDP ( Domino).
6.2.7

.
: ,
247
;

.
X.509 v3
SSL,
-, . , ,
,
, .
, , , , Lotus Notes - , Domino .
, - , .

-.
SMTP
SMTP (Simple Mail Transport Protocol)
,
DNS (Domain Name Service) Mail eXchange (MX)
.
, , SMTP.
SMTP, , . , SMTP, SMTP,
SMTP-.
SMTP 7- ASCII,
, ,
- , .
MIME
MIME (Multipurpose Internet Mail Extensions) , ASCII, .
248
, SMTP
,
, ASCII.
MIME ,
.
, , MIME,
Subject. .
From: frederic.dahm@ch.ibm.com
To: roger.guntli@ch.ibm.com
Subject: Map of Western Canada
MIME-Version: 1.0
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-ID:
Content-Description:
[JPEG data]
MIME,
, - . ,
, MIME ,
, ASCII.
POP
POP IMAP ( ) , .
POP (Post Office Protocol) 3 (POP3)
. , , 24 , 7 .
, , .
, ,
, , .
POP3 .
ID , , ,
, .
249
IMAP
IMAP4 (Internet Message Access Protocol, 4, (Interactive Mail Access Protocol))
,
.
, IMAP4, POP3,
. IMAP, ,
, , .
IMAP Web- , :
http://www-camis.stanford.edu/projects/imap/ml/imap.html

, , ,
.
SMTP
SMTP -
SMTP- .
, SMTP- ,
, , .
, , ,
. , , , SMTP. , , ,
SMTP-.
, , ,
.
, ,
, ,
. ,
SMTP-. SMTP- ,
- .
, .
SMTP- TELNET 25 ,
SMTP-, :
250
Telnet <SMTP host> 25

HELO foobar.com
MAIL FROM: <reverse-path>
RCPT TO: <forward-path>
DATA
SEND FROM: whatever.address@you.like
POP
POP3 - .
SMTP, POP3 POP3
. USER PASS

POP3 .
RFC 1725 Post Office Protocol Version 3.

,
T-, , .
POP

, , ,
S/KEY, GSSAPI, APOP Kerberos V4. .
IMAP
IMAP4 , ,
Kerberos V4.
SSL
POP3 IMAP4
SSL. , POP3 IMAP4.
SASL
SASL (Simple Authentication and Security Layer (SASL)) RFC 2222. . , SASL, .
251
SASL
( , SMTP
SASL).
Domino SASL LDAP. Domino SASL , SSL
LDAP .
.
SMTP (ESMTP)
ESMTP,
(Extended Services for Simple Mail Transport Protocol),
SMTP , SMTP SMTP
.
SMTP
[Internet Assigned Numbers Authority (IANA)]. SMTP
: SMTP TLS/SSL (Delivery Status notifications).
SMTP
SMTP,
SMTP (AUTH=LOGIN), . , SMTP (, SMTP- ).
, , base64.
SMTP SMTP SSL TLS

SSL TLS TCP-
. SSL TLS HTTP, , TCP.
TLS SSL ;
. MD5, TLS HMAC.
SMTP SSL TLS
. ,
.
SMTP-, , , SSL TLS ,
SMTP .
252
. SMTP Domino 6 SMTP,

SSL- TCP/IP.
SMTP, Lotus Domino Administrator
Lotus Notes :
1. Lotus Domino Administrator ( Domino Directory Notes) Configuration (). Messaging ( ), Configurations ().
2. Add Configuration ( ),
Edit Configuration ( )
Configuration ().
3. Router/SMTP (/SMTP),
Advanced (). SMTP, . 6-25.
. 6-25. SMTP
4. SMTP Domino.

SMTP SMTP ,
-.
253
, SMTP
.
, . SMTP, , SMTP
(/ /) /
. , .
,
SMTP

, , () - .
, ,
, MIME- ( ). : PGP S/MIME. PGP.
6.2.8 PGP
PGP (Pretty Good Privacy),
,
. 1 1991 . . PGP PGP
URL-:
http://www.pgp.com/
GnuPG (Gnu Privacy Guard),
PGP. IDEA,
- . GnuPG , RFC2440 (OpenPGP). 1.0.0 7
1999 . 1.2.2. GnuPG
. ,

(General Public License) GNU. GPG URL:
http://www.gnupg.org
GNU :
http://www.gnu.org/copyleft/gpl.html
1
254
: PGP (Phil Zimmermann). .: http://www.pgp.com/company/

history.html. . . .
PGP .
, ,
, ,

.
, OpenPGP,
, X.509
. OpenPGP
URL-:
http://www.openpgp.org/
OpenPGP RFC2440, :
http://www.ietf.org/rfc/rfc2440.txt
PGP
, S/MIME
, .
S/MIME ,
Lotus Notes Lotus Domino.
6.2.9 S/MIME
S/MIME (Secure Multipurpose Internet Mail Extension)
, RSA
.
S/MIME , S/MIME 3. .
(draft-ietf-smime-cms; ftp://ftp.ietf.
org/rfc/rfc2630.txt).
S/MIME 3 (draft-ietf-smime-msg; ftp://ftp.ietf.
org/rfc/rfc2633.txt).
S/MIME 3 (draft-ietf-smime-cert; ftp://ftp.ietf.org/
rfc/rfc2632.txt).
(draft-ietf-smime-crs;

http://www.ietf.org/proceedings/98dec/I-D/draft-ietf-smime-crs-00.txt).
S/MIME (draft-ietf-ietf-ess1;
ftp://ftp.ietf.org/rfc/rfc2634.txt).
Lotus Notes Domino 6 S/MIMEv3.

MIME
, . S/MIME
, : Triple-DES
1
: draft-ietf-smime-ess. . . .
255
RC2. RC2
, ,
RSA.
S/MIME
, S/MIME. , Notes Domino 6
S/MIME.
S/MIME :
;
();
;
S/MIME-
;
Netscape Messenger;
.
:
, , , ;
, ,
, ;
,
.

, , S/MIME ( )
. , , Notes
Notes PKI.
S/MIME- .
, , , , . , Notes, . 6-16 6-26.
,
. . 6.26 .
1. S/MIME- .
256
, , , ( ,
; , S/MIME-) .
2. ( Triple-DES, RC2)
. 6-26. S/MIME
, , 1 RSA- .
3.
SMTP.
4. RSA- ( RC2) . ,
, ,
.
5.
( Triple-DES, RC2,
,
), ,
.
, ,
X.509 , , .
. 6-26 , ,
1
: . .
.
257
S/MIME (digital envelope),

, .
, ,
. ,
.

, ,
S/MIME , . ,
. ,
,
Notes.
:
S/MIME ,
( , ), ( ,
). . 6-27.
.
1. S/MIME- . -
.6-27. S/MIME
258
=?
, , ,
( MD5 SHA-1) ( d
digest).
2.
RSA- ( RC2), ,
RSA- .
3. .
4. RSA-
( RC2)
( d).
5. ( MD5, d).
6.
( d) ( d), ,
. ,

() . ,
, () .
, , , , . ,
.
:
1. , .
2. , .
, (), ,
.
! ,
.
.
, , .
,
. S/MIME , . ,
RFC , ,
, .
259

, S/MIME
, ,
.
,
.
X.509 (
, ).
, .
, (CA),
, ? S/MIME
, (chain of trust). , , ( , CA ),
CA .
CA .
- CA ,
CA, .
, CA?
,
; CA ( , , ). :
1. .
2. .
3. CA, .
, , , CA,
.
,
,
, , ,
. , , , .
,
: .
, ,
. , ,
. ?
260
, ,
. , , ,
.
/ ? , S/MIME PKCS#12, .

, , S/MIME, S/MIME-.
(opaque), ,
MIME application/pkcs7-signature (/ pkcs7).
S/MIME
pkcs7-signature ( pkcs7). S/MIME , .
(clear), , MIME multipart/signed (/).
, application/pkcs7signature MIME. ,
MIME MIME application/pkcs7-signature.
S/MIME-

PKCS #12 .

. ,
S/MIME , S/MIME, / .
PKCS #12 / , S/MIME, . ,
Internet
Explorer CA VeriSign,
Outlook Express. Netscape Navigator,
Netscape Messenger.
261
S/MIME

S/MIME, X.509.
S/MIME
CA. ( ),
S/MIME , .
,
.
.
. 6-28 ,
, S/MIME .
S/MIME
1.
S/MIME
S/MIME
S/MIME
6.
(X.509/LDAP)

2.
3.

6.
5.
Web-

Notes
4.
Web-
2.
. 6-28. S/MIME-
262
Web-

Notes
, S/MIME-,
. 6-28, .
1. , S/MIME,
.
Web- .
2. )
. (
, ,
.)

) HTTP
( PKCS #10), Web- .
3. (CA) , . URL- ID
, .
4. URL-, ID .
5. , S/MIME.
6. )
. .

) , S/MIME.
S/MIME
,
S/MIME, .

. , , S/MIME, . , ,
S/MIME, .
LDAP
(, Four11,
Bigfoot, Switchboard . .).
, , S/MIME.
263
6.2.10 Lotus Notes 6 S/MIME-

Lotus Notes
CA ,
S/MIME-,
Notes. , Lotus Notes 6,
Domino Server 6 S/MIME.
S/MIME Notes R5.0

Notes, , Notes
Notes ID,
.
6 Notes ID, Notes,
X.509 v3. Web- ( Domino, ,
), Notes. , ID Notes.
Notes ID
Notes. , , . Notes X.509.
S/MIME- Notes
PKCS #12.
S/MIME
X.509 Notes ID.
, Notes, , Domino, ,
, , .
,
Domino.
, ,
. Notes . Lotus Notes 6 Domino (Domino Directory).
S/MIME-
Lotus Domino 6 , X.509 , , MIME
Notes ,
-. ,
. .
264
Notes S/MIME- :
directly to Internet ( ) Send outgoing mail ( ) Mail () Location ( . 6-29). , , MIME.
MIME format ( MIME) Format for
messages addressed to Internet addresses ( ,
-) Mail ()
Location. , -,
(Personal Address Book) Domino, S/MIME.
When receiving unencrypted mail, encrypt before storing in your mail file (
) Basics () Person . , , MIME.
,
Body
. 6-29. Location : Mail
265
Store contents as HTML and MIME ( HTML

MIME). Notes,
MIME ( Notes Person), MIME.
, S/MIME, X.509
Domino.
Notes ,
.
,

Delivery Options ( ) Encrypt (). , Notes.
. 6-30. : Mail
. Lotus Notes 6
File Security User Security ( ), Mail ()
(User Security) Encrypt mail that
you send ( , ), . 6-30.
266
S/MIME-

, .
, X.509 ID Notes.

Delivery Options ( ) Sign ().
File Security User
Security ( ), Mail ()
(User Security) Sign mail that you send
( , ).
S/MIME-
Notes .
, . .,
, Notes , , .
Signed By: Bob, at 10:52 AM, According To: TestCertAuthority.
, .
, .
. S/MIME-
.
.
, ,
S/MIME-. .
, X.509 .
S/MIME-
Actions Tools Add Sender to Address Book ( ). ,
. , S/MIME-,
.
267
6.3
, , , .
,
. X.509 ( , SSL)
(, S/MIME). , Notes Domino
X.509 , , Notes Domino.
268
7

(Single sign-on)
[single signon (SSO)] ,
. ,
, .
SSO:
, , , .
Web- The Open Group :
http://www.opengroup.org/security/12-sso.htm
,
( )
,
.

, .
:
.
,
.
(Single sign-on)
269

.
SSO,
.
:

.
, ,
.
.
(user security
information) ,
, . ,
.
SSO:
, ;
(credentials)
;
, , ,
.
SSO , . . . SSO
.
(credentials), (accept) . (credentials)
C , , , SSO , WebSphere Lotus.
SSO,
IBM:
HTTP (HTTP headers);
Lightweight Third Party Authentication (LTPA);
X.509;
DSAPI.
270
7.1 SSO
SSO :
1. .
2.
.
3. (users credentials) ,
.
, SSO .
SSO , , .
7.1.1 SSO
, SSO
, SSO. ID [ (credentials)], .

( ), , ,
ID .
,
ID (credentials store),
(ID) - .
()? ,
logon- , . , , , .
? ,

.

, . , Notes Windows, Notes
, Windows
. Notes
Domino -. ,
, .
(Single sign-on)
271

,
,
. , . , . . ,
. , - ,
,
(bind).
. Domino MD2-solted -
Person, (Directory Profile) Use more secure Internet
Passwords ( -).
( , IBM Tivoli Directory Server
MD5). , salt-.
(
, salted ). ()

, .

, .
(ID) , .
bind- LDAP, LDAP ID (credentials).
, , (bind) . ,
, -, ;
.
.
password IBM
Directory Server - [B@7a8ea817. ,
- Person
Domino? -, Domino
(log in) (bind) password, 355E98E7C7B59BD810ED84
272
5AD0FD2FC4. - LDAP,
([B@7a8ea817), Domino
.
,
, , ,
Notes Windows. ,
. (SSO) Web-.
7.2 LTPA
Lightweight Third Party Authentication (LTPA) IBM, cookies,

Web- Lotus, WebSphere Tivoli. ,
, DNS LTPA, . LTPA , cookie
.
LTPA , , , [Distinguished Name (DN)] a , ,
.
LTPA :
, LTPA, DNS.

( LDAP). Lotus Domino
( LDAP), IBM Directory Server, MS Active Directory
iPlanet.
, , cookies, .
, SSO
HTTPS-.
LTPA , IBM;
LTPA (
).
,
DNS, , LTPA.
LTPA cookie , cookies
RFC-2965, :
(Single sign-on)
273
RFC , () cookie
, DNS, , () cookie (). -, DNS,
.
DNS . ,
cookie LTPA ,
. ,
DNS , cookie
, LTPA, . , Domino alpha.com, beta.com ,
iNotes iframe, Domino R5
,
, beta.com. Domino 6 beta.com Internet Site. ,
Domino beta.com DNS.
, , HTTP DIIOP ( IBM WebSphere), Domino . ,
,
Web- SSO (Web SSO Configuration)
Domino .
,
, .
LTPA WebSphere.
WebSphere , Lightweight Third Party Authentication
(LTPA), Domino R5.0.5 . Domino WebSphere

WebSphere Web- SSO (Web SSO
Configuration). LTPA WebSphere WebSphere.
. , WebSphere Lotus, Tivoli,

, LTPA WebSphere
.
WebSphere , Domino
, WebSphere. , Domino SSO, 20- , SHA-1, . LTPA Domino
server only ( Domino) LTPA WebSphere.
274
7.2.1
LTPA
. ,
, Web-
. , , :
1. () LTPA ,
.
2. () LTPA, HTTP
.
LTPA ()
. LTPA , LDAP, , cookie LTPA. ,
LDAP (trusted third party),
: ( )
(Third Party Authentication).
(ID) LTPA,
LDAP. LDAP ,
- . , , . LDAP
Web- ( ) LTPA
cookie . cookie
HTTP- , cookie . , cookie, , (Lightweight). LTPA . 7-1.
7-1. LTPA
CookieName ( cookie)
CookieValue ( cookie)
LtpaToken ( LTPA)
AuthenticationToken ( )
Digital Signature ( )
LtpaToken ( LTPA)
Base64 ( LTPA)
( ,
) 3DES
+%+
+%+ Base64
( )
( ,
)
LTPA ( RSA/SHA1)
(Single sign-on)
275
. 7-1
PrivateKey-ltpa ( LTPA)
SharedKey ( )
UserData ( )
TokenExpirationDate (
)
(
,
) LTPA
;
LTPA
/
3DES,
LTPA /
,
$ ( , uid:+ID )
,
. (
,
(00:00:00)
1 1970 .)
, . ( Domino) , ( WebSphere).
() LTPA
LTPA,
Web-. Web-, , () ( LTPA) .
, .
Domino,
LTPA, WebSphere:
Base64,
( WebSphere), ,
, .
7.1
06/09/2003 05:53:39.53 PM [03071:00010-106510] SSO API> Decoding
sphere style Single Sign-On token (LTPA).
Web-
06/09/2003 05:53:39.53 PM [03071:00010-106510] SSO API> Dumping memory

of encoded token [364 bytes].
00000000: 6C71 3150 4847 4536 3576 597A 6154 7878
'qlP1GH6Ev5zYTaxx'
00000010: 6F5A 534D 4262 6D70 3746 4643 6B56 3172
'ZoMSbBpmF7CFVkr1'
00000020: 5146 7045 5762 756E 6467 4532 6C68 314B
'FQEpbWnugd2EhlK1'
276
00000030: 3138 6E47 5164 5A41 634C 3965 3258 386C
'81GndQAZLce9X2l8'
00000040: 2B7A 7239 7263 7976 5537 6332 4957 4F44
'z+9rcrvy7U2cWIDO'
00000050: 3755 4677 586D 2B6B 3768 7A31 3767 6976
'U7wFmXk+h71zg7vi'
00000060: 3672 5949 4672 7566 4C4D 636E 6236 665A
'r6IYrFfuMLnc6bZf'
00000070: 6E63 6A43 6246 4476 7159 476A 2F72 5445
'cnCjFbvDYqjGr/ET'
00000080: 6742 6C57 7779 7457 3671 6632 7467 3978
'BgWlywWtq62fgtx9'
00000090: 4947 6D71 4674 6643 7470 716D 6E56 5863
'GIqmtFCfptmqVncX'
000000A0: 6C43 5A4A 5050 4E48 4733 336E 6F69 757A
'ClJZPPHN3Gn3iozu'
000000B0: 4562 3777 475A 6136 3362 5138 6C4D 7554
'bEw7ZG6ab38QMlTu'
000000C0: 5475 7166 7438 5971 5269 5736 4949 6238
'uTfq8tqYiR6WII8b'
000000D0: 5839 6578 6552 714F 6378 6A35 4663 6435
'9XxeReOqxc5jcF5d'
000000E0: 4343 4E69 3076 4A6D 4372 686A 306C 6A51
'CCiNv0mJrCjhl0Qj'
000000F0: 4F57 6142 5955 7634 7771 3838 5A57 3230
'WOBaUY4vqw88WZ02'
00000100: 6F42 7671 3939 7231 5765 3068 4753 596B
'Boqv991reWh0SGkY'
00000110: 7A63 5862 4D31 4A4B 314E 4F6B 3576 4337
'czbX1MKJN1kOv57C'
00000120: 7449 654A 5253 3577 477A 4352 384D 684C
'ItJeSRw5zGRCM8Lh'
00000130: 6665 4E43 7365 504C 6B2B 7258 5157 7343
'efCNesLP+kXrWQCs'
00000140: 5866 3741 576C 534C 4630 6941 3035 6C76
'fXA7lWLS0FAi50vl'
00000150: 3247 356E 5076 2B68 4968 2F64 6955 3442
'G2n5vPh+hId/UiB4'
00000160: 5065 4F6F 324C 476D 3958 3D30
'ePoOL2mGX90='

of encoded token before decryption step [272 bytes].
00000000: 53AA 18F5 847E 9CBF 4DD8 71AC 8366 6C12
'*Su.~.?.XM,qf..l'
00000010: 661A B017 5685 F54A 0115 6D29 EE69 DD81
'.f.0.VJu..)min.]'
00000020: 8684 B552 51F3 75A7 1900 C72D 5FBD 7C69
'..R5sQ'u..-G=_i|'
00000030: EFCF 726B F2BB 4DED 589C CE80 BC53 9905
'Ookr;rmM.X.NS<..'
00000040: 3E79 BD87 8373 E2BB A2AF AC18 EE57 B930
'y>.=s.;b/.,Wn09'
00000050: E9DC 5FB6 7072 15A3 C3BB A862 AFC6 13F1
'\i6_rp#.;Cb(F/q.'
00000060: 0506 CBA5 AD05 ADAB 829F 7DDC 8A18 B4A6
'..%K.-+-..\}..&4'
00000070: 9F50 D9A6 56AA 1777 520A 3C59 CDF1 69DC
'P.&Y*Vw..RY<qM\i'
00000080: 8AF7 EE8C 4C6C 643B 9A6E 7F6F 3210 EE54
'w..nlL;dn.o..2Tn'
00000090: 37B9 F2EA 98DA 1E89 2096 1B8F 7CF5 455E
'97jrZ.... ..u|^E'
000000A0: AAE3 CEC5 7063 5D5E 2808 BF8D 8949 28AC
'c*ENcp^].(.?I.,('
000000B0: 97E1 2344 E058 515A 2F8E 0FAB 593C 369D
'a.D#X`ZQ./+.<Y.6'
000000C0: 8A06 F7AF 6BDD 6879 4874 1869 3673 D4D7
'../w]kyhtHi.s6WT'
000000D0: 89C2 5937 BF0E C29E D222 495E 391C 64CC
'B.7Y.?.BR^I.9Ld'
000000E0: 3342 E1C2 F079 7A8D CFC2 45FA 59EB AC00
'B3Bayp.zBOzEkY.,'
(Single sign-on)
277
000000F0: 707D 953B D262 50D0 E722 E54B 691B BCF9
'}p;.bRPPgKe.iy<'
00000100: 7EF8 8784 527F 7820 FA78 2F0E 8669 DD5F
'x~...R xxz./i._]'

of encoded token after decryption step [271 bytes].
00000000: 3A75 7375 7265 3A5C 7469 6F73 6573 2D63
'u:user\:itsosec-'
00000010: 646C 7061 632E 6D61 692E 7374 2E6F 6269
'ldap.cam.itso.ib'
00000020: 2E6D 6F63 5C6D 333A 3938 552F 4449 443D
'm.com\:389/UID=D'
00000030: 6948 6B6E 656C 4F2C 3D55 7250 646F 6375
'Hinkle,OU=Produc'
00000040: 6974 6E6F 6F2C 723D 6465 6F62 6B6F 2C73
'tion,o=redbooks,'
00000050: 3D63 7375 3125 3530 3235 3831 3733 3138
'c=us%10552183781'
00000060: 3635 4125 4274 4669 5238 3748 4858 6C4F
'56%AtBiF8RH7XHOl'
00000070: 7A47 554F 5645 3575 7456 4172 597A 765A
'GzOUEVu5VtrAzYZv'
00000080: 6756 314E 5374 6548 3671 7573 554E 6872
'VgN1tSHeq6suNUrh'
00000090: 4E4B 3537 6632 6442 6A35 3161 6969 3479
'KN752fBd5ja1iiy4'
000000A0: 2F65 5868 7261 5A7A 4D6A 5977 6E6F 715A
'e/hXarzZjMwYonZq'
000000B0: 7868 2B43 4142 7434 7A52 5764 4B33 4E6A
'hxC+BA4tRzdW3KjN'
000000C0: 3044 6471 4B55 4C48 7450 5772 7150 2B48
'D0qdUKHLPtrWPqH+'
000000D0: 4655 7A33 4469 4F75 3261 4B4A 7349 5855
'UF3ziDuOa2JKIsUX'
000000E0: 6A69 684A 5567 594D 4335 6266 3335 3256
'ijJhgUMY5Cfb53V2'
000000F0: 6263 7034 4657 6851 6A35 7152 7636 3641
'cb4pWFQh5jRq6vA6'
00000100: 6339 4662 4441 5A58 7248 744D 414A
'9cbFADXZHrMtJA='
3D
06/09/2003 05:53:39.56 PM [03071:00010-106510] SSO API> -LDAP Realm

= itsosec-ldap.cam.itso.ibm.com\:389
06/09/2003 05:53:39.56 PM [03071:00010-106510] SSO API> -Username
= UID=DHinkle/OU=Production/o=redbooks/c=us
06/09/2003 05:53:39.56 PM [03071:00010-106510] SSO API> -Expiration
Ticks = 1055218378666 [06/10/2003 12:12:58 AM].
06/09/2003 05:53:39.56 PM [03071:00010-106510] WebAuth> LOOKUP in view
$Users (user='UID=DHinkle/OU=Production/o=redbooks/c=us')
, Domino
, ,
LTPA WebSphere. Domino LTPA:
, ;
( LDAP);
/ .
, WebSphere Domino / , , (PKI)
278
Domino
WebSphere.
LTPA WebSphere-Domino . ,
.
, ,
(
) - (brute force cracking). WebSphere ,
, .
7.2.2
LTPA
. [distinguished
name (DN)] LDAP, . DN [ ,
(ACL) Domino], , LTPA, ,
.
Domino 6, 6.0.2 , , LTPA (DN)
( ). LTPA
( ), LDAP (DN), ,
Domino.
, Domino HTTP-, LTPA.

, . LDAP
Domino ,
. , .

Domino 11.9.4, Domino.
Domino Tivoli WebSeal
, .
(Single sign-on)
279
7.2.3 LTPA
LTPA ,
, LDAP.
Lotus- search filters
base dn 75% LDAP-
.
(search
filters) ,
:
Domino Directory Assistance;
Sametime;
QuickPlace;
global security ( ) WebSphere Application Server.
Sametime . 7-1.
. 7-1. LDAP Sametime
LTPA Domino
, LDAP,
LTPA , .
NOTES.INI , (Single Sign-On). ,
Web SSO Configuration, , ,
DEBUG_SSO_TRACE_LEVEL=1. ,
, ,
DEBUG_ SSO_TRACE_LEVEL=2.
. Domino 6 SSO (Web,

POP . .), , -. ,
SSO Domino 5/6, ,
5 Internet Site. , Domino 6
R5 Web config, SSO
. SSO Domino 6
, Web 5. Internet Site.
:
280
1. , Domino 6 Basics
(Disabled) -.
2. SSO, Domino . Create Web (R5)

[ Web (R5)...] SSO Configuration ( SSO),
LTPAToken.
3. (Organization name) Web

SSO ( -).
, SSO - .
7.3 X.509
X.509
SSL, LDAP.
, , LDAP,
.

(Single sign-on)
281
,
(CA), . .
, X.509 , X.509
: - ( ), -
(). , , X.509
.
, X.509 ( )
, ,
. , Internet Explorer X.509 Windows.
. - , , ,
, , - , .
LDAP, ,
, (
X.509). , X.509 Web-, X.509.
LDAP CA,
, SSL-
(), .
LDAP ()
LDAP, . ,
X.509,
- (PKI),
X.509, LDAP (),
() .
SSL- Web-
X.509 SASL (Simple Authentication and Security
Layer).
.
.
, SASL , SASL External ()
X.509. SASL RFC-2222,
:
282

, LDAP
. LDAP,
X.509
Lotus .
7.3.1
,
, .
, .
,
SASL X.509v3.
SASL
, [
(userid)] .
LDAP LDAP,
:
1. LDAP
:
(DN), ;
;
- (), ,
;
SASL, LDAP SASL.
2. , .
3. - LDAP
LDAP.
4. SASL, ,
SASL. SASL ,
.
5. SASL (=EXTERNAL) SSL , , , CA

. , ldap_sasl_
bind, NULL, LDAP (DN), -
(Single sign-on)
283
X.509v3 . ( DN NULL),
.
6. Simple (),
, DN ,
, .
7. DN (DN)
, , . DN
NULL LDAP_AUTH_NONE .
8. , .
7.3.2
X.509 SSL- ,
, . DN , .
, DN
, .
SASL , - (proxy authorization),
.
, (DN) ,
. , . , LDAP-
DN, , LDAP
(DN) .
7.4 DSAPI
Web- Domino [Domino Web
Server Application Programming Interface (DSAPI)]
(C API), Web- Domino. DSAPI, , , HTTP-
. DSAPI SSO, , Domino SSO.
, - IBM Lotus
, Web-
284
: SASL-. . . .
DSAPI
Domino 6. Web- IBM.
DSAPI HTTP- ,

Web- Domino.
. HTTP
DSAPI o , DSAPI
, .
StartRequest 13 , DSAPI. , .
DSAPI , ()
. ,
, . .7-2
, DSAPI HTTP- Domino Web-.
DSAPI

( R5)

TCP/IP
Web- Internotes
CGI
.7-2. - Domino 6
, . HTTP . (
)
.
,
.
(Single sign-on)
285
.
, (, Filter Init Data, ). HTTP,
, :
: HTTP .
HEAD: HEAD , .
GET: GET
( ), Request-URL (URL-).
POST: POST , , , , Request-URL Requst-Line (-).
PUT: PUT ,
Request-URL.
DELETE: DELETE , , Request-URL.
TRACE: TRACE.
CONNECT: CONNECT.
OPTIONS: OPTIONS.
UNKNOWN: .
BAD: . .
.
kFilterStartRequest
, , HTTP . . ,

, .
pEventData , NULL. , , kFilterHandledEvent.
kFilterRawRequest
, , , HTTP. ,
, . ,
HTTP. pEventData FilterRawRequest.
286
kFilterParsedRequest
, , , HTTP HTTP. , , kFilterRawRequest, HTTP
HTTP , -
. . pEventData FilterParsedRequest. ,
.
HTTP. kFilterRawRequest.
kFilterRewriteURL
, , URL-
. URL- URL-, DSAPI
, , . pEventData FilterMapURL. , FilterMapURL , kFilterTranslateRequest kFilterPostTranslate.
kFilterAuthenticate
, HTTP .
, HTTP . pEventData .
kFilterUserNameList
, HTTP
. , . kFilterAuthenticate. , Domino ,
, ( ). pEventData HttpEventProc FilterUserNameList.
kFilterTranslateRequest
, HTTP URL-
.
, . pEventData
FilterMapURL.
(Single sign-on)
287
kFilterPostTranslate
, kFilterTranslateEvent. , . , . . pEventData FilterMapURL.
kFilterAuthorized
,
.

. pEventData FilterAuthorize. .
, ServerSupport kGetAuthenticatedUserInfo.
, .
, isAuthorized FilterAuthorize
0. kFilterHandledRequest, kFilterHandledEvent. DSAPI HTTP .
kFilterProcessRequest
HTTP. .
. pEventData FilterMapURL.
kFilterEndRequest
,
, HTTP. pEventData NULL.
kFilterAuthUser
kFilterAuthenticate,
DSAPI. Web-. pEventData FilterAuthenticate.
kFilterAuthenticate.
288
Web-,
. DSAPI , Domino
. DSAPI ,
,
, Web- Domino, , Domino .
, eventData
FilterAuthenticate.
1. .
eventData authName , eventData
authType kAuthenticBasic kAuthenticClientCert, kFilterHandledEvent.
2. ,
Domino .
kFilterNotHandled.
3. ,
Domino
.
eventData authType kNotAuthentic, kFilterHandledEvent.
kFilterResponse
, HTTP HTTP
. . DSAPI. pEventData FilterResponse.
kFilterRawWrite
, HTTP HTTP
. .
DSAPI. pEventData
FilterRawWrite.

SSO kFilterAuthenticate, kFilterUserNameList kFilterAuthorized. ,
kFilterAuthenticate kFilterAuthUser,
5, Domino 6 . DSAPI kFilterAuthenticate.
(Single sign-on)
289

DSAPI Lotus C API Toolkit,
:
http://www.lotus.com/ldd
DSAPI (shared library) UNIX
DLL- Win32. DSAPI Domino.
, API Notes
Domino .

. , API Lotus
Domino 6 , , ,
6., Domino. Domino R5
R5 Domino 6, R5.x.
DSAPI ,
Domino API ID .
, . Domino HTTP, FilterContext. ,
, . FilterContext
privateContext, . , , privateContext.
AllocMem
. , AllocMem, , . , ,
.
Server
DSAPI Internet Protocols (-) HTTP table ( HTTP). ,
Domino;
. ,
.
DSAPI LTPA
API Domino 6 LTPA
:
290
SECTokenValidate LTPA SSO;

SECTokenGenerate LTPA SSO.
LTPA,
, LTPA.
7.4.1
DSAPI Web-
Domino . Domino LDAP,
cookie - .
,
. DSAPI.
. , DSAPI
, .
, .
7.4.2
DSAPI
Domino.
,
HTTP, DSAPI.
,
authname .
. 1 kFilterAuthUser.
7.5 HTTP
ID Domino 6 HTTP,
Web- Domino.
WebSphere Application Server plug-in (
WebSphere) Domino, , , (plug-in) [Trust Association Interceptor (TAI)]
WebSphere, Domino,
notes.ini, HTTP Domino HTTP ID , WebSphere. SSO HTTP-.
HTTP-,
Domino, Microsoft IIS IBM HTTP Server, Domino 6
Apache iPlanet.
(Single sign-on)
291
HTTP
Domino, NOTES.INI :
HTTPEnableConnectorHeaders=1
HTTP Domino , WebSphere IIS
IBM HTTP Server. .
HTTP Domino
, NOTES.INI . .
, HTTP- Domino
; Domino , HTTP . , HTTP- HTTP Domino , HTTP-
Domino 80/443. SSO
HTTP- Domino.
7.5.1
HTTP Domino,
HTTP-.
7.5.2
Domino HTTP , Web-. (ACL) Domino - , .
Notes , , .

Domino
, URL- Domino.
, ,
(reader) (writer).
, , hide when ( ) Domino, . Domino -
292
(ID UNID), URL-.

HTTP
Notes Notes. Notes , ACL Domino,
(ACL) Domino,
.
, Domino LDAP Notes, 11.9.4, Domino.
7.6
( )
SSO. 4,
.
SSO, , Domino, Lotus Domino Lotus Sametime,
WebSphere.
SSO LTPA, .
, ,

, .7-3.
1- ().
(2) (3)
LTPA. LTPA (4),
(5).
, LTPA
, , .7-4.

Domino (1). , Domino ,
LTPA,

(2 & 3). Domino LTPA (4). Domino LTPA ACL LTPA (5). ,
(Single sign-on)
293
, Domino (6),
.
,
WebSphere
5- LTPA
1-
Web-
WebSphere
4- LTPA
3-
2-
.7-3. SSO LTPA

WebSphere
2-
1- Domino
Web-
7- Domino
Domino
3- LTPA
WebSphere
4- Domino
( LTPA)
6- Domino
5- ACL
Lotus
Domino
LDAP
.7-4. Domino SSO LTPA

. , ACL,
Domino. ACL , ,
.
294

WebSphere
2-
1-
Web-
Web-
7-
Web-
( )
3- LTPA
WebSphere
4-
( LTPA)
6-
5- ACL
Lotus
Sametime
8-
9- LTPA?
10- LTPA
11-

.7-5. , Sametime SSO -

LTPA
, .7-5 SSO LTPA.
Web- Sametime (1).
, (meeting)
Sametime , LTPA, (2 & 3).
Sametime LTPA (4). Sametime LTPA ACL
LTPA (5). , , Sametime (6), Web- (7).
,
, Sametime
(8), (9).
LTPA (10) (11).
,
, .
(Single sign-on)
295
7.7
SSO Lotus Lotus Domino.
.
LTPA ,
IBM Lotus, WebSphere Tivoli Access Manager. , ,
. Domino (Dominos Directory Assistance) ,
Domino.
X.509 , ,

.
.
DSAPI , , Domino.
DSAPI .
HTTP ,
; , HTTP- Domino
.
(Enterprise Access Management), Web-.
, SSO , :
1. SSO, ,
IBM. , DSAPI, HTTP.
2. SSO

IBM.
LTPA.
3. SSO,
.

. (identity management) Tivoli IBM.
296
8

LDAP. ,

, (credentials)
.
.
297
8.1
,
, . ()
, .
, , , .
, . ,
, . ,
, .
, .
, ( ) , ( ).

, .
,
, . , ,
. IBM Directory Server, DB2.
. , ( )
, . ,
, .
8.1.1 LDAP
LDAP . LDAP
, X.500 [Directory Access Protocol (DAP)] X.500,
Lightweight DAP, LDAP (j ).
-,
LDAP TCP/IP- 389 636, SSL.
298
LDAP IETF, :
RFC-1777 c LDAPv2;
RFC-2251 LDAPv3: LDAP 3;
RFC-2252 LDAPv3: ;
RFC-2253 LDAPv3: UTF-8 ;
RFC-2254 LDAP;
RFC-2255 URL LDAP;
RFC-2849 LDAP [LDAP Data Interchange Format
(LDIF)].
,
(partitioned) (replicated);
. ,
. , - . LDAP (LDAP referrals). LDAP LDAP , , ( ) . , . ,
.
LDAP
IBM:
IBM Redbook Understanding LDAP, SG24-4986
IBM Redbook LDAP Implementation Cookbook, SG24-5110
IBM Redbook Using LDAP for Directory Integration: A Look at IBM SecureWay Directory,
Active Directory, and Domino, SG24-6163
IBM Redbook Implementation and Practical Use of LDAP on the IBM e-server iSeries
Server, SG24-6193
IBM Redpaper, LDAP Directory Services in IBM WebSphere Everyplace Access V4.1.1,
REDP3603
8.2

.
, , .
, , , :
299
, LDAP (: Domino, IBM Directory

Server, Microsoft Active Directory, Netscape/iPlanet/SunONE,
Novell NDS);
X.500 (: Syntegras Aphelion/CDCRialto, Bomara/Isocor Global Directory Server, Nexor Directory);
(: PeopleSoft HRMS, Siebel ERM, JD Edwards, Oracle HRMS);
(: Siebel CRM,
Microsoft CRM, PeopleSoft CRM, Oracle CRM);
, ( , Oracle, DB2,
SQL Server);
;
(: XML, SAML, LDIF
SOAP);
, , LDAP;
;
(: ).
, .
, ,
,
.
8.2.1
(attributes) . . (authoritative
source) , , ,
.
,
:
: . ,
, , ,
, , . .
: , - . , ,
, .
300
: , .

( - ).
: RFC-822- (SMTP) T-.
SMTP-,
. , - .
, .
, , T- .
, name () ( ,
, ).
, . , , , , . ,

, , ,
. ,
. , .
. ,
.
, . , ,
,
-. , ,
, . ()
, . .
8.2.2
() (point of control) , . -
301
, . .
.
, ,
, . .

.
,
, .
. , . ,
.

.
,
, , .
, . ,
.
8.2.3
, (
) ( ).
. , , ,
.
, .
, , ;
, , .
,
.

, ,
,
302
. , ,
.
,
, . , . ,
,
. ,
1,

2 . . , ,
, , .
(), .
, ,
, .
8.3

.
. ,
, .
. , , .

7, (Single sign-on).
.
:
: , ;
: ;
: ;
: .
8.3.1
.

(), .
303
, ,
,
, . , [application programming interface (API)], LDAP, .
. . , . , , -.
8.3.2
. LDAP,
LDAP , .
LDAP, , .
, (person), (organization), (organizational unit), (domain component)
(groupOfNames). , , ? (top), ,
() . , LDAP . , organizational
unit top,
, .
LDAP , MUST ( ) MAY ( ).
, . LDAP
.
, , ,
.
, LDAP, :
objectclass: top
objectclass: person
objectclass: organizationalPerson
304
objectclass: inetOrgPerson
objectclass: eDominoAccount
, , , . top , , . ,
, top . LDAP ,
top, [Access Control Lists (ACL)] .
person top ,
cn (Common Name) sn (Surname), . organizationalPerson person. inetOrgPerson organizationalPerson. : eDominoAccount
top , sn userid. , person sn.
, c sn ? ,
. .
,
.
? ( LDAP ) . LDAP V3 RFC-2251 RFC-2252.
IBM Directory Server, , OpenLDAP.
objectclass: top
objectclasses=( 2.5.6.0 NAME top DESC Standard ObjectClass ABSTRACT
MUST ( objectClass ) )
objectclass: person
objectclasses=( 2.5.6.6 NAME person DESC Defines entries that
generically represent people. SUP top STRUCTURAL MUST ( cn $ sn )
MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
objectclasses=( 2.5.6.7 NAME organizationalPerson DESC Defines entries

for people employed by or associated with an organization. SUP person
STRUCTURAL MAY ( title $ x121Address $ registeredAddress $
destinationIndicator $ preferredDeliveryMethod $ telexNumber $
teletexTerminalIdentifier $ internationalISDNNumber $
facsimileTelephoneNumber $ street $ postalAddress $ postalCode $
postOfficeBox $ physicalDeliveryOfficeName $ ou $ st $ l ) )
305
objectclasses=( 2.16.840.1.113730.3.2.2 NAME inetOrgPerson DESC Defines
entries representing people in an organizations enterprise network. SUP
organizationalPerson STRUCTURAL MAY ( audio $ businessCategory $
carLicense $ departmentNumber $ employeeNumber $ employeeType $ givenName $
homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledURI $ mail $
manager $ mobile $ pager $ photo $ preferredLanguage $ roomNumber $
secretary $ uid $ userCertificate $ userSMIMECertificate $
x500UniqueIdentifier $ displayName $ o $ userPKCS12 ) )
objectclasses=( 1.3.18.0.2.6.122 NAME eDominoAccount DESC Represents a

Domino account. SUP top STRUCTURAL MUST ( sn $ userid ) MAY (
certificateExpirationDate $ certifierId $ certifierPassword $ clienttypereg
$ createAddressBookEntry $ createFullTextIndex $ createIdFile $
createMailDatabase $ createNorthAmericanId $ createNotesUser $ description
$ fullName $ givenName $ idFilePath $ idtype $ initialPassword $
initialPopulation $ internetAddress $ l $ localadmin $ location $ mail $
mailDomain $ mailFile $ mailFileOwnerAccess $ mailFileTemplate $
mailProgram $ mailServer $ mailSystem $ middleName $ minPasswordLength $ ou
$ overwriteaddressbook $ overwriteidfile $ principalPtr $ profiles $
proposedaltcommonname $ proposedAltFullNameLanguage $ proposedAltOrgUnit $
registrationServer $ saveIdInAddressBook $ saveIdInFile $ setDbQuota $
setWarningThreshold $ shortName ) )
, ,
.
OID (object identifier). OID (NAME),
(DESC).
, [SUP (superior)] .
, , (MUST), (MAY).
OID , . OID ,
[International Organization for Standardization (ISO)] (Web- ISO
http://www.iso.ch/) [International Telecommunication Union (ITU)[ (Web- ITU http://
www.itu.ch/). ISO ITU OID
OID.
OID
306
. OID,
, ASN.1 (Abstract Syntax Notation).
, OID .
( , 1.3.4.7.4.17)
(,
1.3.4.7.4.17.1, 1.3.4.7.4.17.2, 1.3.4.7.4.17.3 . .).
(branch) (root) (vertex) OID.
(arc) ( 1.3.4.7.4.17). [ (subarc)], ,
OID . , OID (vertex) (arc) (root) branch (), LDAP
X.500.
LDAP,
LDAP ( LDAP), ,
.oc. , , eDominoAccount, , IBM Directory Server. , IBM OID 1.3.18.0.2;
, IBM. :
1 ( OID, ISO)
1.3 ( ISO )
1.3.18 (IBM)
1.3.18.0 ( IBM)
1.3.18.0.2 ( IBM)
, (dot notation),
IETF IP-,
OID. , IP-,
OID .
,
.
, , , ( LDAP ). ,
OID ISO, IANA -

. OID,
- - . OID
307
. , (, ) ,
OID. OID ( IP-,
); OID ,
OID, OID .. OID .
, ; OID , .
(arc)
, () Web IANA :
http://www.iana.org/cgi-bin/enterprise.pl
OID,
Web-
ASN.1:
http://asn1.elibel.tm.fr/oid/faq.htm
8.3.3
, , .
cn [common name ( )], sn [surname ()], givenName, mail, uid
userPassword. OID, OID.
LDAP V3 ,
ASN.1 . .
attribute: name
attributetypes=( 2.5.4.41 NAME 'name' DESC 'The name attribute type is the
attribute supertype from which string attribute types typically used for
naming may be formed. It is unlikely that values of this type itself will
occur in an entry.' EQUALITY 1.3.6.1.4.1.1466.109.114.2 SUBSTR 2.5.13.4
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )
attribute: sn
attributetypes=( 2.5.4.4 NAME ( 'sn' 'surName' ) DESC 'This is the
X.500
surname attribute, which contains the family name of a person.' SUP
2.5.4.41 EQUALITY 2.5.13.2 ORDERING 2.5.13.3 SUBSTR 2.5.13.4 USAGE
userApplications )
308
attribute: mail
attributetypes=( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822mailbox' )
DESC 'Identifies a users primary email address (the email address retrieved
and displayed by white-pages lookup applications).' EQUALITY 2.5.13.2
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )
, (SUP) sn 2.5.4.41, name (
). name , ,
. . , , . sn, name.
, mail () rfc822mailbox. , EQUALITY
SYNTAX ASN.1.
, ASN.1 . .
, LDAP
LDAP, ,
LDAP LDAP.
8.3.4
,
, . , ,
,
. , ,
. .
, . ,
. .
, , ,
, (attribute mapping). ,
,
(data transformation).
309
, - , (record mapping). ,
. , . , . , James L Smith Jim Smith JLSmith .
, ,
(multiple identities):
( ).

, Navy Enterprise Portal Space and
Naval Warfare Systems Command (SPARWAR), ,
100 000 (identities, ID), .
720 000 -
, - 200 000 , ( ) ID.
100 000 ID ;
. , , ,
, , , ,
ID ? , UNIX- , , ID .
. :
( ). , [distinguished names (DN)] :
LDAP Directory: cn=Brendan C Hinkle,ou=West,o=Acme,dc=acme,dc=com
Domino Directory: CN=Brendan Hinkle/OU=Finance/O=Acme
Active Directory: uid=bhinkle,cn=users,dc=corp,dc=acme,dc=com
, , 100%- .
, , , , , , ?
310
, ()
, (correlation keys),
.
, .
8.1. LDAP
LDAP Directory: cn=Brendan C Hinkle,ou=West,o=Acme,dc=acme,dc=com
uid=bhinkle
empid=10543
mail=
internetaddress=b_hinkle@acme.com
employeeid=BC10543
Active Directory: uid=bhinkle,cn=users,dc=corp,dc=acme,dc=com
logonPrincipalName=bhinkle
mail=b_hinkle@acme.com
,
, ,
. ? mail
LDAP AD internetaddress Domino. , SMTP- Domino. Domino AD? Domino LDAP? ,
, AD LDAP. AD
, SMTP-,
Domino AD. ,
Domino LDAP Domino.
,
. , , , . ,
LDAP Domino,
. SMTP-
Domino mail
LDAP ( ).

. ,
(identity), (DN), -
311
,
,
. 7.2, LTPA, cookie . LTPA IBM
cookie , IBM.
DN cookie LTPA, HTTP- Domino,
DN (direct mapping). Domino Directory Assistance
, LDAP. 8.2.
8.2.
LDAP Directory:
cn=Brendan C Hinkle,ou=West,o=Acme,dc=acme,dc=com
empid=10543
notesname=cn=Brendan Hinkle,OU=Finance,O=Acme

employeeid=BC10543
, DN cookie LTPA cn=Brendan C Hinkle,
ou=West, o=Acme, dc=Acme, dc=com Domino Directory Assistance notesname Notes LDAP, Domino
LDAP DN LDAP,
notesname . , Domino cn=Brendan Hinkle, OU=Finance, O=Acme,
CN=Brendan Hinkle/OU=Finance/O=Acme.
, ,
ACL Domino. , ,
Domino 6 .
,
, Domino 6.02+
Domino 5.x. Notes LDAP, Directory Assistance
. (DN)
LDAP Domino (
Notes ), ,
8.3.
8.3.
LDAP Directory:
312
fullname= CN=Brendan Hinkle/OU=Finance/O=Acme,

, Domino cookie LTPA
(DN) cn=Brendan C Hinkle, ou=West, o=Acme, dc=acme, dc=com,
Domino person, Directory Assistance
LDAP. SMTP-
, ,
Domino person .
Domino 11.9.4,
Domino.
cookie , , cookie
DN . (indirect mapping)
cookie
(cookie) (DN) . ,
8.2, LDAP notesname,
, empid, emploeeid Domino. ,
Domino DSAPI.
, cookie LDAP empid=10543, Domino DN , LDAP
empid=10543,
cn=Brendan C Hinkle, ou=West, o=Acme, dc=acme, dc=com.
DN , Domino , DN , Directory Assistance
LDAP. , DSAPI ,
, cookie, empid, Notes. ,
DSAPI empid=10543 Domino.
employeeid Domino ID , , Domino ,
CN=Brendan Hinkle/OU=Finance/O=Acme.
, .
, ,
cookie , !
313
8.3.5
(data flows)
(). , , - -.
,
.
(authoritative sources),
. , ,
, ,
-.

. , -,
.
8.3.6 -
(events) ,
.
, ,
. , -, . ,
. , .

, .
8.3.7
. ,
IBM.
Lotus Domino .
ADSync
Active Directory Synchronization, ADSync,
Active Directory (, ) Active Directory Domino Directory
Active Directory Users Computers Console.
Lotus Active Directory Synchronization Domino Administration ,
Active Directory.
314
, ADSync . , Windows Domino Directory, ADSync . Domino Windows

, .
ADSync , ADSync
Domino , , ,
Domino Administrator. , ,
Domino .
ADSync , Domino 6. C
Active Directory Domino Directory, person
group, Notes ID, .
Active Directory Notes ID
Domino Directory. Domino 6 ,
Domino Administration 6 .
, (sub policies), , , Domino,
. Active Directory
, .
ADSync
IBM Active Directory Synchronization with Lotus ADSync,
REDP0605, PDF- :
http://www.redbooks.ibm.com/redpapers/pdfs/redp0605.pdf
LDAPSync Solution
LDAPSync Solution , IBM Software Services for Lotus. ,

, LDAP, Domino.
,
, Domino, Lotus.

Notes ,
. ,
Domino .
:
1. LDAPSync: LDAP Domino.
315
2. SynchroNSF: Domino, ( , , Domino,

).
3. RunAgent: - Domino.
LDAP Domino.
LDAPSync . ,
:
, -,
Domino. , , LDAP: (, ..),
. LDAPSync
Domino.
, LDAP, . , , , LDAP. , , Employee
Change Requests Travel Requests.
/ LDAPSync.
Notes (Notes
Names&Address Books) .
RunAgent ,
. LDAPSync. ,
Notes (Notes Full Names),
X.500 (X.500 Distinguished Name).
SynchroNSF Domino .
, Software Bug Reports, Domino.
.8.1 , .
LDAPSync
:
(simple synchronization);
(broadcast);
(summarization);
(consistency).
316
Corporate
Directory
(LDAP,
non Notes)
Target
Notes DB
3:replication
1:Download
SyncohoroNSF
Transactions
waiting
(Notes DB)
LDAPSync
Transactions
Ready
(Notes DB)
2:Format
Full Names
Run Agent
.8-1. LDAPSync

(simple synchronization) , - - ( ).
source database
destination database
.8-2.
,
Domino (),
(). .
, LDAP - Business card, , (ObjectClass=Person).
(Name), (First Name), (Address)
(Phone number).
, - ( )
. ,
LDAP, ,
Person Domino.
(broadcast) - - ( ).
317
destination database 1
source database
destination database 2
.8-3.
- -, ,
LDAP , , ,
. -
-
, -.
(summarization) - - ( ).
source database 1
source database 2
.8.4

() ().
- -
-.

(data consistency)
- (
), .
318
source database
.8.5
- ,
-. , -, ,
-.
Domino
, . , Person
Domino
. ,
Domino, , Customer management ( ),
Sales leads ( ) Purchasing ().
Person, Domino
, .
- , . , - - (
), - ( ). ,
( ).
LDAPSync () , /
, .
, (,
LDAP ), -,
, [ Domino,
Contacts () ..], -. LDAPSync ,
.
, LDAPSync
- LDAP Domino
Domino. IBM Tivoli Directory Integrator, .
319
IBM Tivoli Directory Integrator

, ; ; ;
, (HR), (CRM), (ERP) .
, Directory Integrator .
,
, Directory Integrator

, .
(connectors),
Java
c Directory Integrator :
-;
,
, , (provisioning);
, (, Web-),
.
(identity management) IBM,
, ,
(online), , .
IBM
(, ), ( , ),
( Web- ) (
) ,
.
Directory Integrator :
(assembly line),
320
,
//
(). , . , , , ..
(connectors)

. . ,
.
(Event Handler),
Directory Integrator
,
(, , ,
, HTML- Web-
, Simple Object Access Protocol
(SOAP) Web-, ).
(parsers)

, .

.
, , ,
, LDAP Data Interchange Format (LDIF),
Extensible Markup Language (XML), SOAP, Directory Services
Markup Language (DSML), .
(hooks),

.
(Link Criteria), ( ) .
, , () =
(), ,
, , f()=().
: equals (), not equals ( ), contains (), starts with
( ), ends with ( ).
.
321
(Work Entries), ,
.
Java perl-,
.
,
.
( ) :
Btree Object DB Connector,
Command Line Connector,
Domino Users Connector,
File System,
FTP Client Connector,
Old HTTP Client Connector,
HTTP Client Connector,
Old HTTP Server Connector,
HTTP Server Connector,
IBM MQ Series (JMS),
IBM Directory Changelog Connector,
JMS Connector,
JNDI,
LDAP,
Lotus Notes,
MailboxConnector Connector,
Memory Stream Connector,
Netscape/iPlanet Changelog Connector,
NT4,
Script Connector,
SNMP Connector,
TCP Connector (generic),
URL Connector (generic),
(Runtime provided) Connector,
Web Service Connector,
C.
Directory Integrator (assembly line),
.
,
.8-6
322
DS3
DS1
DS2
.8-6. Directory
Integrator
(data source) DS3,
DS1.
DS2. Directory Integrator
(assembly line).
, . ,
,
.8-7. , , . .8-7
, .
DS3
DS1
DS3
DS2
DS1
DS2
.8.7

323
, , , (,
),
. ,
. ,
. Directory Integrator
, ,
, , .

Directory Integrator (GUI).
GUI Idaptodom.
.8-8.
GUI
324
LDAP,
readldap. LDAP. Domino, updatedomuser Domino User. LDAP, LDAP GUI . .8-8 GUI.
-,
(), .8-9 ( ).
.8-9, InternetAddress, .
(Domino). .8-10 , -
.8-9.
GUI
325
.8-10.
GUI
Domino User. . 8-10 , Connector Attribute InternetAddress ,
, InternetAddress ( ).
Domino User,
.
(),
. , GUI Directory Integrator.
.
, Directory Integrator
-, , Web-.
326
JDBC
Web Service
JMS
RDBMS
LDAP
Web
.8-11. Directory Integrator

Web service
8.4
, . , , , , . , , .
,
, ,
.
(unified directory service)
. , , ,
,
. (metadirectory) ; , ,
. , .
IBM ,
, .
, ,
.

. , -
327
, . , , .

, , .

.

, (ID) .

(unique keys) , . ,
- -.
,
. , ,
, . ,
SMTP- ;
.
, . ID
,
. , (primary) (secondary) . , ID , SMTP- , , .

, (
) . , :
;
.

, . .

. , , , Domino, Active
Directory, PeopleSoft HRMS ..
328
, (, , ). ,
, ,
. LDAP,
LDAP. . -,
LDAP .
.8.12, Dept 3
1, Mail 2
3. , .
CN=David Hinkle
EmpID=1234
Dept=LPS ISSL
Mail=dave@ibm.com
CN=David Hinkle
EmpID=1234
Dept=ISSL
1
CN=David Hinkle
EmpID=1234
Phone=555-1234
Mail=dave@ibm.com
.8-12.

. ,
- .
, , (, A , , ).
-,
.
.8.13,
(master record).
, -
( 1, 2 3) . ,
CN EmpID ,
1 2. , -
329
(). , ,
, ,
. , . . ,
, .
,
( ) .
CN=David Hinkle
EmpID=1234
Dept=ISSL
CN=David Hinkle
EmpID=1234
Dept=ISSL
Mail=dave@ibm.com
UID=DH9876
1
CN=David Hinkle
EmpID=1234
UID=DH9876
.8-13.
,
, , .
- ,
, .
,
. () .
.
. , .8.14, -,
- , .

, ,
330
LDAP . ,
, ,
, ( . ). LDAP,
, , .
, LDAP
, .
LDAP . , 3 LDAP.
3 Domino LDAP
Domino Notes
LDAP. ,
.8.14 ,
IBM Tivoli Directory Integrator, LDAP IBM Directory Server.
CN=David Hinkle
EmpID=1234
Dept=LPS ISSL
Mail=dave@ibm.com
Notesname=David Hinkle/Phoenix/IBM
CN=David Hinkle
EmpID=1234
Dept=ISSL
1
CN=David Hinkle
EmpID=1234
Phone=555-1234
UID=DH9876
Mail=dave@ibm.com
2
CN=David Hinkle
EmpID=1234
Dept=ISSL
Mail=dave@ibm.com
UID=DH9876
Phone=555-1234
Notesname=CN=David Hinkle,OU=Phoenix,O=IBM
LDAP
.8.14 - LDAP
331

. :
(object classes): .
, .
8.3.2, .
(attributes): . ,
OrganizationPerson Title.
Title . , , Person CN [common name ( )] SN [surname ()].
8.3.3, .
[Directory Information Tree (DIT)]:
LDAP .
,
(branches) (leaves),
(end nodes). , ,
, (Distinguished Name, DN).
, , (, CN=users), (OU=).
, LDAP
. LDAP. , , .
DIT , (DN) . DN
. , DN
CN=john q public,OU=sales,O=acme,C=us UID=jsmith4
,CN=users,DC=acme,DC=com.
X.500, C=US . , DNS DC=acme, DC=com . ,
, , , DN ( )
UID (User ID). , , ,
,
.
( 10000 ) .

, . ,
:
332
DN= uid=bhinkle,cn=users,dc=acme,dc=com
cn=Brendan C Hinkle
mail=b_c_hinkle@acme.com
DN= uid=bhinkle2,cn=users,dc=acme,dc=com
cn=Bill Hinkle
, , DN.
, , , DN,
.
, .
. , ,
, , , . ,
( ),
,
:
DN= uid=bhinkle,ou=sales,dc=acme,dc=com
mail=b_c_hinkle@acme.com
DN= uid=bhinkle2,ou=hr,dc=acme,dc=com
OU DC ( 10000 ) , . ,
, () .
X.500 DNS, . , X.500
,
. DNS
- X.500 SMIME-. ,
35 , . , -
. , , , , . DNS
DIT , LDAP.
333
DIT .
. - . DIT, ,
,
.
DIT
:
;
( );
;
(, );
.
, ,
LDAP? , LDAP-
X.500 Open LDAP. LDAP,
, . LDAP , LDAP- .
LDAP ,
.
LDAP LDAP , .

, .
,
, ,
Middleware
Architecture Committee for Education (MACE). :
http://middleware.internet2.edu/dir/
, ,
, .
.
.
334
, ,
:
Charles Carrington (Editor), Timothy Speed, Juanita Ellis, and Steffano Korper, Enterprise Directory and Security Implementation Guide: Designing and Implementing Directories
in Your Organization.
8.4.1

. (account provisioning) ,
.

.

.
(service) ,
, .
. Notes.

(account)
. , , . (credential)
,
,
. :
.
() ( ) .
(ID)
.
. , ,
, .
335
,
. ,
, Enterprise Directory.
, favorites,
.
,
.
(registration)
. ID, .. () .
, ,
, , ..
( ) , ,
.
, .

(entitlement)
. ,
, . ,
- , , , .

,
- . , Domino, , (Directory Integrator). - ,
, , ,
, .. ,
336
(Instant Messaging), .
,

. ,
, -.

, . ,
, ,
. ,
. , , . -
, . ,
,
.
8.4.2

, .
, , ,
.
(SSO)
, , . ,
,
(enterprise access management systems). IBM Tivoli Access Manager Netegrity Siteminder.
, ,
:
LDAP;
;
337
, ,
, , ;
Web- .
, , SSO . , SSO,
, ,
( ).
IBM Tivoli Access Manager
IBM Tivoli Access Manager for e-business, REDP3677.
8.5
.
. , , , , , .

[single sign-on (SSO)]. ,

.

.
. :
, , .

. , -,
.

, .
, ,
, .
,
-, .
:
338
;
(DIT).

.
: , , . ,
, , .
.
() :
;
;

;

;
;

.
339
9
(hardening)
, - , .
(), ,
.
, (hardening),
(. . , , )
, .
,
Lotus- , :
Windows ( NT)- :
Win32 WindowsNT4.0, Windows2000 WindowsXP;
UNIX/Linux- :
Sun Solaris 8;
Linux ( 2.4) SuSe Red Hat;
IBM AIX.
, , ,
.
(hardening)
341
9.1
.
,
- .
9.1.1
, , . ,
. , ,
. ,
, .
, .
, ,
. , ,
, . ,
.

,
.
, , , ,
Windows Linux, . , 1 , .
,
, .
, .

100% , ,
, , ,

.
,
. , . (service pack) ,
1
342
, . . .
, CD (-) .
,
, .
(,
up2date Red Hat Windows Update Tool Microsoft).
, ,
, , , .

-. ,
, , , . ,
Windows Server Internet Information Server (IIS, ), .
, ,
, ,
. , ; , , .
, ,
. :
netstat an
, , , Nessus, Nmap Stealth,
- , .

- , ,
, ,
-.
,
, -. ,
, ,
. -,
, . ( , -
(hardening)
343
.
.)
. (, , ) (PSPG Policies, Standards, Procedures Guideline) ,
.
9.1.2
,
- , . ,
, .
, ,
-. ,
,
, , ,

, ,
, 4.1, . .
,
, , , . , , , , . UNIX, Windows ( NT) , ,
.
,
, ,
. ,
, , , ,
.
,
, , . , . ,
, .
344

,
.
. ( Microsoft ISA
Server, http://www.microsoft.com/
isaserver/.)
, , ,
TCP-. IP- ( )
,
, .
, P2P ( , , KaZaa, Morpheus, eDonkey ..), . ,
P2P . HTTP , , P2P, .
, Web- URL- , Web- .
, , . , Web- IP-,
URL-. , , ( ),
, , .

,
. , , Bluetooth.
,
.
.
, , ,
. ,
.
(hardening)
345
, , , ,
, , ,
P2P-
( ) ,
, .
, , . 2, ,
, ,
, .

NMap ( Network Mapper) , URL-:
http://www.insecure.org/nmap
NMap open source1, UNIX,
Windows (NmapNT).
IP- ( ) :
;
() ;
;
.
NMap . f (), NMap
IP-. NMap TCP- ,
(Intrusion Detection Systems, IDS).
, , , , .
, Nessus, NMap ,
NMap .
9.1.3

- ,
, -.

- , .
1
346
Open source . . .
9.2
, -,
, .
, Lotus Notes,
- Sametime

, - .
,
, . ,
: 1 . ,
, .

(, , ), , ,
. -
,
.
.
, , . ,
-, -.
9.2.1
, ,
, . ,
, .

, . :
, ;
, ,
.
,
, .
1
- . . .
(hardening)
347
,
.
,
. , - ,

.

, , ,
:
1. .
(
QNX). .
, .
2. . , PDA ( Palm OS). . , .
3. . , Microsoft
Windows.
, . , , Windows Server
Operating Systems ,
,
( Terminal Services).
4. . . Linux. , ,
-
.
348
PDA Personal Digital Assistant, , , / .

. .

. ,
. , , .
. ,
.
. ,
.
. ( , , , ..), ,
.
. , ,
, .
. , ,

(APIs, Application Programming Interfaces).
. (Graphical User Interface, GUI),
.
, .
,
, .
.
, , .
, Windows
UNIX, :
Windows 2000 (Maximum Windows 2000 Security, Sams, 2001, ISBN 0672319659);
Linux (Maximum Linux Security, Sams, 1999,
ISBN 0672316706).

Windows Linux.
(hardening)
349
9.2.2 Windows
Microsoft Windows , ,
Windows . , . ,
Windows .
, , , Windows , :
/. Microsoft
( ).
,
:
1) ; 2)
.
. ,
Windows , ,
. , Windows
.
, , . , , , -.
. , Windows, , , (Event Viewer). Windows ,

.
. Windows ,
, .
. ,
, , Microsoft - , .
, , .
,
.
. Windows . ,
.
350
,

, .
,
.
Windows ,
. , , , ,
Windows .
, ,
Windows. ,
:
SecurityFocus:
http://www.securityfocus.com/
NT:
http://www.ntbugtraq.com/
CERT:
http://www.cert.org/nav/index_red.html
, ,
.
, Windows . Linux ,
.
9.2.3 Linux
Linux
. - ,
Linux , . Lindows Red Hat-, Linux ,
IBM. , ,
Linux.
Linux
, Windows. ,
- , - , , Linux.
, Linux
, ,
, . Linux :
(hardening)
351
root. , , root . , root , . Administrator Windows NT, root

,
Linux. , , . ,
root Web- , root
, . , (, Lindows) root .
. , Linux
, , . ,
,
Linux. () Linux
,
, Linux -
,
rpm, .
,
. , HTTP-, FTP-, .., .
. Linux (Maximum Linux Security): Linux
( ),
.
, ,
,
-. .
(open source).
Linux , , Linux . , Linux , ,
, , , . , , . , ,
Linux -
352

. , ,
. , Red Hat
, , , .
,
, .
Linux- Web (, Caldera, Red Hat, SUSE, Turbolinux) ,
UNIX SecurityFocus (http://www.securityfocus.com/unix), ,
.
Linux Windows. ,
,

, .
Windows Linux,
Solaris AIX, , Domino.
Domino , zOS (OS/390) OS/400 (
zSeries - iSeries). , .
9.3 Windows ( NT)

Windows ( Win32).
, NT- Windows, :
Windows NT 4.0,
Windows 2000 Server,
Windows XP Professional.
Windows XP Professional, Windows (Linux ), , ,
,
.
Windows ,
, , , -
(hardening)
353
. , :
1) 2) , -.
Web- . , ,
-.
9.3.1 Windows NT 4.0

Windows NT 4.0 Microsoft .

, ,
Windows NT 4.0. , , , , .
. , ,
Windows, .

Windows NT 4.0 Server , .
, , . ,
. ,
,
,
, .

, , , , . ,
, ,
. , .
, Windows NT 4.0
:
NTFS, FAT. NTFS (access control lists,
ACLs) .
354
.
FAT, , , NTFS.
, ACLs
.
, (, , ).
, DMZ Web, Domino DNS
.
(Service Pack) , .
Service Pack 6a, .
, . :
Remote Procedure Call (RPC),
NetBIOS,
Computer Browser.
.
, , .
:
(Control Panel Network Services):
Workstation. , , at.
, Server,
.
Server. .
, .
WINS TCP/IP. (Control Panel Network Bindings).
(All Protocols). WINS Client (TCP/IP)
/ (Disable/Remove).
. DMZ- .
, :
Alerter. ,
.
ClipBook.
.
(hardening)
355
DHCP Client.
.
Messenger. ,
.
NetBIOS Interface. NetBIOS TCP/IP.
Net Logon. ( )

() .
Network DDE.
.
Network DDE DSDM.
(Dynamic Data Exchange, DDE) DDE-.
TCP/IP NetBIOS Helper. NetBIOS
TCP/IP, IP-.
,
, ,
, telnetd FTP. ,
,
. , , ,
IP- , .
IP- DMZ.
IP-, IP Windows NT.
TCP/IP (Control Panel Network Protocols TCP/IP Protocols Properties Advanced).
(Enable Security) (Configure). , .
,
; .
,
.
.
(Administrator) -
.
.
,
.
, , , . ,
.
356
. , , :

.
, .

, 24 .

. 30 .
(Everyone).

(Access This Computer From the Network),
, .
.

: ; ; , .
(
5). .
SYSKEY (Security Accounts Manager, SAM).
SYSKEY 3; ,
6a SYSKEY
.
OS/2 POSIX.
C2SECURITY Windows NT (Resource Kit) .
, ,
OS/2 HKEY_LOCAL_MACHINE\SOFTWARE\
Microsoft\OS/2 Subsystem for N.
Os2LibPath Environment:
H K E Y _ L O C A L _ M AC H I N E \ S Y S T E M \ C u r r e n t C o n t r o l S e t \ C o n t r o l \
SessionManager\EnvironmentOs2LibPath.
Optional, POSIX OS/2
:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
Manager\SubSystems.
%WINNT%\system32\os2 .
, ,
- ,
, .
(hardening)
357

, . ,
, , .
,
. Windows NT , ,
, .
, . :
.
(Internet Information
Server, IIS) v2.0, Windows NT, Web-. IIS
,
IIS.
, IIS
, .
, TCP/IP. . NetBEUI , IPX .
IPX NetBEUI.

.
,
DNS-. Web-,
DNS. , , ,
, (Simple Network Management
Protocol, SNMP) DMZ.
, (community) - . SNMP , ,
.
WINS. NetBIOS
DNS, LMHOSTS.
DHCP- (relay). , DMZ-
(, , , ).
IP- (IP Forwarding),
.
, IP-.

.
358
(Internet Explorer) 5 5.5:

, . , . 5 5.5 , . , , , ,
Windows NT 4.0, . , .
Windows NT 4.0 DMZ- ,
4.01 2 (Internet Explorer 4.01 Service Pack 2).
. Internet Explorer 4.01 SP1 Windows NT -

(Option Pack CD), Internet Explorer 4.01 SP2
.

Windows NT,
. , . Windows NT .
1, , :
HKEY_LOCAL_MACHINE\SOFTWARE
\Microsoft\Windows NT\CurrentVersion\Winlogin
DontDisplayLastUserName
1, :
HKEY_LOCAL_MACHINE\SYSTEM
\CurrentControlSet\Control\Lsa
RestrictAnonymous
, . (
3 .):
\CurrentControlSet\Control\SecurePipeServers\winreg
1, NTFS
8.3. ( 8.3 Win16, .
,
8.3.):
(hardening)
359
\CurrentControlSet\Control\FileSystem
NtfsDisable8dot3NameCreation
0,
(ADMIN$, C$
. .). (,
( ) net share /d.):
\CurrentControlSet\Services\LanmanServer\Parameters
AutoShareServer
1 ,
( ):
\CurrentControlSet\Services\Eventlog\Application
\CurrentControlSet\Services\Eventlog\Security
\CurrentControlSet\Services\Eventlog\System
RestrictGuestAccess
0 ( Windows NT 10 , , ):
\Microsoft\Windows NT\CurrentVersion\Winlogon
CachedLogonsCount

(Access Control Lists, ACLs).
(Everyone) ,
(Full-Control) (Administrators) (SYSTEM). (Owner) (Full-Owner control):
\Microsoft\Windows\CurrentVersion\Run
\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWAR
\Microsoft\Windows\CurrentVersion\RunOnceEx
\Microsoft\Windows NT\CurrentVersion\AeDebug
\Microsoft\Windows NT\CurrentVersion\WinLogon
360
Windows NT 4.0
Windows NT 4.0 . EventLogs, Windows.
.
Windows, .
(,
FTP, HTTP, SMTP . .), . , (Performance Monitor). EventLog,
.
, .
Windows NT , .
, , . , 100%,
,
. , .
? , . .
EventLogs
EventLogs Windows NT ,
(Event Viewer).
Windows NT EventLogs syslogs UNIX.
EventLog (Application Log), (Security Log) (System Log). , Windows NT .
, .
:
\CurrentControlSet\Services\Eventlog\Application
\CurrentControlSet\Services\Eventlog\Security
\CurrentControlSet\Services\Eventlog\System
File
(hardening)
361
File . , .

, Windows IIS Web-,
: Web, FTP SMTP.
,
. .

Web FTP.
(Properties) .

(Performance Monitor). %SystemDrive%\PerfLogs.
DefaultLogFileFolder
:
\CurrentControlSet\Services\SysmonLog
DefaultLogFileFolder

%SystemRoot%\SchedLgU.Txt.
,
, .
LogPath :
\Microsoft\SchedulingAgent
LogPath
Windows NT. , Windows.
, , NT 4.0 Windows
,
.
9.3.2 Windows 2000

Windows 2000 , Windows
NT 4.0, , ,
. ,
362
, , ,
. , , Microsoft
Technet, .

Windows 2000 , . , , , , , Windows 2000.
Windows 2000 Windows 2000. Windows 2000 , Windows NT 4.0.

( - ),
.
Windows 2000 , ,
, . , , , . - ,
, . :
, .
, Windows NT 4.0, ,
Windows 2000 .

, . ,
,
, .
, .
Windows 2000 NTFS, FAT. NTFS
(ACLs) .
.
FAT, , , NTFS.
, ACLs
.
, ,
. DMZ
(hardening)
363
, ,
. , , IIS- FTP, HTML-. , , , Windows Media
.
Microsoft (File and Printer
Sharing for Microsoft Networks). (Custom),
.
Web
SMTP, Microsoft (Microsoft Networking Client) ,
. ,
RPC
Microsoft. IIS, SMTP.
IP (IP Protocol Properties). IP DNS DHCP.
(Advanced)
:
a) DNS.
DNS (Register This Connections Addresses in DNS).
b) WINS;
WINS. NetBIOS,
LMHOSTS. NetBIOS
TCP/IP NetBIOS TCP/IP.
c) (Options) TCP/IP-, Windows NT 4.0.
.
DMZ- .
telnetd. - telnet
, telnet
TelnetClients.
TelnetClients, , telnet . telnetd
Telnet TelnetClients.
DNS-. . DNS. (Notify)
, (Only Allow Access From Secondaries Included on Notify List).
, . ,
DNS-, Windows NT 2000,
. -
364
, ISC BIND
(Internet Software Consortium Berkeley Internet Name Daemon),
UNIX-. ,
GUI1, , BIND. ISC
:
http://www.isc.org/products/BIND/

, .
:
, CA [Certificate Authorities
( )] , . , . , Lotus Domino
SSL, , , .
, SNMP (Management and Monitoring Tools), (community) .
(Active
Directory). , DMZ-, DMZ DNS .
Windows 2000
Windows NT 4.0 ,
.
, , /
. , , , .
Windows 2000 Microsoft Microsoft (Microsoft Management Console, MMC). (Security Templates Tool) , .
(Security Configuration and Analysis Tool) 1
GUI Graphical User Interface ( . . ..
(hardening)
365

, , , .
MMC. .
,
(High Security for Workstations), HISECWS.INF. , Microsoft , Web-.
, Windows
NT 4.0. HISECWEB.INF Microsoft
URL:
http://support.microsoft.com/support/misc/kblookup.asp?id=Q316347
:
1. %windir%\security\templates.
2. .
3.
.
4. (Analyze Computer
Now) .
5. .
6. , , .
.
, WordPad. , ,
.
. , , , .
;
; .
, ,
. , , .
, , ,

.
.
366
. , , SECEDIT. , Telnet. .
,
, , , -. ,
, , HTTP, FTP SMTP, .
, ,
IIS , . - . 9-1.
9-1. -, IIS
IIS
IIS SDK
Admin Scripts
Data Access

\inetpub\iissamples
\inetpub\iissamples\sdk
\inetpub\AdminScripts
\Program Files\Common Files\System\msadc\Samples
, , DMZ:
Microsoft Windows NT 4.0 and IIS 4.0:
http://www.microsoft.com/technet/security/iischk.asp
Microsoft Windows 2000 Server and IIS 5.0:
http://www.microsoft.com/technet/security/iis5chk.asp
Microsoft SQL Server:
http://www.microsoft.com/technet/SQL/Technote/secure.asp
http://www.sqlsecurity.com/faq.asp
Windows 2000.
Windows NT 4.0 Windows 2000 , .
Windows 2000 , Windows NT 4.0.
9.3.3 Windows
, .
,
(hardening)
367
, ,
Windows (NT, 2000, XP),
.
,
, Windows .
, - ( ) ( ),
: .
, Windows NT,
2000 XP; ,
.
, Windows Windows .
Lotus Collaborative,
. , , Windows,
, . ,

, .
Microsoft
( Steps to Personal Computing Security),
URL:
http://www.microsoft.com/security/articles/steps_default.asp
Windows, ,
Windows NT (NT 4.0, 2000 XP). , Windows 9x 95, 98, 98SE ME,
. , -,
9x, Windows NT.

Windows NT, 2000 XP . ( Windows 95, 98 ME,
. , 9x
.) , , .
368
, Windows,
(
) .
,
,
- .
. , ( )
, . , , . , ,
. ( , 2, , .)
,
.
Windows
. - ,
, .
, .
: , ( ). .
1. , , .
:
. (
, , ,
.)
(, , , ).
, ;
.
2. , ,
. , .
, .
(hardening)
369

,

.
,
, , , . , . ,
. , , .
Norton Anti-Virus (NAV), McAffees
VirusScan ,
. , .
Windows.
Microsoft
(Microsoft Update Center)
Microsoft Windows .
Microsoft
( ),
. , , , , .

:
1. , Microsoft (http://windowsupdate.microsoft.com/) Product Updates.
2. , - (CRITICAL UPDATES AND SERVICES PACKS); .
(Download).
, . . , , ,
, .
, ,
370
, ,
. , -,
, .
Microsoft
(Microsoft Baseline Security Advisor, MBSA)
Microsoft , . URL MBSA :
http://www.microsoft.com/technet/security/tools/tools/MBSAhome.asp1
MBSA .
2002 . , Web
, Microsofts Personal Security Advisor (MPSA),
. MBSA
Windows NT 4.0, Windows 2000 Windows XP ( ,
Windows).
MS IIS MS SQL.
MBSA ( ),
. MBSA . , , , -, .
. , ,
Microsoft,
, MBSA.
.
, ,

. , - , ,
, , ,
.
,
, -. , Microsoft ,
.
, ,
, , , , ,
.
1
: http://www.microsoft.com/technet/security/tools/
mbsahome. , Microsoft Baseline Security
Analyzer. . .
(hardening)
371
MBSA ,
. MBSA
, , .
IIS Web- Microsoft

Windows NT 4.0, 2000 XP Web
, Microsoft (Internet Information Server, IIS). ,
Code Red, ,
IIS.
, -, MS IIS Web-.
1. MS IIS Web-, .
MS IIS Web- ,
. ,
Web- (, IIS) , .
, , . , IIS , , , -
, Windows , 100% , - .
2. MS IIS Web-.
MS IIS Web- MBSA,
. ,
, Web- ( ). MS IIS Web-. Microsoft , IIS,
Windows 2000 Windows XP.
Microsoft (Microsoft Network Security Hot Fix Checker), Hfnetchk.exe, URL:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q303215

Microsoft, Hfnetchk.exe,
(Q305385) :
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305385
Microsoft,
Microsoft Technet Web URL:
http://www.microsoft.com/technet/security/current.asp
372
, Microsoft MS IIS Web-

. . IIS Microsoft, URL:
http://www.microsoft.com/technet/security/tools/tools/locktool.asp
Microsoft SQL-
Windows NT 4.0, 2000 XP
, (Structure
Query Language, SQL). MS SQL-.
MS IIS, .
Slammer.
Microsoft SQL- .
, , , . MS SQL-
:
1. MS SQL-, .
MS SQL-
,
. , ,
(, MS SQL-) , .
, ,
.
, MS SQL- - , -
. , .
MS SQL-
, , , - , Windows , 100% ,
- .
, MS SQL- , ,
.
2. MS SQL-
MS SQL- ( )
MBSA, .
,
MS SQL- , . MBSA , .
.
Microsoft, Hfnetchk.exe, (Q303215), .
(hardening)
373

Microsoft, Hfnetchk.exe,
(Q305385).
Microsoft, Microsoft Technet Web.

- (
). ,
, .
, Symantec, Norton Anti-Virus, Symantec
Security Check ( Symantec), . URL:
http://security.symantec.com/ssc/home.asp
Scan for Security Risks
( , . . ),
Scan for Viruses ( , Norton
Anti-Virus) Trace a Potential Attacker ( ,
IP-). , .
, , , Scan for
Security Risks ,
. , - , - .
,
, Scan for Viruses
, .
- . , , .
. .
-, Symantec - ActiveX.
, , , ,
. , Symantec
,
. ,
; .
-, Symantec . ,
, ActiveX Symantec
25.06.2003, ( ) ActiveX,
. :
http://www.sarc.com/avcenter/security/Content/2003.06.25.html
374
Symantec . ,
- . , Gibson Research
Corporation ShieldsUp!,
. URL:
http://grc.com/intro.htm
!
, Symantec Gibson Research.
,
, , -
.
9.3.4
Windows.
-, , ,
, ,
,
:
Microsoft (http://www.microsoft.com/security/)
:
http://www.microsoft.com/security/articles/steps_default.asp

http://www.microsoft.com/technet/security/tools/tools.asp
Windows NT CERT (http://www.cert.org/tech_tips/win-resources.html)
Windows NT
http://www.cert.org/tech_tips/win_configuration_guidelines.html

http://www.cert.org/tech_tips/home_networks.html

http://www.cert.org/other_sources/viruses.html
SANS
(http://www.sans.org/rr/index.php)
Windows 2000
http://www.sans.org/rr/catindex.php?cat_id=66
. Web ,
.
(hardening)
375
9.4 UNIX
UNIX-. UNIX
Windows ,
.
UNIX , ,
. UNIX , BSD AT&T System V. UNIX .
UNIX, BSD:
OpenBSD,
FreeBSD,
NetBSD,
BSDi,
MacOS X,
SunOS 4.
UNIX, System V:
HP-UX,
Solaris (SunOS 5).
. AIX, , , ,
BSD, System V , . -
AIX . . 9.5,
AIX.
, Linux? ,
Linux UNIX.
BSD System V.
, , Linux
. Linux GNU (http://www.gnu.org), -
GNU/Linux. GNU/Linux,
, , ,
.
, , Windows NT, Windows
2000 Windows XP, , UNIX Linux,
.
,
UNIX Linux. , ,
, .
376
9.4.1 UNIX Linux

, UNIX ( GNU/
Linux) , , .
, ,
, , .
, , ,
.
, , (e-mail) . e-mail root, , , .
, ,
.
UNIX GNU/Linux
. , :

, ;
;
, ,
( ), .
UNIX,
, Web- CERT URL:
ftp://info.cert.org/pub/tech_tips/UNIX_configuration_guidelines
9.4.2
, UNIX,
, , SWAP /tmp. ,
(denial-of-service) (out-of-disc-space).
: UNIX
FTP, , Domino- ,
, mail.box .
(hardening)
377
.
(/). ,
, ,
, /bin, /sbin, /etc /lib.
/dev /devices.
GNU/Linux /boot,
/lib.
/usr. , ,
. /usr
, ;
(, mount) .
/var. ,
, Web, , , ,
.. / , /var
, .
/usr/local (/opt Solaris). ,
. /usr/local . , UNIX,
.
UNIX ( GNU/
Linux),
, UNIX, .
9.4.3 inetd
inetd UNIX. -1,
, /etc/inetd.conf.
inetd IP-.
, . ,
, .
, ,
-.
inetd , ,
. - FTP, TFTP, Telnet Berkley r*, .
1
378
- ,
, . Windows
DOS. . .
in.named. BIND. , DNS- , DNS UNIX.

in.fingerd. finger,
, .
UNIX , .
daytime. .
,
.
time. , 32- ,
, 1 1900 .
.
echo. ,
. , .
discard. ,
( ,
). .
chargen. ,
. ,
.
systat. .
.
netstat. .
.
. , ,
UNIX, UNIX.
9.4.4 tcp_wrappers
UNIX tcp_wrappers (
Wietse Venema), , , , , ,
IP- DNS. , , , DMZ - ( , ).
,
GNU/Linux BSD. UNIX, tcp_
(hardening)
379
wrappers ,
URL ( ):
ftp://ftp.porcupine.org/pub/security/index.html

UNIX , (single
points of failure) .
, .
, ,
, . , (DDoS, Distributed Denial of Service), //
.
tcp_wrappers , .
,
.
/etc/hosts.allow
/etc/hosts.deny
, tcp/ip- (, , ),
.
: hosts.allow, hosts.deny.
KNOWN UNKNOWN. ALL
, . man-1 hosts_access, tcp_wrappers.
9.4.5 sendmail
Sendmail UNIX ( GNU/Linux)
(Mail Transfer Agent, MTA).
, sendmail
. suid root, sendmail .
sendmail , STARTTLS
SMTP AUTH. 1
UNIX GNU/Linux , , man (man pages), man [] ////. , man hosts_access man bash.
. .
() suid (set-UID)
- (.. ), , ( ). , suid root ,
root root.
. . .
380
UNIX sendmail ( , ),
. ,
8.9.3 - .
Realtime Blackhole List ( ), , sendmail.
mc :
FEATURE(rbl)dnl
, sendmail SMTP VRFY EXPN. . :
define('confPRIVACY_FLAGS', 'novrfy,noexpn')dnl
, ,
sendmail :
authwarnings: X-Authentication-Warning,
;
needmailhelo: - SMTP HELO;
needexpnhelo: - SMTP HELO
EXPN;
needvrfyhelo: - SMTP HELO
VRFY;
noreceipts: (Delivery Status Notifications, DSNs) ;
goaway: , restrictmailq restrictqrun;
restrictmailq: mailq
;
restrictqrun: .
, Domino UNIX GNU/Linux sendmail 1.
9.4.6 , Linux
GNU/Linux.
, - 1.44 ( Minix).
,
.
GNU/Linux Red Hat, SUSE, TurboLinux,
Mandrake, Caldera, Slackware Debian.
1
(SMTP) Domino,
sendmail, 25. . . .
(hardening)
381
,
GNU/Linux, Domino, . , GNU/Linux , , , .
,
, ,
, - .

, .
Red Hat. , ,
. , Oracle, IBM Check Point,
Red Hat. ,
GNU/Linux, -

, Red Hat.
Debian. . , , ,
, .
Debian
100% . Debian
. GNU/Linux. Debian
, , . ,
Debian
, , , . Debian 3900 , .
SUSE,

, YAST2,
. GNU/Linux,
Domino, TurboLinux Caldera.
GNU/Linux, ,
(Custom
Installation) ,
. , , KDE GNOME, X Windows (
Domino, Domino ). ,
382
,
.
.
(enable shadow password); crypt
MD5.
, . Red Hat setup. Debian
shadowconfig. GNU/Linux man-. MD5 md5
/etc/pam.d.
ipchains, DMZ,
ipchains , - .
, / GNU/Linux.
Debian apt-get. Red Hat, 6.0, up2date.
, ,
GNU/Linux.
, Red Hat Linux, , Bastille Linux,
Linux, , .
Bastille Linux Red Hat Mandrake Linux1, , UNIX , .
Bastille Linux ,
, ( , ),
. , ,
. ,
, Linux. Bastille Linux
URL:
http://www.bastille-linux.org/
Linux.
Linux .
Linux :
http://www.securityportal.com/lasg/
1
Bastille Linux : Red Hat

(Fedora Core, Enterprise, Numbered/Classic), SUSE, Debian, Gentoo, Mandrake HP-UX.
Full Mac OS X. . .
(hardening)
383
9.4.7 , Solaris
Solaris :
(Core), (End-User), (Developer) (Entire Distribution). ,
, ,
. , .
Solaris ,
Sun Blueprints Online, URL:
http://www.sun.com/software/solutions/blueprints/online.html

Solaris.
Solaris : ,
(Solaris Operating Environment Minimization for Security: A Simple, Reproducible and
Secure Application Installation Methodology),
(Alex Noordergraaf) (Keith Watson).
Web- iPlanet, Apache, Domino
Web- .
Solaris (Solaris Operating Environment
Security), . Solaris.
SPARC-; Intel.
Solaris, (Solaris Operating Environment Network Settings for Security),
, .
Blueprints Online Sun , Solaris,
Web- DMZ, Domino.
(Lance Spitzner) Solaris, Check Point FireWall-1
Solaris (
8) Intel SPARC. URL:
http://www.enteract.com/~lspitz/armoring.html
, Solaris Bastille-Linux,
TITAN. TITAN URL:
http://www.fish.com/titan/
384
9.4.8
WAN-, DMZ-
, TCP/IP.

: (Strict SourceRouted) (Loose Source-Routed). , .
Traceroute , .

, .
,
TCP/IP.

:
Solaris :
ndd -set /dev/ip ip_forward_src_routed 0
GNU/Linux
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

Smurf
(direct broadcast)
, :
Solaris :
ndd -set /dev/ip ip_forward_directed_broadcasts 0
ICMP (ICMP echo)

draft RFC, draft-vshah-ddos-smurf-00,
URL-:
http://www.ietf.org/internet-drafts/draft-vshah-ddos-smurf-00.txt
, , IP ICMP-
(multicast) , ,
. , . , ICMP,
, :
Solaris :
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
(hardening)
385
GNU/Linux :
echo 1 > /proc/sys/net/ipv4/icmp_echo_ ignore_broadcasts
GNU/Linux - ICMP. Linux
ICMP:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
ICMP- (ICMP redirect)

, . ,
.
ICMP- , .
ICMP- ,
,
ICMP- :
Solaris :
ndd -set /dev/ip ip_ignore_redirect 1
GNU/Linux :
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
ICMP-
ICMP- .
DMZ-
, :
Solaris :
ndd -set /dev/ip ip_send_redirects 0
GNU/Linux :
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

ICMP- (ICMP type 13)
. .
ICMP- rdate - .
,
.

NTP,
386
, ,
, .
ICMP 13 (
) 14 ( ) .
Solaris :
ndd -set /dev/ip ip_respond_to_timestamp_ broadcast 0
9.4.9
, , , ( ) . : , , , . .
.
. ,
- , , .

, UDP/514.
, , ,
, CD-R, WORM, .
UNIX .
,
syslog.
, /var/log.
, UNIX GNU/Linux
. , ,
(), .
UNIX GNU/
Linux, syslogd , , syslog-ng. syslogd,
, facility.priority
(.).

. Syslog-ng, ,
UNIX GNU/Linux. ,
URL:
http://www.balabit.hu/en/products/syslog-ng/
(hardening)
387
UNIX
GNU/Linux. AIX1, AIX
, .
9.5 AIX
AIX UNIX, , ,

. AIX ,
, , , .
AIX
, , . ,
, ,
, .

AIX .
AIX, ,
AIX,
Lightweight Directory Access Protocol (LDAP) Internet Protocol Security (IPSec).
, Web- IBM AIX :
http://www-1.ibm.com/servers/aix/library/index.html
, , . X11 CDE ,

.
, AIX, , ,
.
, ,
. ,
, ,
1
388
, , 9.4.8, AIX no. . . .
, .
,
.
, ,
, . , .
9.5.1
(login) AIX
, ,
. , . .
herald /etc/security/login.cfg.
, AIX. chsec .
chsec:
# chsec -f /etc/security/login.cfg -a default -herald
Only authorized use of this system is allowed.\n\nlogin:
/etc/
security/login.cfg herald :
default:
herald =Only authorized use of this system is allowed.\n\nlogin:
CDE
CDE (Common Desktop
Environment). CDE . , /usr/dt/config/$LANG/Xresources, $LANG
, AIX.

.
.
lock , AIX windows,
xlock.
(hardening)
389
9.5.2
AIX, . ( , AIX.)

,
.
. AIX
, , :
,
, ;
;
,
.
, , , UNIX,
. dictionlist
( ), , bos.data bos.txt.
dictionlist /etc/security/users:
dictionlist = /usr/share/dict/words
UNIX dictionlist /usr/share/dict/words.
root

, root. ID root AIX
su.
root ,
root ,
, . /var/adm/sulog.
, .
root
/etc/security/user. rlogin root
false.
390
root , AIX ID, root. , , .

root , su root,
, root . , , ,
.

,
.
, .

. , /etc/security/.profile , :
TMOUT=300 ; TIMEOUT=300 ; export readonly TMOUT TIMEOUT
300 , 5 .

,
. , , , .
, root , INTERNAL
FIELD SEPARATOR (IFS), , , sed,
awk cut, .

, , .
umask 077.

, ,
, .
. SP umask 022.
umask 022.

077. etc/security/user.
(hardening)
391

, , ID . ID
.netrc1. ,
, , .
, :
# find 'awk -F: '{print $6}' /etc/passwd&' -name .netrc ls
, . Kerberos.

. 9-2 ,
.
/etc/usr/security2.
- , . chsec (, , , IBM Redbook AIX
Security Tools, SG24-5971-00).
9-2
dictionlist
histexpire
histsize
maxage
maxexpired
maxrepeats
minage
minalpha
mindiff
,
UNIX
,

,

maxage,

,

,

,

/usr/share/dict/words
26
20
4
2
2
13
2
4
. AIX. .
. .
: /etc/security/user. . . .

392
0, ..
, . . . .
.9-2
minlen
minother
pwdwarntime

,

,

,

6 (8 root)
2
5

, ,
(, , ), etc/security/login.cfg1.
,

AIX
ID . , AIX, ,
, ID , . ID ,
.
. 9-3 ID, , , .
9-3 ID
ID
uucp, nuucp
lpd
imnadm
guest
, uucp
,
IMN [
(Documentation Library Search]
,
. 9-4 ID , , ,
.
9-4 ID
ID
uucp
printq
imnadm
1
, uucp nuucp
, lpd
, imnadm
/etc/security/login.cfg. . . .
(hardening)
393
ID ; ID, .
, ID.
9.5.3
Trusted Computing Base ( , TCB) , . TCB
(trusted communication path),
TCB.
TCB . TCB , preservation. TCB
(trusted shell), (Secure Attention Key, SAK).
TCB, /dev
TCB. , TCB
600 , /etc/security/syschk.cfg. TCB ,
, , , CD
, , .
9.5.4
AIX
. .

- ,

. , , .

, , Domino
DB2,
. ID,
, .
394

. , ,

. CD-ROM- CD-,
, CD , , , . , .
(Service Level Agreements,
SLAs), ,
, ,
,
. ( ).
.
(
CD, mksysb /CD).
. , , , IBM , .
root. ,
. , root,
.

AIX
- ,
.
, ,
, .

- , , .
9.5.5
,
. ,

.
(hardening)
395
/etc/security/audit/
events. cron
.
9.5.6 ,
, , .

AIX.
AIX skulker,
.
, /tmp,
a.out, core ed.hup. skulker
:
# skulker -p
skulker, cron
.
,
ID , , . , , find , :
# find / -nouser -ls
, . , .
.

.rhosts.
. .rhosts AIX.
HACMP .rhosts 1. 600 root.system.
.rhosts :
# find / -name .rhosts -ls
1
396
HACMP 5.x . . . .

, . , , ,
root SUID SGID.

, ,
. ,
, AIX. :
# find / -perm -4000 -user 0 -ls
# find / -perm -2000 -user 0 -ls
cron at
cron at .
, ,
cron.allow at.allow, root.
/var/adm/cron cron.deny at.deny.
, cron at root.
9.5.7 , X11 CDE

,
X- X11 CDE (Common Desktop Environment).
/etc/rc.dt
CDE , .
CDE , .

CDE (dt). - , , /etc/rc.dt, CDE.
X-
, X11,
. X-
xwd xwud,
, .
,
(hardening)
397
,
root.
xwd xwud X11.apps.clients.
xwd xwud , OpenSSH
MIT Magic Cookies. , xwd xwud.

X- xhost+ AIX. , xhost+ , X- .
,
X-.
xhost :
# xhost +
xhost
, xhost ,
. chmod /usr/bin/X11/xhost 744, :
# chmod 744/usr/bin/X11/xhost
, xhost . , X-.
. , .
9.5.8
,
.

- ,
.
, ,
; ,
. , , ,
.
, , .
netstat:
398
# netstat -af inet

. netstat .
, ,
/etc/services (Internet Assigned Numbers Authority, IANA) .
.

TCP-, LISTEN, UDP-, .
lsof, netstat -af. lsof AIX 5.1 AIX Toolbox for
Linux Applications CD.
, TCP-, LISTEN,
UDP-, IDLE, lsof :
# lsof -i | egrep COMMAND|LISTEN|UDP
ID
, :
# ps -fp PID#
,
man- .
9.6
, .
, , ,
,
.

,
.
, , , 100% 100% .
, , ,
, .
- , ,
.
.
(hardening)
399

Lotus
, Lotus. Lotus Notes Domino 6, Sametime 3, QuickPlace 2.08, Domino Web
Access (iNotes) 6.x, WebSphere Portal 4.x
IBM/Lotus. ,

Lotus, , Lotus.
10

Notes/Domino
,
Notes/Domino. Domino . , Notes/Domino, .
, Notes/Domino.
Notes/Domino
403
10.1 Notes/Domino
Notes:
() , . , , . 10-1.
. 10-1. Notes
, : ,
Notes. . 10-2.
Notes
. 10-2.
,
,
Notes, ( ) Notes.
,
.
: . .
404
10
10.2

, ,
, , . 10-3.
Notes
. 10-3.
Domino.

.

, , .

, , .

:
, .
, . .

.
Domino Domino (Administration Tools), Lotus, .. Domino Administration 6 Client ( , Web-) Web Administrator 6, WebAdmin.nsf.
Notes/Domino
405

- ,
Notes Web- (. ., Telnet,
FTP ).
10.3

Notes, . 10-4.
Notes
. 10-4.
Notes ,
,
.
10.3.1
,
.
, . - , Notes
Notes
. 10-5.
406
10
Domino Web- Domino. (. ., - -), Notes Notes-Notes.

. 10-5.
, .
: .
(routers) , . (gateways) , , .
, - . IP,
,
.
, . , . , FTP, DNS
(Domain Name System) X11.
; , . ,
. IP, , .
-. -
. ,
UNIX- SendMail 20 000 ,
- SendMail 700 . -
.

. ,
. .
,
, , .
-
OSI (, ) (), (). . . .
Notes/Domino
407
. , .
(demilitarized
zone, DMZ), ,
( ).
, , - .
, , , .
.

Ethernet, Fast Ethernet, Gigabit Ethernet Token Ring, MAC- , , MAC-, .
(shutdown mode) (restrictive mode). ,
.
. , , .
, MAC- , . MAC- , ,
, ,
, . .
OSI, TCP/IP (
), TCP UDP,
, .
.
, , Network Mapper (NMap). :
http://www.insecure.org/nmap/
Nmap
. , . Nmap IP-
, , , () , ( ) -
408
10
, ,
. Nmap ; . Nmap , GNU GPL.
10.3.2 Notes
Notes Domino,
Notes , Notes,
. 10-6.
Notes
. 10-6.
Notes
Notes.
Notes Notes ID, .

, . Notes.
, -, SSL
S/MIME.
:
, .
, .
, Domino Directory, ID- (
). Notes , ,
.
.
.
Notes/Domino
409
, Person,
Server Certifier Domino Directory.
. . ,
,
Domino .
, ,
.
, ,
, ,
.
, -.
, Domino
Notes . ,
-
Domino Certificate Authority (CA), (Certificate Authority). Domino 6
-, x.509v3,
x.509, [Certificate Revocation Lists (CRL)] [Certificate Distribution Points (CDP)].
, , ( ) , , ,
. . (, ), (
) .
.
, , .
(ciphertext). . .
, Notes Domino,
, ,
,
(, RSA Security BSAFE Engine Notes Domino)
, , .
410
10

Notes Domino
( ), ( ), .
,
,
( ).
, . , ; . Notes Domino
.
,
.
, .

. , Notes, Notes.

;
,
, , , (
, ,
, ).
, ,
( ), , (
). non-repudiation (
).
, .
(
) :
1. (message digest)
. ( ), .
2.
, -
Notes/Domino
411
( ) .
3. ,
, .
4.
, . , , .

, , -,
[access control list, (ACL)], Domino .
, Domino , . .
, , , . , , , . Manager ACL
, .
( ): No Access, Depositor, Reader, Author, Editor, Designer, Manager.

ECL, Notes 4.5, (e-mail bombs), ,
(Trojan horses) . ECL ,
.
ECL
. , ,
, ,
,
, .
ECL . , Notes ,
ECL , ,
. , , ECL ( , , : */Lotus, Default) -
412
10
, . ECL , , , ,
, ,
( ), , ECL. : Abort (), Execute Once ( ) Trust Signer ( ). ,
No Signature ( )
ECL.

ID-.
Notes.

Notes.
, - , , Notes ID, . ,
.
, Notes.
, , ,
. Notes
Domino, . ,
, .
10.4
, Lotus Notes Domino.
.
Notes/Domino
413
11

Domino/Notes 6
Domino
Notes 6,
. . Domino 6 Administration Guide
Notes 6.

Domino Notes. Domino Designer 6 . Domino 6 Designer: A Developers Handbook, SG24-6854.
Domino
, , Domino, ,
. ( ) , .

. , ,
,
, .
:
Domino;
;
Domino;
;
Notes Domino;
Web-;
;
.
Domino/Notes 6
415
11.1 Domino
Domino
Security () Server (. 11.1). :
;
;
Domino;
;
.
. 11-1. Security () Server
416
11
11.1.1 Domino

Domino. . Notes, Domino Server ,
. ,
.

Notes . 6, .
Domino 6
Server Notes
. R6 Only allow server access to users listed in this Directory ( , ), Access server ( ) Not access server ( ) Notes.
Domino 6 -,
Notes.
, -
- ( ).
Server Ports () Internet Ports (-),
, , . Yes () Enforce server access settings (
).
11-1 Notes

Server access list
( )
Notes, Domino
, - (HTTP,
IMAP, LDAP, POP3)
Deny access list
Notes -.
( )
, ,
,
,
Notes Person Domino
Directory - , ,
-
Notes ID lock out ( Notes.
Notes)
, Notes
,
,
. Notes
,
, ,

Domino/Notes 6
417
. 11-1

Anonymous access
( )
Network port access

( )
Limit access to create new

databases, replicas, or
templates (

,
)
Control access to a server's
network port (

)
Encrypt server's network port
(
)
Notes Domino
.

,
.
Domino (LOG.
NSF) User Activity ( )
Notes
Domino ,
. , Alan Jones/Sales/
East/Acme, , ,
TCP/IP
Notes Domino
.

Notes Domino

11.1.2
Domino
, ,
Domino. , ,
.
Security () Server.
. :
Full access administrator ( )
, Server;
Administrator () (
);
Full console administrator ( )
( );
418
11
System administrator ( )
.
.
, , , . , , . ,
(, */Sales/Acme).
Administrators (), ; ,
. Administrators () , .
. 11-2. Server

Domino 6
Domino 6. Notes .
, , .
Domino/Notes 6
419
:
;

, ACL ;

Web- (WEBADMIN.NSF);
,
;
,
;
.
. .
, ,
.
, ,
.
ACL .

, :
Full Access Administrators (
) Administrators () Security () Server. .
Full Access Administration ( ) , Administration () Full Access Administration ( ).
, , Server.
Administrator ().
, , , ,
, ,
.

, Domino Designer
( Domino) Lotus Notes.
, .

, Server, , -
420
11
. ,

. , Server .
Full Access Administrators ( ) SECURE_DISABLE_FULLADMIN = 1
NOTES.INI. ,
, Server.
NOTES.INI , , NOTES.INI .
, Server.

:
Full Admin, Full Admin/Sales/Acme, Full Admin. , , .
, .

, Jane Admin/Full Admin/Acme.
Full access administrators ( )
.
.
Full Access Administrators ( ) .
:
Event Handler ( )
EVENTS4.NSF ;
, , ,
Database Properties ( ).
.
! , Full Access Administrators (

), Administrators () Database Administrators
( ) Security () Server,
,
(managers) ACL .
Domino/Notes 6
421
11.1.3 Web-

Domino, Web- , Domino.
Web- Web- (WEBADMIN.
NSF). HTTP- Web- Domino Domino. Web- .
Web-:
Microsoft Explorer 5.5 Windows 98, Windows NT 4, Windows 2000 Windows XP;
Netscape 4.7x Windows 98, Windows NT 4, Windows 2000, Windows XP
Linux 7.x.
.
Domino/Notes 6.
Domino:
Web- Administration Process (AdminP);
Certificate Authority (CA) Domino 6,
Issued Certificate List ( ) ;
HTTP- Web-, .
Domino
Web- (WEBADMIN.NSF) . , Full Access Administrators ( ) Administrators () Server, Web-.
, HTTP- ( 20 ) ACL Web-, ,
Server Full Access Administrators ( ) Administrators (), ACL.
webadmin.nsf
ACL Web- . . 11-2.
,
Administrators () Server.
11-2. ACL Web-

,
Server:
422
11
. 11-2

);
Administrators ()

- Default ( )
Anonymous ()
OtherDomainServers ( )

Web- -,
SSL-. Web- , SSL . Web- , / Web-
Domino (WEBADMIN.NSF) SSL-.
Web- SSL.
HTTP .
11.1.4
, ,
Server.
, Server
. Run unrestricted methods
and operations ( ) , Run Simple and Formula agents ( ) . , . , ,
.
. ,
.
Run unrestricted methods and operations (

)
Domino 6
,
, . Domino Designer 6 .
Domino/Notes 6
423
(Restricted mode).
(Unrestricted mode).
(Unrestricted
mode with full administration rights).
,
Do not allow restricted operations ( ).
Lotus Notes.
Server, ACL (, , ACL ).
.
, (),
, Full Access Administrators (
), Agent Builder.
Full Access Administrators ( )
.
Sign agents to run on behalf of someone else (

/)
, , .
; , .
. , ,
, ACL.
Sign agents to run on behalf of the invoker of the agent (

)
, , ,
. , . Web-. ;
, , ( ).
Run restricted LotusScript/Java agents ( LotusScript/Java)

, , LotusScript Java, , , .
, .
424
11
Run simple and formula agents ( )

, ( , ). ( ,
), .
Sign script libraries to run on behalf of someone else (

/)
,
, /.
, / .
11.1.5
Notes. ,
. , , .
, , .
Domino .
, . -
. 2, .
:
(Registration).
, , -,
.
(Setup). Notes Location .
- -, .
(Desktop).
. ,

,
.
Domino/Notes 6
425
(Mail archiving). .
.
(Security). ECL
, -
Notes.
o -
HTTP.
. - , , (session authentication).
o - Notes.
( Notes - . 11.7, -
Notes.)
o Notes.
o Notes / -.
, (grace periods) history ( Notes).
o . .
. 11-3. Security Settings
426
11
! Person
Server. Domino
, .
Domino ,
, .
ECL, :
ECL ECL .
ECL . Refresh ECL , , ECL; ECL ECL
. Replace ECL ECL. ECL .
ECL : Once Daily
,
ECL ECL; When Admin ECL
Changes ECL
, ECL
; Never ECL .
. 11-4. :
: (organizational) (explicit).
.

, . ,
, Sales/Acme,
*/Sales/Acme. Sales/Acme -
Domino/Notes 6
427

.
,
(Sales) (Marketing),
. ,
Sales/Acme Marketing/Acme , ,
*/Marketing/Acme.
.

. , 6-
, ,
,
.
: , Person
Assign Policy.

,
, , .
, .
,
.

, . , , */Acme ,
60 . Acme . , , ,
. . ,
.
. Policies () User and Server Configuration ( ) Domino 6 Administration Guide.
428
11
11.1.6 -
Domino 6
Internet Site -, Domino. Internet Site [Web (HTTP), IMAP, POP3, SMTP Inbound, LDAP IIOP]
Domino. ,
:
Web Site. Web-,
Domino.
LDAP Site. LDAP- .
IMAP Site, POP3 Site SMTP Site. , IP-, Internet
Site.
IIOP Site. Domino
IIOP (DIIOP) . Domino Domino Object Request Broker (ORB).
Internet Site - . ,
Domino 6 Web-
Domino Mapping, Web realms
() File Protection. .
Domino 6 Web Site,
Web-, ,
Web realm.
Internet Site :
e WebDAV (Web-based Distributed Authoring and Versioning) Web- Domino;
e SSL
(Certificate Revocation Lists) -, ;
e hosted organization (
).
Domino . Domino 6 Administration Guide.
Internet Site ( Site)
.
Site .
.
Domino/Notes 6
429
, Internet
Site ;
.
Domino Internet Site,
Server. , Server .
Internet Site Internet Sites, -, Internet Site .
. 11-5. Server,
-
430
11
! Internet Site Internet Site

- . , LDAP Internet Site
Server HTTP.
Internet Site, Server
-.
:
TCP/IP;
SSL ( TCP
SSL);
,
.
. 11-6. Web Site
Domino/Notes 6
431
Internet Site
Internet Site SSL- ,
- .
SSL -, SSL Server SSL ,
(key ring) .
SSL-
(server key ring file) Internet Site. Internet Site , , .
Security
() .
(Certificate Revocation
List, CRL) -, Domino .
SSL , IP-
Host names or addresses mapped to this site ( ,
) Basics ( )
Internet Site.
Web- (common name)
DNS-, IP-
Web Site. IP- Host name or addresses to map to this
site ( , ) Web
Site. Redirect TCP to SSL ( TCP SSL) Web Site , IP- .
Domino 6 Internet Site,
No Internet Site.
TCP-, SSL- TCP.
Internet Site
Domino. Web Server Server.
SSL . 6, .
Domino 6
. 11.5.1, Domino.
11.1.7
, . :
432
11
, , .
.
Domino 6
- . - . Notes,
Domino Domino 6 Administration Guide.
11.2 HTTP-
Domino 6
Domino 6, Lotus Domino HTTP-.
HTTP , , Domino
HTTP Domino 4.5. Domino 6
HTTP HTTP- IBM
( ICS). , Domino 6 API HTTP.
Web-
, HTTP 1.1
.
denial of service ( , DOS) , ,
URL length . . IP- IP-.
,
HTTP, HTTP- Domino Web-
( Web- Domino),
DSAPI, HTTP- Domino. ( DSAPI HTTP) .
11.2.1 Domino Web Server API

Domino Web Server Application Programming Interface (DSAPI)
C API, Web-
Domino. ( )
Web-.
Domino 4.6.1 Web- IBM Web Server (ICS) Domino GO Web Server API Domino Domino
Domino/Notes 6
433
GO Server GWAPI (Go Webserver Application Programming Interface). Domino 5.0 , - API . Domino 5 DSAPI HTTP- ICS,
Domino 5, GWAPI
( , ).
, HTTP-
Domino 6, DSAPI.
DSAPI,
Domino 6 DSAPI R5, . DSAPI, Domino5,
Lotus Domino 6,
HTTP-, . , , , API,
, HTTP, Domino 6.
, Domino 6 API, R5 DSAPI, , R5 DSAPI
100% , HTTP- ( ,
DSAPI 100% ). Domino 6
DSAPI -, 100% , .
. DSAPI-, R5, HTTP-

DSAPI (private)
Domino 6. , (
DSAPI-)
R5/DSAPI- .
,
HTTP- R6.
DSAPI (single sign-on) . 7.4, DSAPI.
11.2.2 HTTP-
Domino 6
Domino R6 Web- WebSphere.
Domino for IIS, Release
5. Web-
(, IIS)
( ), NSF- HTTP- Domino.
HTTP Domino;
HTTP-
, , HTTP-
434
11
Domino, .
Domino [ Domino,
Lotus iNotes Web Access, Lotus Domino Off-Line Services (DOLS), Lotus Discovery Server];
HTTP-
HTTP- .
, Domino,
Domino.
HTTP-
. Domino 6.0 :
IBM HTTP Server (IHS) AIX, Windows NT 4.0 Windows 2000 Server;
Microsoft IIS Windows NT 4.0 Windows 2000 Server.

Domino 6, Domino ( ,
, ,
Domino 6).
Lotus Domino 6 plugins data/domino. plug-ins
WAS 4.x 5.x , Microsoft
IIS IBM Apache HTTP. , Domino 6, HTTP-
(, IIS).

HTTP- Domino
notes.ini (HTTPEnableConnectorHeaders=1). notes.ini Domino , USER,
HTTP- .

HTTP . . C,
HTTP Domino 6.
HTTP Domino6, IBM iSeries . Lotus
Domino 6 for iSeries Implementation, SG24-6592.
11.3 (xSP)
Domino 6
Domino ( , , ,
..)
Domino.
,
Domino/Notes 6
435
Domino. , .
- , , . xSP- (.. ),
Domino .
, , ,
.
, . ,
,

, .
Domino
Domino
Domino
, . xSP, , ,
.
, ACL
Domino Directory
. ACL,
xSP, . , ACL ACL
xSP: .
Site
, -.
ACL ACL Domino Directory.

, - , . help common
Domino, ,
.
,
,
.
436
11
11.4
Domino 6
, Notes Notes,

Notes . ,
(roaming users),
,
. Notes ID- , ,
. ,
, . Notes.

.

-. -
, ,
Notes. , -
- .
11.5 Domino
(certificate authority, CA), (certifier), , .
, - SSL S/MIME .
,
, ,
.

(trusted root certificates), , , , .
Notes- -. Domino
Notes- Notes
Notes. Notes
Domino, Domino. Notes-
Domino/Notes 6
437
, Web-.
, - - (X.509),

(SSL, TLS . .). - Domino
.
, SSL Domino, , , SSL
.
. SSL . ,
SSL , , IMAP, POP3 SMTP.
SSL , -. Domino, , . , ;
, , . ,
.
(PKI) Domino
SSL . 6, , The Domino Certificate Authority IBM Redpapers.
. SSL ,
Domino, Domino.
11.5.1 Domino
Domino 6
Domino 6 Domino-, ( CA) .
CA Domino, . ,
Notes- CA -.

CA , CA.
CA;
. Domino
CA Domino Tell.
Domino 6 ,
:
Notes- -.
438
11
(registration authority, RA), / .

. CA , , .
- Web-.
, -.
(Issued Certificate List,
ICL) , , .
-, X.509 PKIX.
Domino Notes- -
CA. CA
(, - CA),
CA.
Domino,
CA.
CA.
, ICL ,
.
(ICL)
(Issued Certificate List,
ICL),
CA. ICL ,
, CA.
. CA
:
, , .
CA, .
RA/CA, , .
.
Domino/Notes 6
439
ID-,
.
CA ( Certifier) Domino Directory .
(CRL)
(Certificate Revocation List, CRL)
, -, , . CA
CRL -. CRL
, ICL
. CRL Domino Directory,

.
CRL -. , CRL , CRL. CRL
.
CRL , . ,
. HTTP Web- CRL, ,
,
. Internet Site - Domino CRL
.
CRL: . CRL ( , CRL ) CRL. CRL , CRL . , , ,
CRL, .
CRL CRL.
CRL. CRL
, CRL.
(,
) (. . ) CRL .
CRL.
CRL Tell.
440
11

-
(CERTREQ.NSF)
. ,
Administration Process .
, .

, , .

. , CA, Notes- - ,
.
. , ,
Domino 6 , CA.
Domino
Domino (certificate authority administrator,
CAA) :
.
. , CA Notes-.
CA RA, .

Domino Directory , Editor ().
. , , .
. , ,

.
,
.
Domino/Notes 6
441
Domino
(registration authority, RA) Notes Domino, - -. , , Domino , . , Domino ,
CA.
,
. CA Configuration,
ICL .
Domino, Notes,
Notes-.
Web Administrator
Notes. Web Administrator, , Web Administrator, .
Domino :
, Notes-;
-;
, ,

.
.
Domino Directory , Editor ().
, CA
CA , CA . , CA . CA Tell
.
CA , ,
12 . , Administration Requests CA, .
Tell AdminP CA.
442
11
. CA ca
Server NOTES.INI.
, CA,
:
1. :
Notes- O () OU (),
CA.
Notes- CA.
-
CA.
2. .
3. CA.
4. - .
. Domino 6 Administering the Domino
System.
11.6
Domino,
Domino.
11.6.1
Domino
Domino Directory.
Administration Process, Domino Directory. , ,
Domino Directory.
11.6.2
Domino .
, ,
, . .
:
Domino
Directory, Configuration Directory;
Domino/Notes 6
443
LDAP;
Dircat (directory
catalogs);
, ;
Domino Directory, Directory Assistance.
Notes ,
, .
Domino
Domino 6 , Domino Domino Directory .
: , , Person Group, , Domino.
Domino 6
,

Domino Directory, Domino Directory. Configuration Directory, Domino Directory
, Domino. , Configuration Directory, Domino Directory
( Domino Directory) Person, Group, Mail-In Database Resource,
, .
, .
,
, ,
Domino Directory, . , Configuration
Directory , , .
, . ,
Domino Directory.
444
11
11.6.3 Directory Assistance

Directory Assistance ,
,
Domino Directory (NAMES.NSF). Directory Assistance
:
( , -/
HTTP);
;
Notes;
(referrals) LDAP.
Directory Assistance LDAP-
Domino. LDAP- LDAP- LDAP-,
Domino, LDAP.
Domino PUBNAMES.NTF,
NAMELookup. Directory
Assistance Domino. Domino, Directory Assistance,
(secondary) Domino Directory,
(Extended Directory Catalog) (primary)
Domino Directory.
(secondary) Domino Directory Domino Directory, Domino Directory .
Domino Directory ,
Domino. Domino Directory Domino Directory,
PUBNAMES.NTF,
Domino, , ,
Web-.
(Extended Directory Catalog) , Domino Directory. Directory Assistance Extended Directory Catalog, Extended
Directory Catalog Domino Directory.
(primary) Domino Directory ,
Domino
. Directory Assistance Domino Directory, ,
Domino Directories
Configuration Directory.
Domino/Notes 6
445
Directory Assistance
, Domino - (Web (HTTP),
IMAP, POP3 LDAP), , Directory Assistance.
X.509
.
, Directory Assistance, Directory Assistance :
Basics ( ) Make this
domain available to ( ) Notes clients
and Internet Authentication/Authorization (/ Notes -);
Naming Contexts (Rules) [ ()] , (distinguished names) , , Trusted for Credentials (
) Yes ().
, Web-
LDAP-, Web-
Web- Domino
LDAP- .
! Domino Directory Assistance

, , ,
Directory Assistance.
, -, Internet Site Ports ()
Internet Ports (-) Server.
,

- , , .
Security () Internet Access ( )
Server Domino Directory More name variations with lower
security ( ) Fewer name
variations with higher security ( ( ).
,
Domino Directory.
446
11

,
Directory Assistance, , . , ,
cn=alice browning,o=Acme, alice browning. , alice browning. , , cn=alice browning,o=acme
.
Domino,
ACL , , ACL ,
Server, File Protection Web-.

, ,
, , X.509. X.509 ,
, X.509.

Domino -,
.
.
, Domino HTTP Web LDAP ,
, .
Notes
Notes Domino Directory Person Notes.
Compare Notes public keys against those stored in Directory ( Notes ) Basics
( ) Server Notes, ,
Notes, Person .
Domino/Notes 6
447
Notes, , Domino Directory, Domino Directory Compare Notes public

keys against those stored in Directory ( Notes ) , ,
Make this domain available to: Notes clients and Internet Authentication/
Authorization ( : /
Notes- -) Directory Assistance, .
Directory Assistance:
Domino Directory,
Notes;
(Extended Directory Catalog), Domino Directory,
Notes.
. , Domino Directory Extended Directory Catalog,

, Directory Assistance,
,
Notes, ,
Make this domain available to: Notes clients and Internet Authentication/Authorization (
: / Notes- -). ,
,
, .
LDAP-
LDAP- :
, LDAP-;
LDAP Domino, Notes, LDAP
Directory Assistance LDAP-

, Domino, . , .
,
, Domino Directory. ,
Directory Catalog ( ),
( ),
448
11
(Distinguished Name, DN),

. ,
,
, . , , / , .
, . ,
/ .
Person
Domino Directory , , ,
. , , , , , , , ,
ACL , .
11.6.4
Domino 6
(ACL) , ,
PUBNAMES.NTF, Domino Directory Extended Directory Catalog. ACL ACL
Domino Directory Extended Directory Catalog.
Notes-,
LDAP-.
ACL ACL ,
Access Control List ( )
Notes 6 Domino Administrator 6. ACL
, ; ,
. ACL
:
, ,
OU=West/O=Acme;
,
Person;
;
.
Domino/Notes 6
449
ACL :
Domino,
, ;
;

,
Readers Authors;

: Notes (NRPC), Web (HTTP), LDAP, POP3 IMAP.
. , Router, ,
ACL. Router,
Readers
, ,
. , Readers,
, Router .
, ACL,
, ACL , , ACL . , ACL
Reader, ACL
Write.
User Creator ACL , ACL
Person Create.
, , , ACL. , Readers , , Browse ACL , Readers.

Domino Directory ACL . , ACL
ACL . ACL Domino Directory Extended Directory Catalog.
:
Domino Directory?
,
ACL, -
450
11
. , .
ACL? ACL ,
.
? Configuration Settings Domino Directory
LDAP-.
LDAP Read .
Anonymous () ACL
No Access ( )
, LDAP. ACL Anonymous () ACL ACL LDAP. Anonymous () Reader.
11.6.5 LDAP-
LDAP (Lightweight Directory Access Protocol) - . Domino Notes LDAP :
LDAP, Domino LDAP LDAP-;
LDAP Notes, Notes
LDAP- LDAP-;
Directory Assistance, Domino LDAP- .
LDAP-
Domino 6
LDAP- , Directory Assistance LDAP-. ,
.
Type of search filter to use ( )
Directory Assistance. . 11-3.
Domino/Notes 6
451
11-3.

Standard LDAP (
)
LDAP,
LDAP-, Domino, IBM
Directory Server, Netscape/iPlanet Directory Server
Active Directory
,
Active Directory. ,
LDAP- Active Directory
Custom

,
. , LDAP- .
Custom Type of search filter to use (
) ,
, . 11-4.
11-4.

(Mail filter)
Directory Assistance ,
Notes ,
. ,
: (|(cn=%*)(|(&
(sn=%a)(givenname=%z))(&(sn=%z)(give nname=%a))))

(Authentication filter)

LDAP- .
,
: (|(cn=%*)(|(&(sn=%a)(givenname=%z))(&(s
n=%z)(give nname=%a))))

(Authorization filter)

Notes. ,
: (|(&(objectc
lass=groupOfUniqueNames)(UniqueMember =%*))(&(obje
ctclass=groupOfNames)(Member=%*)))
,
, RFC 2251 2254.
LDAP
,
LDAP , , .
452
11
11-5. LDAP

(RFC 822)

(RFC 822)
( )
Alex M Davidson

%a
Alex M Davidson
%z
Alex M Davidson
amd@acme.com
%*
%l
amd@acme.com
%d
11-6. LDAP

Alex M Davidson

(|(gn=%a)(sn=%z)(cn=%*)(mail=%l))
amd
amd
amd
amd
amd@acme.com
amd@acme.com
amd@acme.com
blue
(EmpID=%*)
(EmpID=%z)
(mail=%*@acme.com)
(mail=%*@*)
(mail=*@%d)
(mail=%*)
(uid=%l)
(color=%*)
(|(gn=Alex)(sn=Davidson)(cn=Alex M
Davidson)(mail=))
(EmpID=amd)
(EmpID=)
(mail=amd@acme.com)
(mail=amd@*)
(mail=*@acme.com)
(mail=amd@acme.com)
(uid=amd)
(color=blue)
11.7 - Notes
Domino 6
- ,
Person Domino Directory Notes- . , Domino
Notes Web-. Notes -
- Notes

.
. 11.1.5, .
Notes -.
Domino/Notes 6
453
! , ,
, Notes -
User Security ( )
Notes -. ,
.
User Security ( )
. 11.14, Notes.
11.8 Notes
ID- Notes mail-in ID- Notes. ,
( -Recovery Authorities) Notes.

mail-in :
-Default- Anonymous No Access;

Reader.
ACL
Notes, .
ACL.
ID :
1. Domino Administrator Configuration (),
Certification ().
2. Edit Recovery Information ( ).
3. Choose a Certifier ( ) Server,
Domino Directory (
).
4. , .
Use the
CA process ( CA),
. ,
.
, Supply
certifier ID and password ( ). ,
Certifier ID ( ),
ID- .
454
11
5. OK. Edit Master Recovery Authority List ( ).

6. ,
ID-. .
7. Add () ,
.
8. , , :
mail-in,
, I want to use an existing mailbox ( ). Address ()
Domino Directory.
, I want to create a new mailbox (
). Create New Mailbox (
) ,
, . , , .
. Export ()
. ,
.
9. OK.
10. ,

load ca

CA
, .

tell adminp process all

. Notes (O),
-
Notes, .
Notes, . , Action ()
Accept Recovery Information ( ),
ID- Notes.
.
Notes
ID- Notes .
Domino/Notes 6
455
Notes
-
-, Notes
-.
, Notes -,
:
1. , .
2. , .
3. Action () Accept Recovery Information
( ).
4. Backup ID File ( ID-) Send (), .
. ID- Notes
Notes, .
ID- Notes
ID- Notes
Notes ID- Notes. Notes
Notes. , Notes
.
, Notes ID- Notes - .
, , ,
, Notes
.
Notes,
:
1. ( ,
), ( ,
Notes), Notes.

Notes .
456
11
.
Notes, ,
Notes.
Notes
.
2.
Notes. Password ()
Notes OK, .
3. Wrong Password ( ) Recover
Password ( ).
. -
Backup ID File ( ID-).
4. Choose ID File to Recover ( ID- )
, .
5. Enter Passwords ( ) ,
, ,

.
6. Notes,
.
. , , ,
Notes.
7. ,
Notes Notes
Notes.

Notes
. :
,
;

, Notes
.

(.. ) - .
Domino/Notes 6
457
11.9 Web-
Web-, Web- Domino. :
.

HTTP .
cookie- cookies, .
HTML-
. , Domino ,
cookie- .

, HTML . (single sign-on).
, , LTPA-cookie ,

. LTPA- ,
. ,
(single sign-on) .
6.2.4, Web-,
LTPA 7.2, LTPA.
,
.
11.9.1
, Domino Domino Directory LDAP-. - (HTTP, LDAP, IMAP, POP3). ,
- Domino. Domino
, Java-,
Domino,
Domino IIOP.
458
11
Fewer name variations with higher security (

)
Fewer name variations with higher security ( ) .
, , .
Web- -
, . 11-7.
11-7. Fewer name variations with higher security (
)
Domino Directory

CN=prefix
(, User name Person,

, )
- ( ,
Internet address Person)
LDAP-
DN
CN CN CN=prefix
UID UID UID=prefix
More name variations with lower security (

)
Domino
.
. , . 11-8, Web-.
11-8. More name variations with lower security (
)
Domino Directory
cn=prefix
()
()

(, User name Person,
, )
Soundex-
- ( ,
Internet address Person)
LDAP-
(CN) CN CN=prefix
DN
DN
UID UID UID=prefix
Domino/Notes 6
459
11.9.2 (SSO)
, (single sign-on, SSO), Web- Domino WebSphere Domino WebSphere DNS,
(SSO), .
Web- cookie-,
LTPA- , , cookie-.
:
( Web SSO Configuration)
Domino Directory ( Domino Web SSO Configuration,
, , );
Multi-server Web Site Server.

LTPA . 14, , , .

Domino, SSO.

URL, , ,
(fully qualified domain name, FQDN),
IP-. cookie-
, DNS- cookie-, DNS-
cookie- URL . cookie-
. , SSO,
DNS-).
Web Site Server
(FQDN). Internet
Cluster Manager (ICM)
SSO. DNS-, ICM URL Web-, TCP/IP, cookie-,
DNS- URL.
460
11
WebSphere
WebSphere Domino LDAP-. , (SSO),
(Distinguished Name, DN) , cn=john
smith, ou=sales, o=ibm, c=us. LDAP ,
Directory Assistance Domino , LDAP-, WebSphere. , LDAP Domino Directory WebSphere LDAP- Domino.
, ,
WebSphere, LDAP- Domino,
(flat) (
Domino, SSO
flat- ).
SSO- WebSphere
Domino. WebSphere LTPA- SSO, Domino.
Web SSO Domino

Domino
SSO,
.
:
Notes, . Web SSO Configuration , Domino Directory .
Server Person , Web SSO Configuration,
, , Person Server.
Web SSO Configuration Domino:
1. Web SSO Configuration Domino Directory, , Domino Directory .
2. Web SSO Configuration
Participating Domino Servers ( Domino),
Server ,
.
3. Server
. , , Location , , , , . -
Domino/Notes 6
461
, SSO
.
4. .
.
11.9.3 Web- Domino

Directory LDAP-
Web- Domino Directory Person. Domino Directory
LDAP- , Domino .
Domino LDAP-
, Domino
Domino Directory,
Domino LDAP-. Directory Assistance , Domino .
, Domino Domino Directory , , SSL- Domino Directory
Domino Certificate Authority. LDAP, LDAP- Domino.
SSL ,
LDAP-.
, Domino Directory LDAP-, Directory Assistance, ,
. ,
Dave Lawson/Acme, Directory Assistance */Acme.
, .
Domino , , , , . Public Key Checking ( ), Allow Access
( ) . Password Checking ( ). ,
Notes, , , iNotes.
462
11
11.9.4 Domino
Domino Web-
Domino
LDAP- Domino Notes/Domino
ACL Domino.
,
:
Domino Portal.
Domino WebSphere Portal,
Portal LDAP-,
LTPA- LDAP, uid=twor
ek,ou=users,o=redbooks,c=us.
, Domino , Domino
LTPA- ( , Portal Domino
LTPA SSO). ACL
Notes, William Tworek/Cambridge/IBM.
LTPA- LDAP-, Domino , , .
Domino LDAP-.
Domino Directory Assistance LDAP- ,
LDAP- Domino
LDAP. Domino Notes, ,
Domino , LDAP- .
, Domino ,
Domino 6:
1. LDAP- ACL .
2. LDAP DN Person
Domino. Domino 5.x Domino 6.02+.
3. Domino LDAP-. Domino 6.x Directory Assistance.
LDAP- ACL
,
ACL Domino , LDAP-. ACL
, LDAP
Notes.
Domino/Notes 6
463
, ACL William Tworek/Cambridge/

IBM , LDAP- uid=tworek/ou=users/
o=redbooks/c=us. , LDAP- ACL Domino
, LDAP, /.
,
, ACL .
LDAP DN Domino
Domino Directory , LDAP Person .
. 11-7.
. 11-7. LDAP, Person

, 8,
. ; LDAP- Person Domino,
.
, Domino 5.x Domino 6.02+.
Domino 6.0 6.01.
464
11
Domino LDAP-
Domino , LDAP-. , , , . .
Domino LDAP-.
:
1. LDAP-, , LDAP .
2. LDAP- , LDAP-
Notes.
3. , Domino Directory Assistance LDAP Directory Assistance. DA, LDAP
.
Directory Assistance . 11-8.
. 11-8. LDAP Domino Directory Assistance

,

LDAP- LDAP-.
Domino 6,
Domino 6.x, Domino 5.x .
Domino/Notes 6
465
11.10 Domino
Password Checking ( ) , . . - - ID- Notes
Notes, Notes. Password Checking , ID- Notes,
. -
ID- Notes, .
Password Checking Required Change Interval ( ) ( ), ID- Notes .
Notes . Grace Period ( ). ( ), ( ),
. R5, Version 6

, Person . Notes
R4.67. R5 Version 6.
11.10.1 Notes Domino

Notes Domino : Notes Domino ( iNotes
). , ,
Domino (
), Notes.
,
.
Notes ,
.
Notes, ID- Notes
.
ID- Notes
ID- Notes
:
;
466
11
;
, ;
;
49 .
Domino Directory
Domino Directory , . 11-9 11-10.
11-9. , Server
Check passwords on Notes IDs (

Notes)
11-10. , Person
Check password? ( ?)
Required Change Interval (
)
Grace Period ( )
Last Change Date (

)
Password Digest ( )
-

. ,

,

, Notes
(
Person)
,

, .

,
Notes
. .
1. . Server
, .
Server Security (), .11-9.
Check passwords on Notes IDs ( Notes)
Enabled ().
.
, Server.
Domino/Notes 6
467
, Notes Domino, ,
Notes . ,

.
. 11-9.
2. ,
AdminP.
, .
Person.
:
) Domino Directory People View ,
.
) Actions () Set Password Fields (
).
) Notes Set Password Fields ( )
You are about to set the password fields for the selected person records.
Do you want to continue? (
. ?). Yes ().
) . Check Password ( ) Check password ( ), Required Change Interval ( )
Grace Period ( ); . ,
, ,
90 , 30
, 90 30 ( -
468
11
, ).
) OK. Administration Process (adminp)
Domino (Domino Server Administration Request Database, admin4.nsf), Notes Completed
Successfully ( ), ,
.
3. Adminp .
, Set password information ( ).
, Adminp, ,
. . 2 . 11-10.
. 11-10. Adminp
4. Adminp .
Adminp
,
.11-11.
Person , ,
Check Password ( ), Change Interval ( )
Grace Period ( ) .
Domino/Notes 6
469
, Password digest ( )
Person . , .
, Notes ( ), Notes
, , , , , Person.
true.
. 11-11. Adminp
, admin4.nsf
. Adminp Grace Period ( ) Change
Interval ( ) ID- Notes.
admin4, , Notes Grace Period ( )
Change Interval ( ).
ID- .

Notes, , , 11.1.
470
11
11.1. Notes
PWD_KEY_HDR
Type: 0000
Version: 0000
LastChanged: TIMEDATE
Innards: 0025 69DC 0039 822B
Text format: 22/01/2001 10:28:08
ExpirationDays: 0000 005A
NextExpirationDays: 0000 005A
NumDomains: 0001
NumOldPwds: 0001
OldPwdTotLen: 0214
Adminp ,
Password digest ( ) Person
Last Changed Date ( ), . , Person, . 11-12.
, Person , Notes .
. 11-12. Person ,
Domino/Notes 6
471
ID- Notes
, , , .
11.10.2
, Notes , . Notes

.

NOTES.INI CertificateExpChecked. ID- Notes, ,
Notes. Lotus Notes Notes .
, CertificateExpChecked, , Notes,
, , ,
, , ; , 11.2.
11.2.
Where = (
+ )
{
If ( - ) < (25% )
{
}
, CertificateExpChecked,
.
. 11-13.
472
11
Password Expiry
( ), . 11-13.
.
OK , .

Server,
, . , Person
Check Password ( ).
, , . 11.13.
,
, .
, . 11-14. .
22/04/2001 :
( ) + ( , ID)
. 11-14.
R4 , OK. ,
, . .
R4.6.7, R5 Version 6
, .
OK , , , , . 11-15.
, .
,
, ,
.

.
Domino/Notes 6
473
. 11-15.
R5 Version 6
, ,
(
, ).
R4.6.7
; , ,
.

30. R5 Version 6,
30- , ID- Notes, -
. 30- ,
, Person
; 30- , ,
,
.
, ,
, . 11.16.
Notes .
, Person, , -
474
11
. 11-16.
. , ,
, ,
, Notes, .
.
,
, adminP. , ,
, .

, Person .
, ,
Adminp .
, Person, , ( , ID- Notes
).
ID-, user.id ,
Person ,
. , , Person, Adminp.
. 11.17 Adminp, .
Administration Process
Person Password Digest (
) Last Change Date ( ), ID- .
ID- . .
,
49 , Notes ( ), , . 11-18.
Domino/Notes 6
475
. 11-17. Adminp,
,
, , .
. 11-18. ,
11.10.3
,
. , -.
, , -,
. , , . ,
, , , .
476
11
: Connection failed because of a problem with clock synchronization and password change intervals. Check your clock setting, change your password, or
consult your system administrator ( -
.
, ).
-, , Notes Person .

NOTES.INI
CertificateIsExpChecked
=
>

Server?

Person?

Person = EMPTY?

,

dd-mm-yyyy
:

,

D
B

ID

Person
(
+ )
< (
)
Person
= EMPTY?

Person = EMPTY?

+ 3
<
(
)
< (25%
)
<
:

dd-mm-yyyy
?

ID =

Person

ID-
.

,

ID ?
:

dd-mm-yyyy
D
E
AdminP,

. 11-19. -
Domino/Notes 6
477
- . 11.19, 11.3.
11.3.

if NOTES.INI CertificateIsExpChecked =
{
//
else
{
//
if ( > ) or ( < )
{
//
print , dd-mm-yyyy
}
else
{
//
if ( - ) < (25% )
{
print : ddmm-yyyy
}
}
}
if
{
//
if Server
{
if Person
{
if Person = EMPTY
{
//
478
11
if Person = EMPTY
{
//
ID

Person

AdminP,
else
{
//
if + 3 >
{
//
ID

Person

AdminP,
else
{
//
AdminP,
}
}
}{
//
if Person = EMPTY
{
//
Domino/Notes 6
479
print :
(...)
ID-

else
{
//
If ( + ) <
- )
{
//
print :
(...)
ID-

else
{
//
if
{
//
ID

Person

AdminP,
else
{
//
if ID = Person
{
//
480
11
if ID-
{
//
print :
(...)

ID

Person

AdminP,
else
{
//

}
}
else
{
//
print ID- (...)

}
}
}
}
}
}
}
Domino/Notes 6
481
11.10.4

Adminp. Person Adminp
Notes,
.
,
(, Warning: Your password will expire on dd/mm/yy),
Server .
Notes
. ,
, Last
Change Date ( ), Grace Period ( ) Expiration Date ( ), .
. Last Change Date ( )

Person,
.
, adminp- Lockout the user (
). adminp Person; Check Passwords ( )
Lockout ID. , , . 11-20.
. 11-20. ( )
. , . names.nsf , Domino , . Person (, )
,
, Domino Directory.
482
11

. ,
adminp-. 12 . , adminp-.
. , , adminp- . , ,
Person.
. adminp
adminp. , adminp
, adminp
, Person.
11.10.5 iNotes
iNotes Web Access Domino, : iNotes
,
?
iNotes - ,

. ,
, Notes.
iNotes Web Access Notes,
Notes. -.
11.11
Notes
(ACL),
.
ACL . Domino Designer 6 .
IBM Redbooks Domino 6 Designer: A Developers Handbook, SG24-6854.
Domino Notes , ,
. , ,
, , , , , .
Domino/Notes 6
483
, ,
.
.
. , UserCreator ACL Domino Directory
, Person.
ACL:
-Default-;
Anonymous ();
;
LocalDomainServers ( );
OtherDomainServers ( ).
ACL Anonymous ()
Person ACL.
ACL : Anonymous () -Default-. Anonymous () . -Default-
, Anonymous () .
Anonymous () -Default- , Domino Directory. , LocalDomainServers ( ) Domino Directory
ACL . Anonymous () .
-Default , -Default-,
, , , -. , ACL Anonymous (), ,
, -Default-.
-Default-
.
, -Default-, . No Access ( ), ,
. Author () Reader (), . -Default-
Unspecified ().
-Default- ACL .
484
11
Anonymous ()
Anonymous () - Notes, .
ACL- Anonymous ()
(.NTF-) Reader (),
.NSF- .
ACL- Anonymous ()
(.NSF-) No Access ( ).
-
-
, . ,
, Manager (). Manager ()
Designer ().
LocalDomainServers ( )
LocalDomainServers ( )
, , , Domino Directory.
LocalDomainServers ( ) Manager
().
Designer
(). LocalDomainServers ( )
, OtherDomainServers
( ).
OtherDomainServers ( )
OtherDomainServers ( ) , , ,
Domino Directory.
OtherDomainServers ( ) No Access ( ).
ACL
-
, ACL
(*).
. , ACL
Domino/Notes 6
485
, , , -.
ACL- .
*/Illustration/Production/Acme/US
:
Mary Tsen/Illustration/Production/Acme/US
Michael Bowling/Illustration/Production/Acme/US
:
Sandy Braun/Documentation/Production/Acme/US
Alan Nelson/Acme/US

ACL. ,
*/Illustration/*/Acme/US

Michael Bowling/Illustration/West/Acme/US
Karen Richards/Illustration/East/Acme/US
- ACL
Unspecified, Mixed Group Person Group.

ACL Notes -, SSL-.
Notes
, John Smith/Sales/Acme, ,
, .
- , User name ( ) Person.
. User name ( ) ,
;
. ACL
Domino, Server .ACL-.

ACL ,
. , (, Server1/Sales/Acme), ,
, .
486
11

(, Training) ACL , .

. . ACL,
Domino Directory, Domino Directory LDAP, Directory Assistance.
ACL . ACL :
ACL
. ACL, Domino Directory LDAP-, .

, .

.
. ,
, Manager () Designer
(). , Domino Directory
, ACL . , .

Domino Directory Deny List Only, . Deny Access ( ) Server
Notes, Domino.
, ACL
. Domino Directory,
Add deleted user to deny access group [ Deny Access ( )], ;
, No Deny Access group selected or
available [ Deny Access ( ) )].

, Notes. ACL. , . , Sandra Brown/West/Sales/Acme
Sandra Smith/ANWest/ANSales/ANAcme, AN .
Domino/Notes 6
487
LDAP
-
LDAP-. - ACL
.
LDAP- ,
-, ACL Notes. , - Web- Domino. Web- , ACL Web (),
- Web (), LDAP-, Domino Directory.
, , ,
Directory Assistance Web- LDAP Directory Assistance LDAP- Group Expansion ( ).
Notes, LDAP- ACL .
LDAP- ACL LDAP- , (/), (,). , LDAP- :
uid=Sandra Smith,o=Acme,c=US
ACL :
uid=Sandra Smith/o=Acme/c=US
LDAP- ACL . , LDAP-
cn=managers
ACL
managers

LDAP- ACL. ,
cn=managers,o=acme
ACL
cn=managers/o=acme
, , , (cn, ou, o, c), ACL .
, ACL :
cn=Sandra Smith/ou=West/o=Acme/c=US
Notes, ACL
:
Sandra Smith/West/Acme/US
488
11
. LDAP-,
Domino Directory, Domino 6 -
, Domino ACL.
. 8, .
Anonymous ()
, , Anonymous (). - Notes, .
, . , , Anonymous () . Reader () .
. 11-11 .
11-11.
-
Anonymous
ACL (). , Anonymous

() Reader
(), ,
,
Reader ()

no access (
) ACL

Anonymous () No Access ( )
Read Public Docu-ments
( ) Write Public
Documents ( ),
Anonymous ()
.
ACL

,
Anonymous
()
ACL

-Default-.
, -Default- Reader () ACL Anonymous, ,
,
Reader ()

.

(
, -
),

-Default-
Domino/Notes 6
489
[ ,
Anonymous (), ,
-Default-], , , . , Anonymous () Reader () ,
.
. , ,
, ACL Anonymous () No Access
( ), Read Public Documents (
) Write Public Documents ( ).
- ACL .
Domino Anonymous ()
. , Anonymous ()
Author () ACL , Authors () . Domino
Notes,
- Authors () .
Authors () , , ;
, .

@DbColumn @DbLookup ,
, , ACL , . , , Reader () , .
.
ACL : 85255B42:005A8fA4. , ,
.
,
,
-Default- Reader () .
ACL
ACL , , , . , ,
Anonymous ().
490
11
ACL
ACL. ACL . , Sandra E
Smith/West/Acme Sandra E Smith/West/Acme/US Sandra E
Smith. ,
(, ),
, ,
, ACL. ,
.
. ACL (, Sandra E Smith),

,
. , Sandra E Smith
Sandra E Smith/West/Acme Manufacturing/FactoryCo,
Sandra E Smith ACL
Manufacturing/FactoryCo.
ACL ,
.
, ACL
. ,
, (, Sales, Sales ,
Acme Sales Sales Managers), ,
ACL.
. ACL, ,
, ACL,
, ,
.
, ACL -. ,
, -,
, -.
, ACL ,
, -Default-.
ACL
, ACL .
, ,
. 20 , .
Manager () ACL ACL.
. ACL (Extended Access) 20

. .

Domino/Notes 6
491
-
,
, Notes , Notes. Maximum Internet name & password access ( - )
. Notes.
,
TCP/IP- SSL-. SSL- , SSL-.
SSL- , ACL .
Anonymous () ACL ,
.
, , .
, Notes
, ,
, Maximum Internet name & password access ( -
).
! ,
ACL ,
.
, Sandra Smith/West/Sales/Acme
Web- .
Sandra Smith/West/Sales/Acme ACL Editor (),
Maximum Internet name & password access ( ) Reader (), Sandra
Reader (). , Sandra Smith/West/Sales/Acme ACL Reader (), Editor (), Sandra Reader ().
Sandra Smith Notes
, Sandra Editor ().
Editor (). , , , -.
492
11
! , .
No Access ( ),
Notes -,
SSL- .

Domino 6
, ,
, . ,
,
, .
.
Effective Access ( )
Effective Access ( ) . Domino Directory
.
,
ACL Effective Access ( ). , :
, ACL .
.
, .
), ,
.
, Names () Calculate Access (
).
! ,
Unrestricted with Full Access ( ),
ACL . ,
Effective Access ( ), ACL . ,
,
, .
Domino/Notes 6
493
ACL
Domino 6
Domino 6 , , enforce consistent ACL ( ACL), .
,
. R6 Domino
. , , Enforce a consistent Access Control List ( ). ,
.
.
, Enforce a consistent access control list ( ) ACL , . . , , . ,
, ACL. , , ,
ACL , .
Enforce consistent ACLs ( ACL):
,
( );
,
( ) Domino Directory.
Enforce consistent ACLs ( ACL):
,
( );
, ( ).
ACL
ACL
-Default- No access ( ). , Default-, ,
494
11
, -. Default- No Access ( )
, ACL (
-Default- ACL).
, ( ), Manager (). , ,
. Designer (), .
LocalDomainServers (
) Manager (). LocalDomainServers ( ) , , , Domino Directory. LocalDomainServers ( )
Manager ().

Designer ().
ACL
,
, ACL.
(, Server1/Sales/Acme), ,
, .
ACL .
, Person Group , .
, ACL
. adminp
. Domino Directory
ACL , .
ACL, . ,
, Designers ().
, , . Designer
() ACL.
Domino/Notes 6
495
, ACL,
. ,
, . , , , , , , , .
ACL . Administrators (). .

, .
, Administration Process ACL. Administration Process
, , , , , Domino
Directory ACL , , Administration Process .
Readers () Authors () .
Administration Process Access Control List ( ) Multi-ACL
Management ( ACL) .
Depositor () No Access
( )
, . ,
, , , .
Enforce a consistent Access Control List (
) ,
Manager () ,

.
. ,
.
, ,
SSL-. Secure Sockets Layer (SSL)
,
Domino, TCP/IP.
SSL-
.
496
11
11.12
:
.
, , (inbound relay controls) - ,

(inbound recipient controls) .

. , Domino Secure Sockets Layer
SMTP-, IMAP POP3. Notes Notes ID- - X.509. X.509.
Notes ( ) S/MIME
, .
S/MIME
Notes . 6, .
11.12.1
80-, . ,
(flooding). SMTP-, . , .
. . Domino
, .
Domino, ,
, . IBM Redbooks Lotus Domino 6 spam
Survival Guide, SG24-6930.

,
, ,
. . .
, :
, ;
-, .
Domino/Notes 6
497
. , , Domino
, .

.

,
Configuration Settings [Router/SMTP
Restrictions and Controls ( ) SMTP Inbound
Controls ( SMTP)].

. ,
.
Allow messages to be sent only to the following external Internet domains
( -)
-, Domino . Domino
.
- .
, abc.com xyz.com Domino , abc.com xyz.com.
.
@ . ,
@xyz.com, , xyz.com, User@xyz.com. , xyz.com, User@
uvwxyz.com User@abc.xyz.com, .
Domino, ,
(%); , %AcmeEast, ,
Domino- AcmeEast.
Deny messages to be sent to the following external Internet domains ( -)
-, Domino .
(*) -.
Domino ,
. .
, abc.com, Domino -, abc.com. Domino abc.com.
@ . ,
@xyz.com, , -
498
11
, xyz.com, user@xyz.
com, , xyz.com, user@server.xyz.com.
Domino (%);
%AcmeEast Domino- AcmeEast. SMTP-
Domino , FAX-.
Allow messages only from the following Internet hosts to be sent to external
Internet domains ( - -)
, Domino SMTP .
, Domino , . .
IP- , Domino ,
-. , lotus.com
ibm.com, Domino , -, , lotus.com ibm.com. Domino , .
Deny messages from the following Internet hosts to be sent to external Internet domains ( -)
, Domino SMTP .
, Domino ,
. Domino .
IP- ,
Domino ,
-.
, lotus.com. Domino
- , , lotus.com. Domino
- lotus.com.
Domino,
(*) .

.
(*) . ,
Allow...
.
;
[127.*.0.1].
Domino/Notes 6
499
. , [123.234.45-*.0-255] ,
, 45.
; Domino
, .
IP- ,
[127.0.0.1].

Allow... . , ,
,
, . ,
, , , .
, Allow.... . 11-12 , Domino
Allow... Deny... .
11-12.

Allow messages to be sent only to the following

external Internet domains (

-)
Deny messages from the following Internet hosts to
be sent to external Internet domains (
-):
(* )
xyz.com

xyz.com,
smtp.efg.
com
smtp.efg.com smtp.efg.com
-
, xyz.com,

11-13.

Deny messages to be sent to the following external

Internet domains (
): (* )
qrs.com
, ,
relay.abc.com,

Allow messages only from the following Internet
relay.abc.com Relay.abc.com
hosts to be sent to external Internet domains

(
,
- qrs.com
)
500
11
qrs.com
. Domino Release 5, ,
, -
,
. Release 5
SMTPRelayAllowHostsandDomains NOTES.INI.
, Domino Deny.... , Domino xyz.com . 11-14.
11-14.
Allow messages to be sent only to the following external Internet domains

(
xyz.com, abc.com, qrs.com
-)
Deny messages to be sent to the following external Internet domains
( )
xyz.com
-
Domino 6
(blacklist, blackhole list) (, Open Relay Database Spamhaus Project).

(unsolicited commercial e-mail, UCE), , ,
Domino - SMTP-
DNS (DNS blacklists, DNSBL).
DNS , DNSBL-, SMTP-,
.
DNS SMTP-
Domino DNS- . Domino Mail Routing Events (
) Notes Log. ,
( DNS-) IP- ,
, .
, Domino , ,
Notes ($DNSBLSite) ,
.
Domino/Notes 6
501
DNS
- DNS
, SMTP , ,
. , IP- DNS.
Domino -
, .
, Domino DNS- .
,
, DNS.
Domino DNS- . DNS-, -, . DNS-, , ,
, Domino DNS- .
DNS- DNS- .

.
, ,
.
, ,
, ,
. , .
-,
DNS.
, DNS
DNS- Domino
DNS , ,
SMTP.
, , . , Domino [Router/SMTP Restrictions and Controls
( ) SMTP Inbound Controls (
SMTP) Perform Anti-Relay enforcement for
these connecting hosts ( )]. , ,
.
502
11
, DNS
Domino , -
:
;
;
.
Notes : IP ( DNS- ), , .
.
. , Domino ,
, ,
, .
Domino Notes , , . Domino
, , $DNSBLSite , , MAIL.BOX. $DNSBLSite , .
$DNSBLSite , , . ,

, , .
,
, ,
DNS. ,
, ; , , . , , , .
DNS
SMTP ,
, DNS , , . SMTP, , , .
Domino Administrator SHOW STAT SMTP . -
Domino/Notes 6
503
, , IP-
DNS. SMTPExpandDNSBLStats NOTES.INI . - , , Domino
.
. Domino IPv4- DNS

. IPv6-,
Domino DNS .

Domino 6
Configuration Settings SMTP
, .. , -.

Domino , , .
,
,
. :
. Domino ,
-. ,
,
, Domino - ( ).
. Domino
SMTP-.
, .
IP-. . ( IP- ), .

Domino 6
Domino . ,
Domino ,
Deny messages from the following Internet hosts to be
504
11
sent to external Internet domains ( - -) .

.
. ,
SMTP- Domino ,
Domino . SMTP- Domino , (, POP- IMAP-),
.

, SMTP- Domino .
SMTP- Domino ,
SMTP- , - .
SMTP- Domino, , , .
-
-, Deny
messages from the following internet hosts to be sent to external internet domains ( - ).
, SMTP- Domino ,
. Domino
, , ,
,
-, -. , Router , -,
RCPT TO, $Users Domino Directory, .
,

(, ) . IMAP- POP3-, Domino - , ,
Domino .
Domino/Notes 6
505
, Domino POP3- IMAP- ,

,
. SMTP- (listener) Domino , ,
. SMTP Ports () Server,
POP3- .
External hosts ( )
Domino , . Domino ( Domino
DNS-, IP- SMTP_
Caller , ).
All connecting hosts (
) .
, (store-and-forward firewall), .
None (). Domino
.
IP-

.
,
(, sendmail,
Domino) IP- Exclude these connecting hosts from anti-relay checks ( ).
Domino .
, , -, SMTP- Domino
Domino -.
. - DHCP (Dynamic Host

Control Protocol) IP- ,
IP- .
IP-
IMAP- POP3-, Domino
-.
.
506
11
.
, IMAP- POP3-,
-, , .
Yes (), POP3- SMTP- . POP3- SMTP-.
11.12.2
Configuration Settings Domino , , , Domino , .

Domino 6
ND6 (Inbound Intended
Recipients Controls) . , . MAIL.BOX.
Verify that local domain recipients exist in the Domino Directory (
Domino Directory) Enabled (), Domino ,
DNS-. Domino DNS PTR-,
IP- . Domino
- DNS
PTR-, .
Domino , SMTP- Mail From.
All messages intended only
for the following ( , ).
. REDP-3622.

Domino 6
, , .
, , MAIL.BOX, Domino . , ,
.
:
Domino/Notes 6
507
;
MAIL.BOX;
;
;
.
, , ,
make money fast, .
,
, ,
(EXE, VBS, VBE, SCR . .), ,
, , .
, Domino
, .
, , Domino
, . ,
Dont deliver message/Send NDR ( / NDR), , , .
. Domino ,
dont accept message ( ),
MAIL.BOX,
, . , SMTP- Domino
, SMTP-
, , .
, ,
-. ,
, Notes, MAIL.BOX,
, , .

. ,
, , .
Messaging Settings. Domino ,
Configuration Settings.
Configuration Settings
MAIL.BOX.
508
11
MAIL.BOX - (SMTP-, Router , ),

. . ,
MAIL.BOX ( , ,
), .

Messaging ()
Configuration Settings , .
,
, (. 11-15).
11-15.

Notes, Router
, .
: Sender (), Subject (), Body (
), Importance (), Delivery priority ( ),
To (), CC, BCC, To or CC ( CC), Body or subject (
), Internet domain (-), Size (in bytes) [
()], All documents ( ), Attachment name (
), Number of attachments ( ), From (),
Recipient count ( ) Any recipient (
). All Documents ( ),
, MAIL.BOX
Router .
, Attachment Name (
) is () ,
, ,
.
:
contains (, );
does not contain ( , );
is ();
is not ( );
is less than (, );
is greater than (, ).
.
, Attachment Name (
) contains () .VBS,
, ,
, .VBS, LOVE-LETTER.VBS,
CLICK-THIS.VBS.TXT MY.VBS.CARD.EXE.
, (*).
, contains ()
. ,
, ,
.VBS, Attachment
Name contains .VBS, Attachment Name is *.VBS..
.
, (. . 2, two)
Domino/Notes 6
509
:
.
. .
, , , , Add Action ( ) (. 11-16). .
11-16.

Journal this
message
(
)
Move to database
(
)
Dont accept
message
(
)
Dont deliver
message
(
)
Change routing
state (
510
11
Router .
Router/SMTP Advanced () Journaling
()
Router MAIL.BOX ,
, GRAVEYARD.NSF.
. .

Domino , Router
.
NDR , .
Domino SMTP-,
SMTP , ,
.
SMTP ( 500) ,
,
.
.
, Notes, Domino
, ,
.
, Notes,
, ,
Domino , , ,
:
Silently delete ( ) Domino MAIL.BOX
;
Send NDR ( NDR) Domino . MIME Notes Richtext,
Notes,
Domino , .
RoutingState
HOLD.
Router MAIL.BOX ,
. Domino ,
, , .
. ,
(,
) RoutingState

, . , , . , , , .
Configuration Settings ,
.
Configuration Settings .
.
. , Server Configuration Settings. 5 .
,
set rules.

MAIL.BOX (
Notes, S/MIME, PGP . .), , (, ), ,
.
. , .
, , .
Notes ( Form
); , MIME. , MAIL.BOX,
Notes, -
MIME. , SMTP, Memo, SMTP,
Domino NonDelivery Report. Notes:
Appointment,
Delivery Report,
Memo,
NonDelivery Report,
Notice,
Reply,
Return Receipt,
Trace Report.
Domino/Notes 6
511
11.13 Domino Off-Line Services

Domino 6
Domino Off-Line Services (DOLS) Web- IBM Lotus Domino Release 6 , Domino. IBM Lotus Notes 6, .
DOLS ( subscription )
Notes. , , , Notes, .
DOLS subscriptions Java-,
. DOLS , Notes.
DOLS

Offline Security Policy. , ,
,
, .
Offline Security Policy Offline
Services Configuration () Domino Administrator. Security () DOLS subscriptions (. 11-17).
11-17. DOLS
Tighten access to the

database (
)
Tighten security on the
configuration document
(
)
ACL subscription ,
. Anonymous ()
No Access ( )
, Offline
Subscription Configuration Profile ,
DOLS Offline Configuration ( DOLS)
subscription Lotus Domino Designer 6

Tighten security on offline
data (
subscription
)
, Offline
Subscription Configuration Profile
Tighten security for all
DOLSsubscriptions on the server subscriptions ,
(
DOLS Resource (DOLRES.NTF);
) DOLRES.NTF; Designer
512
11
11.14 Notes
Domino 6
Notes . Notes 6 ,
Notes, User Security ( ). Notes 6
.
User Security ( ) :
Notes Windows
Web/- Domino;
Notes Notes,
;
;
-,
- Notes ;
Notes -;
Notes -
;
Notes
; , , ,
;
,
.
User Security ( )
. Notes 6 Client Help.
, . , :
Notes -, Person
.
,
( Notes -) ;
, ,
, ,
.
Notes - . 11.7, - Notes.
-.
Domino/Notes 6
513
! , -,
-
, / Person
-.
.
ECL.
(Execution Security Alerts, ESA) ,
, . ECL . ECL , , .
11.14.1 -
- , . -

Notes. , - -, .
- , . Notes - -, PIN
- .
- Notes . Notes 6 Client Help.

- . Domino 6 Administration Guide.
-
- , /
Person -.
.
, ID- (ID File Recovery),
-.
11.14.2
(Execution Control List, ECL)
-
514
11
, . ECL , , , ,
.
, ECL , , .
,
, , , ,
, , ,
(hot spots), (,
).
ECL: ECL , Domino Directory (NAMES.NSF), ECL ,
(NAMES.NSF). ECL ECL
. ECL
Notes. ECL Domino Directory
Notes ECL .
ECL . ,
. , , Domino
Notes, Lotus Notes Template Development. , , , .
ECL , ,
, ,
,
.
,
, ECL, Notes
(Execution Security Alert, ESA),
,
ECL. :
Do not execute the action ( ). .
Execute the action this one time ( ). . .
ECL.
Start trusting the signer to execute this action ( ).
ECL ECL.
.
Domino/Notes 6
515
. ECL ,
ECL .
.
Domino 6
More Info ( ). ,
, , Notes,
, .
, , ,
. More Info ( ),
, .
Domino 6
Notes 6 ECL User Security ( ). What Others Do ( )
User Security ( ), , JavaScript.
, , JavaScript
.
Domino 6 Administration Guide Lotus Notes 6 Client Help.
ECL
Domino ECL
, . ECL
ECL .
Notes ECL Domino Directory Notes.
ECL Notes . , John Doe
John Doe ECL.
Notes (,
), ECL , ECL .
. ECL
. ECL
ECL ECL
ECL ,
. ECL
. ECL
ECL .
ECL ECL . ECL
ECL. , -
516
11
ECL ( Security Settings, ) ( ECL ).

ECL,
, Security Settings,
. , ECL
ECL .
ECL .
Domino 6 Administration Guide.
Security Settings ECL . Domino 6 Administration Guide.
ECL
, , , .
, ECL .
ECL :
ECL , , ECL .
.
, ( ) .
.
. ECL (,
, , ECL), Allow user to
modify ( ) ECL .
.
, , . ECL,
, , .
,
(, Enterprise ECLApp Signer/West/Acme). ,
,
. ECL .
Domino/Notes 6
517
12

Lotus
Notes Domino
Lotus, .
, Lotus:
Lotus Team Workplace (QuickPlace);
Lotus Web Conferencing and Instant Messaging (Sametime);
Lotus Domino Web Access (iNotes);
Lotus Workplace Messaging;
WebSphere Portal Server;
Lotus Domino Everyplace;
Lotus Sametime Everyplace.
Notes Domino,
Notes/Domino.
Lotus
519
12.1 Lotus Team Workplace (QuickPlace)

IBM Lotus Team Workplace (QuickPlace) Web- . , QuickPlace
, ,
, ,
, . . 12-1.
. 12-1. /
520
12
: , QuickPlace , . 12.1, ( ): Readers

(), Authors (), Managers (). , ,
ACL .
QuickPlace Domino. , Web Domino (nhttp.exe) HTTP-, URL- Domino (ninotes.
dll) URL- Domino.
12.1.1 QuickPlace SSL

QuickPlace SSL-
, Web- QuickPlace. SSL- (handshake) Web- Domino, SSL Domino. QuickPlace SSL
LDAP- QuickPlace LDAP-, HTTP
QuickPlace.
SSL , QuickPlace Domino, .
! QuickPlace SSL, Domino, SSL/LDAP .

TCP/IP Notes.
QuickPlace.
Domino . Domino 6.
12.1.2
(place) QuickPlace , .
.
QuickPlace (Contacts1.nsf) .
, .
.
, , . , , .
.
Lotus
521
LDAP-
QuickPlace LDAP-
,
LDAP- . (, ) LDAP- QPTool
, .
QPTool ,
. QPTool
:
;
;
;
;
;
;
;
;
PlaceTypes ( );
PlaceTypes;
;
;
PlaceTypes;
Place Catalog ( );
;
;
dead mail ( );
E-Mail API.
, John Smith LDAP- , LDAP- QPTool- updatemember .
QPTool , QuickPlace, . Lotus QuickPlace 3.0
Adminstrators Guide, Lotus QuickPlace, Web- :
http://doc.notes.net/uafiles.nsf/docs/QP30/$File/na5d3fus.pdf
522
12
.
. LDAP-
, .
,
, .
QuickPlace
, LDAP (Lightweight Directory Access
Protocol) 3, Domino LDAP
LDAP-. , QuickPlace
LDAP- .
12.1.3 QuickPlace
QuickPlace Web-
QuickPlace:

. , QuickPlace single server sessionbased name-and-password authentication (

), Domino, 1.

.
QuickPlace .
. 12-2. , ,
, . , ,
Domino .
, Web- DNS,
.
(single
sign-on, SSO) QuickPlace LTPA (Lightweight third-party)
HTML-cookie. cookie-
Domino .
QuickPlace , Domino Server API (DSAPI).
1
. . . .
Lotus
523
DSAPI-, QuickPlace. DSAPI- . 7.4, DSAPI.
. 12-2.
12.1.4 QuickPlace
QuickPlace
, .
, (room) QuickPlace Server
Settings ( ),
Members Customize ( ).
QuickPlace
QuickPlace. , :
524
12
QuickPlace.
,
QuickPlace.
, QuickPlace.
. , , .
( super user) QuickPlace.
,
QuickPlace. ,
.
. ,
.
12.1.5
Server Settings QuickPlace . ,
:
ActiveX Java- ;
(PlaceBots) ;
,
;
Sametime;
Domino Offline Passthru Server;
Alternate Offline Download URL;
URL- ,
QuickPlace -;

, .
12.2 Lotus Sametime

IBM Lotus Web Conferencing and Instant Messaging (Sametime)
: Sametime, Sametime Meeting Room Sametime
Connect.
Lotus
525
Sametime Connect : Java Connect Sametime Connect . Sametime Connect

, . . , Meeting Room
(shared whiteboard), (online meeting).
, Connect, Meeting Room.
12.2.1 Sametime Connect

Sametime Connect .
.

Sametime 3 Connect :
1. Sametime (handshake)
(630-) Sametime.
2. ,
( 10 ).
3.
, .
4. , .

, Sametime
connect.ini. connect.ini . , connect.ini, RSA RC2
40.
, .

Sametime- Sametime , Sametime 1.5 .
! - Sametime
(, AOL), .
.
RSA RC2 128- . Sametime Connect.
526
12
Sametime 2.5 3.0 Sametime 3.0x

, , Encrypt all meetings ( ) .
Sametime 2.5 , .
Sametime 2.5 Sametime 3.0
.
(instant meetings) Secure
meeting ( ), .
, , ,
.
(buddy list) Sametime
vpuserinfo (vpuserinfo.nsf). , Sametime.
(stauths.nsf)
(stautht.nsf). VPUserInfo , ,
. Connect.
,
.
12.2.2 - Sametime
. 12-1 -, .
12-1. -
Sametime
-
SOCKS 4
-
SOCKS 5
-
HTTP
-
HTTPS
Connect
Meeting Room

(. )
Meeting Room

Meeting Room

Broadcast

Sametime
Lotus
527
. , Sametime Meeting Room HTTP - HTTPS. Sametime Meeting Room

HTTPS- - HTTPS. Sametime Connect
- HTTPS ( CONNECT),
Sametime Connect
- HTTPS. Meeting Room
CONNECT - HTTPS, HTTPS-
- HTTPS.
12.2.3 Sametime Java Connect
SSL Web- Sametime. SSL HTTP, .
, Sametime
Connect .
12.2.4 Sametime Meeting Room
SSL Web- Sametime. SSL HTTP, . SSL Domino SSL Sametime-. Domino SSL . 6.2.5, Secure
Sockets Layer.
! cookie-. Cookie , Sametime

Sametime ,
.
cookie-, ,
.
Sametime-
Sametime- , , , .
.
, ,
.
528
12
, Security () New Meeting ( ), .

:
, .
.
. Sametime.
.
.
! , .
.
(Online
meeting center). ,
Meeting Center. . , . Meeting
Center , unlisted meeting ( )
, .
, .
. .
, , , NetMeeting,
, .
12.2.5 meeting server
Web- Sametime , .
Sametime.
, Sametime , SSL (Secure Sockets Layer)
HTTP- Sametime- ( ), Web- HTTP-.

Sametime
HTTP- Sametime Web-. , Sametime
Sametime (stcenter.nsf), .
Lotus
529

Sametime.
(access control list,
ACL) Sametime Sametime
Sametime Meeting.
Sametime,
Sametime,
ACL, :
Sametime Online Meeting Center (STCONF.NSF), ACL
No Access ( ) .
.
Sametime Web Admin (STADMIN.NSF), ACL
.
Sametime. -
Sametime.
ACL
ACL Domino,
Sametime Meeting Center.
Anonymous () Default No
Access ( ), ACL
. Anonymous () Default No Access ( ) , ,
ACL, .
Default.
ACL ,
,
. , ACL ,
Default.
. ACL Anonymous (), Default ACL

No access ( )
. ACL
Anonymous (),
,
Default . ACL Anonymous ()
No access ( ),
, ACL
Default.
530
12
Sametime
Sametime , Sametime. Sametime Development/Lotus Notes
Companion Products.
,
Sametime, ,

Sametime:
STCONF.NTF,
STDISC50.NTF,
STTEAM50.NTF,
STSRC.NSF.
,
ACL Run unrestricted
agents ( ) Server Sametime.
ACL :
: Reader ();
: Group Creator ( ), Group Modifier ( ),
UserCreator ( ), UserModifier ( ).
LDAP-
SSL
, Sametime- LDAP-. , Sametime- LDAP-,
, Sametime.
, Sametime- LDAP-,
:
1. Use SSL to authenticate and encrypt the connection between the
Sametime and the LDAP server ( SSL
Sametime LDAP-) Sametime Administration Tool.
2. Directory Assistance LDAP- .
3. Sametime LDAP-. SSL , Sametime- LDAP, :
Encrypt all data ( ).
( ),
Sametime LDAP-.
Lotus
531
SSL-
Sametime LDAP-. , .
Encrypt only user passwords ( ).
(, ), Sametime- LDAP-. ,
Sametime- LDAP- SSL.
, .
Encrypt no data ( ).
Sametime- LDAP- .
, ,
, Sametime- LDAP-, .
, Sametime- LDAP-, . Sametime Server Administrators Guide,
Sametime, Lotus Developer Domain :
http://doc.notes.net/uafiles.nsf/docs/QP30/$File/na5d3fus.pdf

Configuration () Meeting Services
( ) Sametime Administrator Encrypt all Sametime meetings ( Sametime-). T.120 , , Sametime Meeting Room Sametime
Broadcast Sametime . RSA RC2 128-
. , , , .

, Configuration () Meeting Services (
) Sametime Administrator Require all scheduled
meetings to have a password ( -
. 12-3. Sametime Server Meeting Services
532
12
), . 12-3.
, .
,
.
12.3 Domino Web Access (iNotes)

iNotes Web Access Web- , Domino, Web-. ,
, .
, , .
iNotes
Domino . , iNotes, .
12.3.1
Domino Notes,
ID- Notes .
Domino iNotes Web Access Web- ID- Notes . , Domino
.
Notes
, iNotes.
X.509
, ID- Notes, Web-, X.509 iNotes. ,
ID- Notes, X.509
.
6, .

. ,
, .
Save this password in your password list (
) . . (replay attack),

.
Lotus
533
(realm),
Domino . ,
URL-, ( ), .
yourserver/mail.
, , yourserver/help/help5_client.nsf, , yourserver/help
yourserver/mail.
,
Domino.

, , 30 , , .
, . iNotes Web Access
Logout, ,
.
,
back ()
,
.
,
iNotes Web Access.
, - .
! .
iNotes Web Access ,
.
Forms5.nsf
Forms5.nsf , iNotes Web Access.
JavaScript-, HTML- , iNotes Web Access.
iNotes Web Access , Anonymous () Reader () {
}\iNotes\Forms5.nsf. Catalog.nsf , , Domino
Administrator Files () Notes.

,
, iNotes.
534
12
12.3.2
Domino R5.09 iNotes
iNotes. . , .
:

(snooping). , .

.
.
,
, .
Preferences ()
iNotes. Other () Encrypt mail file locally ( ). .
, , , . , :
1. , Offline Sync Manager.
2. iNotes Web Access Preferences () - Other (),
Encrypt local mail file ( ).
3. Go Offline ( ), Install
Subscription ( ), (
).
. Encrypt mail file locally (

) ,
.
12.3.3
-
iNotes Web Access Notes, , , (to do list) : , - .
Lotus
535
iNotes Web Access ,

, . iNotes Web Access
,
back () .
, iNotes Web Access
. , ,
.
,
. Internet Explorer ,
. iNotes Web Access
;
, ( -) .
-
Internet Explorer -. Internet Explorer 5.01 Tools () Internet Options ( ) Advanced (), Empty temporary Internet
file folders when browser is closed (
).
12.3.4 iNotes Web Access Notes

Notes
iNotes Web Access.
Notes iNotes:
iNotes .
Notes , iNotes .
iNotes .
, , Notes Notes
iNotes.
iNotes .
iNotes ,

.
ID- (), iNotes, Notes.
iNotes - Domino Directory.
Notes,
-, iNotes.
536
12
12.3.5
Notes
(Execution Control List, ECL). ECL
.
, ECL , Domino . ECL . Lotus Domino Administrator 6 Help.
,
. Web- ECL
. iNotes
Web Access, , , . . ,
, .
.
,

.
, (, ,
ECL).
12.3.6
() iNotes Web Access.
Cookie-
, cookie- , . Cookie-
/ .
iNotes Web Access , cookie-. iNotes Web Access cookie-
Shimmer, . cookie-
.

iNotes Web Access iNotes Web Access
. HTML-,
, ( HTTP- Cache-Control) no-cache, , . , , JavaScript, .gif-
Lotus
537
iNotes Web Access, . iNotes Web Access , , [,

Empty temporary Internet files when browser is closed ( ) ].
, iNotes Web Access .
pdf- . .pdf-,
, private
Adobe Acrobat. 1 Adobe Acrobat Reader.
, - Internet Explorer (. Q272359 http://
www.microsoft.com) SSL iNotes Web Access
Cache-Control none XML-. ,
. XML- , .
, ,
. , , iNotes Web Access
Logout . - .
, .
iNotes Web Access . ,

, Notes.
iNotes Web Access default copy
and close ( ),
(, read later
with Notes),
Notes.
12.4 Lotus Workplace

Lotus Workplace Lotus,
(on demand) IBM,
:
, -
, , .
538
12
Lotus Workplace , , . Lotus Workplace ,

, -:
Lotus Workplace Messaging
.
- , , , , POP3, IMAP Microsoft Outlook. : ; (presence awareness) ;
; (,
, ); WebSphere Member Manager, .
Lotus Workplace Team Collaboration Web-.
, ,
, , - , , . : , ; ; ; ;
; ,
; , .
Lotus Workplace Web Content Management
, , Web-
.
Web-,
, , . , : , (
) .
Lotus Workplace Collaborative Learning ,
, . ,
.
, ,
.
Lotus
539
Lotus Workplace . 12-4,

.
Web-
WebSphere Portal
Lotus Collaboration
. 12-4. Lotus Workplace

Lotus Workplace , . ,
, ,
.
Workplace Messaging ,
Notes/Domino, iNotes
Web Access, WebSphere Portal, .
Workplace Team Collaboration , QuickPlace Sametime, WebSphere Portal, .
12.5 IBM WebSphere Portal

IBM WebSphere Portal IBM,
- (business-to-employee, B2E), - (business-to-business,
B2B) - (business-to-consumer, B2C). , Lotus, WebSphere Portal, Lotus. , ,
Lotus, Lotus,
WebSphere Portal.
540
12
12.5.1
Portal Server ,
. .
. WebSphere Portal Server IBM
WebSphere Application Server. - Trust Association Interceptor (TAI).
WebSphere Application Server
LDAP- CustomRegistry , LDAP. WebSphere Application Server Trust Association Interceptor (TAI) Netegrity SiteMinder, Tivoli Policy Director Tivoli Access Manager,
, WebSphere Application Server. , WebSphere Application Server (single sign-on) Domino, WebSphere Application Servers
, Tivoli Access Director Policy Director WebSEAL.
WebSphere Portal Server (Custom Form-based Authentication mechanism), WebSphere Application Server , .
WebSphere
Application Server /wps/myportal WebSphere Application Server All Authenticated Users ( ) Custom Form-Based Challenge ( ).
, Portal Server.
: WPS, (, LDAP-) - CustomRegistry.
(, Policy Director WebSEAL)
. WebSphere Application Server
Portal Server TAI.
Portal Server
,
WebSphere Application Server -
. -
Lotus
541
WebSphere Application Server,

/wps/myportal WebSphere Application Server. Portal Server
Portal Server. Portal Server

. .
-
WebSphere Application Server,
(, Policy Director
WebSEAL). WebSphere Application Server Trust Association Interceptor (TAI) -
. - , WebSphere Application Server, LTPA-. Policy Director WebSEAL.
Trust Association Interceptor WebSphere Application Server, (Security Center)
WebSphere Application Server trustedservers.properties.
, WebSphere Application Server TAI, , .. , , . TAI (Distinguished Name, DN), . WebSphere Application Server
,
. , , WebSphere Application Server . , WebSphere Application Server LTPA-
cookie- .
WebSphere Application Server TAI Tivoli Access Manager Tivoli
Policy Director. WebSphere Portal Server TAI SiteMinder,
TAI Portal
Server.
TAI .
- , Portal Server -
TAI LTPA-.
WebSphere Application Server -
542
12
, WebSphere Application Server Portal Server . , WebSphere Application Server WebSphere

Portal Server ,
.
TAI, WebSphere Application Server. , SiteMinder Tivoli Access
Manager, TAI .

WebSphere Portal Server Portal
Server, LDAP-,
( ).
WebSphere Application Server CustomRegistry
. LDAP
WebSphere Portal Server , WebSphere
Application Server,
.

.
, . , LDAP-
,
. Member Services Portal Server, ,
.
WebSphere Application Server .

(, LDAP-)
Portal, WebSphere Portal Server,
Customer User Registry (CUR). Member Services
.
, . , , . WebSphere
Portal Server .

(single sign-on) WebSphere Portal Server ,
,
.
Lotus
543
WebSphere Portal Server - . ,

WebSphere
Portal Server,
,
. WebSphere Portal Server
WebSphere Application Server, - ,
, Tivoli Access Manager SiteMinder. WebSphere Application Server Domino.
WebSphere Portal Server .
Credential Service, , , ,
. ,
WebSphere Portal Server
.
Portal Server Java Authentication and Authorization Services (JAAS). .
WebSphere Portal Server JAAS. WebSphere
Portal Server JAAS Subject . JAAS Subject Principal Credential. Principal , DN , . Credential , CORBA Credential, . JAAS Subject Principal Credential,
Credential Service.
Credential Service
Credential Service , LTPA- .
Principal JAAS Subject,
(credential vault service). Credential Service
JAAS Subject. Credential Service
Tivoli Access Manager SiteMinder JAAS Subject .

(Credential Vault) , , . -
544
12
, ,
, .
. (Default Vault)
, , ,
. , , , POP3, ,
. , , ;
.
, base64.
, ,
(Vault Adapter) . (Vault
Adapter Implementation):
was_root/lib/app/config/services/VaultServices.properties
,
. (Vault Segment) Credential Vault.
WebSphere Portal Server , , Tivoli Access Manager. Portal Server
Tivoli Access Manager, AIX, Solaris Windows. . . . Credential Vault.
12.5.2
,
Access Control List.
Application Server - . Application Server
EJB (Enterprise Java Beans). WebSphere Portal Server
, , . WebSphere Portal Server .
WebSphere Portal Server ,
Tivoli Access Manager SiteMinder
.
Lotus
545

.
, . .
Access Control List .
, Tivoli Access Manager Netegrity SiteMinder, .
, (access control). Access Control List (ACL)
. . WebSphere Portal
Server. Access Control List .
, . , , WebSphere Application Server - . WebSphere
Application Server EJB. WebSphere Portal
Server , ,
. , . WebSphere Portal Server
J2EE, .
Access Control List

Access Control List ,
. ,
, . Access Control List
.
.
. ,
Administrative Role. ,
, (Security Center)
Application Server.

, .
, DELEGATE, ,
.
: VIEW, EDIT, MANAGE CREATE. -
546
12
,
. WebSphere Application Server. .
DELEGATE
DELEGATE . DELEGATE, (, ),
.
(VIEW, EDIT, MANAGE, CREATE), ,
. DELEGATE . DELEGATE ,
. , Sandy EDIT DELEGATE
Financial DELEGATE , Fred, Sandy Fred VIEW EDIT Financial.
Sandy MANAGE , MANAGE .

.
, , . MANAGE DELEGATE
. Access Control List,
, .
, . .
, . ,
.

Access Control List .
.
, wpsadmin wpsadmins.
,
, wpsadmin. LDAP . wpsadmins ,
Lotus
547
LDAP.
, ,
LDAP .

MANAGE PORTAL,
.
WebSphere Portal Server , XML- . MANAGE DELEGATE
. VIEW
. VIEW , .

Access Control List.
.
MANAGE .
DELEGATE DELEGATE
, . Portal Server . ,
,
.

, , . WebSphere Portal Server
: Tivoli Access Manager Netegrity SiteMinder.

WebSphere Portal Server. ,
MANAGE DELEGATE
ACL.
,
Access Control List . , EXTERNAL_ACL, MANAGE DELEGATE.
. ,
, , ,
, MANAGE DELEGATE.
548
12

. Access Control List . Access Control List ,
,
MANAGE DELEGATE. Access Control List
.
, , ACL . ,
Tivoli Access Manager ACL Tivoli Access Manager.
. WebSphere Portal Server.

.
. TAM SiteMinder . WebSphere Portal Server.
SSL
, SSL (Secure Sockets Layer)
.
SSL . , SSL .
Web-. ; . .
, WebSphere Portal.
.
-, Web- HTTPS. ,
(Certificate Authority, CA). IKEYMAN
.
, Web- , , Web-,
. SSL
Web- .
Web- , ikeyman,
HTTPD WebSphere Application Server.
Lotus
549
. SSL
Web- WebSphere Application Server IBM WebSphere V4.0 Advanced
Edition Security, SG24-6520.
12.5.3
.
, , .
(Setup Manager) (, DB2) , 42 .
.

. ,
, , wpsbind wpsadmin , WebSphere
Portal Server.
12.5.4
install.log wps_root/install.
LDAP XML-:
AppServer_home/lib/app/xml/wms.xml
AppServer_home Application Server.
LDAP Member Services,
.
was_root/lib/app/xml/wms.xml.
12.5.5 Member Services

Member Services WebSphere Portal Server, .
. Member Services . , . Member Services
, ,
, .
Member Services
, .
550
12
Member Services :
(Profile management). , Manage Users.
(User repository). ,
. . .
. WebSphere Portal Server.
(Group membership). Member Services
Portal Server.

.

Member Services :
. ,
, . , , ,
, , ,
. ,
(generic user). .
.
. ,
. .
,
, , Portal Server
, .

,
,
. Manage Groups.

. . ( LDAP-, ,
, ) .
Member Services LDAP-
.
Lotus
551

, , , , . , , ,
, . .
, .
, , -, .
.
. .
WebSphere Portal Server. LDAP-
.
, LDAP.
Member Services Authentication. . , , , .

LDAP-
.
, Member Services. Member Services

XML-:
<was_root>/lib/app/wms.xml
WebSphere Portal Server WebSphere Application Server . WebSphere Application Server
.
Member Services
LDAP- , Member Services,
.
, .
552
12
Member Services
Portal Server
Member Services XML-:
<was_root>/lib/app/xml/wms.xml
,
.
Portal Server :
.
CustomRegistry. XML-:
<was_root>/lib/app/xml/wms.xml
LDAP XML-:
<wp_root>/wms/xml/attributeMap.xml
,
. LDAP- inetOrgPerson, LDAP-.
wms.xml Member Services
. WebSphere Portal Server. ,
<DIRECTORY.../> , Member Services .
LDAP
Member Services ,
Java-, ,
. LDAP-,
LDAP- XML-:
<wp_root>/wms/xml/AttributeMap.xml
LDAP- Java- ,
Java- , LDAP-.

LDAP- , , , . LDAP- attributeMap.xml.
: , , ,
.
Lotus
553

Portal Server ,
. , . WebSphere
Portal Server ,
. , Portal Server
. , ,
GlobalMarketing, , USMarketing. Portal Server
, USMarketing GlobalMarketing. USMarketing , GlobalMarketing. , GlobalMarketing File Server USMarketing World Clock, USMarketing
File Server World Clock. , Fred
GlobalMarketing File Server,
Sandy USMarketing
File Server, World Clock.

WebSphere Portal (
):

;
User/Group Manager
;
LDIF-, , LDAP-.
Tivoli Access Manager WebSphere Portal LDIF-
:

;
, WebSphere Portal Server,
Tivoli Access Manager (. portallogin.config)
; , .

Tivoli Access Manager TAM:
pdadmin> user import wpsadmin uid=wpsadmin,cn=users,dc=yourco,dc=com

pdadmin> user modify wpsadmin account-valid yes
Tivoli Access Manager WebSphere Portal.
554
12
.
, WebSphere Portal, . WebSphere Portal Server.

, /wps/myportal, , /wps/portal/.scr/Login, . WEBSEAL TAI
Portal Server. /
wps/myportal.
WebSphere Portal Server , . , .
.

(common
names), WebSphere Portal Server. WebSphere Portal Server
, . , was_root\lib\
app\config\puma.properties:
puma.commonname = {0} {1}

{0} , {1} . {0} {1} + +. {0}, {1}. ,
, , : puma.commonname = {1} {0}.

WebSphere Portal Server . .
.

WebSphere Portal Server (self-care)
. ,
.
Lotus
555

, , . .
,
.
, WebSphere Portal .
Portal Server (turbine
actions) .
Puma.properties Registration Servlet.
puma.UserValidator , .
JSP (Java Server Pages):
UserProfileForm.jsp , ;
UserProfileConf.jsp , ;
Congrats.jsp , ;
RegistrationError.jsp .
JSP-
JSP- WebSphere Portal Server
, . JSP- , , wps.Name, Name , . Name
inetOrgPerson LDAP-,
attributeMap.xml, , LDAP-. Portal Server, : 64 255
.
(Self-care) , ,
. Portal Server
, . Puma.properties
Registration Servlet. puma.UserValidator
, .
556
12
JSP-:
UserProfileForm.jsp . . , .
UserProfileConf.jsp . Continue
(). UserProfileForm.jsp
Cancel ().
RegistrationError.jsp .
12.6 Domino Everyplace Access

Domino Everyplace Access Server (DEAS) Domino HTTP. Domino Mobile Notes,
Notes/Domino,
Domino. DEAS
, Domino
WAP 1.1.
Domino Everyplace Access - Domino .
HTTP- WML.
Domino Everyplace Access
, , Notes. Domino DEAS Domino, WML.

DEAS- ,
Manager () Domino,
. , , DEAS-
Manager () Delete . localdomainserver .
Domino Everyplace
:
, .
.
Notes ( ) .
Internet password (-) Person.
Lotus
557
IP- WAP- /
IP- WAP-.
Web- DEAS.
,
IP- WAP-, , Server. IP- WAP-,
IP-. IP-, ,
Permitted WAP gateway IP Addresses ( IP- WAP-).
IP- Restricted WAP gateway IP Addresses ( IP- WAP-).
( Phone.com).
, Phone.com, . , Server, Person, , . ,
.
( Phone.com).
DEAS- ( , , ),
.
, . , - - .
. ,
, .
12.7 Sametime Everyplace

Sametime Everyplace (STEP) Sametime WAP-,
. , , Sametime, , Sametime Connect .
Sametime Everyplace :
WAP 1.1
Web- , Notes, Netscape 4.5
( 4.7), Microsoft Internet Explorer 4.01 Service Pack 2
.
. Netscape 4.7 Netscape 6.0 .
558
12
.
STEP , WAP
1.1. . , STEP-.
STEP
STEP-
Sametime. STEP Sametime
. Sametime :
(STAUTHS.NSF) (STAUTHT.NSF), STEP Sametime.
STEP Sametime. STEP
.
STEP
STEP Sametime .
STEP . STEP- ,
STEP- , STEP- .
Sametime , ,
STEP. STEP Domino, , Sametime Domino,
STEP.
STEP Sametime, (STAUTHS.NSF)
(STAUTHT.NSF) STEP-.
STEP Domino
STEP Sametime, ,
Domino. STEP- Domino,
Sametime .
STEP Sametime , :
1. - STEP- Sametime.
2. STEP- Sametime.
3. Directory Assistance, STEP- .
Lotus
559
12.8
Lotus, Notes
Domino, . Lotus, ,
, .
:
Lotus Team Workplace (QuickPlace),
Lotus Web Conferencing and Instant Messaging (Sametime),
Lotus Domino Web Access (iNotes),
Lotus Workplace Messaging,
WebSphere Portal Server,
Lotus Domino Everyplace,
Lotus Sametime Everyplace.
Notes Domino, ,
, Notes Domino.
560
12

, Lotus. ,
.

, , .
13

Lotus, , .
, .
,
.
563
13.1
Redbooks Company. Redbooks : , , . , . , ,
, , .
,
.
.
, .
.
: .

.
.
13.2 1.
, RedbooksCo , , . , ,
;
Web-. ,
Lotus Domino Domino Web Access (iNotes) , Lotus
Team Workplaces (QuickPlace) Lotus Instant Messaging (Sametime) .
, RedbooksCo , ,
. ,
, ,
.
Redbooks . (single sign-on, SSO) .

URL ( Matt Milza):
http://itsosec-dom.cam.itso.ibm.com/mail/mmilza.nsf
564
13
URL Web- .
. 13-1.
. 13-1.
,
. Lotus Sametime QuickPlace
, .
iNotes , , . 13-2.
iNotes RedbooksCo . RedbooksCo -
. 13-2.
565
, iNotes.
. ,
, .
. 13-3. Sametime Meeting Server

, Lotus Sametime.
.
Sametime Java Connect Redbooks .
. 13-4. QuickPlace Server

, QuickPlace. QuickPlace .
. RedbooksCo , () . , .
, . .
566
13
13.3 2.
, RedbooksCo

. RedbooksCo .
, , ,
.
,
- (reverse proxy). - , - . , . - , .
. :
-, -; ,
- / ,
.
,
, ,
.
, .
SSL (Secure Sockets
Layer) -. , -.
Redbook
, URL, :
https://itsosec-dom.cam.itso.ibm.com/mail/mmilza.nsf
, SSL URL HTTPS.
- Domino SSL.
,
,
( SSL -)
.
,
-
. -.
-
567
Domino. -
, . , ,
https://itsosec-dom.cam.itso.ibm.com
you are not authorized ( ), . 13-5. - ,
.
. 13-5.
13.4 3.
RedbooksCo ,
: Domino,
, ,
. ,
, . ,
,
,
Domino Directory, .
, LDAP,
. -
568
13
RedbooksCo. Directory Assistance Lotus Lotus-

Domino LDAP- .
.
LDAP- ,
Domino LDAP-, Lotus.
RedbooksCo , ,
,
. ,
-
RedbooksCo .
13.5 4.

RedbooksCo , ,
, .
. , -
Lotus . ,
-, - Sametime
Sametime, RedbooksCo
. Sametime (3.1)
.
,
URL . (QuickPlace, Sametime, iNotes ..),
.
WebSphere Portal. . - , .
WebSphere Portal , RedbooksCo . - , , SSL- .
569
URL, :
https://itsosec-wps.cam.itso.ibm.com/wps/myportal
, . 13-6.
. 13-6. WebSphere Portal

, RedbooksCo.
,
, .
URL Redbooks, , .
, , ,
URL .

.
13.6 5.

RedbooksCo Web-
, .
Lotus
570
13
. 13-7. Lotus Learning Management System

Workplace Messaging Lotus Learning Management System.
, .
. , .
RedbooksCo WebSphere Portal
,
, .
13.7 6.
RedbooksCo SSL -. , LDAP-,
, , .
,
- WebSphere Portal / Lotus
.
.
RedbooksCo ,
,
- ,
. , -
, .
IBM Tivoli Access Manager (TAM). -
571
- - . ,
TAM , -. TAM
, - .
TAM -
TAM- -. TAM-
LDAP-. - . ,
TAM- . .
13.8 7.

RedbooksCo Web- .
Sametime, . , Sametime, .
, RedbooksCo,
, RedbooksCo.
. Lotus Sametime 3.0. Lotus

Sametime 3.1 Sametime -,
Lotus- , Sametime 3.1
-.
- Sametime 3.1 . 5.5, - Lotus Sametime 3.1.
13.9

RedbooksCo.
. Lotus.
.

.
572
13
14

,
, Redbooks.

(single sign-on, SSO)

.
573
14.1
(Domino, Sametime QuickPlace)

Lotus Domino, Sametime QuickPlace .
. 14-1 . ,
Web- Lotus, Domino. Lotus Domino LDAP,
Lotus Sametime Domino LDAP.
ITSOSEC-QP
ITSOSEC-DOM
ITSOSEC-ST
. 14-1.
14.1.1
Lotus Domino
:
1. Linux RedHat 8. sendmail telnet vncserver.
Lotus Domino.
2. Lotus Domino 6.01.
3. Redbooks
Servers. itsosec-dom/Servers/Redbooks.
4. Sametime QuickPlace.
itsosec-st/Servers/Redbooks itsosec-qp/
Servers/Redbooks .
5. : East West.
6. / East West
Lotus iNotes/Domino Web Access.
Lotus Sametime :
574
14
1. Windows 2000 Service Pack 3.

2. Lotus Domino 5.010.
3. Sametime 3.0 Service Pack 1
LDAP- . LDAP- itsosecdom/Servers/Redbooks (itsosec-dom.cam.itso.ibm.com).
4. Domino 5.012 .
Domino
. Domino, Domino Directory LDAP-, . Domino 5.012. ,
Domino 5.012 Sametime
Domino 5.012.
Lotus QuickPlace :
1. Windows 2000 Service Pack 3;
2. Domino 5.012;
3. Lotus QuickPlace 3.0.
14.1.2 Web SSO Configuration

Lotus Web SSO Configuration Domino Directory. Web
SSO Configuration Web SSO
Configuration :
1. Domino Directory (names.nsf) Domino (itsosec-dom/Servers/
Redbooks).
2. Configuration ().
3. Servers ().
4. All Server Documents ( ).
. 14-2. Web SSO

5. Web () Create Web SSO Configuration ( Web
SSO Configuration).
6. Web SSO Configuration (. 14-3). :
575
. 14-3. Web SSO Configuration

LtpaToken.
cam.itso.ibm.com.
DNS- (.. itsosecdom.cam.itso.ibm.com, itsosec-st.cam.itso.ibm.com, itsosec-qp.cam.itso.ibm.com).
Lotus Domino,
.
-, 30 , .
7. Keys () Create Domino SSO keys ( Domino SSO).
LTPA-, LTPA-.
. 14-4. Domino SSO

8. ,
Web SSO Configuration.
Server Internet
Protocols (-) Domino Web Engine (- Domino):
) Session Authentication ( )
Multiple Servers (SSO) [ (SSO)].
b) Web SSO Configuration Web SSO Configuration,
6. LtpaToken.
576
14
. 14-5.
9. Domino Directory . , Web SSO Configuration
Server .
HTTP, Web SSO. HTTP Tell HTTP Restart Domino.
. Lotus Domino 6 SSO

Internet Site. ,
Internet Site .
14.1.3
SSO (Fully
Qualified Domain Names, FQDN).
Server . Basics (
) Server, . 14-6.
, FQDN, Ports () Notes
Network Ports ( Notes) Server, . 14-7.
. 14-6. Basics ( ) Server
577
. 14-7. Ports () Server

, FQDN, Internet Protocols
() HTTP, . 14-8.
. 14-8. HTTP Server
14.2 -
, . WebSphere Edge,
SSL . Web-, , ,
Domino Directory.
. 14-9 ( ), .
-, Lotus Domino, ,
( ). /
.
578
14
. 14-9. Edge
14.2.1 SSL
SSL- SSL Lotus.
SSL / SSL-/.
, , Verisign.
Domino CA (untrusted) SSL-/ .
. 14-10. Internet Ports (-) 1
579
Domino SSL, Server . Ports () Internet Ports

(-) Server ,
SSL (SSL Key Ring) ,
SSL.
SSL 443
, . .
Internet Ports (-) . 14-8
14-9.
Server
HTTP.
. 14-11. Internet Ports (-) 2
14.2.2 WebSphere Edge Server

( -)
IBM WebSphere Edge Server
Edge Server Windows 2000 (Service
Pack 3). Edge Server Configuration Wizard -. :
Select Proxy Behavior ( -) Reverse Proxy ( -);
Select Proxy Port ( -)
80;
Target Web Server ( Web-)
URL itsosec-dom.cam.itso.ibm.com.
580
14
Edge Server
Web- :
http://itsosec-rp.cam.itso.ibm.com/admin-bin/webexec/frameset.html
:
, Proxy Settings ( -), HTTP.
. 14-12.
. 14-12. -
Privacy Settings ( )
HTTP- . Forward clients IP address to destination
server ( IP- ).
HTTP-, IP-
. . 14-13.
. 14-13.
581
SSL , SSL-. , SSL-

. SSL . 14-14.
. 14-14. SSL
Caching Filters ( ) - , -.
-
, HTTP-.
, . *//itsosec-dom.cam.itso.ibm.com/*
WebSphere Edge Server, . 14-15.
Last Modified Factor ( )
Domino, Edge.
URL- ?OpenImageResource ?OpenElement&FieldElemFormat=gif. Domino, -
( , HTML). . 14-16.
Basic Settings ( ) IP-, . . ,
IP-. . 14-17.
582
14
. 14-15.
. 14-16. Last Modified Factor ( )

583
. 14-17.
HTTP Methods (HTTP-) ,
Edge. ,
Domino, GET, HEAD POST.
, . . 14-18.
Request Routing ( )
. ,
. . 14-1 , Request Routing ( ). , , 192.168.0.3 IP- itsosecdom.cam.itso.ibm.com.
, , Edge , /mail /iNotes . . URL, 192.168.0.3 Domino.
14-1.
Index
()
1
2
584
Action
()
Proxy
Proxy
14
Request template
( )
/mail*
/iNotes/*
Replacement file path

( )
http://192.168.0.3/mail*
http://192.168.0.3/iNotes/*
. 14-1
Index
()
3
4
5
6
Action
()
Proxy
Proxy
Proxy
Proxy
Request template
( )
/inotes5/*
/icons/*
/domjava/*
/names.nsf
Replacement file path

( )
http://192.168.0.3/inotes5/*
http://192.168.0.3/icons/*
http://192.168.0.3/domjava/*
http://192.168.0.3/names.nsf*
. 14-19.
. 14-18. HTTP-
. 14-19.
IBMPROXY.CONF
. IBMPROXY.CONF :
SignificantUrlTerminator ?OpenImageResource;
SignificantUrlTerminator ?OpenElement;
SignificantUrlTerminator /?OpenImageResource;
585
SignificantUrlTerminator /?OpenElement;
fail /*;
Reversepass http://192.168.0.3/* http://itsosec-dom.cam.itso.ibm.com/*.
fail /* -. URL:
https://itsosec-dom.cam.itso.ibm.com
, . 14-20.
. 14-20.
- Domino Directory
(names.nsf) (/mail). Domino Directory
. -
.
14.2.3
- WebSphere Edge Server
.
, - Domino. Domino, QuickPlace Sametime
. .
,
80 443 . . 14-21.
586
14
, , Domino -.
. 14-21.
14.3 LDAP-
Domino Domino Directory LDAP LDAP. ,
LDAP-, LDAP- , Lotus. LDAP
Domino, , Redbook , LDAP-, Lotus,
.
, , Lotus , LDAP-, LDAP- (. . ) LDAP-. . 14-22 , Lotus,
LDAP-. , -
Lotus Domino
-,
LDAP-.
Lotus
ITSOSEC-RP

ITSOSEC-LDAP

-
. 14-22. LDAP-
587
14.3.1 LDAP-
LDAP- IBM Directory Server
Windows 2000 Service Pack 3.
LDAP- LDIF-. LDIF- LDAP-,
Domino LDAP (East West). ,
, Admin, Sales, Production Editorial.
.
14-1 LDIF- , , .
14-1. LDIF-
dn: UID=MMilza,OU=Admin,O=Redbooks,C=US
objectclass: person
objectclass: top
mail: M.Milza@redbooks.com
fullName: CN=Matt Milza,OU=East,O=Redbooks

title: IT Mgr
mailSystem: 1
givenName: Matt
sn: Milza
cn: Matt Milza
uid: MMilza
userid: mmilza
mailDomain: Redbooks
mailServer: CN=itsosec-dom,OU=Servers,O=Redbooks
mailFile: mail\mmilza
. LDIF-, dn
LDAP, fullName
Lotus Notes.
14.3.2 Lotus Domino LDAP-

Lotus Domino , LDAP- IBM
Directory Server. Domino LDAP- Directory Assistance Domino.
Directory Assistance Domino LDAP- :
588
14
1. Directory Assistance Database Domino da50.ntf.

2. Directory Assistance
LDAP-.
3. LDAP-. . 14-23, 14-24 14-25
Directory Assistance LDAP.
4. Directory Assistance Server Domino ,

Directory Assistance Basics ( )

Server da.nsf DA.
. 14-26.
5. .
. 14-23. Domino Server Directory Assistance Basics ( )
. 14-24. Domino Server Directory Assistance Naming Contexts ( )
589
. 14-25. Domino Server Directory Assistance LDAP
. 14-26. Basics ( ) Server Domino
590
14
14.3.3
, Domino, LDAP- LDAP-.
Matt Milza East Domino LDAP UID=
MMilza,OU=Admin,O=Redbooks,C=US, Admin. Domino R5,
LDAP ACL ,
Matt Milza .
, Domino 6.01, LDAP-, Domino
, Domino 6.
. 14-25 Attribute to be used as Notes Distinguished Name (, Notes) Directory Assistance. fullName LDAP-,
Lotus Notes LDAP- LDIF
14.3.1, LDAP-.
, Domino
LDAP-.
. 11.9.4,
Domino.
14.3.4 Sametime LDAP-

Sametime , LDAP-.
1. Sametime Administration, administer the
server ( ). URL,
STCenter.nsf
http://yourservername.company.com/stcenter.nsf
2. LDAP directory (LDAP-) Connectivity ().
3. LDAP- LDAP Sametime. itsosec-ldap.
cam.itso.ibm.com 389 .
4. Domino - LDAP- LDAP. itsosec-dom.cam.itso.ibm.com Remove (), .
5. LDAP directory (LDAP-) Basics ( ) LDAP-.
LDAP- . 14-29 14-30.
6. Authentication () CN UID, IBM Directory Server Domino LDAP UID, CN.
591
. 14-27. LDAP-
. 14-28. LDAP-
. 14-29. People () Basics ( )

7. Directory Assistance (da.nsf) Sametime
Notes Directory Assistance,
Sametime LDAP- Domino.
8. Directory Assistance, LDAP.
592
14
. 14-30. Groups () Basics ( )

Directory Assistance, , .14-31,

14-32 14-33.
9. LDAP- , . ,
LDAP- .
. 14-31. Sametime Directory Assistance Basics ( )
. 14-32. Sametime Directory Assistance Rules ()
593
. 14-33. Sametime Directory Assistance LDAP
. 14-34. Sametime
14.3.5 QuickPlace LDAP-

QuickPlace , LDAP-, :
1. Directory Assistance Sametime
QuickPlace; DA Sametime.
2. Server QuickPlace Domino Directory
, Directory Assistance.
, Directory Assistance Basics
Server.
3. QuickPlace .
http://itsosec-qp.cam.itso.ibm.com/quickplace
4. Server Settings ( ).
5. User Directory ( ).
594
14
6. Change Directory ( ).
7. LDAP Server (LDAP-).
8. LDAP- Name ().
itsosec-ldap.cam.itso.ibm.com
9. Port Number ( ) 389 (
LDAP).
10. LDAP,
. o=redbooks,c=us.

. 14-35.
. 14-35.
. 14-36. LDAP ACL
595
11. LDAP , QuickPlace, ACL Main.nsf Admin.nsf

.

, Matt Milza Domino Directory

Matt Milza/West/Redbooks, LDAP- uid=mmilza/
ou=admin/o=redbooks/c=us. LDAP
Domino Directory, Matt Milza QuickPlace LDAP.
, QuickPlace
Domino 5.x; , Domino 5.x LDAP.
LDAP ACL .
. 14-36 ACL main.nsf.
14.4 WebSphere Portal

IBM WebSphere Portal. WebSphere Lotus.

LDAP-. - -.
Sametime QuickPlace . , iFrame,
Domino
Lotus
-
ITSOSEC-WPS
ITSOSEC-RP
ITSOSEC-LDAP
. 14-37. WebSphere Portal Server
596
14
Domino -.
iNotes.
. 14-37.
WebSphere Portal Extend
Windows 2000 Service Pack 3 DB2
.
LMS . WebSphere Portal Handbook Volume 1, SG24-6883.
14.4.1 SSO
WebSphere Portal .
:
1. Java- WebSphere Administrator.
2. wpsadmin , wpsadmin
.
3. Console () Security Center ( ) Java.
4. Authentication (); , . 14-38.
. 14-38. WebSphere Porta
597
5. Enable Single Sign On ( ) DNS- .

cam.itso.ibm.com.
6. Generate Keys ( ). WebSphere LTPA-.
7. Export Key ( ),
. LTPA- WebSphere
Domino.
8. Domino Directory Domino Notes.
9. Configuration () Web () Web Configurations () Domino Directory.
10. Web SSO Configuration, 14.3.2,
Lotus Domino LDAP-.
LtpaToken.
11. Edit (), .
12. Keys () Import WebSphere LTPA keys ( LTPA- WebSphere) (. 14-39).
. 14-39. LTPA- WebSphere
13. , WebSphere 7.
14. LDAP Realm (LDAP-) (\) :389.
LDAP- LTPA WebSphere (. 14-40).
. 14-40. LDAP Realm (LDAP-)
598
14
15. SSO Configuration Domino (. . QuickPlace Sametime),

HTTP (. . Tell HTTP Restart Domino)
.
14.4.2 -
- , WebSphere Portal, Domino.
ibmproxy.conf, URL
.
:
remove proxy /mail* http://itsosec-dom.cam.itso.ibm.com/mail*
remove proxy /iNotes/* http://itsosec-dom.cam.itso.ibm.com/iNotes/*
remove proxy /inotes5/* http://itsosec-dom.cam.itso.ibm.com/inotes5/*
remove proxy /icons/* http://itsosec-dom.cam.itso.ibm.com/icons/*
remove proxy /domjava/* http://itsosec-dom.cam.itso.ibm.com/domjava/*
remove proxy /names.nsf http://itsosec-dom.cam.itso.ibm.com/names.nsf
Proxy /* http://192.168.0.6/*itsosec-wps.cam.itso.ibm.com
proxy /* http://192.168.0.3/*itsosec-dom.cam.itso.ibm.com
proxy /* http://192.168.0.4/*itsosec-qp.cam.itso.ibm.com
Reversepass http://192.168.0.6/*http://itsosec-wps.cam.itso.ibm.com/*
Reversepass http://192.160.0.3/*http://itsosec-dom.cam.itso.ibm.com/*
Reversepass http://192.168.0.4/*http://itsosec-qp.cam.itso.ibm.com/*
conf-
-.
14.5
IBM Lotus Learning Management System (LMS).
Learning Management System 1.01
Windows 2000 Service Pack 3. LMS LMS,
DB2 WebSphere 5.
LMS . IBM Lotus Learning Management System Handbook, SG24-7028.
. , LMS WebSphere Application Server

v5.0 . , Lotus Domino

WebSphere 4 WebSphere 5.
599
14.5.1 LMS
LMS
:
1. WebSphere Application Server LMS- . WebSphere 5 , WebSphere 4, Java-.
2. Security () Authentication Mechanisms ( ) LTPA WebSphere.
. 14-41. LMS LTPA

3. LTPA- WebSphere,
WebSphere, LTPA-,
.
WebSphere Portal LMS-.
4. Import Keys ( ); LTPA-
.
5. Save (), (. 14-42).
. 14-42. LTPA
600
14
6. Save (), ,
, SSO LMS; Domino WebSphere
Portal, LMS (. 14-43).
. 14-43.
14.5.2 LMS
, LMS , WebSphere Portal,
LMS- WebSphere Portal, LMS .
SSO, WebSphere Portal, ,
, LMS- .

LMS LMS WebSphere (My
Courses, Search Catalog My Calendar). WebSphere Portal,
:
1. WebSphere Portal (wpsadmin).
2. Portal Administration ( ).
3. Install portlets ( ).
4. My Courses.war LMS,
Next ().
5. , war-;
Install () , .
6. 4 5 Search catalog.war My Calendar.war.
601

WebSphere
, LMS- Web- LMS-,
LMS.
:
1. Portal Administration ( ) Manage
portlets ( ).
2. Myourses Modify Parameters (
) (. 14-44).
. 14-44. LMS-
3. ,
(. 14-45):
webserviceport: 80;
webservicepath: /lms-lmm/auth-api;
webserviceserver: itsosec-lms.cam.itso.ibm.com.
. 14-45. LMS-
4. 2 3 Search Catalog My Calendar,
.
602
14
14.6 Tivoli Access Manager

-, .
, , ,
. , , Redbook.
, ,
.
14.6.1 Tivoli Access Manager

WebSphere Edge Server
-,
Domino WebSphere Portal . , Tivoli Access Manager (TAM).
TAM - WebSeal, RPSS ( - ). - . 5, -.
IBM Websphere Edge Server,
-,
Tivoli WebSeal.
Tivoli WebSphere Edge Server, WebSeal-Lite.
, , Tivoli Access Manager, WebSeal-Lite . Tivoli Access Manager
.Tivoli Information Center :
http://publib.boulder.ibm.com/tividd/td/IBMAccessManagerfore-business4.1.html
Tivoli Access Manager , Tivoli Access Manager .
14.6.2 WebSeal
Websphere Edge Server
WebSeal-Lite
-, :
1. Tivoli Access Manager Edge Server:
) .
603
b) - IBM Tivoli Access Manager Web Security, Version 4.1 for

Windows. setup.exe, :
cdrom_drive\windows\PolicyDirector\Disk Images\Disk1
c) Select Packages ( )
Edge Server.
2. Edge Server:
) wslconfig.exe.
b) :
- Edge Server.
80.
Tivoli Access Manager, TAM. , sec_master
.
:
;
(ivacld-servers SecurityGroup);
SSL-;
SSL- Tivoli Access
Manager;
- Edge Server
Edge Server, - Edge Server (ibmproxy.conf);
- Edge Server (ibmproxy).

Edge Server wesosm.
Edge Server.
Edge Server .
- Edge Server
Edge Server. sec_master
-.
14.6.3 Domino TAM

Lotus Domino (Domino, Sametime, QuickPlace ..),
cookie- SSO LTPA Domino ,
IBM Tivoli WebSeal - Domino .
:
1. Administration Command Prompt (PDAdmin) AccessManager for e-business Start ().
604
14
2. pdadmin.
3. Lotus Domino, :
(-t);
(-h);
TCP-, (-p);
(-A);
(-F);
(-Z);
JavaScript (-j);
(/).
14.2. WebSeal Domino

commands:
pdadmin>login
Enter User ID:sec_master
Enter Password:
pdadmin>server list
webseald-webseal39
pdadmin>server task webseald-webseal39 create -t tcp -h
itsosec-dom.cam.itso.ibm.com -p 80 -A -F c:\Lotus\Domino\Keys\amdom.key -Z
mercury1 -j /domino
Created junction at /domino
pdadmin>
Domino, Sametime QuickPlace
. ,
Domino, :
itsosec-dom.cam.itso.ibm.com -p 80 -A -F c:\Lotus\Domino\Keys\amdom.key -Z
mercury1 -j /domino
itsosec-st.cam.itso.ibm.com -p 80 -A -F c:\Lotus\Domino\Keys\amdom.key -Z
mercury1 -j /sametime
itsosec-qp.cam.itso.ibm.com -p 80 -A -F c:\Lotus\Domino\Keys\amdom.key -Z
mercury1 -j /quickplace
605
14.6.4 WebSphere Portal TAM

Domino TAM WebSeal- ,
Websphere Portal Tivoli Access Manager:
1. Tivoli Access Manager SvrSslCfg. :
c:\progra~1\Tivoli\POLICY~1\sbin\%WAS_HOME%\java\jre\bin\java
com.tivoli.pd.jcfg.SvrSslCfg -action config -admin_id sec_master
-admin_passwd password -appsvr_id itsosec-tam_amwps -mode remote
-port 7201
-policysvr itsosec-tam.cam.itso.ibm.com:7135:1 -authzsvr
itsosec-tam.cam.itso.ibm.com:7136:1 -cfg_file
c:\websphere\appserver\java\jre\PDPerm.properties -key_file
c:\websphere\appserver\java\jre\lib\security\pdperm.ks -cfg_action create
2. Portallogin.cfg WebSphere Portal Server. (
.)
WpsNewSubject {
com.ibm.websphere.security.auth.module.proxy.WSLoginModuleProxy
required delegate=com.ibm.wps.sso.GetCORBACredentialLoginModule;
required delegate=com.ibm.wps.sso.CORBACredentialLoginModule;
required delegate=com.ibm.wps.sso.UserDNGroupDNLoginModule;
required delegate=com.ibm.wps.sso.UserIdPasswordLoginModule;
required delegate=com.ibm.wps.sso.UserIdPrincipalLoginModule;
required delegate=com.ibm.wps.sso.PasswordCredentialLoginModule;
required delegate=com.ibm.wps.sso.LTPATokenLoginModule;
required delegate=com.tivoli.mts.PDLoginModule;
};
WpsSubjectExists {
606
14
required delegate=com.ibm.wps.sso.GetCORBACredentialLoginModule;
required delegate=com.ibm.wps.sso.CORBACredentialLoginModule;
required delegate=com.ibm.wps.sso.LTPATokenLoginModule;
required delegate=com.tivoli.mts.PDLoginModule;
};
,
, Tivoli Access
Manager ( WebSphere Edge Server)
.
(. . WebSphere Portal, Lotus
Domino . .) . ,
ACL, , , TAM, . TAM
,
.
14.7
, Redbook RedbooksCo Redbooks.
.
607

(, html- ),
. ,
HTML- , HTTP-. ,
, , . , .

, , , ,
.
,
. , (, TCP, HTTP, HTML).
611
, .
:
EtherReal.
http://www.ethereal.com
CommView. ,
http://www.tamos.com/products/commview/
CommView , . , ,
. ,
.

,
Web-.
. A-1
Web- Domino,

. A-2
IE ( HTTP,
HTML)
612
. A-1 , .
. A-2 HTML- .
. A-3 HTML- .
. A-3 GET, (CommView)

, , ,
<HTML>, <! Doctype>. HTML- HTTP-. HTTP- ( ) (
Domino).
. A-3 CommView.
ASCII.

(Ethernet, IP, TCP,
HTTP ..). . A-3 .
, Lotus, , . , , . . A-4
.
. A-4 HTTP-. ASCII- HTTP-
( , 11 ). , , HTTP- ( Domino , 8 ). ,
, HTML-
613
. A-4

. A-5 HTML-
(), , . , View Source ( HTML-) Web-,
HTTP-. .
, , .
614
B
DSAPI
DSAPI-, Web- Domino
.
DSAPI, 7, .
DSAPI- Windows- Domino Windows. Domino
UNIX,
UNIX.
: , Windows
UNIX. , make- Domino 6 C API Samples,
Admin.

1. DSAPI-
Domino ,
DSAPI- Domino.
2. , ,
Domino Domino,
,
. Domino -
DSAPI
615
. Domino .
3.
Domino Web-. ACL
. Reader ()
Default No Access ( )
Anonymous (). No Access
Anonymous () .
DSAPI- Domino
1. DLL
Domino.
2. Domino.
3. Notes UI Lotus Domino (
names.nsf).
4. Server () Servers () Server
.
5. Internet Protocols (-) DLL
DSAPI-.
6. .
Domino

1. Domino.
2. Domino Administrator.
3. , Server () , Local.
Local, File () Open Server
( ) , Domino.
4. People () .
5. People () Register
().
6. First name (), Last name (), Short name ( ) Password (). .
7. Register () Domino.
8. Domino Administrator.
9. Domino.
616
DSAPI- secdom
( Windows). DSAPI Windows,
Act as part of the operating system (
). ,
.
Windows , .
Windows , Windows Windows.
1. Lotus Domino , http server .
:
DSAPI Operating System Authentication Filter Loaded successfully.

2. Web- Domino .
3. URL <Domino-server>/<Domino-server-database>,
Web, <Domino-server> Domino ( IP-), <Domino-server-database> .
: dserver/dsdatabase.nsf
4. Enter Network Password ( )
, .
Domino Windows NT/2000,
:
<operating-system-user-name>@<operating-system-domain>
: jdoe@os_domain
Domino UNIX, :
<operating-system-user-name>
: jdoe
5. OK .
6. .

DSAPI-.
B-1.
/******************************************************************
: SECDOM
: SECDOM.C ( )
DSAPI
617
: C API,
, Domino
Web DSAPI.
******************************************************************/
/* - */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
/* Notes SDK */
#include global.h
#include osmem.h
#include lookup.h
#include dsapi.h
#include addin.h
#define MAX_BUF_LEN 512
#define USER_DOMAIN_SEPARATOR @
/*--*
*/
/* Notes SDK Unix */
STATUS FAR PASCAL MainEntryPoint (void);
/* , DSAPI */
unsigned int Authenticate(FilterContext* context, FilterAuthenticate* authData);
/* Notes */
int getUserNames (FilterContext* context,
char *userName,
char **pUserFullName,
int *pUserFullNameLen,
char **pUserShortName,
int *pUserShortNameLen);
int getLookupInfo (FilterContext* context,
char *pMatch,
unsigned short itemNumber,
char **pInfo,
int *pInfoLen);
int doAuthenticate(char *userName, char *domain, char *password);
#ifdef UNIX
int unixAuthenticate(char *userName, char *password);
#else
int separateUsernameAndDomainname(char *userName,char *separator,char
**user,char**domain);
618
int winAuthenticate(char *userName, char *domain, char *password);

#endif
/*--*
*/
STATUS FAR PASCAL MainEntryPoint (void)
{
/*
* : Notes API
* . ,
*
*
* Notes SDK API.
*
* :
* :
* : NOERROR
*/
return NOERROR;
}
/*--*
*/
unsigned int FilterInit(FilterInitData* filterInitData)
{
/*
* :
* .
*
* : filterInitData dsapi
*
* : filterInitData
*
* : kFilterHandledEvent
*/
printf(\nFilterInitData() is getting called.\n);
/**/
filterInitData->appFilterVersion = kInterfaceVersion;
/* , */
filterInitData->eventFlags = kFilterAuthenticate;
/* */
strcpy(filterInitData->filterDesc,

DSAPI
619
Operating System Authentication Filter);

/* ... */
/* , stdout stderr,
* , .
*/
printf(\nDSAPI Authentication filter initialized\n);
return kFilterHandledEvent;
}
/*--*
*/
unsigned int TerminateFilter(unsigned int reserved)
{
/*
* :
* .
*
* : , ( dsapi
* )
* :
*
* : kFilterHandledEvent
*/
/* ... */
}
/*--*
*/
unsigned int HttpFilterProc(FilterContext* context,
unsigned int eventType, void* eventData)
{
/*
* :
dsapi-.
*
* : , ( dsapi
* )
* :
*
* : kFilterNotHandled ,
620
* * .
*/
/* ,
*/
switch (eventType) {
case kFilterAuthenticate:
return Authenticate(context, (FilterAuthenticate *)eventData);
default:
break;
}
return kFilterNotHandled;
}
/*--*
*/
unsigned int Authenticate(FilterContext* context,
FilterAuthenticate* authData)
{
/*
* :
* dsapi kFilterAuthUser.
*
* : dsapi
*
* authData ,
*
* userName
*
* foundInCache = TRUE,
* e
* .
*
* : authType authName
*
* authType filed
* kNotAuthentic -
* kAuthenticBasic -
* .
*
* : kFilterNotHandled - ,
* e,
DSAPI
621
* ,
* .
* kFilterHandledEvent -
.
*/
/* e, * .
*/
if (!authData || authData->foundInCache) {
AddInLogMessageText (\n user is found in the cache \n, NOERROR);
}
/* .
*/
if (authData->userName && authData->password) {
char *fullName = NULL;
int fullNameLen = 0;
char *shortName = NULL;
int shortNameLen = 0;
char *user = NULL;
char *domain = NULL;
#if defined SOLARIS || AIX
user=(char*)authData->userName;
#else
separateUsernameAndDomainname(authData->userName,USER_DOMAIN_SEPARA
TOR,&user,&domain);
#endif
/* .
* (,
* )
* (, ,
* dsapi).
*/
if (NOERROR == getUserNames (context,
user,
&fullName,
&fullNameLen,
&shortName,
&shortNameLen) )
{
/* / */
if (NOERROR != doAuthenticate(shortName, domain,
622
(char *)authData->password))
{
}
else
{
/* ,
* dsapi. */
strncpy ((char *)authData->authName, fullName,
authData->authNameSize);
authData->authType = kAuthenticBasic;
authData->foundInCache = TRUE;
}
}
}
}
int getUserNames (FilterContext* context,
char *userName,
char **pUserFullName,
int *pUserFullNameLen,
char **pUserShortName,
int *pUserShortNameLen) {
/*
* :
* .
*
* : context - ,
* userName - ,
* : pUserFullName -
* pUserFullNameLen -
* pUserShortName
* pUserShortNameLen -
*
* : -1 - , 0 -
*/
STATUS error = NOERROR;
HANDLE hLookup = NULLHANDLE;
DWORD Matches = 0;
char *pLookup;
char *pName = NULL;

DSAPI
623
char *pMatch = NULL;

int rc = -1;
/* */
*pUserFullName = NULL;
*pUserFullNameLen = 0;
*pUserShortName = NULL;
*pUserShortNameLen = 0;
/* do the name lookup
*/
error = NAMELookup2(NULL, /* NULL */
0, /* */
1, /* */
$Users, /* */
1, /* , */
userName, /* , */
2, /* */
FullName\0ShortName, /*
* */
&hLookup); /*
* */
if (error || (NULLHANDLE == hLookup))
goto NoUnlockExit;
pLookup = (char *) OSLockObject(hLookup);
/* .
*/
pName = (char *)NAMELocateNextName2(pLookup, /*
* */
NULL, /*
* */
&Matches); /*
*
* ( 1) */
/* - */
if ((pName == NULL) || (Matches <= 0)) {
goto Exit;
}
pMatch = (char *)NAMELocateNextMatch2(pLookup, /*
* */
pName, /* */
NULL); /* */
if (NULL == pMatch) {
goto Exit;
}
624
/* */
if ( getLookupInfo (context,
pMatch,
0,
pUserFullName,
pUserFullNameLen) )
goto Exit;
AddInLogMessageText (full name=%s,length=%d\n, 0,*pUserFullName,*
pUserFullNameLen);
/* */
if ( getLookupInfo (context,
pMatch,
1,
pUserShortName,
pUserShortNameLen) )
goto Exit;
else
rc = 0;
AddInLogMessageText (short name=%s,length=%d\n, 0,*pUserShortName
,*pUserShortNameLen);
Exit:
if ( pLookup && hLookup )
OSUnlock(hLookup);
NoUnlockExit:
if (NULLHANDLE != hLookup)
OSMemFree(hLookup);
return rc;
}
int getLookupInfo (FilterContext* context,
char *pMatch,
unsigned short itemNumber,
char **pInfo,
int *pInfoLen) {
/*
* :
*
*
*
*
*
*
*

: context - ,
pMatch
itemNumber
: pInfo
pInfoLen
DSAPI
625
* : -1 - , 0 -
*/
unsigned int reserved = 0;

unsigned int errID;
char *ValuePtr = NULL;
WORD ValueLength, DataType;
STATUS error;
void *newSpace = NULL;
/* */
*pInfo = NULL;
*pInfoLen = 0;
/* */
ValuePtr = (char *)NAMELocateItem2(pMatch,
itemNumber,
&DataType,
&ValueLength);
if (NULL == ValuePtr || ValueLength == 0) {
return -1;
}
ValueLength -= sizeof(WORD);
/* DataType */
switch (DataType) {
case TYPE_TEXT_LIST:
break;
case TYPE_TEXT:
break;
default:
return -1;
}
/* .
* .
*/
newSpace = (context->AllocMem)(context, ValueLength+1,
reserved, &errID);
*pInfo = (char *) newSpace;
if (NULL == *pInfo) {
printf (Out of memory\n);
return -1;
}
/* */
error = NAMEGetTextItem2(pMatch, /* */
626
itemNumber, /*
* */
0, /*
* */
*pInfo, /*
* */
MAX_BUF_LEN); /* */
if (!error) {
*pInfoLen = strlen(*pInfo)+1;
return 0;
}
return -1;
}
int doAuthenticate(char *userName, char *domain, char *password) {
/*
* : ,
* , , .
*
* : userName -
* domain - (NULL - UNIX)
* password -
*
* : -1 - , 0 -
*/
if (!userName) {
AddInLogMessageText (\nERROR: User must be specified\n, NOERROR);
return -1;
}
#if defined SOLARIS || AIX
printf(\nin doAuthenticate()\n);
return(unixAuthenticate(userName, password));
#else
if (!domain) {
AddInLogMessageText (\nERROR: Domain must be specified. Use username@domainname format\n,
NOERROR);
return -1;
}
return(winAuthenticate(userName, domain, password));
#endif
}
/* ----- secdom.c */

DSAPI
627
B-2. Windows
/******************************************************************
: SECDOM
: W_SECDOM.C ( Windows)
: C API,
, Domino
Web DSAPI.
******************************************************************/
/* W32 */
#include <windows.h>
#include <winbase.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
/* ************************************************************* */
/* * Windows API . * */
/* ************************************************************* */
int separateUsernameAndDomainname(char *userName,char *separator,
char **user, char **domain)
{
*user=strtok(userName,separator);
*domain=strtok(NULL,separator);
return 0;
}
/* ************************************************************* */
/* * Windows API . * */
/* ************************************************************* */
int winAuthenticate(char *userName, char *domain, char *password)
{
char *lpMsgBuf;
HANDLE phToken;
printf(\n Executing Windows-specific authentication for user %s
in domain
%s\n,userName,domain);
if (LogonUser(userName,domain,password,LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,&phToken))
{
printf( ** Successful return from Windows-specific authentication
\n);
return NOERROR;
}
else
628
{
FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
GetLastError(),
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR) &lpMsgBuf,
0,
NULL);
printf(***** Error from Windows-specific authentication: ***\n);
printf( %s\n,lpMsgBuf);
LocalFree(lpMsgBuf);
return -1;
}
}
B-3. UNIX
/******************************************************************
: SECDOM
: U_SECDOM.C ( UNIX)
: C API, , Domino Web

DSAPI.
******************************************************************/
/* */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
/* UNIX */
#ifdef SOLARIS
#include <shadow.h>
#endif
#ifdef AIX
#include <sys/types.h>
#include <pwd.h>
#endif
int unixAuthenticate(char *userName, char *password)
{
char buffer[1024];
int error = -1;
int success = 0;
int unknown = 1;
/* UNIX- */

DSAPI
629
#ifdef SOLARIS
struct spwd result;
#endif
#ifdef AIX
struct passwd *result;
#endif
/* UNIX- */
#ifdef SOLARIS
if (getspnam_r(userName, &result, buffer, sizeof(buffer))) {
/*
* .
*/
char *thisCrypt = NULL;
thisCrypt = (char *)crypt(password, result.sp_pwdp);
if (strcmp (result.sp_pwdp, thisCrypt) == 0) {
return success;
} else {
return error;
}
}
#endif
#ifdef AIX
result = getpwnam(userName);
if (result && result->pw_passwd) {
/*
* .
*/
char *thisCrypt = NULL;
thisCrypt = (char *)crypt(password,
result->pw_passwd);
if (strcmp (result->pw_passwd, thisCrypt) == 0) {
return success;
} else {
return error;
}
}
#endif
return unknown;
}
630
C

Domino 6 HTTP
Domino
6 HTTP, 11.2.2, HTTP-.
HTTP-
, HTTPEnableConnectorHeaders
Notes.ini Domino HTTP , WebSphere, Web- .
HTTP-
Domino, ,
.
HTTPEnableConnectorHeaders :
Domino 6 HTTP
631
0. Domino HTTP .
HTTP , .
1. Domino HTTP .
. , ,
, , http.
notes.ini HTTP- Domino HTTP-.
. 14-46. HTTP
HTTPEnableConnectorHeaders=1
. LogLevel TRACE XML-
,
.
$WSAT. , .
$WSCC. , .
Web- base64,
base64, .
632
$WSCS. , Web- .
, .
$WSIS. True False,
, ( SSL/TLS).
$WSSC. , . http https.
$WSPR. HTTP-, .
HTTP/1.1.
$WSRA. IP- , .
$WSRH. , .
, IP-.
$WSRU. , .
$WSSN. , .
, HOST .
$WSSP. , .
, .
$WSSI. SSL-, . Web- base64, base64,

, Domino , HTTP-. , IP- , HTTP- Domino HTTP-, Domino IP-, $WSRA. :
, Domino , $WSRU, Domino
, !
HttpEnableConnectorHeaders=1
notes.ini, ,
Domino , HTTP . , ,
HTTP-.
,
Domino IP Web- IP- Domino 6.
Domino 6 HTTP
633
IIS-
!
PlugIn (Plug-In)
(Plugin Config) .
, , ,
. , , ,
NAME ,
( EventViewer) .
WebSphere Application Server Microsoft IIS.
1. IIS (
) Domino
IIS-:
data/domino/plug-ins/plugin-cfg.xml
c:\WebSphere\AppServer\config.
. C-1. , C IIS-
2. RegEdit.exe ( Windows)
: HKEY_LOCAL_MACHINE - SOFTWARE - IBM - WebSphere Application Server - 4.0.

4.0 Plugin Config. plugin-cfg.xml (C:\

WebSphere\AppServer\config\plugin-cfg.xml).
WAS5.x
( RegEdit):
'HKEY_LOCAL_MACHINE' - 'SOFTWARE' - 'IBM' - 'WebSphere Application Server' '5.0'. '5.0' BinPath. , (C:\WebSphere\AppServer\bin).
634
. C-2. , !
'HKEY_LOCAL_MACHINE' - 'SOFTWARE' - 'IBM' - 'WebSphere Application Server' '5.0'. 5.0 'InstallLocation'.
, WAS (C:\WebSphere\AppServer).
'HKEY_LOCAL_MACHINE' - 'SOFTWARE' - 'IBM' - 'WebSphere Application Server' '5.0'. 5.0 'LibPath'. (C:\WebSphere\AppServer\lib).
'HKEY_LOCAL_MACHINE' - 'SOFTWARE' - 'IBM' - 'WebSphere Application Server' '5.0'. 5.0 'MajorVersion'.
(5).
'HKEY_LOCAL_MACHINE' - 'SOFTWARE' - 'IBM' - 'WebSphere Application Server' '5.0'. 5.0 ' p l u g - i n
Config' .
plug-in-cfg.xml (C:\WebSphere\AppServer\config\plug-in-cfg.xml).
. C-3. (DLL), bin IIS

3. data/domino/plug-ins/w32/iisWASPlugin_http.dll plug-in_common.dll ( , Domino) c:\WebSphere\
AppServer\bin IIS- .
4. Internet Service Manager IIS-.
IIS, Internet Service
Domino 6 HTTP
635
Manager. Windows NT Microsoft Management Console ( MMC), XP

Administrative Tools ().
. C-4. IIS Manager

5. Web-,
WebSphere.
, Default Web Site (- ).
Default Web Site (- )
New () Virtual Directory ( ).
! IIS
Domino, , Web-
.
) Alias () sePlugins ( ).
) Directory () WebSphere bin (C:\WebSphere\
AppServer\bin).
) Execute ()
.
) Finish (). sePlugins.
636
. C-5.
. C-6.
6. ( ) Web- .
) ISAPI Filters ( ISAPI). Add ()
iisWASPlugin Filter Name ( ).
Executable ( ), Browse (),
WebSphere bin iisWASPlugin_http.dll.
Domino 6 HTTP
637
. C-7. ,

. C-8.

sePlugIns
. C-9.

638
. C-10. Web-
! , ;
ISAPI- .
) , OK.
! OK ISAPI , Priority ()
ISAPI- *Unknown*. ,
IIS ISAPI- ,
.
) OK , ,
, *Unknown* , . C-13. .

, -, .
, , ,
Domino 6 HTTP
639
. C-11. ISAPI-
. C-12. OK
640
. C-13.
. C-14. !
Domino 6 HTTP
641
, .

.
XML
WebSphere\AppServer\config\plugin-cfg.xml
. Domino,
plugin-cfg.xml,
URL, , Domino.
, .
Web- .
. Windows!
plugin-cfg.xml:
1. plugin-cfg.xml Notepad () XML-.
2. <Transport> ,
Domino. Hostname Port , ,
HTTP .
:


<ServerGroup Name=default_group>
<Server Name=default_server>
<Transport Hostname=mydomino.server.com
Protocol=http/>
Port=81
</Server>
</ServerGroup>
3. <UriGroup>. URL-, Web-
Domino.
<UriGroup Name=default_host_URIs>
<Uri Name=*/icons/*>
<Uri Name=*/domjava/*>
<Uri Name=*/.nsf*>
642
. URI .
( ,
) .
, Web-
. IIS World Wide
Web Publishing Service Windows
- Internet Services Manager. Web-
, . Web- IIS
IIS, .
Domino , <Uri> .
! , ,
XML. ,
(< >) ,
plugin-cfg.cml Internet Explorer (). IE
XML-.
plugin-cfg.xml
plugin-cfg.xml,
,
.
C-1. plug-in.xml :

<?xml version=1.0 encoding=ISO-8859-1?>
<!-###################################################################
C:\Websphere\AppServer\config\plugin-cfg.xml chiesa@dotNSF.com
(c) IBM Corp 2003. (c) dotNSF
Inc MMIII
###################################################################
WAS...
.xml- !!!
( : !)
###################################################################
, WAS plugin-cfg-service.xmi,
. !!!
###################################################################
-->
Domino 6 HTTP
643
<ConfigIgnoreDNSFailures=true RefreshInterval=300 > 

<Log Name=C:/WebSphere/AppServer/logs/native.log
LogLevel=Trace /> 
<VirtualHostGroup Name=DominoHosts>
<VirtualHost Name=*:*/>
</VirtualHostGroup>
<UriGroup Name=DominoHostsURIs>
<Uri Name=/icons/* />
<Uri Name=/domjava/* />
<!- , . Regex!
###################################################################
http://www-106.ibm.com/developerworks/xml/library/x-case/
?dwzone=xml
###################################################################
-->
<Uri Name=/*.(N|n)(S|s)(F|f|G|g|H|h|1|2|3|4|5|6)* />
<!-###########################################################
! . ( !)
###########################################################
... !
###########################################################
-->

<Uri Name=/*.nsf* />
<Uri Name=/*.Nsf* />
<Uri Name=/*.nSf* />
<Uri Name=/*.NSf* />

<Uri Name=/*.nsF* />
<Uri Name=/*.nSF* />
<Uri Name=/*.NsF* />
<Uri Name=/*.NSF* />

<Uri Name=/*.nsg* />
<Uri Name=/*.nSg* />
<Uri Name=/*.Nsg* />
<Uri Name=/*.NSg* />

644
<Uri Name=/*.nsG*
<Uri Name=/*.nSG*
<Uri Name=/*.NsG*
<Uri Name=/*.NSG*

<Uri Name=/*.nsh*
<Uri Name=/*.nSh*
<Uri Name=/*.Nsh*
<Uri Name=/*.NSh*

<Uri Name=/*.nsH*
<Uri Name=/*.nSH*
<Uri Name=/*.NsH*
<Uri Name=/*.NSH*

<Uri Name=/*.ns2*
<Uri Name=/*.nS2*
<Uri Name=/*.Ns2*
<Uri Name=/*.NS2*

<Uri Name=/*.ns3*
<Uri Name=/*.nS3*
<Uri Name=/*.Ns3*
<Uri Name=/*.NS3*

<Uri Name=/*.ns4*
<Uri Name=/*.nS4*
<Uri Name=/*.Ns4*
<Uri Name=/*.NS4*

<Uri Name=/*.ns5*
<Uri Name=/*.nS5*
<Uri Name=/*.Ns5*
<Uri Name=/*.NS5*

<Uri Name=/*.ns6*
<Uri Name=/*.nS6*
<Uri Name=/*.Ns6*
<Uri Name=/*.NS6*
</UriGroup>
<ServerGroup
Name=DominoGroup
/>
/>
/>
/>
/>
/>
/>
/>
/>
/>
/>
/>
/>
/>
/>
/>
/>
/>
/>
/>
/>
/>
/>
/>
/>
/>
/>
/>
/>
/>
/>
/>
Domino 6 HTTP
645
LoadBalance=Round Robin
RemoveSpecialHeaders=true
RetryInterval=60
>
<Server
Name=Domino1
CloneId=TestingClone
MaxConnections=50
>
<Transport
Hostname=localhost.dotnsf.com
Port=81
Protocol=http
/>
</Server>
<Server
Name=Domino2
CloneId=ProductionClone
MaxConnections=50
>
<Transport
Hostname=server203.dotNSF.com
Port=80
Protocol=http
/>

</Server>
<Server
Name=Domino3
MaxConnections=50
CloneId=ProductionClone>
<Transport
Hostname=server101.dotnsf.com
Port=80
Protocol=http
/>
</Server>
646
</ServerGroup>
<Route
VirtualHostGroup=DominoHosts
UriGroup=DominoHostsURIs
ServerGroup=DominoGroup
/>
</Config>
: TRACE (log)
(Trace mode),
( C:/WebSphere/AppServer/logs/native.log).
( ),
,
, . , , URI .
C-2. C:/WebSphere/AppServer/logs/native.log
[Mon Jun 09 11:59:14 2003] 00000b0c 00000c44 - PLUGIN:
------------------------------------------------------------------[Mon Jun 09 12:05:36 2003] 00000d54 00000e78 - PLUGIN: Plugins
loaded.
[Mon Jun 09 12:05:36 2003] 00000d54 00000e78 - PLUGIN: -------------------System Information---------------------------------------[Mon Jun 09 12:05:36 2003] 00000d54 00000e78 - PLUGIN: Bld date:
Apr 28 2002, 01:26:50
[Mon Jun 09 12:05:36 2003] 00000d54 00000e78 - PLUGIN: Webserver: IIS
[Mon Jun 09 12:05:36 2003] 00000d54 00000e78 - PLUGIN: Hostname =
VAIOR600
[Mon Jun 09 12:05:36 2003] 00000d54 00000e78 - PLUGIN: OS version
5.1, build 2600, Service Pack 1
[Mon Jun 09 12:05:36 2003] 00000d54 00000e78 - PLUGIN:
------------------------------------------------------------------[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: iis_plugin:
HttpFilterProc: In
HttpFilterProc for SF_NOTIFY_PREPROC_HEADERS
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: iis_plugin:
checkRequest: In checkRequest
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: lib_util:
decodeURI: Decoding /wmi.nsf
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: lib_util:
decodeURI: Decoded to
/wmi.nsf
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common:
websphereCheckConfig: Current time is 1055174814, next stat time
is 1055174766
Domino 6 HTTP
647

websphereCheckConfig: Latest
config time is 1055173899, lastModTime is 1055173899
websphereShouldHandleRequest:
trying to match a route for: vhost=127.0.0.1; uri=/wmi.nsf
websphereUriMatch: Comparing
/icons to /wmi.nsf in UriGroup: DominoHostsURIs
/domjava to /wmi.nsf in UriGroup: DominoHostsURIs
/*.NS6* to /wmi.nsf in UriGroup: DominoHostsURIs
/*.Ns6* to /wmi.nsf in UriGroup: DominoHostsURIs
/*.nS6* to /wmi.nsf in UriGroup: DominoHostsURIs
/*.ns6* to /wmi.nsf in UriGroup: DominoHostsURIs
/*.ns5* to /wmi.nsf in UriGroup: DominoHostsURIs
648
/*.ns4* to /wmi.nsf in UriGroup:
[Mon Jun 09 12:06:54 2003] 00000d54
/*.NS3* to /wmi.nsf in UriGroup:
[Mon Jun 09 12:06:54 2003] 00000d54
/*.Ns3* to /wmi.nsf in UriGroup:
[Mon Jun 09 12:06:54 2003] 00000d54
/*.nS3* to /wmi.nsf in UriGroup:
[Mon Jun 09 12:06:54 2003] 00000d54
[Mon Jun 09 12:06:54 2003] 00000d54
/*.NS2* to /wmi.nsf in UriGroup:
[Mon Jun 09 12:06:54 2003] 00000d54
/*.Ns2* to /wmi.nsf in UriGroup:
[Mon Jun 09 12:06:54 2003] 00000d54
/*.nS2* to /wmi.nsf in UriGroup:
[Mon Jun 09 12:06:54 2003] 00000d54
[Mon Jun 09 12:06:54 2003] 00000d54
/*.NSH* to /wmi.nsf in UriGroup:
[Mon Jun 09 12:06:54 2003] 00000d54
/*.NsH* to /wmi.nsf in UriGroup:
[Mon Jun 09 12:06:54 2003] 00000d54
/*.nSH* to /wmi.nsf in UriGroup:
[Mon Jun 09 12:06:54 2003] 00000d54
/*.nsH* to /wmi.nsf in UriGroup:
[Mon Jun 09 12:06:54 2003] 00000d54
/*.NSh* to /wmi.nsf in UriGroup:
[Mon Jun 09 12:06:54 2003] 00000d54
/*.Nsh* to /wmi.nsf in UriGroup:
[Mon Jun 09 12:06:54 2003] 00000d54

DominoHostsURIs
00000198 - TRACE: ws_common:
DominoHostsURIs
DominoHostsURIs
DominoHostsURIs
DominoHostsURIs
DominoHostsURIs
DominoHostsURIs
DominoHostsURIs
DominoHostsURIs
DominoHostsURIs
DominoHostsURIs
DominoHostsURIs
DominoHostsURIs
DominoHostsURIs
DominoHostsURIs
Domino 6 HTTP
649
/*.nSh* to /wmi.nsf in UriGroup: DominoHostsURIs

[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE:
/*.nsh* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE:
/*.NSG* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE:
/*.NsG* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE:
/*.nSG* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE:
/*.nsG* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE:
/*.NSg* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE:
/*.Nsg* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE:
/*.nSg* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE:
/*.nsg* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE:
/*.NSF* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE:
/*.NsF* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE:
/*.nSF* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE:
/*.nsF* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE:
/*.NSf* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE:
/*.Nsf* to /wmi.nsf in UriGroup: DominoHostsURIs
650
ws_common:
ws_common:
ws_common:
ws_common:
ws_common:
ws_common:
ws_common:
ws_common:
ws_common:
ws_common:
ws_common:
ws_common:
ws_common:
ws_common:
ws_common:

/*.nsf* to /wmi.nsf in UriGroup: DominoHostsURIs
websphereUriMatch: Found a
match /*.nsf* to /wmi.nsf in UriGroup: DominoHostsURIs

, ,
Domino, HttpEnableConnectorHeaders=1.
, , ( ) , cookie- , URL URL.
,
sticky-, . . , (affinity), ,
.
C-3
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest:
htrequestSetHeader:
Setting the header name |Accept| to value |image/gif, image/xxbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint,
application/msword, */*|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_
htrequest: htrequestSetHeader:
Setting the header name |Accept-Language| to value |en-gb|
htrequestSetHeader:
Setting the header name |Connection| to value |Keep-Alive|
htrequestSetHeader:
Setting the header name |Host| to value |127.0.0.1|
htrequestSetHeader:
Setting the header name |User-Agent| to value |Mozilla/4.0
(compatible; MSIE 6.0; Windows NT
5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)|
htrequestSetHeader:
Setting the header name |Accept-Encoding| to value |gzip, deflate|
htrequestSetHeader:
Setting the header name |x-ibm-incoming-enc-url| to value |/wmi.NSF|

Domino 6 HTTP
651
htrequestSetHeader:
Setting the header name |$WSAT| to value |Negotiate|
htrequestSetHeader:
Setting the header name |$WSIS| to value |false|
htrequestSetHeader:
Setting the header name |$WSSC| to value |http|
htrequestSetHeader:
Setting the header name |$WSPR| to value |HTTP/1.1|
htrequestSetHeader:
Setting the header name |$WSRA| to value |127.0.0.1|
htrequestSetHeader:
Setting the header name |$WSRH| to value |127.0.0.1|
htrequestSetHeader:
Setting the header name |$WSRU| to value |VAIOR600\MyUserChiesa|
htrequestSetHeader:
Setting the header name |$WSSN| to value |127.0.0.1|
htrequestSetHeader:
Setting the header name |$WSSP| to value |80|
websphereHandleSessionAffinity: Checking for session affinity
websphereHandleSessionAffinity: Checking the SSL session id
htrequestGetCookie:
Looking for cookie: SSLJSESSION
htrequestGetCookie: No
cookie found for: SSLJSESSION
websphereParseSessionID:
Parsing session id from /wmi.NSF
Failed to parse session id
websphereHandleSessionAffinity: Checking the app server session id
652
htrequestGetCookie:
Looking for cookie: JSESSIONID
htrequestGetCookie: No
cookie found for: JSESSIONID
Parsing session id from /wmi.NSF
Failed to parse session id
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_server_
group:
serverGroupNextRoundRobinServer: Round Robin load balancing
websphereFindTransport:
Finding the transport
websphereFindTransport:
Setting the transport: dotNSF.theconifers.com on port 80
websphereExecute: Executing
the transaction with the app server
websphereGetStream: Getting
the stream to the app server
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_transport:
transportStreamDequeue:
Checking for existing stream from the queue
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_stream:
openStream: Opening the stream
websphereGetStream: Created a
new stream; queue was empty
htrequestWrite: Writing
the request:
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: GET /wmi.NSF
HTTP/1.1
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: Accept:
image/gif, image/x-xbitmap,
image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.
ms-powerpoint,
application/msword, */*
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: AcceptLanguage: en-gb
Domino 6 HTTP
653
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: Connection:

Keep-Alive
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: Host:
127.0.0.1
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: User-Agent:
Mozilla/4.0 (compatible;
MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: AcceptEncoding: gzip, deflate
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: x-ibmincoming-enc-url: /wmi.NSF
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: $WSAT: Negotiate
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: $WSIS:
false
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: $WSSC: http
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: $WSPR: HTTP/1.1
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: $WSRA:
127.0.0.1
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: $WSRH:
127.0.0.1
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: $WSRU:
VAIOR600\MyUserChiesa
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: $WSSN:
127.0.0.1
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: $WSSP: 80
htrequestWrite: Writing
the request content
flushStream: Flushing the
stream
websphereExecute: Wrote the
request; reading the response
htresponse: htresponseRead: Reading the response:
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: HTTP/1.1 200 OK
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: Date: Mon,
09 Jun 2003 16:03:37 GMT
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: Last-Modified:
Mon, 09 Jun 2003
16:03:35 GMT
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: Expires:
Tue, 01 Jan 1980 06:00:00 GMT
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: Content-Type:
text/html;
654
charset=US-ASCII
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ContentLength: 1601
htresponse:
htresponseSetContentLength: Setting the content length |1601|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: Cachecontrol: no-cache
flushStream: Flushing the stream
websphereExecute: Read the
response; breaking out of loop
websphereExecute: Done with
Request to app server processing
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_cache:
cacheWriteHeaders: In cacheWriteHeaders
cb_write_headers: In the write headers callback
cacheWriteBody: In cacheWriteBody
cb_write_body: In the write body callback
cb_write_body: Writing chunk
websphereHandleRequest: Done:
host=127.0.0.1; uri=/wmi.NSF
websphereEndRequest: Ending the request
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_transport:
transportStreamEnqueue:
Adding existing stream to the queue
cacheFinish: In cacheFinish
HttpFilterProc: In
HttpFilterProc for SF_NOTIFY_LOG
Domino 6 HTTP
655

,
, .
IBM Redbooks
. IBM Redbooks. , .
Lotus Notes and Domino R5.0 Security Infrastructure Revealed, SG24-5341
IBM WebSphere V5.0 Security WebSphere Handbook Series, SG24-6573
Upgrading to Lotus Notes and Domino 6, SG24-6889
Deploying QuickPlace, SG24-6535
Enterprise Security Architecture using IBM Tivoli Security Solutions, SG24-6014
A Deeper Look into IBM Directory Integrator, REDP-3728
IBM Tivoli Access Manager for e-business, REDP-3677
Enterprise Business Portals II with IBM Tivoli Access Manager, SG24-6885
Deploying a Public Key Infrastructure, SG24-5512
Understanding LDAP, SG24-4986
LDAP Implementation Cookbook, SG24-5110
Using LDAP for Directory Integration: A Look at IBM SecureWay Directory, Active Directory, and Domino, SG24-6163
Implementation and Practical Use of LDAP on the IBM e-server iSeries Server,
SG24-6193
LDAP Directory Services in IBM WebSphere Everyplace Access V4.1.1, REDP-3603
Active Directory Synchronization with Lotus ADSync, REDP-0605
IBM WebSphere V4.0 Advanced Edition Security, SG24-6520
WebSphere Portal Handbook Volume 1, SG24-6883
IBM Lotus Learning Management System Handbook, SG24-7028

.
Maximum Windows 2000 Security (Sams, 2001, ISBN 0672319659)
Maximum Linux Security (Sams, 1999, ISBN 0672316706)

D. Verton, Common Ground Sought for IT Security Requirements, Computerworld
35, No. 11, 8 (March 12, 2001)
P. B. Checkland, Systems Thinking, Systems Practice, John Wiley & Sons, Inc., New
York (1981)
W. R. Cheswick and S. M. Bellovin, Firewalls and Internet Security: Repelling the Wily
Hacker, Addison-Wesley Publishing Co., Reading, MA (1994)
E. Rechtin, Systems Architecting: Creating and Building Complex Systems, Prentice
Hall, New York (1991)
Committee on Information Systems Trustworthiness, National Research Council,
Trust in Cyberspace, National Academy Press, Washington, DC (1999)
A. Patel and S. O. Ciardhuain, The Impact of Forensic Computing on Telecommunications,
IEEE Communications Magazine 38, No. 11, 64-67 (November 2000)
F. B. Schneider, Enforceable Security Policies, ACM Transactions on Information
and System Security 3, No. 1, 30-50 (February 2000)
P. T. L. Lloyd and G. M. Galambos, Technical Reference Architectures, IBM Systems
Journal 38, No. 1, 51-75 (1999)
S. McClure, J. Scambray, and G. Kurtz, Hacking Exposed: Network Security Secrets &
Solutions, McGraw-Hill Publishing Company, Maidenhead, Berkshire (1999)
Charles Carrington (Editor), Timothy Speed, Juanita Ellis, and Steffano Korper,
Enterprise Directory and Security Implementation Guide: Designing and Implementing
Directories in Your Organization. ISBN: 0121604527

Web- URL .
RFC 2316, Report of the IAB Security Architecture Workshop (April 1998)
Digital Signature Guidelines, American Bar Association (1996), Section 1.35
http://www.abanet.org/scitech/ec/isc/dsgfree.html
Information Technology--Security Techniques--Evaluation Criteria for IT Security-Part 1: Introduction and General Model, ISO/IEC 15408-1 (1999)
http://isotc.iso.ch/livelink/livelink/fetch/2000/2489/lttf_Home/PubliclyAvailableStan
dards.htm
Information Technology--Security Techniques--Evaluation Criteria for IT Security-Part 2: Security Functional Requirements, ISO/IEC 15408-2 (1999). and Information
Technology--Security Techniques--Evaluation Criteria for IT Security--Part 3: Security
Assurance Requirements, ISO/IEC 15408-3 (1999).
http://www.commoncriteria.org/protection_profiles/pp.html
Guide for Development of Protection Profiles and Security Targets, ISO/IEC PDTR
15446
http://csrc.nist.gov/cc/t4/wg3/27n2449.pdf
RFC 1825, Security Architecture for the Internet Protocol (August 1995)
Security Architecture for Open Systems Interconnection for CCITT Applications,
ITU-T Recommendation X.800/ISO 7498-2 (1991)
http://www.itu.int/itudoc/itu-t/rec/x/x500up/x800.html
J. J. Whitmore, Security and e-business: Is There a Prescription?, Proceedings, 21st
National Information Systems Security Conference, Arlington, VA (October 6-9,
1998)
http://csrc.nist.gov/nissc/1998/proceedings/paperD13.pdf
IBM Redbooks
, Redbooks, Redpapers, Hints and Tips, , Redbooks - Web-
ibm.com/redbooks
IBM
IBM Support :
ibm.com/support
IBM Global Services:
ibm.com/services

Lotus Security Handbook

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Lotus Security Handbook

Загружено:

Авторское право:

Доступные форматы

IBM

International Technical Support Organization

Lotus Security Handbook

First Edition (April 2004)

Copyright International Business Machines Corporation 2004. All rights reserved.

2.4 (MASS, Method for Architecting

5.4 Lotus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

5.4.3 URL, Domino

5.5 Lotus Sametime 3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

6.1 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

6.2.4 Web- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

7. (Single sign-on) . . . . . . . . . . . . . . . . . . . . . . . . . . . 269

7.1 SSO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271

7.2 LTPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273

7.3 X.509 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281

7.4 DSAPI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284

7.5 HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

9.3 Windows ( NT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353

9.5 AIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388

10.1 Notes/Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404

11. Domino/Notes 6 . . . . . . . . . . . . . . . . . . . . . . . . . . 415

11.1 Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416

11.2 HTTP- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433

11.3 (xSP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435

11.5 Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437

11.6.3 Directory Assistance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445

11.7 - Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453

11.8 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454

11.10 Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466

11.13 Domino Off-Line Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512

11.14 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513

12. Lotus . . . . . . . . . . . . . . . . . 519

12.1 Lotus Team Workplace (QuickPlace) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520

12.2 Lotus Sametime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525

12.3 Domino Web Access (iNotes) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533

12.4 Lotus Workplace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538

12.5 IBM WebSphere Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540

12.6 Domino Everyplace Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557

12.7 Sametime Everyplace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558

14.1 (Domino, Sametime QuickPlace) . . . . . . . . . . . . . 574

14.3 LDAP- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587

14.4 WebSphere Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596

14.6 Tivoli Access Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603

Lotus Discovery ServerTM

(Amanda Mason) Lotus Software , (Austin, Texas).

.1-1. 1988- 2001 .

2,340 2,412 2,573 2,134

.1-2. 1995- 2002 .

ISO International Standardisation Organisation, . . .

(brute force attack)

ANSI American National Standards Institute, .

Twofish [ (Bruce Schneier) Counterpane

. PKCS-2 PKCS-4 PKCS-1.

PKCS #1, PKCS #7, PKCS #10,

(FAQ, Frequently Asked Questions). . .

2.2.2 ISO 17799

2.2.3 ISO 17799

. . (TCSEC, Trusted Computer System Security Evaluation Criteria).

- (NIS, Networked Information System). , , NIS,

.4-2. SOCKS- SOCKS-1

OSI : 1) (physical); 2) (data link); 3.) (network); 4) (transport); 5) (session); 6) (presentation); 7)

2. [Encapsulating Security Payload (ESP)]: .

Firewall-1 Check Point

IBM SecureWay Firewall

0.0.0.0:8080 ( .:8080) () , , , TCP/IP-,