William Tworek
George Chiesa
Frederic Dahm
David Hinkle
Amanda Mason
Matthew Milza
Amy Smith
April 2004
Note: Before using this information and the product it supports, read the information
in Notices.
IBM Lotus (Russian edition, 2007)
IBM Certified Advanced Technical Expert, IBM System p5
First edition 2004; Russian edition 2007
© Copyright International Business Machines Corporation 2004. All rights reserved.
Note to U.S. Government Users: restricted rights; use, duplication or disclosure is subject to the GSA ADP Schedule Contract with IBM Corp.
Contents
(Most section titles did not survive in this copy; section numbers, the words that did survive and page numbers are listed.)
Front matter: i, xi, xii, xiv, xv, xvi, xvii
Part 1 (1)
Chapter 1 (3): 1.1 (4); 1.1.1 (4); 1.1.2 (5); 1.1.3 CERT (7); 1.2 (10); 1.2.1 (10); 1.2.2 (11); 1.2.3 (11); 1.2.4 (12); 1.2.5 (13); 1.2.6 (16); 1.3 (16); 1.3.1 (17); 1.3.2 (18); 1.3.3 (18); 1.3.4 (20); 1.3.5 (21); 1.4 (21); 1.4.1 (22); 1.4.2 (23); 1.4.3 (30); 1.4.4 (33); 1.4.5 (34); 1.4.6 (38); 1.4.7 (39); 1.5 (40)
Chapter 2 (43): 2.1 (44); 2.1.1 (44); 2.1.2 (46); 2.1.3 (48); 2.1.4 (49); 2.2 ISO17799 (49); 2.2.1 (50); 2.2.2 ISO 17799 (51); 2.2.3 ISO 17799 (53); 2.3 (15408) (53); 2.5 ISSL (80); 2.5.1 (80); 2.5.2 1 (82); 2.5.3 2 (85); 2.5.4 3 (85); 2.6 (87)
Part 2 (89)
Chapter 3 (91): 3.1 (92); 3.2 (93); 3.2.1 (93); 3.3 (108)
Chapter 4 (111): 4.1 (112); 4.1.1 (112); 4.1.2 (117); 4.1.3 (119); 4.1.4 (123); 4.1.5 (124); 4.1.6 (126); 4.1.7 (126); 4.2 (130); 4.2.1 DMZ (130); 4.2.2 (133); 4.2.3 (137); 4.2.4 (141); 4.2.5 (144); untitled (145); 4.2.6 (146); 4.3 (151); 4.3.1 (152); 4.4 (155); (IP) (156); untitled (156); untitled (156)
Chapter 5 (157): 5.1 (158); 5.2 (158); 5.3 (159); 5.3.1 (159); 5.3.2 (160); 5.3.3 (160); 5.3.4 (161); 5.3.5 (161); 5.6 (175); untitled (175, 175, 176, 176, 177); IP (177); DNS (178); untitled (178, 178); 5.7 (178)
Chapter 6 (179): 6.2 (218); 6.2.1 (218); 6.2.2 (PKI) (221); 6.2.3 X.509 (225); 6.3 (268)
Chapter 7: 7.6 (293); 7.7 (296)
Chapter 8 (297): 8.1 (298); 8.1.1 LDAP (298); 8.2 (299); 8.2.1 (300); 8.2.2 (301); 8.2.3 (302); 8.3 (303); 8.3.1 (303); 8.3.2 (304); 8.3.3 (308); 8.3.4 (309); untitled (310, 311); 8.3.5 (314); 8.3.6 (314); 8.3.7 (314); ADSync (314); LDAPSync Solution (315); IBM Tivoli Directory Integrator (320); 8.4 (327); 8.4.1 (335); untitled (336); 8.4.2 (337); 8.5 (338)
Chapter 9 (hardening) (341): 9.1 (342); 9.1.1 (342); 9.1.2 (344); 9.1.3 (346); 9.2 (347); 9.2.1 (347); 9.2.2 Windows (350); 9.2.3 Linux (351); 9.6 (399)
Part 3 Lotus (401)
Chapter 10 Notes/Domino (403): 10.2 (405); 10.3 (406); 10.3.1 (406); 10.3.2 Notes (409); 10.4 (413)
Chapter 11: 11.4 (437); 11.6 (443); 11.6.1 (443); 11.6.2 (443); 11.9 (458); 11.9.1 (458); 11.9.2 (SSO) (460); 11.9.3 Domino Directory, LDAP (462); 11.9.4 Domino (463); 11.11 (483); 11.12 (497); 11.12.1 (497); 11.12.2 (507)
Chapter 12: 12.3.1 (533); 12.3.2 (535); 12.3.3 (535); 12.3.4 iNotes Web Access, Notes (536); 12.3.5 (537); 12.3.6 (537); 12.8 (560)
Part 4 (561)
Chapter 13 (563): 13.1 (564); 13.2 1 (564); 13.3 2 (567); 13.4 3 (568); 13.5 4 (569); 13.6 5 (570); 13.7 6 (571); 13.8 7 (572); 13.9 (572)
Chapter 14 (573): 14.2 (578); 14.2.1 SSL (579); 14.2.2 WebSphere Edge Server (580); 14.2.3 (586); 14.5 (599); 14.5.1 LMS (600); 14.5.2 LMS (601); 14.7 (607)
Part 5 (609): untitled (611); DSAPI (615); Domino 6 HTTP (631); untitled (656)
Notices
Licensing inquiries may be sent to: IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 USA.
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED.
Trademarks
The following terms are trademarks of International Business Machines Corporation in the United States, other countries, or both:
@server, OS/390, Domino, OS/400, iNotes, Redbooks, SecureWay, Lotus Notes, SP1, Lotus, SP2, Mobile Notes, Redbooks (logo), AIX, DB2, Everyplace, Extended Services, Tivoli, HACMP, Tivoli Enterprise, QuickPlace, IBM, WebSphere, Sametime, ibm.com, zSeries, Workplace Messaging, OS/2, Domino Designer, Notes.
The following terms are trademarks of other companies:
Intel, Intel Inside (logos) are trademarks of Intel Corporation in the United States, other countries, or both;
Microsoft, Windows, Windows NT and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both;
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both;
UNIX is a registered trademark of The Open Group in the United States and other countries.
Other company, product, and service names may be trademarks or service marks of others.
Preface
This IBM Redbook is the successor to two earlier Redbooks on Lotus security, The Domino Defense: Security in Lotus Notes 4.5 and the Internet and Lotus Notes and Domino R5.0 Security Infrastructure Revealed, and widens their scope from Notes and Domino to the broader Lotus and IBM product set.
Among the topics it covers are security zoning, single sign-on (SSO) and public key infrastructure (PKI).
Products covered: Lotus Notes and Domino 6, Sametime 3, QuickPlace 2.08, Domino Web Access (iNotes) and WebSphere Portal from IBM/Lotus.
For the Notes and Domino security fundamentals, see the IBM Redbook Lotus Notes and Domino R5.0 Security Infrastructure Revealed, SG24-5341:
http://publib-b.boulder.ibm.com/Redbooks.nsf/RedbookAbstracts/sg245341.html
The team that wrote this Redbook
This Redbook was produced by a team of specialists working at the International Technical Support Organization (ITSO).
William Tworek: IBM Lotus Software; ITSO; Andersen Consulting/Accenture; IBM Software Services for Lotus.
George Chiesa (Jorge Garcia-Chiesa, Giorgio) is Chief Technical Officer (CTO) of dotNSF Inc. (http://dotNSF.com), an IBM business partner. He holds an MBA from SDA Bocconi (SDA Bocconi University), has 14 years of Notes experience and has presented Best Practices sessions at IBM Lotusphere/Symposium.
Frederic Dahm: IBM Software Services for Lotus; 14 years of experience.
David Hinkle: IBM Software Services for Lotus, Phoenix, AZ; 19 years of experience with Lotus Notes/Domino; Domino, LDAP (Lightweight Directory Access Protocol) and Web technologies; LotusSphere speaker; IBM and Microsoft credentials.
Become a published author
Join an ITSO residency program and help write an IBM Redbook; residencies run from two to six weeks. Details:
http://ibm.com/redbooks/residencies.html
Comments welcome
Your comments are important to us. Send your comments about this or other Redbooks in one of the following ways:
Use the online Contact us review form found at http://ibm.com/redbooks
Send your comments in an e-mail to redbook@us.ibm.com
Part 1

Chapter 1
1.1
The 1980s brought the IBM Personal Computer. The 1990s brought the Internet (which grew out of ARPANet) and the Web, and with them Web servers and Web-based access to corporate systems.
1.1.1
1.1.2 The CSI/FBI survey
The survey is available at:
http://www.gocsi.com/forms/fbi/pdf.html
The Computer Security Institute (CSI), founded in 1974, conducts the survey with the participation of the Federal Bureau of Investigation (FBI); within the FBI, the National Infrastructure Protection Center (NIPC) and the Regional Computer Intrusion Squads investigate computer crime, including offences under the Computer Fraud and Abuse Act (Title 18, Section 1030).
Findings of the 2002 Computer Crime and Security Survey (503 respondents), covering breaches detected in the preceding 12 months:
223 respondents were able to quantify their financial losses; these totalled $445,848,000;
the most expensive categories were theft of proprietary information (26 respondents, $170,827,000) and financial fraud (25 respondents, $115,753,000);
74% named their Internet connection as a frequent point of attack, against 33% for internal systems;
more respondents than in earlier years reported intrusions to law enforcement (in 1996 only 16% did);
40% detected system penetration from the outside;
40% detected denial-of-service attacks;
78% detected employee abuse of Internet access privileges (for example downloading pornography or pirated software, or inappropriate use of e-mail);
85% detected computer viruses;
Web site incidents, compared with the 2000 survey: vandalism (64% in 2000), denial of service (60% in 2000) and financial fraud (3% in 2000).
1.1.3 CERT
The CERT Coordination Center (CERT/CC) was established in 1988 by the Defense Advanced Research Projects Agency (DARPA) to coordinate the response to security incidents on the Internet.
CERT/CC is part of the Networked Systems Survivability (NSS) program at the Software Engineering Institute (SEI), Carnegie Mellon University.
CERT/CC annual reports:
http://www.cert.org/annual_rpts/index.html
[Figure: incidents reported to CERT/CC, 1988-2001. Readable data points: 132 (1989); 252 (1990); 406 (1991); 773 (1992); 1,334 (1993); 3,734 (1998); 9,859 (1999); 21,756 (2000); 52,658 (2001).]
[Figure: vulnerabilities reported to CERT/CC, 1995-2002. Readable data points: 171 (1995); 345 (1996); 311 (1997); 262 (1998); 427 (1999); 1,090 (2000); 2,420 (2001).]
The security measures discussed later fall into three groups; the properties they provide include non-repudiation, and Notes and Domino are used as the running example.
1.2
1.2.1
The Notes and Domino material in this Redbook refers to the current release (i.e., 6.0).
1.2.2
Network components referred to: hubs, switches, Ethernet.
1.2.3
Extranets are discussed as the case where an organization's systems are opened to partners.
1.2.4
An Introduction to Computer Security: The NIST Handbook, NIST Special Publication 800-12 (National Institute of Standards and Technology). PDF:
http://csrc.nist.gov/publicatiuons/nistpubs/800-12/handbook.pdf
1.2.5
The term "sensitive information" is defined in the Computer Security Act of 1987 (Public Law 100-235 (H.R. 145), January 8, 1988); the text is available from the Electronic Privacy Information Center (EPIC):
http://www.epic.org/crypto/csa/csa.html
Section 3 of the Act defines: "(4) the term 'sensitive information' means any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy".
1.2.6
Integrity failures need not be dramatic to be costly. Example: a Web page advertising a "30-day interest-free loan" which, through a one-letter change, reads "interest-fee loan" (a loan carrying an interest fee).
1.3
The structure used here follows the IBM Security Architecture and the ISO Security Framework (ISO 7498-2).
The IBM Security Architecture is described in Enterprise-Wide Security Architecture and Solutions Presentation Guide, SG24-4579 (IBM Redbooks). PDF:
http://publib-b.boulder.ibm.com/Redbooks.nsf/RedbookAbstracts/sg244579.html
1.3.1
Definitions cited from [INFOSEC-99].
1.3.2
Definitions cited from [INFOSEC-99].
Related ISO standards: ISO 8730, 8731 and 9564.
1.3.3
Identification and authentication (I&A): a user presents an identity (for example a user name or a Notes ID) and proves it.
Examples named in the text: a Notes ID file; PGP and X.509 certificates, managed through a public key infrastructure (PKI); an automated teller machine (ATM) card used together with a personal identification number (PIN); credentials carried on a 3.5'' diskette or on a Sun Java card; integrated-circuit (IC) smart cards; USB tokens.
Footnote: ID stands for identifier (translator's note).
1.3.4
1.3.5
No system can be made 100% secure.
1.4
Further reading: RSA Laboratories' Frequently Asked Questions About Today's Cryptography, Version 4.1:
http://www.rsasecurity.com/rsalabs/faq/
1.4.1
1.4.2
In a substitution cipher each letter of the plaintext alphabet is replaced by the corresponding letter of a cipher alphabet. Plaintext alphabet:
ABCDEFGHIJKLMNOPQRSTUVWXYZ
Cipher alphabet:
GHIJKLMNOPQRSTUVWXYZABCDEF
With this key, HELLO WORLD encrypts to NKRRU CUXRJ.
[Figure 1-3]
A shift cipher of this kind has only 25 possible keys, so an attacker can simply try them all. Modern symmetric algorithms use keys of 40 to 256 bits; even for a 40-bit key an attacker must try on average 2^39, about 550,000,000,000, keys before finding the right one.
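The shift cipher above and the exhaustive key search the text describes, as an added example written for this edition (not code from the Redbook). `shift_cipher` reproduces the cipher alphabet GHIJKLMNOPQRSTUVWXYZABCDEF as key 6, `brute_force` runs through all 25 usable keys with a crib, and the two arithmetic helpers give the 2^39 average-trials figure for a 40-bit key and the 2^16 ratio between the 40- and 56-bit key spaces. The sample strings are constructed for the demonstration.

```python
"""Shift (Caesar) cipher, exhaustive key search and key-space arithmetic.

Added example for this edition; it is not code from the Redbook.
"""
from __future__ import annotations

import string

ALPHABET = string.ascii_uppercase  # ABCDEFGHIJKLMNOPQRSTUVWXYZ


def shift_cipher(text: str, key: int, decrypt: bool = False) -> str:
    """Replace each letter by the one `key` positions further along the alphabet.

    key=6 maps A->G, B->H, ... so the cipher alphabet is GHIJKLMNOPQRSTUVWXYZABCDEF,
    the example used in the text.  Characters outside A-Z (spaces, digits) pass
    through unchanged, which is exactly what leaks word boundaries to an attacker.
    """
    if not 0 <= key < len(ALPHABET):
        raise ValueError("key must be between 0 and 25")
    step = -key if decrypt else key
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + step) % len(ALPHABET)])
        else:
            out.append(ch)
    return "".join(out)


def brute_force(ciphertext: str, crib: str) -> list[tuple[int, str]]:
    """Try every usable key (1..25) and keep the candidates that contain `crib`.

    With 25 keys the "attack" is a loop; the crib (a word the attacker expects
    in the plaintext) picks out the right key without human inspection.
    """
    crib = crib.upper()
    hits = []
    for key in range(1, len(ALPHABET)):  # key 0 would leave the text unchanged
        candidate = shift_cipher(ciphertext, key, decrypt=True)
        if crib in candidate:
            hits.append((key, candidate))
    return hits


def work_factor_ratio(short_key_bits: int, long_key_bits: int) -> int:
    """How many times larger the longer key space is: 2 ** (long - short)."""
    if long_key_bits < short_key_bits:
        raise ValueError("long_key_bits must not be smaller than short_key_bits")
    return 2 ** (long_key_bits - short_key_bits)


def average_trials(key_bits: int) -> int:
    """Keys tried on average before the right one turns up: half the key space."""
    return 2 ** (key_bits - 1)


if __name__ == "__main__":
    ct = shift_cipher("HELLO WORLD", 6)
    print(ct)                                 # NKRRU CUXRJ
    print(shift_cipher(ct, 6, decrypt=True))  # HELLO WORLD
    print(brute_force(ct, "HELLO"))           # [(6, 'HELLO WORLD')]
    print(work_factor_ratio(40, 56))          # 65536
    print(f"{average_trials(40):,}")          # 549,755,813,888 (about 550 billion)
```

The point of `brute_force` is that key recovery here costs 25 decryptions; `average_trials(40)` shows why even the weakest modern key length moved the same attack from a loop to a hardware budget, and `work_factor_ratio(40, 56)` is the 65,536 factor the export discussion below relies on.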
Descriptions of cryptographic protocols conventionally personify the parties A, B and C as Alice, Bob and so on; the custom is celebrated in John Gordon's "The Alice and Bob after-dinner speech" (1984):
http://www.conceptlabs.co.uk/alicebob.html
[Figure 1-4: symmetric encryption; the plaintext "THINK" is encrypted to the ciphertext "M0B4Q4Rg2s" and decrypted back to "THINK" with the same key.]
The exchange in Figure 1-4 is described in four steps.
Symmetric algorithms in common use:
DES (Data Encryption Standard) is defined in Federal Information Processing Standard (FIPS) 46-3 as the Data Encryption Algorithm (DEA); the same algorithm is ANSI X3.92. DEA operates on 64-bit blocks with a 56-bit key (the key is written as 64 bits, 8 of which are parity bits).
3DES (Triple-DES) is defined in ANSI X9.52 and applies DES three times in one of two modes: DES-EDE (Encryption, Decryption, Encryption) and DES-EEE (Encryption, Encryption, Encryption).
AES (Advanced Encryption Standard), FIPS PUB 197, was selected by NIST as the replacement for DES; it supports 128-, 192- and 256-bit keys instead of the 56-bit DES key. The algorithm, Rijndael, was designed by Joan Daemen and Vincent Rijmen. AES uses a 128-bit block.
RC2 was designed by Ron Rivest (RC stands for Ron's Code or Rivest Cipher) as a replacement for DES. It is a 64-bit block cipher with a variable-length key and is faster than DES.
Blowfish, designed by Bruce Schneier of Counterpane Systems, is a 64-bit block cipher with a variable-length key (up to 448 bits); it is optimized for 32-bit processors and is much faster than DES.
Footnote: RC1 was never published, and RC3 was broken at RSADSI during development.
Cryptography in products such as Notes, Domino and the other Lotus products has been subject to United States export regulation, in which the National Security Agency (NSA) has a say; this is why the earlier Redbooks had to describe international versions limited to 40-bit keys.
The difference between a 40-bit and a 56-bit key is 2^16, that is 65,536 times as many keys to search.
In 1998 the rules were relaxed so that products using 56-bit DES or equivalent ciphers (RC2, RC4, RC5 and CAST) together with 1,024-bit RSA could be exported.
On June 6, 2002 the Bureau of Industry and Security (BIS) published a further revision of the Export Administration Regulations (EAR), 67 FR 38855. Under it, encryption items with keys up to 64 bits fall under ECCNs (Export Control Classification Numbers) 5A992 and 5D992 and may be exported as NLR (No License Required) once a 30-day BIS review is complete; items controlled under Category 5, Part II of the Commerce Control List (CCL), such as ECCN 5B002, are exported under License Exception ENC.
Federal Register text:
http://w3.access.gpo.gov/bis/fedreg/ear_fedreg.html#67fr38855
BIS fact sheet:
http://www.bxa.doc.gov/encryption/EncFactSheet6_17_02.html
Wassenaar Arrangement information:
http://www.bxa.doc.gov/Wassenaar/Default.htm
1.4.3
In public-key (asymmetric) cryptography each party has a pair of keys: a public key that may be distributed freely and a private key that is kept secret. What one key of the pair encrypts, only the other can decrypt.
[Figure 1-5: public-key encryption; "THINK" is encrypted to "M0B4Q4Rg2s" and decrypted back to "THINK".]
The algorithms in common use:
Diffie-Hellman (D-H) is a key-agreement protocol: two parties with no prior shared secret establish one over an insecure channel, after which it can serve as a symmetric key. It was developed in 1975-1976 by Whitfield Diffie, Martin Hellman and Ralph Merkle; an equivalent technique had been found earlier inside GCHQ, which declassified its work in 1997.
RSA (Rivest-Shamir-Adleman) supports both encryption and digital signatures. It was published in 1977 by Ron Rivest, Adi Shamir and Len Adleman. Clifford Cocks of GCHQ had found the same system in 1973; this became public in 1997. The RSA patent was granted in 1983 to MIT (Massachusetts Institute of Technology) and expired in 2000. RSA keys in use are typically 1024 bits long.
Elliptic Curve Cryptography (ECC) provides the same services as D-H and RSA with shorter keys and less computation. NIST and ANSI X9 rate a 1024-bit RSA key and a 160-bit ECC key as equivalent, both at the 80-bit security level; the NIST levels are 80, 112, 128, 192 and 256 bits.
Public-key operations are far slower than symmetric ciphers, so in practice (in Notes, Domino and the other Lotus products among others) the public-key algorithm protects a symmetric key and the symmetric cipher encrypts the data.
1.4.4
A digital signature is produced with the signer's private key and can be checked by anyone holding the matching public key. Signatures are used in Notes, in SSL and in S/MIME.
[Figure 1-6: digital signature; "THINK" is transformed to "M0B4Q4Rg2s" with one key of the pair and recovered as "THINK" with the other.]
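Toy versions of the public-key operations described in 1.4.3 and 1.4.4, added for this edition (not code from the Redbook): a Diffie-Hellman exchange in which both parties end up with the same secret, and textbook RSA with key generation, encryption and a signature over a SHA-1 digest. The parameters (p=23, g=5 for D-H; the primes 61 and 53 for RSA) are the usual classroom values, chosen so that the numbers can be checked by hand; they give no security, and real implementations also need padding (PKCS #1), which is omitted here.

```python
"""Toy Diffie-Hellman key agreement and textbook RSA (encryption and signature).

Added example for this edition, not code from the Redbook.  The parameters are
the usual classroom values so every step can be checked by hand; they offer no
security.  Real systems use moduli of 2048 bits or more, a padding scheme
(PKCS #1) and a current hash function.
"""
from __future__ import annotations

import hashlib
import secrets
from math import gcd
from typing import Optional


# ---- Diffie-Hellman key agreement ------------------------------------------
# The prime p and the generator g are public; only the exponents are secret.

def dh_keypair(p: int, g: int, private: Optional[int] = None) -> tuple[int, int]:
    """Return (secret exponent x, public value g^x mod p); x may be fixed for a reproducible run."""
    x = secrets.randbelow(p - 2) + 1 if private is None else private
    return x, pow(g, x, p)


def dh_shared_secret(own_private: int, peer_public: int, p: int) -> int:
    """(g^y)^x = (g^x)^y mod p, so both sides reach the same value."""
    return pow(peer_public, own_private, p)


def dh_exchange(p: int, g: int, alice_private: int, bob_private: int) -> tuple[int, int]:
    """Run the exchange and return the secret each side derives (they must be equal)."""
    a, alice_public = dh_keypair(p, g, alice_private)  # Alice sends alice_public in the clear
    b, bob_public = dh_keypair(p, g, bob_private)      # Bob sends bob_public in the clear
    return dh_shared_secret(a, bob_public, p), dh_shared_secret(b, alice_public, p)


# ---- Textbook RSA ------------------------------------------------------------

def rsa_keygen(p: int, q: int, e: int = 17) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return ((n, e), (n, d)) for primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # private exponent: the inverse of e modulo phi (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(public_key: tuple[int, int], m: int) -> int:
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(private_key: tuple[int, int], c: int) -> int:
    n, d = private_key
    return pow(c, d, n)


def _digest_as_int(message: bytes, n: int) -> int:
    """SHA-1 digest of the message (the hash named in the text), reduced into [0, n).

    With a toy modulus the reduction discards most of the digest, one more reason
    these parameters are for illustration only.
    """
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % n


def rsa_sign(private_key: tuple[int, int], message: bytes) -> int:
    """Sign the digest with the private key; the signature is an integer below n."""
    n, d = private_key
    return pow(_digest_as_int(message, n), d, n)


def rsa_verify(public_key: tuple[int, int], message: bytes, signature: int) -> bool:
    """Recover the digest with the public key and compare it with a fresh digest."""
    n, e = public_key
    return pow(signature, e, n) == _digest_as_int(message, n)


if __name__ == "__main__":
    print(dh_exchange(23, 5, 6, 15))       # (2, 2): Alice and Bob agree on 2
    pub, priv = rsa_keygen(61, 53)         # n = 3233, e = 17, d = 2753
    c = rsa_encrypt(pub, 65)
    print(c, rsa_decrypt(priv, c))         # 2790 65
    sig = rsa_sign(priv, b"THINK")
    print(rsa_verify(pub, b"THINK", sig))  # True
```

Note the asymmetry the text describes: `rsa_encrypt` needs only the public key, `rsa_sign` only the private one, and `rsa_verify` again only the public one; the same `pow` call does all three jobs, which is why the private exponent must never leave its owner.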
1.4.5
A hash (message digest) function condenses a message of any length into a fixed-length digest. The digest serves for integrity checking and, combined with a private key, for digital signatures.
[Figure 1-7: integrity checking with a hash; the sender's digest d is compared with the digest d' that the receiver computes (d = d'?).]
MD5, from RSA Data Security, Inc., is the hash used in Notes; it produces a 128-bit digest and is specified in RFC 1321.
The Secure Hash Standard (SHS) produces a 160-bit digest, is rated stronger than MD5 and is slower.
The algorithms in common use are MD5 and SHA-1; MD2, MD4 and the original SHA are their predecessors.
MD2 and MD5 are message-digest algorithms by Ron Rivest (the R in RSA); both produce 128-bit digests and are specified in RFCs 1319 to 1321. SHA (Secure Hash Algorithm) was developed by NIST and is published as the Secure Hash Standard (SHS, FIPS 180).
MD2 (1989) was designed for 8-bit machines; the message is padded to a multiple of 16 bytes and a 16-byte checksum is appended before hashing.
MD5 (1991) was developed by Rivest as a strengthened replacement for MD4 after weaknesses were found in MD4.
SHA-1, a 1994 revision of SHA, is modelled on MD4. It is also specified in ANSI X9.30 (part 2). It accepts messages up to 2^64 bits in length and produces a 160-bit digest; it is slower than MD5.
Why MD2 and MD5 but no MD1, MD3 or MD4 in the list? MD stands for Message Digest, the RSADSI family name. MD3 was superseded by MD4 before release, and MD4 was shown to be weak, so it was superseded in turn by MD5 (RFC 1321).
Why SHA-1 rather than SHA-0? SHA was published by NIST in 1993, with NSA involvement, and is based on MD4. In 1995 NSA issued a revision, SHA-1; the original is now referred to as SHA-0.
MAC here stands for message authentication code, not for the Media Access Control layer of the OSI model. A MAC is computed over the message with a secret key shared by sender and receiver, so the receiver can verify both integrity and origin; without the key an attacker cannot produce a valid MAC for a modified message.
1.4.6
, .
, , ,
,
. : , , ?
, ,
. (
),
. , .
.
,
, .
, ,
. .
, , , , .
. , ,
, SSL Notes.
1.4.7
,
. (PKCS, Public Key Cryptographic Standards).
PKCS ,
1991 . RSA Laboratories Apple, Digital, Lotus,
Microsoft, MIT, Northern Telecom, Novell Sun. 1991 . PKCS ,
Notes Domino.
RSA , , , , ,
.
:
PKCS #1: RSA;
PKCS #2: (. );
PKCS #3: ;
PKCS #4: (. );
PKCS #5: ;
PKCS #6: ;
PKCS #7: ;
PKCS #8: ;
PKCS #9: ;
PKCS #10: ;
PKCS #11: ;
PKCS #12: ;
PKCS #13: ;
PKCS #15 (): .
1.5
-
, .
:
-, , , , , -, ;
1
, ,
, ,
( );
, , ,
, ,
.
, . . .
,
.
2
,
.
,
-, , ,
,
.
,
.
: , . . , .
.
, .
.
2.1 -
, ,
(. . , -).
2.1.1
, , , .
, .
, , . , , . , .
(threat) thrat,
, . :
1. , , .
2. .
3. , .
: .
, -
, . , : :
1. ; .
2. , , - , ; , , , :
, ,
( ).
3. ; ,
.
, :
,
, , :
.
.
( 1), - ,
( 2), ( 3).
- , . , , .
, .
- .
( ,
) , , .
,
, ,
, ,
.
, , :
(Clifford Stoll: The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage, Mass Market Paperback Reprint edition, July 1995, Pocket Book, ISBN 0671726889).
, , ,
.
,
, .
.
: , . ,
, ,
. . , .
,
.
,
.
, , .
.
2.1.2
. . , -.
, , ,
- , .
, ,
, - - , ,
, . ( , , , .)
(
),
.
,
.
.2-1.
. 2-1, , , ,
, .
, . .
, ( )
.
, . .
. /
:
(, , );
( , ,
);
(, , , , );
(. ., , - ).
. ,
(DOS attack, Denial-Of-Service attack) , , , , TCP/IP,
DOS- (, SYN Floods),
, , , , DOS, DOS-. ,
, ,
.
, . . , - (
).
. 2-1, , :
1. , , ,
.
2. ,
.
3. , , ( ), , .
4. , ,
, ,
, .
.
,
, ; .
2.1.3
- , .
, , . , , , .
, .
. 2-2 , . 80% ( ), 20%
. , 80% , , 55% , .
. . ,
.
.
.2-2.
, , , .
- ,
,
.
.
. , ,
, , ,
-, .
, , ,
, .
, ,
.
2.1.4
,
.
, ,
.
.
, ,
, . ,
,
, .
,
. ,
ISO17799.
2.2 ISO17799
ISO17799 (ISO), 146 ,
: , , , .
ISO : , .
ISO . ,
, , . , , .
ISO
,
, , , .
Web- ISO :
http://www.iso.org
ISO 17799 ( ISO/IES 17799:2000)
(Information technology Code of
practice for information security management). (. . ) 71 ,
.
:
http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441
&ICS1=35&ICS2=40&ICS3=
, .
[ISO17799]. [BS7799-2].
ISO17799
, , , .
, .
2.2.1
ISO17799 . DTI (United Kingdom, UK), 1995.
BS7799. BS 7799 ,
, , -.
-
BS7799, 2, 1999 . , ISO
BS , .
.
BS 7799 , (British Standards Institution, BSI)
. BS 7799 :
7799-1 ( 1): -
.
BS7799-1 , (Information Security Management System, ISMS). BS 7799-1 . , ISO/IEC 17799 (
) BS7799-1.
7799-2 ( 2): , .
BS 7799-2 ISMS, .
ISO/IEC 17799.
BS 7799
, 1999 . , ISO,
2000 . ISO 2002 .
2. ISO 17799 2002 .
ISO 17799 .
ISO-, .
-, .
2.
; ;
; ; -
; .
3.
, ;
, : ,
; , - ; .
4.
,
; ,
; ,
.
5.
, , ; ;
.
6.
, , ; , ,
;
.
7.
; , ; , .
8.
; ; ; ; ;
; ,
.
9.
,
.
10.
, ,
.
2.3 ( 15408)
(CC, Common Criteria for Information Technology Security Evaluation)
-,
. -, -
.
CC
-, .
1980- . (TCSEC, Trusted Computer System Evaluation Criteria).
1990- . (ITSEC, Information Technology Security Evaluation Criteria),
TCSEC. 1990 . ISO
.
CC 1993 ., ( )
-.
-. . 2-3 , .
, , .
, .
-.
Figure 2-3 (evolution of evaluation criteria; labels in the figure: TCSEC, NIST, CTCPEC, ITSEC v1.0, ITSEC v1.2, CC v0.9, CC v1.0, CC v2.1, ISO, ISO 15408).
, , :
1. . .
-
. 1 -,
- . ,
CC .
2. .
(TOEs, Targets
of Evaluation). 2 , .
3. .
TOEs. 3 , . (PPs, Protection Profiles)
(STs, Security Targets) ,
CC
TOEs, (EALs, Evaluation Assurance Levels).
CC
, .
, .
, ( PDF-), :
http://www.commoncriteria.org/
,
.
, .
2.4
(MASS, Method for Architecting Secure Solutions)
IBM , IBM Global Services (IGS) . (MASS, Method for Architecting Secure Solutions).
, -.
IBM (IBM Systems Journal on End-to-End Security,
Volume 40, N 3). :
http://www.research.ibm.com/journal/sj/403/whitmore.html
2.4.1
, , .
IBM Global Services
:
1. -
.
2. - .
3. ,
, ,
; , , , .
,
,
.
IBM Global Services, :
, ,
;
-,
;
, ,
,
.
2.4.2
, . ,
,
.
.
,
, .
,
. , , . ,
, .
,
[3].
- , , , -
. ,
.
- :
1. ,
.
2.
, , , [4]
[5].
3.
. , -, .
,
ISO 7498-2[6]
-. ,
OSI (Open Systems Interconnection,
) .
5 ,
OSI . 8 OSI,
, .
OSI:
, , ,
-. ISO 7498-2 ,
OSI ,
, , , , OSI.
, OSI.
.
11 :
;
;
;
;
;
;
;
;
;
;
.
11 66 , . 130 ,
- .
, :
http://www.commoncriteria.org
. , [10], , . . ,
.
. -
.
/
. . -
:
, [11].
, , .
[8]:
( TOE, Target Of Evaluation) ; TOE ( TSF, TOE Security Functions) TOE, .
;
.
.
, -,
,
.
, -, .
: .
.
, :
1. , .
2.
.
2.4.3
(Eberhardt Rechtin) ,
(, ), ( , ), ( )
( , ,
, , , , ).
2-1
, ,
, , ,
, ,
, , /
, , ,
, /,
. 2-1
/
, , ,
, ,
, /
, , ,
,
, .
.
2.4.4
, , , . , , . 2-1,
, , . ; . . 2-4
, ,
, .
CC- . -
.2-4. -
, , , .
,
- , , . ,
.
- ,
,
, -.
, , , .
. ,
, , . , , -
.2-5.
, .
:
,
, ;
,
, ;
, , , ;
, .
. 2-5.
- ,
.
,
. ,
.
.
:
;
, , ,
, , , . .;
, , ;
; ;
;
;
;
.
. 2-6.
- ,
, , . ,
()
.2-6.
,
.
, , , , .
.
:
;
;
, , ( )
- ;
, ;
;
, ,
, , -, .
. 2-7.
.2-7.
-
,
, , .
.
, , , , .
-
.
:
;
;
: , , , ,
;
: ();
: ;
- : ,
, , , , .
. 2-8.
:
/
/
/
/
/
.2-8.
- , ,
,
, , .
,
, .
.2-9.
,
. ,
, , ,
. :
- ;
;
, -;
, : ;
, : ,
;
, ;
;
;
.
. 2-9.
, - , , ,
.
-.
2.4.5
, . ,
,
. . 2-10 .
.
.
-, -, . -.
-, :
1. , -- .
2. ,
(..) -- , .
.2-10.
:
,
.
2.4.6 -
. 2-11 - -. ,
, , .
- ,
-,
.
OSI: , , ,
. -.
. ,
.
. , -
,
,
- ,
,
( - ( ),
( ),
)
,
,
( )
( ,
)
.2-11. --
.
1.
.
2.
.
3.
.
4. .
5. .
6.
, .
7. - .
2.4.7
. . 2-2.
, (), () . .
2-2
, , . . 2-3
.
.
2-3
1 n
1 m
1 k
.
.
.
.
OSI: , ,
, , .
.
.
.
2.4.8
,
-. . 2-12 2-13 .
.
,
,
.
. .
,
,
.
,
;
. , ,
.2-12.
. .
-
.2-13.
.
2.4.9
. : , , ,
.
. .
,
.
(ESS, Enterprise Solutions Structure) .
, . .
.
, .
, , , . . . , - ,
, .
, :
,
, .
:
, ,
;
, , , , ;
, , ;
,
.
2.4.10
. .
,
.
1.
. 2-14
,
.
.2-14.
. , . ,
.
;
,
.
.
, ,
.
,
. .
2. -
. 2-15 -
, . . -.
.2-15. -
, . .
. ,
, .
. :
1. -,
.
2. , . . .
3. ,
,
, .
4. .
, -.
5. ( ) . .
6. , .
7. , -.
, . , , , ,
- .
-, ,
.
3.
(PKI)
, PKI.
-, -,
, , , -,
PKI.
. 2-16 1. 2.
3. 4 , . 5
, 6
, 7 .-
Figure 2-16. PKI (numbered steps 1-7 in the figure).
. .
, ,
, .
-.
, .
.
. -, ,
, : ,
, , . , , , ,
, -
. ,
:
;
-;
, , ;
;
, , ;
.
- . , - . , ,
-.
.
2.4.11 (MASS)
, .
.
:
-.
. ,
.
, , - , .
,
, , IPSec SSL (Secure Socket Layer), ,
. -
, , , , , .
,
. ,
. , , , , , .
, , IBM Global
Services. , ,
, . , (MASS), .
, ,
MASS ,
.
2.5 ISSL
IBM Software Services for Lotus (ISSL),
, (,
Blowfish Twofish): , .
ISSL-. ,
. ,
. , , , , , .
2.5.1
, , . . ,
, . , .
, - :
1) ? 2) ? 3) ?
: , .
. 2-17, , ,
.
10 , . 2-18.
.
.2-17.
1.
2.
? ?
3.
4.
5.
6.
7.
e ?
8.
, ?
9.
e ,
?
10.
? ?
.2-18. ISSL
2.5.2 1.
, .
, . , .
1. -
, .
, , , , , ,
( ), , , . ,
.
:
1. :
a) ;
b) ;
c) ;
d) ;
e) -;
f) ;
g) .
2. :
a) ;
b) .
3. (
).
4. , :
a) ;
b) ;
c) ;
d) ;
e) ;
f) ;
g) ;
h) ;
i) ;
j) ;
k) ;
l) ;
m) .
,
, -. -,
, , , . (, .) , .
2.
:
= + + .
, , . , . .
, ,
.
:
1. .
2. .
3. .
4. .
5. .
.
,
.
3.
:
1. ( ).
2. ( ).
, : ? ? -
? - ?
:
? ?
( )?
4.
. , (,
, ,
) . - . ,
.
5.
. .
, ,
, - ,
,
-, . ,
.
ISSL ,
.
, , .
, , : ? ? ,
? , ?
, .
, , , ,
,
, , - ,
.
2.5.3 2.
. , . . . .
6.
, ,
. (PKI), , , . , , ,
,
.
. ,
; , -. ,
, , .
7.
, , .
4 :
a) ,
, ;
b) ,
;
c) ,
( ,
), , ;
d) , .
2.5.4 3.
, ,
, .
8.
.
.
,
. , , ,
, , .
: . , , ,
, -,
. , ,
, , ,
, ,
, .
, , , , , , (
, ),
. , ,
, , , .
9.
. ,
, .
, ,
, ,
.
,
. ,
, , , . ,
.
10.
, , ,
, ; ;
, , , . ,
, .
, , . , , , , ,
, , , , , , .
2.6
,
.
:
, ;
;
: ISO 17799, , IBM (MASS);
, IBM Software Services for Lotus.
.
,
. , (single sign-on, SSO), (PKI),
.
, ,
, , Lotus .
, , , .
, T-
.
.
Web-,
.
. :
, ;
(
-).
, ,
( ,
, , ).
()
.
3.1
, , .
,
. , .
,
, .
, , . ,
, . , (, ), ,
, , . , ( ), ,
, ,
.
.
, ,
, ,
, . . ,
, ,
. ,
, ,
.
.
, , . , ,
.
, .
.
(appropriate) (adequate), . . . .
3.2
. , - , . , , ,
.
, ,
, , .
, , :
;
;
;
;
.
.
,
, , .
3.2.1
:
;
,
, ;
() ;
, ;
Web- (proxy);
(IDS).
-, ,
( / ).
, ,
,
. 1.4, , 6, .
-, , .
.
, . , , Notes
Domino. , ,
Domino Domino, . , ,
. Notes
.
, Notes Domino
. Notes ( Domino Notes) , , ,
. ,
(ID), . Domino ,
, , , . 3-1.
Figure 3-1 (labels in the figure: mymail.nsf, Domino, Acme).
, . , ,
Domino . () .
VPN,
VPN. VPN .
( ). ,
() . , (, Domino) ,
. , ,
.
! , Domino, ,
, ID . ID Domino
( ), ID-
, .
, ID-
Windows- Notes root
Unix.
. ,
, .
, .
.
.
(, firewall).
. .
, , ,
, DNS (Domain Name Services). DNS IP- IP- . IP-, IP-.
, ,
.
(MX) . , , :
IP-
IP-. DNS 4, .
,
- .
, . ,
; , ,
. . T- , ,
. , ! , .
,
( ). , . Ethernet- , Ethernet .
Ethernet-
, .
(
, TCP/IP). , , , .
:
1. TCP/IP-. , Ethernet- , .
. TCP/IP , . -
,
, (VLAN).
2. , .
. , , , SSL, ,
, ( ,
).
ID , .
Ethernet- 802.11
.
, , , . netstumbler.com ,
Wi-Fi- ,
, ,
. IEEE 802.11i 2004 .,
. , WEP (Wired Equivalent Privacy) , , WPA (Wi-Fi Protected Access),
( - ).
, , , WEP, , ( ) , .
, .
. ()
, .
.
, 8, . ,
, , ,
-
. ,
. , , ,
ID- , , . . . ,
, ( ) . ,
,
.
T- , . , . :
?
, ?
, ?
, ,
, , , , . .
.
, . , ,
-, .
( ).
, ,
. :
1. . , . , , ( ), .
2. .
, . : , , , ,
. .
3. . , ,
-
.
.
-
-
Web-. , ,
TCP/IP.
, .
HTTP, FTP telnet,
TCP/IP. - . ,
.
, .
-. , , -, .
, , . , ( ), , , . , ,
,
, .
-
, . - ,
, . TCP/IP , (NAT), . - ,
,
.
, ( )
, ,
. -
, . , , , , , . . (IDS) ,
( ).
, , , .
TCP/IP
. .
,
, ,
. , Web-, .
, :
? , . ,
, ,
. ,
() . ,
.
,
, (
).
(IDS): (NIDS), , . IDS,
, e-mail- , IDS.
IDS 4.1.5, .
( ). ,
. IDS , ,
, . . ,
, IDS.
.
:
1. .
2.
.
3. .
4. .
5. , .
6. , .
7. .
, . :
.
(IP) . ( ) ,
.
, IP- .
; ,
.
, , , , ,
() , .
, .
, .
, ,
( )
. , , .
, ,
.
. () , , .
, ( ) .
,
. .
. , .
, , ,
.
,
,
.
,
.
,
. .
.
:
;
, ;
.
. , DoS- ( ) ,
.
, DoS-
-.
, , .
,
. ,
, , , .
.
,
, .
, , ,
, . , , , .
:
?
?
,
, ID
? ,
?
, , ID ?
(, ,
), , , ?
, , ?
?
, ?
,
,
. , . ,
,
, .
( )
. , ,
,
. , ,
(
). ,
, .
, . , , UNIX- telnet. telnet-, .
telnet-
:
/
telnet;
, , , .
[SSH (Secure Shell)] telnet. SSH .
Cisco SSH , SSH telnet.
, .
, . ,
4, .
,
, (, , , )
, .
,
: (exploits).
. ,
, ( )
, .
, , .
, .
DoS- ( ).
. , , . ,
, . , , : ,
. , . , .
, , :
1. .
2. .
3. .
.
, .
, .
, .
.
, , ,
,
, -
. , , -,
,
, - . ,
( ), . ,
, . , ,
.
, , ,
, .
. ,
, .
. ,
,
,
. , , , . , ,
,
, ,
. , .
, ,
.
, . , CERT.
Web- :
http://www.cert.org
, () ,
, -
, . , , , , . ,
-, , Patchlink Update (www.patchlink.com), BigFix Patch Manager (www.bigfix.com), Security Update Manager (www.configuresoft.com), LANguard Network (www.gfi.com) .
. , ,
().
, .
1. ,
( ) - . ,
.
, . 60 ,
.
2. . , , ( ).
.
3. ,
( , ,
). ,
,
, : ID , , , , , , , NETID.
4. . ,
. , , ,
, .
5. , . , , .
,
.
, .
, , ,
.
, ,
.
, , ,
, . ,
, .
.
,
, , .
. , - .
,
.
, , ,
. , ,
, , , , .
3.3
, ,
.
:
, .
, .
.
, .
Web- .
,
(IDS).
, .
.
.
.
, .
, .
.
, ,
,
,
.
Metagroup . ?
,
. IBM .
, .
. (,
.)
.
, .
( ) ,
.
4.1
, .
:
;
, ;
-;
;
;
.
, . ,
, - , , .
4.1.1
The American Heritage Dictionary of the English Language:
(firewall)
1. , .
2. . , .
,
. ,
-
, , ,
IP-.
.
, , , ,
.
:
;
.
,
:
;
;
(VLAN);
;
.
IP-
. .
,
( ) ,
. ,
, , :
IP- ;
;
;
, (UDP, TCP, ICMP . .).
.4-1 ,
TCP- 80 .
Figure 4-1 (router front-panel labels in the figure: STOP 80, ASYNC 1-8, ASYNC 9-16, AUI, SERIAL 0, SERIAL 1, CON, AUX, 2511).
, , IP ,
, .
, , , ICMP, IP-.
,
,
.
.
, , . ( )
,
-.
; . ,
, .
TCP-
. , , TCP TCP-, . . ,
. .
, 4 ( ), . (ACL) , . -
.
, IP-, ,
, , , . .
, .
,
.
, ,
(circuit-level proxies). .
- .
.
,
. . ,
:
http://www.aventail.com
.
,
, .
SOCKS
SOCKS - TCP/IP, IETF- (RFC 1928). SOCKS
.
SOCKSv5 ( 5.0) IETF
(Internet Engineering Task Force) (RFC 1928) -
TCP/IP. SOCKS
.
SOCKS . - SOCKS
, SOCKS
OSI. . SOCKS -
SOCKS SOCKS TCP/IP-. - SOCKS
OSI .4-2.
,
- SOCKS. - . ,
. - , .
SOCKS: v4 v5. , - -
SOCKS-
SOCKS
SOCKS
IPsec
IPSec IETF ( RFC RFC 2401, RFC, IPSec). O , IPSec, :
1. [Authentication Header (AH)]:
. AH
, IP- . AH , . ,
.
1
4.1.2
. , , Lotus WebSphere
.
, . ,
.
.
,
, . , .
! ,
.
, , ,
.
Cisco PIX
Cisco PIX
Cisco. Cisco PIX ,
. , [ , (DMZ)]
.
,
.
Web- Cisco:
http://www.cisco.com
Raptor Firewall
Raptor Firewall Axent Technologies,
Symantec. Raptor Management Console (RMC) , VPN (IPSec IKE)
,
WWW Internet Usenet. Web-, Symantec:
http://www.symantec.com
4.1.3 ,
(routers), (switches) (hubs) , ,
OSI: ,
, . , , , , .
, , , , , . , , -.
, (, FTP).
, , : . ,
.
( )
. .
,
.
, ,
. .
. , ,
, , , , . .
,
.
. , - (ISP), .
-
. , ( )
.
,
.
, , .
. ,
, .
Ethernet-
Ethernet, . Ethernet, , . ,
,
. , , .
( ).
NAT
[Network Address Translation (NAT)]
RFC 1918 IETF
IP-.
IP- [ Internet Assigned Numbers Authority (IANA)].
,
. IP-,
. NAT RFC 1631.
,
-
. IP- IP-
, - ,
.
NAT IP-
. NAT
IP; IP . . ,
IP- ( ,
), NAT IP-,
IP- . ,
NAT , ,
.
, NAT
TCP UDP. [Internet Control Message Protocol
(ICMP)] NAT-. , ping
ICMP, , , NAT,
NAT-, , IP- .
, NAT
[Port Address Translation (PAT)]. IP . PAT
, .
VLAN
(VLAN) ( 1998 .) , .
. VLAN ,
, , NetBIOS IPX. ,
.
, ,
. , .
VLAN
, .
,
.
, ()
. , , Cisco Catalyst,
.
VLAN ,
,
VLAN .
VLAN ,
(, ) , .
, VLAN
.
VLAN, . ,
Ethernet- MAC- . , VLAN , VLAN .
VLAN IEEE 802.1q :
http://standards.ieee.org/reading/ieee/std/lanman/802.1Q-1998.pdf
, VLAN, VLAN-
. ,
VLAN ,
. , VLAN , . VLAN ( VLAN,
,
ID, VLAN) , , , - VLAN .
4.1.4 -
. .
-.
- .
.
:
.
.
- ,
, . ,
( 4), ( 7).
,
, ,
. ,
, , , .
, . , ,
.
,
() .
. . ,
, ,
. .
, , . , , .
-
. ,
, 5, -.
4.1.5
, , . [intrusion detection system (IDS)] , .
IDS :
1. [Network intrusion detection systems (NIDS)]. O TCP/IP . DoS- (
). NIDS
.
,
,
. NIDS
. , NIDS
TCP- TCP-. NIDS , . , , , , . ,
NIDS
.
2. .
.
. , , ; ,
. , Tripwire, , , IBM Tivoli Risk Manager Tivoli
Enterprise Console.
: http://tivoli.tripwire.com/
3. .
.
. . ,
HTTP
(get) URL.
4. . , (, -, - Web-) . ,
.
, ,
. Web- HTTP-, -
,
. , ,
() , , .
-
Sametime IBM Working with
the Sametime Community Server Toolkit, SG24-6667, . 63-84.
IDS Lotus Sametime. ,
-
. , , ,
, IDS.
IDS ( ), IDS, , Purdue University COAST
(Computer Operations, Audit, and Security Technology):
http://www.cerias.purdue.edu/coast/ids/ids-body.html#systems
IDS , IDS
.
NIDS, ,
, .
IDS
,
(, -).
,
, cookies Web-,
/.
4.1.6
,
, . , . , ,
.
IBM Tivoli Tivoli Access Manager,
. IBM Tivoli Access Manager Tivoli , , IBM:
Identity Management Design Guide with IBM Tivoli Identity Manager, SG24-6996
Enterprise Security Architecture using IBM Tivoli, SG24-6014
IBM Tivoli Access Manager for e-business, REDP3677
4.1.7
.
, , DNS DHCP,
- . , , , ,
,
.
:
DNS;
- SMTP;
- FTP.
.
DNS
[domain name service (DNS)]
IP- ,
IP- .
, MX- , , SMTP- .
, ,
DNS, , DNS. DNS, , . , DNS
, DNS, . DNS
, IP-.
DNS , .
DNS
( NS) MX. , , , , DNS-.
,
.
. ,
DNS ,
, , Web-, FTP-
-. DNS
, ,
.
DNS ,
. ,
DNS.
,
, , , .
, - , DNS, ,
DNS.
DNS- ,
- . DNS . DNS, , IP-.
- SMTP
- SMTP ,
SMTP- ,
. - SMTP , SMTP,
SMTP- (, UNIX sendmail Domino).
SMTP, - .
- SMTP . - - . - , ,
. -
. .4-3 - SMTP,
SMTP .
DNS MX
(mail exchanger), smtp1
acme.com. smtp1 , smtp2.
Figure 4-3. SMTP relay (labels in the figure: DNS, acme.com, SMTP1, SMTP2, FTP, relay.acme.com).
FTP
FTP- ,
File Transport Protocol (FTP).
(),
- . , FTP- ,
SMTP. , - SMTP .
,
, FTP (
). FTP- , , IP- , .
SSL
[Secure Sockets Layer (SSL)]
. . ,
, SSL. SSL (SSL record protocol) . , () SSL (SSL handshaking protocol),
, . SSL .
SSL. SSL SSL. :
1. .
2. .
3. , .
4. ,
,
( , ).
5. .
6. HTTP- HTTP- .
4.2
- ,
, Web-.
Web-, -
(, -, , , . .). , - . ,
, c
.
,
( ) Web- IBM.
, :
1. .
2. .
3. .
4.2.1 DMZ-:
. , ,
DMZ, (demilitarized zone).
DMZ 38- , 1953 .
.
, .
, .
DMZ T-
,
, .
DMZ . ,
(. 4-4).
Figure 4-4. DMZ
DMZ (, ) ,
(. 4-5). , ,
IP-.
DMZ
DMZ .
, , , (,
IP- ) .
, -
DMZ, , - .
DMZ .
.
. , DMZ -
.
, , DMZ, . DMZ .
,
, DMZ .
DMZ .
Figure 4-5. DMZ (filtering firewall)
DMZ- DMZ ,
, . : .
, .
Web- (HTTP) , , (FTP),
- (). - , , ,
, Web- , - -, . . . DMZ , .
4.2.2
,
,
.
,
, .
. ,
, .
,
. .
, , , , , , , , .
. , .
.
, (root). ,
,
, ,
. , UNIX-
( ); ,
, chroot jail1
. Google chroot
breaking out :
http://www.bpfh.net/simes/computing/chroot-break.html
, .
; UNIX-
chroot. . . .
, .
, , ,
.
,
-.
. , , -.
, , :
1. -.
2. -.
3. .
4. -.
, , . , ,
. , , . , ,
, , , ; , . , .
1. -
, , , .
, ,
. ,
; ( , ) , .
- :
- .
- -
.
- -. , , , .
2. -
, .
,
- (, DNS, -,
- c , -). - :
. ,
-.
.
,
. , - - ,
, .
IP- .
- -
.
, -,
.
.
.
-
.
, ,
.
( , , , ISDN, ADSL, VPN . .).
3.
, IP- .
- , , , . :
( RFC 1918), IP ,
- -.
.
-. ,
.
. .
T-.
.
.
( )
( -).
.
, .
4. -
IP-. . - :
IP- ,
, ,
.
.
.
, ,
-.
, T- .
.
( )
, -
(, ).
, ,
. , , .
, - .
- -, , . ,
.
, , .
,
/ .
4.2.3
. ,
. :
, ;
;
, ,
;
, ,
;
, .
.
? . , . ,
. , IP-
, . , . , ,
IP-,
. , .
, -
. ,
, . ,
. ,
.
.
,
, . T- ,
.
, ,
,
. ;
IPSec NAT- IPSec NAT-. , -, T-. ,
, T- . T- - .
, . , . ,
.
.
, -,
.
- T-, .
.
( ).
.
, ,
.
IP- , .
(NAT).
.
(VPN):
SSH (
);
.
( )
SOCKS V5.
, , .
.
.
, :
, , (). (. 4-6).
, . , . , , . ,
, .4-7
, .
,
. Cisco PIX ,
Figure 4-6.
Figure 4-7 (network diagram; equipment labels in the figure: Cisco 2509, Cisco PIX 535, Catalyst 3550, Cisco 3600, IDS).
, , , ,
VPN, . ,
. ,
.
.
, (),
, .
:
HTTP, ;
DNS;
SMTP.
, .
,
, , ,
.
, , , .
4.2.4 :
,
, , . , .
. - .
. ,
,
.
,
. ?
, , ,
x y. ,
x y
. ,
. .
.
- . - , , -.
-, , , ,
, . - ; , - . .4-8 ,
.
Figure 4-8.
, . ,
-.
- (firewall routers) .
, ( )
- . , - ( ) . -. , , -
.
.
.4-8: ,
. , -
- ( -). , -.
, ,
- . ;
, .
.4-9 .
- .
. , - -
Figure 4-9 (labels in the figure: IP, IP 1, IP 2).
. ,
, ,
.
-, -. 2 1 . , , ,
- . ,
-.
Web- -.
-.
4.2.5
, .
, . , 1.3.3,
.
,
.
, .
-
() . - (challenge-response)
. .509
Notes.
LTPA cookie HTTP. .
, ,
.
-
, . .509 Notes. - (challenge-response). ,
, .
.
, ,
. , ,
SSL, Notes Domino Domino Domino
Domino.
1, T-.
, .
, , .
.
. , ;
. , IP-, ,
.
. , , .
.
-, .
, SSL . , . -
.
,
,
Secure Sockets Layer (SSL). ,
. -
- .
.
- -
, , .
,
,
. , . ,
-, . ().
.
4.2.6
4.2.3, , ,
, .
,
, .
, .
4.2.4,
: .
/
:
1. ;
2. ;
3. ;
4. ;
5. ;
6. ;
7. ;
8. ;
9. .
. 4-1 4-9
:
H ( ; );
(
, ).
.4-10 , , FTP .4-1.
-
Figure 4-10. FTP: X / FTP: H
. . ,
.
1. - -
4-1 - - ()
HTTP
TCP
80
HTTPS
(SSL
TCP
443
FTP
FTP
DNS
TCP
TCP
UDP
20
21
53
X
X
80 , HTTP (DNS, SMTP ..)
X
X
443 ,
HTTP (DNS, SMTP ..)
X
H
FTP-
X
H
FTP-
X
H
H
X
2. - -
4-2 - - ()
TCP
25
H
SMTP
DNS
UDP
53
HTTP
TCP
80
HTTPS
(SSL)
TCP
443
( -
SMTP)
DNS DMZ-
NAT-,
NAT-,
H
X
3. -
4-3 - ()
HTTP
TCP
80
SSL
(HTTPS)
DNS
TCP
443
X
-.
X
-
UDP
53
LDAP (SSL)
TCP
636
SMTP
TCP
25
SNMP Trap
UDP
162
NTP
UDP
123
TSM/ADSM
Backups
TCP
1500/1501
H
X
-
:
(traps)
.
-
.
- ,
4. -
4-4 - ()
SMTP
SSH
TCP
TCP
25
22
H
H
X
X
LDAP (SSL)
TCP
636
DNS
UDP
53
HTTP
TCP
80
HTTPS
(SSL)
TCP
443
& ;
(
)
-
:
/
DNS
NAT -
/
NAT -
/
H
X
5. -
4-5 - ()
25
SMTP
TCP
UDP
53
NTP
SNMP Trap
UDP
UDP
123
162
H
H
H
H
/ IP-
DNS-,
TMR/GW/Netview
Netview.
(traps)
DNS
Domino
Replication
MQ Series
MQ (HACMP)
DB2
(JDBC -
DPROPR)
TCP
1352
TCP
TCP
TCP
1414
1415
37xx
H
H
H
H
H
H
/
/
3700-371x
H
X
6. -
4-6 - ()
FTP
FTP
DNS
SNMP
SNMP Trap
LDAP
DB2 Admin
LDAP (SSL)
TCP
TCP
UDP
UDP
UDP
TCP
TCP
TCP
20
21
53
161
162
389
523
636
X
H
X
H
X
H
H
H
H
H
X
H
X
H
X
H
Domino
Replication
MQ Series
MQ (HACMP)
DB2
(JDBC - DPROPR)
net.commerce
ESM
TCP
1352
TCP
TCP
TCP
1414
1415
37xx
X
X
X
H
H
H
TCP
TCP
X
H
H
X
Tivoli
TCP
4444
5599,
5600,5601
20001
zOS/390
zOS/390
/
/
3700-3719
H
X
7.
4-7 (-)
HTTP
TCP
80
X
X
443
LDAP
TCP
389
LDAP (SSL)
TCP
636
Domino
Replication
TCP
1352
H
X
/XML
( )
/XML
( )
(
)
(
)
(
)
8. -
4-8 - () NAT/PAT
HTTP
TCP
80
443
NAT/PAT
/
NAT/PAT
/
H
X
9. - -
- -
, , ,
. , - , . , IBM.
, HTTP-
- -, HTTP-.
80 443 - HTTP-.
.4.9 , . ,
, ,
.
4-9 - - ()
TCP
25
SMTP
DNS
UDP
53
HTTP
TCP
80
HTTPS
TCP
443
X
X
SMTP-
X
X
DNS
X
X
Web-
X
X
Web-
H
X
4.3
.
.
,
, . .
,
. , :
1.
, .
2.
.
.
. :
1. . ,
- -.
2.
.
.
4.3.1
, . Acme Web- . Lotus Domino. WebSphere. ID , () LDAP.
URL- Tivoli Access Manager.
Acme [ ,
()] . , [ , ()],
. , .
.4-11 .
.4-11 , .
.
Figure 4-11 (numbered request flow; labelled components in the figure: WebSeal, DNS, WebSphere, Domino, IBM (LDAP)).
,
/ . ,
URL-, URL DNS-. URL IP-, IP- - 1. 1
HTTP GET ,
-. ( LTPA), Tivoli Access Manager ( 2) .
(ID , 3),
, Tivoli Access Manager ( 4). Tivoli Access Manager
LDAP ( 5), , - LTPA
GET ( 6) ( 7). WebSphere Domino (8). , , . , , .
1.
-. - LDAP (SSL, 636) Tivoli Access Manager. ,
-, - Tivoli Access Manager,
Tivoli Access Manager
SSL. LDAP SSL -
. , SSL (-) X.509 .
2. Web- - . SSL, ;
, SSL
- .
-
HTTP . 80 - 1 Web-
1.
Domino . ( 9 .4-11)
Domino Domino ( 10). -
Domino ( 11). ,
, :
(Notes ID ) ; -
. Domino ,
.
, . . , .
, ,
, . .
- ,
. , , , , ,
.
4.4
, :
;
;
;
.
, :
1. -.
2. -.
3. .
4. -.
,
, .
,
, .
,
.
(IP)
.
( ).
.
NAT ( ).
.
.
IPSec, SOCKS, .
DNS .
- .
- SMTP
.
- ( -)
IP-.
- .
( DoS-
).
(SSL).
.
.
.
.
.
HTTP-.
5
-
. , ,
, ,
.
-.
- ( ) ,
.
IP-,
.
( ),
, . , ,
.
-
5.1
proxy, , , . , proxy - ( -),
.
,
-,
( ) . ,
, , , ,
. https- 443 http-
80.
,
, , , , ( ) . .
( ), ,
- .
, . ,
( )
() , , ,
.
() . , ,
,
.
5.2
, .
,
( bind), .
, ,
. ,
, , .
, . , ,
,
. Notes, Lotus Notes
Notes .
,
-.
5.3
, . , -. , - .
.
, , :
(forward proxies);
(transparent proxies);
(caching proxies);
(security proxies);
(reverse proxies).
5.3.1
-,
,
, ( ) (
, , - ).
, ( )
. .
,
Web- .
( , ) - WAN- ( ),
.
-
5.3.2
-, ,
, . Linux/UNIX ,
, . , () , , ,
, .
, ,
, , ( : HTTP) . , proxy.mydomain.com, proxy.mydomain.com, . , (HTTP),
.
, ,
, .
,
. , , , ,
, .
, , .
5.3.3
, , -, , . , , .
, ,
. ,
, , . HTTP- HTTP
cache.
. ,
IBM Edge Server: IBM
Caching Proxy. .5-1
-.
Figure 5-1.
5.3.4
- .
( )
.
-. , .
, , - , .
[plug-in ()] ( , IBM Tivoli WebSeal Plug-In IBM WebSphere Edge
Server). , , IBM Tivoli Access Manager for
e-Business, .
4.1.6, .
5.3.5
,
.
, , -
-
Figure 5-2.
(
, ) , , . ., .
:
!
.
, . -. ,
, .
, , ,
.
. ,
.
,
, .
, .
, .
,
. , ,
. , Web- .
[Reverse Proxies Secure Servers (RPSS)] ( ) , .
RPSS
, , .
(blade). ,
IBM Tivoli Access Manager; ,
(WebSeal , WebSeal-lite).
5.4 Lotus
Lotus Domino . Lotus Sametime.
.
Domino
Lotus Domino (Notes/Domino, iNotes, QuickPlace . .).
5.4.1 Domino
, ,
Domino . ,
HTTP.
Domino , .
, ,
, ,
Java- . , Domino
blade () , .,
, IBM Blade Center. . . .
-
, -
. - Domino
:
?OpenImageResource
?OpenElement&FieldElemFormat=gif URL
IBM WebSphere Edge Server
(Last Modified Factor).
/mail*. , ( , /mail[1-3]), .
, , , /pubmail/*.
,
iNotes Web Access.
, ,
/names.nsf, .
Domino Directory, ,
.
URL- Domino . Domino,
/names.nsf?Login. -
Domino. , ,
(Groups) /names.nsf/Groups?Openview /names.nsf/85255ed5006cafef852556d4006ca21c?OpenView, Domino, - , .
403, .
URL- Domino
- URL, -,
URL .
URL ( IBM WebSphere Edge Server SignificantUrlTerminator)
Domino, URL- Domino ? - URL- .
URL, Domino, :
SignificantUrlTerminator ?OpenImageResource
SignificantUrlTerminator ?OpenElement
SignificantUrlTerminator /?OpenImageResource
SignificantUrlTerminator /?OpenElement
Domino
ReversePass ( ) - 302 Domino
. URL- , , , :
ReversePass http://xxx.xxx.xxx.xxx/* http://proxy.formymailserver.web/*
-
Domino
- Lotus Developer Domain
(LLD) Web- iNotes - WebSphere Edge. LDD :
http://www-10.lotus.com/ldd/today.nsf/62f62847467a8f78052568a80055b380/ff0e835068e03c3685256cda0054a213?OpenDocument&Highlight=0,reverse,proxy
5.5.2 -
,
- Sametime 3.1.
URL ( id)
Sametime -,
(affinity-id)
( ) URL-, . , -
URL :
http[s]://hostname:port/affinity-id/
hostname
(FQDN) (DNS-) -, affinity-id
, -.
URL
http[s]://reverseproxy.ibm.com/st01/stcenter.nsf
st01
(affinity-id). id Sametime
(, sametime.ibm.com), . id -
Sametime.
-
-
, Sametime
-, :
-
DNS-
.
, - reverseproxy.ibm.com, - reverseproxy.ibm.com. - DNS, Sametime
Sametime, -. Web- -
, (, IBM WebSphere Edge Server).
-
.
-
URL-, Web- -,
Sametime. URL URL- Sametime -, Sametime
Sametime, -.
-
- cookies
-, URL- , . - HTML URL-,
.
-.
- ,
URL-
. Sametime -,
.
,
cookies. ,
cookies ,
-.
cookies
- cookie . , cookie
,
Sametime, -.
5.5.3 Sametime
-
Sametime 3.1 -,
Sametime.
JVM
Sametime Sametime -. :
Sametime Meeting Room Sametime Broadcast.
, Explorer 6 Netscape 7,
Sun Microsystems JVM 1.4.1.
Sametime -, :
/. /-
Sametime, Sametime
-.
TeamRoom Discussion. , Sametime -, Sametime TeamRoom Discussion.
Sametime Administration Tool. , Sametime -, Sametime Administration Tool.
Sametime Administration Tool
Sametime Web-. Sametime Administration Tool
Sametime
, HTTP- -.
Sametime Enterprise Meeting Server.
Sametime 1.0 Enterprise Meeting Server, Sametime
3.1, -.
5.5.4 SSL,
Sametime - [Secure Sockets
Layer (SSL)]. SSL , Sametime -. Sametime .
-
SSL Sametime, Sametime Java Plug-in Web- ( , . .). Java Plug-in - SSL, SSL.
, , , Java Plug-in, .
- SSL, SSL- ( handshake) Web- SSL . Web- Java 1.4.1
Plug-in (Signer certificate),
(Certificate Authority (CA)), .
Java Plug-in
, . Java Plug-in 1.4.1 Java Plug-in :
1. Windows [Start () Settings
() Control Panel ( )].
2. Java Plug-in 1.4.1 Java Plug-in.
3. Certificates ().
4. Signer CA ( ).
( ) SSL- , - Web- , (CA) .
-
, Java Plug-in 1.4.1 . Java Plug-in Certificates () Java Plug-in.
:
1. Windows
[Start () Settings () Control Panel ( )].
2. Java Plug-in 1.4.1 Java Plug-in.
3. Certificates ().
5.5.5 -
Sametime
Sametime -, - .
- ( ) URL-, -, URL Sametime.
Sametime -,
, Sametime .
Sametime HTML . - URL- HTML-, Sametime.
Java- Sametime, Web- , Sametime.
-,
- URL-, Java- Sametime.
, - ( ) URL-
Sametime.
-, Sametime,
URL- (affinity-id) (
).
, URL- Web-
http[s]://reverseproxy.ibm.com/st01/stcenter.nsf
- id st01 Sametime, sametime.ibm.com,
id - URL-
:
http[s]://sametime.ibm.com/stcenter.nsf
-
/st02/*
http[s]://sametime1.ibm.com/*
/st01/*
Sametime
URL-, Sametime, .
- URL, Sametime, . , ,
URL- Web-:
http[s]://reverseproxy.ibm.com/st01/*
URL- Sametime:
http[s]://sametime.ibm.com/*
,
URL,
Sametime -.
,
Java-
URL-
Java- Sametime Web- Community Services, Meeting Services, Broadcast Services Sametime.
: Community Services, Meeting Services Broadcast Services.
Community Services
,
Java- Community Services.
URL- Java-
http[s]://proxy.ibm.com/st01/communityCBR/
http[s]://proxy.ibm.com/st01/CommunityCBR/
URL- :
http://sametime.ibm.com:8082/communityCBR
http://sametime.ibm.com:8082/CommunityCBR
. Community
Services ,
. Java- communityCBR ,
Java- CommunityCBR .
,
.
Meeting Services
,
Java- Meeting Services.
URL- Java-
http[s]://proxy.ibm.com/st01/MeetingCBR/
URL- :
http://sametime.ibm.com:8081/MeetingCBR
Broadcast Services
,
Java- Broadcast Services.
URL- Java-
http[s]://proxy.ibm.com/st01/BroadcastCBR/
URL- :
http://sametime.ibm.com:554/BroadcastCBR
HTTP-, Java-
Sametime HTTP- 80.
Sametime HTTP 80,
Sametime (Community Services,
Meeting Services Broadcast Services), .
HTTP- 80 , Sametime
HTTP-
. , .
Sametime HTTP- 80, Sametime .
-
,
Sametime, Sametime
Sametime.
HTTP- 80, Community Services Sametime HTTP- HTTP
Services, Community Services, Meeting Services Broadcast Services Sametime.
Community Services
( 80).
Sametime ( HTTP- 80), Java- . Java-
Sametime ,
.
,
URL- Java- Sametime:
http[s]://proxy.ibm.com/st01/*
- URL-:
http://sametime.ibm.com/*
. Sametime HTTP-
80, ,
Community Services.
HTTP-,
HTTP.
Configuration ()
Sametime Web Admin Connectivity (). Reverse Proxy Support ( ).
-,
(junction name)
Server Alias ( ).
Sametime ,
Sametime -. .
. ,
- Sametime -.
Sametime
.
. , Sametime
-, Sametime
Sametime.
5.6
, - Lotus IBM.
- .
, URL-, HTTP, . ., , .
Domino Web Access (iNotes)
iNotes Web Access
, Web- Lotus Developer Domain
http://www-10.lotus.com/ldd/today.nsf/62f62847467a8f78052568a80055b380/a96b7591a013173185256c79005c1af3?OpenDocument
( , ) ,
, ,
, .
-
. , ,
, .
, ,
, . ,
, . .
, ,
- ,
. , IP-, .
( )
NETSTAT.
netstat -an | find "LISTEN"
netstat -an | find "8080"
TCP    0.0.0.0:8080    0.0.0.0:0    LISTENING
, , , , , , .
-, ,
[single sign on (SSO)],
, ,
Sametime.
Lotus ,
,
.
. ,
, , - (
-)
, :
, .
( ),
, ,
, .
, ,
(no-cache)
(expires), Web-.
IP-
- IP-
. , , IP-.
HTTP . ,
IP- .
HTTP, IP- . ,
.
-
DNS
-
DNS. , -
IP- , . , , .
, - ,
. -.
, - , /
(), .
.
, , , . ,
, .
5.7
- , . ,
.
IBM Lotus.
4, ,
.
, ,
[public key infrastructures (PKI)],
Notes Domino.
PKI Notes Domino,
PKI, Web, , .
(Certificate Authorities)
(Registration Authorities),
. , ,
Domino .
, SSL, ,
SSL .
SSL
Domino .
6.1 Notes
(PKI) Lotus Notes Domino. :
PKI Notes , . , PKI ,
.
, Notes Domino, , , PKI.
. 1
, .
: (confidentiality), (authentication) (identification), (integrity) (non-repudiation).
, Notes Domino . , ,
.
Notes
6.
6.1.1
PKI, Notes Domino, ,
.
, . Domino (Domino
Directory). Notes Domino Notes ID.
, Notes
Domino. ,
, , . . Notes Domino Notes
Notes ID.
6.1.2
Lotus , :
(flat certification). Notes 3 (hierarchical certification).
, , .
5; 5 6 .
Lotus Notes, ,
6, Lotus
.
. .
Lotus Notes.
:
ID , ID Notes.
,
ID Notes.
Notes ID,
(Public Address Book).
.
, ,
, .
,
. , ,
. , ,
. , ,
, .
! ,
. -
, , .
, , , .
Lotus Notes Domino 6 (ID) , ID
Notes R4.
, ID , ,
,
.
,
, .
, , .6-1.
Acme, , , .
,
.
Figure 6-1 (Acme).
Switzerland/Acme.
, RSA- (/).
Switzerland/Acme. , ID
Switzerland/Acme.
. //Acme. ,
RSA- (/).
//Acme. , ID
//Acme.
,
.
() .
Acme o=Acme.
ou=Switzerland/
o=Acme. ou=USA/o=Acme,
ou=East/ou=USA/o=Acme.
cn=Sandy/ou=Switzerland/
o=Acme.
cn=Dave/ou=East/
ou=USA/o=Acme.
, ,
ID ID .
, ,
. ,
,
Acme. ,
,
(crosscertification), .
, ,
, , [ (ID) , ] :
;
;
Notes ID;
.
ID- ,
Notes ID , , . Notes ID:
ID- (Certifier ID). , ID. :
ID- () ID- (OU) (organizational unit). ID- ; . ID ( ) ID-
.
ID: ID-
Notes ID1.
ID- (Server ID). ,
, Domino. .
ID- (User ID). , Domino.
.
ID- ,
. -
, . Domino 6, Domino 6 CA,
ID- Notes .
Domino ID . ID-,
:
. ID- . ID- .
: ID . . . .
.
, Domino
Notes: .
Notes ID- . Notes, ,
, ID- . , ID , , ID . , :
,
, .
630. (primary keys). Notes 6 Notes.
,
.
512 . Notes 6
Notes.
. (
).
. Notes ,
, , ID , .
(.) .
.
(, Notes.) -. -
SSL,
S/MIME. - [Certificate
Authority (CA)] . , -, . .
, ID , , , ,
. , ,
, .
.6-2 Notes ID, (
Notes ID), (
ID ).
:
1.
,
ID. Notes , ID (,
).
2. , Notes, . Notes ID ,
ID . Notes ID, Notes .
ID
#
Notes
()
()
.6-2. Notes ID
Notes
Lotus Notes Notes, Notes ID.
, ,
Notes.
, , , Notes
ID, .
Notes, -
( Notes).
Lotus Notes Lotus Domino,
Domino , ,
. Notes Domino . Notes Domino, Domino
.
.
Notes, Notes ID, , :
, .
, .
, Domino, ID.
Notes , ,
ID.
.
.
, , .
.6-3 Notes Notes ID.
Figure 6-3. Notes
, Notes ID. Person (), Server () Certifier ( ) Domino (Domino Directory).
Notes ID, , ,
Notes (/).
.
, Domino
Notes ID .
Notes , Notes ID .
,
Notes ID ,
.
. ID
Notes ID -. ; ,
Notes Notes ID.
Notes, ID
:
Notes.
Notes, ,
Notes Notes Domino. Notes ( ,
, Notes
). Notes.
Notes. . ,
, .
, . ID
(User ID), .
. Notes 4.6 , ,
.
. 5
Notes Domino ,
:
Notes ID ,
Notes 5 .
Notes
, ID Notes
: File () Security ()
User Security ( ) [ Macintosh
Notes Security () User Security ( )].
Notes ID Your
Identity ( ) Your Certificates ( ). Notes. Your Notes
Certificates ( Notes), .6-4, , Notes,
Notes Notes.
Notes
All Notes Certificates ( Notes), .6-5, ID Notes, Notes, Notes (Notes CA),
.
, R5.0.
Notes ID
. ,
Notes, .6-5.
, Frederic Dahm/Switzerland/IBM,
Frederic Dahm, Switzerland/IBM.
; . , /Switzerland/IBM,
, , , IBM. , /IBM
IBM (
).
-
Domino Notes 5.0 x.509 v3. , 5 6, Notes , Domino 6, x.509 v3
Notes ID.
Your Internet Certificates ( -), All Internet Certificates ( -). All Certificates ( )
Notes x.509.v3. ( - ).
Notes ID, , Notes. Notes. , , Notes
ID ( .6-2) Notes ID.
, .
.
, , , . , , , ,
, . , ,
.
R5.0 Notes ID Notes .
, .
, , .
(ACL) . ,
,
.
, . , ACL
ACL , .
Notes,
5. , :
Notes/Domino , ;
Notes/Domino
, ;
Notes ID-,
.
6.1.4 Notes
Notes ID .
Notes ID
; .
, ID Notes , Notes ID .
Notes ID
.
Notes ID .
ID Notes
. ,
ID.
Notes ID, . , ,
ID.
Notes (
6) Notes ID,
ID
.
ID Notes
( ). 4 6 Notes.
, Notes .
30. .
Notes
.
4 5 . 6
, (, ,
, . .),
. .6-6.
.6-6. Notes
, ,
Notes.
. , ,
Cancel ().
,
. ( ,
, .)
ID Notes ID .
, Notes ID
( , ).
, , .
Notes ID , Notes ID ( , ) .
(, ).
, Notes ID . ,
Notes ID , ,
Notes ID . ,
, ID .
. ,
ID Notes ID Notes.
ID Notes .
Notes ID , Notes ID.
:
1. Domino Administrator Configuration () Certification ().
2. Edit Multiple Passwords ( ).
3. Notes ID, , Open ().
4. Notes ID ( ).
5. , Notes ID,
:
) Authorized User ( ).
b) New Password ( ).
c) Confirm Password ( ).
d) Add (). Notes ID.
6. , Notes ID.
, Notes ID.
7. OK.
Notes
,
. , , (, ,
).
Notes Domino Notes ID
.
; , . ,
. (, 3-%9&4#_6!), .
, - (, password), .
,
, , ,
. , , , , ,
.
Domino 5 ,
. Notes 5
.
:
. , Change Password ( ).
. , Change
Password ( ), (0 , 16 ).
, . ,
, .
,
(, ,
), Notes .
ID , , , ID-, Notes 6, Notes.
,
.
Domino 6 , . , , . ,
. ( Lotus Domino 6 Lotus Domino 6 Administrator Help.)
Domino 6, , ,
, ID.
,
Your
Password is Insufficiently Complex ( ).
4.5 Notes , 6.
, , , Person.
, Person .
50 , .
,
, . / , ,
.
, Lotus
Notes RSA. ,
- ,
ID .
Domino Directory , , ID-.
, Notes,
Domino 4.5 . , , 4.5, . , ,
,
. ,
, , ID
.
Notes ID Notes ID
Notes ID
5 6.
Notes ID, ,
Notes ID.
Notes ID , , ,
Notes ID .
ID. ID, -
, .
(Recovery Authorities) ( [Registration Authorities
(RA)], Notes ID, ( ) Notes ID.
, ,
ID.
Notes ID,
.
,
Domino, .
Notes ID ,
ID-. Notes ID , .
, , Notes ID, .
Notes ID ,
(,
- CD-ROM),
, , , , ,
, . .
Notes ID 4. Notes Escrow Agent ( ).
, , ,
Notes ID ( ) . ID.
, Notes . Escrow Agent ,
Notes ID, Notes ID , . ,
.
, , .
Notes ID
Notes ID .
,
, Notes ID, ID ,
.
ID
Lotus Domino 6 Lotus Domino 6 Administrator Help.
Notes ID
Notes ID Notes ID
, ,
Notes ID . (RA) Notes ID Notes ID.
, Notes ID .
Notes , Notes ID , ,
,
ID . Notes ID .
Notes ID
Lotus Domino 6 Administrator Help.
6.1.5 Domino
Notes ID ( ID ,
) Domino,
Notes, Domino (Domino Directory).
Domino Person , ,
, Notes.
.6-1 Person.
Basics ( )
Mail ()
Certificates ()
Administration ()
; ; ; ;
; ; -
; ; ; ;
Notes; ;
; ;
; (grace period);
; ; ;
; ;
;
.6-7. Domino
. ID Notes,
, Person.
, Domino ,
ID Notes .
, Domino Server, , Person, .
, Domino Certifier. .6-7 , Domino
.
6.1.6 Domino
, Domino, , .
.
Domino Domino.
Domino Domino , Domino.
Domino , ,
. , Domino
.
.
6.1.7
,
,
. , , ,
, .
,
Domino ,
Domino . , .6-8, Acme
Widget .
, , , . ,
, ; , , .
.6-8.
,
Domino, .6-9.
Acme : Sprocket Widget. (
Acme), , Sprocket
Widget.
, / ,
, ( Domino)
. ,
Domino, 6,
, . ,
.
.6-9.
6.1.8 Notes
Domino : Notes- -. Notes
, -
.
Notes , . ,
, , .
Notes?
, ,
, .
,
(
, , ).
:
? , , - ,
.
Notes Domino .
.
,
().
, , Notes
. Domino
Domino. Domino
Notes
(Personal Address Books).
, .
. , :
( );
;
.
, ,
.
. ,
,
.
, , .
, . ,
.
, ,
.
(ACL) .
, , , Widget Acme, .
,
.
:
1. Acme (/Acme) Widget (/Widget)
Domino Acme.
2. Widget (/Widget)
Acme (/Acme)
Domino Widget.
(:
Acme Widget ). .6-10.
.
.6-10.
, .
, Acme Widget , ,
, .
, .
:
.6-11. ()
.
, Acme Widget
, . Widget Acme
Acme, Acme , Widget,
Domino.
,
, Acme
Widget.
:
1. Acme (Server/Acme)
Widget (/Widget) Acme.
2. Widget (/Widget)
Acme (Server/Acme) Domino
Widget.
.6-12.
(:
Acme Widget ). .6-12. Acme
Widget, Acme Widget.
Domino 6,
Lotus Domino 6.
6.1.9
.
, . 1, .
, 1. ,
, , , .
, ,
, , .
. , , , ,
, ,
.
, , .
, ,
. , . , ,
.
, . , Notes Domino.
:
-, Domino .
,
.
Notes, Domino.
,
. , ( ).
,
Notes Domino.
, Notes . ,
/ ID /,
.
Notes , ,
,
(PKI) Notes, , Notes.
. Notes ,
, Notes Domino.
,
, .
6.1.10 Notes
, Lotus Notes Domino
1352 TCP
Notes [Notes Remote Procedure Calls (NRPC)]. , ,
Domino Notes.
Notes
. , (validation), . ,
.
Notes
:
1. , Notes ID.
2. , , .
3. ,
.
1.
,
.
. ID ,
, .
, Notes ID ( , , ). .6-13.
4. , Notes ID , .
5. /Widget, , , //Widget . ( 3, ,
.)
6. .
, .
2.
,
. . , ,
.
, , ,
, . , ,
. ,
Notes ID
(, , ).
, , ,
, , , , , .
/
.
, ,
, .6-14.
, , , .
.
7. .
8. .
9. .
10. .
11. .
12. , , , .
, . /, .
, . RSA-
-. , , .
, , . ,
,
.
. Domino,
,
. [
(User Activity).] , . ,
. . . .
.
,
, . , -
.
, Domino, , , ,
, . ,
, .
,
. / .
.
,
Domino Notes
Domino.
1. Domino Administrator Configuration () Server ().
2. Security ().
3. Security Settings ( ) Allow anonymous
Notes connections ( Notes).
4. .
5. Anonymous () (ACL) , .
Reader (). Anonymous ACL,
Default ( ).
6. , .
, .
, ,
, :
Server X cannot authenticate you because: the servers Address Book
does not contain any cross-certificates capable of authenticating you.
You are now accessing that server anonymously. ( , : , . .)
6.1.11
, . (data integrity), .
, ,
,
[ (tampering)].
, ,
.
. ,
. ,
. , ,
, .
, Notes.
. ,
. ,
, .
, Notes,
RSA-, . , Lotus Notes, .6-15.
.6-15. Lotus Notes
.
1. Notes. Notes,
, Sign (), ( MD5)
( d digest).
2. Notes RSA-
( RC2), , RSA-
.
3. .
4. Notes RSA-
( RC2) ( d).
5. Notes
( MD5, d).
6. Notes ( d)
( d), ,
. ,
. , ,
.
, , Notes ,
, . Notes , .
:
1. , .
2. , .
, , .
6.1.12
, , (confidentiality). .
, , ,
[ ,
() ]
.
, , , , .
, , , ,
, .
. ,
, . : , . ,
T- , , . ( ,
, , .)
T-
, , , Notes.
Notes.
Notes . , Notes ,
. . Notes ,
. ,
. ,
Notes Domino ,
, . Notes RC2 RC4.
Notes.
Notes ID / . 5.0.4
, . , 512- RSA- 56- ,
, .
.
, Domino, Domino Administrator, Domino Designer, Lotus Notes (North American), (International) (France) Global () .
, .
, , -
. Notes .
Domino Notes,
ID. , .
. , (d 5.0.4 ).
.
Register New User ( )
ID. ,
. .
Lotus ,
.
. .
.
Lotus
, ,
,
.
, ID Notes Domino,
. .
ID.
, ID.
, , 5.0.4.
, Lotus Notes
ID.
. , .
5.0.4. 5.0.4 , , -
ID . ID .
5.0.4. Lotus Notes,
Domino, 5.0.4 , , . , , Notes Domino 5.0.4,
ID; . 5.0.4
ID,
ID. ID, ID.
ID , Notes Domino.
Notes Domino .
Notes ID
Notes ID. , .
1. Notes ID ( , Notes ID ,
), , , ( ID, ).
2. Notes ID , Notes
ID . Notes ID , , Notes ID , (, ).
, Lotus Notes , ,
. ,
Lotus Notes, .6-16.
,
. .
1. Notes
. Notes, , Encrypt (),
( ,
,
, Notes), .
2. Notes ( RC2) , ,
RSA- .
Notes
Notes, Lotus Notes
. , ,
.
ID
,
. , , ,
, , .
, .
. ,
,
.
.
File () Preferences () Ports () .
6.2
,
, , ,
. , ,
.
Notes, ,
.
PGP X.509. Domino X.509,
.
-
1996 . Domino 4.5.
Domino,
Domino 6.
, 11,
Domino/Notes 6.
6.2.1 -
, , -.
, .
,
STD RFC, . ,
, .
- IETF (Internet Engineering Task Force). ,
- (Internet Drafts),
[Requests for Comments (RFC)], [standards (STD)]
IESG (Internet Engineering Steering Group).
(STD)
, -, ,
(standards track). (Proposed
Standard), (Draft Standard) (Standard).
(Proposed Standard), ,
, , , , -
, . .
, .
,
, (Draft Standard).
, . , .
,
, - (Internet Standard).
- [ (Standard)] ,
-.
, -
, , .
- IP (Internet Protocol).
- STD . , STD1, .
STD RFC
RFC. STD , RFC, RFC . , ,
RFC, .
(RFC)
[requests for comments (RFC)] 1969 .
,
- UNIX-. RFC , - RFC. , RFC RFC 822,
(e-mail) .
RFC, IETF ,
RFC;
, RFC . RFC .
RFC , , , ,
, , (ANSI).
RFC .
, , ,
,
, . RFC.
RFC , 1 .
, RFC; , , ,
, ,
.
STD RFC
STD RFC , .
Web- IETF, URL-:
http://www.ietf.org
RFC :
http://www.ietf.org/iesg/1rfc_index.txt
. RFC , :
http://www.ietf.org/rfc.html
RFC RFC RFC
2026 The Internet Standards Process, Revision 3 ( -, 3).
STD RFC
RFC -. RFC
. ,
RFC.
,
,
RFC
.
. RFC, , RFC
1796, Not All RFCs are Standards ( RFC ), :
http://www.faqs.org/rfcs/rfc1796.html
6.2.2 (PKI)
, PKI ,
PKI.
PKI ,
, . PKI
, .
:
SSL (Secure Socket Layer);
S/MIME (Secure Multimedia
Internet Mail Extension);
IPSec (IP Security);
SET (Secure Electronic Transactions);
PGP (Pretty Good Privacy).
, ,
, .
(PKI),
.6-17, :
[End Entity (EE)];
[Certificate Authority (CA)];
[Certificate Repository (CR)];
[Registration Authority (RA)];
[Digital Certificates (X.509 V3)];
.
[End-Entity (EE)]
PKI
, .
, PKI ,
PKI. ( , , - ) , ( , ).
.6-17. PKI
,
. :
, .
.
().
.
, , ,
, . (RA), . .
, . ,
, . , , ,
.
, ,
, , . , , . , , ,
.
, HTTP- SSL Web- ,
( Trusted Roots Trusted CAs), , ( ) VeriSign, Entrust,
Thawte, Baltimore, IBM World Registry . . Web- ,
CA,
, , CA- .
, , :
.
, , .
. RA, .
(,
, . .).
(). , . , .
. , .
. , ,
.
. . , CA
[Certificate Revocation List (CRL)].
, , CA . ,
, CRL .
(CR)
[Certificate Repository (CR)] CRL.
CR ,
PKI.
X.509 X.500,
CR (Directory),
LDAP (Lightweight Directory Access
Protocol), LDAP v3.
LDAP ,
CR CRL. LDAP
, , , bind, search
modify unbind. LDAP, CR, [ (Schemas)].
CRL,
CR, . ,
, CR,
,
CR. : , ,
, ( ),
. Domino
Domino (Domino Directory).
(RA)
[Registration Authority (RA)] . RA CA.
, RA, ,
CA CA. CA RA. , RA , , . RA
CRL.
6.2.3 X.509
(
) X.509.
,
, ITU-T X.509 ( X.509
CCITT).
X.509 -,
, , , :
SSL (Secure Sockets Layer);
S/MIME (Secure Multipurpose Internet Message Extension).
X.509?
X.509 X.500.
X.509 , .
.
X.509
. X.509 , , RSA .
X.509
RFC, [Privacy Enhanced Mail
(PEM)] , 1993 .,
X.509 v1 ( RFC 1422).
, RFC 1422,
, v1 v2
.
.
ISO/IEC/ITU ANSI X9 X.509 3 (v3). v3 v2 .
,
. v3 1996.
X.509
X.509 :
;
;
( );
( );
;
( );
: ;
2
3 ( 2);
2 3 (
2);
3 ( 3);
.
, , . X.509 V3 .6-18.
1 (ASN. 1),
.6-19.
ASN.1,
ITU-T X.208 X.209. .
[object identifier
(OID)]. , .6-19 AlgorithmIdentifier signatureAlgorithm,
(OID)
.6-18. X.509
. OID , (). , , OID, .
, ,
Notes.
, -, , . S/MIME-, , ,
S/MIME- .
, Notes
- SSL.
Certificate , .
(leaf certificate)2 ( , )
.
( ,
). ,
.
, , . , Sales/Acme
6.2.4 Web-
, .
, WWW,
HTTP (Hypertext Transfer Protocol). HTTP ,
( ) . , :
, ;
( URL-).
-
- Person, Domino , :
-, ;
.
, , (ACL) No Access ( ) ,
Domino .
,
, , Person , ACL .
.
TCP/IP SSL ( ). TCP/IP .
Web-, Web Domino, .
(Name-and-password authentication)
, ,
/,
,
Person Domino.
, Domino ,
- - . - -
Notes Domino , Domino Notes Domino , .
- -, ACL
Domino, Person Domino , , Domino LDAP. , Person,
, .
Domino Person ( ) .
. , Editor (), Author
(), Person.
(ACL) Editor, (Anonymous) Author.
TCP/IP,
SSL , - (LDAP, POP3,
HTTP, SMTP, IIOP IMAP).
HTTP
.6-20. .
1. ( , , GET HTTP).
.6-20. HTTP
2. , . , ( , Private
() 401 HTTP).
Web-
.
3. Web- , GET HTTP 1, , ID ( Base64).
4. , , .
, .
, , , URL, , URL- . , 401. , ID .
, ,
MIME- HTTP-:
Authorization : Basic <user ID and password block>
ID (user ID) (password block)
UserID:Password Base64.
, ID , , . ,
401 /,
ID .
ID
URL-, , , . Opera Mozilla,
Netscape Navigator Internet Explorer URL, .
401. , , ID , , , .
. -
. , HTTP , LDAP, TCP/IP, .
SSL, -
SSL SSL ,
SSL.
. ,
Domino SMTP-, Domino
SMTP- .
, Domino SMTP-,
SMTP- Domino.
, Domino Domino LDAP.
- (HTTP, LDAP, IMAP, POP3).
, Domino
-. Domino ,
Domino Java- IIOP Domino.
(Fewer name variations with higher security)
Fewer name variations with higher security . ,
, . , .6-2 Web- -.
6-2
Domino
CN=prefix
(,
Person,
1 first name)
- ( ,
- Person )
LDAP
DN
CN CN CN=prefix
UID UID UID=prefix
(More name variations with lower security)
Domino
. , . .6-3
Web-.
6-3
Domino
(Last name)
(First name)
cn=prefix
()
()
(,
Person,
first name)
Soundex-13
- ( ,
- Person )
LDAP
(Surname)
(Given name)
(CN) CN CN=prefix
DN
DN
UID UID UID=prefix
HTTP,
, :
.
, .
, cookie.
, . cookie.
, ,
.
.
(
SSL-)
, 1
Soundex . . . .
.
, .
, , , .
SSL
SSL , , . SSL
.
SSL ,
, , .
Web- Domino [Domino Web Server Application Programming Interface (DSAPI)] (C API),
Web- Domino. , ,
Web-.
DSAPI Lotus Domino Notes.
:
http://www.lotus.com/techzone
(Session-based name-and-password authentication)
Web-, ,
.
, Web- cookie. , , Web Site Server.
,
:
. cookie, ,
,
cookie,
, Web.
Web- , cookies.
,
. , . .
HTML-
HTML- ,
.
. HTTP Unicode. US-ASCII.
. .
Domino HTML- ($$LoginUserForm),
Domino (DOMCFG.NSF). , , . , , - -.
Web- .
, cookie, Domino , .
Web-, , , .
, URL- ?logout
, :
http://acmeserver/sessions.nsf?logout
URL-, :
http://acmeserver/sessions.nsf?logout&redirectto=/logoutDB.nsf/logoutApp?Open
http://acmeserver/sessions.nsf?logout&redirectto=http://www.sales.com
( ,
) URL-.
, , . ,
.
-
Domino 6 - . Lotus Domino 6 Lotus Domino 6.
. (round-robin) DNS,
(
).
DNS cookie . ,
,
, .
.
(Multi-server session-based authentication (SSO))
, single sign-on (SSO),
Web- Domino WebSphere
, Domino
WebSphere DNS, SSO,
().
Web- cookies,
(token)
cookie.
, , :
Domino (domain-wide
configuration document) Web SSO Configuration document. Domino .
Multi-server
Web Site Server.
Domino.
Single sign-on Domino.
Lotus, . 7,
.
- -
. Domino . , (log file)
(User Activity).
Notes, - - ,
. , ,
. Notes,
- - , .
TCP/IP SSL , LDAP, HTTP, SMTP IIOP. -, , . , SSL
HTTP-,
LDAP-, TCP/IP.
?
,
. , .
SSL, .
:
.
, - ,
, , Base64. , , . Base64 ,
, . , , , , HTTP-, ( , ) ,
.
, , .
, , : SSL (Secure Sockets Layer).
SSL ,
HTTP, ,
LDAP, POP3, HTTP, SMTP, IIOP IMAP.
SSL?
Netscape Inc., -
, . SSL , , , .
. SSL 3.0,
TLS (Transport Layer Security),
IETF. TLS RFC 2246: The TLS Protocol Version 1.0 ( TLS
1.0). Notes Domino TLS -
, SSL v3.
SSL 3, 1996 .,
, :
, , ;
,
, ;
, RSA;
( 3.0).
SSL
SSL:
(handshake),
;
(record protocol),
.
SSL
. 6-21 SSL. :
1. . ClientHello , SSL.
. 6-21. SSL
2. SSL , ServerHello
. ,
( ).
3. X.509,
.
, , :
4. .
5. .
, hello , -, ,
SSL , , (public key certificate). , (public key certificate).
, SSL (identity) -
. 6-22. SSL
(authenticity) . . 6.21 , .
, SSL. . 6.22.
(handshake)
,
. ,
SSL .
:
1. ClientHello
( ) .
2. , ,
ServerHello, .
3. , . ,
( . 6.22).
4. [ (pre-master) ], , , (
). , .
5. , ( 2) ( 4)
. ,
, SSL.
6. ( ChangeCipherSpec) , .
7.
.
, HTTP- SSL- .
..
. SSL-,
, SSL
, , ,
Web-, .
SSL
(master key),
.
,
. , , ,
. .
.
( ) ,
.
SSL . ,
message digest, MD5,
, , .
RC2 RC4, DES, Triple-DES IDEA.
, , X.509, , .
SSL
.
. .
. (
) ,
SSL.
SSL
,
Web- , .
:
?
?
?
- -?
?
Web-?
, , Web-?
,
, :
;
;
;
.
, Web-, ,
, , .
,
, .
, Web- SSL,
. SSL- URL http:// https://.
SSL- , . ,
.
.
,
().
,
[Certificate Authority (CA)],
. ( .)
, , . , (
),
.
Web- SSL . Web-
, .
,
-.
.
CA CA , , . ,
-,
.
Web- , , , Web-
. , , ,
.
( ),
, .
.6-21, SSL, SSL , . , ,
, .
. ,
,
[certificate authority (CA)].
? , SSL,
, (key ring file).
. .6-23 (
) Opera, .
. 6-23. Opera
, .
, - CA.
, .
, CA
( ).
, . , CA ,
, ,
, .
.
MIME, application/x-x509-ca-cert, CA,
CA. PKCS #7, URL-:
http://www.rsasecurity.com/rsalabs/pkcs/pkcs-7/
SSL , , , , ,
CA. ,
( CA, ).
. , -, ,
SSL-,
CA. , , ,
, ,
. ,
,
.
,
. , , . CA
, Web-
( ). ,
CA.
, ,
: CA ,
, , ,
, , .
. 6-24 ,
Opera , ,
SSL-.
. 6-24. , ,
:
, ;
;
,
.
, , . , CA ,
,
, CA.
. , -, ,
SSL-,
1, . ,
, ,
,
, .
, , VeriSign.
: draft-ietf-smime-ess. . . .
, , , ,
, .
CA .
online,
. -. , .
Netscape
, , (,
Mozilla, IE, Lynx . .).
Netscape <KEYGEN>, HTML,
. ,
( PKCS #10) . CA X.509 v3 MIME- ( PKCS #7), .
, Internet Explorer,
, IE
ActiveX (CERTENR3.DLL IE 3.0 XENROLL.DLL
IE 4.0). ActiveX /
PKCS #7 CA , Netscape.
6.2.6 Domino
(Certificate Authority)
PKI, , CA
, SSL. CA
(, S/MIME, ).
, .
Domino CA .
Domino 6
, X.509 ( SSL- S/MIME) IBM (IBM
Redpaper) The Domino Certification Authority, REDP ( Domino).
6.2.7
.
: ,
;
.
X.509 v3
SSL,
-, . , ,
,
, .
, , , , Lotus Notes - , Domino .
, - , .
-.
SMTP
SMTP (Simple Mail Transport Protocol)
,
DNS (Domain Name Service) Mail eXchange (MX)
.
, , SMTP.
SMTP, , . , SMTP, SMTP,
SMTP-.
SMTP 7- ASCII,
, ,
- , .
MIME
MIME (Multipurpose Internet Mail Extensions) , ASCII, .
, SMTP
,
, ASCII.
MIME ,
.
, , MIME,
Subject. .
From: frederic.dahm@ch.ibm.com
To: roger.guntli@ch.ibm.com
Subject: Map of Western Canada
MIME-Version: 1.0
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-ID:
Content-Description:
[JPEG data]
MIME,
, - . ,
, MIME ,
, ASCII.
POP
POP IMAP ( ) , .
POP (Post Office Protocol) 3 (POP3)
. , , 24 , 7 .
, , .
, ,
, , .
POP3 .
ID , , ,
, .
IMAP
IMAP4 (Internet Message Access Protocol, 4, (Interactive Mail Access Protocol))
,
.
, IMAP4, POP3,
. IMAP, ,
, , .
IMAP Web- , :
http://www-camis.stanford.edu/projects/imap/ml/imap.html
, , ,
.
SMTP
SMTP -
SMTP- .
, SMTP- ,
, , .
, , ,
. , , , SMTP. , , ,
SMTP-.
, , ,
.
, ,
, ,
. ,
SMTP-. SMTP- ,
- .
, .
SMTP- TELNET 25 ,
SMTP-, :
POP
POP3 - .
SMTP, POP3 POP3
. USER PASS
POP3 .
RFC 1725 Post Office Protocol Version 3.
,
T-, , .
POP
, , ,
S/KEY, GSSAPI, APOP Kerberos V4. .
IMAP
IMAP4 , ,
Kerberos V4.
SSL
POP3 IMAP4
SSL. , POP3 IMAP4.
SASL
SASL (Simple Authentication and Security Layer (SASL)) RFC 2222. . , SASL, .
SASL
( , SMTP
SASL).
Domino SASL LDAP. Domino SASL , SSL
LDAP .
.
SMTP (ESMTP)
ESMTP,
(Extended Services for Simple Mail Transport Protocol),
SMTP , SMTP SMTP
.
SMTP
[Internet Assigned Numbers Authority (IANA)]. SMTP
: SMTP TLS/SSL (Delivery Status notifications).
SMTP
SMTP,
SMTP (AUTH=LOGIN), . , SMTP (, SMTP- ).
, , base64.
. 6-25. SMTP
4. SMTP Domino.
SMTP SMTP ,
-.
, SMTP
.
, . SMTP, , SMTP
(/ /) /
. , .
,
SMTP
, , () - .
, ,
, MIME- ( ). : PGP S/MIME. PGP.
6.2.8 PGP
PGP (Pretty Good Privacy),
,
. 1 1991 . . PGP PGP
URL-:
http://www.pgp.com/
GnuPG (Gnu Privacy Guard),
PGP. IDEA,
- . GnuPG , RFC2440 (OpenPGP). 1.0.0 7
1999 . 1.2.2. GnuPG
. ,
(General Public License) GNU. GPG URL:
http://www.gnupg.org
GNU :
http://www.gnu.org/copyleft/gpl.html
PGP .
, ,
, ,
.
, OpenPGP,
, X.509
. OpenPGP
URL-:
http://www.openpgp.org/
OpenPGP RFC2440, :
http://www.ietf.org/rfc/rfc2440.txt
PGP
, S/MIME
, .
S/MIME ,
Lotus Notes Lotus Domino.
6.2.9 S/MIME
S/MIME (Secure Multipurpose Internet Mail Extension)
, RSA
.
S/MIME , S/MIME 3. .
(draft-ietf-smime-cms; ftp://ftp.ietf.org/rfc/rfc2630.txt).
S/MIME 3 (draft-ietf-smime-msg; ftp://ftp.ietf.org/rfc/rfc2633.txt).
S/MIME 3 (draft-ietf-smime-cert; ftp://ftp.ietf.org/rfc/rfc2632.txt).
(draft-ietf-smime-crs;
http://www.ietf.org/proceedings/98dec/I-D/draft-ietf-smime-crs-00.txt).
S/MIME (draft-ietf-ietf-ess1; ftp://ftp.ietf.org/rfc/rfc2634.txt).
Lotus Notes Domino 6 S/MIMEv3.
MIME
, . S/MIME
, : Triple-DES
: draft-ietf-smime-ess. . . .
RC2. RC2
, ,
RSA.
S/MIME
, S/MIME. , Notes Domino 6
S/MIME.
S/MIME :
;
();
;
S/MIME-
;
Netscape Messenger;
.
:
, , , ;
, ,
, ;
,
.
, , S/MIME ( )
. , , Notes
Notes PKI.
S/MIME- .
, , , , . , Notes, . 6-16 6-26.
,
. . 6.26 .
1. S/MIME- .
, , , ( ,
; , S/MIME-) .
2. ( Triple-DES, RC2)
. 6-26. S/MIME
, , 1 RSA- .
3.
SMTP.
4. RSA- ( RC2) . ,
, ,
.
5.
( Triple-DES, RC2,
,
), ,
.
, ,
X.509 , , .
. 6-26 , ,
: . .
.
, ,
S/MIME , . ,
. ,
,
Notes.
:
S/MIME ,
( , ), ( ,
). . 6-27.
.
1. S/MIME- . -
.6-27. S/MIME
, , ,
( MD5 SHA-1) ( d
digest).
2.
RSA- ( RC2), ,
RSA- .
3. .
4. RSA-
( RC2)
( d).
5. ( MD5, d).
6.
( d) ( d), ,
. ,
() . ,
, () .
, , , , . ,
.
:
1. , .
2. , .
, (), ,
.
! ,
.
.
, , .
,
. S/MIME , . ,
RFC , ,
, .
, S/MIME
, ,
.
,
.
X.509 (
, ).
, .
, (CA),
, ? S/MIME
, (chain of trust). , , ( , CA ),
CA .
CA .
- CA ,
CA, .
, CA?
,
; CA ( , , ). :
1. .
2. .
3. CA, .
, , , CA,
.
,
,
, , ,
. , , , .
,
: .
, ,
. , ,
. ?
, ,
. , , ,
.
/ ? , S/MIME PKCS#12, .
, , S/MIME, S/MIME-.
(opaque), ,
MIME application/pkcs7-signature (/ pkcs7).
S/MIME
pkcs7-signature ( pkcs7). S/MIME , .
(clear), , MIME multipart/signed (/).
, application/pkcs7signature MIME. ,
MIME MIME application/pkcs7-signature.
S/MIME-
PKCS #12 .
. ,
S/MIME , S/MIME, / .
PKCS #12 / , S/MIME, . ,
Internet
Explorer CA VeriSign,
Outlook Express. Netscape Navigator,
Netscape Messenger.
S/MIME
S/MIME, X.509.
S/MIME
CA. ( ),
S/MIME , .
,
.
.
. 6-28 ,
, S/MIME .
. 6-28. S/MIME-
, S/MIME-,
. 6-28, .
1. , S/MIME,
.
Web- .
2. )
. (
, ,
.)
) HTTP
( PKCS #10), Web- .
3. (CA) , . URL- ID
, .
4. URL-, ID .
5. , S/MIME.
6. )
. .
) , S/MIME.
S/MIME
,
S/MIME, .
. , , S/MIME, . , ,
S/MIME, .
LDAP
(, Four11,
Bigfoot, Switchboard . .).
, , S/MIME.
S/MIME-
Lotus Domino 6 , X.509 , , MIME
Notes ,
-. ,
. .
Notes S/MIME- :
directly to Internet ( ) Send outgoing mail ( ) Mail () Location ( . 6-29). , , MIME.
MIME format ( MIME) Format for
messages addressed to Internet addresses ( ,
-) Mail ()
Location. , -,
(Personal Address Book) Domino, S/MIME.
When receiving unencrypted mail, encrypt before storing in your mail file (
) Basics () Person . , , MIME.
,
Body
. 6-30. : Mail
. Lotus Notes 6
File Security User Security ( ), Mail ()
(User Security) Encrypt mail that
you send ( , ), . 6-30.
S/MIME-
, .
, X.509 ID Notes.
Delivery Options ( ) Sign ().
File Security User
Security ( ), Mail ()
(User Security) Sign mail that you send
( , ).
S/MIME-
Notes .
, . .,
, Notes , , .
Signed By: Bob, at 10:52 AM, According To: TestCertAuthority.
, .
, .
. S/MIME-
.
.
, ,
S/MIME-. .
, X.509 .
S/MIME-
Actions Tools Add Sender to Address Book ( ). ,
. , S/MIME-,
.
6.3
, , , .
,
. X.509 ( , SSL)
(, S/MIME). , Notes Domino
X.509 , , Notes Domino.
7
(Single sign-on)
[single signon (SSO)] ,
. ,
, .
SSO:
, , , .
Web- The Open Group :
http://www.opengroup.org/security/12-sso.htm
,
( )
,
.
, .
:
.
,
.
(Single sign-on)
.
SSO,
.
:
.
, ,
.
.
(user security
information) ,
, . ,
.
SSO:
, ;
(credentials)
;
, , ,
.
SSO , . . . SSO
.
(credentials), (accept) . (credentials)
C , , , SSO , WebSphere Lotus.
SSO,
IBM:
HTTP (HTTP headers);
Lightweight Third Party Authentication (LTPA);
X.509;
DSAPI.
7.1 SSO
SSO :
1. .
2.
.
3. (users credentials) ,
.
, SSO .
SSO , , .
7.1.1 SSO
, SSO
, SSO. ID [ (credentials)], .
( ), , ,
ID .
,
ID (credentials store),
(ID) - .
()? ,
logon- , . , , , .
? ,
.
, . , Notes Windows, Notes
, Windows
. Notes
Domino -. ,
, .
,
,
. , . , . . ,
. , - ,
,
(bind).
. Domino MD2-salted -
Person, (Directory Profile) Use more secure Internet
Passwords ( -).
( , IBM Tivoli Directory Server
MD5). , salt-.
(
, salted ). ()
, .
, .
(ID) , .
bind- LDAP, LDAP ID (credentials).
, , (bind) . ,
, -, ;
.
.
password IBM
Directory Server - [B@7a8ea817. ,
- Person
Domino? -, Domino
(log in) (bind) password, 355E98E7C7B59BD810ED84
5AD0FD2FC4. - LDAP,
([B@7a8ea817), Domino
.
,
, , ,
Notes Windows. ,
. (SSO) Web-.
7.2 LTPA
Lightweight Third Party Authentication (LTPA) IBM, cookies,
Web- Lotus, WebSphere Tivoli. ,
, DNS LTPA, . LTPA , cookie
.
LTPA , , , [Distinguished Name (DN)] a , ,
.
LTPA :
, LTPA, DNS.
( LDAP). Lotus Domino
( LDAP), IBM Directory Server, MS Active Directory
iPlanet.
, , cookies, .
, SSO
HTTPS-.
LTPA , IBM;
LTPA (
).
,
DNS, , LTPA.
LTPA cookie , cookies
RFC-2965, :
http://www.ietf.org/rfc/rfc2965.txt
RFC , () cookie
, DNS, , () cookie (). -, DNS,
.
DNS . ,
cookie LTPA ,
. ,
DNS , cookie
, LTPA, . , Domino alpha.com, beta.com ,
iNotes iframe, Domino R5
,
, beta.com. Domino 6 beta.com Internet Site. ,
Domino beta.com DNS.
, , HTTP DIIOP ( IBM WebSphere), Domino . ,
,
Web- SSO (Web SSO Configuration)
Domino .
,
, .
LTPA WebSphere.
WebSphere , Lightweight Third Party Authentication
(LTPA), Domino R5.0.5 . Domino WebSphere
WebSphere Web- SSO (Web SSO
Configuration). LTPA WebSphere WebSphere.
7.2.1
LTPA
. ,
, Web-
. , , :
1. () LTPA ,
.
2. () LTPA, HTTP
.
LTPA ()
. LTPA , LDAP, , cookie LTPA. ,
LDAP (trusted third party),
: ( )
(Third Party Authentication).
(ID) LTPA,
LDAP. LDAP ,
- . , , . LDAP
Web- ( ) LTPA
cookie . cookie
HTTP- , cookie . , cookie, , (Lightweight). LTPA . 7-1.
7-1. LTPA
CookieName ( cookie)
CookieValue ( cookie)
LtpaToken ( LTPA)
AuthenticationToken ( )
Digital Signature ( )
LtpaToken ( LTPA)
Base64 ( LTPA)
( ,
) 3DES
+%+
+%+ Base64
( )
( ,
)
LTPA ( RSA/SHA1)
. 7-1
PrivateKey-ltpa ( LTPA)
SharedKey ( )
UserData ( )
TokenExpirationDate (
)
(
,
) LTPA
;
LTPA
/
3DES,
LTPA /
,
$ ( , uid:+ID )
,
. (
,
(00:00:00)
1 1970 .)
, . ( Domino) , ( WebSphere).
() LTPA
LTPA,
Web-. Web-, , () ( LTPA) .
, .
Domino,
LTPA, WebSphere:
Base64,
( WebSphere), ,
, .
7.1
06/09/2003 05:53:39.53 PM [03071:00010-106510] SSO API> Decoding
sphere style Single Sign-On token (LTPA).
Web-
Domino
WebSphere.
LTPA WebSphere-Domino . ,
.
, ,
(
) - (brute force cracking). WebSphere ,
, .
7.2.2
LTPA
. [distinguished
name (DN)] LDAP, . DN [ ,
(ACL) Domino], , LTPA, ,
.
Domino 6, 6.0.2 , , LTPA (DN)
( ). LTPA
( ), LDAP (DN), ,
Domino.
, Domino HTTP-, LTPA.
, . LDAP
Domino ,
. , .
Domino 11.9.4, Domino.
Domino Tivoli WebSeal
Tivoli Access Manager
, .
7.2.3 LTPA
LTPA ,
, LDAP.
Lotus- search filters
base dn 75% LDAP-
.
(search
filters) ,
:
Domino Directory Assistance;
Sametime;
QuickPlace;
global security ( ) WebSphere Application Server.
Sametime . 7-1.
LTPA Domino
, LDAP,
LTPA , .
NOTES.INI , (Single Sign-On). ,
Web SSO Configuration, , ,
DEBUG_SSO_TRACE_LEVEL=1. ,
, ,
DEBUG_SSO_TRACE_LEVEL=2.
1. , Domino 6 Basics
(Disabled) -.
7.3 X.509
X.509
SSL, LDAP.
, , LDAP,
.
,
(CA), . .
, X.509 , X.509
: - ( ), -
(). , , X.509
.
, X.509 ( )
, ,
. , Internet Explorer X.509 Windows.
. - , , ,
, , - , .
LDAP, ,
, (
X.509). , X.509 Web-, X.509.
LDAP CA,
, SSL-
(), .
LDAP ()
LDAP, . ,
X.509,
- (PKI),
X.509, LDAP (),
() .
SSL- Web-
X.509 SASL (Simple Authentication and Security
Layer).
.
.
, SASL , SASL External ()
X.509. SASL RFC-2222,
:
http://www.ietf.org/rfc/rfc2222.txt
, LDAP
. LDAP,
X.509
Lotus .
7.3.1
,
, .
, .
,
SASL X.509v3.
SASL
, [
(userid)] .
LDAP LDAP,
:
1. LDAP
:
(DN), ;
;
- (), ,
;
SASL, LDAP SASL.
2. , .
3. - LDAP
LDAP.
4. SASL, ,
SASL. SASL ,
.
5. SASL (=EXTERNAL) SSL , , , CA
. , ldap_sasl_
bind, NULL, LDAP (DN), -
X.509v3 . ( DN NULL),
.
6. Simple (),
, DN ,
, .
7. DN (DN)
, , . DN
NULL LDAP_AUTH_NONE .
8. , .
7.3.2
X.509 SSL- ,
, . DN , .
, DN
, .
SASL , - (proxy authorization),
.
, (DN) ,
. , . , LDAP-
DN, , LDAP
(DN) .
7.4 DSAPI
Web- Domino [Domino Web
Server Application Programming Interface (DSAPI)]
(C API), Web- Domino. DSAPI, , , HTTP-
. DSAPI SSO, , Domino SSO.
, - IBM Lotus
, Web-
: SASL-. . . .
DSAPI
Domino 6. Web- IBM.
DSAPI HTTP- ,
Web- Domino.
. HTTP
DSAPI o , DSAPI
, .
StartRequest 13 , DSAPI. , .
DSAPI , ()
. ,
, . .7-2
, DSAPI HTTP- Domino Web-.
.7-2. - Domino 6
, . HTTP . (
)
.
,
.
.
, (, Filter Init Data, ). HTTP,
, :
: HTTP .
HEAD: HEAD , .
GET: GET
( ), Request-URL (URL-).
POST: POST , , , , Request-URL Request-Line (-).
PUT: PUT ,
Request-URL.
DELETE: DELETE , , Request-URL.
TRACE: TRACE.
CONNECT: CONNECT.
OPTIONS: OPTIONS.
UNKNOWN: .
BAD: . .
.
kFilterStartRequest
, , HTTP . . ,
, .
pEventData , NULL. , , kFilterHandledEvent.
kFilterRawRequest
, , , HTTP. ,
, . ,
HTTP. pEventData FilterRawRequest.
kFilterParsedRequest
, , , HTTP HTTP. , , kFilterRawRequest, HTTP
HTTP , -
. . pEventData FilterParsedRequest. ,
.
HTTP. kFilterRawRequest.
kFilterRewriteURL
, , URL-
. URL- URL-, DSAPI
, , . pEventData FilterMapURL. , FilterMapURL , kFilterTranslateRequest kFilterPostTranslate.
kFilterAuthenticate
, HTTP .
, HTTP . pEventData .
kFilterUserNameList
, HTTP
. , . kFilterAuthenticate. , Domino ,
, ( ). pEventData HttpEventProc FilterUserNameList.
kFilterTranslateRequest
, HTTP URL-
.
, . pEventData
FilterMapURL.
kFilterPostTranslate
, kFilterTranslateEvent. , . , . . pEventData FilterMapURL.
kFilterAuthorized
,
.
. pEventData FilterAuthorize. .
, ServerSupport kGetAuthenticatedUserInfo.
, .
, isAuthorized FilterAuthorize
0. kFilterHandledRequest, kFilterHandledEvent. DSAPI HTTP .
kFilterProcessRequest
HTTP. .
. pEventData FilterMapURL.
kFilterEndRequest
,
, HTTP. pEventData NULL.
kFilterAuthUser
kFilterAuthenticate,
DSAPI. Web-. pEventData FilterAuthenticate.
kFilterAuthenticate.
Web-,
. DSAPI , Domino
. DSAPI ,
,
, Web- Domino, , Domino .
, eventData
FilterAuthenticate.
1. .
eventData authName , eventData
authType kAuthenticBasic kAuthenticClientCert, kFilterHandledEvent.
2. ,
Domino .
kFilterNotHandled.
3. ,
Domino
.
eventData authType kNotAuthentic, kFilterHandledEvent.
kFilterResponse
, HTTP HTTP
. . DSAPI. pEventData FilterResponse.
kFilterRawWrite
, HTTP HTTP
. .
DSAPI. pEventData
FilterRawWrite.
SSO kFilterAuthenticate, kFilterUserNameList kFilterAuthorized. ,
kFilterAuthenticate kFilterAuthUser,
5, Domino 6 . DSAPI kFilterAuthenticate.
DSAPI Lotus C API Toolkit,
:
http://www.lotus.com/ldd
DSAPI (shared library) UNIX
DLL- Win32. DSAPI Domino.
, API Notes
Domino .
. , API Lotus
Domino 6 , , ,
6., Domino. Domino R5
R5 Domino 6, R5.x.
DSAPI ,
Domino API ID .
, . Domino HTTP, FilterContext. ,
, . FilterContext
privateContext, . , , privateContext.
AllocMem
. , AllocMem, , . , ,
.
Server
DSAPI Internet Protocols (-) HTTP table ( HTTP). ,
Domino;
. ,
.
DSAPI LTPA
API Domino 6 LTPA
:
7.4.1
DSAPI Web-
Domino . Domino LDAP,
cookie - .
,
. DSAPI.
. , DSAPI
, .
, .
7.4.2
DSAPI
Domino.
,
HTTP, DSAPI.
,
authname .
. 1 kFilterAuthUser.
7.5 HTTP
ID Domino 6 HTTP,
Web- Domino.
WebSphere Application Server plug-in (
WebSphere) Domino, , , (plug-in) [Trust Association Interceptor (TAI)]
WebSphere, Domino,
notes.ini, HTTP Domino HTTP ID , WebSphere. SSO HTTP-.
HTTP-,
Domino, Microsoft IIS IBM HTTP Server, Domino 6
Apache iPlanet.
HTTP
Domino, NOTES.INI :
HTTPEnableConnectorHeaders=1
HTTP Domino , WebSphere IIS
IBM HTTP Server. .
HTTP Domino
, NOTES.INI . .
, HTTP- Domino
; Domino , HTTP . , HTTP- HTTP Domino , HTTP-
Domino 80/443. SSO
HTTP- Domino.
7.5.1
HTTP Domino,
HTTP-.
7.5.2
Domino HTTP , Web-. (ACL) Domino - , .
Notes , , .
Domino
, URL- Domino.
, ,
(reader) (writer).
, , hide when ( ) Domino, . Domino -
7.6
( )
SSO. 4,
.
SSO, , Domino, Lotus Domino Lotus Sametime,
WebSphere.
SSO LTPA, .
, ,
, .7-3.
1- ().
(2) (3)
LTPA. LTPA (4),
(5).
, LTPA
, , .7-4.
Domino (1). , Domino ,
LTPA,
(2 & 3). Domino LTPA (4). Domino LTPA ACL LTPA (5). ,
, Domino (6),
.
,
7.7
SSO Lotus Lotus Domino.
.
LTPA ,
IBM Lotus, WebSphere Tivoli Access Manager. , ,
. Domino (Dominos Directory Assistance) ,
Domino.
X.509 , ,
.
.
DSAPI , , Domino.
DSAPI .
HTTP ,
; , HTTP- Domino
.
(Enterprise Access Management), Web-.
, SSO , :
1. SSO, ,
IBM. , DSAPI, HTTP.
2. SSO
IBM.
LTPA.
3. SSO,
.
. (identity management) Tivoli IBM.
8
LDAP. ,
, (credentials)
.
.
8.1
,
, . ()
, .
, , , .
, . ,
, . ,
, .
, .
, ( ) , ( ).
, .
,
, . , ,
. IBM Directory Server, DB2.
. , ( )
, . ,
, .
8.1.1 LDAP
LDAP . LDAP
, X.500 [Directory Access Protocol (DAP)] X.500,
Lightweight DAP, LDAP (j ).
-,
LDAP TCP/IP- 389 636, SSL.
LDAP IETF, :
RFC-1777 c LDAPv2;
RFC-2251 LDAPv3: LDAP 3;
RFC-2252 LDAPv3: ;
RFC-2253 LDAPv3: UTF-8 ;
RFC-2254 LDAP;
RFC-2255 URL LDAP;
RFC-2849 LDAP [LDAP Data Interchange Format
(LDIF)].
,
(partitioned) (replicated);
. ,
. , - . LDAP (LDAP referrals). LDAP LDAP , , ( ) . , . ,
.
LDAP
IBM:
IBM Redbook Understanding LDAP, SG24-4986
IBM Redbook LDAP Implementation Cookbook, SG24-5110
IBM Redbook Using LDAP for Directory Integration: A Look at IBM SecureWay Directory,
Active Directory, and Domino, SG24-6163
IBM Redbook Implementation and Practical Use of LDAP on the IBM e-server iSeries
Server, SG24-6193
IBM Redpaper, LDAP Directory Services in IBM WebSphere Everyplace Access V4.1.1,
REDP3603
8.2
.
, , .
, , , :
8.2.1
(attributes) . . (authoritative
source) , , ,
.
,
:
: . ,
, , ,
, , . .
: , - . , ,
, .
: , .
( - ).
: RFC-822- (SMTP) T-.
SMTP-,
. , - .
, .
, , T- .
, name () ( ,
, ).
, . , , , , . ,
, , ,
. ,
. , .
. ,
.
, . , ,
,
-. , ,
, . ()
, . .
8.2.2
() (point of control) , . -
, . .
.
, ,
, . .
.
,
, .
. , . ,
.
.
,
, , .
, . ,
.
8.2.3
, (
) ( ).
. , , ,
.
, .
, , ;
, , .
,
.
, ,
,
. , ,
.
,
, . , . ,
,
. ,
1,
2 . . , ,
, , .
(), .
, ,
, .
8.3
.
. ,
, .
. , , .
7, (Single sign-on).
.
:
: , ;
: ;
: ;
: .
8.3.1
.
(), .
, ,
,
, . , [application programming interface (API)], LDAP, .
. . , . , , -.
8.3.2
. LDAP,
LDAP , .
LDAP, , .
, (person), (organization), (organizational unit), (domain component)
(groupOfNames). , , ? (top), ,
() . , LDAP . , organizational
unit top,
, .
LDAP , MUST ( ) MAY ( ).
, . LDAP
.
, , ,
.
, LDAP, :
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: eDominoAccount
, , , . top , , . ,
, top . LDAP ,
top, [Access Control Lists (ACL)] .
person top ,
cn (Common Name) sn (Surname), . organizationalPerson person. inetOrgPerson organizationalPerson. : eDominoAccount
top , sn userid. , person sn.
, c sn ? ,
. .
,
.
? ( LDAP ) . LDAP V3 RFC-2251 RFC-2252.
IBM Directory Server, , OpenLDAP.
objectclass: top
objectclasses=( 2.5.6.0 NAME 'top' DESC 'Standard ObjectClass' ABSTRACT
MUST ( objectClass ) )
objectclass: person
objectclasses=( 2.5.6.6 NAME 'person' DESC 'Defines entries that
generically represent people.' SUP 'top' STRUCTURAL MUST ( cn $ sn )
MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclasses=( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'Defines
entries representing people in an organizations enterprise network.' SUP
'organizationalPerson' STRUCTURAL MAY ( audio $ businessCategory $
carLicense $ departmentNumber $ employeeNumber $ employeeType $ givenName $
homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledURI $ mail $
manager $ mobile $ pager $ photo $ preferredLanguage $ roomNumber $
secretary $ uid $ userCertificate $ userSMIMECertificate $
x500UniqueIdentifier $ displayName $ o $ userPKCS12 ) )
objectclass: eDominoAccount
. OID,
, ASN.1 (Abstract Syntax Notation).
, OID .
( , 1.3.4.7.4.17)
(,
1.3.4.7.4.17.1, 1.3.4.7.4.17.2, 1.3.4.7.4.17.3 . .).
(branch) (root) (vertex) OID.
(arc) ( 1.3.4.7.4.17). [ (subarc)], ,
OID . , OID (vertex) (arc) (root) branch (), LDAP
X.500.
LDAP,
LDAP ( LDAP), ,
.oc. , , eDominoAccount, , IBM Directory Server. , IBM OID 1.3.18.0.2;
, IBM. :
1 ( OID, ISO)
1.3 ( ISO )
1.3.18 (IBM)
1.3.18.0 ( IBM)
1.3.18.0.2 ( IBM)
, (dot notation),
IETF IP-,
OID. , IP-,
OID .
,
.
, , , ( LDAP ). ,
OID ISO, IANA -
. OID,
- - . OID
. , (, ) ,
OID. OID ( IP-,
); OID ,
OID, OID .. OID .
, ; OID , .
(arc)
, () Web IANA :
http://www.iana.org/cgi-bin/enterprise.pl
OID,
Web-
ASN.1:
http://asn1.elibel.tm.fr/oid/faq.htm
8.3.3
, , .
cn [common name ( )], sn [surname ()], givenName, mail, uid
userPassword. OID, OID.
LDAP V3 ,
ASN.1 . .
attribute: name
attributetypes=( 2.5.4.41 NAME 'name' DESC 'The name attribute type is the
attribute supertype from which string attribute types typically used for
naming may be formed. It is unlikely that values of this type itself will
occur in an entry.' EQUALITY 1.3.6.1.4.1.1466.109.114.2 SUBSTR 2.5.13.4
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )
attribute: sn
attributetypes=( 2.5.4.4 NAME ( 'sn' 'surName' ) DESC 'This is the X.500
surname attribute, which contains the family name of a person.' SUP
2.5.4.41 EQUALITY 2.5.13.2 ORDERING 2.5.13.3 SUBSTR 2.5.13.4 USAGE
userApplications )
attribute: mail
attributetypes=( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822mailbox' )
DESC 'Identifies a users primary email address (the email address retrieved
and displayed by white-pages lookup applications).' EQUALITY 2.5.13.2
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )
, (SUP) sn 2.5.4.41, name (
). name , ,
. . , , . sn, name.
, mail () rfc822mailbox. , EQUALITY
SYNTAX ASN.1.
, ASN.1 . .
, LDAP
LDAP, ,
LDAP LDAP.
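A small parser for the objectclass and attributetype definitions quoted in 8.3.2 and 8.3.3, added here as an example in Python; it is not code from the Redbook or from IBM Directory Server. It resolves the SUP chain so that the MUST and MAY attributes an entry inherits (for example, that inetOrgPerson requires cn and sn through person) and the supertype of an attribute (sn SUP 2.5.4.41, which is name) can be looked up, and it checks a sample entry against that schema. The schema text is constructed from the definitions on this page; the organizationalPerson class, which the page names but whose definition is missing here, is supplied in abbreviated form from RFC 2256, the inetOrgPerson MAY list is shortened, and all function names are assumptions made for this illustration:

```python
"""Parse LDAP v3 schema definitions (RFC 2252 style) and resolve SUP chains.

Added example, not code from the Redbook or IBM Directory Server. The schema
text is constructed from the definitions quoted on this page; organizationalPerson
is supplied in abbreviated form from RFC 2256 and the inetOrgPerson MAY list is
shortened. Function names are assumptions made for this illustration.
"""
import re

SCHEMA_TEXT = """
objectclasses=( 2.5.6.0 NAME 'top' DESC 'Standard ObjectClass' ABSTRACT MUST ( objectClass ) )
objectclasses=( 2.5.6.6 NAME 'person' DESC 'Defines entries that generically represent people.' SUP 'top' STRUCTURAL MUST ( cn $ sn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
objectclasses=( 2.5.6.7 NAME 'organizationalPerson' SUP 'person' STRUCTURAL MAY ( title $ ou $ postalAddress $ telephoneNumber ) )
objectclasses=( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'Defines entries representing people in an organizations enterprise network.' SUP 'organizationalPerson' STRUCTURAL MAY ( audio $ businessCategory $ departmentNumber $ employeeNumber $ givenName $ mail $ manager $ uid $ userCertificate $ displayName ) )
attributetypes=( 2.5.4.41 NAME 'name' DESC 'The name attribute type is the attribute supertype.' EQUALITY 1.3.6.1.4.1.1466.109.114.2 SUBSTR 2.5.13.4 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )
attributetypes=( 2.5.4.4 NAME ( 'sn' 'surName' ) DESC 'This is the X.500 surname attribute, which contains the family name of a person.' SUP 2.5.4.41 EQUALITY 2.5.13.2 ORDERING 2.5.13.3 SUBSTR 2.5.13.4 USAGE userApplications )
"""

# Tokens: a quoted string, a single ( ) or $, or a bare word (OIDs, names, keywords).
TOKEN_RE = re.compile(r"'[^']*'|[()$]|[^\s()$']+")
FLAGS = ("ABSTRACT", "STRUCTURAL", "AUXILIARY", "OBSOLETE", "SINGLE-VALUE")
VALUED = ("EQUALITY", "ORDERING", "SUBSTR", "SYNTAX", "USAGE")


def parse_definition(line):
    """Parse one 'objectclasses=( ... )' or 'attributetypes=( ... )' line into a dict."""
    kind, _, body = line.partition("=")
    toks = TOKEN_RE.findall(body)
    if not (toks and toks[0] == "(" and toks[-1] == ")"):
        raise ValueError("definition must be enclosed in parentheses: %r" % line)
    toks = toks[1:-1]
    entry = {"kind": kind.strip(), "oid": toks[0], "names": [], "desc": None,
             "sup": None, "must": [], "may": [], "flags": []}

    def read_list(i):
        # A single token or a '( a $ b )' list; returns (values, index after it).
        if toks[i] != "(":
            return [toks[i].strip("'")], i + 1
        vals, j = [], i + 1
        while toks[j] != ")":
            if toks[j] != "$":
                vals.append(toks[j].strip("'"))
            j += 1
        return vals, j + 1

    i = 1
    while i < len(toks):
        key = toks[i]
        if key == "NAME":
            entry["names"], i = read_list(i + 1)
        elif key == "DESC":
            entry["desc"], i = toks[i + 1].strip("'"), i + 2
        elif key == "SUP":
            sups, i = read_list(i + 1)
            entry["sup"] = sups[0]            # single inheritance suffices here
        elif key in ("MUST", "MAY"):
            entry[key.lower()], i = read_list(i + 1)
        elif key in FLAGS:
            entry["flags"].append(key)
            i += 1
        elif key in VALUED:
            entry[key.lower()], i = toks[i + 1], i + 2
        else:
            i += 1                            # unknown keyword: skip it
    return entry


def load_schema(text):
    """Index object classes and attribute types by every NAME (lower-cased) and by OID."""
    classes, attrs = {}, {}
    for line in text.strip().splitlines():
        e = parse_definition(line)
        table = classes if e["kind"] == "objectclasses" else attrs
        table[e["oid"]] = e                   # so that 'SUP 2.5.4.41' resolves too
        for n in e["names"]:
            table[n.lower()] = e
    return classes, attrs


def effective_attributes(class_name, classes):
    """Collect MUST and MAY over the whole SUP chain, as the server does when validating."""
    must, may, seen = set(), set(), set()
    cur = classes[class_name.lower()]
    while cur is not None:
        if cur["oid"] in seen:
            raise ValueError("SUP cycle at %s" % cur["oid"])
        seen.add(cur["oid"])
        must.update(cur["must"])
        may.update(cur["may"])
        cur = classes.get(cur["sup"].lower()) if cur["sup"] else None
    return must, may - must


def supertype_name(attr_name, attrs):
    """NAME of an attribute's SUP, resolving an OID reference; None for a top-level type."""
    e = attrs[attr_name.lower()]
    if not e["sup"]:
        return None
    parent = attrs.get(e["sup"].lower())
    return parent["names"][0] if parent else e["sup"]


def validate_entry(entry, classes):
    """Missing MUST attributes, and attributes that none of the entry's object classes allow."""
    must, may = set(), set()
    for oc in entry.get("objectClass", []):
        m, o = effective_attributes(oc, classes)
        must |= m
        may |= o
    present = set(entry)
    return {"missing": sorted(must - present), "not_allowed": sorted(present - must - may)}
```

Calling `load_schema(SCHEMA_TEXT)` and then `validate_entry({...}, classes)` on an entry that lists the four classes but lacks sn reports sn as missing, which is the case the text raises: the server refuses the add because person makes sn mandatory through the SUP chain, not because inetOrgPerson itself mentions it.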
8.3.4
,
, . , ,
,
. , ,
. .
, . ,
. .
, , ,
, (attribute mapping). ,
,
(data transformation).
, - , (record mapping). ,
. , . , . , James L Smith Jim Smith JLSmith .
, ,
(multiple identities):
( ).
, Navy Enterprise Portal Space and
Naval Warfare Systems Command (SPARWAR), ,
100 000 (identities, ID), .
720 000 -
, - 200 000 , ( ) ID.
100 000 ID ;
. , , ,
, , , ,
ID ? , UNIX- , , ID .
. :
( ). , [distinguished names (DN)] :
LDAP Directory: cn=Brendan C Hinkle,ou=West,o=Acme,dc=acme,dc=com
Domino Directory: CN=Brendan Hinkle/OU=Finance/O=Acme
Active Directory: uid=bhinkle,cn=users,dc=corp,dc=acme,dc=com
, , 100%- .
, , , , , , ?
, ()
, (correlation keys),
.
, .
Table 8.1. LDAP
LDAP Directory: cn=Brendan C Hinkle,ou=West,o=Acme,dc=acme,dc=com
uid=bhinkle
empid=10543
mail=
Domino Directory: CN=Brendan Hinkle/OU=Finance/O=Acme
internetaddress=b_hinkle@acme.com
employeeid=BC10543
Active Directory: uid=bhinkle,cn=users,dc=corp,dc=acme,dc=com
logonPrincipalName=bhinkle
mail=b_hinkle@acme.com
,
, ,
. ? mail
LDAP AD internetaddress Domino. , SMTP- Domino. Domino AD? Domino LDAP? ,
, AD LDAP. AD
, SMTP-,
Domino AD. ,
Domino LDAP Domino.
,
. , , , . ,
LDAP Domino,
. SMTP-
Domino mail
LDAP ( ).
. ,
(identity), (DN), -
,
,
. 7.2, LTPA, cookie . LTPA IBM
cookie , IBM.
DN cookie LTPA, HTTP- Domino,
DN (direct mapping). Domino Directory Assistance
, LDAP. Table 8.2.
Table 8.2.
LDAP Directory:
cn=Brendan C Hinkle,ou=West,o=Acme,dc=acme,dc=com
empid=10543
mail=b_hinkle@acme.com
notesname=cn=Brendan Hinkle,OU=Finance,O=Acme
Table 8.3.
LDAP Directory:
cn=Brendan C Hinkle,ou=West,o=Acme,dc=acme,dc=com
mail=b_hinkle@acme.com
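The correlation discussed above, joining one person's entries in the LDAP directory, the Domino Directory and Active Directory on correlation keys and producing the kind of mapped LDAP record shown in Table 8.2, as an added example in Python; this is not code from the Redbook. The three records are constructed from the sample values in Table 8.1 (plus one constructed Domino entry that has no counterpart, to show how an unmatched identity is reported). The choice of key pairs (LDAP uid joined to the AD logon name, AD mail joined to the Domino Internet address, because the LDAP entry's mail is empty) and all function names are assumptions made for this illustration:

```python
"""Correlate one person's entries across three directories on correlation keys.

Added example, not code from the Redbook. Records are constructed from the sample
values in Table 8.1; the key pairs used to join them and the function names are
assumptions made for this illustration.
"""
from typing import Dict, List, Tuple

# Constructed sample entries, one per directory (values as in Table 8.1).
LDAP_ENTRIES = [
    {"dn": "cn=Brendan C Hinkle,ou=West,o=Acme,dc=acme,dc=com",
     "uid": "bhinkle", "empid": "10543", "mail": ""},            # mail is empty in LDAP
]
DOMINO_ENTRIES = [
    {"dn": "CN=Brendan Hinkle/OU=Finance/O=Acme",
     "internetaddress": "b_hinkle@acme.com", "employeeid": "BC10543"},
    {"dn": "CN=Jane Doe/OU=Sales/O=Acme",                         # constructed orphan
     "internetaddress": "j_doe@acme.com", "employeeid": "BC10999"},
]
AD_ENTRIES = [
    {"dn": "uid=bhinkle,cn=users,dc=corp,dc=acme,dc=com",
     "logonPrincipalName": "bhinkle", "mail": "B_Hinkle@acme.com"},  # mixed case on purpose
]


def norm_key(value: str) -> str:
    """Normalise a correlation key: mail addresses and logon names compare case-insensitively."""
    return value.strip().lower()


def notes_to_ldap_dn(notes_name: str) -> str:
    """Rewrite a Domino name (CN=.../OU=.../O=...) into the comma form used for notesname."""
    return ",".join(part.strip() for part in notes_name.split("/"))


def correlate(ldap_entries: List[Dict[str, str]],
              domino_entries: List[Dict[str, str]],
              ad_entries: List[Dict[str, str]]) -> Tuple[List[Dict[str, str]], List[str]]:
    """Join the three directories on their correlation keys.

    Returns (unified, unmatched): each unified record carries the LDAP DN plus the
    attributes pulled from AD and Domino (as in Table 8.2); unmatched lists the DNs
    of entries that could not be correlated and therefore need manual review.
    """
    ad_by_logon = {norm_key(e["logonPrincipalName"]): e for e in ad_entries}
    domino_by_mail = {norm_key(e["internetaddress"]): e
                      for e in domino_entries if e.get("internetaddress")}
    unified, unmatched, used_domino = [], [], set()
    for ldap in ldap_entries:
        ad = ad_by_logon.get(norm_key(ldap["uid"]))          # LDAP uid <-> AD logon name
        if ad is None:
            unmatched.append(ldap["dn"])
            continue
        domino = domino_by_mail.get(norm_key(ad["mail"]))    # AD mail <-> Domino Internet address
        if domino is None:
            unmatched.append(ldap["dn"])
            continue
        used_domino.add(domino["dn"])
        unified.append({
            "dn": ldap["dn"],
            "uid": ldap["uid"],
            "empid": ldap["empid"],
            "mail": norm_key(ad["mail"]),                      # LDAP had none; take it from AD
            "notesname": notes_to_ldap_dn(domino["dn"]),
        })
    # Domino entries nobody claimed are reported too: they are identities the
    # synchronization would otherwise silently drop.
    unmatched.extend(e["dn"] for e in domino_entries if e["dn"] not in used_domino)
    return unified, unmatched


if __name__ == "__main__":
    records, leftovers = correlate(LDAP_ENTRIES, DOMINO_ENTRIES, AD_ENTRIES)
    for rec in records:
        print(rec)
    print("unmatched:", leftovers)
```

The join deliberately goes LDAP to AD to Domino rather than LDAP to Domino directly, because the LDAP entry in Table 8.1 has no mail value; the same idea generalizes to any chain of key pairs as long as each key is unique within its directory.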
8.3.5
(data flows)
(). , , - -.
,
.
(authoritative sources),
. , ,
, ,
-.
. , -,
.
8.3.6 -
(events) ,
.
, ,
. , -, . ,
. , .
, .
8.3.7
. ,
IBM.
Lotus Domino .
ADSync
Active Directory Synchronization, ADSync,
Active Directory (, ) Active Directory Domino Directory
Active Directory Users Computers Console.
Lotus Active Directory Synchronization Domino Administration ,
Active Directory.
LDAPSync Solution
LDAPSync Solution , IBM Software Services for Lotus. ,
, LDAP, Domino.
,
, Domino, Lotus.
Notes ,
. ,
Domino .
:
1. LDAPSync: LDAP Domino.
[Fig. 8-1. LDAPSync. Labels recoverable from the figure: Corporate Directory (LDAP, non Notes); 1: Download; SyncohoroNSF; Transactions waiting (Notes DB); LDAPSync; 2: Format Full Names; Transactions Ready (Notes DB); Run Agent; 3: replication; Target Notes DB]
(simple synchronization) , - - ( ).
[Fig. 8-2. Simple synchronization: source database; destination database]
,
Domino (),
(). .
, LDAP - Business card, , (ObjectClass=Person).
(Name), (First Name), (Address)
(Phone number).
, - ( )
. ,
LDAP, ,
Person Domino.
(broadcast) - - ( ).
[Fig. 8-3. Broadcast: source database; destination database 1; destination database 2]
- -, ,
LDAP , , ,
. -
-
, -.
(summarization) - - ( ).
[Fig. 8-4. Summarization: source database 1; source database 2; destination database]
() ().
- -
-.
(data consistency)
- (
), .
[Fig. 8-5. Data consistency: source database; destination database]
- ,
-. , -, ,
-.
Domino
, . , Person
Domino
. ,
Domino, , Customer management ( ),
Sales leads ( ) Purchasing ().
Person, Domino
, .
- , . , - - (
), - ( ). ,
( ).
LDAPSync () , /
, .
, (,
LDAP ), -,
, [ Domino,
Contacts () ..], -. LDAPSync ,
.
, LDAPSync
- LDAP Domino
Domino. IBM Tivoli Directory Integrator, .
,
//
(). , . , , , ..
(connectors)
. . ,
.
(Event Handler),
Directory Integrator
,
(, , ,
, HTML- Web-
, Simple Object Access Protocol
(SOAP) Web-, ).
(parsers)
, .
.
, , ,
, LDAP Data Interchange Format (LDIF),
Extensible Markup Language (XML), SOAP, Directory Services
Markup Language (DSML), .
(hooks),
.
(Link Criteria), ( ) .
, , () =
(), ,
, , f()=().
: equals (), not equals ( ), contains (), starts with
( ), ends with ( ).
.
(Work Entries), ,
.
Java perl-,
.
,
.
( ) :
Btree Object DB Connector,
Command Line Connector,
Domino Users Connector,
File System,
FTP Client Connector,
Old HTTP Client Connector,
HTTP Client Connector,
Old HTTP Server Connector,
HTTP Server Connector,
IBM MQ Series (JMS),
IBM Directory Changelog Connector,
JMS Connector,
JNDI,
LDAP,
Lotus Notes,
MailboxConnector Connector,
Memory Stream Connector,
Netscape/iPlanet Changelog Connector,
NT4,
Script Connector,
SNMP Connector,
TCP Connector (generic),
URL Connector (generic),
(Runtime provided) Connector,
Web Service Connector,
C.
Directory Integrator (assembly line),
.
,
Fig. 8-6
[Fig. 8-6. Directory Integrator: data sources DS1, DS2, DS3]
(data source) DS3,
DS1.
DS2. Directory Integrator
(assembly line).
, . ,
,
Fig. 8-7. , , . Fig. 8-7
, .
[Fig. 8-7. Data sources DS1, DS2, DS3]
, , , (,
),
. ,
. ,
. Directory Integrator
, ,
, , .
Directory Integrator (GUI).
GUI Idaptodom.
Fig. 8-8. GUI
LDAP,
readldap. LDAP. Domino, updatedomuser Domino User. LDAP, LDAP GUI . Fig. 8-8 GUI.
-,
(), Fig. 8-9 ( ).
Fig. 8-9, InternetAddress, .
(Domino). Fig. 8-10 , -
Fig. 8-9. GUI
Fig. 8-10. GUI
Domino User. Fig. 8-10 , Connector Attribute InternetAddress ,
, InternetAddress ( ).
Domino User,
.
(),
. , GUI Directory Integrator.
.
, Directory Integrator
-, , Web-.
[Figure: connector types shown: JDBC, Web Service, JMS, RDBMS, LDAP, Web]
8.4
, . , , , , . , , .
,
, ,
.
(unified directory service)
. , , ,
,
. (metadirectory) ; , ,
. , .
IBM ,
, .
, ,
.
. , -
, . , , .
, , .
.
, (ID) .
(unique keys) , . ,
- -.
,
. , ,
, . ,
SMTP- ;
.
, . ID
,
. , (primary) (secondary) . , ID , SMTP- , , .
, (
) . , :
;
.
, . .
. , , , Domino, Active
Directory, PeopleSoft HRMS ..
, (, , ). ,
, ,
. LDAP,
LDAP. . -,
LDAP .
Fig. 8-12, Dept 3
1, Mail 2
3. , .
CN=David Hinkle
EmpID=1234
Dept=LPS ISSL
Mail=dave@ibm.com
CN=David Hinkle
EmpID=1234
Dept=ISSL
1
CN=David Hinkle
EmpID=1234
Phone=555-1234
Mail=dave@ibm.com
Fig. 8-12.
. ,
- .
, , (, A , , ).
-,
.
Fig. 8-13,
(master record).
, -
( 1, 2 3) . ,
CN EmpID ,
1 2. , -
(). , ,
, ,
. , . . ,
, .
,
( ) .
CN=David Hinkle
EmpID=1234
Dept=ISSL
CN=David Hinkle
EmpID=1234
Dept=ISSL
Mail=dave@ibm.com
UID=DH9876
1
CN=David Hinkle
EmpID=1234
UID=DH9876
Fig. 8-13.
,
, , .
- ,
, .
,
. () .
.
. , Fig. 8-14, -,
- , .
, ,
LDAP . ,
, ,
, ( . ). LDAP,
, , .
, LDAP
, .
LDAP . , 3 LDAP.
3 Domino LDAP
Domino Notes
LDAP. ,
Fig. 8-14 ,
IBM Tivoli Directory Integrator, LDAP IBM Directory Server.
CN=David Hinkle
EmpID=1234
Dept=LPS ISSL
Mail=dave@ibm.com
Notesname=David Hinkle/Phoenix/IBM
CN=David Hinkle
EmpID=1234
Dept=ISSL
1
CN=David Hinkle
EmpID=1234
Phone=555-1234
UID=DH9876
Mail=dave@ibm.com
2
CN=David Hinkle
EmpID=1234
Dept=ISSL
Mail=dave@ibm.com
UID=DH9876
Phone=555-1234
Notesname=CN=David Hinkle,OU=Phoenix,O=IBM
LDAP
Fig. 8-14 - LDAP
. :
(object classes): .
, .
8.3.2, .
(attributes): . ,
OrganizationPerson Title.
Title . , , Person CN [common name ( )] SN [surname ()].
8.3.3, .
[Directory Information Tree (DIT)]:
LDAP .
,
(branches) (leaves),
(end nodes). , ,
, (Distinguished Name, DN).
, , (, CN=users), (OU=).
, LDAP
. LDAP. , , .
DIT , (DN) . DN
. , DN
CN=john q public,OU=sales,O=acme,C=us UID=jsmith4
,CN=users,DC=acme,DC=com.
X.500, C=US . , DNS DC=acme, DC=com . ,
, , , DN ( )
UID (User ID). , , ,
,
.
( 10000 ) .
, . ,
:
DN= uid=bhinkle,cn=users,dc=acme,dc=com
cn=Brendan C Hinkle
mail=b_c_hinkle@acme.com
DN= uid=bhinkle2,cn=users,dc=acme,dc=com
cn=Bill Hinkle
mail=b_hinkle@acme.com
, , DN.
, , , DN,
.
, .
. , ,
, , , . ,
( ),
,
:
DN= uid=bhinkle,ou=sales,dc=acme,dc=com
mail=b_c_hinkle@acme.com
DN= uid=bhinkle2,ou=hr,dc=acme,dc=com
mail=b_hinkle@acme.com
OU DC ( 10000 ) , . ,
, () .
X.500 DNS, . , X.500
,
. DNS
- X.500 SMIME-. ,
35 , . , -
. , , , , . DNS
DIT , LDAP.
DIT .
. - . DIT, ,
,
.
DIT
:
;
( );
;
(, );
.
, ,
LDAP? , LDAP-
X.500 Open LDAP. LDAP,
, . LDAP , LDAP- .
LDAP ,
.
LDAP LDAP , .
, .
,
, ,
Middleware
Architecture Committee for Education (MACE). :
http://middleware.internet2.edu/dir/
, ,
, .
.
.
, ,
:
Charles Carrington (Editor), Timothy Speed, Juanita Ellis, and Steffano Korper, Enterprise Directory and Security Implementation Guide: Designing and Implementing Directories
in Your Organization.
8.4.1
. (account provisioning) ,
.
.
.
(service) ,
, .
. Notes.
(account)
. , , . (credential)
,
,
. :
.
() ( ) .
(ID)
.
. , ,
, .
,
. ,
, Enterprise Directory.
, favorites,
.
,
.
(registration)
. ID, .. () .
, ,
, , ..
( ) , ,
.
, .
(entitlement)
. ,
, . ,
- , , , .
,
- . , Domino, , (Directory Integrator). - ,
, , ,
, .. ,
(Instant Messaging), .
,
. ,
, -.
, . ,
, ,
. ,
. , , . -
, . ,
,
.
8.4.2
, .
, , ,
.
(SSO)
, , . ,
,
(enterprise access management systems). IBM Tivoli Access Manager Netegrity Siteminder.
, ,
:
LDAP;
;
, ,
, , ;
Web- .
, , SSO . , SSO,
, ,
( ).
IBM Tivoli Access Manager
IBM Tivoli Access Manager for e-business, REDP3677.
8.5
.
. , , , , , .
[single sign-on (SSO)]. ,
.
.
. :
, , .
. , -,
.
, .
, ,
, .
,
-, .
:
;
(DIT).
.
: , , . ,
, , .
.
() :
;
;
;
;
;
.
9
(hardening)
, - , .
(), ,
.
, (hardening),
(. . , , )
, .
,
Lotus- , :
Windows ( NT)- :
Win32 WindowsNT4.0, Windows2000 WindowsXP;
UNIX/Linux- :
Sun Solaris 8;
Linux ( 2.4) SuSe Red Hat;
IBM AIX.
, , ,
.
9.1
.
,
- .
9.1.1
, , . ,
. , ,
. ,
, .
, .
, ,
. , ,
, . ,
.
,
.
, , , ,
Windows Linux, . , 1 , .
,
, .
, .
100% , ,
, , ,
.
,
. , . (service pack) ,
1
, . . .
, CD (-) .
,
, .
(,
up2date Red Hat Windows Update Tool Microsoft).
, ,
, , , .
-. ,
, , , . ,
Windows Server Internet Information Server (IIS, ), .
, ,
, ,
. , ; , , .
, ,
. :
netstat -an
, , , Nessus, Nmap Stealth,
- , .
- , ,
, ,
-.
,
, -. ,
, ,
. -,
, . ( , -
.
.)
. (, , ) (PSPG Policies, Standards, Procedures Guideline) ,
.
9.1.2
,
- , . ,
, .
, ,
-. ,
,
, , ,
, ,
, 4.1, . .
,
, , , . , , , , . UNIX, Windows ( NT) , ,
.
,
, ,
. ,
, , , ,
.
,
, , . , . ,
, .
,
.
. ( Microsoft ISA
Server, http://www.microsoft.com/isaserver/.)
, , ,
TCP-. IP- ( )
,
, .
, P2P ( , , KaZaa, Morpheus, eDonkey ..), . ,
P2P . HTTP , , P2P, .
, Web- URL- , Web- .
, , . , Web- IP-,
URL-. , , ( ),
, , .
,
. , , Bluetooth.
,
.
.
, , ,
. ,
.
, , , ,
, , ,
P2P-
( ) ,
, .
, , . 2, ,
, ,
, .
NMap ( Network Mapper) , URL-:
http://www.insecure.org/nmap
NMap open source1, UNIX,
Windows (NmapNT).
IP- ( ) :
;
() ;
;
.
NMap . f (), NMap
IP-. NMap TCP- ,
(Intrusion Detection Systems, IDS).
, , , , .
, Nessus, NMap ,
NMap .
9.1.3
- ,
, -.
- , .
1
Open source . . .
9.2
, -,
, .
, Lotus Notes,
- Sametime
, - .
,
, . ,
: 1 . ,
, .
(, , ), , ,
. -
,
.
.
, , . ,
-, -.
9.2.1
, ,
, . ,
, .
, . :
, ;
, ,
.
,
, .
1
- . . .
,
.
,
. , - ,
.
, , ,
:
1. .
(
QNX). .
, .
2. . , PDA ( Palm OS). . , .
3. . , Microsoft
Windows.
, . , , Windows Server
Operating Systems ,
,
( Terminal Services).
4. . . Linux. , ,
-
.
. ,
. , , .
. ,
.
. ,
.
. ( , , , ..), ,
.
. , ,
, .
. , ,
(APIs, Application Programming Interfaces).
. (Graphical User Interface, GUI),
.
, .
,
, .
.
, , .
, Windows
UNIX, :
Windows 2000 (Maximum Windows 2000 Security, Sams, 2001, ISBN 0672319659);
Linux (Maximum Linux Security, Sams, 1999,
ISBN 0672316706).
Windows Linux.
9.2.2 Windows
Microsoft Windows , ,
Windows . , . ,
Windows .
, , , Windows , :
/. Microsoft
( ).
,
:
1) ; 2)
.
. ,
Windows , ,
. , Windows
.
, , . , , , -.
. , Windows, , , (Event Viewer). Windows ,
.
. Windows ,
, .
. ,
, , Microsoft - , .
, , .
,
.
. Windows . ,
.
,
, .
,
.
Windows ,
. , , , ,
Windows .
, ,
Windows. ,
:
SecurityFocus:
http://www.securityfocus.com/
NT:
http://www.ntbugtraq.com/
CERT:
http://www.cert.org/nav/index_red.html
, ,
.
, Windows . Linux ,
.
9.2.3 Linux
Linux
. - ,
Linux , . Lindows Red Hat-, Linux ,
IBM. , ,
Linux.
Linux
, Windows. ,
- , - , , Linux.
, Linux
, ,
, . Linux :
. , ,
. , Red Hat
, , , .
,
, .
Linux- Web (, Caldera, Red Hat, SUSE, Turbolinux) ,
UNIX SecurityFocus (http://www.securityfocus.com/unix), ,
.
Linux Windows. ,
,
, .
Windows Linux,
Solaris AIX, , Domino.
Domino , zOS (OS/390) OS/400 (
zSeries - iSeries). , .
. , :
1) 2) , -.
Web- . , ,
-.
Windows NT 4.0 Server , .
, , . ,
. ,
,
,
, .
, , , , . ,
, ,
. , .
, Windows NT 4.0
:
NTFS, FAT. NTFS (access control lists,
ACLs) .
.
FAT, , , NTFS.
, ACLs
.
, (, , ).
, DMZ Web, Domino DNS
.
(Service Pack) , .
Service Pack 6a, .
, . :
Remote Procedure Call (RPC),
NetBIOS,
Computer Browser.
.
, , .
:
(Control Panel Network Services):
Workstation. , , at.
, Server,
.
Server. .
, .
WINS TCP/IP. (Control Panel Network Bindings).
(All Protocols). WINS Client (TCP/IP)
/ (Disable/Remove).
. DMZ- .
, :
Alerter. ,
.
ClipBook.
.
DHCP Client.
.
Messenger. ,
.
NetBIOS Interface. NetBIOS TCP/IP.
Net Logon. ( )
() .
Network DDE.
.
Network DDE DSDM.
(Dynamic Data Exchange, DDE) DDE-.
TCP/IP NetBIOS Helper. NetBIOS
TCP/IP, IP-.
,
, ,
, telnetd FTP. ,
,
. , , ,
IP- , .
IP- DMZ.
IP-, IP Windows NT.
TCP/IP (Control Panel Network Protocols TCP/IP Protocols Properties Advanced).
(Enable Security) (Configure). , .
,
; .
,
.
.
(Administrator) -
.
.
,
.
, , , . ,
.
. , , :
.
, .
, 24 .
. 30 .
(Everyone).
(Access This Computer From the Network),
, .
.
: ; ; , .
(
5). .
SYSKEY (Security Accounts Manager, SAM).
SYSKEY 3; ,
6a SYSKEY
.
OS/2 POSIX.
C2SECURITY Windows NT (Resource Kit) .
, ,
, OS/2 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT.
Os2LibPath Environment:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Os2LibPath.
Optional, POSIX OS/2
:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems.
%WINNT%\system32\os2 .
, ,
- ,
, .
, . ,
, , .
,
. Windows NT , ,
, .
, . :
.
(Internet Information
Server, IIS) v2.0, Windows NT, Web-. IIS
,
IIS.
, IIS
, .
, TCP/IP. . NetBEUI , IPX .
IPX NetBEUI.
.
,
DNS-. Web-,
DNS. , , ,
, (Simple Network Management
Protocol, SNMP) DMZ.
, (community) - . SNMP , ,
.
WINS. NetBIOS
DNS, LMHOSTS.
DHCP- (relay). , DMZ-
(, , , ).
IP- (IP Forwarding),
.
, IP-.
.
Windows NT,
. , . Windows NT .
1, , :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
DontDisplayLastUserName
1, :
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
RestrictAnonymous
, . (
3 .):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
1, NTFS
8.3. ( 8.3 Win16, .
,
8.3.):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
NtfsDisable8dot3NameCreation
0,
(ADMIN$, C$
. .). (,
( ) net share /d.):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
AutoShareServer
1 ,
( ):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System
RestrictGuestAccess
0 ( Windows NT 10 , , ):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
CachedLogonsCount
(Access Control Lists, ACLs).
(Everyone) ,
(Full-Control) (Administrators) (SYSTEM). (Owner) (Full-Owner control):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Windows NT 4.0
Windows NT 4.0 . EventLogs, Windows.
.
Windows, .
(,
FTP, HTTP, SMTP . .), . , (Performance Monitor). EventLog,
.
, .
Windows NT , .
, , . , 100%,
,
. , .
? , . .
EventLogs
EventLogs Windows NT ,
(Event Viewer).
Windows NT EventLogs syslogs UNIX.
EventLog (Application Log), (Security Log) (System Log). , Windows NT .
, .
:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System
File
File . , .
, Windows IIS Web-,
: Web, FTP SMTP.
,
. .
Web FTP.
(Properties) .
(Performance Monitor). %SystemDrive%\PerfLogs.
DefaultLogFileFolder
:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog
DefaultLogFileFolder
%SystemRoot%\SchedLgU.Txt.
,
, .
LogPath :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent
LogPath
Windows NT. , Windows.
, , NT 4.0 Windows
,
.
, , ,
. , , Microsoft
Technet, .
Windows 2000 , . , , , , , Windows 2000.
Windows 2000 Windows 2000. Windows 2000 , Windows NT 4.0.
( - ),
.
Windows 2000 , ,
, . , , , . - ,
, . :
, .
, Windows NT 4.0, ,
Windows 2000 .
, . ,
,
, .
, .
Windows 2000 NTFS, FAT. NTFS
(ACLs) .
.
FAT, , , NTFS.
, ACLs
.
, ,
. DMZ
, ,
. , , IIS- FTP, HTML-. , , , Windows Media
.
Microsoft (File and Printer
Sharing for Microsoft Networks). (Custom),
.
Web
SMTP, Microsoft (Microsoft Networking Client) ,
. ,
RPC
Microsoft. IIS, SMTP.
IP (IP Protocol Properties). IP DNS DHCP.
(Advanced)
:
a) DNS.
DNS (Register This Connection's Addresses in DNS).
b) WINS;
WINS. NetBIOS,
LMHOSTS. NetBIOS
TCP/IP NetBIOS TCP/IP.
c) (Options) TCP/IP-, Windows NT 4.0.
.
DMZ- .
telnetd. - telnet
, telnet
TelnetClients.
TelnetClients, , telnet . telnetd
Telnet TelnetClients.
DNS-. . DNS. (Notify)
, (Only Allow Access From Secondaries Included on Notify List).
, . ,
DNS-, Windows NT 2000,
. -
, ISC BIND
(Internet Software Consortium Berkeley Internet Name Daemon),
UNIX-. ,
GUI1, , BIND. ISC
:
http://www.isc.org/products/BIND/
, .
:
, CA [Certificate Authorities
( )] , . , . , Lotus Domino
SSL, , , .
, SNMP (Management and Monitoring Tools), (community) .
(Active
Directory). , DMZ-, DMZ DNS .
Windows 2000
Windows NT 4.0 ,
.
, , /
. , , , .
Windows 2000 Microsoft Microsoft (Microsoft Management Console, MMC). (Security Templates Tool) , .
(Security Configuration and Analysis Tool) 1
, , , .
MMC. .
,
(High Security for Workstations), HISECWS.INF. , Microsoft , Web-.
, Windows
NT 4.0. HISECWEB.INF Microsoft
URL:
http://support.microsoft.com/support/misc/kblookup.asp?id=Q316347
:
1. %windir%\security\templates.
2. .
3.
.
4. (Analyze Computer
Now) .
5. .
6. , , .
.
, WordPad. , ,
.
. , , , .
;
; .
, ,
. , , .
, , ,
.
.
. , , SECEDIT. , Telnet. .
,
, , , -. ,
, , HTTP, FTP SMTP, .
, ,
IIS , . - . Table 9-1.
Table 9-1. -, IIS
IIS: \inetpub\iissamples
IIS SDK: \inetpub\iissamples\sdk
Admin Scripts: \inetpub\AdminScripts
Data Access: \Program Files\Common Files\System\msadc\Samples
, , DMZ:
Microsoft Windows NT 4.0 and IIS 4.0:
http://www.microsoft.com/technet/security/iischk.asp
Microsoft Windows 2000 Server and IIS 5.0:
http://www.microsoft.com/technet/security/iis5chk.asp
Microsoft SQL Server:
http://www.microsoft.com/technet/SQL/Technote/secure.asp
http://www.sqlsecurity.com/faq.asp
Windows 2000.
Windows NT 4.0 Windows 2000 , .
Windows 2000 , Windows NT 4.0.
9.3.3 Windows
, .
,
, ,
Windows (NT, 2000, XP),
.
,
, Windows .
, - ( ) ( ),
: .
, Windows NT,
2000 XP; ,
.
, Windows Windows .
Lotus Collaborative,
. , , Windows,
, . ,
, .
Microsoft
( Steps to Personal Computing Security),
URL:
http://www.microsoft.com/security/articles/steps_default.asp
Windows, ,
Windows NT (NT 4.0, 2000 XP). , Windows 9x 95, 98, 98SE ME,
. , -,
9x, Windows NT.
Windows NT, 2000 XP . ( Windows 95, 98 ME,
. , 9x
.) , , .
, Windows,
(
) .
,
,
- .
. , ( )
, . , , . , ,
. ( , 2, , .)
,
.
Windows
. - ,
, .
, .
: , ( ). .
1. , , .
:
. (
, , ,
.)
(, , , ).
, ;
.
2. , ,
. , .
, .
,
.
,
, , , . , . ,
. , , .
Norton Anti-Virus (NAV), McAfee's
VirusScan ,
. , .
Windows.
Microsoft
(Microsoft Update Center)
Microsoft Windows .
Microsoft
( ),
. , , , , .
:
1. , Microsoft (http://windowsupdate.microsoft.com/) Product Updates.
2. , - (CRITICAL UPDATES AND SERVICES PACKS); .
(Download).
, . . , , ,
, .
, ,
, ,
. , -,
, .
Microsoft
(Microsoft Baseline Security Advisor, MBSA)
Microsoft , . URL MBSA :
http://www.microsoft.com/technet/security/tools/tools/MBSAhome.asp1
MBSA .
2002 . , Web
, Microsoft's Personal Security Advisor (MPSA),
. MBSA
Windows NT 4.0, Windows 2000 Windows XP ( ,
Windows).
MS IIS MS SQL.
MBSA ( ),
. MBSA . , , , -, .
. , ,
Microsoft,
, MBSA.
.
, ,
. , - , ,
, , ,
.
,
, -. , Microsoft ,
.
, ,
, , , , ,
.
1
: http://www.microsoft.com/technet/security/tools/mbsahome. , Microsoft Baseline Security
Analyzer. . .
MBSA ,
. MBSA
, , .
Microsoft SQL-
Windows NT 4.0, 2000 XP
, (Structure
Query Language, SQL). MS SQL-.
MS IIS, .
Slammer.
Microsoft SQL- .
, , , . MS SQL-
:
1. MS SQL-, .
MS SQL-
,
. , ,
(, MS SQL-) , .
, ,
.
, MS SQL- - , -
. , .
MS SQL-
, , , - , Windows , 100% ,
- .
, MS SQL- , ,
.
2. MS SQL-
MS SQL- ( )
MBSA, .
,
MS SQL- , . MBSA , .
.
Microsoft, Hfnetchk.exe, (Q303215), .
Microsoft, Hfnetchk.exe,
(Q305385).
Microsoft, Microsoft Technet Web.
- (
). ,
, .
, Symantec, Norton Anti-Virus, Symantec
Security Check ( Symantec), . URL:
http://security.symantec.com/ssc/home.asp
Scan for Security Risks
( , . . ),
Scan for Viruses ( , Norton
Anti-Virus) Trace a Potential Attacker ( ,
IP-). , .
, , , Scan for
Security Risks ,
. , - , - .
,
, Scan for Viruses
, .
- . , , .
. .
-, Symantec - ActiveX.
, , , ,
. , Symantec
,
. ,
; .
-, Symantec . ,
, ActiveX Symantec
25.06.2003, ( ) ActiveX,
. :
http://www.sarc.com/avcenter/security/Content/2003.06.25.html
Symantec . ,
- . , Gibson Research
Corporation ShieldsUp!,
. URL:
http://grc.com/intro.htm
!
, Symantec Gibson Research.
,
, , -
.
9.3.4
Windows.
-, , ,
, ,
,
:
Microsoft (http://www.microsoft.com/security/)
:
http://www.microsoft.com/security/articles/steps_default.asp
http://www.microsoft.com/technet/security/tools/tools.asp
Windows NT CERT (http://www.cert.org/tech_tips/win-resources.html)
Windows NT
http://www.cert.org/tech_tips/win_configuration_guidelines.html
http://www.cert.org/tech_tips/home_networks.html
http://www.cert.org/other_sources/viruses.html
SANS
(http://www.sans.org/rr/index.php)
Windows 2000
http://www.sans.org/rr/catindex.php?cat_id=66
. Web ,
.
9.4 UNIX
UNIX-. UNIX
Windows ,
.
UNIX , ,
. UNIX , BSD AT&T System V. UNIX .
UNIX, BSD:
OpenBSD,
FreeBSD,
NetBSD,
BSDi,
MacOS X,
SunOS 4.
UNIX, System V:
HP-UX,
Solaris (SunOS 5).
. AIX, , , ,
BSD, System V , . -
AIX . . 9.5,
AIX.
, Linux? ,
Linux UNIX.
BSD System V.
, , Linux
. Linux GNU (http://www.gnu.org), -
GNU/Linux. GNU/Linux,
, , ,
.
, , Windows NT, Windows
2000 Windows XP, , UNIX Linux,
.
,
UNIX Linux. , ,
, .
9.4.2
, UNIX,
, , SWAP /tmp. ,
(denial-of-service) (out-of-disc-space).
: UNIX
FTP, , Domino- ,
, mail.box .
.
(/). ,
, ,
, /bin, /sbin, /etc /lib.
/dev /devices.
GNU/Linux /boot,
/lib.
/usr. , ,
. /usr
, ;
(, mount) .
/var. ,
, Web, , , ,
.. / , /var
, .
/usr/local (/opt Solaris). ,
. /usr/local . , UNIX,
.
UNIX ( GNU/
Linux),
, UNIX, .
9.4.3 inetd
inetd UNIX. -1,
, /etc/inetd.conf.
inetd IP-.
, . ,
, .
, ,
-.
inetd , ,
. - FTP, TFTP, Telnet Berkley r*, .
1
- ,
, . Windows
DOS. . .
9.4.4 tcp_wrappers
UNIX tcp_wrappers (
Wietse Venema), , , , , ,
IP- DNS. , , , DMZ - ( , ).
,
GNU/Linux BSD. UNIX, tcp_wrappers ,
URL ( ):
ftp://ftp.porcupine.org/pub/security/index.html
UNIX , (single
points of failure) .
, .
, ,
, . , (DDoS, Distributed Denial of Service), //
.
tcp_wrappers , .
,
.
/etc/hosts.allow
/etc/hosts.deny
, tcp/ip- (, , ),
.
: hosts.allow, hosts.deny.
KNOWN UNKNOWN. ALL
, . man-1 hosts_access, tcp_wrappers.
9.4.5 sendmail
Sendmail UNIX ( GNU/Linux)
(Mail Transfer Agent, MTA).
, sendmail
. suid root, sendmail .
sendmail , STARTTLS
SMTP AUTH. 1
UNIX GNU/Linux , , man (man pages), man [] ////. , man hosts_access man bash.
. .
() suid (set-UID)
- (.. ), , ( ). , suid root ,
root root.
. . .
UNIX sendmail ( , ),
. ,
8.9.3 - .
Realtime Blackhole List ( ), , sendmail.
mc :
FEATURE(rbl)dnl
, sendmail SMTP VRFY EXPN. . :
define(`confPRIVACY_FLAGS', `novrfy,noexpn')dnl
, ,
sendmail :
authwarnings: X-Authentication-Warning,
;
needmailhelo: - SMTP HELO;
needexpnhelo: - SMTP HELO
EXPN;
needvrfyhelo: - SMTP HELO
VRFY;
noreceipts: (Delivery Status Notifications, DSNs) ;
goaway: , restrictmailq restrictqrun;
restrictmailq: mailq
;
restrictqrun: .
, Domino UNIX GNU/Linux sendmail 1.
9.4.6 , Linux
GNU/Linux.
, - 1.44 ( Minix).
,
.
GNU/Linux Red Hat, SUSE, TurboLinux,
Mandrake, Caldera, Slackware Debian.
1
(SMTP) Domino,
sendmail, 25. . . .
,
GNU/Linux, Domino, . , GNU/Linux , , , .
,
, ,
, - .
, .
Red Hat. , ,
. , Oracle, IBM Check Point,
Red Hat. ,
GNU/Linux, -
, Red Hat.
Debian. . , , ,
, .
Debian
100% . Debian
. GNU/Linux. Debian
, , . ,
Debian
, , , . Debian 3900 , .
SUSE,
, YAST2,
. GNU/Linux,
Domino, TurboLinux Caldera.
GNU/Linux, ,
(Custom
Installation) ,
. , , KDE GNOME, X Windows (
Domino, Domino ). ,
,
.
.
(enable shadow password); crypt
MD5.
, . Red Hat setup. Debian
shadowconfig. GNU/Linux man-. MD5 md5
/etc/pam.d.
ipchains, DMZ,
ipchains , - .
, / GNU/Linux.
Debian apt-get. Red Hat, 6.0, up2date.
, ,
GNU/Linux.
, Red Hat Linux, , Bastille Linux,
Linux, , .
Bastille Linux Red Hat Mandrake Linux1, , UNIX , .
Bastille Linux ,
, ( , ),
. , ,
. ,
, Linux. Bastille Linux
URL:
http://www.bastille-linux.org/
Linux.
Linux .
Linux :
http://www.securityportal.com/lasg/
9.4.7 , Solaris
Solaris :
(Core), (End-User), (Developer) (Entire Distribution). ,
, ,
. , .
Solaris ,
Sun Blueprints Online, URL:
http://www.sun.com/software/solutions/blueprints/online.html
Solaris.
Solaris : ,
(Solaris Operating Environment Minimization for Security: A Simple, Reproducible and
Secure Application Installation Methodology),
(Alex Noordergraaf) (Keith Watson).
Web- iPlanet, Apache, Domino
Web- .
Solaris (Solaris Operating Environment
Security), . Solaris.
SPARC-; Intel.
Solaris, (Solaris Operating Environment Network Settings for Security),
, .
Blueprints Online Sun , Solaris,
Web- DMZ, Domino.
(Lance Spitzner) Solaris, Check Point FireWall-1
Solaris (
8) Intel SPARC. URL:
http://www.enteract.com/~lspitz/armoring.html
, Solaris Bastille-Linux,
TITAN. TITAN URL:
http://www.fish.com/titan/
9.4.8
WAN-, DMZ-
, TCP/IP.
: (Strict SourceRouted) (Loose Source-Routed). , .
Traceroute , .
, .
,
TCP/IP.
:
Solaris :
ndd -set /dev/ip ip_forward_src_routed 0
GNU/Linux
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
Smurf
(direct broadcast)
, :
Solaris :
ndd -set /dev/ip ip_forward_directed_broadcasts 0
GNU/Linux :
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
GNU/Linux - ICMP. Linux
ICMP:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
ICMP-
ICMP- .
DMZ-
, :
Solaris :
ndd -set /dev/ip ip_send_redirects 0
GNU/Linux :
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
ICMP- (ICMP type 13)
. .
ICMP- rdate - .
,
.
NTP,
, ,
, .
ICMP 13 (
) 14 ( ) .
Solaris :
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
9.4.9
, , , ( ) . : , , , . .
.
. ,
- , , .
, UDP/514.
, , ,
, CD-R, WORM, .
UNIX .
,
syslog.
, /var/log.
, UNIX GNU/Linux
. , ,
(), .
UNIX GNU/
Linux, syslogd , , syslog-ng. syslogd,
, facility.priority
(.).
. Syslog-ng, ,
UNIX GNU/Linux. ,
URL:
http://www.balabit.hu/en/products/syslog-ng/
UNIX
GNU/Linux. AIX1, AIX
, .
9.5 AIX
AIX UNIX, , ,
. AIX ,
, , , .
AIX
, , . ,
, ,
, .
AIX .
AIX, ,
AIX,
Lightweight Directory Access Protocol (LDAP) Internet Protocol Security (IPSec).
, Web- IBM AIX :
http://www-1.ibm.com/servers/aix/library/index.html
, , . X11 CDE ,
.
, AIX, , ,
.
, ,
. ,
, ,
1
, .
,
.
, ,
, . , .
9.5.1
(login) AIX
, ,
. , . .
herald /etc/security/login.cfg.
, AIX. chsec .
chsec:
# chsec -f /etc/security/login.cfg -s default -a herald="Only authorized use of this system is allowed.\n\nlogin:"
/etc/
security/login.cfg herald :
default:
    herald = "Only authorized use of this system is allowed.\n\nlogin:"
CDE
CDE (Common Desktop
Environment). CDE . , /usr/dt/config/$LANG/Xresources, $LANG
, AIX.
.
.
lock , AIX windows,
xlock.
9.5.2
AIX, . ( , AIX.)
,
.
. AIX
, , :
,
, ;
;
,
.
, , , UNIX,
. dictionlist
( ), , bos.data bos.txt.
dictionlist /etc/security/users:
dictionlist = /usr/share/dict/words
UNIX dictionlist /usr/share/dict/words.
root
, root. ID root AIX
su.
root ,
root ,
, . /var/adm/sulog.
, .
root
/etc/security/user. rlogin root
false.
,
.
, .
. , /etc/security/.profile , :
TMOUT=300 ; TIMEOUT=300 ; export readonly TMOUT TIMEOUT
300 , 5 .
,
. , , , .
, root , INTERNAL
FIELD SEPARATOR (IFS), , , sed,
awk cut, .
, , .
umask 077.
, ,
, .
. SP umask 022.
umask 022.
077. etc/security/user.
, , ID . ID
.netrc1. ,
, , .
, :
# find `awk -F: '{print $6}' /etc/passwd` -name .netrc -ls
, . Kerberos.
. Table 9-2 ,
.
/etc/usr/security2.
- , . chsec (, , , IBM Redbook AIX
Security Tools, SG24-5971-00).
Table 9-2
dictionlist
histexpire
histsize
maxage
maxexpired
maxrepeats
minage
minalpha
mindiff
,
UNIX
,
,
maxage,
,
,
,
/usr/share/dict/words
26
20
4
2
2
13
2
4
. AIX. .
. .
: /etc/security/user. . . .
0, ..
, . . . .
Table 9-2 (continued)
minlen
minother
pwdwarntime
,
,
,
6 (8 root)
2
5
, ,
(, , ), etc/security/login.cfg1.
,
AIX
ID . , AIX, ,
, ID , . ID ,
.
. 9-3 ID, , , .
9-3 ID
ID
uucp, nuucp
lpd
imnadm
guest
, uucp
,
IMN [Documentation Library Search]
,
. 9-4 ID , , ,
.
9-4 ID
ID
uucp
printq
imnadm
1
, uucp nuucp
, lpd
, imnadm
/etc/security/login.cfg. . . .
ID ; ID, .
, ID.
9.5.3
Trusted Computing Base ( , TCB) , . TCB
(trusted communication path),
TCB.
TCB . TCB , preservation. TCB
(trusted shell), (Secure Attention Key, SAK).
TCB, /dev
TCB. , TCB
600 , /etc/security/syschk.cfg. TCB ,
, , , CD
, , .
9.5.4
AIX
. .
- ,
. , , .
, , Domino
DB2,
. ID,
, .
. , ,
. CD-ROM- CD-,
, CD , , , . , .
(Service Level Agreements,
SLAs), ,
, ,
,
. ( ).
.
(
CD, mksysb /CD).
. , , , IBM , .
root. ,
. , root,
.
AIX
- ,
.
, ,
, .
- , , .
9.5.5
,
. ,
.
/etc/security/audit/
events. cron
.
9.5.6 ,
, , .
AIX.
AIX skulker,
.
, /tmp,
a.out, core ed.hup. skulker
:
# skulker -p
skulker, cron
.
,
ID , , . , , find , :
# find / -nouser -ls
, . , .
.
.rhosts.
. .rhosts AIX.
HACMP .rhosts 1. 600 root.system.
.rhosts :
# find / -name .rhosts -ls
1
HACMP 5.x . . . .
, . , , ,
root SUID SGID.
, ,
. ,
, AIX. :
# find / -perm -4000 -user 0 -ls
# find / -perm -2000 -user 0 -ls
cron at
cron at .
, ,
cron.allow at.allow, root.
/var/adm/cron cron.deny at.deny.
, cron at root.
/etc/rc.dt
CDE , .
CDE , .
CDE (dt). - , , /etc/rc.dt, CDE.
X-
, X11,
. X-
xwd xwud,
, .
,
,
root.
xwd xwud X11.apps.clients.
xwd xwud , OpenSSH
MIT Magic Cookies. , xwd xwud.
X- xhost+ AIX. , xhost+ , X- .
,
X-.
xhost :
# xhost +
xhost
, xhost ,
. chmod /usr/bin/X11/xhost 744, :
# chmod 744 /usr/bin/X11/xhost
, xhost . , X-.
. , .
9.5.8
,
.
- ,
.
, ,
; ,
. , , ,
.
, , .
netstat:
TCP-, LISTEN, UDP-, .
lsof, netstat -af. lsof AIX 5.1 AIX Toolbox for
Linux Applications CD.
, TCP-, LISTEN,
UDP-, IDLE, lsof :
# lsof -i | egrep 'COMMAND|LISTEN|UDP'
ID
, :
# ps -fp PID#
,
man- .
9.6
, .
, , ,
,
.
,
.
, , , 100% 100% .
, , ,
, .
- , ,
.
.
Lotus
, Lotus. Lotus Notes Domino 6, Sametime 3, QuickPlace 2.08, Domino Web
Access (iNotes) 6.x, WebSphere Portal 4.x
IBM/Lotus. ,
Lotus, , Lotus.
10
Notes/Domino
,
Notes/Domino. Domino . , Notes/Domino, .
, Notes/Domino.
Notes/Domino
403
10.1 Notes/Domino
Notes:
() , . , , . 10-1.
. 10-1. Notes
, : ,
Notes. . 10-2.
Notes
. 10-2.
,
,
Notes, ( ) Notes.
,
.
: . .
10.2
, ,
, , . 10-3.
Notes
. 10-3.
Domino.
.
, , .
, , .
:
, .
, . .
.
Domino Domino (Administration Tools), Lotus, .. Domino Administration 6 Client ( , Web-) Web Administrator 6, WebAdmin.nsf.
- ,
Notes Web- (. ., Telnet,
FTP ).
10.3
Notes, . 10-4.
Notes
. 10-4.
Notes ,
,
.
10.3.1
,
.
, . - , Notes
Notes
. 10-5.
: .
(routers) , . (gateways) , , .
, - . IP,
,
.
, . , . , FTP, DNS
(Domain Name System) X11.
; , . ,
. IP, , .
-. -
. ,
UNIX- SendMail 20 000 ,
- SendMail 700 . -
.
. ,
. .
,
, , .
-
. , .
(demilitarized
zone, DMZ), ,
( ).
, , - .
, , , .
.
Ethernet, Fast Ethernet, Gigabit Ethernet Token Ring, MAC- , , MAC-, .
(shutdown mode) (restrictive mode). ,
.
. , , .
, MAC- , . MAC- , ,
, ,
, . .
OSI, TCP/IP (
), TCP UDP,
, .
.
, , Network Mapper (NMap). :
http://www.insecure.org/nmap/
Nmap
. , . Nmap IP-
, , , () , ( ) -
, ,
. Nmap ; . Nmap , GNU GPL.
10.3.2 Notes
Notes Domino,
Notes , Notes,
. 10-6.
Notes
. 10-6.
Notes
Notes.
, Person,
Server Certifier Domino Directory.
. . ,
,
Domino .
, ,
.
, ,
, ,
.
, -.
, Domino
Notes . ,
-
Domino Certificate Authority (CA), (Certificate Authority). Domino 6
-, x.509v3,
x.509, [Certificate Revocation Lists (CRL)] [Certificate Distribution Points (CDP)].
, , ( ) , , ,
. . (, ), (
) .
.
, , .
(ciphertext). . .
, Notes Domino,
, ,
,
(, RSA Security BSAFE Engine Notes Domino)
, , .
Notes Domino
( ), ( ), .
,
,
( ).
, . , ; . Notes Domino
.
,
.
, .
. , Notes, Notes.
;
,
, , , (
, ,
, ).
, ,
( ), , (
). non-repudiation (
).
, .
(
) :
1. (message digest)
. ( ), .
2.
, -
( ) .
3. ,
, .
4.
, . , , .
, , -,
[access control list, (ACL)], Domino .
, Domino , . .
, , , . , , , . Manager ACL
, .
( ): No Access, Depositor, Reader, Author, Editor, Designer, Manager.
ECL, Notes 4.5, (e-mail bombs), ,
(Trojan horses) . ECL ,
.
ECL
. , ,
, ,
,
, .
ECL . , Notes ,
ECL , ,
. , , ECL ( , , : */Lotus, Default) -
, . ECL , , , ,
, ,
( ), , ECL. : Abort (), Execute Once ( ) Trust Signer ( ). ,
No Signature ( )
ECL.
ID-.
Notes.
Notes.
, - , , Notes ID, . ,
.
, Notes.
, , ,
. Notes
Domino, . ,
, .
10.4
, Lotus Notes Domino.
.
11
Domino/Notes 6
Domino
Notes 6,
. . Domino 6 Administration Guide
Notes 6.
Domino Notes. Domino Designer 6 . Domino 6 Designer: A Developers Handbook, SG24-6854.
Domino
, , Domino, ,
. ( ) , .
. , ,
,
, .
:
Domino;
;
Domino;
;
Notes Domino;
Web-;
;
.
Domino/Notes 6
415
11.1 Domino
Domino
Security () Server (. 11.1). :
;
;
Domino;
;
.
11.1.1 Domino
Domino. . Notes, Domino Server ,
. ,
.
Notes . 6, .
Domino 6
Server Notes
. R6 Only allow server access to users listed in this Directory ( , ), Access server ( ) Not access server ( ) Notes.
Domino 6 -,
Notes.
, -
- ( ).
Server Ports () Internet Ports (-),
, , . Yes () Enforce server access settings (
).
11-1 Notes
Server access list
( )
Notes, Domino
, - (HTTP,
IMAP, LDAP, POP3)
Deny access list
Notes -.
( )
, ,
,
,
Notes Person Domino
Directory - , ,
-
Notes ID lock out ( Notes.
Notes)
, Notes
,
,
. Notes
,
, ,
. 11-1
Anonymous access
( )
Notes Domino
.
,
.
Domino (LOG.
NSF) User Activity ( )
Notes
Domino ,
. , Alan Jones/Sales/
East/Acme, , ,
TCP/IP
Notes Domino
.
Notes Domino
11.1.2
Domino
, ,
Domino. , ,
.
Security () Server.
. :
Full access administrator ( )
, Server;
Administrator () (
);
Full console administrator ( )
( );
System administrator ( )
.
.
, , , . , , . ,
(, */Sales/Acme).
Administrators (), ; ,
. Administrators () , .
. 11-2. Server
Domino 6
Domino 6. Notes .
, , .
:
;
, ACL ;
Web- (WEBADMIN.NSF);
,
;
,
;
.
. .
, ,
.
, ,
.
ACL .
, :
Full Access Administrators (
) Administrators () Security () Server. .
Full Access Administration ( ) , Administration () Full Access Administration ( ).
, , Server.
Administrator ().
, , , ,
, ,
.
, Domino Designer
( Domino) Lotus Notes.
, .
, Server, , -
. ,
. , Server .
Full Access Administrators ( ) SECURE_DISABLE_FULLADMIN = 1
NOTES.INI. ,
, Server.
NOTES.INI , , NOTES.INI .
, Server.
:
Full Admin, Full Admin/Sales/Acme, Full Admin. , , .
, .
, Jane Admin/Full Admin/Acme.
Full access administrators ( )
.
.
Full Access Administrators ( ) .
:
Event Handler ( )
EVENTS4.NSF ;
, , ,
Database Properties ( ).
.
11.1.3 Web-
Domino, Web- , Domino.
Web- Web- (WEBADMIN.
NSF). HTTP- Web- Domino Domino. Web- .
Web-:
Microsoft Explorer 5.5 Windows 98, Windows NT 4, Windows 2000 Windows XP;
Netscape 4.7x Windows 98, Windows NT 4, Windows 2000, Windows XP
Linux 7.x.
.
Domino/Notes 6.
Domino:
Web- Administration Process (AdminP);
Certificate Authority (CA) Domino 6,
Issued Certificate List ( ) ;
HTTP- Web-, .
Domino
Web- (WEBADMIN.NSF) . , Full Access Administrators ( ) Administrators () Server, Web-.
, HTTP- ( 20 ) ACL Web-, ,
Server Full Access Administrators ( ) Administrators (), ACL.
webadmin.nsf
ACL Web- . . 11-2.
,
Administrators () Server.
11-2. ACL Web-
,
Server:
. 11-2
Full Access Administrators (
);
Administrators ()
- Default ( )
Anonymous ()
OtherDomainServers ( )
Web- -,
SSL-. Web- , SSL . Web- , / Web-
Domino (WEBADMIN.NSF) SSL-.
Web- SSL.
HTTP .
11.1.4
, ,
Server.
, Server
. Run unrestricted methods
and operations ( ) , Run Simple and Formula agents ( ) . , . , ,
.
. ,
.
(Restricted mode).
(Unrestricted mode).
(Unrestricted
mode with full administration rights).
,
Do not allow restricted operations ( ).
Lotus Notes.
Server, ACL (, , ACL ).
.
, (),
, Full Access Administrators (
), Agent Builder.
Full Access Administrators ( )
.
. , ,
, ACL.
11.1.5
Notes. ,
. , , .
, , .
Domino .
, . -
. 2, .
:
(Registration).
, , -,
.
(Setup). Notes Location .
- -, .
(Desktop).
. ,
,
.
(Mail archiving). .
.
(Security). ECL
, -
Notes.
o -
HTTP.
. - , , (session authentication).
o - Notes.
( Notes - . 11.7, -
Notes.)
o Notes.
o Notes / -.
, (grace periods) history ( Notes).
o . .
! Person
Server. Domino
, .
Domino ,
, .
ECL, :
ECL ECL .
ECL . Refresh ECL , , ECL; ECL ECL
. Replace ECL ECL. ECL .
ECL : Once Daily
,
ECL ECL; When Admin ECL
Changes ECL
, ECL
; Never ECL .
. 11-4. :
: (organizational) (explicit).
.
, . ,
, Sales/Acme,
*/Sales/Acme. Sales/Acme -
.
,
(Sales) (Marketing),
. ,
Sales/Acme Marketing/Acme , ,
*/Marketing/Acme.
.
. , 6-
, ,
,
.
: , Person
Assign Policy.
,
, , .
, .
,
.
, . , , */Acme ,
60 . Acme . , , ,
. . ,
.
. Policies () User and Server Configuration ( ) Domino 6 Administration Guide.
11.1.6 -
Domino 6
Internet Site -, Domino. Internet Site [Web (HTTP), IMAP, POP3, SMTP Inbound, LDAP IIOP]
Domino. ,
:
Web Site. Web-,
Domino.
LDAP Site. LDAP- .
IMAP Site, POP3 Site SMTP Site. , IP-, Internet
Site.
IIOP Site. Domino
IIOP (DIIOP) . Domino Domino Object Request Broker (ORB).
Internet Site - . ,
Domino 6 Web-
Domino Mapping, Web realms
() File Protection. .
Domino 6 Web Site,
Web-, ,
Web realm.
Internet Site :
e WebDAV (Web-based Distributed Authoring and Versioning) Web- Domino;
e SSL
(Certificate Revocation Lists) -, ;
e hosted organization (
).
Domino . Domino 6 Administration Guide.
Internet Site ( Site)
.
Site .
.
, Internet
Site ;
.
Domino Internet Site,
Server. , Server .
Internet Site Internet Sites, -, Internet Site .
. 11-5. Server,
-
Internet Site
Internet Site SSL- ,
- .
SSL -, SSL Server SSL ,
(key ring) .
SSL-
(server key ring file) Internet Site. Internet Site , , .
Security
() .
(Certificate Revocation
List, CRL) -, Domino .
SSL , IP-
Host names or addresses mapped to this site ( ,
) Basics ( )
Internet Site.
Web- (common name)
DNS-, IP-
Web Site. IP- Host name or addresses to map to this
site ( , ) Web
Site. Redirect TCP to SSL ( TCP SSL) Web Site , IP- .
Domino 6 Internet Site,
No Internet Site.
TCP-, SSL- TCP.
Internet Site
Domino. Web Server Server.
SSL . 6, .
Domino 6
. 11.5.1, Domino.
11.1.7
, . :
, , .
.
Domino 6
- . - . Notes,
Domino Domino 6 Administration Guide.
11.2 HTTP-
Domino 6
Domino 6, Lotus Domino HTTP-.
HTTP , , Domino
HTTP Domino 4.5. Domino 6
HTTP HTTP- IBM
( ICS). , Domino 6 API HTTP.
Web-
, HTTP 1.1
.
denial of service ( , DOS) , ,
URL length . . IP- IP-.
,
HTTP, HTTP- Domino Web-
( Web- Domino),
DSAPI, HTTP- Domino. ( DSAPI HTTP) .
GO Server GWAPI (Go Webserver Application Programming Interface). Domino 5.0 , - API . Domino 5 DSAPI HTTP- ICS,
Domino 5, GWAPI
( , ).
, HTTP-
Domino 6, DSAPI.
DSAPI,
Domino 6 DSAPI R5, . DSAPI, Domino5,
Lotus Domino 6,
HTTP-, . , , , API,
, HTTP, Domino 6.
, Domino 6 API, R5 DSAPI, , R5 DSAPI
100% , HTTP- ( ,
DSAPI 100% ). Domino 6
DSAPI -, 100% , .
11.2.2 HTTP-
Domino 6
Domino R6 Web- WebSphere.
Domino for IIS, Release
5. Web-
(, IIS)
( ), NSF- HTTP- Domino.
HTTP Domino;
HTTP-
, , HTTP-
Domino, .
Domino [ Domino,
Lotus iNotes Web Access, Lotus Domino Off-Line Services (DOLS), Lotus Discovery Server];
HTTP-
HTTP- .
, Domino,
Domino.
HTTP-
. Domino 6.0 :
IBM HTTP Server (IHS) AIX, Windows NT 4.0 Windows 2000 Server;
Microsoft IIS Windows NT 4.0 Windows 2000 Server.
Domino 6, Domino ( ,
, ,
Domino 6).
Lotus Domino 6 plugins data/domino. plug-ins
WAS 4.x 5.x , Microsoft
IIS IBM Apache HTTP. , Domino 6, HTTP-
(, IIS).
HTTP- Domino
notes.ini (HTTPEnableConnectorHeaders=1). notes.ini Domino , USER,
HTTP- .
HTTP . . C,
HTTP Domino 6.
HTTP Domino6, IBM iSeries . Lotus
Domino 6 for iSeries Implementation, SG24-6592.
11.3 (xSP)
Domino 6
Domino ( , , ,
..)
Domino.
,
Domino. , .
- , , . xSP- (.. ),
Domino .
, , ,
.
, . ,
,
, .
Domino
Domino
Domino
, . xSP, , ,
.
, ACL
Domino Directory
. ACL,
xSP, . , ACL ACL
xSP: .
Site
, -.
ACL ACL Domino Directory.
, - , . help common
Domino, ,
.
,
,
.
11.4
Domino 6
, Notes Notes,
Notes . ,
(roaming users),
,
. Notes ID- , ,
. ,
, . Notes.
.
-. -
, ,
Notes. , -
- .
11.5 Domino
(certificate authority, CA), (certifier), , .
, - SSL S/MIME .
,
, ,
.
(trusted root certificates), , , , .
Notes- -. Domino
Notes- Notes
Notes. Notes
Domino, Domino. Notes-
, Web-.
, - - (X.509),
(SSL, TLS . .). - Domino
.
, SSL Domino, , , SSL
.
. SSL . ,
SSL , , IMAP, POP3 SMTP.
SSL , -. Domino, , . , ;
, , . ,
.
(PKI) Domino
SSL . 6, , The Domino Certificate Authority IBM Redpapers.
. SSL ,
Domino, Domino.
11.5.1 Domino
Domino 6
Domino 6 Domino-, ( CA) .
CA Domino, . ,
Notes- CA -.
CA , CA.
CA;
. Domino
CA Domino Tell.
Domino 6 ,
:
Notes- -.
(ICL)
(Issued Certificate List,
ICL),
CA. ICL ,
, CA.
. CA
:
, , .
CA, .
RA/CA, , .
.
ID-,
.
CA ( Certifier) Domino Directory .
(CRL)
(Certificate Revocation List, CRL)
, -, , . CA
CRL -. CRL
, ICL
. CRL Domino Directory,
.
CRL -. , CRL , CRL. CRL
.
CRL , . ,
. HTTP Web- CRL, ,
,
. Internet Site - Domino CRL
.
CRL: . CRL ( , CRL ) CRL. CRL , CRL . , , ,
CRL, .
CRL CRL.
CRL. CRL
, CRL.
(,
) (. . ) CRL .
CRL.
CRL Tell.
-
(CERTREQ.NSF)
. ,
Administration Process .
, .
, , .
. , CA, Notes- - ,
.
. , ,
Domino 6 , CA.
Domino
Domino (certificate authority administrator,
CAA) :
.
. , CA Notes-.
CA RA, .
Domino Directory , Editor ().
. , , .
. , ,
.
,
.
Domino
(registration authority, RA) Notes Domino, - -. , , Domino , . , Domino ,
CA.
,
. CA Configuration,
ICL .
Domino, Notes,
Notes-.
Web Administrator
Notes. Web Administrator, , Web Administrator, .
Domino :
, Notes-;
-;
, ,
.
.
Domino Directory , Editor ().
, CA
CA , CA . , CA . CA Tell
.
CA , ,
12 . , Administration Requests CA, .
Tell AdminP CA.
. CA ca
Server NOTES.INI.
, CA,
:
1. :
Notes- O () OU (),
CA.
Notes- CA.
-
CA.
2. .
3. CA.
4. - .
. Domino 6 Administering the Domino
System.
11.6
Domino,
Domino.
11.6.1
Domino
Domino Directory.
Administration Process, Domino Directory. , ,
Domino Directory.
11.6.2
Domino .
, ,
, . .
:
Domino
Directory, Configuration Directory;
LDAP;
Dircat (directory
catalogs);
, ;
Domino Directory, Directory Assistance.
Notes ,
, .
Domino
Domino 6 , Domino Domino Directory .
: , , Person Group, , Domino.
Domino 6
,
Domino Directory, Domino Directory. Configuration Directory, Domino Directory
, Domino. , Configuration Directory, Domino Directory
( Domino Directory) Person, Group, Mail-In Database Resource,
, .
, .
,
, ,
Domino Directory, . , Configuration
Directory , , .
, . ,
Domino Directory.
Directory Assistance
, Domino - (Web (HTTP),
IMAP, POP3 LDAP), , Directory Assistance.
X.509
.
, Directory Assistance, Directory Assistance :
Basics ( ) Make this
domain available to ( ) Notes clients
and Internet Authentication/Authorization (/ Notes -);
Naming Contexts (Rules) [ ()] , (distinguished names) , , Trusted for Credentials (
) Yes ().
, Web-
LDAP-, Web-
Web- Domino
LDAP- .
,
- , , .
Security () Internet Access ( )
Server Domino Directory More name variations with lower
security ( ) Fewer name
variations with higher security ( ( ).
,
Domino Directory.
,
Directory Assistance, , . , ,
cn=alice browning,o=Acme, alice browning. , alice browning. , , cn=alice browning,o=acme
.
Domino,
ACL , , ACL ,
Server, File Protection Web-.
, ,
, , X.509. X.509 ,
, X.509.
Domino -,
.
.
, Domino HTTP Web LDAP ,
, .
Notes
Notes Domino Directory Person Notes.
Compare Notes public keys against those stored in Directory ( Notes ) Basics
( ) Server Notes, ,
Notes, Person .
LDAP-
LDAP- :
, LDAP-;
LDAP Domino, Notes, LDAP
11.6.4
Domino 6
(ACL) , ,
PUBNAMES.NTF, Domino Directory Extended Directory Catalog. ACL ACL
Domino Directory Extended Directory Catalog.
Notes-,
LDAP-.
ACL ACL ,
Access Control List ( )
Notes 6 Domino Administrator 6. ACL
, ; ,
. ACL
:
, ,
OU=West/O=Acme;
,
Person;
;
.
ACL :
Domino,
, ;
;
,
Readers Authors;
: Notes (NRPC), Web (HTTP), LDAP, POP3 IMAP.
. , Router, ,
ACL. Router,
Readers
, ,
. , Readers,
, Router .
, ACL,
, ACL , , ACL . , ACL
Reader, ACL
Write.
User Creator ACL , ACL
Person Create.
, , , ACL. , Readers , , Browse ACL , Readers.
Domino Directory ACL . , ACL
ACL . ACL Domino Directory Extended Directory Catalog.
:
Domino Directory?
,
ACL, -
. , .
ACL? ACL ,
.
? Configuration Settings Domino Directory
LDAP-.
LDAP Read .
Anonymous () ACL
No Access ( )
, LDAP. ACL Anonymous () ACL ACL LDAP. Anonymous () Reader.
11.6.5 LDAP-
LDAP (Lightweight Directory Access Protocol) - . Domino Notes LDAP :
LDAP, Domino LDAP LDAP-;
LDAP Notes, Notes
LDAP- LDAP-;
Directory Assistance, Domino LDAP- .
Directory Assistance
LDAP-
Domino 6
LDAP- , Directory Assistance LDAP-. ,
.
Type of search filter to use ( )
Directory Assistance. . 11-3.
11-3.
Standard LDAP (
)
LDAP,
LDAP-, Domino, IBM
Directory Server, Netscape/iPlanet Directory Server
Active Directory
,
Active Directory. ,
LDAP- Active Directory
Custom
,
. , LDAP- .
Custom Type of search filter to use (
) ,
, . 11-4.
11-4.
(Mail filter)
Directory Assistance ,
Notes ,
. ,
: (|(cn=%*)(|(&(sn=%a)(givenname=%z))(&(sn=%z)(givenname=%a))))
(Authentication filter)
LDAP- .
,
: (|(cn=%*)(|(&(sn=%a)(givenname=%z))(&(sn=%z)(givenname=%a))))
(Authorization filter)
Notes. ,
: (|(&(objectclass=groupOfUniqueNames)(UniqueMember=%*))(&(objectclass=groupOfNames)(Member=%*)))
,
, RFC 2251 2254.
LDAP
,
LDAP , , .
11-5. LDAP
(RFC 822)
(RFC 822)
( )
Alex M Davidson
%a
Alex M Davidson
%z
Alex M Davidson
amd@acme.com
%*
%l
amd@acme.com
%d
11-6. LDAP

Name entered       Directory Assistance filter          Resulting LDAP filter
Alex M Davidson    (|(gn=%a)(sn=%z)(cn=%*)(mail=%l))    (|(gn=Alex)(sn=Davidson)(cn=Alex M Davidson)(mail=))
amd                (EmpID=%*)                           (EmpID=amd)
amd                (EmpID=%z)                           (EmpID=)
amd                (mail=%*@acme.com)                   (mail=amd@acme.com)
amd                (mail=%*@*)                          (mail=amd@*)
amd@acme.com       (mail=*@%d)                          (mail=*@acme.com)
amd@acme.com       (mail=%*)                            (mail=amd@acme.com)
amd@acme.com       (uid=%l)                             (uid=amd)
blue               (color=%*)                           (color=blue)
11.7 - Notes
Domino 6
- ,
Person Domino Directory Notes- . , Domino
Notes Web-. Notes -
- Notes
.
. 11.1.5, .
Notes -.
! , ,
, Notes -
User Security ( )
Notes -. ,
.
User Security ( )
. 11.14, Notes.
11.8 Notes
ID- Notes mail-in ID- Notes. ,
( -Recovery Authorities) Notes.
mail-in :
-Default- Anonymous No Access;
Reader.
ACL
Notes, .
ACL.
ID :
1. Domino Administrator Configuration (),
Certification ().
2. Edit Recovery Information ( ).
3. Choose a Certifier ( ) Server,
Domino Directory (
).
4. , .
Use the
CA process ( CA),
. ,
.
, Supply
certifier ID and password ( ). ,
Certifier ID ( ),
ID- .
. Export ()
. ,
.
9. OK.
10. ,
load ca
CA
, .
Notes
-
-, Notes
-.
, Notes -,
:
1. , .
2. , .
3. Action () Accept Recovery Information
( ).
4. Backup ID File ( ID-) Send (), .
. ID- Notes
Notes, .
ID- Notes
ID- Notes
Notes ID- Notes. Notes
Notes. , Notes
.
, Notes ID- Notes - .
, , ,
, Notes
.
Notes,
:
1. ( ,
), ( ,
Notes), Notes.
Notes .
.
Notes, ,
Notes.
Notes
.
2.
Notes. Password ()
Notes OK, .
3. Wrong Password ( ) Recover
Password ( ).
. -
Backup ID File ( ID-).
4. Choose ID File to Recover ( ID- )
, .
5. Enter Passwords ( ) ,
, ,
.
6. Notes,
.
. , , ,
Notes.
7. ,
Notes Notes
Notes.
Notes
. :
,
;
, Notes
.
(.. ) - .
11.9 Web-
Web-, Web- Domino. :
.
HTTP .
cookie- cookies, .
HTML-
. , Domino ,
cookie- .
, HTML . (single sign-on).
, , LTPA-cookie ,
. LTPA- ,
. ,
(single sign-on) .
6.2.4, Web-,
LTPA 7.2, LTPA.
,
.
11.9.1
, Domino Domino Directory LDAP-. - (HTTP, LDAP, IMAP, POP3). ,
- Domino. Domino
, Java-,
Domino,
Domino IIOP.
LDAP-
DN
CN CN CN=prefix
UID UID UID=prefix
cn=prefix
()
()
(, User name Person,
, )
Soundex-
- ( ,
Internet address Person)
LDAP-
(CN) CN CN=prefix
DN
DN
UID UID UID=prefix
11.9.2 (SSO)
, (single sign-on, SSO), Web- Domino WebSphere Domino WebSphere DNS,
(SSO), .
Web- cookie-,
LTPA- , , cookie-.
:
( Web SSO Configuration)
Domino Directory ( Domino Web SSO Configuration,
, , );
Multi-server Web Site Server.
LTPA . 14, , , .
Domino, SSO.
URL, , ,
(fully qualified domain name, FQDN),
IP-. cookie-
, DNS- cookie-, DNS-
cookie- URL . cookie-
. , SSO,
DNS-).
Web Site Server
(FQDN). Internet
Cluster Manager (ICM)
SSO. DNS-, ICM URL Web-, TCP/IP, cookie-,
DNS- URL.
WebSphere
WebSphere Domino LDAP-. , (SSO),
(Distinguished Name, DN) , cn=john smith, ou=sales, o=ibm, c=us. LDAP ,
Directory Assistance Domino , LDAP-, WebSphere. , LDAP Domino Directory WebSphere LDAP- Domino.
, ,
WebSphere, LDAP- Domino,
(flat) (
Domino, SSO
flat- ).
SSO- WebSphere
Domino. WebSphere LTPA- SSO, Domino.
, SSO
.
4. .
.
11.9.4 Domino
Domino Web-
Domino
LDAP- Domino Notes/Domino
ACL Domino.
,
:
Domino Portal.
Domino WebSphere Portal,
Portal LDAP-,
LTPA- LDAP, uid=tworek,ou=users,o=redbooks,c=us.
, Domino , Domino
LTPA- ( , Portal Domino
LTPA SSO). ACL
Notes, William Tworek/Cambridge/IBM.
LTPA- LDAP-, Domino , , .
Domino LDAP-.
Domino Directory Assistance LDAP- ,
LDAP- Domino
LDAP. Domino Notes, ,
Domino , LDAP- .
, Domino ,
Domino 6:
1. LDAP- ACL .
2. LDAP DN Person
Domino. Domino 5.x Domino 6.02+.
3. Domino LDAP-. Domino 6.x Directory Assistance.
LDAP- ACL
,
ACL Domino , LDAP-. ACL
, LDAP
Notes.
LDAP DN Domino
Domino Directory , LDAP Person .
. 11-7.
Domino LDAP-
Domino , LDAP-. , , , . .
Domino LDAP-.
:
1. LDAP-, , LDAP .
2. LDAP- , LDAP-
Notes.
3. , Domino Directory Assistance LDAP Directory Assistance. DA, LDAP
.
Directory Assistance . 11-8.
11.10 Domino
Password Checking ( ) , . . - - ID- Notes
Notes, Notes. Password Checking , ID- Notes,
. -
ID- Notes, .
Password Checking Required Change Interval ( ) ( ), ID- Notes .
Notes . Grace Period ( ). ( ), ( ),
. R5, Version 6
, Person . Notes
R4.67. R5 Version 6.
ID- Notes
ID- Notes
:
;
;
, ;
;
49 .
Domino Directory
Domino Directory , . 11-9 11-10.
11-9. , Server
11-10. , Person
Check password? ( ?)
Required Change Interval (
)
Grace Period ( )
-
. ,
,
, Notes
(
Person)
,
, .
,
Notes
. .
1. . Server
, .
Server Security (), .11-9.
Check passwords on Notes IDs ( Notes)
Enabled ().
.
, Server.
, Notes Domino, ,
Notes . ,
.
. 11-9.
2. ,
AdminP.
, .
Person.
:
) Domino Directory People View ,
.
) Actions () Set Password Fields (
).
) Notes Set Password Fields ( )
You are about to set the password fields for the selected person records.
Do you want to continue? (
. ?). Yes ().
) . Check Password ( ) Check password ( ), Required Change Interval ( )
Grace Period ( ); . ,
, ,
90 , 30
, 90 30 ( -
, ).
) OK. Administration Process (adminp)
Domino (Domino Server Administration Request Database, admin4.nsf), Notes Completed
Successfully ( ), ,
.
3. Adminp .
, Set password information ( ).
, Adminp, ,
. . 2 . 11-10.
. 11-10. Adminp
4. Adminp .
Adminp
,
.11-11.
Person , ,
Check Password ( ), Change Interval ( )
Grace Period ( ) .
, Password digest ( )
Person . , .
, Notes ( ), Notes
, , , , , Person.
true.
. 11-11. Adminp
, admin4.nsf
. Adminp Grace Period ( ) Change
Interval ( ) ID- Notes.
admin4, , Notes Grace Period ( )
Change Interval ( ).
ID- .
Notes, , , 11.1.
11.1. Notes
PWD_KEY_HDR
Type: 0000
Version: 0000
LastChanged: TIMEDATE
NumDomains: 0001
NumOldPwds: 0001
OldPwdTotLen: 0214
Adminp ,
Password digest ( ) Person
Last Changed Date ( ), . , Person, . 11-12.
, Person , Notes .
. 11-12. Person ,
ID- Notes
, , , .
11.10.2
, Notes , . Notes
.
NOTES.INI CertificateExpChecked. ID- Notes, ,
Notes. Lotus Notes Notes .
, CertificateExpChecked, , Notes,
, , ,
, , ; , 11.2.
11.2.
Where = (
+ )
{
If ( - ) < (25% )
{
}
, CertificateExpChecked,
.
. 11-13.
Password Expiry
( ), . 11-13.
.
OK , .
Server,
, . , Person
Check Password ( ).
, , . 11.13.
,
, .
, . 11-14. .
22/04/2001 :
( ) + ( , ID)
. 11-14.
R4 , OK. ,
, . .
R4.6.7, R5 Version 6
, .
OK , , , , . 11-15.
, .
,
, ,
.
.
. 11-15.
R5 Version 6
, ,
(
, ).
R4.6.7
; , ,
.
30. R5 Version 6,
30- , ID- Notes, -
. 30- ,
, Person
; 30- , ,
,
.
, ,
, . 11.16.
Notes .
, Person, , -
. 11-16.
. , ,
, ,
, Notes, .
.
,
, adminP. , ,
, .
, Person .
, ,
Adminp .
, Person, , ( , ID- Notes
).
ID-, user.id ,
Person ,
. , , Person, Adminp.
. 11.17 Adminp, .
Administration Process
Person Password Digest (
) Last Change Date ( ), ID- .
ID- . .
,
49 , Notes ( ), , . 11-18.
. 11-17. Adminp,
,
, , .
. 11-18. ,
11.10.3
,
. , -.
, , -,
. , , . ,
, , , .
: Connection failed because of a problem with clock synchronization and password change intervals. Check your clock setting, change your password, or
consult your system administrator ( -
.
, ).
-, , Notes Person .
[Flowchart residue: the diagram checks the NOTES.INI setting CertificateIsExpChecked, then the Server and Person documents (Person = EMPTY?), compares the ID against the Person document, applies the 25% threshold, prompts with dd-mm-yyyy dates, and ends with an AdminP update.]
. 11-19. -
- . 11.19, 11.3.
11.3.
if NOTES.INI CertificateIsExpChecked =
{
//
else
{
//
if ( > ) or ( < )
{
//
print , dd-mm-yyyy
}
else
{
//
if ( - ) < (25% )
{
print : ddmm-yyyy
}
}
}
if
{
//
if Server
{
if Person
{
if Person = EMPTY
{
//
if Person = EMPTY
{
//
ID
Person
AdminP,
else
{
//
if + 3 >
{
//
ID
Person
AdminP,
else
{
//
AdminP,
}
}
}{
//
if Person = EMPTY
{
//
print :
(...)
ID-
else
{
//
If ( + ) <
- )
{
//
print :
(...)
ID-
else
{
//
if
{
//
ID
Person
AdminP,
else
{
//
if ID = Person
{
//
if ID-
{
//
print :
(...)
ID
Person
AdminP,
else
{
//
}
}
else
{
//
}
}
}
}
}
}
}
11.10.4
Adminp. Person Adminp
Notes,
.
,
(, Warning: Your password will expire on dd/mm/yy),
Server .
Notes
. ,
, Last
Change Date ( ), Grace Period ( ) Expiration Date ( ), .
. 11-20. ( )
. , . names.nsf , Domino , . Person (, )
,
, Domino Directory.
. ,
adminp-. 12 . , adminp-.
. , , adminp- . , ,
Person.
. adminp
adminp. , adminp
, adminp
, Person.
11.10.5 iNotes
iNotes Web Access Domino, : iNotes
,
?
iNotes - ,
. ,
, Notes.
iNotes Web Access Notes,
Notes. -.
11.11
Notes
(ACL),
.
ACL . Domino Designer 6 .
IBM Redbooks Domino 6 Designer: A Developers Handbook, SG24-6854.
Domino Notes , ,
. , ,
, , , , , .
, ,
.
.
. , UserCreator ACL Domino Directory
, Person.
ACL:
-Default-;
Anonymous ();
;
LocalDomainServers ( );
OtherDomainServers ( ).
ACL Anonymous ()
Person ACL.
ACL : Anonymous () -Default-. Anonymous () . -Default-
, Anonymous () .
Anonymous () -Default- , Domino Directory. , LocalDomainServers ( ) Domino Directory
ACL . Anonymous () .
-Default , -Default-,
, , , -. , ACL Anonymous (), ,
, -Default-.
-Default-
.
, -Default-, . No Access ( ), ,
. Author () Reader (), . -Default-
Unspecified ().
-Default- ACL .
Anonymous ()
Anonymous () - Notes, .
ACL- Anonymous ()
(.NTF-) Reader (),
.NSF- .
ACL- Anonymous ()
(.NSF-) No Access ( ).
-
-
, . ,
, Manager (). Manager ()
Designer ().
LocalDomainServers ( )
LocalDomainServers ( )
, , , Domino Directory.
LocalDomainServers ( ) Manager
().
Designer
(). LocalDomainServers ( )
, OtherDomainServers
( ).
OtherDomainServers ( )
OtherDomainServers ( ) , , ,
Domino Directory.
OtherDomainServers ( ) No Access ( ).
ACL
-
, ACL
(*).
. , ACL
, , , -.
ACL- .
*/Illustration/Production/Acme/US
:
Mary Tsen/Illustration/Production/Acme/US
Michael Bowling/Illustration/Production/Acme/US
:
Sandy Braun/Documentation/Production/Acme/US
Alan Nelson/Acme/US
ACL. ,
*/Illustration/*/Acme/US
Michael Bowling/Illustration/West/Acme/US
Karen Richards/Illustration/East/Acme/US
- ACL
Unspecified, Mixed Group Person Group.
ACL Notes -, SSL-.
Notes
, John Smith/Sales/Acme, ,
, .
- , User name ( ) Person.
. User name ( ) ,
;
. ACL
Domino, Server .ACL-.
ACL ,
. , (, Server1/Sales/Acme), ,
, .
(, Training) ACL , .
. . ACL,
Domino Directory, Domino Directory LDAP, Directory Assistance.
ACL . ACL :
ACL
. ACL, Domino Directory LDAP-, .
, .
.
. ,
, Manager () Designer
(). , Domino Directory
, ACL . , .
Domino Directory Deny List Only, . Deny Access ( ) Server
Notes, Domino.
, ACL
. Domino Directory,
Add deleted user to deny access group [ Deny Access ( )], ;
, No Deny Access group selected or
available [ Deny Access ( ) )].
, Notes. ACL. , . , Sandra Brown/West/Sales/Acme
Sandra Smith/ANWest/ANSales/ANAcme, AN .
LDAP
-
LDAP-. - ACL
.
LDAP- ,
-, ACL Notes. , - Web- Domino. Web- , ACL Web (),
- Web (), LDAP-, Domino Directory.
, , ,
Directory Assistance Web- LDAP Directory Assistance LDAP- Group Expansion ( ).
Notes, LDAP- ACL .
LDAP- ACL LDAP- , (/), (,). , LDAP- :
uid=Sandra Smith,o=Acme,c=US
ACL :
uid=Sandra Smith/o=Acme/c=US
LDAP- ACL . , LDAP-
cn=managers
ACL
managers
LDAP- ACL. ,
cn=managers,o=acme
ACL
cn=managers/o=acme
, , , (cn, ou, o, c), ACL .
, ACL :
cn=Sandra Smith/ou=West/o=Acme/c=US
Notes, ACL
:
Sandra Smith/West/Acme/US
. LDAP-,
Domino Directory, Domino 6 -
, Domino ACL.
. 8, .
Anonymous ()
, , Anonymous (). - Notes, .
, . , , Anonymous () . Reader () .
. 11-11 .
11-11.
-
Anonymous
no access (
) ACL
Anonymous () No Access ( )
Read Public Documents ( ) Write Public Documents ( ),
Anonymous ()
.
ACL
,
Anonymous
()
ACL
-Default-.
, -Default- Reader () ACL Anonymous, ,
,
Reader ()
.
(
, -
),
-Default-
[ ,
Anonymous (), ,
-Default-], , , . , Anonymous () Reader () ,
.
. , ,
, ACL Anonymous () No Access
( ), Read Public Documents (
) Write Public Documents ( ).
- ACL .
Domino Anonymous ()
. , Anonymous ()
Author () ACL , Authors () . Domino
Notes,
- Authors () .
Authors () , , ;
, .
@DbColumn @DbLookup ,
, , ACL , . , , Reader () , .
.
ACL : 85255B42:005A8fA4. , ,
.
,
,
-Default- Reader () .
ACL
ACL , , , . , ,
Anonymous ().
ACL
ACL. ACL . , Sandra E Smith/West/Acme Sandra E Smith/West/Acme/US Sandra E Smith. ,
(, ),
, ,
, ACL. ,
.
. ACL, ,
, ACL,
, ,
.
, ACL -. ,
, -,
, -.
, ACL ,
, -Default-.
ACL
, ACL .
, ,
. 20 , .
Manager () ACL ACL.
-
,
, Notes , Notes. Maximum Internet name & password access ( - )
. Notes.
,
TCP/IP- SSL-. SSL- , SSL-.
SSL- , ACL .
Anonymous () ACL ,
.
, , .
, Notes
, ,
, Maximum Internet name & password access ( -
).
! ,
ACL ,
.
, Sandra Smith/West/Sales/Acme
Web- .
Sandra Smith/West/Sales/Acme ACL Editor (),
Maximum Internet name & password access ( ) Reader (), Sandra
Reader (). , Sandra Smith/West/Sales/Acme ACL Reader (), Editor (), Sandra Reader ().
Sandra Smith Notes
, Sandra Editor ().
Editor (). , , , -.
! , .
No Access ( ),
Notes -,
SSL- .
Domino 6
, ,
, . ,
,
, .
.
Effective Access ( )
Effective Access ( ) . Domino Directory
.
,
ACL Effective Access ( ). , :
, ACL .
.
, .
Full Access Administrators (
), ,
.
, Names () Calculate Access (
).
! ,
Unrestricted with Full Access ( ),
ACL . ,
Effective Access ( ), ACL . ,
,
, .
ACL
Domino 6
Domino 6 , , enforce consistent ACL ( ACL), .
,
. R6 Domino
. , , Enforce a consistent Access Control List ( ). ,
.
.
, Enforce a consistent access control list ( ) ACL , . . , , . ,
, ACL. , , ,
ACL , .
Enforce consistent ACLs ( ACL):
,
( );
,
( ) Domino Directory.
Enforce consistent ACLs ( ACL):
,
( );
, ( ).
ACL
ACL
-Default- No access ( ). , Default-, ,
, -. Default- No Access ( )
, ACL (
-Default- ACL).
, ( ), Manager (). , ,
. Designer (), .
LocalDomainServers (
) Manager (). LocalDomainServers ( ) , , , Domino Directory. LocalDomainServers ( )
Manager ().
Designer ().
ACL
,
, ACL.
(, Server1/Sales/Acme), ,
, .
ACL .
, Person Group , .
, ACL
. adminp
. Domino Directory
ACL , .
ACL, . ,
, Designers ().
, , . Designer
() ACL.
, ACL,
. ,
, . , , , , , , , .
ACL . Administrators (). .
, .
, Administration Process ACL. Administration Process
, , , , , Domino
Directory ACL , , Administration Process .
Readers () Authors () .
Administration Process Access Control List ( ) Multi-ACL
Management ( ACL) .
Depositor () No Access
( )
, . ,
, , , .
Enforce a consistent Access Control List (
) ,
Manager () ,
.
. ,
.
, ,
SSL-. Secure Sockets Layer (SSL)
,
Domino, TCP/IP.
SSL-
.
11.12
:
.
, , (inbound relay controls) - ,
(inbound recipient controls) .
. , Domino Secure Sockets Layer
SMTP-, IMAP POP3. Notes Notes ID- - X.509. X.509.
Notes ( ) S/MIME
, .
S/MIME
Notes . 6, .
11.12.1
80-, . ,
(flooding). SMTP-, . , .
. . Domino
, .
Domino, ,
, . IBM Redbooks Lotus Domino 6 spam
Survival Guide, SG24-6930.
,
, ,
. . .
, :
, ;
-, .
. , , Domino
, .
.
,
Configuration Settings [Router/SMTP
Restrictions and Controls ( ) SMTP Inbound
Controls ( SMTP)].
. ,
.
Allow messages to be sent only to the following external Internet domains
( -)
-, Domino . Domino
.
- .
, abc.com xyz.com Domino , abc.com xyz.com.
.
@ . ,
@xyz.com, , xyz.com, User@xyz.com. , xyz.com, User@
uvwxyz.com User@abc.xyz.com, .
Domino, ,
(%); , %AcmeEast, ,
Domino- AcmeEast.
Deny messages to be sent to the following external Internet domains ( -)
-, Domino .
(*) -.
Domino ,
. .
, abc.com, Domino -, abc.com. Domino abc.com.
@ . ,
@xyz.com, , -
, xyz.com, user@xyz.
com, , xyz.com, user@server.xyz.com.
Domino (%);
%AcmeEast Domino- AcmeEast. SMTP-
Domino , FAX-.
Allow messages only from the following Internet hosts to be sent to external
Internet domains ( - -)
, Domino SMTP .
, Domino , . .
IP- , Domino ,
-. , lotus.com
ibm.com, Domino , -, , lotus.com ibm.com. Domino , .
Deny messages from the following Internet hosts to be sent to external Internet domains ( -)
, Domino SMTP .
, Domino ,
. Domino .
IP- ,
Domino ,
-.
, lotus.com. Domino
- , , lotus.com. Domino
- lotus.com.
Domino,
(*) .
.
(*) . ,
Allow...
.
;
[127.*.0.1].
. , [123.234.45-*.0-255] ,
, 45.
; Domino
, .
IP- ,
[127.0.0.1].
Allow... . , ,
,
, . ,
, , , .
, Allow.... . 11-12 , Domino
Allow... Deny... .
11-12.
xyz.com
xyz.com,
smtp.efg.
com
smtp.efg.com smtp.efg.com
-
, xyz.com,
11-13.
qrs.com
, ,
relay.abc.com,
Allow messages only from the following Internet
relay.abc.com Relay.abc.com
hosts to be sent to external Internet domains
(
,
- qrs.com
)
qrs.com
. Domino Release 5, ,
, -
,
. Release 5
SMTPRelayAllowHostsandDomains NOTES.INI.
, Domino Deny.... , Domino xyz.com . 11-14.
11-14.
-
Domino 6
(blacklist, blackhole list) (, Open Relay Database Spamhaus Project).
(unsolicited commercial e-mail, UCE), , ,
Domino - SMTP-
DNS (DNS blacklists, DNSBL).
DNS , DNSBL-, SMTP-,
.
DNS SMTP-
Domino DNS- . Domino Mail Routing Events (
) Notes Log. ,
( DNS-) IP- ,
, .
, Domino , ,
Notes ($DNSBLSite) ,
.
DNS
- DNS
, SMTP , ,
. , IP- DNS.
Domino -
, .
, Domino DNS- .
,
, DNS.
Domino DNS- . DNS-, -, . DNS-, , ,
, Domino DNS- .
DNS- DNS- .
.
, ,
.
, ,
, ,
. , .
-,
DNS.
, DNS
DNS- Domino
DNS , ,
SMTP.
, , . , Domino [Router/SMTP Restrictions and Controls
( ) SMTP Inbound Controls (
SMTP) Perform Anti-Relay enforcement for
these connecting hosts ( )]. , ,
.
, DNS
Domino , -
:
;
;
.
Notes : IP ( DNS- ), , .
.
. , Domino ,
, ,
, .
Domino Notes , , . Domino
, , $DNSBLSite , , MAIL.BOX. $DNSBLSite , .
$DNSBLSite , , . ,
, , .
,
, ,
DNS. ,
, ; , , . , , , .
DNS
SMTP ,
, DNS , , . SMTP, , , .
Domino Administrator SHOW STAT SMTP . -
, , IP-
DNS. SMTPExpandDNSBLStats NOTES.INI . - , , Domino
.
Domino 6
Configuration Settings SMTP
, .. , -.
Domino , , .
,
,
. :
. Domino ,
-. ,
,
, Domino - ( ).
. Domino
SMTP-.
, .
IP-. . ( IP- ), .
Domino 6
Domino . ,
Domino ,
Deny messages from the following Internet hosts to be
,
(, ) . IMAP- POP3-, Domino - , ,
Domino .
IP-
.
,
(, sendmail,
Domino) IP- Exclude these connecting hosts from anti-relay checks ( ).
Domino .
, , -, SMTP- Domino
Domino -.
.
, IMAP- POP3-,
-, , .
Yes (), POP3- SMTP- . POP3- SMTP-.
11.12.2
Configuration Settings Domino , , , Domino , .
Domino 6
ND6 (Inbound Intended
Recipients Controls) . , . MAIL.BOX.
Verify that local domain recipients exist in the Domino Directory (
Domino Directory) Enabled (), Domino ,
DNS-. Domino DNS PTR-,
IP- . Domino
- DNS
PTR-, .
Domino , SMTP- Mail From.
All messages intended only
for the following ( , ).
. REDP-3622.
Domino 6
, , .
, , MAIL.BOX, Domino . , ,
.
:
;
MAIL.BOX;
;
;
.
, , ,
make money fast, .
,
, ,
(EXE, VBS, VBE, SCR . .), ,
, , .
, Domino
, .
, , Domino
, . ,
Don't deliver message/Send NDR ( / NDR), , , .
. Domino ,
don't accept message ( ),
MAIL.BOX,
, . , SMTP- Domino
, SMTP-
, , .
, ,
-. ,
, Notes, MAIL.BOX,
, , .
. ,
, , .
Messaging Settings. Domino ,
Configuration Settings.
Configuration Settings
MAIL.BOX.
Messaging ()
Configuration Settings , .
,
, (. 11-15).
11-15.
Notes, Router
, .
: Sender (), Subject (), Body (
), Importance (), Delivery priority ( ),
To (), CC, BCC, To or CC ( CC), Body or subject (
), Internet domain (-), Size (in bytes) [
()], All documents ( ), Attachment name (
), Number of attachments ( ), From (),
Recipient count ( ) Any recipient (
). All Documents ( ),
, MAIL.BOX
Router .
, Attachment Name (
) is () ,
, ,
.
:
contains (, );
does not contain ( , );
is ();
is not ( );
is less than (, );
is greater than (, ).
.
, Attachment Name (
) contains () .VBS,
, ,
, .VBS, LOVE-LETTER.VBS,
CLICK-THIS.VBS.TXT MY.VBS.CARD.EXE.
, (*).
, contains ()
. ,
, ,
.VBS, Attachment
Name contains .VBS, Attachment Name is *.VBS..
.
, (. . 2, two)
:
.
. .
, , , , Add Action ( ) (. 11-16). .
11-16.
Journal this message
Move to database
Don't accept message
Don't deliver message
Change routing state
Router .
Router/SMTP Advanced () Journaling
()
Router MAIL.BOX ,
, GRAVEYARD.NSF.
. .
Domino , Router
.
NDR , .
Domino SMTP-,
SMTP , ,
.
SMTP ( 500) ,
,
.
.
, Notes, Domino
, ,
.
, Notes,
, ,
Domino , , ,
:
Silently delete ( ) Domino MAIL.BOX
;
Send NDR ( NDR) Domino . MIME Notes Richtext,
Notes,
Domino , .
RoutingState
HOLD.
Router MAIL.BOX ,
. Domino ,
, , .
. ,
(,
) RoutingState
, . , , . , , , .
Configuration Settings ,
.
Configuration Settings .
.
. , Server Configuration Settings. 5 .
,
set rules.
MAIL.BOX (
Notes, S/MIME, PGP . .), , (, ), ,
.
. , .
, , .
Notes ( Form
); , MIME. , MAIL.BOX,
Notes, -
MIME. , SMTP, Memo, SMTP,
Domino NonDelivery Report. Notes:
Appointment,
Delivery Report,
Memo,
NonDelivery Report,
Notice,
Reply,
Return Receipt,
Trace Report.
DOLS
Offline Security Policy. , ,
,
, .
Offline Security Policy Offline
Services Configuration () Domino Administrator. Security () DOLS subscriptions (. 11-17).
11-17. DOLS
ACL subscription ,
. Anonymous ()
No Access ( )
, Offline
Subscription Configuration Profile ,
DOLS Offline Configuration ( DOLS)
subscription Lotus Domino Designer 6
Tighten security on offline
data (
subscription
)
, Offline
Subscription Configuration Profile
Tighten security for all
DOLSsubscriptions on the server subscriptions ,
(
DOLS Resource (DOLRES.NTF);
) DOLRES.NTF; Designer
11.14 Notes
Domino 6
Notes . Notes 6 ,
Notes, User Security ( ). Notes 6
.
User Security ( ) :
Notes Windows
Web/- Domino;
Notes Notes,
;
;
-,
- Notes ;
Notes -;
Notes -
;
Notes
; , , ,
;
,
.
User Security ( )
. Notes 6 Client Help.
, . , :
Notes -, Person
.
,
( Notes -) ;
, ,
, ,
.
Notes - . 11.7, - Notes.
-.
! , -,
-
, / Person
-.
.
ECL.
(Execution Security Alerts, ESA) ,
, . ECL . ECL , , .
11.14.1 -
- , . -
Notes. , - -, .
- , . Notes - -, PIN
- .
- Notes . Notes 6 Client Help.
- . Domino 6 Administration Guide.
-
- , /
Person -.
.
, ID- (ID File Recovery),
-.
11.14.2
(Execution Control List, ECL)
-
, . ECL , , , ,
.
, ECL , , .
,
, , , ,
, , ,
(hot spots), (,
).
ECL: ECL , Domino Directory (NAMES.NSF), ECL ,
(NAMES.NSF). ECL ECL
. ECL
Notes. ECL Domino Directory
Notes ECL .
ECL . ,
. , , Domino
Notes, Lotus Notes Template Development. , , , .
ECL , ,
, ,
,
.
,
, ECL, Notes
(Execution Security Alert, ESA),
,
ECL. :
Do not execute the action ( ). .
Execute the action this one time ( ). . .
ECL.
Start trusting the signer to execute this action ( ).
ECL ECL.
.
. ECL ,
ECL .
.
Domino 6
More Info ( ). ,
, , Notes,
, .
, , ,
. More Info ( ),
, .
Domino 6
Notes 6 ECL User Security ( ). What Others Do ( )
User Security ( ), , JavaScript.
, , JavaScript
.
Domino 6 Administration Guide Lotus Notes 6 Client Help.
ECL
Domino ECL
, . ECL
ECL .
Notes ECL Domino Directory Notes.
ECL Notes . , John Doe
John Doe ECL.
Notes (,
), ECL , ECL .
. ECL
. ECL
ECL ECL
ECL ,
. ECL
. ECL
ECL .
ECL ECL . ECL
ECL. , -
ECL
, , , .
, ECL .
ECL :
ECL , , ECL .
.
, ( ) .
.
. ECL (,
, , ECL), Allow user to
modify ( ) ECL .
.
, , . ECL,
, , .
,
(, Enterprise ECLApp Signer/West/Acme). ,
,
. ECL .
12
Lotus
Notes Domino
Lotus, .
, Lotus:
Lotus Team Workplace (QuickPlace);
Lotus Web Conferencing and Instant Messaging (Sametime);
Lotus Domino Web Access (iNotes);
Lotus Workplace Messaging;
WebSphere Portal Server;
Lotus Domino Everyplace;
Lotus Sametime Everyplace.
Notes Domino,
Notes/Domino.
Lotus
519
. 12-1. /
12.1.2
(place) QuickPlace , .
.
QuickPlace (Contacts1.nsf) .
, .
.
, , . , , .
.
LDAP-
QuickPlace LDAP-
,
LDAP- . (, ) LDAP- QPTool
, .
QPTool ,
. QPTool
:
;
;
;
;
;
;
;
;
PlaceTypes ( );
PlaceTypes;
;
;
PlaceTypes;
Place Catalog ( );
;
;
dead mail ( );
E-Mail API.
, John Smith LDAP- , LDAP- QPTool- updatemember .
QPTool , QuickPlace, . Lotus QuickPlace 3.0
Administrators Guide, Lotus QuickPlace, Web- :
http://doc.notes.net/uafiles.nsf/docs/QP30/$File/na5d3fus.pdf
.
. LDAP-
, .
,
, .
QuickPlace
, LDAP (Lightweight Directory Access
Protocol) 3, Domino LDAP
LDAP-. , QuickPlace
LDAP- .
12.1.3 QuickPlace
QuickPlace Web-
QuickPlace:
. . . .
. 12-2.
12.1.4 QuickPlace
QuickPlace
, .
, (room) QuickPlace Server
Settings ( ),
Members Customize ( ).
QuickPlace
QuickPlace. , :
QuickPlace.
,
QuickPlace.
, QuickPlace.
. , , .
( super user) QuickPlace.
,
QuickPlace. ,
.
. ,
.
12.1.5
Server Settings QuickPlace . ,
:
ActiveX Java- ;
(PlaceBots) ;
,
;
Sametime;
Domino Offline Passthru Server;
Alternate Offline Download URL;
URL- ,
QuickPlace -;
, .
Sametime 3 Connect :
1. Sametime (handshake)
(630-) Sametime.
2. ,
( 10 ).
3.
, .
4. , .
, Sametime
connect.ini. connect.ini . , connect.ini, RSA RC2
40.
, .
Sametime- Sametime , Sametime 1.5 .
! - Sametime
(, AOL), .
.
RSA RC2 128- . Sametime Connect.
12.2.2 - Sametime
. 12-1 -, .
12-1. - Sametime (columns: SOCKS 4, SOCKS 5, HTTP, HTTPS; rows: Connect, Meeting Room, Broadcast; cell values not recoverable from the extracted text)
, Sametime
Connect .
SSL Web- Sametime. SSL HTTP, . SSL Domino SSL Sametime-. Domino SSL . 6.2.5, Secure
Sockets Layer.
Sametime-
Sametime- , , , .
.
, ,
.
! , .
.
(Online
meeting center). ,
Meeting Center. . , . Meeting
Center , unlisted meeting ( )
, .
, .
. .
, , , NetMeeting,
, .
Web- Sametime , .
Sametime.
, Sametime , SSL (Secure Sockets Layer)
HTTP- Sametime- ( ), Web- HTTP-.
Sametime
HTTP- Sametime Web-. , Sametime
Sametime (stcenter.nsf), .
Sametime.
(access control list,
ACL) Sametime Sametime
Sametime Meeting.
Sametime,
Sametime,
ACL, :
Sametime Online Meeting Center (STCONF.NSF), ACL
No Access ( ) .
.
Sametime Web Admin (STADMIN.NSF), ACL
.
Sametime. -
Sametime.
ACL
ACL Domino,
Sametime Meeting Center.
Anonymous () Default No
Access ( ), ACL
. Anonymous () Default No Access ( ) , ,
ACL, .
Default.
ACL ,
,
. , ACL ,
Default.
Sametime
Sametime , Sametime. Sametime Development/Lotus Notes
Companion Products.
,
Sametime, ,
Sametime:
STCONF.NTF,
STDISC50.NTF,
STTEAM50.NTF,
STSRC.NSF.
,
ACL Run unrestricted
agents ( ) Server Sametime.
ACL :
: Reader ();
: Group Creator ( ), Group Modifier ( ),
UserCreator ( ), UserModifier ( ).
LDAP-
SSL
, Sametime- LDAP-. , Sametime- LDAP-,
, Sametime.
, Sametime- LDAP-,
:
1. Use SSL to authenticate and encrypt the connection between the
Sametime and the LDAP server ( SSL
Sametime LDAP-) Sametime Administration Tool.
2. Directory Assistance LDAP- .
3. Sametime LDAP-. SSL , Sametime- LDAP, :
Encrypt all data ( ).
( ),
Sametime LDAP-.
SSL-
Sametime LDAP-. , .
Encrypt only user passwords ( ).
(, ), Sametime- LDAP-. ,
Sametime- LDAP- SSL.
, .
Encrypt no data ( ).
Sametime- LDAP- .
, ,
, Sametime- LDAP-, .
, Sametime- LDAP-, . Sametime Server Administrators Guide,
Sametime, Lotus Developer Domain :
http://doc.notes.net/uafiles.nsf/docs/QP30/$File/na5d3fus.pdf
Configuration () Meeting Services
( ) Sametime Administrator Encrypt all Sametime meetings ( Sametime-). T.120 , , Sametime Meeting Room Sametime
Broadcast Sametime . RSA RC2 128-
. , , , .
, Configuration () Meeting Services (
) Sametime Administrator Require all scheduled
meetings to have a password ( -
), . 12-3.
, .
,
.
12.3.1
Domino Notes,
ID- Notes .
Domino iNotes Web Access Web- ID- Notes . , Domino
.
Notes
, iNotes.
X.509
, ID- Notes, Web-, X.509 iNotes. ,
ID- Notes, X.509
.
6, .
. ,
, .
Save this password in your password list (
) . . (replay attack),
.
(realm),
Domino . ,
URL-, ( ), .
yourserver/mail.
, , yourserver/help/help5_client.nsf, , yourserver/help
yourserver/mail.
,
Domino.
, , 30 , , .
, . iNotes Web Access
Logout, ,
.
,
back ()
,
.
,
iNotes Web Access.
, - .
! .
iNotes Web Access ,
.
Forms5.nsf
Forms5.nsf , iNotes Web Access.
JavaScript-, HTML- , iNotes Web Access.
iNotes Web Access , Anonymous () Reader () {
}\iNotes\Forms5.nsf. Catalog.nsf , , Domino
Administrator Files () Notes.
,
, iNotes.
12.3.2
Domino R5.09 iNotes
iNotes. . , .
:
(snooping). , .
.
.
,
, .
Preferences ()
iNotes. Other () Encrypt mail file locally ( ). .
, , , . , :
1. , Offline Sync Manager.
2. iNotes Web Access Preferences () - Other (),
Encrypt local mail file ( ).
3. Go Offline ( ), Install
Subscription ( ), (
).
12.3.3
-
iNotes Web Access Notes, , , (to do list) : , - .
-
Internet Explorer -. Internet Explorer 5.01 Tools () Internet Options ( ) Advanced (), Empty temporary Internet
file folders when browser is closed (
).
12.3.5
Notes
(Execution Control List, ECL). ECL
.
, ECL , Domino . ECL . Lotus Domino Administrator 6 Help.
,
. Web- ECL
. iNotes
Web Access, , , . . ,
, .
.
,
.
, (, ,
ECL).
12.3.6
() iNotes Web Access.
Cookie-
, cookie- , . Cookie-
/ .
iNotes Web Access , cookie-. iNotes Web Access cookie-
Shimmer, . cookie-
.
iNotes Web Access iNotes Web Access
. HTML-,
, ( HTTP- Cache-Control) no-cache, , . , , JavaScript, .gif-
Web-
WebSphere Portal
Lotus Collaboration
12.5.1
Portal Server ,
. .
. WebSphere Portal Server IBM
WebSphere Application Server. - Trust Association Interceptor (TAI).
WebSphere Application Server
LDAP- CustomRegistry , LDAP. WebSphere Application Server Trust Association Interceptor (TAI) Netegrity SiteMinder, Tivoli Policy Director Tivoli Access Manager,
, WebSphere Application Server. , WebSphere Application Server (single sign-on) Domino, WebSphere Application Servers
, Tivoli Access Director Policy Director WebSEAL.
WebSphere Portal Server (Custom Form-based Authentication mechanism), WebSphere Application Server , .
WebSphere
Application Server /wps/myportal WebSphere Application Server All Authenticated Users ( ) Custom Form-Based Challenge ( ).
WebSphere Application Server
, Portal Server.
WebSphere Application Server
: WPS, (, LDAP-) - CustomRegistry.
(, Policy Director WebSEAL)
. WebSphere Application Server
Portal Server TAI.
Portal Server
,
WebSphere Application Server -
. -
-
WebSphere Application Server,
(, Policy Director
WebSEAL). WebSphere Application Server Trust Association Interceptor (TAI) -
. - , WebSphere Application Server, LTPA-. Policy Director WebSEAL.
Trust Association Interceptor WebSphere Application Server, (Security Center)
WebSphere Application Server trustedservers.properties.
, WebSphere Application Server TAI, , .. , , . TAI (Distinguished Name, DN), . WebSphere Application Server
,
. , , WebSphere Application Server . , WebSphere Application Server LTPA-
cookie- .
WebSphere Application Server TAI Tivoli Access Manager Tivoli
Policy Director. WebSphere Portal Server TAI SiteMinder,
TAI Portal
Server.
TAI .
- , Portal Server -
TAI LTPA-.
WebSphere Application Server -
WebSphere Portal Server Portal
Server, LDAP-,
( ).
WebSphere Application Server CustomRegistry
. LDAP
WebSphere Portal Server , WebSphere
Application Server,
.
.
, . , LDAP-
,
. Member Services Portal Server, ,
.
WebSphere Application Server .
(, LDAP-)
Portal, WebSphere Portal Server,
Customer User Registry (CUR). Member Services
.
, . , , . WebSphere
Portal Server .
(single sign-on) WebSphere Portal Server ,
,
.
Credential Service
Credential Service , LTPA- .
Principal JAAS Subject,
(credential vault service). Credential Service
JAAS Subject. Credential Service
Tivoli Access Manager SiteMinder JAAS Subject .
(Credential Vault) , , . -
, ,
, .
WebSphere Portal Server
. (Default Vault)
, , ,
. , , , POP3, ,
. , , ;
.
, base64.
, ,
(Vault Adapter) . (Vault
Adapter Implementation):
was_root/lib/app/config/services/VaultServices.properties
,
. (Vault Segment) Credential Vault.
WebSphere Portal Server , , Tivoli Access Manager. Portal Server
Tivoli Access Manager, AIX, Solaris Windows. . . . Credential Vault.
12.5.2
,
Access Control List.
Application Server - . Application Server
EJB (Enterprise Java Beans). WebSphere Portal Server
, , . WebSphere Portal Server .
WebSphere Portal Server ,
Tivoli Access Manager SiteMinder
.
. ,
WebSphere Application Server
Administrative Role. ,
, (Security Center)
Application Server.
, .
, DELEGATE, ,
.
: VIEW, EDIT, MANAGE CREATE. -
,
. WebSphere Application Server. .
DELEGATE
DELEGATE . DELEGATE, (, ),
.
(VIEW, EDIT, MANAGE, CREATE), ,
. DELEGATE . DELEGATE ,
. , Sandy EDIT DELEGATE
Financial DELEGATE , Fred, Sandy Fred VIEW EDIT Financial.
Sandy MANAGE , MANAGE .
.
, , . MANAGE DELEGATE
. Access Control List,
, .
, . .
, . ,
.
Access Control List .
WebSphere Portal Server
.
, wpsadmin wpsadmins.
,
, wpsadmin. LDAP . wpsadmins ,
LDAP.
, ,
LDAP .
MANAGE PORTAL,
.
WebSphere Portal Server , XML- . MANAGE DELEGATE
. VIEW
. VIEW , .
Access Control List.
.
MANAGE .
DELEGATE DELEGATE
, . Portal Server . ,
,
.
WebSphere Portal Server
, , . WebSphere Portal Server
: Tivoli Access Manager Netegrity SiteMinder.
WebSphere Portal Server. ,
MANAGE DELEGATE
ACL.
,
Access Control List . , EXTERNAL_ACL, MANAGE DELEGATE.
. ,
, , ,
, MANAGE DELEGATE.
. Access Control List . Access Control List ,
,
MANAGE DELEGATE. Access Control List
.
, , ACL . ,
Tivoli Access Manager ACL Tivoli Access Manager.
WebSphere Portal Server
. WebSphere Portal Server.
.
. TAM SiteMinder . WebSphere Portal Server.
SSL
, SSL (Secure Sockets Layer)
.
SSL . , SSL .
WebSphere Application Server
Web-. ; . .
, WebSphere Portal.
.
-, Web- HTTPS. ,
(Certificate Authority, CA). IKEYMAN
.
, Web- , , Web-,
. SSL
Web- .
Web- , ikeyman,
HTTPD WebSphere Application Server.
. SSL
Web- WebSphere Application Server IBM WebSphere V4.0 Advanced
Edition Security, SG24-6520.
12.5.3
.
, , .
(Setup Manager) (, DB2) , 42 .
.
. ,
, , wpsbind wpsadmin , WebSphere
Portal Server.
12.5.4
install.log wps_root/install.
WebSphere Portal Server
LDAP XML-:
AppServer_home/lib/app/xml/wms.xml
AppServer_home Application Server.
LDAP Member Services,
.
was_root/lib/app/xml/wms.xml.
Member Services :
(Profile management). , Manage Users.
(User repository). ,
. . .
. WebSphere Portal Server.
(Group membership). Member Services
Portal Server.
.
Member Services :
. ,
, . , , ,
, , ,
. ,
(generic user). .
.
. ,
. .
,
, , Portal Server
, .
,
,
. Manage Groups.
. . ( LDAP-, ,
, ) .
Member Services LDAP-
.
, , , , . , , ,
, . .
, .
, , -, .
.
. .
WebSphere Portal Server. LDAP-
.
, LDAP.
<was_root>/lib/app/wms.xml
WebSphere Portal Server WebSphere Application Server . WebSphere Application Server
.
Member Services
LDAP- , Member Services,
.
, .
Member Services
Portal Server
Member Services XML-:
<was_root>/lib/app/xml/wms.xml
,
.
Portal Server :
.
CustomRegistry. XML-:
<was_root>/lib/app/xml/wms.xml
LDAP XML-:
<wp_root>/wms/xml/attributeMap.xml
,
. LDAP- inetOrgPerson, LDAP-.
wms.xml Member Services
. WebSphere Portal Server. ,
<DIRECTORY.../> , Member Services .
LDAP
Member Services ,
Java-, ,
. LDAP-,
LDAP- XML-:
<wp_root>/wms/xml/AttributeMap.xml
LDAP- Java- ,
Java- , LDAP-.
LDAP- , , , . LDAP- attributeMap.xml.
: , , ,
.
Portal Server ,
. , . WebSphere
Portal Server ,
. , Portal Server
. , ,
GlobalMarketing, , USMarketing. Portal Server
, USMarketing GlobalMarketing. USMarketing , GlobalMarketing. , GlobalMarketing File Server USMarketing World Clock, USMarketing
File Server World Clock. , Fred
GlobalMarketing File Server,
Sandy USMarketing
File Server, World Clock.
.
, WebSphere Portal, . WebSphere Portal Server.
, /wps/myportal, , /wps/portal/.scr/Login, . WEBSEAL TAI
Portal Server. /
wps/myportal.
WebSphere Portal Server , . , .
.
(common
names), WebSphere Portal Server. WebSphere Portal Server
, . , was_root\lib\
app\config\puma.properties:
WebSphere Portal Server . .
.
WebSphere Portal Server (self-care)
. ,
.
, , . .
,
.
, WebSphere Portal .
Portal Server (turbine
actions) .
Puma.properties Registration Servlet.
puma.UserValidator , .
JSP (Java Server Pages):
UserProfileForm.jsp , ;
UserProfileConf.jsp , ;
Congrats.jsp , ;
RegistrationError.jsp .
JSP-
JSP- WebSphere Portal Server
, . JSP- , , wps.Name, Name , . Name
inetOrgPerson LDAP-,
attributeMap.xml, , LDAP-. Portal Server, : 64 255
.
(Self-care) , ,
. Portal Server
, . Puma.properties
Registration Servlet. puma.UserValidator
, .
JSP-:
UserProfileForm.jsp . . , .
UserProfileConf.jsp . Continue
(). UserProfileForm.jsp
Cancel ().
RegistrationError.jsp .
DEAS- ,
Manager () Domino,
. , , DEAS-
Manager () Delete . localdomainserver .
Domino Everyplace
:
, .
.
Notes ( ) .
Internet password (-) Person.
IP- WAP- /
IP- WAP-.
Web- DEAS.
,
IP- WAP-, , Server. IP- WAP-,
IP-. IP-, ,
Permitted WAP gateway IP Addresses ( IP- WAP-).
IP- Restricted WAP gateway IP Addresses ( IP- WAP-).
( Phone.com).
, Phone.com, . , Server, Person, , . ,
.
( Phone.com).
DEAS- ( , , ),
.
, . , - - .
. ,
, .
.
STEP , WAP
1.1. . , STEP-.
STEP
STEP-
Sametime. STEP Sametime
. Sametime :
(STAUTHS.NSF) (STAUTHT.NSF), STEP Sametime.
STEP Sametime. STEP
.
STEP
STEP Sametime .
STEP . STEP- ,
STEP- , STEP- .
Sametime , ,
STEP. STEP Domino, , Sametime Domino,
STEP.
STEP Sametime, (STAUTHS.NSF)
(STAUTHT.NSF) STEP-.
STEP Domino
STEP Sametime, ,
Domino. STEP- Domino,
Sametime .
STEP Sametime , :
1. - STEP- Sametime.
2. STEP- Sametime.
3. Directory Assistance, STEP- .
12.8
Lotus, Notes
Domino, . Lotus, ,
, .
:
Lotus Team Workplace (QuickPlace),
Lotus Web Conferencing and Instant Messaging (Sametime),
Lotus Domino Web Access (iNotes),
Lotus Workplace Messaging,
WebSphere Portal Server,
Lotus Domino Everyplace,
Lotus Sametime Everyplace.
Notes Domino, ,
, Notes Domino.
, Lotus. ,
.
, , .
13
Lotus, , .
, .
,
.
13.1
Redbooks Company. Redbooks : , , . , . , ,
, , .
,
.
.
, .
.
: .
.
.
13.2 1.
, RedbooksCo , , . , ,
;
Web-. ,
Lotus Domino Domino Web Access (iNotes) , Lotus
Team Workplaces (QuickPlace) Lotus Instant Messaging (Sametime) .
, RedbooksCo , ,
. ,
, ,
.
Redbooks . (single sign-on, SSO) .
URL ( Matt Milza):
http://itsosec-dom.cam.itso.ibm.com/mail/mmilza.nsf
URL Web- .
. 13-1.
. 13-1.
,
. Lotus Sametime QuickPlace
, .
iNotes , , . 13-2.
iNotes RedbooksCo . RedbooksCo -
. 13-2.
, iNotes.
. ,
, .
13.3 2.
, RedbooksCo
. RedbooksCo .
, , ,
.
,
- (reverse proxy). - , - . , . - , .
. :
-, -; ,
- / ,
.
,
, ,
.
, .
SSL (Secure Sockets
Layer) -. , -.
Redbook
, URL, :
https://itsosec-dom.cam.itso.ibm.com/mail/mmilza.nsf
, SSL URL HTTPS.
- Domino SSL.
,
,
( SSL -)
.
,
-
. -.
-
Domino. -
, . , ,
https://itsosec-dom.cam.itso.ibm.com
you are not authorized ( ), . 13-5. - ,
.
. 13-5.
13.4 3.
RedbooksCo ,
: Domino,
, ,
. ,
, . ,
,
,
Domino Directory, .
, LDAP,
. -
13.5 4.
RedbooksCo , ,
, .
. , -
Lotus . ,
-, - Sametime
Sametime, RedbooksCo
. Sametime (3.1)
.
,
URL . (QuickPlace, Sametime, iNotes ..),
.
WebSphere Portal. . - , .
WebSphere Portal , RedbooksCo . - , , SSL- .
URL, :
https://itsosec-wps.cam.itso.ibm.com/wps/myportal
, . 13-6.
13.6 5.
RedbooksCo Web-
, .
13.7 6.
RedbooksCo SSL -. , LDAP-,
, , .
,
- WebSphere Portal / Lotus
.
.
RedbooksCo ,
,
- ,
. , -
, .
IBM Tivoli Access Manager (TAM). -
- - . ,
TAM , -. TAM
, - .
TAM -
TAM- -. TAM-
LDAP-. - . ,
TAM- . .
13.8 7.
RedbooksCo Web- .
Sametime, . , Sametime, .
, RedbooksCo,
, RedbooksCo.
13.9
RedbooksCo.
. Lotus.
.
.
14
,
, Redbooks.
(single sign-on, SSO)
.
14.1
(Domino, Sametime QuickPlace)
Lotus Domino, Sametime QuickPlace .
. 14-1 . ,
Web- Lotus, Domino. Lotus Domino LDAP,
Lotus Sametime Domino LDAP.
ITSOSEC-QP
ITSOSEC-DOM
ITSOSEC-ST
. 14-1.
14.1.1
Lotus Domino
:
1. Linux RedHat 8. sendmail telnet vncserver.
Lotus Domino.
2. Lotus Domino 6.01.
3. Redbooks
Servers. itsosec-dom/Servers/Redbooks.
4. Sametime QuickPlace.
itsosec-st/Servers/Redbooks itsosec-qp/
Servers/Redbooks .
5. : East West.
6. / East West
Lotus iNotes/Domino Web Access.
Lotus Sametime :
. 14-5.
9. Domino Directory . , Web SSO Configuration
Server .
HTTP, Web SSO. HTTP Tell HTTP Restart Domino.
14.1.3
SSO (Fully
Qualified Domain Names, FQDN).
Server . Basics (
) Server, . 14-6.
, FQDN, Ports () Notes
Network Ports ( Notes) Server, . 14-7.
14.2 -
, . WebSphere Edge,
SSL . Web-, , ,
Domino Directory.
. 14-9 ( ), .
-, Lotus Domino, ,
( ). /
.
. 14-9. Edge
14.2.1 SSL
SSL- SSL Lotus.
SSL / SSL-/.
, , Verisign.
Domino CA (untrusted) SSL-/ .
Edge Server
Web- :
http://itsosec-rp.cam.itso.ibm.com/admin-bin/webexec/frameset.html
:
, Proxy Settings ( -), HTTP.
. 14-12.
. 14-12. -
Privacy Settings ( )
HTTP- . Forward clients IP address to destination
server ( IP- ).
HTTP-, IP-
. . 14-13.
. 14-13.
. 14-14. SSL
Caching Filters ( ) - , -.
-
, HTTP-.
, . *//itsosec-dom.cam.itso.ibm.com/*
WebSphere Edge Server, . 14-15.
Last Modified Factor ( )
Domino, Edge.
URL- ?OpenImageResource ?OpenElement&FieldElemFormat=gif. Domino, -
( , HTML). . 14-16.
Basic Settings ( ) IP-, . . ,
IP-. . 14-17.
. 14-15.
. 14-17.
HTTP Methods (HTTP-) ,
Edge. ,
Domino, GET, HEAD POST.
, . . 14-18.
Request Routing ( )
. ,
. . 14-1 , Request Routing ( ). , , 192.168.0.3 IP- itsosecdom.cam.itso.ibm.com.
, , Edge , /mail /iNotes . . URL, 192.168.0.3 Domino.
14-1. Request Routing
Index   Action   Request template
1       Proxy    /mail*
2       Proxy    /iNotes/*
3       Proxy    /inotes5/*
4       Proxy    /icons/*
5       Proxy    /domjava/*
6       Proxy    /names.nsf
. 14-19.
. 14-18. HTTP-
. 14-19.
IBMPROXY.CONF
. IBMPROXY.CONF :
SignificantUrlTerminator ?OpenImageResource;
SignificantUrlTerminator ?OpenElement;
SignificantUrlTerminator /?OpenImageResource;
SignificantUrlTerminator /?OpenElement;
fail /*;
Reversepass http://192.168.0.3/* http://itsosec-dom.cam.itso.ibm.com/*.
fail /* -. URL:
https://itsosec-dom.cam.itso.ibm.com
, . 14-20.
. 14-20.
- Domino Directory
(names.nsf) (/mail). Domino Directory
. -
.
14.2.3
- WebSphere Edge Server
.
, - Domino. Domino, QuickPlace Sametime
. .
,
80 443 . . 14-21.
, , Domino -.
. 14-21.
14.3 LDAP-
Domino Domino Directory LDAP LDAP. ,
LDAP-, LDAP- , Lotus. LDAP
Domino, , Redbook , LDAP-, Lotus,
.
, , Lotus , LDAP-, LDAP- (. . ) LDAP-. . 14-22 , Lotus,
LDAP-. , -
Lotus Domino
-,
LDAP-.
Lotus
ITSOSEC-RP
ITSOSEC-LDAP
-
. 14-22. LDAP-
14.3.1 LDAP-
LDAP- IBM Directory Server
Windows 2000 Service Pack 3.
LDAP- LDIF-. LDIF- LDAP-,
Domino LDAP (East West). ,
, Admin, Sales, Production Editorial.
.
14-1 LDIF- , , .
14-1. LDIF-
dn: UID=MMilza,OU=Admin,O=Redbooks,C=US
objectclass: eDominoAccount
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
mail: M.Milza@redbooks.com
givenName: Matt
sn: Milza
uid: MMilza
userid: mmilza
mailDomain: Redbooks
mailServer: CN=itsosec-dom,OU=Servers,O=Redbooks
mailFile: mail\mmilza
. LDIF-, dn
LDAP, fullName
Lotus Notes.
5. .
14.3.3
, Domino, LDAP- LDAP-.
Matt Milza East Domino LDAP UID=
MMilza,OU=Admin,O=Redbooks,C=US, Admin. Domino R5,
LDAP ACL ,
Matt Milza .
, Domino 6.01, LDAP-, Domino
, Domino 6.
. 14-25 Attribute to be used as Notes Distinguished Name (, Notes) Directory Assistance. fullName LDAP-,
Lotus Notes LDAP- LDIF
14.3.1, LDAP-.
, Domino
LDAP-.
. 11.9.4,
Domino.
. 14-27. LDAP-
. 14-28. LDAP-
9. LDAP- , . ,
LDAP- .
. 14-34. Sametime
6. Change Directory ( ).
7. LDAP Server (LDAP-).
8. LDAP- Name ().
itsosec-ldap.cam.itso.ibm.com
9. Port Number ( ) 389 (
LDAP).
10. LDAP,
. o=redbooks,c=us.
. 14-35.
. 14-35.
, QuickPlace
Domino 5.x; , Domino 5.x LDAP.
LDAP ACL .
. 14-36 ACL main.nsf.
Lotus
-
ITSOSEC-WPS
ITSOSEC-RP
ITSOSEC-LDAP
Domino -.
iNotes.
. 14-37.
WebSphere Portal Extend
Windows 2000 Service Pack 3 DB2
.
LMS . WebSphere Portal Handbook Volume 1, SG24-6883.
14.4.1 SSO
WebSphere Portal .
:
1. Java- WebSphere Administrator.
2. wpsadmin , wpsadmin
.
3. Console () Security Center ( ) Java.
4. Authentication (); , . 14-38.
13. , WebSphere 7.
14. LDAP Realm (LDAP-) (\) :389.
LDAP- LTPA WebSphere (. 14-40).
14.4.2 -
- , WebSphere Portal, Domino.
ibmproxy.conf, URL
.
:
remove proxy /mail* http://itsosec-dom.cam.itso.ibm.com/mail*
remove proxy /iNotes/* http://itsosec-dom.cam.itso.ibm.com/iNotes/*
remove proxy /inotes5/* http://itsosec-dom.cam.itso.ibm.com/inotes5/*
remove proxy /icons/* http://itsosec-dom.cam.itso.ibm.com/icons/*
remove proxy /domjava/* http://itsosec-dom.cam.itso.ibm.com/domjava/*
remove proxy /names.nsf http://itsosec-dom.cam.itso.ibm.com/names.nsf
Proxy /* http://192.168.0.6/*itsosec-wps.cam.itso.ibm.com
proxy /* http://192.168.0.3/*itsosec-dom.cam.itso.ibm.com
proxy /* http://192.168.0.4/*itsosec-qp.cam.itso.ibm.com
Reversepass http://192.168.0.6/*http://itsosec-wps.cam.itso.ibm.com/*
Reversepass http://192.160.0.3/*http://itsosec-dom.cam.itso.ibm.com/*
Reversepass http://192.168.0.4/*http://itsosec-qp.cam.itso.ibm.com/*
conf-
-.
14.5
IBM Lotus Learning Management System (LMS).
Learning Management System 1.01
Windows 2000 Service Pack 3. LMS LMS,
DB2 WebSphere 5.
LMS . IBM Lotus Learning Management System Handbook, SG24-7028.
14.5.1 LMS
LMS
:
1. WebSphere Application Server LMS- . WebSphere 5 , WebSphere 4, Java-.
2. Security () Authentication Mechanisms ( ) LTPA WebSphere.
. 14-42. LTPA
6. Save (), ,
, SSO LMS; Domino WebSphere
Portal, LMS (. 14-43).
. 14-43.
14.5.2 LMS
, LMS , WebSphere Portal,
LMS- WebSphere Portal, LMS .
SSO, WebSphere Portal, ,
, LMS- .
LMS LMS WebSphere (My
Courses, Search Catalog My Calendar). WebSphere Portal,
:
1. WebSphere Portal (wpsadmin).
2. Portal Administration ( ).
3. Install portlets ( ).
4. My Courses.war LMS,
Next ().
5. , war-;
Install () , .
6. 4 5 Search catalog.war My Calendar.war.
WebSphere
, LMS- Web- LMS-,
LMS.
:
1. Portal Administration ( ) Manage
portlets ( ).
2. My Courses Modify Parameters (
) (. 14-44).
. 14-44. LMS-
3. ,
(. 14-45):
webserviceport: 80;
webservicepath: /lms-lmm/auth-api;
webserviceserver: itsosec-lms.cam.itso.ibm.com.
. 14-45. LMS-
4. 2 3 Search Catalog My Calendar,
.
14.6.2 WebSeal
Websphere Edge Server
WebSeal-Lite
-, :
1. Tivoli Access Manager Edge Server:
) .
cdrom_drive\windows\PolicyDirector\Disk Images\Disk1
c) Select Packages ( )
Edge Server.
2. Edge Server:
) wslconfig.exe.
b) :
- Edge Server.
80.
Tivoli Access Manager, TAM. , sec_master
.
:
;
(ivacld-servers SecurityGroup);
SSL-;
SSL- Tivoli Access
Manager;
- Edge Server
Edge Server, - Edge Server (ibmproxy.conf);
- Edge Server (ibmproxy).
Edge Server wesosm.
Tivoli Access Manager
Edge Server.
Edge Server .
- Edge Server
Edge Server. sec_master
-.
2. pdadmin.
3. Lotus Domino, :
(-t);
(-h);
TCP-, (-p);
(-A);
(-F);
(-Z);
JavaScript (-j);
(/).
required delegate=com.ibm.wps.sso.GetCORBACredentialLoginModule;
com.ibm.websphere.security.auth.module.proxy.WSLoginModuleProxy
required delegate=com.ibm.wps.sso.CORBACredentialLoginModule;
com.ibm.websphere.security.auth.module.proxy.WSLoginModuleProxy
required delegate=com.ibm.wps.sso.LTPATokenLoginModule;
com.ibm.websphere.security.auth.module.proxy.WSLoginModuleProxy
required delegate=com.tivoli.mts.PDLoginModule;
};
,
, Tivoli Access
Manager ( WebSphere Edge Server)
.
(. . WebSphere Portal, Lotus
Domino . .) . ,
ACL, , , TAM, . TAM
,
.
14.7
, Redbook RedbooksCo Redbooks.
.
(, html- ),
. ,
HTML- , HTTP-. ,
, , . , .
, , , ,
.
,
. , (, TCP, HTTP, HTML).
, .
:
Ethereal.
http://www.ethereal.com
CommView. ,
http://www.tamos.com/products/commview/
CommView , . , ,
. ,
.
,
Web-.
. A-1
Web- Domino,
. A-2
IE ( HTTP,
HTML)
. A-1 , .
. A-2 HTML- .
. A-3 HTML- .
. A-4
. A-5 HTML-
(), , . , View Source ( HTML-) Web-,
HTTP-. .
, , .
B
DSAPI
DSAPI-, Web- Domino
.
DSAPI, 7, .
DSAPI- Windows- Domino Windows. Domino
UNIX,
UNIX.
: , Windows
UNIX. , make- Domino 6 C API Samples,
Admin.
1. DSAPI-
Domino ,
DSAPI- Domino.
2. , ,
Domino Domino,
,
. Domino -
. Domino .
3.
Domino Web-. ACL
. Reader ()
Default No Access ( )
Anonymous (). No Access
Anonymous () .
DSAPI- Domino
1. DLL
Domino.
2. Domino.
3. Notes UI Lotus Domino (
names.nsf).
4. Server () Servers () Server
.
5. Internet Protocols (-) DLL
DSAPI-.
6. .
Domino
1. Domino.
2. Domino Administrator.
3. , Server () , Local.
Local, File () Open Server
( ) , Domino.
4. People () .
5. People () Register
().
6. First name (), Last name (), Short name ( ) Password (). .
7. Register () Domino.
8. Domino Administrator.
9. Domino.
DSAPI- secdom
( Windows). DSAPI Windows,
Act as part of the operating system (
). ,
.
Windows , .
Windows , Windows Windows.
1. Lotus Domino , http server .
:
<operating-system-user-name>@<operating-system-domain>
: jdoe@os_domain
Domino UNIX, :
<operating-system-user-name>
: jdoe
5. OK .
6. .
DSAPI-.
B-1.
/******************************************************************
 * PROGRAM:  SECDOM
 * FILE:     SECDOM.C (platform-independent part)
 *
 * PURPOSE:  Sample DSAPI filter, written against the Notes C API,
 *           that authenticates Domino Web users against the
 *           operating system (a Windows domain, or the UNIX password
 *           database) instead of the Internet password stored in
 *           the Domino Directory.
 ******************************************************************/
/* Standard C headers */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
/* Notes SDK */
#include "global.h"
#include "osmem.h"
#include "lookup.h"
#include "dsapi.h"
#include "addin.h"
#define MAX_BUF_LEN 512
#define USER_DOMAIN_SEPARATOR "@"
/*--- Prototypes ---*/
/* Required by the Notes SDK on UNIX */
STATUS FAR PASCAL MainEntryPoint (void);
/* Handler for the DSAPI authentication event (kFilterAuthenticate) */
unsigned int Authenticate(FilterContext* context, FilterAuthenticate* authData);
/* Looks up the user's full name and short name in the Domino Directory */
int getUserNames (FilterContext* context,
                  char *userName,
                  char **pUserFullName,
                  int *pUserFullNameLen,
                  char **pUserShortName,
                  int *pUserShortNameLen);
/* Copies one text item out of a NAMELookup match */
int getLookupInfo (FilterContext* context,
                   char *pMatch,
                   unsigned short itemNumber,
                   char **pInfo,
                   int *pInfoLen);
/* Dispatches to the platform-specific password check */
int doAuthenticate(char *userName, char *domain, char *password);
/* UNIX is defined by the Notes C API makefiles on Solaris and AIX */
#ifdef UNIX
int unixAuthenticate(char *userName, char *password);
#else
/* Windows only: split "user@domain", then check the pair with LogonUser */
int separateUsernameAndDomainname(char *userName, char *separator,
                                  char **user, char **domain);
int winAuthenticate(char *userName, char *domain, char *password);
#endif
/*--- FilterInit: called once when Domino loads the filter. The listing
 *    on this page omits it; this is the standard DSAPI registration,
 *    asking only for the user-authentication event. ---*/
unsigned int FilterInit(FilterInitData* filterInitData)
{
    filterInitData->appFilterVersion = kInterfaceVersion;
    filterInitData->eventFlags = kFilterAuthUser;
    strcpy(filterInitData->filterDesc,
           "Operating system authentication filter");
    return kFilterHandledEvent;
}
/*--- HttpFilterProc: DSAPI calls this for every event the filter
 *    registered for in FilterInit. Only the authentication event is
 *    handled here; everything else is handed back to Domino. ---*/
unsigned int HttpFilterProc(FilterContext* context,
                            unsigned int eventType,
                            void* eventData)
{
    /* Dispatch on the event type */
    switch (eventType) {
    case kFilterAuthenticate:
        return Authenticate(context, (FilterAuthenticate *)eventData);
    default:
        break;
    }
    return kFilterNotHandled;
}
/*--- Authenticate: handler for the kFilterAuthenticate event ---*/
unsigned int Authenticate(FilterContext* context,
                          FilterAuthenticate* authData)
{
    /*
     * Description: called by DSAPI because FilterInit registered for
     *              kFilterAuthUser.
     *
     * Input:  authData->userName and authData->password carry the name
     *         and password the browser sent with basic authentication.
     *         If foundInCache is already TRUE, Domino has authenticated
     *         this user recently and the password must not be checked
     *         again.
     *
     * Output: authName receives the user's canonical Domino name;
     *         authType is set to kAuthenticBasic on success and is left
     *         as kNotAuthentic otherwise.
     *
     * Returns: kFilterNotHandled  - the filter did not authenticate the
     *                               user; Domino then performs its own
     *                               (Domino Directory) authentication.
     *          kFilterHandledEvent - the user was authenticated here.
     */
    /* Nothing to do without data, or if Domino already knows the user */
    if (!authData || authData->foundInCache) {
        AddInLogMessageText("\n user is found in the cache \n", NOERROR);
        return kFilterNotHandled;
    }
    /* Only basic authentication supplies both a user name and a password */
    if (authData->userName && authData->password) {
        char *fullName = NULL;
        int fullNameLen = 0;
        char *shortName = NULL;
        int shortNameLen = 0;
        char *user = NULL;
        char *domain = NULL;
#ifdef UNIX
        user = (char *)authData->userName;
#else
        /* Windows: the browser user must log in as user@domain */
        separateUsernameAndDomainname((char *)authData->userName,
                                      USER_DOMAIN_SEPARATOR,
                                      &user, &domain);
#endif
        /* Map the OS user name to the person document. The short name is
         * what the operating system knows the user as; the full name is
         * the identity Domino must see once the password checks out. The
         * buffers are request-scoped memory obtained from DSAPI.
         */
        if (NOERROR == getUserNames (context,
                                     user,
                                     &fullName,
                                     &fullNameLen,
                                     &shortName,
                                     &shortNameLen) )
        {
            /* Verify the password against the operating system. Note that
             * kFilterNotHandled on a wrong OS password lets Domino fall
             * back to the Internet password in the person document. */
            if (NOERROR != doAuthenticate(shortName, domain,
                                          (char *)authData->password))
            {
                return kFilterNotHandled;
            }
            else
            {
                /* Hand the canonical name back to DSAPI. strncpy does not
                 * terminate the string when the name fills the buffer, so
                 * terminate it explicitly. */
                strncpy ((char *)authData->authName, fullName,
                         authData->authNameSize);
                ((char *)authData->authName)[authData->authNameSize - 1] = '\0';
                authData->authType = kAuthenticBasic;
                authData->foundInCache = TRUE;
            }
            return kFilterHandledEvent;
        }
    }
    return kFilterNotHandled;
}
int getUserNames (FilterContext* context,
                  char *userName,
                  char **pUserFullName,
                  int *pUserFullNameLen,
                  char **pUserShortName,
                  int *pUserShortNameLen) {
    /*
     * Description: look the user up in the Domino Directory ($Users view)
     *              and return the FullName and ShortName items of the
     *              matching person document.
     *
     * Input:  context  - DSAPI filter context (used for allocation)
     *         userName - name to look up (the operating system user name)
     * Output: pUserFullName  / pUserFullNameLen  - canonical full name
     *         pUserShortName / pUserShortNameLen - short name
     *
     * Returns: -1 on error, 0 on success
     */
    STATUS error = NOERROR;
    HANDLE hLookup = NULLHANDLE;
    DWORD Matches = 0;
    char *pLookup = NULL;
    char *pName = NULL;
    char *pMatch = NULL;
    int rc = -1;
    *pUserFullName = NULL;  *pUserFullNameLen = 0;
    *pUserShortName = NULL; *pUserShortNameLen = 0;
    /* The lookup itself is cut from the listing on this page; this is the
     * Notes C API sequence its variables imply: look the name up in the
     * $Users view of this server's directory and fetch two items. */
    error = NAMELookup(NULL,                     /* NULL = this server */
                       0,                        /* flags */
                       1, USER_NAMESPACE,        /* one namespace: $Users */
                       1, userName,              /* one name */
                       2, "FullName\0ShortName", /* two items to return */
                       &hLookup);
    if (error)
        goto NoUnlockExit;
    pLookup = OSLock(char, hLookup);
    /* Position on the (only) name and take its first match. If Matches is
     * greater than 1 the short name is ambiguous in the directory; the
     * sample simply takes the first person document. */
    pName = (char *)NAMELocateNextName(pLookup, NULL, &Matches);
    if (pName == NULL || Matches <= 0)
        goto Exit;
    pMatch = (char *)NAMELocateNextMatch(pLookup, pName, NULL);
    if (pMatch == NULL)
        goto Exit;
    /* Item 0: FullName */
    if ( getLookupInfo (context,
                        pMatch,
                        0,
                        pUserFullName,
                        pUserFullNameLen) )
        goto Exit;
    AddInLogMessageText ("full name=%s, length=%d\n", 0, *pUserFullName,
                         *pUserFullNameLen);
    /* Item 1: ShortName */
    if ( getLookupInfo (context,
                        pMatch,
                        1,
                        pUserShortName,
                        pUserShortNameLen) )
        goto Exit;
    else
        rc = 0;
    AddInLogMessageText ("short name=%s, length=%d\n", 0, *pUserShortName,
                         *pUserShortNameLen);
Exit:
    if ( pLookup && hLookup )
        OSUnlock(hLookup);
NoUnlockExit:
    if (NULLHANDLE != hLookup)
        OSMemFree(hLookup);
    return rc;
}
int getLookupInfo (FilterContext* context,
                   char *pMatch,
                   unsigned short itemNumber,
                   char **pInfo,
                   int *pInfoLen) {
    /*
     * Description: copy one text item of a NAMELookup match into a buffer
     *              allocated from the DSAPI request context, so the filter
     *              does not have to free it itself.
     *
     * Input:  context    - DSAPI filter context
     *         pMatch     - match returned by NAMELocateNextMatch
     *         itemNumber - index of the item in the NAMELookup item list
     * Output: pInfo      - buffer holding the item text
     *         pInfoLen   - its length, including the terminating NUL
     *
     * Returns: -1 on error, 0 on success
     */
    STATUS error = NOERROR;
    unsigned int reserved = 0;
    unsigned int errID = 0;
    /* The allocation is cut from the listing on this page; DSAPI provides
     * a per-request allocator in the filter context for exactly this. */
    *pInfo = (char *)(context->AllocMem)(context, MAX_BUF_LEN, reserved, &errID);
    if (*pInfo == NULL) {
        AddInLogMessageText ("Out of memory\n", NOERROR);
        return -1;
    }
    error = NAMEGetTextItem(pMatch,
                            itemNumber,   /* which item of the match */
                            0,            /* first member of a multi-value item */
                            *pInfo,       /* destination buffer */
                            MAX_BUF_LEN); /* size of that buffer */
    if (!error) {
        *pInfoLen = strlen(*pInfo) + 1;
        return 0;
    }
    return -1;
}
int doAuthenticate(char *userName, char *domain, char *password) {
    /*
     * Description: verify the user name and password against the operating
     *              system, delegating to the platform-specific routine in
     *              W_SECDOM.C or U_SECDOM.C.
     *
     * Input:  userName - OS user name (the Domino short name)
     *         domain   - Windows domain (NULL on UNIX)
     *         password - password supplied by the browser
     *
     * Returns: -1 on error, 0 on success
     */
    if (!userName) {
        AddInLogMessageText ("\nERROR: User must be specified\n", NOERROR);
        return -1;
    }
#ifdef UNIX
    printf("\nin doAuthenticate()\n");
    return(unixAuthenticate(userName, password));
#else
    if (!domain) {
        AddInLogMessageText ("\nERROR: Domain must be specified. Use username@domainname format\n",
                             NOERROR);
        return -1;
    }
    return(winAuthenticate(userName, domain, password));
#endif
}
/* ----- end of secdom.c ----- */
B-2. Windows-specific part
/******************************************************************
 * PROGRAM:  SECDOM
 * FILE:     W_SECDOM.C (Windows-specific part)
 * PURPOSE:  Windows domain password check for the SECDOM DSAPI
 *           filter, using the Win32 LogonUser API.
 ******************************************************************/
/* W32 headers */
#include <windows.h>
#include <winbase.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#ifndef NOERROR
#define NOERROR 0
#endif
/* ************************************************************* */
/* Split "user@domain" into its two parts.                       */
/* ************************************************************* */
int separateUsernameAndDomainname(char *userName, char *separator,
                                  char **user, char **domain)
{
    /* The original used strtok, which keeps static state and is not
     * thread-safe; the Domino HTTP task calls filters from many threads
     * at once, so locate the separator directly. The split is still done
     * in place; domain is NULL when the name carries no separator. */
    char *sep = strstr(userName, separator);
    *user = userName;
    if (sep == NULL) {
        *domain = NULL;
        return -1;
    }
    *sep = '\0';
    *domain = sep + strlen(separator);
    return 0;
}
/* ************************************************************* */
/* Validate the user name and password against the Windows domain. */
/* ************************************************************* */
int winAuthenticate(char *userName, char *domain, char *password)
{
    char *lpMsgBuf;
    HANDLE hToken = NULL;
    printf("\n Executing Windows-specific authentication for user %s in domain %s\n",
           userName, domain);
    /* LOGON32_LOGON_NETWORK only verifies the credentials; no interactive
     * session is created. On Windows 2000 the calling process (the Domino
     * server) needs the "Act as part of the operating system" privilege
     * for this call, which is why the setup steps above grant it to the
     * Domino service account. */
    if (LogonUser(userName, domain, password, LOGON32_LOGON_NETWORK,
                  LOGON32_PROVIDER_DEFAULT, &hToken))
    {
        /* The token itself is not used; release it or every login leaks one */
        CloseHandle(hToken);
        printf(" ** Successful return from Windows-specific authentication\n");
        return NOERROR;
    }
    else
    {
        FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER |
                      FORMAT_MESSAGE_FROM_SYSTEM,
                      NULL,
                      GetLastError(),
                      MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
                      (LPTSTR) &lpMsgBuf,
                      0,
                      NULL);
        printf("***** Error from Windows-specific authentication: ***\n");
        printf(" %s\n", lpMsgBuf);
        LocalFree(lpMsgBuf);
        return -1;
    }
}
B-3. UNIX-specific part
/******************************************************************
 * PROGRAM:  SECDOM
 * FILE:     U_SECDOM.C (UNIX-specific part)
 * PURPOSE:  UNIX password check for the SECDOM DSAPI filter, against
 *           the shadow database on Solaris or the passwd database on
 *           AIX.
 ******************************************************************/
/* Standard headers */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* UNIX password-database headers */
#ifdef SOLARIS
#include <shadow.h>
#include <crypt.h>
#endif
#ifdef AIX
#include <sys/types.h>
#include <pwd.h>
#endif
int unixAuthenticate(char *userName, char *password)
{
    char buffer[1024];
    int error = -1;
    int success = 0;
    int unknown = 1;   /* user not found; non-zero, so the caller treats it as failure */
    /* UNIX password-database entry for the user */
#ifdef SOLARIS
    struct spwd result;
#endif
#ifdef AIX
    struct passwd *result;
#endif
    /* Look the user up and compare password hashes. Reading the shadow
     * database needs root (or equivalent) privilege, so the Domino server
     * process has to run with it for this filter to work at all. */
#ifdef SOLARIS
    if (getspnam_r(userName, &result, buffer, sizeof(buffer))) {
        /* crypt() with the stored hash as the salt reproduces that hash
         * only for the right password. */
        char *thisCrypt = (char *)crypt(password, result.sp_pwdp);
        if (thisCrypt && strcmp (result.sp_pwdp, thisCrypt) == 0) {
            return success;
        } else {
            return error;
        }
    }
#endif
#ifdef AIX
    result = getpwnam(userName);
    /* When AIX keeps the hashes in /etc/security/passwd (its default),
     * pw_passwd holds only a placeholder ("!"); the comparison then fails
     * closed, and a lookup that returns the real hash is needed instead. */
    if (result && result->pw_passwd) {
        char *thisCrypt = (char *)crypt(password, result->pw_passwd);
        if (thisCrypt && strcmp (result->pw_passwd, thisCrypt) == 0) {
            return success;
        } else {
            return error;
        }
    }
#endif
    return unknown;
}
C
Domino 6 HTTP
Domino
6 HTTP, 11.2.2, HTTP-.
HTTP-
, HTTPEnableConnectorHeaders
Notes.ini Domino HTTP , WebSphere, Web- .
HTTP-
Domino, ,
.
HTTPEnableConnectorHeaders :
0. Domino HTTP .
HTTP , .
1. Domino HTTP .
. , ,
, , http.
notes.ini HTTP- Domino HTTP-.
. 14-46. HTTP
HTTPEnableConnectorHeaders=1
. LogLevel TRACE XML-
,
.
$WSAT. , .
$WSCC. , .
Web- base64,
base64, .
$WSCS. , Web- .
, .
$WSIS. True False,
, ( SSL/TLS).
$WSSC. , . http https.
$WSPR. HTTP-, .
HTTP/1.1.
$WSRA. IP- , .
$WSRH. , .
, IP-.
$WSRU. , .
$WSSN. , .
, HOST .
$WSSP. , .
, .
$WSSI. SSL-, . Web- base64, base64,
, Domino , HTTP-. , IP- , HTTP- Domino HTTP-, Domino IP-, $WSRA. :
, Domino , $WSRU, Domino
, !
HttpEnableConnectorHeaders=1
notes.ini, ,
Domino , HTTP . , ,
HTTP-.
,
Domino IP Web- IP- Domino 6.
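The trust problem the preceding paragraphs describe, as an added example that is not part of the Redbook: Domino cannot tell a $WSRU or $WSRA header written by the WebSphere plug-in from one typed into a request by a client that reaches Domino's HTTP port directly. The Python below models the only safe policy: honour the connector headers when HTTPEnableConnectorHeaders is on and the TCP peer is a plug-in host, strip them otherwise. The plug-in address (192.168.0.10) and the request bytes are constructed for the example, with header values modelled on the trace in listing C-3; Domino 6 itself does not check the peer address, so the allowlist here stands in for the firewall rule the text calls for.

```python
from ipaddress import ip_address, ip_network

# Headers the WebSphere plug-in adds in front of a request (Appendix C).
CONNECTOR_HEADERS = frozenset({
    "$WSAT", "$WSCC", "$WSCS", "$WSIS", "$WSSC", "$WSPR",
    "$WSRA", "$WSRH", "$WSRU", "$WSSN", "$WSSP", "$WSSI",
})


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, uri, headers).

    Header names are case-insensitive, so they are upper-cased; if a
    name repeats, the last value wins, which is exactly what makes a
    client-supplied $WSRU dangerous when nothing removes it.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return method, uri, headers


def effective_request(raw: str, peer_ip: str, connector_headers_enabled: bool,
                      trusted_plugins):
    """Decide what the back end should believe about a request.

    $WS* headers are honoured only when HTTPEnableConnectorHeaders is on
    AND the TCP peer is one of the plug-in hosts (trusted_plugins: CIDR
    strings; an assumed policy, enforced in practice by a firewall since
    Domino 6 does not check the peer).  Otherwise every $WS* header is
    dropped and the request is treated as coming straight from the peer,
    unauthenticated, over whatever scheme the peer really used.
    """
    method, uri, headers = parse_request(raw)
    peer = ip_address(peer_ip)
    trusted = connector_headers_enabled and any(
        peer in ip_network(net) for net in trusted_plugins)
    dropped = [] if trusted else sorted(h for h in headers if h in CONNECTOR_HEADERS)
    if not trusted:
        headers = {k: v for k, v in headers.items() if k not in CONNECTOR_HEADERS}
    is_secure = headers.get("$WSIS", "false").lower() == "true"
    return {
        "method": method,
        "uri": uri,
        "user": headers.get("$WSRU"),                # None = not authenticated by the front end
        "client_ip": headers.get("$WSRA", peer_ip),  # what to log and use in address checks
        "secure": is_secure,
        "scheme": headers.get("$WSSC", "https" if is_secure else "http"),
        "dropped_headers": dropped,
    }


# Constructed sample: what the IIS plug-in sends to Domino for a user that
# IIS already authenticated over SSL.
PLUGIN_REQUEST = (
    "GET /wmi.nsf HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "$WSIS: true\r\n"
    "$WSSC: https\r\n"
    "$WSRA: 10.1.1.50\r\n"
    "$WSRU: VAIOR600\\MyUserChiesa\r\n"
    "\r\n"
)
PLUGIN_HOST = "192.168.0.10/32"   # assumed address of the IIS/plug-in machine


if __name__ == "__main__":
    # Same bytes, two TCP peers: the plug-in, and the browser's own machine
    # talking to Domino's HTTP port directly with hand-made headers.
    for peer in ("192.168.0.10", "10.1.1.50"):
        print(peer, effective_request(PLUGIN_REQUEST, peer, True, [PLUGIN_HOST]))
```

The plug-in's own `RemoveSpecialHeaders="true"` (visible in listing C-1) strips $WS* headers that arrive *through* the plug-in; the check above is about requests that never pass through it, which is why the text insists that Domino's HTTP port be reachable from the plug-in host only.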
IIS-
!
PlugIn (Plug-In)
(Plugin Config) .
, , ,
. , , ,
NAME ,
( EventViewer) .
WebSphere Application Server Microsoft IIS.
1. IIS (
) Domino
IIS-:
data/domino/plug-ins/plugin-cfg.xml
c:\WebSphere\AppServer\config.
. C-1. , C IIS-
2. RegEdit.exe ( Windows)
: HKEY_LOCAL_MACHINE - SOFTWARE - IBM - WebSphere Application Server - 4.0.
WAS5.x
( RegEdit):
'HKEY_LOCAL_MACHINE' - 'SOFTWARE' - 'IBM' - 'WebSphere Application Server' '5.0'. '5.0' BinPath. , (C:\WebSphere\AppServer\bin).
. C-2. , !
'HKEY_LOCAL_MACHINE' - 'SOFTWARE' - 'IBM' - 'WebSphere Application Server' '5.0'. 5.0 'InstallLocation'.
, WAS (C:\WebSphere\AppServer).
'HKEY_LOCAL_MACHINE' - 'SOFTWARE' - 'IBM' - 'WebSphere Application Server' '5.0'. 5.0 'LibPath'. (C:\WebSphere\AppServer\lib).
'HKEY_LOCAL_MACHINE' - 'SOFTWARE' - 'IBM' - 'WebSphere Application Server' '5.0'. 5.0 'MajorVersion'.
(5).
'HKEY_LOCAL_MACHINE' - 'SOFTWARE' - 'IBM' - 'WebSphere Application Server' '5.0'. 5.0 'Plugin Config'.
plugin-cfg.xml (C:\WebSphere\AppServer\config\plugin-cfg.xml).
! IIS
Domino, , Web-
.
) Alias () sePlugins ( ).
) Directory () WebSphere bin (C:\WebSphere\
AppServer\bin).
) Execute ()
.
) Finish (). sePlugins.
. C-5.
. C-6.
6. ( ) Web- .
) ISAPI Filters ( ISAPI). Add ()
iisWASPlugin Filter Name ( ).
Executable ( ), Browse (),
WebSphere bin iisWASPlugin_http.dll.
. C-7. ,
. C-8.
sePlugIns
. C-9.
. C-10. Web-
! , ;
ISAPI- .
) , OK.
! OK ISAPI , Priority ()
ISAPI- *Unknown*. ,
IIS ISAPI- ,
.
) OK , ,
, *Unknown* , . C-13. .
, -, .
, , ,
. C-11. ISAPI-
. C-12. OK
. C-13.
. C-14. !
, .
.
XML
WebSphere\AppServer\config\plugin-cfg.xml
. Domino,
plugin-cfg.xml,
URL, , Domino.
, .
Web- .
. Windows!
plugin-cfg.xml:
1. plugin-cfg.xml Notepad () XML-.
2. <Transport> ,
Domino. Hostname Port , ,
HTTP .
:
<Transport Hostname="mydomino.server.com"
           Port="81"
           Protocol="http"/>
</Server>
</ServerGroup>
3. <UriGroup>. URL-, Web-
Domino.
<UriGroup Name="default_host_URIs">
<Uri Name="*/icons/*"/>
<Uri Name="*/domjava/*"/>
<Uri Name="*/.nsf*"/>
. URI .
WebSphere Application Server
( ,
) .
, Web-
. IIS World Wide
Web Publishing Service Windows
- Internet Services Manager. Web-
, . Web- IIS
IIS, .
Domino , <Uri> .
! , ,
XML. ,
(< >) ,
plugin-cfg.xml Internet Explorer (). IE
XML-.
plugin-cfg.xml
plugin-cfg.xml,
,
.
C-1. plugin-cfg.xml:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-###################################################################
C:\Websphere\AppServer\config\plugin-cfg.xml chiesa@dotNSF.com
(c) IBM Corp 2003. (c) dotNSF
Inc MMIII
###################################################################
WAS...
.xml- !!!
( : !)
###################################################################
, WAS plugin-cfg-service.xmi,
. !!!
###################################################################
-->
<Uri Name="/*.nsG*"/>
<Uri Name="/*.nSG*"/>
<Uri Name="/*.NsG*"/>
<Uri Name="/*.NSG*"/>
<!-- *.??h -->
<Uri Name="/*.nsh*"/>
<Uri Name="/*.nSh*"/>
<Uri Name="/*.Nsh*"/>
<Uri Name="/*.NSh*"/>
<!-- *.??H -->
<Uri Name="/*.nsH*"/>
<Uri Name="/*.nSH*"/>
<Uri Name="/*.NsH*"/>
<Uri Name="/*.NSH*"/>
<!-- *.??2 -->
<Uri Name="/*.ns2*"/>
<Uri Name="/*.nS2*"/>
<Uri Name="/*.Ns2*"/>
<Uri Name="/*.NS2*"/>
<!-- *.??3 -->
<Uri Name="/*.ns3*"/>
<Uri Name="/*.nS3*"/>
<Uri Name="/*.Ns3*"/>
<Uri Name="/*.NS3*"/>
<!-- *.??4 -->
<Uri Name="/*.ns4*"/>
<Uri Name="/*.nS4*"/>
<Uri Name="/*.Ns4*"/>
<Uri Name="/*.NS4*"/>
<!-- *.??5 -->
<Uri Name="/*.ns5*"/>
<Uri Name="/*.nS5*"/>
<Uri Name="/*.Ns5*"/>
<Uri Name="/*.NS5*"/>
<!-- *.??6 -->
<Uri Name="/*.ns6*"/>
<Uri Name="/*.nS6*"/>
<Uri Name="/*.Ns6*"/>
<Uri Name="/*.NS6*"/>
</UriGroup>
<ServerGroup
    Name="DominoGroup"
    LoadBalance="Round Robin"
    RemoveSpecialHeaders="true"
    RetryInterval="60"
>
<Server
    Name="Domino1"
    CloneId="TestingClone"
    MaxConnections="50"
>
<Transport
    Hostname="localhost.dotnsf.com"
    Port="81"
    Protocol="http"
/>
</Server>
<Server
    Name="Domino2"
    CloneId="ProductionClone"
    MaxConnections="50"
>
<Transport
    Hostname="server203.dotNSF.com"
    Port="80"
    Protocol="http"
/>
<!--<Transport
    Hostname="server100.dotNSF.com"
    Port="443"
    Protocol="https"
/>
-->
</Server>
<Server
    Name="Domino3"
    MaxConnections="50"
    CloneId="ProductionClone">
<Transport
    Hostname="server101.dotnsf.com"
    Port="80"
    Protocol="http"
/>
</Server>
</ServerGroup>
<Route
    VirtualHostGroup="DominoHosts"
    UriGroup="DominoHostsURIs"
    ServerGroup="DominoGroup"
/>
</Config>
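The listing above spells every extension in every combination of case because the plug-in compares Uri patterns case-sensitively (the websphereUriMatch trace in listing C-2 walks the spellings one by one) while IIS resolves paths case-insensitively. As an added example, not from the Redbook, the Python below reads a plugin-cfg.xml document, reproduces the plug-in's "*" matching, reports where a request is routed, and lists the spellings of an extension a configuration leaves unrouted. The embedded configuration is constructed for the example and deliberately lists only two spellings of .nsf; VirtualHostGroup matching is not modelled.

```python
import re
from itertools import product
import xml.etree.ElementTree as ET

# Constructed plugin-cfg.xml in the shape of listing C-1 (not the listing
# itself): only two spellings of .nsf are routed to Domino.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="ISO-8859-1"?>
<Config>
  <UriGroup Name="DominoHostsURIs">
    <Uri Name="/*.nsf*"/>
    <Uri Name="/*.NSF*"/>
    <Uri Name="/icons/*"/>
    <Uri Name="/domjava/*"/>
  </UriGroup>
  <ServerGroup Name="DominoGroup" RemoveSpecialHeaders="true">
    <Server Name="Domino1">
      <Transport Hostname="localhost" Port="81" Protocol="http"/>
    </Server>
  </ServerGroup>
  <Route VirtualHostGroup="DominoHosts" UriGroup="DominoHostsURIs"
         ServerGroup="DominoGroup"/>
</Config>
"""


def _root(config_xml: str):
    # The file declares ISO-8859-1, so hand the parser bytes in that encoding.
    return ET.fromstring(config_xml.encode("iso-8859-1"))


def uri_patterns(config_xml: str):
    """{UriGroup name: [Uri patterns]} from a plugin-cfg.xml document."""
    return {g.get("Name"): [u.get("Name") for u in g.findall("Uri")]
            for g in _root(config_xml).findall("UriGroup")}


def routes(config_xml: str):
    """[(UriGroup name, ServerGroup name)] from the Route elements."""
    return [(r.get("UriGroup"), r.get("ServerGroup"))
            for r in _root(config_xml).findall("Route")]


def uri_matches(pattern: str, uri: str) -> bool:
    """Plug-in style match: '*' matches any run of characters, everything
    else is literal, and the comparison is case-sensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, uri) is not None


def route_for(config_xml: str, uri: str):
    """ServerGroup the plug-in forwards uri to, or None when the request
    falls through to the Web server (IIS) itself."""
    groups = uri_patterns(config_xml)
    for group, server_group in routes(config_xml):
        if any(uri_matches(p, uri) for p in groups.get(group, [])):
            return server_group
    return None


def case_variants(ext: str):
    """Every upper/lower spelling of an extension (8 for 'nsf')."""
    return sorted({"".join(c) for c in product(*[(ch.lower(), ch.upper()) for ch in ext])})


def unrouted_variants(config_xml: str, ext: str):
    """Spellings of /x.<ext> that the configuration does NOT forward. Each
    is a URI IIS will serve itself, so routing (and any front-end rule keyed
    to the pattern) is only as complete as this list is empty."""
    return [v for v in case_variants(ext) if route_for(config_xml, f"/wmi.{v}") is None]


if __name__ == "__main__":
    for uri in ("/wmi.nsf", "/wmi.NsF", "/icons/ecblank.gif", "/default.htm"):
        print(uri, "->", route_for(SAMPLE_CONFIG, uri))
    print("unrouted .nsf spellings:", unrouted_variants(SAMPLE_CONFIG, "nsf"))
```

To audit a real installation, replace SAMPLE_CONFIG with the contents of C:\WebSphere\AppServer\config\plugin-cfg.xml; an empty result from unrouted_variants for each Domino extension is the condition the exhaustive listing above was written to achieve.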
: TRACE (log)
(Trace mode),
( C:/WebSphere/AppServer/logs/native.log).
( ),
,
, . , , URI .
C-2. C:/WebSphere/AppServer/logs/native.log
[Mon Jun 09 11:59:14 2003] 00000b0c 00000c44 - PLUGIN: ------------------------------------------------------------------
[Mon Jun 09 12:05:36 2003] 00000d54 00000e78 - PLUGIN: Plugins loaded.
[Mon Jun 09 12:05:36 2003] 00000d54 00000e78 - PLUGIN: -------------------System Information---------------------------------------
[Mon Jun 09 12:05:36 2003] 00000d54 00000e78 - PLUGIN: Bld date: Apr 28 2002, 01:26:50
[Mon Jun 09 12:05:36 2003] 00000d54 00000e78 - PLUGIN: Webserver: IIS
[Mon Jun 09 12:05:36 2003] 00000d54 00000e78 - PLUGIN: Hostname = VAIOR600
[Mon Jun 09 12:05:36 2003] 00000d54 00000e78 - PLUGIN: OS version 5.1, build 2600, Service Pack 1
[Mon Jun 09 12:05:36 2003] 00000d54 00000e78 - PLUGIN: ------------------------------------------------------------------
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: iis_plugin: HttpFilterProc: In HttpFilterProc for SF_NOTIFY_PREPROC_HEADERS
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: iis_plugin: checkRequest: In checkRequest
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: lib_util: decodeURI: Decoding /wmi.nsf
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: lib_util: decodeURI: Decoded to /wmi.nsf
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereCheckConfig: Current time is 1055174814, next stat time is 1055174766
websphereUriMatch: Comparing /*.ns4* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.NS3* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.Ns3* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.nS3* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.ns3* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.NS2* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.Ns2* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.nS2* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.ns2* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.NSH* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.NsH* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.nSH* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.nsH* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.NSh* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.Nsh* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing
C-3
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest:
htrequestSetHeader:
Setting the header name |Accept| to value |image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_
htrequest: htrequestSetHeader:
Setting the header name |Accept-Language| to value |en-gb|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest:
htrequestSetHeader:
Setting the header name |Connection| to value |Keep-Alive|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest:
htrequestSetHeader:
Setting the header name |Host| to value |127.0.0.1|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest:
htrequestSetHeader:
Setting the header name |User-Agent| to value |Mozilla/4.0
(compatible; MSIE 6.0; Windows NT
5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest:
htrequestSetHeader:
Setting the header name |Accept-Encoding| to value |gzip, deflate|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest:
htrequestSetHeader:
Setting the header name |x-ibm-incoming-enc-url| to value |/wmi.NSF|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest:
htrequestSetHeader:
Setting the header name |$WSAT| to value |Negotiate|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest:
htrequestSetHeader:
Setting the header name |$WSIS| to value |false|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest:
htrequestSetHeader:
Setting the header name |$WSSC| to value |http|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest:
htrequestSetHeader:
Setting the header name |$WSPR| to value |HTTP/1.1|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest:
htrequestSetHeader:
Setting the header name |$WSRA| to value |127.0.0.1|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest:
htrequestSetHeader:
Setting the header name |$WSRH| to value |127.0.0.1|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest:
htrequestSetHeader:
Setting the header name |$WSRU| to value |VAIOR600\MyUserChiesa|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest:
htrequestSetHeader:
Setting the header name |$WSSN| to value |127.0.0.1|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest:
htrequestSetHeader:
Setting the header name |$WSSP| to value |80|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common:
websphereHandleSessionAffinity: Checking for session affinity
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common:
websphereHandleSessionAffinity: Checking the SSL session id
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest:
htrequestGetCookie:
Looking for cookie: SSLJSESSION
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest:
htrequestGetCookie: No
cookie found for: SSLJSESSION
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common:
websphereParseSessionID:
Parsing session id from /wmi.NSF
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common:
websphereParseSessionID:
Failed to parse session id
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common:
websphereHandleSessionAffinity: Checking the app server session id
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest:
htrequestGetCookie:
Looking for cookie: JSESSIONID
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest:
htrequestGetCookie: No
cookie found for: JSESSIONID
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common:
websphereParseSessionID:
Parsing session id from /wmi.NSF
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common:
websphereParseSessionID:
Failed to parse session id
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_server_
group:
serverGroupNextRoundRobinServer: Round Robin load balancing
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common:
websphereFindTransport:
Finding the transport
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common:
websphereFindTransport:
Setting the transport: dotNSF.theconifers.com on port 80
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common:
websphereExecute: Executing
the transaction with the app server
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common:
websphereGetStream: Getting
the stream to the app server
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_transport:
transportStreamDequeue:
Checking for existing stream from the queue
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_stream:
openStream: Opening the stream
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common:
websphereGetStream: Created a
new stream; queue was empty
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest:
htrequestWrite: Writing
the request:
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: GET /wmi.NSF
HTTP/1.1
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: Accept:
image/gif, image/x-xbitmap,
image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.
ms-powerpoint,
application/msword, */*
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: Accept-Language: en-gb
charset=US-ASCII
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: Content-Length: 1601
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_
htresponse:
htresponseSetContentLength: Setting the content length |1601|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: Cache-Control: no-cache
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_stream:
flushStream: Flushing the stream
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common:
websphereExecute: Read the
response; breaking out of loop
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common:
websphereExecute: Done with
Request to app server processing
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_cache:
cacheWriteHeaders: In cacheWriteHeaders
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: iis_plugin:
cb_write_headers: In the write headers callback
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_cache:
cacheWriteBody: In cacheWriteBody
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: iis_plugin:
cb_write_body: In the write body callback
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: iis_plugin:
cb_write_body: Writing chunk
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common:
websphereHandleRequest: Done:
host=127.0.0.1; uri=/wmi.NSF
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common:
websphereEndRequest: Ending the request
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_transport:
transportStreamEnqueue:
Adding existing stream to the queue
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_cache:
cacheFinish: In cacheFinish
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: iis_plugin:
HttpFilterProc: In
HttpFilterProc for SF_NOTIFY_LOG
,
, .
IBM Redbooks
. IBM Redbooks. , .
Lotus Notes and Domino R5.0 Security Infrastructure Revealed, SG24-5341
IBM WebSphere V5.0 Security WebSphere Handbook Series, SG24-6573
Upgrading to Lotus Notes and Domino 6, SG24-6889
Deploying QuickPlace, SG24-6535
Enterprise Security Architecture using IBM Tivoli Security Solutions, SG24-6014
A Deeper Look into IBM Directory Integrator, REDP-3728
IBM Tivoli Access Manager for e-business, REDP-3677
Enterprise Business Portals II with IBM Tivoli Access Manager, SG24-6885
Deploying a Public Key Infrastructure, SG24-5512
Understanding LDAP, SG24-4986
LDAP Implementation Cookbook, SG24-5110
Using LDAP for Directory Integration: A Look at IBM SecureWay Directory, Active Directory, and Domino, SG24-6163
Implementation and Practical Use of LDAP on the IBM e-server iSeries Server,
SG24-6193
LDAP Directory Services in IBM WebSphere Everyplace Access V4.1.1, REDP-3603
Active Directory Synchronization with Lotus ADSync, REDP-0605
IBM WebSphere V4.0 Advanced Edition Security, SG24-6520
WebSphere Portal Handbook Volume 1, SG24-6883
IBM Lotus Learning Management System Handbook, SG24-7028
.
Maximum Windows 2000 Security (Sams, 2001, ISBN 0672319659)
Web- URL .
RFC 2316, Report of the IAB Security Architecture Workshop (April 1998)
http://www.ietf.org/rfc.html
Digital Signature Guidelines, American Bar Association (1996), Section 1.35
http://www.abanet.org/scitech/ec/isc/dsgfree.html
Information Technology--Security Techniques--Evaluation Criteria for IT Security-Part 1: Introduction and General Model, ISO/IEC 15408-1 (1999)
http://isotc.iso.ch/livelink/livelink/fetch/2000/2489/lttf_Home/PubliclyAvailableStandards.htm
Information Technology--Security Techniques--Evaluation Criteria for IT Security-Part 2: Security Functional Requirements, ISO/IEC 15408-2 (1999). and Information
Technology--Security Techniques--Evaluation Criteria for IT Security--Part 3: Security
Assurance Requirements, ISO/IEC 15408-3 (1999).
http://www.commoncriteria.org/protection_profiles/pp.html
Guide for Development of Protection Profiles and Security Targets, ISO/IEC PDTR 15446
http://csrc.nist.gov/cc/t4/wg3/27n2449.pdf
RFC 1825, Security Architecture for the Internet Protocol (August 1995)
http://www.ietf.org/rfc.html
Security Architecture for Open Systems Interconnection for CCITT Applications,
ITU-T Recommendation X.800/ISO 7498-2 (1991)
http://www.itu.int/itudoc/itu-t/rec/x/x500up/x800.html
J. J. Whitmore, Security and e-business: Is There a Prescription?, Proceedings, 21st
National Information Systems Security Conference, Arlington, VA (October 6-9,
1998)
http://csrc.nist.gov/nissc/1998/proceedings/paperD13.pdf
IBM Redbooks
, Redbooks, Redpapers, Hints and Tips, , Redbooks - Web-
ibm.com/redbooks
IBM
IBM Support :
ibm.com/support
IBM Global Services:
ibm.com/services