
IBM

International Technical Support Organization

Lotus Security Handbook

William Tworek
George Chiesa
Frederic Dahm
David Hinkle
Amanda Mason
Matthew Milza
Amy Smith

April 2004

Note: Before using this information and the product it supports, read the information
in Notices.

First Edition (April 2004)

Copyright International Business Machines Corporation 2004. All rights reserved.


Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure
restricted by GSA ADP Schedule Contract with IBM Corp.

IBM

Lotus:







2007


IBM Certified Advanced Technical Expert IBM System p5


. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii

1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1. - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1.2 / . . . . . . . . . . . . . 5
1.1.3 CERT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

1.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
1.2.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
1.2.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.2.3 - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.2.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.2.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.2.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

1.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
1.3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
1.3.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
1.3.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
1.3.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
1.3.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

1.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
1.4.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
1.4.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
1.4.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
1.4.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

1.4.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
1.4.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
1.4.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

1.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

2. . . . . . . . . . . . . . . . . . . . . 43

2.1 - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
2.1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
2.1.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
2.1.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
2.1.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

2.2 ISO17799 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
2.2.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
2.2.2 ISO 17799 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
2.2.3 ISO 17799 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

2.3 ( 15408) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

2.4 (MASS, Method for Architecting Secure Solutions) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
2.4.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
2.4.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
2.4.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
2.4.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
2.4.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
2.4.6 - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
2.4.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
2.4.8 . . . . . . . . . . . . . . . . . . . 72
2.4.9 . . . . . . . . . . . . . . . . . . . . . . . 73
2.4.10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
2.4.11 (MASS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

2.5 ISSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
2.5.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
2.5.2 1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
2.5.3 2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
2.5.4 3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

2.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

2. . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
3. . . . . . . . . . . . . . . . . . . . . . . . 91

vi

3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

3.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
3.2.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

3.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

4.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
4.1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
4.1.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
4.1.3 , . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
4.1.4 - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
4.1.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
4.1.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
4.1.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

4.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
4.2.1 DMZ-: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
4.2.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
4.2.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
4.2.4 : . . . . . . . . . . . . . . . . . . . . . 141
4.2.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
4.2.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

4.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
4.3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

4.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
(IP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

5. - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

5.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

5.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

5.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
5.3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
5.3.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
5.3.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
5.3.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
5.3.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

5.4 Lotus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163


5.4.1 Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
5.4.2 HTTP-, Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164


5.4.3 URL, Domino Domino 164

5.5 Lotus Sametime 3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166


5.5.1 Sametime 3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
5.5.2 - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
5.5.3 Sametime - . . . . . . . . . . . 168
5.5.4 SSL, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
5.5.5 - Sametime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
5.5.6 Sametime 3.1 . . . . . . . . . . . . . . 174

5.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
. . . . . . . . . . . 177
IP- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

5.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

6.1 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180


6.1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
6.1.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
6.1.3 (ID) Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
6.1.4 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
6.1.5 Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
6.1.6 Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
6.1.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
6.1.8 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
6.1.9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
6.1.10 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
6.1.11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
6.1.12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
6.1.13 Notes PKI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

6.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
6.2.1 - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
6.2.2 (PKI) . . . . . . . . . . . . . . . . . . . . . . . . . . 221
6.2.3 X.509 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225


6.2.4 Web- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229


6.2.5 SSL (Secure Sockets Layer) . . . . . . . . . . . . . . . . . . 237
6.2.6 Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
6.2.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
6.2.8 PGP . . . . . . . . . . . . . . . . . . . . . 254
6.2.9 S/MIME . . . . . . . . . . . . . . . . . . . 255
6.2.10 Lotus Notes 6 S/MIME- . . . . . . . . . . . . . . . . . . . . . 264

6.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268

7. (Single sign-on) . . . . . . . . . . . . . . . . . . . . . . . . . . . 269


7.1 SSO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271


7.1.1 SSO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271

7.2 LTPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273


7.2.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
7.2.2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
7.2.3 LTPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280

7.3 X.509 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281


7.3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
7.3.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284

7.4 DSAPI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284


. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
DSAPI LTPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
7.4.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
7.4.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

7.5 HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291


7.5.1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
7.5.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292

7.6 ( ) . . . . . . . . . . . . . . . . . . . . . . . . . 293

7.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296

8. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297

8.1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
8.1.1. LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298

8.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
8.2.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
8.2.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
8.2.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302

8.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
8.3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
8.3.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304


8.3.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
8.3.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
8.3.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
8.3.6 - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
8.3.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
ADSync 314
LDAPSync Solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
IBM Tivoli Directory Integrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320

8.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
8.4.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
8.4.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337

8.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338

9. (hardening) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341

9.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
9.1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
9.1.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
9.1.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346

9.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
9.2.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
9.2.2 Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
9.2.3 Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351

9.3 Windows ( NT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353


9.3.1 Windows NT 4.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
9.3.2 Windows 2000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
9.3.3 Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
9.3.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
9.4 UNIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
9.4.1 UNIX Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
9.4.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
9.4.3 inetd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
9.4.4 tcp_wrappers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
9.4.5 sendmail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
9.4.6 , Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
9.4.7 , Solaris . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
9.4.8 . . . . . . . . . . . . . . . . . . . . . 385
9.4.9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387

9.5 AIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388


9.5.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
9.5.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
9.5.3 . . . . . . . . . . . . . . . . . 394
9.5.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
9.5.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
9.5.6 , . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
9.5.7 , X11 CDE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
9.5.8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398

9.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399

3. Lotus . . . . . . . . . . . . . . . . . . . . . . . . . 401
10. Notes/Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403

10.1 Notes/Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404

10.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405

10.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
10.3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
10.3.2 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409

10.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413

11. Domino/Notes 6 . . . . . . . . . . . . . . . . . . . . . . . . . . 415


11.1 Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416


11.1.1 Domino . . . . . . . . . . . . . . . . . . . . . . . . . 417
11.1.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
11.1.3 - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
11.1.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
11.1.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
11.1.6 - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
11.1.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432

11.2 HTTP- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433


11.2.1 Domino Web Server API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
11.2.2 HTTP- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434

11.3 (xSP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435

11.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437

11.5 Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437


11.5.1 Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438

11.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
11.6.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
11.6.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443


11.6.3 Directory Assistance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445


11.6.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
11.6.5 LDAP- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451

11.7 - Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453

11.8 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454

11.9 - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
11.9.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
11.9.2 (SSO) . . . . . . . . . . . . . . . . . . . . 460
11.9.3 - Domino Directory LDAP- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
11.9.4 Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463

11.10 Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466


11.10.1 Notes Domino . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
11.10.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
11.10.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
11.10.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
11.10.5 iNotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483

11.11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483

11.12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
11.12.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
11.12.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507

11.13 Domino Off-Line Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512

11.14 Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513


11.14.1 - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
11.14.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514

12. Lotus . . . . . . . . . . . . . . . . . 519


12.1 Lotus Team Workplace (QuickPlace) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520


12.1.1 QuickPlace SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
12.1.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
12.1.3 QuickPlace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
12.1.4 QuickPlace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
12.1.5 . . . . . . . . . . . . . . . . . . 525

12.2 Lotus Sametime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525


12.2.1 Sametime Connect . . . . . . . . . . . . . . . . . . . . 526
12.2.2 - Sametime . . . . . . . . . . . . . . . . . . . . . . . . . . 527
12.2.3 Sametime Java Connect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
12.2.4 Sametime Meeting Room . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
12.2.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529


12.3 Domino Web Access (iNotes) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533

12.3.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
12.3.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
12.3.3 - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
12.3.4 iNotes Web Access Notes . . . . . . . . . . . . . . . . . . . . 536
12.3.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
12.3.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537

12.4 Lotus Workplace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538

12.5 IBM WebSphere Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540


12.5.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541
12.5.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
12.5.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550
12.5.4 . . . . . . . . . . . . . . . . . . . . . . . . . . 550
12.5.5 Member Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550

12.6 Domino Everyplace Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557

12.7 Sametime Everyplace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558

12.8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560

4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
13. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563

13.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564

13.2 1: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564

13.3 2: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567

13.4 3: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 568

13.5 4: . . . . . . . . . . . . . . . . . 569

13.6 5: . . . . . . . . . . . . . . . . . . . . . . . . . 570

13.7 6: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571

13.8 7: . . . . . . . . . . . . . . . . . . . . . . . . 572

13.9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 572

14. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573

14.1 (Domino, Sametime QuickPlace) . . . . . . . . . . . . . 574


14.1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574
14.1.2 Web SSO Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
14.1.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577

14.2 - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578
14.2.1 SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
14.2.2 WebSphere Edge Server ( -) . . . . . . . . . . . 580
14.2.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586

xiii

14.3 LDAP- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587


14.3.1 LDAP- . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
14.3.2 Lotus Domino LDAP- . . . . . . . . . . . . . . . . . . . . . . 588
14.3.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591
14.3.4 Sametime LDAP- . . . . . . . . . . . . . . . . . . . . . . . . . 591
14.3.5 QuickPlace LDAP- . . . . . . . . . . . . . . . . . . . . . . . . 594

14.4 WebSphere Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596


14.4.1 SSO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
14.4.2 - . . . . . . . . . . . . . . . . . . . 599

14.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
14.5.1 LMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
14.5.2 LMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601

14.6 Tivoli Access Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603


14.6.1 Tivoli Access Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
14.6.2 WebSeal Websphere Edge Server . . . . . . . . . . 603
14.6.3 Domino TAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
14.6.4 WebSphere Portal TAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606

14.7 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607

5. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609
. . . . . 611
. DSAPI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
.
Domino 6 HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656

xiv


, .
IBM , , , . IBM. , IBM
. , ,
IBM.
.
IBM , .
. : IBM Director of Licensing, IBM Corporation, North
Castle Drive Armonk, NY 10504-1785 USA.

, : INTERNATIONAL BUSINESS MACHINES
, , , ( ) , . ,
.
.
, . IBM
/
.


IBM: , , .
- IBM
.

, , -

xv

. IBM
, , . , ,
.
, . , ,
. , .


, . ,
IBM, , , (application programming interface, API) ,
. . IBM ,
. , - IBM, , ,
IBM.


The following terms are trademarks of International Business Machines Corporation in the United States, other countries, or both:
@server (eServer), OS/390, Domino, OS/400, iNotes, Redbooks, Lotus Discovery Server, SecureWay, Lotus Notes, SP1, Lotus, SP2, Mobile Notes, Redbooks (logo), AIX, DB2, Everyplace, Extended Services, Tivoli, HACMP, Tivoli Enterprise, QuickPlace, IBM, WebSphere, Sametime, ibm.com, zSeries, Workplace Messaging, OS/2, Domino Designer, Notes.

xvi

:
Intel, Intel Inside () Intel
/ ;
Microsoft, Windows, Windows NT Windows () Microsoft / ;
Java , Java, Sun Microsystems, Inc. /
;
UNIX The Open Group .
, .

xvii


IBM Redbook
Lotus. Redbooks TM, The Domino Defense: Security in Lotus
Notes 4.5 and the Internet Lotus Notes and Domino R5.0 Security Infrastructure
Revealed, , Lotus. , ,
Notes Domino TM, , , Lotus IBM.
, Lotus Notes Domino,
Lotus. , .


. ,
- .
, . (security zoning),
(single sign-on, SSO), (public key infrastructure, PKI) .
, ,
, , Lotus .
Lotus.
, Lotus Notes Domino 6, Sametime 3,
QuickPlace TM 2.08, Domino Web Access (iNotes TM), WebSphere Portal IBM/Lotus. ,
, Lotus, ,
Lotus.
, ,
Lotus, ,
. ,
, .

xviii

,
Lotus Notes Domino -.
Notes Domino IBM Redbook, Lotus Notes and Domino
R5.0 Security Infrastructure Revealed, SG24-5341, :
http://publib-b.boulder.ibm.com/Redbooks.nsf/RedbookAbstracts/sg245341.html

,
Redbook , (International Technical Support Organization, ITSO), .
(William Tworek) , , .
, Redbook , IBM Lotus Software. , ITSO,
- , Andersen Consulting/Accenture, IBM Software Services for Lotus. -, .
(George Chiesa, Jorge Garcia-Chiesa,
Giorgio) (Chief Technical Officer, CTO) dotNSF Inc. (http://dotNSF.com). dotNSF - IBM, , ,
/
. -, - (MBA) SDA
(SDA Bocconi University), IBM /
14- Notes. Best Practices IBM Lotusphere/Symposium , .
(Frederic Dahm) ,
IBM Software Services for Lotus , . 14- , 10
-.
(David Hinkle) - IBM Software Services for
Lotus , (Phoenix, AZ). 19- , Lotus Notes/Domino . Domino, , LDAP (Lightweight Directory Access
Protocol) Web-. LotusSphere
, IBM
Microsoft.

xix

(Amanda Mason) Lotus Software , (Austin, Texas).


Principal CLP , CLS (Collaborative Solutions)
Windows 2000 Microsoft.
(Matthew Milza) -, - (New York, NY). Domino,
Domino. Domino
, : .
(Amy Smith) (Global Development Organization) Lotus Software.
Domino Notes. Lotus
Developer Domain, , 21CFR Part 11 Requirements for Notes and Domino. 20

(high-tech) . Redbook.

:
IBM Lotus Software
Charlie Kaufman, Matthew Flaherty, Mike Kerrigan, Joseph Russo, Mary Ellen Zurko,
Alan Eldridge, Jane Marcus, Kevin Lynch, Rich Epstein, Scott Davidson .
IBM Software Services for Lotus
Tim Speed, David Byrd, Mary LaRoche
IBM International Technical Support Organization
John Bergland, Axel Buecker, Alison Chandler


26- (residency program). IBM Redbook , . , IBM.

. IBM,
.
, :
http://ibm.com/redbooks/residencies.html

xx


!
, Redbooks ,
.
Redbooks :
Contact us :
http://ibm.com/redbooks

redbook@us.ibm.com

xxi



.
, - , ,

.

1
-
,
Redbooks.
, , , .
, -.
,
, .
:
, -
,
- , ;
, -
;
, -
, , , , Redbooks
.
, ,
- , -, .

1.1
,
, . ,
, , .
1980- . IBM Personal Computer,
. ,
, .
. -,
.
1990- , 20-
(, , ARPANet) Web-. .
. Web- Web-
. , ,
. , ,

, , ,
, - .

1.1.1
. , ,
, . , . , ,
, , .
, , ,
. ,
( ).
: , , (
).


- .
, , , ,
, .
,
-. , -. ; .
,
,
.

1.1.2 /

, ,
:



.

,
.
/ ,
() :
http://www.gocsi.com/forms/fbi/pdf.html


(CSI, Computer Security Institute), 1974 .,
- .
, .
, (FBI, Federal Bureau of Investigation) , ,
(NIPC, National Infrastructure Protection Center), - , (Regional Computer Intrusion
Squads),
. NIPC, -

, . (
, , , ,
).

(Computer Fraud and Abuse Act,
Title 8, Section 1030), ,
,
, ,
.

7
-
.
, .
503
, , ,
, 2002 . (2002 Computer Crime and Security Survey)
, .

2002 .
(
) 12 .
.
( )
. 223 $445,848,000.
,
(26
$170,827,000) (25
$115,753,000).
, , (74%), , (33%).
. ( 1996 . 16% .)

.
:
40% ;
40% ;
78% , ( ,
,
);
85% .
. :
WWW-.
.
12
Web. , ,
.
, ,
. .
( 2000 . 64%).

( 60% 2000 .).
.
( 3% 2000 .).
,
. .

1.1.3 CERT
CERT (CERT/CC) (DARPA, Defense Advanced Research Program Agency) 1988 . ,
. -
,
,
. , , :
,
;
;

, ;
, ;
.
CERT/CC (NSS, Networked
Systems Survivability) (SEI, Software Engineering Institute),
(Carnegie Mellon University). NSS , ,
.
CERT/CC . URL:
http://www.cert.org/annual_rpts/index.html
Figure 1-1. Number of incidents reported to CERT/CC per year, 1988 to 2001 (source: CERT). The bar chart's y-axis runs from 0 to 60,000; bar labels in chronological order from 1989 to 2001: 132; 252; 406; 773; 1,334; 2,340; 2,412; 2,573; 2,134; 3,734; 9,859; 21,756; 52,658 (the 1988 bar carries no label).

, , .

Figure 1-2. Number of vulnerabilities reported to CERT/CC per year, 1995 to 2002 (source: CERT). The bar chart's y-axis runs from 0 to 4,000; bar labels in chronological order from 1995 to 2001: 171; 345; 311; 262; 427; 1,090; 2,420 (the 2002 bar carries no label).
.
2002 . CERT/CC 204,841 880 , . . 1-1 1988- 2001.
, .
,
. , ( ), . . 1-2 1995- 2002 .
2002 . CERT/CC 4,129 82,094 , .
,

, . , .
-. :
-: , , -,
;
: , ,
, , , (non-repudiation);
: , , , , , .

(. . Notes Domino), , ,
.

1.2
,
, .

1.2.1
Redbooks ,
Notes Domino
(.. 6.0), , .
(, ,
) (. .
).
,
,
. , , .
, ,
.

10

1.2.2
, , , .
:
,
.
, .
,
. [, (, hub) (switch)], Ethernet , , , .
, , . , ( ) , , , , , . .

1.2.3 -
- , .
- , . , , :
( , );
(, );
(, . .).
, - , ,
- (, ).
(extranet). -
, , .
, -
, , , ,
.

11

1.2.4
, (NIST, National Institute
of Standards and Technology)
: (An Introduction to Computer Security: The NIST
Handbook, Special Publication 800-12). PDF URL-
http://csrc.nist.gov/publicatiuons/nistpubs/800-12/handbook.pdf
5 .

: , ,
, ,
( , ,
, , / ).
,
. - .

()
, , :
, , ;
, ,
.
, , .

( )
- , ,
:
, - ,
-;
, - ,
-.
- , -
,
-.
-, ,
; - ( ) ,
.

12

()
, -, ,
,
, :
, , ;
().
, , .
().
, , ,
().
, , , .
, ( ).
, .
,
(
).
,
, , .

1.2.5
, , ,
.
, ,
(sensitive information). ,
, .

1987 ., 100-235 ( 145), 8 1988 . (Computer Security
Act of 1987, Public Law 100-235 (H.R. 145), January 8, 1988).
(EPIC,
Electronic Privacy Information Center) :
http://www.epic.org/crypto/csa/csa.html
,
3, :

13

() : (4) , , ,
,
, ,
552 ( ),
()
.
, , , . , ,
. , ,
.
, (, , ,
) . , , , , . , .
. ,
( ) . ,
, , : , , , , , ( ) .
. ,
, ,
. Web-
, ,
,
.
(
, )
.
, .

,
, ,
.
. -
.
Web- -
, .

14


, , , , , (
, ). , .
. , Web-, , .



, , . .

,
. ,
(, )
, .


,
, ,
.
1. . . , , .


,
, . . .

. , .
1

,
,
. . ..

15

1.2.6
, ,
,
.
, Web- ,
, . 30-day interest-free loan (30- ) interest-fee loan ( , ). , Web- ( ),
.

1.3
, , ,
.
, ,
IBM (IBM Security Architecture),
ISO1(ISO Security Framework, 7498-2).
IBM , , ,
.

.

(Enterprise-Wide Security Architecture and Solutions Presentation Guide, SG24-4579),
IBM Redbooks. PDF- :
http://publib-b.boulder.ibm.com/Redbooks.nsf/RedbookAbstracts/sg244579.html
:
( );
( );
(, ).
1

16

ISO International Standardisation Organisation, . . .

(, );
( ).
, ; ,
.

1.3.1
:
, , , , ,
[INFOSEC-99];
, , , ;
.
IBM ,
.
, ,
-. ,
:
;

;

;
, ;
, , , .
, ,
, , .
, .
. :
;
;

17

,
;
, .

1.3.2
:
, , [INFOSEC-99];
,
,
,
- (-) .
IBM- ,
.
, .
.
ISO (8730, 8731
9564).

1.3.3
(I&A) .
,
.
, , (, , , , ).

. , -, ,
, (, Notes), .
.

18

, , :
, , ID1 .
, .
, ,
-. PGP x.509. , (PKI, Public Key Infrastructure).
, , , -, , -, .

(ATM, automated teller machine) , (PIN, personal identification number).
.
, ,
.
( ),

.
, . , , , . , :
, Notes ID .
- ,
, ,
. - : , 3,5''
( Sun's Java TM). ,
, ,
. - , , . , ? ,
.
1

ID identifier, . tx. .

19

-
.
,
(IC, integrated circuit) - . - ( -).
- -, . .
, ,
- -; , -
- . USB-,
USB-, .

1.3.4
. , , - .
.
, , , ID .
,
.
, , , , .
, ,
.
, , .
, , /
.

, .
, ,
, (,
, ).
, , , ,
( ).

20

1.3.5

, ,
, . , , , , .
, , , .
,
, / ,

.
100- , , .

1.4
, , .
, ,
.
,
, . , .
,
:
( );
() ;
() ;
;
.
, , , , , ,
. ,
, ,
RSA , 4.1
(RSA Laboratories Frequently Asked Questions About Today's Cryptography, Version 4.1),
:
http://www.rsasecurity.com/rsalabs/faq/

21

1.4.1
, ,
.
, , . ,
, . ( ,
, ,
, .)
,
. , , ,
. , - , . ,
. ( ,
, .)
.
, , . :
1. , 1
.
2. ,
,
; ;
.
, . .
, , ( ) (
).

. ,
(. . ), , , (. . ).
( ), 2. ,
.

1
2

22

. . .
10 ( ) . . . . .

1.4.2

, .
; ,
. :
:
ABCDEFGHIJKLMNOPQRSTUVWXYZ
:
GHIJKLMNOPQRSTUVWXYZABCDEF
1,
, HELLO WORLD NKRRU CUXRJ.
, , , .
.
,
, . ,
, , , / ( ) (),
.



. 2, .
.
,
, ,
.
, , , , A3.
, , , ,
- ( : ), , ,
.
. ,
, . 1

, ;
. . .
. . .
, , ,
A. , , . . .
. : - . . . . .

23

.
, , . , , .
,

- ,
.
,
, , ; . . .
, 25 ,
.
1, ,
, .
, , 40 256 .
2^39 , -
550,000,000,000 . .


,
, . ,
. . 1-3.

.1-3.
, -
. x x + 1 ( , ).
, ,
, .
, , . ,
, .
1

24

(brute force attack)


. . .


, .
,
.
, A, B C
. , - . ,
, ,
. , .
, , , -, .

(The Alice and Bob after-dinner speech), (John Gordon) 1984 . :
http://www.conceptlabs.co.uk/alicebob.html
, . ,
, , , ,
. . 1-4 , .

Figure 1-4. (diagram: the plaintext "THINK" is encrypted to "M0B4Q4Rg2s" and decrypted back to "THINK")
:
1. .
2. ; , ,
.
3. , ,
.
4. .

25

. .
, ,
.


: . , ,
. .

DES (Data Encryption Standard, )
(FIPS, Federal Information Processing Standard)
46-3 (DEA, Data Encryption Algorithm). DEA ANSI110X3.92. DEA 64-
56- (
64- 8 ).
3DES (Triple-DES, DES) ANSI X9.52
DES, : DES-EDE DES-EEE.
: DES-EDE DES,
(Encryption), (Decryption) (Encryption)
. DES-EEE (Encryption, Encryption, Encryption).
AES (Advanced Encryption Standard, ). FIPS PUB 197 NIST DES, AES 128, 192 256 , 56- , DES. Rijndael, (Joan
Daemen) (Vincent Rijmen),
. AES
: 128- .
RC2 [ (Ron
Rivest); RC Ron's Code ( ),
Rivest Cipher ( ). DES].
RC2 64-
- , DES.
Blowfish [ (Bruce Schneier) Counterpane
Systems]. 64- ;
( 448 )
. 32-
, DES.
1

26

ANSI American National Standards Institute, .


. .

Twofish [ (Bruce Schneier) Counterpane


Systems]. AES,
Blowfish. , . , ,
.
IDEA [International Data Encryption Algorithm,
, (Xuejia Lai)
(James Massey)]. PES Proposed Encryption Standard
( ). IPES,
IDEA; , PGP.
64- 128- .
, IDEA DES.
CAST [ , (Carlisle Adams) (Stafford Tavares)]. 64- , 128 . CAST
, Carlisle Adams Stafford Tavares. CAST-128 Entrust Technologies, , . CAST256 CAST-128,
256 128 . CAST-256 AES.

RC4 ( ,
RSA Security).
, Web-, SSL. RC4 2048
(256 ).
SEAL [Software Efficient Algorithm, - , 1993 . (Phil Rogaway) (Don
Coppersmith) IBM]. 5,454,039.
32- , 4
160- . .
WAKE [World Auto Key Encryption algorithm,
. (David J Wheeler)].

. ,
, .

. : RC1
, RC3 RSADSI .

27


, . , , ,
Notes, Domino Lotus. , .
- ,
,
.
, .


,
,
. , , ?
, ,
, .


,
, .
, .
(NSA, National Security Agency).
, :
,
,
;
,
, , , , NSA.
, , , . , , , .
Redbooks,
40 .

28

,
40-
. , 56 , ,
. ( , , -); 56 , , , 40,
2^16 , 65,536 , .
18 1998 .,
. : 56 DES (. . RC2, RC4, RC5 CAST) 1,024 RSA
, , , , ,
, . , .
, , , , - ,
.
, 6 2002 . (BIS, Bureau of Industry and Security) ,
(EAR, Export Administration Regulations) , , 111 2,12
EAR, .

64 , 5A992
5D992 (ECCNs, Export Control Classification
Numbers), (NLR, No License Required) 30- BIS.
5, II ( )
(CCL, Commerce Control List) , ECCN 5B002, License Exception ENC.
, , :
, , :

1

http://w3.access.gpo.gov/bis/fedreg/ear_fedreg.html#67fr38855

-/
, . 1994 . () . 1995 . . .
,
, . . .

29

, , :
http://www.bxa.doc.gov/encryption/EncFactSheet6_17_02.html
, ,
:

http://www.bxa.doc.gov/Wassenaar/Default.htm

1.4.3
, , .
.
, . . , ,
, , .


, . (, , ), (, , ). ,
, .
, , ,
, . , , ,
, , .
,
.
.1-5 , .

Figure 1-5. (diagram: the plaintext "THINK" is encrypted to "M0B4Q4Rg2s" and decrypted back to "THINK")

30

:
;

( , , );
, , , ;
;
.

. ,
, .


. :
(D-H, DiffieHellman) , (
, )
. ,
.
1975- 1976 .
(Whitfield Diffie), (Martin Hellman)
(Ralph Merkle)
.

GCHQ , GCHQ
1997., . RSA ,
,
.
(RSA, RivestShamirAdleman).
.
1977 . (Ron Rivest),
(Adi Shamir) (Len Adleman); RSA
. (Clifford Cocks), ,
GCHQ, 1973 .
. , , ,
1997 ., . 1983 . (MIT, Massachusetts Institute of Technology). 2000 . -

31

, .
RSA ,
.
. , RSA
1024 64
.
(ECC, Elliptic Curve Cryptography). D-H RSA, ECC , . , D-H
RSA, .
, . ECC ,
, .
. : NIST ANSI X9
1024 RSA 160 ECC, 80-
. NIST ( 80, 112, 128, 192 256).


, . , ,
, Notes, Domino Lotus.
,
.

, . , .
, , , . , ,
.
, , . .


, . , , -

32

. ,

.

1.4.4
. ,
,
.

, . .
, . , . , , Notes, SSL, S/MIME.
.

, .
.
. 1-6, .

Figure 1-6. (diagram: the plaintext "THINK" is encrypted to "M0B4Q4Rg2s" and decrypted back to "THINK")

33

. :
;
;
(, ,
, ) ( , ,
, , );
.
:
;
() ,
( , ,
) ;
.

1.4.5
, .
,
.
, , , , ( ,
, ).
, ? . ,
,
. .
,
, ( ),
,
, .

-
,
- ( ).

, , - .
. - .

34

, - ,
. , ,
, . :
,
( ).
-
. .
.

. -, -, 1
.
. ,
.
- ? ,
,
. RSA .
, -

.
- . MD5, RSA Data Security,
Inc. Notes. 128-
RFC1321.
, , - (SHS, Secure Hash Standard). 160- , , MD5.


, .
. 1-7. ,
, ,
.
. :
;
, ( ,
, );
;

35

;
.

Figure 1-7. (diagram labels: d', =?)
:
(
, );
, (- );
(
,
- );
.
:
, , : (
) (, 1
).
( ). - -
,
.
, ,
( ), , -
(
).

36

-
- ( -), , MD5 SHA-1.
,
MD5 SHA-1, MD2, MD4 SHA.
MD2 MD5 -, ,
R RSA. , , .
128- . -
RFC 1319-1321. (SHA, Secure
Hash Algorithm) NIST (SHS, FIPS 180, Secure Hash Standard).
MD2 1989 . , ,
16.
16- -.
, , , MD2
. , , , MD2.
MD5 1991 . MD4 , , MD4, .
,
MD4.
SHA-1 SHA, 1994 . SHA.
- MD4. SHA-1 ANSI X9.30
( 2). 2^64
160- . , MD5,
.
-
, . MD2 MD5,
, MD1, MD3 MD4? : .
MD ( Message Digest, RSADSI) . MD3 MD4 ,
. MD4 ,
. ,
, , MD5, RFC 1321.
, SHA-1, SHA-0? : . SHA
- NIST. NSA 1993 . MD4.
1995- NSA ( SHA-1;

37

SHA-0). , ,
.
, ,
MAC.
MAC (message authentication code) , . (Media Access
Control Layer) OSI.


, ,
, , , , , .

, . ,
(, . .).
(. .
) ( ), . ,
,
.

1.4.6
, .
, , ,
,
. : , , ?
, ,
. (
),
. , .
.
,
, .
, ,
. .

38

, , , , .
. , ,
, SSL Notes.

1.4.7

,
. (PKCS, Public Key Cryptographic Standards).
PKCS ,
1991 . RSA Laboratories Apple, Digital, Lotus,
Microsoft, MIT, Northern Telecom, Novell Sun. 1991 . PKCS ,
Notes Domino.
RSA , , , , ,
.
:
PKCS #1: RSA;
PKCS #2: (. );
PKCS #3: ;
PKCS #4: (. );
PKCS #5: ;
PKCS #6: ;
PKCS #7: ;
PKCS #8: ;
PKCS #9: ;
PKCS #10: ;
PKCS #11: ;
PKCS #12: ;
PKCS #13: ;
PKCS #15 (): .

. PKCS-2 PKCS-4 PKCS-1.

39

PKCS #1, PKCS #7, PKCS #10,


PKCS #11 PKCS #12.
PKCS #1 RSA. , PKCS #7. PKCS #1 RSA. PKCS #1
X.509.
PKCS #7 . ,
. PKCS #7
-
(S/MIME, Secure Multipurpose Internet Mail Extension),
. PKCS #7 , , PKCS #12.
PKCS #10 .
, . .
,
X.509.
PKCS #12 -
, , ,
. , Web-,
. - -.
PKCS, ,
RSA :
http://www.rsasecurity.com/products/bsafe/whitepapers/IntroToPKCSstandards.pdf
, FAQ1,13
RSA Security Inc.,
RSA , 4.1 :
http://www.rsasecurity.com/rsalabs/faq/index.html

1.5
-
, .
:
-, , , , , -, ;
1

40

(FAQ, Frequently Asked Questions). . .

, ,
, ,
( );
, , ,
, ,
.
, . . .
,
.

41

2


,
.
,
-, , ,
,
.
,
.
: , . . , .
.
, .
.

43

2.1 -
, ,
(. . , -).

2.1.1
, , , .
, .
, , . , , . , .

(threat) thrat,
, . :
1. , , .
2. .
3. , .

: .

, -
, . , : :
1. ; .
2. , , - , ; , , , :
, ,
( ).
3. ; ,

.
, :
,
, , :
.
.
( 1), - ,

44

( 2), ( 3).
- , . , , .

, .
- .
( ,
) , , .
,
, ,
, ,
.
, , :
(Clifford Stoll, The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage, Mass Market Paperback Reprint edition, July 1995, Pocket Book, ISBN 0671726889).
, , ,
.
,
, .
.
: , . ,
, ,
. . , .
,
.
,
.
, , .
.

45

2.1.2
. . , -.
, , ,
- , .
, ,
, - - , ,
, . ( , , , .)
(
),
.
,
.

.2-1.
. 2-1, , , ,
, .
, . .

46

, ( )
.
, . .
. /
:
(, , );
( , ,
);
(, , , , );
(. ., , - ).
. ,
(DOS attack, Denial-Of-Service attack) , , , , TCP/IP,
DOS- (, SYN Floods),
, , , , DOS, DOS-. ,
, ,
.
, . . , - (
).
. 2-1, , :
1. , , ,
.
2. ,
.
3. , , ( ), , .
4. , ,

47

, ,
, .
.
,
, ; .

2.1.3
- , .
, , . , , , .
, .
. 2-2 , . 80% ( ), 20%
. , 80% , , 55% , .
. . ,
.
.

.2-2.
, , , .
- ,
,
.

.

48

. , ,
, , ,
-, .
, , ,
, .
, ,
.

2.1.4
,
.

, ,
.
.
, ,
, . ,
,
, .
,
. ,
ISO17799.

2.2 ISO17799
ISO17799 (ISO), 146 ,
: , , , .
ISO : , .
ISO . ,
, , . , , .
ISO
,
, , , .

49

Web- ISO :
http://www.iso.org
ISO 17799 ( ISO/IES 17799:2000)
(Information technology Code of
practice for information security management). (. . ) 71 ,
.
:
http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=33441
&ICS1=35&ICS2=40&ICS3=

, .
[ISO17799]. [BS7799-2].
ISO17799
, , , .
, .

2.2.1
ISO17799 . DTI (United Kingdom, UK), 1995.
BS7799. BS 7799 ,
, , -.
-
BS7799, 2, 1999 . , ISO
BS , .
.
BS 7799 , (British Standards Institution, BSI)
. BS 7799 :
7799-1 ( 1): -

50

.
BS7799-1 , (Information Security Management System, ISMS). BS 7799-1 . , ISO/IEC 17799 (
) BS7799-1.
7799-2 ( 2): , .
BS 7799-2 ISMS, .
ISO/IEC 17799.
BS 7799
, 1999 . , ISO,
2000 . ISO 2002 .
2. ISO 17799 2002 .
ISO 17799 .
ISO-, .

2.2.2 ISO 17799


ISO 17799 ,
. , , , ISO 17799 . , . , , , . ,
. , , 10 , .
:
1.

-, .

2.

; ;
; ; -

51

; .
3.

, ;
, : ,
; , - ; .

4.

,
; ,
; ,
.

5.

, , ; ;
.

6.

, , ; , ,
;
.

7.

; , ; , .

8.

52

; ; ; ; ;

; ,
.
9.

,
.

10.

, ,
.

2.2.3 ISO 17799


ISO 17799 , ,
, , , . ISO 17799,
,
,

. ISO 17799 ,
,
.

2.3 ( 15408)

(CC, Common Criteria for Information Technology Security Evaluation)
-,
. -, -
.
CC
-, .
1980- . (TCSEC, Trusted Computer System Evaluation Criteria).
1990- . (ITSEC, Information Technology Security Evaluation Criteria),
TCSEC. 1990 . ISO
.
CC 1993 ., ( )
-.
-. . 2-3 , .

53

, , .

, .
-.


Figure 2-3. (diagram labels: TCSEC, NIST, CTCPEC, ITSEC v1.0, ITSEC v1.2, CC v0.9, CC v1.0, CC v2.1, ISO 15408)
, , :
1. . .
-
. 1 -,
- . ,
CC .
2. .

(TOEs, Targets
of Evaluation). 2 , .

54

3. .

TOEs. 3 , . (PPs, Protection Profiles)
(STs, Security Targets) ,
CC
TOEs, (EALs, Evaluation Assurance Levels).
CC
, .
, .
, ( PDF-), :
http://www.commoncriteria.org/
,
.

, .

2.4

(MASS, Method for Architecting Secure Solutions)
IBM , IBM Global Services (IGS) . (MASS, Method for Architecting Secure Solutions).
, -.

IBM (IBM Systems Journal on End-to-End Security,
Volume 40, N 3). :
http://www.research.ibm.com/journal/sj/403/whitmore.html

2.4.1
, , .
IBM Global Services
:
1. -
.

55

2. - .
3. ,
, ,
; , , , .
,
,
.

IBM Global Services, :
, ,
;
-,
;
, ,
,
.

2.4.2
, . ,
,
.
.
,
, .

,
. , , . ,
, .
,
[3].
- , , , -

56

. ,
.
- :
1. ,
.
2.
, , , [4]
[5].
3.
. , -, .

,
ISO 7498-2[6]
-. ,
OSI (Open Systems Interconnection,
) .
5 ,
OSI . 8 OSI,
, .
OSI:
, , ,
-. ISO 7498-2 ,
OSI ,
, , , , OSI.
, OSI.

. . (TCSEC, Trusted Computer System Evaluation Criteria).


, ITSEC (Information Technology Security Evaluation Criteria),
, CTCPEC (Canadian Trusted Computer Product Evaluation Criteria). 1996 . , ,
CC (Common Criteria) [7]. 1999 . [7-9].
.

57



.
11 :
;
;
;
;
;
;
;
;
;
;
.
11 66 , . 130 ,
- .

, :
http://www.commoncriteria.org

. , [10], , . . ,
.
. -
.

/

. . -

58

:
, [11].
, , .


[8]:
( TOE, Target Of Evaluation) ; TOE ( TSF, TOE Security Functions) TOE, .
;
.


.
, -,
,
.
, -, .
: .
.
, :
1. , .
2.

.

2.4.3
(Eberhardt Rechtin) ,
(, ), ( , ), ( )
( , ,
, , , , ).

59

- (NIS, Networked Information System). , , NIS,


. NIS- ,
. :
1. .
2. .
3. .
, , . NIS , . , , , NIS
.
, NIS
.

. ;
,
. , ,
, -.
, . 130 NIS-
: , , , , . CC-
. 2-1.

2-1

60


, ,
, , ,
, ,
, , /
, , ,
, /,

. 2-1

/


, , ,
, ,
, /
, , ,
,

, .
.

2.4.4
, , , . , , . 2-1,
, , . ; . . 2-4
, ,
, .

CC- . -

.2-4. -

61

, , , .

,
- , , . ,
.


- ,
,
, -.
, , , .

. ,
, , . , , -

.2-5.

62

, .
:
,
, ;
,
, ;
, , , ;
, .
. 2-5.


- ,

.
,
. ,
.
.
:
;
, , ,
, , , . .;
, , ;
; ;
;
;
;

.
. 2-6.

63


- ,
, , . ,

()

.2-6.
,
.
, , , , .
.
:
;
;
, , ( )
- ;
, ;

64



;
, ,
, , -, .
. 2-7.

.2-7.


-
,
, , .
.

, , , , .
-

65

.
:
;
;
: , , , ,
;
: ();
: ;
- : ,
, , , , .
. 2-8.

Figure 2-8.

66


- , ,
,
, , .
,
, .

.2-9.
,
. ,
, , ,
. :
- ;
;

67

, -;
, : ;
, : ,
;
, ;
;
;
.
. 2-9.


, - , , ,
.
-.

2.4.5
, . ,
,
. . 2-10 .
.
.
-, -, . -.
-, :
1. , -- .
2. ,
(..) -- , .

68

.2-10.
:
,
.

2.4.6 -
. 2-11 - -. ,
, , .
- ,
-,
.


OSI: , , ,
. -.
. ,
.

. , -

69

,
,


Figure 2-11.
.
1.
.
2.
.
3.
.
4. .
5. .
6.
, .
7. - .

70

2.4.7
. . 2-2.
, (), () . .

2-2

, , . . 2-3
.
.

2-3

1 n

1 m

1 k


.
.

.




.
OSI: , ,
, , .

.
.

.

71

2.4.8
,
-. . 2-12 2-13 .
.
,
,
.
. .
,
,
.

,
;

. , ,

.2-12.

72

. .
-

.2-13.


.

2.4.9
. : , , ,

.

73



. .
,
.
(ESS, Enterprise Solutions Structure) .


, . .
.
, .
, , , . . . , - ,
, .
, :
,
, .
:
, ,
;
, , , , ;
, , ;
,
.

2.4.10
. .
,
.

74

1.
. 2-14
,
.

.2-14.
. , . ,
.
;
,
.
.
, ,
.
,
. .

75

2. -
. 2-15 -
, . . -.

.2-15. -
, . .
. ,
, .
. :
1. -,
.
2. , . . .

76

3. ,
,
, .
4. .


, -.
5. ( ) . .
6. , .
7. , -.
, . , , , ,
- .


-, ,

.

3.
(PKI)


, PKI.
-, -,
, , , -,
PKI.
. 2-16 1. 2.
3. 4 , . 5
, 6
, 7 .-

77

Figure 2-16. PKI (diagram; numbered flows 1 to 7, described in the text above)


. .
, ,
, .

-.
, .
.


. -, ,
, : ,
, , . , , , ,

78

, -
. ,
:
;

-;
, , ;
;
, , ;
.


- . , - . , ,
-.
.

2.4.11 (MASS)
, .
.

:
-.
. ,
.
, , - , .
,
, , IPSec SSL (Secure Socket Layer), ,
. -

79

, , , , , .
,
. ,
. , , , , , .


, , IBM Global
Services. , ,
, . , (MASS), .
, ,
MASS ,
.

2.5 ISSL
IBM Software Services for Lotus (ISSL),
, (,
Blowfish Twofish): , .
ISSL-. ,
. ,
. , , , , , .

2.5.1
, , . . ,

, . , .
, - :
1) ? 2) ? 3) ?
: , .

80

. 2-17, , ,
.
10 , . 2-18.
.

.2-17.

Figure 2-18. The ten-step ISSL methodology (diagram; steps 1 to 10, described in sections 2.5.2 to 2.5.4)

81

2.5.2 1.
, .
, . , .

1. -
, .
, , , , , ,
( ), , , . ,
.
:
1. :
a) ;
b) ;
c) ;
d) ;
e) -;
f) ;
g) .
2. :
a) ;
b) .
3. (
).
4. , :
a) ;
b) ;
c) ;
d) ;
e) ;
f) ;
g) ;
h) ;

82

i) ;
j) ;
k) ;
l) ;
m) .
,
, -. -,
, , , . (, .) , .

2.
:
= + + .
, , . , . .
, ,
.
:
1. .
2. .
3. .
4. .
5. .

.
,
.

3.
:
1. ( ).
2. ( ).
, : ? ? -

83

? - ?
:
? ?
( )?

4.
. , (,
, ,
) . - . ,
.

5.
. .
, ,
, - ,
,
-, . ,
.
ISSL ,
.
, , .
, , : ? ? ,
? , ?
, .
, , , ,
,
, , - ,
.

84

2.5.3 2.
. , . . . .

6.
, ,
. (PKI), , , . , , ,
,

.
. ,
; , -. ,
, , .

7.
, , .
4 :
a) ,
, ;
b) ,
;
c) ,
( ,
), , ;
d) , .

2.5.4 3.
, ,
, .

85

8.
.
.
,
. , , ,
, , .
: . , , ,
, -,
. , ,
, , ,
, ,
, .
, , , , , , (
, ),
. , ,

, , , .

9.
. ,
, .
, ,
, ,
.
,
. ,
, , , . ,
.

86

10.
, , ,
, ; ;
, , , . ,
, .
, , . , , , , ,
, , , , , , .

2.6
,
.
:
, ;
;
: ISO 17799, , IBM (MASS);
, IBM's Software Services for Lotus.
.

87

,
. , (single sign-on, SSO), (PKI),
.
, ,
, , Lotus .

, , , .
, T-
.
.
Web-,

.
. :
, ;
(
-).
, ,
( ,
, , ).
()
.

91

3.1

, ,  .
,
. , .
,
, .
, , . ,
, . , (, ), ,
, , . , ( ), ,
, ,
.

.
, ,
, ,
, . . ,
, ,
. ,
, ,
.
.
, , . , ,
.
, .
.

92

(appropriate) (adequate), . . . .

3.2

. , - , . , , ,
.
, ,
, , .
, , :
;
;
;
;
.
.
,
, , .

3.2.1

:

;
,
, ;
() ;
, ;
Web- (proxy);

(IDS).

93


-, ,

( / ).
, ,
,
. 1.4, , 6, .
-, , .
.
, . , , Notes
Domino. , ,
Domino Domino, . , ,
. Notes
.
, Notes Domino
. Notes ( Domino Notes) , , ,
. ,
(ID), . Domino ,
, , , . 3-1.
Figure 3-1. (diagram; recoverable labels: mymail.nsf, Domino, Acme)

94


, . , ,
Domino . () .
VPN,
VPN. VPN .

( ). ,
() . , (, Domino) ,
. , ,
.

! , Domino, ,
, ID . ID Domino
( ), ID-
, .
, ID-
Windows- Notes root
Unix.



. ,
, .
, .

.
.
(, firewall).

. .
, , ,
, DNS (Domain Name Services). DNS IP- IP- . IP-, IP-.

95

, ,
.
(MX) . , , :
IP-
IP-. DNS 4, .
,
- .
, . ,
; , ,
. . T- , ,
. , ! , .


,
( ). , . Ethernet- , Ethernet .
Ethernet-
, .
(
, TCP/IP). , , , .
:
1. TCP/IP-. , Ethernet- , .

. TCP/IP , . -

96

,
, (VLAN).
2. , .
. , , , SSL, ,
, ( ,
).
ID , .
Ethernet- 802.11
.
, , , . netstumbler.com ,
Wi-Fi- ,
, ,
. IEEE 802.11i 2004 .,
. , WEP (Wired Equivalent Privacy) , , WPA (Wi-Fi Protected Access),
( - ).
, , , WEP, , ( ) , .
, .



. ()
, .
.
, 8, . ,
, , ,
-

97

. ,
. , , ,
ID- , , . . . ,
, ( ) . ,
,
.
T- , . , . :
?
, ?
, ?
, ,
, , , , . .

.
, . , ,
-, .
( ).
, ,
. :
1. . , . , , ( ), .
2. .
, . : , , , ,
. .

98

3. . , ,
-
.
.

-
-
Web-. , ,
TCP/IP.
, .
HTTP, FTP telnet,
TCP/IP. - . ,
.
, .

-. , , -, .
, , . , ( ), , , . , ,
,
, .
-
, . - ,
, . TCP/IP , (NAT), . - ,

,
.


, ( )
, ,
. -

99

, . , , , , , . . (IDS) ,
( ).
, , , .
TCP/IP
. .
,
, ,
. , Web-, .
, :
? , . ,
, ,
. ,
() . ,
.
,
, (
).
(IDS): (NIDS), , . IDS,
, e-mail- , IDS.
IDS 4.1.5, .

( ). ,
. IDS , ,
, . . ,
, IDS.
.

100


:
1. .
2.
.
3. .
4. .
5. , .
6. , .
7. .


, . :
.
(IP) . ( ) ,
.
, IP- .
; ,

.
, , , , ,
() , .
, .
, .
, ,
( )
. , , .
, ,
.
. () , , .

101

, ( ) .
,
. .



. , .
, , ,
.
,
,
.
,
.
,
. .

.
:
;
, ;

.




. , DoS- ( ) ,
.
, DoS-
-.
, , .

102

,
. ,
, , , .
.
,
, .


, , ,
, . , , , .
:

?

?
,
, ID
? ,
?
, , ID ?
(, ,
), , , ?
, , ?
?

, ?
,
,

103


. , . ,
,
, .
( )
. , ,
,
. , ,
(
). ,
, .


, . , , UNIX- telnet. telnet-, .
telnet-
:
/
telnet;
, , , .
[SSH (Secure Shell)] telnet. SSH .
Cisco SSH , SSH telnet.
, .
, . ,
4, .

104

,
, (, , , )
, .
,
: (exploits).
. ,
, ( )
, .
, , .
, .
DoS- ( ).
. , , . ,
, . , , : ,
. , . , .
, , :
1. .
2. .
3. .
.
, .
, .
, .

.
, , ,
,
, -

105

. , , -,
,
, - . ,
( ), . ,
, . , ,
.
, , ,

, .
. ,
, .
. ,
,
,
. , , , . , ,
,
, ,
. , .
, ,

.
, . , CERT.
Web- :
http://www.cert.org
, () ,
, -

106

, . , , , , . ,

-, , Patchlink Update (www.patchlink.com), BigFix Patch Manager (www.bigfix.com), Security Update Manager (www.configuresoft.com), LANguard Network (www.gfi.com) .


. , ,
().
, .
1. ,
( ) - . ,
.
, . 60 ,
.
2. . , , ( ).
.
3. ,

( , ,
). ,
,
, : ID , , , , , , , NETID.
4. . ,
. , , ,
, .

107

5. , . , , .
,
.


, .
, , ,
.
, ,
.
, , ,
, . ,
, .
.
,
, , .
. , - .
,

.
, , ,
. , ,
, , , , .

3.3
, ,
.
:

108


, .
, .
.
, .
Web- .
,
(IDS).

, .
.

.
.

, .
, .
.
, ,
,
,
.

109


Metagroup . ?
,
. IBM .
, .
. (,
.)
.

, .
( ) ,
.

111

4.1
, .
:
;
, ;
-;
;
;
.
, . ,
, - , , .

4.1.1
The American Heritage Dictionary of the English Language:

(firewall)
1. , .
2. . , .
,
. ,
-
, , ,
IP-.

.
, , , ,
.
:
;
.

112

,
:
;
;
(VLAN);
;
.


IP-
. .
,
( ) ,
. ,
, , :
IP- ;
;
;
, (UDP, TCP, ICMP . .).
.4-1 ,
TCP- 80 .

Figure 4-1. (diagram: a Cisco 2511 router blocking TCP port 80; port labels in the diagram: ASYNC 1-8, ASYNC 9-16, AUI, SERIAL 0, SERIAL 1, CON, AUX)
, , IP ,
, .
, , , ICMP, IP-.

113

,
,
.
.
, , . ( )

,
-.



; . ,

, .
TCP-

. , , TCP TCP-, . . ,
. .
, 4 ( ), . (ACL) , . -
.
, IP-, ,
, , , . .
, .

114


,
.
, ,
(circuit-level proxies). .
- .
.
,
. . ,
:
http://www.aventail.com

.
,
, .

SOCKS
SOCKS - TCP/IP, IETF- (RFC 1928). SOCKS
.
SOCKSv5 ( 5.0) IETF
(Internet Engineering Task Force) (RFC 1928) -
TCP/IP. SOCKS
.
SOCKS . - SOCKS
, SOCKS
OSI. . SOCKS -
SOCKS SOCKS TCP/IP-. - SOCKS
OSI .4-2.
,
- SOCKS. - . ,
. - , .
SOCKS: v4 v5. , - -

115

Figure 4-2. SOCKS client and SOCKS server in the OSI model1


. , SOCKSv5 . -,
, SOCKS- . SOCKS- SOCKS-.
, SOCKS, ..
SOCKS- TCP/IP SOCKS-. ,
SOCKS- , , , TCP/IP.

IPsec
IPSec IETF ( RFC RFC 2401, RFC, IPSec). O , IPSec, :
1. [Authentication Header (AH)]:
. AH
, IP- . AH , . ,
.
1

116

OSI : 1) (physical); 2) (data link); 3) (network); 4) (transport); 5) (session); 6) (presentation); 7)


(application). IP- . . . .

2. [Encapsulating Security Payload (ESP)]: .


ESP , .
3. IP [IP payload compression (IPcomp)]: IPcomp ESP.
,
ESP .
4. - [Internet Key Exchange (IKE)]: AH ESP . IKE
.
IPSec IP-. IPSec ,
IP-,
. IPSec
SOCKS, -. IPSec
. , , , , . , IPSec
, SOCKS,
OSI (, ). IPSec
VPN- (VPN )
(, ) , .

4.1.2
. , , Lotus WebSphere
.
, . ,

.
.
,

, . , .

! ,
.
, , ,
.

117

Firewall-1 Check Point


Firewall-1 Check Point ,
. .
. .
Firewall-1 (NAT). Check Point
, (VPN).
Check Point Firewall-1 on
AIX: A cookbook for Stand-Alone and High Availability, SG24-5492 Web-
Check Point:
http://www.checkpoint.com

Cisco PIX
Cisco PIX
Cisco. Cisco PIX ,
. , [ , (DMZ)]
.
,
.
Web- Cisco:
http://www.cisco.com

Raptor Firewall
Raptor Firewall Axent Technologies,
Symantec. Raptor Management Console (RMC) , VPN (IPSec IKE)
,
WWW Internet Usenet. Web-, Symantec:
http://www.symantec.com

IBM SecureWay Firewall


- IBM 1985 . IBM
10 . IBM SecureWay Firewall , , VPN


IPSec. . : A Secure Way to


Protect Your Network: IBM Secure Way Firewall for AIX Version 4.1, SG24-5855 Redhat
Linux Integration Guide for IBM eServers xSeries and Netfinity, SG24-5853,
Web-, IBM:
http://www.tivoli.com/products/index/firewall

TIS Firewall Toolkit (FWTK)


Trusted Information Systems, Inc. (TIS) TIS Internet Firewall Toolkit (FWTK),
.

Linux.
:
http://www.fwtk.org/
TIS Network Associates 1998 .
:
http://www.tis.com/ http://www.nai.com/

4.1.3 ,
(routers), (switches) (hubs) , ,
OSI: ,
, . , , , , .
, , , , , . , , -.
, (, FTP).
, , : . ,
.
( )
. .
,

.



, ,
. .
. , ,
, , , , . .
,
.
. , - (ISP), .
-
. , ( )
.
,
.
, , .
. ,
, .


Ethernet-
Ethernet, . Ethernet, , . ,
,
. , , .
( ).

NAT
[Network Address Translation (NAT)]
RFC 1918 IETF
IP-.
IP- [ Internet Assigned Numbers Authority (IANA)].
,


. IP-,
. NAT RFC 1631.
,
-
. IP- IP-
, - ,
.
NAT IP-
. NAT
IP; IP . . ,
IP- ( ,
), NAT IP-,
IP- . ,
NAT , ,
.
, NAT
TCP UDP. [Internet Control Message Protocol
(ICMP)] NAT-. , ping
ICMP, , , NAT,
NAT-, , IP- .
, NAT
[Port Address Translation (PAT)]. IP . PAT
, .

VLAN
(VLAN) ( 1998 .) , .
. VLAN ,
, , NetBIOS IPX. ,
.
, ,
. , .


VLAN
, .
,
.
, ()
. , , Cisco Catalyst,
.
VLAN ,
,
VLAN .
VLAN ,
(, ) , .
, VLAN
.
VLAN, . ,
, Ethernet- MAC- . , VLAN , VLAN .
VLAN IEEE 802.1q :
http://standards.ieee.org/reading/ieee/std/lanman/802.1Q-1998.pdf
, VLAN, VLAN-
. ,
VLAN ,
. , VLAN , . VLAN ( VLAN,
,
ID, VLAN) , , , - VLAN .


4.1.4 -


. .

-.
- .
.
:
.
.
- ,
, . ,
( 4), ( 7).
,
, ,
. ,
, , , .
, . , ,
.


,
() .
. . ,
, ,
. .


, , . , , .


-
. ,
, 5, -.

4.1.5
, , . [intrusion detection system (IDS)] , .
IDS :
1. [Network intrusion detection systems (NIDS)]. O TCP/IP . DoS- (
). NIDS
.
,
,
. NIDS
. , NIDS
TCP- TCP-. NIDS , . , , , , . ,
NIDS
.
2. .

.
. , , ; ,
. , Tripwire, , , IBM Tivoli Risk Manager Tivoli
Enterprise Console.
: http://tivoli.tripwire.com/
3. .
.


. . ,

HTTP
(get) URL.
4. . , (, -, - Web-) . ,
.
, ,
. Web- HTTP-, -
,

. , ,
() , , .
-
Sametime IBM Working with
the Sametime Community Server Toolkit, SG24-6667, . 63-84.
IDS Lotus Sametime. ,
-
. , , ,
, IDS.
IDS ( ), IDS, , Purdue University COAST
(Computer Operations, Audit, and Security Technology):
http://www.cerias.purdue.edu/coast/ids/ids-body.html#systems
IDS , IDS
.
NIDS, ,
, .
IDS
,
(, -).
,
, cookies Web-,
/.


4.1.6

,
, . , . , ,

.
IBM Tivoli Tivoli Access Manager,
. IBM Tivoli Access Manager Tivoli , , IBM:
Identity Management Design Guide with IBM Tivoli Identity Manager, SG24-6996
Enterprise Security Architecture using IBM Tivoli, SG24-6014
IBM Tivoli Access Manager for e-business, REDP3677

4.1.7
.
, , DNS DHCP,
- . , , , ,
,
.


:
DNS;
- SMTP;
- FTP.
.

DNS
[domain name service (DNS)]
IP- ,
IP- .


, MX- , , SMTP- .
, ,
DNS, , DNS. DNS, , . , DNS
, DNS, . DNS
, IP-.
DNS , .
DNS
( NS) MX. , , , , DNS-.
,
.
. ,
DNS ,
, , Web-, FTP-
-. DNS
, ,
.
DNS ,
. ,
DNS.
,
, , , .
, - , DNS, ,
DNS.
DNS- ,
- . DNS . DNS, , IP-.

- SMTP
- SMTP ,
SMTP- ,
. - SMTP , SMTP,
SMTP- (, UNIX sendmail Domino).


SMTP, - .
- SMTP . - - . - , ,
. -
. .4-3 - SMTP,
SMTP .
DNS MX
(mail exchanger), smtp1
acme.com. smtp1 , smtp2.

DNS:

acme.com          MX preference = 10, mail exchanger = smtp1.acme.com
acme.com          MX preference = 20, mail exchanger = smtp2.acme.com

DNS:

relay.acme.com    MX preference = 10, mail exchanger = smtp2.acme.com
relay.acme.com    MX preference = 20, mail exchanger = smtp1.acme.com

[Figure 4-3 image not recoverable: DNS servers, SMTP1, SMTP2 and an FTP server]

.4-3. - SMTP


, , -, relay.acme.com. DNS MX relay.acme.com,


-,
smtp2. , (). ,
smtp1 smtp2. ; smtp2 ,
smtp1. , DNS -,
. DNS , .
( ) - Lotus Domino 6 spam Survival Guide for IBM e-Server,
SG24-6930.

FTP
FTP- ,
File Transport Protocol (FTP).
(),
- . , FTP- ,
SMTP. , - SMTP .
,
, FTP (
). FTP- , , IP- , .

SSL
[Secure Sockets Layer (SSL)]
. . ,
, SSL. SSL (SSL record protocol) . , () SSL (SSL handshaking protocol),


, . SSL .
SSL. SSL SSL. :
1. .
2. .
3. , .
4. ,
,
( , ).
5. .
6. HTTP- HTTP- .

4.2
- ,
, Web-.
Web-, -
(, -, , , . .). , - . ,
, c
.
,
( ) Web- IBM.
, :
1. .
2. .
3. .

4.2.1 DMZ-:
. , ,
DMZ, (demilitarized zone).
DMZ 38- , 1953 .


.
, .
, .
DMZ T-
,
, .
DMZ . ,
(. 4-4).


[Figure 4-4 image not recoverable: DMZ between two networks]

.4-4. DMZ
DMZ (, ) ,
(. 4-5). , ,
IP-.
DMZ

DMZ .
, , , (,
IP- ) .
, -


DMZ, , - .
DMZ .
.

. , DMZ -
.
, , DMZ, . DMZ .
,
, DMZ .
DMZ .

[Figure 4-5 image not recoverable: filtering firewall, DMZ]

.4-5. DMZ
DMZ- DMZ ,
, . : .
, .
Web- (HTTP) , , (FTP),


- (). - , , ,
, Web- , - -, . . . DMZ , .

4.2.2
,
,
.
,
, .

. ,
, .

,
. .
, , , , , , , , .

. , .

.

, (root). ,
,
, ,
. , UNIX-
( ); ,
, chroot jail1
. Google chroot
breaking out :
http://www.bpfh.net/simes/computing/chroot-break.html

, .

; UNIX-
chroot. . . .


, .
, , ,
.
,
-.
. , , -.
, , :
1. -.
2. -.
3. .
4. -.

, , . , ,

. , , . , ,
, , , ; , . , .


1. -
, , , .
, ,
. ,
; ( , ) , .
- :
- .
- -
.
- -. , , , .


2. -
, .
,
- (, DNS, -,
- c , -). - :
. ,
-.
.
,
. , - - ,
, .
IP- .
- -
.
, -,
.
.
.
-
.
, ,
.
( , , , ISDN, ADSL, VPN . .).

3.

, IP- .
- , , , . :
( RFC 1918), IP ,
- -.


.
-. ,
.
. .

T-.
.

.
( )
( -).

.
, .

4. -
IP-. . - :
IP- ,
, ,
.

.
.
, ,
-.
, T- .
.
( )
, -


(, ).
, ,
. , , .
, - .
- -, , . ,
.
, , .
,
/ .

4.2.3
. ,
. :
, ;
;
, ,
;
, ,
;

, .
.

? . , . ,
. , IP-
, . , . , ,
IP-,


. , .
, -
. ,
, . ,

. ,
.
.
,
, . T- ,
.
, ,
,
. ;
IPSec NAT- IPSec NAT-. , -, T-. ,

, T- . T- - .

, . , . ,
.
.
, -,
.
- T-, .



.
( ).
.
, ,
.


IP- , .
(NAT).
.
(VPN):
SSH (
);
.

( )
SOCKS V5.
, , .
.
.

, :
, , (). (. 4-6).
, . , . , , . ,
, .4-7
, .
,
. Cisco PIX ,


.4-6. [Figure 4-6 image not recoverable: Cisco 2509 router (AUI, SERIAL 0, SERIAL 1, ASYNC 1-8, CON, AUX)]

.4-7. [Figure 4-7 image not recoverable: Cisco Secure PIX 535 firewall, Catalyst 3550 switches, Cisco 3600 series router, IDS]
, , , ,
VPN, . ,


. ,
.
.
, (),
, .
:
HTTP, ;
DNS;
SMTP.

, .
,
, , ,
.
, , , .

4.2.4 :

,
, , . , .

. - .
. ,
,
.
,
. ?
, , ,
x y. ,
x y
. ,
. .
.


- . - , , -.
-, , , ,
, . - ; , - . .4-8 ,
.


.4-8.
, . ,
-.
- (firewall routers) .
, ( )
- . , - ( ) . -. , , -



.
.
.4-8: ,
. , -
- ( -). , -.
, ,
- . ;
, .
.4-9 .
- .

. , - -

[Figure 4-9 image not recoverable: IP addresses of the proxy interfaces, IP 1 and IP 2]
.4-9.


. ,
, ,
.
-, -. 2 1 . , , ,
- . ,
-.
Web- -.
-.

4.2.5
, .
, . , 1.3.3,
.
,
.


, .

-
() . - (challenge-response)
. X.509
Notes.
LTPA cookie HTTP. .
, ,
.

-
, . X.509 Notes. - (challenge-response). ,
, .
.



, ,
. , ,
SSL, Notes Domino Domino Domino
Domino.


1, T-.
, .


, , .
.
. , ;
. , IP-, ,
.
. , , .


.
-, .
, SSL . , . -
.

,
,
Secure Sockets Layer (SSL). ,
. -


- .
.
- -
, , .
,
,
. , . ,
-, . ().

.

4.2.6
4.2.3, , ,
, .
,
, .
, .
4.2.4,
: .
/
:
1. ;
2. ;
3. ;
4. ;
5. ;
6. ;
7. ;
8. ;
9. .
. 4-1 4-9
:


H ( ; );
(
, ).
.4-10 , , FTP .4-1.

[Figure 4-10 image not recoverable: FTP marked X on one side of the firewall and H on the other]
.4-10. FTP - -
. . ,
.

1. - -
4-1 - - ()

HTTP

TCP

80

HTTPS
(SSL

TCP

443

FTP
FTP
DNS

TCP
TCP
UDP

20
21
53


X
X
80 , HTTP (DNS, SMTP ..)
X
X

443 ,

HTTP (DNS, SMTP ..)
X
H
FTP-
X
H
FTP-
X
H

H
X


2. - -
4-2 - - ()

TCP
25
H
SMTP

DNS

UDP

53

HTTP

TCP

80

HTTPS
(SSL)

TCP

443

( -
SMTP)
DNS DMZ-
NAT-,

NAT-,

H
X

3. -
4-3 - ()

HTTP

TCP

80

SSL
(HTTPS)
DNS

TCP

443

X
-.

X
-

UDP

53

LDAP (SSL)

TCP

636

SMTP

TCP

25

SNMP Trap

UDP

162

NTP

UDP

123

TSM/ADSM
Backups

TCP

1500/1501

H
X


-


:


(traps)



.
-
.
- ,

4. -
4-4 - ()

SMTP
SSH

TCP
TCP

25
22


H
H
X
X

LDAP (SSL)

TCP

636

DNS

UDP

53

HTTP

TCP

80

HTTPS
(SSL)

TCP

443


& ;
(
)
-
:

/
DNS
NAT -
/
NAT -
/

H
X

5. -
4-5 - ()

25

SMTP

TCP

UDP

53

NTP
SNMP Trap

UDP
UDP

123
162

H
H

H
H


/ IP-
DNS-,


TMR/GW/Netview
Netview.
(traps)

DNS

Domino
Replication
MQ Series
MQ (HACMP)
DB2
(JDBC -
DPROPR)

TCP

1352

TCP
TCP
TCP

1414
1415
37xx

H
H
H

H
H
H

/
/
3700-371x

H
X


6. -
4-6 - ()

FTP
FTP
DNS
SNMP
SNMP Trap
LDAP
DB2 Admin
LDAP (SSL)

TCP
TCP
UDP
UDP
UDP
TCP
TCP
TCP

20
21
53
161
162
389
523
636



X
H
X
H
X
H
H
H
H
H
X
H
X
H
X
H

Domino
Replication
MQ Series
MQ (HACMP)
DB2
(JDBC - DPROPR)
net.commerce
ESM

TCP

1352

TCP
TCP
TCP

1414
1415
37xx

X
X
X

H
H
H

TCP
TCP

X
H

H
X

Tivoli

TCP

4444
5599,
5600,5601
20001

zOS/390
zOS/390

/
/
3700-3719

ESM Mgr Agent Access 5599,


ESM
dmproxy-

H
X

7.
4-7 (-)

HTTP

TCP

80


X
X

HTTPS (SSL) TCP

443

LDAP

TCP

389

LDAP (SSL)

TCP

636

Domino
Replication

TCP

1352

H
X


/XML
( )
/XML
( )
(
)
(
)
(
)

8. -
4-8 - () NAT/PAT

HTTP

TCP

HTTPS (SSL) TCP

80

443

NAT/PAT
/
NAT/PAT
/

H
X

9. - -
- -
, , ,
. , - , . , IBM.
, HTTP-
- -, HTTP-.
80 443 - HTTP-.
.4.9 , . ,
, ,
.

4-9 - - ()

TCP
25
SMTP
DNS

UDP

53

HTTP

TCP

80

HTTPS

TCP

443


X
X
SMTP-

X
X
DNS

X
X
Web-

X
X
Web-

H
X

4.3
.
.


,
, . .

,
. , :
1.
, .
2.

.
.

. :
1. . ,
- -.
2.
.
.

4.3.1
, . Acme Web- . Lotus Domino. WebSphere. ID , () LDAP.
URL- Tivoli Access Manager.
Acme [ ,
()] . , [ , ()],
. , .


.4-11 .
.4-11 , .
.

[Figure 4-11 image not recoverable: IP, two WebSeal servers, Tivoli Access Manager, DNS, firewall 1 and firewall 2, Websphere servers, Domino servers, IBM directory (LDAP); numbered steps 2, 6, 8, 10, 11 and 12]
.4-11.


,
/ . ,
URL-, URL DNS-. URL IP-, IP- - 1. 1
HTTP GET ,
-. ( LTPA), Tivoli Access Manager ( 2) .
(ID , 3),
, Tivoli Access Manager ( 4). Tivoli Access Manager
LDAP ( 5), , - LTPA
GET ( 6) ( 7). WebSphere Domino (8). , , . , , .
1.
-. - LDAP (SSL, 636) Tivoli Access Manager. ,
-, - Tivoli Access Manager,
Tivoli Access Manager
SSL. LDAP SSL -
. , SSL (-) X.509 .
2. Web- - . SSL, ;
, SSL
- .
-
HTTP . 80 - 1 Web-
1.

Domino . ( 9 .4-11)
Domino Domino ( 10). -


Domino ( 11). ,
, :
(Notes ID ) ; -
. Domino ,
.
, . . , .
, ,
, . .
- ,

. , , , , ,
.

4.4
, :
;
;
;
.
, :
1. -.
2. -.
3. .
4. -.
,
, .
,
, .
,
.


(IP)
.
( ).
.
NAT ( ).
.
.
IPSec, SOCKS, .


DNS .
- .
- SMTP
.
- ( -)
IP-.
- .
( DoS-
).
(SSL).
.
.


.
.
.
HTTP-.


5
-

. , ,
, ,
.
-.
- ( ) ,
.
IP-,
.
( ),
, . , ,
.


5.1
proxy, , , . , proxy - ( -),
.
,
-,
( ) . ,
, , , ,
. https- 443 http-
80.
,
, , , , ( ) . .
( ), ,
- .
, . ,
( )
() , , ,
.
() . , ,
,
.

5.2
, .
,
( bind), .
, ,
. ,
, , .
, . , ,


,
. Notes, Lotus Notes
Notes .
,
-.

5.3
, . , -. , - .
.
, , :
(forward proxies);
(transparent proxies);
(caching proxies);
(security proxies);
(reverse proxies).

5.3.1
-,
,
, ( ) (
, , - ).
, ( )
. .
,
Web- .
( , ) - WAN- ( ),
.


5.3.2
-, ,
, . Linux/UNIX ,
, . , () , , ,
, .
, ,
, , ( : HTTP) . , proxy.mydomain.com, proxy.mydomain.com, . , (HTTP),
.
, ,
, .
,
. , , , ,
, .
, , .

5.3.3
, , -, , . , , .

, ,
. ,
, , . HTTP- HTTP
cache.
. ,
IBM Edge Server: IBM
Caching Proxy. .5-1
-.


[Figure 5-1 image not recoverable: caching proxy flow with legend items 1 to 6 (6 - Web-)]
.5-1. ,

5.3.4
- .
( )
.
-. , .
, , - , .

[plug-in ()] ( , IBM Tivoli WebSeal Plug-In IBM WebSphere Edge
Server). , , IBM Tivoli Access Manager for
e-Business, .
4.1.6, .

5.3.5
,
.
, , -



.5-2.
(
, ) , , . ., .
:
!
.


, . -. ,
, .
, , ,
.



. ,
.
,
, .
, .



, .
,
. , ,
. , Web- .


[Reverse Proxies Secure Servers (RPSS)] ( ) , .
RPSS
, , .
(blade). ,

IBM Tivoli Access Manager; ,
(WebSeal , WebSeal-lite).

5.4 Lotus
Lotus Domino . Lotus Sametime.
.
Domino
Lotus Domino (Notes/Domino, iNotes, QuickPlace . .).

5.4.1 Domino
, ,
Domino . ,
HTTP.
Domino , .
, ,
, ,
Java- . , Domino


blade () , .,
, IBM Blade Center. . . .


, -
. - Domino
:
?OpenImageResource
?OpenElement&FieldElemFormat = gif URL
IBM WebSphere Edge Server
(Last Modified Factor).

5.4.2 HTTP-, Domino


HTTP (HTTP Methods) -
, -. , , Domino GET, HEAD
POST. .

5.4.3 URL, Domino


Domino

, Domino. -.
requests for /* go to http://xxx.xxx.xxx.xxx/*
,
,
, .
,
, -
Domino, HTTP.

. ,
Domino, iNotes, :
requests for /mail* go to http://xxx.xxx.xxx.xxx/mail*
requests for /iNotes* go to http://xxx.xxx.xxx.xxx/iNotes*
requests for /inotes5* go to http://xxx.xxx.xxx.xxx/inotes5*
requests for /icons* go to http://xxx.xxx.xxx.xxx/icons*
requests for /domjava* go to http://xxx.xxx.xxx.xxx/domjava*
requests for /names.nsf go to http://xxx.xxx.xxx.xxx/names.nsf


/mail*. , ( , /mail[1-3]), .
, , , /pubmail/*.
,
iNotes Web Access.
, ,
/names.nsf, .
Domino Directory, ,
.
URL- Domino . Domino,
/names.nsf?Login. -
Domino. , ,
(Groups) /names.nsf/Groups?Openview /names.
nsf/85255ed5006cafef852556d4006ca21c?OpenView, Domino, - , .
403, .

URL- Domino
- URL, -,
URL .
URL ( IBM WebSphere Edge Server SignificantUrlTerminator)
Domino, URL- Domino ? - URL- .
URL, Domino, :
SignificantUrlTerminator ?OpenImageResource
SignificantUrlTerminator ?OpenElement
SignificantUrlTerminator /?OpenImageResource
SignificantUrlTerminator /?OpenElement

Domino
ReversePass ( ) - 302 Domino
. URL- , , , :
ReversePass http://xxx.xxx.xxx.xxx/* http://proxy.formymailserver.
web/*



Domino
- Lotus Developer Domain
(LDD) Web- iNotes - WebSphere Edge. LDD :
http://www-10.lotus.com/ldd/today.nsf/62f62847467a8f78052568a80055b380/ ff0e8350
68e03c3685256cda0054a213?OpenDocument&Highlight=0,reverse,proxy

5.5 Lotus Sametime 3.1


Lotus
- , Lotus Instant Messaging and Web Conferencing (Sametime) 3.1.
- HTTP Sametime 3.1, ,
Lotus.
Sametime 3.1 Sametime 3.1 Administrators Guide,
.
Lotus Developer Domain :
http://www.lotus.com/ldd

5.5.1 Sametime 3.1


Sametime 3.1 -, - Sametime
Sametime. Sametime, Sametime
, -.
-
. Sametime -
- Sametime.
- .

5.5.2 -
,
- Sametime 3.1.

URL ( id)
Sametime -,
(affinity-id)


( ) URL-, . , -
URL :
http[s]://hostname:port/affinity-id/
hostname
(FQDN) (DNS-) -, affinity-id
, -.
URL
http[s]://reverseproxy.ibm.com/st01/stcenter.nsf
st01
(affinity-id). id Sametime
(, sametime.ibm.com), . id -
Sametime.

-
-
, Sametime
-, :
-
DNS-
.

, - reverseproxy.
ibm.com, - reverseproxy.ibm.com. - DNS, Sametime
Sametime, -. Web- -
, (, IBM WebSphere Edge Server).

-
.

-
URL-, Web- -,
Sametime. URL URL- Sametime -, Sametime
Sametime, -.


- cookies
-, URL- , . - HTML URL-,
.
-.
- ,
URL-
. Sametime -,
.
,
cookies. ,
cookies ,
-.
cookies
- cookie . , cookie
,
Sametime, -.

5.5.3 Sametime
-
Sametime 3.1 -,
Sametime.

JVM
Sametime Sametime -. :
Sametime Meeting Room Sametime Broadcast.

Sametime Meeting Room Sametime Broadcast Sametime - ,


Web- Java- [Java
Virtual Machines (JVM)]:
IE 6 + MS VM Sun Microsystems JVM 1.4.1 + Java Plug-In;
Netscape + Sun Microsystems JVM 1.4.1 ( Java Plug-In).

Sametime Connect (Java- Sametime Connect) Sametime Links,


Sametime.


Sametime Connect Sametime Links


Sametime -

, Explorer 6 Netscape 7,
Sun Microsystems JVM 1.4.1.

Sametime Connect Sametime Links


Java, Internet Explorer Microsoft.

. Sametime Connect (Microsoft Windows-


Sametime Connect) Sametime,
-.


Sametime -, :
/. /-
Sametime, Sametime
-.
TeamRoom Discussion. , Sametime -, Sametime TeamRoom Discussion.
Sametime Administration Tool. , Sametime -, Sametime Administration Tool.
Sametime Administration Tool
Sametime Web-. Sametime Administration Tool
Sametime
, HTTP- -.
Sametime Enterprise Meeting Server.
Sametime 1.0 Enterprise Meeting Server, Sametime
3.1, -.

5.5.4 SSL,
Sametime - [Secure Sockets
Layer (SSL)]. SSL , Sametime -. Sametime .

. Web- SSL, Sametime


,
Web- HTTPS Sametime HTTP.


SSL Sametime, Sametime Java Plug-in Web- ( , . .). Java Plug-in - SSL, SSL.
, , , Java Plug-in, .


- SSL, SSL- ( handshake) Web- SSL . Web- Java 1.4.1
Plug-in (Signer certificate),
(Certificate Authority (CA)), .
Java Plug-in
, . Java Plug-in 1.4.1 Java Plug-in :
1. Windows [Start () Settings
() Control Panel ( )].
2. Java Plug-in 1.4.1 Java Plug-in.
3. Certificates ().
4. Signer CA ( ).
( ) SSL- , - Web- , (CA) .


-
, Java Plug-in 1.4.1 . Java Plug-in Certificates () Java Plug-in.
:
1. Windows
[Start () Settings () Control Panel ( )].
2. Java Plug-in 1.4.1 Java Plug-in.
3. Certificates ().


4. Certificates () Secure Site ( ).


5. Import () .

5.5.5 -
Sametime
Sametime -, - .
- ( ) URL-, -, URL Sametime.
Sametime -,
, Sametime .

Sametime HTML . - URL- HTML-, Sametime.
Java- Sametime, Web- , Sametime.
-,
- URL-, Java- Sametime.
, - ( ) URL-
Sametime.


-, Sametime,
URL- (affinity-id) (
).
, URL- Web-
http[s]://reverseproxy.ibm.com/st01/stcenter.nsf
- id st01 Sametime, sametime.ibm.com,
id - URL-
:
http[s]://sametime.ibm.com/stcenter.nsf


Sametime, -, Sametime id, :


/st02/*    http[s]://sametime2.ibm.com/*
/st01/*    http[s]://sametime1.ibm.com/*


Sametime
URL-, Sametime, .
- URL, Sametime, . , ,
URL- Web-:
http[s]://reverseproxy.ibm.com/st01/*
URL- Sametime:
http[s]://sametime.ibm.com/*
,
URL,
Sametime -.

,
Java-
URL-
Java- Sametime Web- Community Services, Meeting Services, Broadcast Services Sametime.
: Community Services, Meeting Services Broadcast Services.

Community Services
,
Java- Community Services.
URL- Java-
http[s]://proxy.ibm.com/st01/communityCBR/
http[s]://proxy.ibm.com/st01/CommunityCBR/

URL- :
http://sametime.ibm.com:8082/communityCBR
http://sametime.ibm.com:8082/CommunityCBR


. Community
Services ,
. Java- communityCBR ,
Java- CommunityCBR .
,
.

Meeting Services
,
Java- Meeting Services.
URL- Java-
http[s]://proxy.ibm.com/st01/MeetingCBR/

URL- :
http://sametime.ibm.com:8081/MeetingCBR

Broadcast Services
,
Java- Broadcast Services.
URL- Java-
http[s]://proxy.ibm.com/st01/BroadcastCBR/

URL- :
http://sametime.ibm.com:554/BroadcastCBR

HTTP-, Java-
Sametime HTTP- 80.
Sametime HTTP 80,
Sametime (Community Services,
Meeting Services Broadcast Services), .
HTTP- 80 , Sametime
HTTP-
. , .
Sametime HTTP- 80, Sametime .


,
Sametime, Sametime
Sametime.
HTTP- 80, Community Services Sametime HTTP- HTTP
Services, Community Services, Meeting Services Broadcast Services Sametime.
Community Services
( 80).
Sametime ( HTTP- 80), Java- . Java-
Sametime ,
.
,
URL- Java- Sametime:
http[s]://proxy.ibm.com/st01/*
- URL-:
http://sametime.ibm.com/*

. Sametime HTTP-
80, ,
Community Services.

5.5.6 Sametime 3.1



Sametime 3.1
, Sametime Sametime Administration Tool Sametime -.
, Sametime HTTP-.

HTTP-,
HTTP.


Configuration ()
Sametime Web Admin Connectivity (). Reverse Proxy Support ( ).

-,
(junction name)
Server Alias ( ).

Reverse Proxy Discovery ( )



.

Sametime ,
Sametime -. .

. ,
- Sametime -.
Sametime
.
. , Sametime
-, Sametime
Sametime.

5.6

, - Lotus IBM.


- .
, URL-, HTTP, . ., , .

Domino Web Access (iNotes)
iNotes Web Access
, Web- Lotus Developer Domain
http://www-10.lotus.com/ldd/today.nsf/
62f62847467a8f78052568a80055b380/
a96b7591a013173185256c79005c1af3?OpenDocument



( , ) ,
, ,
, .


(client affinity) (sticky sessions). cookies,


.., - . Network Dispatcher WebSphere Edge Server IBM.
: ,
. ,
(gracefully transition).


. , ,
, .
, ,
, . ,
, . .


, ,
- ,
. , IP-, .

( )
NETSTAT.
netstat -an | find "LISTEN" | find "8080"

TCP    0.0.0.0:8080    0.0.0.0:0    LISTENING

0.0.0.0:8080 ( *.*:8080) () , , , TCP/IP-,


. , , IP-,
.
, . ,
127.0.0.1:xx , ,
IP- .
1


UNIX find grep. . . .



, , , , , , .
-, ,
[single sign on (SSO)],
, ,
Sametime.
Lotus ,
,
.

. ,
, , - (
-)
, :
, .
( ),

, ,
, .
, ,
(no-cache)
(expires), Web-.

IP-
- IP-
. , , IP-.

HTTP . ,
IP- .
HTTP, IP- . ,
.


DNS
-
DNS. , -
IP- , . , , .


, - ,

. -.


, - , /
(), .
.

, , , . ,
, .

5.7
- , . ,
.
IBM Lotus.
4, ,
.



, ,
[public key infrastructures (PKI)],
Notes Domino.
PKI Notes Domino,
PKI, Web, , .
(Certificate Authorities)
(Registration Authorities),
. , ,
Domino .
, SSL, ,
SSL .
SSL
Domino .


6.1 Notes

(PKI) Lotus Notes Domino. :
PKI Notes , . , PKI ,

.
, Notes Domino, , , PKI.
. 1
, .
: (confidentiality), (authentication) (identification), (integrity) (non-repudiation).
, Notes Domino . , ,
.
Notes
6.

6.1.1
PKI, Notes Domino, ,
.

, . Domino (Domino
Directory). Notes Domino Notes ID.

, Notes
Domino. ,
, , . . Notes Domino Notes
Notes ID.


6.1.2
Lotus , :
(flat certification). Notes 3 (hierarchical certification).
, , .
5; 5 6 .


Lotus Notes, ,
6, Lotus
.
. .
Lotus Notes.

:
ID , ID Notes.
,
ID Notes.
Notes ID,
(Public Address Book).

.
, ,
, .
,
. , ,
. , ,
. , ,
, .
! ,
. -


, , .
, , , .
Lotus Notes Domino 6 (ID) , ID
Notes R4.


, ID , ,
,
.
,
, .
, , .6-1.
Acme, , , .
,
.

[Figure 6-1 image not recoverable: Acme certifier tree]

.6-1.
Switzerland/Acme.
, RSA- (/).
Switzerland/Acme. , ID
Switzerland/Acme.


. //Acme. ,
RSA- (/).
//Acme. , ID
//Acme.
,
.


() .
Acme o=Acme.
ou=Switzerland/
o=Acme. ou=USA/o=Acme,
ou=East/ou=USA/o=Acme.
cn=Sandy/ou=Switzerland/
o=Acme.
cn=Dave/ou=East/
ou=USA/o=Acme.
, ,
ID ID .
, ,
. ,
,
Acme. ,
,
(crosscertification), .
, ,
, , [ (ID) , ] :
;
;
Notes ID;
.


6.1.3 (ID) Notes


Notes (ID)
Notes. Notes ID ( ), , , Notes (PKI).
Notes ID.

ID- ,
Notes ID , , . Notes ID:
ID- (Certifier ID). , ID. :
ID- () ID- (OU) (organizational unit). ID- ; . ID ( ) ID-
.
ID: ID-
Notes ID1.
ID- (Server ID). ,
, Domino. .
ID- (User ID). , Domino.
.
ID- ,
. -
, . Domino 6, Domino 6 CA,
ID- Notes .
Domino ID . ID-,
:
. ID- . ID- .


: ID . . . .

.
, Domino
Notes: .
Notes ID- . Notes, ,
, ID- . , ID , , ID . , :
,
, .
630. (primary keys). Notes 6 Notes.
,
.
512 . Notes 6
Notes.
. (
).
. Notes ,
, , ID , .
(.) .

.
(, Notes.) -. -
SSL,
S/MIME. - [Certificate
Authority (CA)] . , -, . .
, ID , , , ,
. , ,
, .
.6-2 Notes ID, (
Notes ID), (
ID ).


:
1.
,
ID. Notes , ID (,
).
2. , Notes, . Notes ID ,
ID . Notes ID, Notes .

[Figure 6-2 image not recoverable: contents of a Notes ID file]
.6-2. Notes ID

Notes
Lotus Notes Notes, Notes ID.
, ,
Notes.
, , , Notes
ID, .
Notes, -
( Notes).
Lotus Notes Lotus Domino,
Domino , ,
. Notes Domino . Notes Domino, Domino
.
.
Notes, Notes ID, , :


, .
, .
, Domino, ID.
Notes , ,
ID.
.
.
, , .
.6-3 Notes Notes ID.

[Figure 6-3 image not recoverable: Notes ID file and Notes certificate]
.6-3. Notes
, Notes ID. Person (), Server () Certifier ( ) Domino (Domino Directory).
Notes ID, , ,
Notes (/).
.
, Domino
Notes ID .
Notes , Notes ID .
,
Notes ID ,
.


. ID
Notes ID -. ; ,
Notes Notes ID.


Notes, ID
:
Notes.
Notes, ,
Notes Notes Domino. Notes ( ,
, Notes
). Notes.
Notes. . ,
, .
, . ID
(User ID), .
. Notes 4.6 , ,
.
. 5
Notes Domino ,
:
Notes ID ,
Notes 5 .

Notes
, ID Notes
: File () Security ()
User Security ( ) [ Macintosh
Notes Security () User Security ( )].
Notes ID Your
Identity ( ) Your Certificates ( ). Notes. Your Notes
Certificates ( Notes), .6-4, , Notes,
Notes Notes.


.6-4. Notes Notes ID, Your Notes Certificates ( Notes)

.6-5 Notes All Notes Certificates ( Notes)


Notes
All Notes Certificates ( Notes), .6-5, ID Notes, Notes, Notes (Notes CA),
.
, R5.0.
Notes ID
. ,
Notes, .6-5.
, Frederic Dahm/Switzerland/IBM,
Frederic Dahm, Switzerland/IBM.
; . , /Switzerland/IBM,
, , , IBM. , /IBM
IBM (
).

-
Domino Notes 5.0 x.509 v3. , 5 6, Notes , Domino 6, x.509 v3
Notes ID.
Your Internet Certificates ( -), All Internet Certificates ( -). All Certificates ( )
Notes x.509.v3. ( - ).


Notes ID, , Notes. Notes. , , Notes
ID ( .6-2) Notes ID.
, .
.
, , , . , , , ,


, . , ,
.


R5.0 Notes ID Notes .
, .
, , .

(ACL) . ,
,
.
, . , ACL
ACL , .
Notes,
5. , :
Notes/Domino , ;
Notes/Domino
, ;
Notes ID-,
.

6.1.4 Notes
Notes ID .
Notes ID
; .


, ID Notes , Notes ID .
Notes ID
.
Notes ID .
ID Notes
. ,
ID.


Notes ID, . , ,
ID.
Notes (
6) Notes ID,
ID
.



ID Notes
( ). 4 6 Notes.
, Notes .

30. .
Notes
.
4 5 . 6
, (, ,
, . .),
. .6-6.

.6-6. Notes
, ,
Notes.
. , ,
Cancel ().
,

. ( ,
, .)



ID Notes ID .
, Notes ID
( , ).
, , .
Notes ID , Notes ID ( , ) .

(, ).
, Notes ID . ,
Notes ID , ,
Notes ID . ,
, ID .

. ,
ID Notes ID Notes.
ID Notes .
Notes ID , Notes ID.
:
1. Domino Administrator Configuration () Certification ().
2. Edit Multiple Passwords ( ).
3. Notes ID, , Open ().
4. Notes ID ( ).
5. , Notes ID,
:
) Authorized User ( ).
b) New Password ( ).
c) Confirm Password ( ).
d) Add (). Notes ID.
6. , Notes ID.
, Notes ID.
7. OK.



Notes
,
. , , (, ,
).
Notes Domino Notes ID
.

; , . ,
. (, 3-%9&4#_6!), .
, - (, password), .
,
, , ,
. , , , , ,
.
Domino 5 ,
. Notes 5
.
:
. , Change Password ( ).
. , Change
Password ( ), (0 , 16 ).
, . ,
, .
,
(, ,
), Notes .
ID , , , ID-, Notes 6, Notes.


,
.
Domino 6 , . , , . ,
. ( Lotus Domino 6 Lotus Domino 6 Administrator Help.)
Domino 6, , ,
, ID.
,
Your
Password is Insufficiently Complex ( ).


4.5 Notes , 6.
, , , Person.
, Person .
50 , .
,
, . / , ,
.
, Lotus
Notes RSA. ,
- ,
ID .
Domino Directory , , ID-.
, Notes,
Domino 4.5 . , , 4.5, . , ,


,
. ,
, , ID
.

Notes ID Notes ID
Notes ID
5 6.
Notes ID, ,
Notes ID.
Notes ID , , ,
Notes ID .
ID. ID, -
, .
(Recovery Authorities) ( [Registration Authorities
(RA)], Notes ID, ( ) Notes ID.
, ,
ID.
Notes ID,
.
,
Domino, .
Notes ID ,
ID-. Notes ID , .
, , Notes ID, .
Notes ID ,
(,
- CD-ROM),
, , , , ,
, . .
Notes ID 4. Notes Escrow Agent ( ).
, , ,


Notes ID ( ) . ID.
, Notes . Escrow Agent ,
Notes ID, Notes ID , . ,
.
, , .

Notes ID
Notes ID .
,
, Notes ID, ID ,
.
ID
Lotus Domino 6 Lotus Domino 6 Administrator Help.

Notes ID
Notes ID Notes ID
, ,
Notes ID . (RA) Notes ID Notes ID.
, Notes ID .
Notes , Notes ID , ,
,
ID . Notes ID .
Notes ID
Lotus Domino 6 Administrator Help.

6.1.5 Domino
Notes ID ( ID ,
) Domino,
Notes, Domino (Domino Directory).
Domino Person , ,
, Notes.
.6-1 Person.


6-1 Person Domino

Basics ( )
Mail ()
Certificates ()
Administration ()

; ; ; ;
; ; -
; ; ; ;
Notes; ;
; ;
; (grace period);
; ; ;
; ;

;

[Figure 6-7 image not recoverable: Person documents for Acme in the Domino directory]
.6-7. Domino


. ID Notes,
, Person.
, Domino ,
ID Notes .
, Domino Server, , Person, .
, Domino Certifier. .6-7 , Domino
.

6.1.6 Domino
, Domino, , .
.
Domino Domino.
Domino Domino , Domino.
Domino , ,
. , Domino
.
.

6.1.7
,
,
. , , ,
, .

,
Domino ,
Domino . , .6-8, Acme
Widget .
, , , . ,
, ; , , .


[Figure 6-8 image not recoverable: Acme and Widget in one Domino domain]
.6-8.

,
Domino, .6-9.
Acme : Sprocket Widget. (
Acme), , Sprocket
Widget.
, / ,
, ( Domino)
. ,
Domino, 6,
, . ,
.

[Figure 6-9 image not recoverable: Acme, Sprocket and Widget organizations]
.6-9.


6.1.8 Notes
Domino : Notes- -. Notes
, -
.
Notes , . ,
, , .

Notes?
, ,

, .
,
(
, , ).
:
? , , - ,
.
Notes Domino .
.
,
().
, , Notes
. Domino
Domino. Domino
Notes
(Personal Address Books).
, .



. , :
( );
;
.
, ,
.

. ,
,

.
, , .
, . ,
.

, ,
.


(ACL) .


, , , Widget Acme, .
,
.
:
1. Acme (/Acme) Widget (/Widget)
Domino Acme.
2. Widget (/Widget)
Acme (/Acme)
Domino Widget.


(:
Acme Widget ). .6-10.

.
Cross-Cert

Acme

Widget


.6-10.


, .
, Acme Widget , ,
, .

, .
:

[Figure 6-11 image not recoverable: Acme and Widget servers]
.6-11. ()


1. Acme (Server/Acme) Widget (Server/Widget) Acme.


2. Widget (Server/Widget)
Acme (Server/Acme) Widget.
(:
Acme Widget ). .6-11.
.



.
, Acme Widget
, . Widget Acme
Acme, Acme , Widget,
Domino.
,
, Acme
Widget.
:
1. Acme (Server/Acme)
Widget (/Widget) Acme.
2. Widget (/Widget)
Acme (Server/Acme) Domino
Widget.

[Figure 6-12 image not recoverable: Acme and Widget]
.6-12.


(:
Acme Widget ). .6-12. Acme
Widget, Acme Widget.


Domino 6,
Lotus Domino 6.

6.1.9
.
, . 1, .
, 1. ,
, , , .
, ,
, , .
. , , , ,
, ,
.
, , .
, ,
. , . , ,
.
, . , Notes Domino.
:
-, Domino .
,
.
Notes, Domino.


,
. , ( ).
,
Notes Domino.
, Notes . ,
/ ID /,
.
Notes , ,
,
(PKI) Notes, , Notes.

. Notes ,
, Notes Domino.
,
, .

6.1.10 Notes
, Lotus Notes Domino
1352 TCP
Notes [Notes Remote Procedure Calls (NRPC)]. , ,
Domino Notes.


Notes
. , (validation), . ,
.
Notes
:
1. , Notes ID.
2. , , .
3. ,

.


1.
,
.
. ID ,
, .
, Notes ID ( , , ). .6-13.

[Figure 6-13 image not recoverable: Widget certifiers and the Notes ID file]

.6-13. Notes Domino


.
1. ,
Notes ID , Widget.
,
.
2. Widget Notes ID
. ( 1,
, Notes ID .)
3. Widget ( ,
Notes ID ) , /Widget . ( 2,
, , , .)


4. , Notes ID , .
5. /Widget, , , //Widget . ( 3, ,
.)
6. .
, .

2.
,
. . , ,
.
, , ,
, . , ,
. ,

[Figure 6-14 image not recoverable: Notes ID; steps 10, 11 and 12]

.6-14. Notes Domino

(, , ).
, , ,
, , , , , .
/
.
, ,
, .6-14.
, , , .
.
7. .
8. .
9. .
10. .
11. .
12. , , , .
, . /, .
, . RSA-
-. , , .


, , . ,
,
.
. Domino,
,
. [
(User Activity).] , . , 

. . . .



.
,
, . , -

.
, Domino, , , ,
, . ,
, .
,
. / .
.
,
Domino Notes
Domino.
1. Domino Administrator Configuration () Server ().
2. Security ().
3. Security Settings ( ) Allow anonymous
Notes connections ( Notes).
4. .
5. Anonymous () (ACL) , .
Reader (). Anonymous ACL,
Default ( ).
6. , .
, .
, ,
, :
Server X cannot authenticate you because: the servers Address Book
does not contain any cross-certificates capable of authenticating you.
You are now accessing that server anonymously. ( , : , . .)


6.1.11
, . (data integrity), .
, ,
,
[ (tampering)].
, ,
.
. ,
. ,
. , ,
, .

, Notes.

. ,
. ,
, .
, Notes,
RSA-, . , Lotus Notes, .6-15.

[Figure 6-15 image not recoverable: signing steps 1 and 3, digests d and e, comparison =?]
.6-15. Lotus Notes


.
1. Notes. Notes,
, Sign (), ( MD5)
( d digest).
2. Notes RSA-
( RC2), , RSA-
.
3. .
4. Notes RSA-
( RC2) ( d).
5. Notes
( MD5, d).
6. Notes ( d)
( d), ,
. ,
. , ,
.
, , Notes ,
, . Notes , .
:
1. , .
2. , .
, , .

6.1.12
, , (confidentiality). .
, , ,
[ ,
() ]
.
, , , , .
, , , ,
, .
. ,


, . : , . ,
T- , , . ( ,
, , .)
T-
, , , Notes.
Notes.
Notes . , Notes ,
. . Notes ,
. ,
. ,
Notes Domino ,
, . Notes RC2 RC4.

Notes.
Notes ID / . 5.0.4
, . , 512- RSA- 56- ,
, .
.

, Domino, Domino Administrator, Domino Designer, Lotus Notes (North American), (International) (France) Global () .
, .
, , -


. Notes .

Domino Notes,
ID. , .

. , (d 5.0.4 ).
.
Register New User ( )
ID. ,

. .
Lotus ,
.

. .

.
Lotus
, ,
,
.


, ID Notes Domino,
. .
ID.
, ID.
, , 5.0.4.
, Lotus Notes
ID.
. , .
5.0.4. 5.0.4 , , -


ID . ID .
5.0.4. Lotus Notes,
Domino, 5.0.4 , , . , , Notes Domino 5.0.4,
ID; . 5.0.4
ID,
ID. ID, ID.
ID , Notes Domino.
Notes Domino .

Notes ID
Notes ID. , .
1. Notes ID ( , Notes ID ,
), , , ( ID, ).
2. Notes ID , Notes
ID . Notes ID , , Notes ID , (, ).


, Lotus Notes , ,
. ,
Lotus Notes, .6-16.
,
. .
1. Notes
. Notes, , Encrypt (),


( ,
,
, Notes), .
2. Notes ( RC2) , ,
RSA- .

.6-16. Lotus Notes


3.
Notes.
4. Notes RSA- ( RC2)
. , , ,
.
5. Notes
( RC2), , .
:
Notes ( ,
Notes ID , , , ),
.
, , S/MIME, . S/MIME .


Notes
Notes, Lotus Notes
. , ,
.
ID
,
. , , ,
, , .


, .
. ,
,
.

.
File () Preferences () Ports () .

6.1.13 Notes PKI


Notes
(Notes PKI) , Notes Domino ,
, Notes, . PKI Lotus Notes, Notes
, ,
, PKI .
Notes Domino , , , Notes Domino
- ,
.


6.2
,
, , ,
. , ,
.
Notes, ,
.
PGP X.509. Domino X.509,
.
-
1996 . Domino 4.5.
Domino,
Domino 6.
, 11,
Domino/Notes 6.

6.2.1 -
, , -.
, .
,
STD RFC, . ,
, .
- IETF (Internet Engineering Task Force). ,
- (Internet Drafts),
[Requests for Comments (RFC)], [standards (STD)]
IESG (Internet Engineering Steering Group).

(STD)
, -, ,
(standards track). (Proposed
Standard), (Draft Standard) (Standard).
(Proposed Standard), ,
, , , , -


, . .
, .
,
, (Draft Standard).
, . , .
,
, - (Internet Standard).
- [ (Standard)] ,
-.
, -
, , .
- IP (Internet Protocol).
- STD . , STD1, .
STD RFC
RFC. STD , RFC, RFC . , ,
RFC, .

(RFC)
[requests for comments (RFC)] 1969 .

,
- UNIX-. RFC , - RFC. , RFC RFC 822,
(e-mail) .
RFC, IETF ,
RFC;
, RFC . RFC .
RFC , , , ,


, , (ANSI).
RFC .
, , ,
,
, . RFC.
RFC , 1 .
, RFC; , , ,
, ,
.

STD RFC
STD RFC , .
Web- IETF, URL-:
http://www.ietf.org
RFC :
http://www.ietf.org/iesg/1rfc_index.txt
. RFC , :
http://www.ietf.org/rfc.html
RFC RFC RFC
2026 The Internet Standards Process, Revision 3 ( -, 3).

STD RFC
RFC -. RFC
. ,
RFC.
,
,
RFC
.
. RFC, , RFC
1796, Not All RFCs are Standards ( RFC ), :
http://www.faqs.org/rfcs/rfc1796.html


, , Domino -, STD RFC.

6.2.2 (PKI)
, PKI ,
PKI.
PKI ,
, . PKI

, .
:
SSL (Secure Socket Layer);
S/MIME (Secure Multimedia
Internet Mail Extension);
IPSec (IP Security);
SET (Secure Electronic Transactions);
PGP (Pretty Good Privacy).
, ,
, .
(PKI),
.6-17, :
[End Entity (EE)];
[Certificate Authority (CA)];
[Certificate Repository (CR)];
[Registration Authority (RA)];
[Digital Certificates (X.509 V3)];
.

[End-Entity (EE)]
PKI
, .
, PKI ,
PKI. ( , , - ) , ( , ).

[Certificate Authority (CA)]


[Certificate Authority (CA)] ,
. ,

( ), (). , , (security domain), -


(CRL)

X.509

X.509


, ,

X.509

& CRL

.6-17. PKI
,
. :
, .


.

().
.

, , ,
, . (RA), . .
, . ,
, . , , ,
.
, ,
, , . , , . , , ,
.
, HTTP- SSL Web- ,
( Trusted Roots Trusted CAs), , ( ) VeriSign, Entrust,
Thawte, Baltimore, IBM World Registry . . Web- ,
CA,
, , CA- .
, , :
.
, , .
. RA, .
(,
, . .).
(). , . , .
. , .



. , ,
.



. . , CA
[Certificate Revocation List (CRL)].
, , CA . ,
, CRL .

(CR)
[Certificate Repository (CR)] CRL.
CR ,
PKI.
X.509 X.500,
CR (Directory),
LDAP (Lightweight Directory Access
Protocol), LDAP v3.
LDAP ,

CR CRL. LDAP
, , , bind, search
modify unbind. LDAP, CR, [ (Schemas)].
CRL,
CR, . ,
, CR,
,
CR. : , ,
, ( ),
. Domino
Domino (Domino Directory).

(RA)
[Registration Authority (RA)] . RA CA.
, RA, ,
CA CA. CA RA. , RA , , . RA
CRL.

6.2.3 X.509
(
) X.509.
,
, ITU-T X.509 ( X.509
CCITT).
X.509 -,
, , , :
SSL (Secure Sockets Layer);
S/MIME (Secure Multipurpose Internet Message Extension).

X.509?
X.509 X.500.
X.509 , .
.
X.509
. X.509 , , RSA .

X.509
RFC, [Privacy Enhanced Mail
(PEM)] , 1993 .,
X.509 v1 ( RFC 1422).
, RFC 1422,
, v1 v2

.
.
ISO/IEC/ITU ANSI X9 X.509 3 (v3). v3 v2 .
,
. v3 1996.

X.509
X.509 :
;
;
( );
( );
;
( );
: ;
2
3 ( 2);
2 3 (
2);

3 ( 3);

.
, , . X.509 V3 .6-18.
1 (ASN.1),
.6-19.
ASN.1,
ITU-T X.208 X.209. .
[object identifier
(OID)]. , .6-19 AlgorithmIdentifier signatureAlgorithm,
(OID)

X.509 V3
()

(
)
X.509 (
)
(/
)
X.500




1

.6-18. X.509
. IOD , (). , , OID, .

: Subject Unique Identifier . .


. .

Certificate ::= SEQUENCE {
tbsCertificate TBSCertificate,
signatureAlgorithm AlgorithmIdentifier,
signatureValue BIT STRING }
TBSCertificate ::= SEQUENCE {
version [0] EXPLICIT Version DEFAULT v1,
serialNumber CertificateSerialNumber,
signature AlgorithmIdentifier,
issuer Name,
validity Validity,
subject Name,
subjectPublicKeyInfo SubjectPublicKeyInfo,
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
extensions [3] EXPLICIT Extensions OPTIONAL
}
.6-19. X.509
1 (ASN.1)


, ,
Notes.
, -, , . S/MIME-, , ,
S/MIME- .
, Notes
- SSL.
Certificate , .
(leaf certificate)2 ( , )
.
( ,
). ,
.
, , . , Sales/Acme

Sales/ABC Fred/Sales/Acme. Fred/Sales/Acme


Fred/Sales/Acme.
, ,
Lotus Domino Administrator 6.
X.509 .
, , , Notes.
, ,
.

6.2.4 Web-
, .
, WWW,
HTTP (Hypertext Transfer Protocol). HTTP ,
( ) . , :
, ;
( URL-).
-
- Person, Domino , :
-, ;
.
, , (ACL) No Access ( ) ,
Domino .
,
, , Person , ACL .
.

TCP/IP SSL ( ). TCP/IP .
Web-, Web Domino, .

(Name-and-password authentication)
, ,
/,
,
Person Domino.
, Domino ,
- - . - -
Notes Domino , Domino Notes Domino , .
- -, ACL
Domino, Person Domino , , Domino LDAP. , Person,
, .
Domino Person ( ) .
. , Editor (), Author
(), Person.
(ACL) Editor, (Anonymous) Author.
TCP/IP,
SSL , - (LDAP, POP3,
HTTP, SMTP, IIOP IMAP).
HTTP
.6-20. .
1. ( , , GET HTTP).

1
2
3

.6-20. HTTP

2. , . , ( , Private
() 401 HTTP).
Web-
.
3. Web- , GET HTTP 1, , ID ( Base64).
4. , , .
, .
, , , URL, , URL- . , 401. , ID .
, ,
MIME- HTTP-:
Authorization : Basic <user ID and password block>
ID (user ID) (password block)
UserID:Password Base64.

, ID , , . ,
401 /,
ID .
ID
URL-, , , . Opera Mozilla,
Netscape Navigator Internet Explorer URL, .

401. , , ID , , , .
. -
. , HTTP , LDAP, TCP/IP, .

SSL, -

SSL SSL ,
SSL.

. ,
Domino SMTP-, Domino
SMTP- .
, Domino SMTP-,
SMTP- Domino.
, Domino Domino LDAP.
- (HTTP, LDAP, IMAP, POP3).

, Domino
-. Domino ,
Domino Java- IIOP Domino.


(Fewer name variations with higher security)
Fewer name variations with higher security . ,
, . , .6-2 Web- -.

6-2

Domino

CN=prefix

(,
Person,
1 first name)
- ( ,
- Person )

LDAP
DN
CN CN CN=prefix
UID UID UID=prefix

first name, : , name, , alice. . . .


(More name variations with lower security)
Domino
. , . .6-3
Web-.

6-3

Domino
(Last name)
(First name)
cn=prefix
()
()

(,
Person,
first name)
Soundex-13
- ( ,
- Person )

LDAP
(Surname)
(Given name)
(CN) CN CN=prefix
DN
DN
UID UID UID=prefix

HTTP,
, :
.
, .
, cookie.
, . cookie.

, ,
.
.


(
SSL-)
, 1

Soundex . . . .

.
, .
, , , .

SSL
SSL , , . SSL
.
SSL ,
, , .


Web- Domino [Domino Web Server Application Programming Interface (DSAPI)] (C API),
Web- Domino. , ,
Web-.
DSAPI Lotus Domino Notes.
:
http://www.lotus.com/techzone


(Session-based name-and-password authentication)
Web-, ,
.
, Web- cookie. , , Web Site Server.
,
:
. cookie, ,
,

cookie,
, Web.
Web- , cookies.


,
. , . .

HTML-
HTML- ,
.
. HTTP Unicode. US-ASCII.

. .
Domino HTML- ($$LoginUserForm),
Domino (DOMCFG.
NSF). , , . , , - -.


Web- .
, cookie, Domino , .

Web-, , , .
, URL- ?logout
, :
http://acmeserver/sessions.nsf?logout

URL-, :
http://acmeserver/sessions.nsf?logout&redirectto=/logoutDB.nsf/logoutApp?Open
http://acmeserver/sessions.nsf?logout&redirectto=http://www.sales.com
( ,
) URL-.


, , . ,
.

-
Domino 6 - . Lotus Domino 6 Lotus Domino 6.

. (round-robin) DNS,

(
).
DNS cookie . ,
,
, .

.


(Multi-server session-based authentication (SSO))
, single sign-on (SSO),
Web- Domino WebSphere
, Domino
WebSphere DNS, SSO,
().
Web- cookies,
(token)
cookie.
, , :

Domino (domain-wide
configuration document) Web SSO Configuration document. Domino .
Multi-server
Web Site Server.
Domino.
Single sign-on Domino.
Lotus, . 7,
.


- -
. Domino . , (log file)
(User Activity).
Notes, - - ,
. , ,
. Notes,
- - , .
TCP/IP SSL , LDAP, HTTP, SMTP IIOP. -, , . , SSL
HTTP-,
LDAP-, TCP/IP.

?
,
. , .
SSL, .

6.2.5 SSL (Secure Sockets Layer)


, , :
. ,

:
.
, - ,
, , Base64. , , . Base64 ,
, . , , , , HTTP-, ( , ) ,
.
, , .
, , : SSL (Secure Sockets Layer).
SSL ,
HTTP, ,
LDAP, POP3, HTTP, SMTP, IIOP IMAP.

SSL?

Netscape Inc., -
, . SSL , , , .

. SSL 3.0,
TLS (Transport Layer Security),
IETF. TLS RFC 2246: The TLS Protocol Version 1.0 ( TLS
1.0). Notes Domino TLS -
, SSL v3.
SSL 3, 1996 .,
, :
, , ;
,
, ;
, RSA;
( 3.0).

SSL
SSL:
(handshake),
;
(record protocol),
.

SSL
. 6-21 SSL. :
1. . ClientHello , SSL.
ClientHello
,
.

SSL

ClientHello

ServerHello

. 6-21. SSL

2. SSL , ServerHello
. ,
( ).
3. X.509,
.
, , :
4. .
5. .
, hello , -, ,
SSL , , (public key certificate). , (public key certificate).
, SSL (identity) -

SSL

ClientHello


ServerHello

Change cipher spec


( )

Change cipher spec


( )

. 6-22. SSL

(authenticity) . . 6.21 , .
, SSL. . 6.22.
(handshake)
,
. ,
SSL .
:
1. ClientHello
( ) .
2. , ,
ServerHello, .
3. , . ,
( . 6.22).
4. [ (pre-master) ], , , (
). , .
5. , ( 2) ( 4)
. ,
, SSL.
6. ( ChangeCipherSpec) , .
7.
.
, HTTP- SSL- .
..

. SSL-,
, SSL
, , ,
Web-, .

SSL
(master key),
.
,
. , , ,
. .
.
( ) ,
.
SSL . ,
message digest, MD5,
, , .
RC2 RC4, DES, Triple-DES IDEA.
, , X.509, , .
SSL
.
. .
. (
) ,
SSL.

SSL
,
Web- , .
:
?
?
?
- -?
?
Web-?
, , Web-?
,
, :
;

;
;
.


, Web-, ,
, , .
,
, .
, Web- SSL,
. SSL- URL http:// https://.
SSL- , . ,
.


.
,
().
,
[Certificate Authority (CA)],
. ( .)
, , . , (
),
.
Web- SSL . Web-
, .

,
-.
.
CA CA , , . ,
-,
.


Web- , , , Web-
. , , ,
.
( ),
, .
.6-21, SSL, SSL , . , ,
, .
. ,
,
[certificate authority (CA)].
? , SSL,
, (key ring file).
. .6-23 (
) Opera, .

. 6-23. Opera

, .
, - CA.
, .
, CA
( ).
, . , CA ,
, ,
, .

.
MIME, application/x-x509-ca-cert, CA,
CA. PKCS #7, URL-:
http://www.rsasecurity.com/rsalabs/pkcs/pkcs-7/
SSL , , , , ,
CA. ,
( CA, ).

. , -, ,
SSL-,
CA. , , ,
, ,
. ,
,
.


,
. , , . CA
, Web-
( ). ,
CA.

, ,
: CA ,
, , ,
, , .
. 6-24 ,
Opera , ,
SSL-.

. 6-24. , ,
:
, ;
;
,
.
, , . , CA ,
,
, CA.

. , -, ,
SSL-,
1, . ,
, ,
,
, .

, , VeriSign.
1

: draft-ietf-smime-ess. . . .


, , , ,
, .
CA .
online,
. -. , .
Netscape
, , (,
Mozilla, IE, Lynx . .).
Netscape <KEYGEN>, HTML,
. ,
( PKCS #10) . CA X.509 v3 MIME- ( PKCS #7), .
, Internet Explorer,
, IE
ActiveX (CERTENR3.DLL IE 3.0 XENROLL.DLL
IE 4.0). ActiveX /
PKCS #7 CA , Netscape.

6.2.6 Domino
(Certificate Authority)
PKI, , CA
, SSL. CA

(, S/MIME, ).
, .
Domino CA .
Domino 6
, X.509 ( SSL- S/MIME) IBM (IBM
Redpaper) The Domino Certification Authority, REDP ( Domino).

6.2.7

.
: ,

;

.
X.509 v3
SSL,
-, . , ,
,
, .
, , , , Lotus Notes - , Domino .
, - , .



-.

SMTP
SMTP (Simple Mail Transport Protocol)
,
DNS (Domain Name Service) Mail eXchange (MX)
.
, , SMTP.
SMTP, , . , SMTP, SMTP,
SMTP-.
SMTP 7- ASCII,
, ,
- , .

MIME
MIME (Multipurpose Internet Mail Extensions) , ASCII, .

, SMTP
,
, ASCII.
MIME ,
.
, , MIME,
Subject. .
From: frederic.dahm@ch.ibm.com
To: roger.guntli@ch.ibm.com
Subject: Map of Western Canada
MIME-Version: 1.0
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-ID:
Content-Description:
[JPEG data]
MIME,
, - . ,
, MIME ,
, ASCII.

POP
POP IMAP ( ) , .
POP (Post Office Protocol) 3 (POP3)
. , , 24 , 7 .
, , .
, ,
, , .
POP3 .
ID , , ,
, .

IMAP
IMAP4 (Internet Message Access Protocol, 4, (Interactive Mail Access Protocol))
,
.
, IMAP4, POP3,
. IMAP, ,
, , .
IMAP Web- , :
http://www-camis.stanford.edu/projects/imap/ml/imap.html


, , ,
.

SMTP
SMTP -
SMTP- .
, SMTP- ,
, , .
, , ,
. , , , SMTP. , , ,
SMTP-.
, , ,
.
, ,
, ,
. ,
SMTP-. SMTP- ,
- .
, .
SMTP- TELNET 25 ,
SMTP-, :

Telnet <SMTP host> 25


HELO foobar.com
MAIL FROM: <reverse-path>
RCPT TO: <forward-path>
DATA
SEND FROM: whatever.address@you.like

POP
POP3 - .
SMTP, POP3 POP3
. USER PASS

POP3 .
RFC 1725 Post Office Protocol Version 3.


,
T-, , .

POP

, , ,
S/KEY, GSSAPI, APOP Kerberos V4. .

IMAP
IMAP4 , ,
Kerberos V4.

SSL
POP3 IMAP4
SSL. , POP3 IMAP4.

SASL
SASL (Simple Authentication and Security Layer (SASL)) RFC 2222. . , SASL, .

SASL
( , SMTP
SASL).
Domino SASL LDAP. Domino SASL , SSL
LDAP .
.

SMTP (ESMTP)
ESMTP,
(Extended Services for Simple Mail Transport Protocol),
SMTP , SMTP SMTP
.
SMTP
[Internet Assigned Numbers Authority (IANA)]. SMTP
: SMTP TLS/SSL (Delivery Status notifications).

SMTP
SMTP,
SMTP (AUTH=LOGIN), . , SMTP (, SMTP- ).
, , base64.

SMTP SMTP SSL TLS


SSL TLS TCP-
. SSL TLS HTTP, , TCP.
TLS SSL ;
. MD5, TLS HMAC.
SMTP SSL TLS
. ,
.
SMTP-, , , SSL TLS ,
SMTP .

. SMTP Domino 6 SMTP,


SSL- TCP/IP.
SMTP, Lotus Domino Administrator
Lotus Notes :
1. Lotus Domino Administrator ( Domino Directory Notes) Configuration (). Messaging ( ), Configurations ().
2. Add Configuration ( ),
Edit Configuration ( )
Configuration ().
3. Router/SMTP (/SMTP),
Advanced (). SMTP, . 6-25.

. 6-25. SMTP
4. SMTP Domino.


SMTP SMTP ,
-.

, SMTP
.
, . SMTP, , SMTP
(/ /) /
. , .
,
SMTP

, , () - .
, ,
, MIME- ( ). : PGP S/MIME. PGP.

6.2.8 PGP
PGP (Pretty Good Privacy),
,
. 1 1991 . . PGP PGP
URL-:
http://www.pgp.com/
GnuPG (Gnu Privacy Guard),
PGP. IDEA,
- . GnuPG , RFC2440 (OpenPGP). 1.0.0 7
1999 . 1.2.2. GnuPG
. ,

(General Public License) GNU. GPG URL:
http://www.gnupg.org
GNU :
http://www.gnu.org/copyleft/gpl.html
1

: PGP (Phil Zimmermann). .: http://www.pgp.com/company/history.html. . . .

PGP .
, ,
, ,

.
, OpenPGP,
, X.509
. OpenPGP
URL-:
http://www.openpgp.org/
OpenPGP RFC2440, :
http://www.ietf.org/rfc/rfc2440.txt
PGP
, S/MIME
, .
S/MIME ,
Lotus Notes Lotus Domino.

6.2.9 S/MIME
S/MIME (Secure Multipurpose Internet Mail Extension)
, RSA
.
S/MIME , S/MIME 3. .
(draft-ietf-smime-cms; ftp://ftp.ietf.org/rfc/rfc2630.txt).
S/MIME 3 (draft-ietf-smime-msg; ftp://ftp.ietf.org/rfc/rfc2633.txt).
S/MIME 3 (draft-ietf-smime-cert; ftp://ftp.ietf.org/rfc/rfc2632.txt).
(draft-ietf-smime-crs; http://www.ietf.org/proceedings/98dec/I-D/draft-ietf-smime-crs-00.txt).
S/MIME (draft-ietf-ietf-ess1; ftp://ftp.ietf.org/rfc/rfc2634.txt).
Lotus Notes Domino 6 S/MIMEv3.

MIME
, . S/MIME
, : Triple-DES
1

: draft-ietf-smime-ess. . . .

RC2. RC2
, ,
RSA.

S/MIME
, S/MIME. , Notes Domino 6
S/MIME.
S/MIME :
;
();
;
S/MIME-
;
Netscape Messenger;
.
:
, , , ;
, ,
, ;
,
.


, , S/MIME ( )
. , , Notes
Notes PKI.
S/MIME- .
, , , , . , Notes, . 6-16 6-26.
,
. . 6.26 .
1. S/MIME- .

, , , ( ,
; , S/MIME-) .
2. ( Triple-DES, RC2)

. 6-26. S/MIME
, , 1 RSA- .
3.
SMTP.
4. RSA- ( RC2) . ,
, ,
.
5.
( Triple-DES, RC2,
,
), ,
.
, ,
X.509 , , .
. 6-26 , ,
1

: . .
.

S/MIME (digital envelope),



, .
, ,
. ,
.


, ,
S/MIME , . ,
. ,
,
Notes.

:
S/MIME ,
( , ), ( ,
). . 6-27.
.
1. S/MIME- . -

.6-27. S/MIME

=?

, , ,
( MD5 SHA-1) ( d
digest).
2.
RSA- ( RC2), ,
RSA- .
3. .
4. RSA-
( RC2)
( d).
5. ( MD5, d).
6.
( d) ( d), ,
. ,

() . ,
, () .
, , , , . ,
.
:
1. , .
2. , .
, (), ,
.

! ,
.
.
, , .
,
. S/MIME , . ,
RFC , ,
, .


, S/MIME
, ,
.
,
.
X.509 (
, ).
, .
, (CA),
, ? S/MIME
, (chain of trust). , , ( , CA ),
CA .
CA .
- CA ,
CA, .
, CA?
,
; CA ( , , ). :
1. .
2. .
3. CA, .
, , , CA,
.
,
,
, , ,
. , , , .
,
: .
, ,
. , ,
. ?

, ,
. , , ,
.
/ ? , S/MIME PKCS#12, .


, , S/MIME, S/MIME-.
(opaque), ,
MIME application/pkcs7-signature (/ pkcs7).
S/MIME
pkcs7-signature ( pkcs7). S/MIME , .
(clear), , MIME multipart/signed (/).
, application/pkcs7signature MIME. ,
MIME MIME application/pkcs7-signature.

S/MIME-

PKCS #12 .

. ,
S/MIME , S/MIME, / .
PKCS #12 / , S/MIME, . ,
Internet
Explorer CA VeriSign,
Outlook Express. Netscape Navigator,
Netscape Messenger.

S/MIME

S/MIME, X.509.
S/MIME
CA. ( ),
S/MIME , .
,
.
.
. 6-28 ,
, S/MIME .
S/MIME

1.

S/MIME

S/MIME

S/MIME

6.

(X.509/LDAP)


2.

3.

6.

5.

Web-

Notes

4.

Web-

2.

. 6-28. S/MIME-

Web-

Notes

, S/MIME-,
. 6-28, .
1. , S/MIME,
.
Web- .
2. )
. (
, ,
.)

) HTTP
( PKCS #10), Web- .

3. (CA) , . URL- ID
, .
4. URL-, ID .
5. , S/MIME.
6. )
. .

) , S/MIME.

S/MIME
,
S/MIME, .

. , , S/MIME, . , ,
S/MIME, .
LDAP
(, Four11,
Bigfoot, Switchboard . .).
, , S/MIME.

6.2.10 Lotus Notes 6 S/MIME-


Lotus Notes
CA ,
S/MIME-,
Notes. , Lotus Notes 6,
Domino Server 6 S/MIME.

S/MIME Notes R5.0


Notes, , Notes
Notes ID,
.
6 Notes ID, Notes,
X.509 v3. Web- ( Domino, ,
), Notes. , ID Notes.
Notes ID
Notes. , , . Notes X.509.
S/MIME- Notes
PKCS #12.
S/MIME
X.509 Notes ID.
, Notes, , Domino, ,
, , .
,
Domino.
, ,
. Notes . Lotus Notes 6 Domino (Domino Directory).

S/MIME-
Lotus Domino 6 , X.509 , , MIME
Notes ,
-. ,
. .

Notes S/MIME- :
directly to Internet ( ) Send outgoing mail ( ) Mail () Location ( . 6-29). , , MIME.
MIME format ( MIME) Format for
messages addressed to Internet addresses ( ,
-) Mail ()
Location. , -,
(Personal Address Book) Domino, S/MIME.
When receiving unencrypted mail, encrypt before storing in your mail file (
) Basics () Person . , , MIME.
,
Body

. 6-29. Location : Mail

Store contents as HTML and MIME ( HTML


MIME). Notes,
MIME ( Notes Person), MIME.
, S/MIME, X.509
Domino.
Notes ,
.
,

Delivery Options ( ) Encrypt (). , Notes.

. 6-30. : Mail
. Lotus Notes 6
File Security User Security ( ), Mail ()
(User Security) Encrypt mail that
you send ( , ), . 6-30.

S/MIME-

, .
, X.509 ID Notes.

Delivery Options ( ) Sign ().
File Security User
Security ( ), Mail ()
(User Security) Sign mail that you send
( , ).

S/MIME-
Notes .
, . .,
, Notes , , .
Signed By: Bob, at 10:52 AM, According To: TestCertAuthority.
, .
, .

. S/MIME-
.
.
, ,
S/MIME-. .
, X.509 .
S/MIME-
Actions Tools Add Sender to Address Book ( ). ,
. , S/MIME-,
.

6.3
, , , .
,
. X.509 ( , SSL)
(, S/MIME). , Notes Domino
X.509 , , Notes Domino.

7

(Single sign-on)
[single signon (SSO)] ,
. ,
, .
SSO:
, , , .
Web- The Open Group :
http://www.opengroup.org/security/12-sso.htm
,
( )
,
.

, .
:
.
,
.


.
SSO,
.
:

.
, ,
.
.
(user security
information) ,
, . ,
.
SSO:
, ;
(credentials)
;
, , ,
.
SSO , . . . SSO
.
(credentials), (accept) . (credentials)
C , , , SSO , WebSphere Lotus.
SSO,
IBM:
HTTP (HTTP headers);
Lightweight Third Party Authentication (LTPA);
X.509;
DSAPI.

7.1 SSO
SSO :
1. .
2.
.
3. (users credentials) ,
.
, SSO .
SSO , , .

7.1.1 SSO
, SSO
, SSO. ID [ (credentials)], .

( ), , ,
ID .
,
ID (credentials store),
(ID) - .
()? ,
logon- , . , , , .
? ,

.


, . , Notes Windows, Notes
, Windows
. Notes
Domino -. ,
, .


,
,
. , . , . . ,
. , - ,
,
(bind).

. Domino MD2-salted -
Person, (Directory Profile) Use more secure Internet
Passwords ( -).
( , IBM Tivoli Directory Server
MD5). , salt-.
(
, salted ). ()

, .


, .
(ID) , .
bind- LDAP, LDAP ID (credentials).
, , (bind) . ,
, -, ;
.
.
password IBM
Directory Server - [B@7a8ea817. ,
- Person
Domino? -, Domino
(log in) (bind) password, 355E98E7C7B59BD810ED845AD0FD2FC4. - LDAP,
([B@7a8ea817), Domino
.
,
, , ,
Notes Windows. ,
. (SSO) Web-.

7.2 LTPA
Lightweight Third Party Authentication (LTPA) IBM, cookies,

Web- Lotus, WebSphere Tivoli. ,
, DNS LTPA, . LTPA , cookie
.
LTPA , , , [Distinguished Name (DN)] a , ,
.
LTPA :
, LTPA, DNS.

( LDAP). Lotus Domino
( LDAP), IBM Directory Server, MS Active Directory
iPlanet.
, , cookies, .
, SSO
HTTPS-.
LTPA , IBM;
LTPA (
).
,
DNS, , LTPA.
LTPA cookie , cookies
RFC-2965, :
http://www.ietf.org/rfc/rfc2965.txt

RFC , () cookie
, DNS, , () cookie (). -, DNS,
.
DNS . ,
cookie LTPA ,
. ,
DNS , cookie
, LTPA, . , Domino alpha.com, beta.com ,
iNotes iframe, Domino R5
,
, beta.com. Domino 6 beta.com Internet Site. ,
Domino beta.com DNS.
, , HTTP DIIOP ( IBM WebSphere), Domino . ,
,
Web- SSO (Web SSO Configuration)
Domino .
,
, .
LTPA WebSphere.
WebSphere , Lightweight Third Party Authentication
(LTPA), Domino R5.0.5 . Domino WebSphere

WebSphere Web- SSO (Web SSO
Configuration). LTPA WebSphere WebSphere.

. , WebSphere Lotus, Tivoli,


, LTPA WebSphere
.
WebSphere , Domino
, WebSphere. , Domino SSO, 20- , SHA-1, . LTPA Domino
server only ( Domino) LTPA WebSphere.

7.2.1
LTPA
. ,
, Web-
. , , :
1. () LTPA ,
.
2. () LTPA, HTTP
.

LTPA ()
. LTPA , LDAP, , cookie LTPA. ,
LDAP (trusted third party),
: ( )
(Third Party Authentication).
(ID) LTPA,
LDAP. LDAP ,
- . , , . LDAP
Web- ( ) LTPA
cookie . cookie
HTTP- , cookie . , cookie, , (Lightweight). LTPA . 7-1.

7-1. LTPA

CookieName ( cookie)
CookieValue ( cookie)
LtpaToken ( LTPA)
AuthenticationToken ( )

Digital Signature ( )

LtpaToken ( LTPA)
Base64 ( LTPA)
( ,
) 3DES
+%+
+%+ Base64
( )
( ,
)
LTPA ( RSA/SHA1)

. 7-1

PrivateKey-ltpa ( LTPA)

SharedKey ( )

UserData ( )
TokenExpirationDate (
)

(
,
) LTPA
;
LTPA
/
3DES,
LTPA /
,
$ ( , uid:+ID )
,
. (
,
(00:00:00)
1 1970 .)

, . ( Domino) , ( WebSphere).

() LTPA
LTPA,
Web-. Web-, , () ( LTPA) .
, .
Domino,
LTPA, WebSphere:
Base64,
( WebSphere), ,
, .

7.1
06/09/2003 05:53:39.53 PM [03071:00010-106510] SSO API> Decoding sphere style Single Sign-On token (LTPA).

Web-

06/09/2003 05:53:39.53 PM [03071:00010-106510] SSO API> Dumping memory of encoded token [364 bytes].
00000000: 6C71 3150 4847 4536 3576 597A 6154 7878 'qlP1GH6Ev5zYTaxx'
00000010: 6F5A 534D 4262 6D70 3746 4643 6B56 3172 'ZoMSbBpmF7CFVkr1'
00000020: 5146 7045 5762 756E 6467 4532 6C68 314B 'FQEpbWnugd2EhlK1'
00000030: 3138 6E47 5164 5A41 634C 3965 3258 386C '81GndQAZLce9X2l8'
00000040: 2B7A 7239 7263 7976 5537 6332 4957 4F44 'z+9rcrvy7U2cWIDO'
00000050: 3755 4677 586D 2B6B 3768 7A31 3767 6976 'U7wFmXk+h71zg7vi'
00000060: 3672 5949 4672 7566 4C4D 636E 6236 665A 'r6IYrFfuMLnc6bZf'
00000070: 6E63 6A43 6246 4476 7159 476A 2F72 5445 'cnCjFbvDYqjGr/ET'
00000080: 6742 6C57 7779 7457 3671 6632 7467 3978 'BgWlywWtq62fgtx9'
00000090: 4947 6D71 4674 6643 7470 716D 6E56 5863 'GIqmtFCfptmqVncX'
000000A0: 6C43 5A4A 5050 4E48 4733 336E 6F69 757A 'ClJZPPHN3Gn3iozu'
000000B0: 4562 3777 475A 6136 3362 5138 6C4D 7554 'bEw7ZG6ab38QMlTu'
000000C0: 5475 7166 7438 5971 5269 5736 4949 6238 'uTfq8tqYiR6WII8b'
000000D0: 5839 6578 6552 714F 6378 6A35 4663 6435 '9XxeReOqxc5jcF5d'
000000E0: 4343 4E69 3076 4A6D 4372 686A 306C 6A51 'CCiNv0mJrCjhl0Qj'
000000F0: 4F57 6142 5955 7634 7771 3838 5A57 3230 'WOBaUY4vqw88WZ02'
00000100: 6F42 7671 3939 7231 5765 3068 4753 596B 'Boqv991reWh0SGkY'
00000110: 7A63 5862 4D31 4A4B 314E 4F6B 3576 4337 'czbX1MKJN1kOv57C'
00000120: 7449 654A 5253 3577 477A 4352 384D 684C 'ItJeSRw5zGRCM8Lh'
00000130: 6665 4E43 7365 504C 6B2B 7258 5157 7343 'efCNesLP+kXrWQCs'
00000140: 5866 3741 576C 534C 4630 6941 3035 6C76 'fXA7lWLS0FAi50vl'
00000150: 3247 356E 5076 2B68 4968 2F64 6955 3442 'G2n5vPh+hId/UiB4'
00000160: 5065 4F6F 324C 476D 3958 3D30 'ePoOL2mGX90='
06/09/2003 05:53:39.55 PM [03071:00010-106510] SSO API> Dumping memory of encoded token before decryption step [272 bytes].
00000000: 53AA 18F5 847E 9CBF 4DD8 71AC 8366 6C12 '*Su.~.?.XM,qf..l'
00000010: 661A B017 5685 F54A 0115 6D29 EE69 DD81 '.f.0.VJu..)min.]'
00000020: 8684 B552 51F3 75A7 1900 C72D 5FBD 7C69 '..R5sQ'u..-G=_i|'
00000030: EFCF 726B F2BB 4DED 589C CE80 BC53 9905 'Ookr;rmM.X.NS<..'
00000040: 3E79 BD87 8373 E2BB A2AF AC18 EE57 B930 'y>.=s.;b/.,Wn09'
00000050: E9DC 5FB6 7072 15A3 C3BB A862 AFC6 13F1 '\i6_rp#.;Cb(F/q.'
00000060: 0506 CBA5 AD05 ADAB 829F 7DDC 8A18 B4A6 '..%K.-+-..\}..&4'
00000070: 9F50 D9A6 56AA 1777 520A 3C59 CDF1 69DC 'P.&Y*Vw..RY<qM\i'
00000080: 8AF7 EE8C 4C6C 643B 9A6E 7F6F 3210 EE54 'w..nlL;dn.o..2Tn'
00000090: 37B9 F2EA 98DA 1E89 2096 1B8F 7CF5 455E '97jrZ.... ..u|^E'
000000A0: AAE3 CEC5 7063 5D5E 2808 BF8D 8949 28AC 'c*ENcp^].(.?I.,('
000000B0: 97E1 2344 E058 515A 2F8E 0FAB 593C 369D 'a.D#X`ZQ./+.<Y.6'
000000C0: 8A06 F7AF 6BDD 6879 4874 1869 3673 D4D7 '../w]kyhtHi.s6WT'
000000D0: 89C2 5937 BF0E C29E D222 495E 391C 64CC 'B.7Y.?.BR^I.9Ld'
000000E0: 3342 E1C2 F079 7A8D CFC2 45FA 59EB AC00 'B3Bayp.zBOzEkY.,'
000000F0: 707D 953B D262 50D0 E722 E54B 691B BCF9 '}p;.bRPPgKe.iy<'
00000100: 7EF8 8784 527F 7820 FA78 2F0E 8669 DD5F 'x~...R xxz./i._]'
06/09/2003 05:53:39.55 PM [03071:00010-106510] SSO API> Dumping memory of encoded token after decryption step [271 bytes].
00000000: 3A75 7375 7265 3A5C 7469 6F73 6573 2D63 'u:user\:itsosec-'
00000010: 646C 7061 632E 6D61 692E 7374 2E6F 6269 'ldap.cam.itso.ib'
00000020: 2E6D 6F63 5C6D 333A 3938 552F 4449 443D 'm.com\:389/UID=D'
00000030: 6948 6B6E 656C 4F2C 3D55 7250 646F 6375 'Hinkle,OU=Produc'
00000040: 6974 6E6F 6F2C 723D 6465 6F62 6B6F 2C73 'tion,o=redbooks,'
00000050: 3D63 7375 3125 3530 3235 3831 3733 3138 'c=us%10552183781'
00000060: 3635 4125 4274 4669 5238 3748 4858 6C4F '56%AtBiF8RH7XHOl'
00000070: 7A47 554F 5645 3575 7456 4172 597A 765A 'GzOUEVu5VtrAzYZv'
00000080: 6756 314E 5374 6548 3671 7573 554E 6872 'VgN1tSHeq6suNUrh'
00000090: 4E4B 3537 6632 6442 6A35 3161 6969 3479 'KN752fBd5ja1iiy4'
000000A0: 2F65 5868 7261 5A7A 4D6A 5977 6E6F 715A 'e/hXarzZjMwYonZq'
000000B0: 7868 2B43 4142 7434 7A52 5764 4B33 4E6A 'hxC+BA4tRzdW3KjN'
000000C0: 3044 6471 4B55 4C48 7450 5772 7150 2B48 'D0qdUKHLPtrWPqH+'
000000D0: 4655 7A33 4469 4F75 3261 4B4A 7349 5855 'UF3ziDuOa2JKIsUX'
000000E0: 6A69 684A 5567 594D 4335 6266 3335 3256 'ijJhgUMY5Cfb53V2'
000000F0: 6263 7034 4657 6851 6A35 7152 7636 3641 'cb4pWFQh5jRq6vA6'
00000100: 6339 4662 4441 5A58 7248 744D 414A 3D '9cbFADXZHrMtJA='
06/09/2003 05:53:39.56 PM [03071:00010-106510] SSO API> -LDAP Realm = itsosec-ldap.cam.itso.ibm.com\:389
06/09/2003 05:53:39.56 PM [03071:00010-106510] SSO API> -Username = UID=DHinkle/OU=Production/o=redbooks/c=us
06/09/2003 05:53:39.56 PM [03071:00010-106510] SSO API> -Expiration Ticks = 1055218378666 [06/10/2003 12:12:58 AM].
06/09/2003 05:53:39.56 PM [03071:00010-106510] WebAuth> LOOKUP in view $Users (user='UID=DHinkle/OU=Production/o=redbooks/c=us')
, Domino
, ,
LTPA WebSphere. Domino LTPA:
, ;
( LDAP);
/ .
, WebSphere Domino / , , (PKI)

Domino
WebSphere.
LTPA WebSphere-Domino . ,
.
, ,
(
) - (brute force cracking). WebSphere ,
, .

7.2.2
LTPA
. [distinguished
name (DN)] LDAP, . DN [ ,
(ACL) Domino], , LTPA, ,
.
Domino 6, 6.0.2 , , LTPA (DN)
( ). LTPA
( ), LDAP (DN), ,
Domino.
, Domino HTTP-, LTPA.

, . LDAP
Domino ,
. , .

Domino 11.9.4, Domino.
Domino Tivoli WebSeal
Tivoli Access Manager
, .

7.2.3 LTPA
LTPA ,
, LDAP.
Lotus- search filters
base dn 75% LDAP-
.
(search
filters) ,
:
Domino Directory Assistance;
Sametime;
QuickPlace;
global security ( ) WebSphere Application Server.
Sametime . 7-1.

. 7-1. LDAP Sametime

LTPA Domino
, LDAP,
LTPA , .
NOTES.INI , (Single Sign-On). ,
Web SSO Configuration, , ,
DEBUG_SSO_TRACE_LEVEL=1. ,
, ,
DEBUG_SSO_TRACE_LEVEL=2.

. Domino 6 SSO (Web,


POP . .), , -. ,
SSO Domino 5/6, ,
5 Internet Site. , Domino 6
R5 Web config, SSO
. SSO Domino 6
, Web 5. Internet Site.
:

1. , Domino 6 Basics
(Disabled) -.

2. SSO, Domino . Create Web (R5)


[ Web (R5)...] SSO Configuration ( SSO),
LTPAToken.

3. (Organization name) Web


SSO ( -).
, SSO - .

7.3 X.509
X.509
SSL, LDAP.
, , LDAP,
.

,
(CA), . .
, X.509 , X.509
: - ( ), -
(). , , X.509
.
, X.509 ( )
, ,
. , Internet Explorer X.509 Windows.
. - , , ,
, , - , .
LDAP, ,
, (
X.509). , X.509 Web-, X.509.
LDAP CA,
, SSL-
(), .
LDAP ()
LDAP, . ,
X.509,
- (PKI),
X.509, LDAP (),
() .
SSL- Web-
X.509 SASL (Simple Authentication and Security
Layer).
.
.
, SASL , SASL External ()
X.509. SASL RFC-2222,
:
http://www.ietf.org/rfc/rfc2222.txt


, LDAP
. LDAP,
X.509
Lotus .

7.3.1
,
, .
, .
,
SASL X.509v3.
SASL
, [
(userid)] .
LDAP LDAP,
:
1. LDAP
:
(DN), ;
;
- (), ,
;
SASL, LDAP SASL.
2. , .
3. - LDAP
LDAP.
4. SASL, ,
SASL. SASL ,
.
5. SASL (=EXTERNAL) SSL , , , CA

. , ldap_sasl_
bind, NULL, LDAP (DN), -

X.509v3 . ( DN NULL),
.
6. Simple (),
, DN ,
, .
7. DN (DN)
, , . DN
NULL LDAP_AUTH_NONE .
8. , .

7.3.2
X.509 SSL- ,
, . DN , .
, DN
, .
SASL , - (proxy authorization),
.
, (DN) ,
. , . , LDAP-
DN, , LDAP
(DN) .

7.4 DSAPI
Web- Domino [Domino Web
Server Application Programming Interface (DSAPI)]
(C API), Web- Domino. DSAPI, , , HTTP-
. DSAPI SSO, , Domino SSO.
, - IBM Lotus
, Web- 

: SASL-. . . .

DSAPI
Domino 6. Web- IBM.
DSAPI HTTP- ,

Web- Domino.
. HTTP
DSAPI o , DSAPI
, .
StartRequest 13 , DSAPI. , .
DSAPI , ()
. ,
, . .7-2
, DSAPI HTTP- Domino Web-.

DSAPI


( R5)


TCP/IP

Web- Internotes

CGI

.7-2. - Domino 6
, . HTTP . (
)
.
,
.

.
, (, Filter Init Data, ). HTTP,
, :
: HTTP .
HEAD: HEAD , .
GET: GET
( ), Request-URL (URL-).
POST: POST , , , , Request-URL Request-Line (-).
PUT: PUT ,
Request-URL.
DELETE: DELETE , , Request-URL.
TRACE: TRACE.
CONNECT: CONNECT.
OPTIONS: OPTIONS.
UNKNOWN: .
BAD: . .
.

kFilterStartRequest
, , HTTP . . ,

, .
pEventData , NULL. , , kFilterHandledEvent.

kFilterRawRequest
, , , HTTP. ,
, . ,
HTTP. pEventData FilterRawRequest.

kFilterParsedRequest
, , , HTTP HTTP. , , kFilterRawRequest, HTTP
HTTP , -
. . pEventData FilterParsedRequest. ,
.
HTTP. kFilterRawRequest.

kFilterRewriteURL
, , URL-
. URL- URL-, DSAPI
, , . pEventData FilterMapURL. , FilterMapURL , kFilterTranslateRequest kFilterPostTranslate.

kFilterAuthenticate
, HTTP .
, HTTP . pEventData .

kFilterUserNameList
, HTTP
. , . kFilterAuthenticate. , Domino ,
, ( ). pEventData HttpEventProc FilterUserNameList.

kFilterTranslateRequest
, HTTP URL-
.
, . pEventData
FilterMapURL.

kFilterPostTranslate
, kFilterTranslateEvent. , . , . . pEventData FilterMapURL.

kFilterAuthorized
,
.

. pEventData FilterAuthorize. .
, ServerSupport kGetAuthenticatedUserInfo.
, .
, isAuthorized FilterAuthorize
0. kFilterHandledRequest, kFilterHandledEvent. DSAPI HTTP .

kFilterProcessRequest
HTTP. .
. pEventData FilterMapURL.

kFilterEndRequest
,
, HTTP. pEventData NULL.

kFilterAuthUser
kFilterAuthenticate,
DSAPI. Web-. pEventData FilterAuthenticate.
kFilterAuthenticate.

Web-,
. DSAPI , Domino
. DSAPI ,
,
, Web- Domino, , Domino .
, eventData
FilterAuthenticate.
1. .
eventData authName , eventData
authType kAuthenticBasic kAuthenticClientCert, kFilterHandledEvent.
2. ,
Domino .
kFilterNotHandled.
3. ,
Domino
.
eventData authType kNotAuthentic, kFilterHandledEvent.

kFilterResponse
, HTTP HTTP
. . DSAPI. pEventData FilterResponse.

kFilterRawWrite
, HTTP HTTP
. .
DSAPI. pEventData
FilterRawWrite.

SSO kFilterAuthenticate, kFilterUserNameList kFilterAuthorized. ,
kFilterAuthenticate kFilterAuthUser,
5, Domino 6 . DSAPI kFilterAuthenticate.


DSAPI Lotus C API Toolkit,
:
http://www.lotus.com/ldd
DSAPI (shared library) UNIX
DLL- Win32. DSAPI Domino.
, API Notes
Domino .

. , API Lotus
Domino 6 , , ,
6., Domino. Domino R5
R5 Domino 6, R5.x.
DSAPI ,
Domino API ID .
, . Domino HTTP, FilterContext. ,
, . FilterContext
privateContext, . , , privateContext.
AllocMem
. , AllocMem, , . , ,
.
Server
DSAPI Internet Protocols (-) HTTP table ( HTTP). ,
Domino;
. ,
.

DSAPI LTPA
API Domino 6 LTPA
:

SECTokenValidate LTPA SSO;


SECTokenGenerate LTPA SSO.
LTPA,
, LTPA.

7.4.1
DSAPI Web-
Domino . Domino LDAP,
cookie - .
,
. DSAPI.
. , DSAPI
, .
, .

7.4.2
DSAPI
Domino.
,
HTTP, DSAPI.
,
authname .
. 1 kFilterAuthUser.

7.5 HTTP
ID Domino 6 HTTP,
Web- Domino.
WebSphere Application Server plug-in (
WebSphere) Domino, , , (plug-in) [Trust Association Interceptor (TAI)]
WebSphere, Domino,
notes.ini, HTTP Domino HTTP ID , WebSphere. SSO HTTP-.
HTTP-,
Domino, Microsoft IIS IBM HTTP Server, Domino 6
Apache iPlanet.

HTTP
Domino, NOTES.INI :
HTTPEnableConnectorHeaders=1
HTTP Domino , WebSphere IIS
IBM HTTP Server. .
HTTP Domino
, NOTES.INI . .
, HTTP- Domino
; Domino , HTTP . , HTTP- HTTP Domino , HTTP-
Domino 80/443. SSO
HTTP- Domino.

7.5.1
HTTP Domino,
HTTP-.

7.5.2
Domino HTTP , Web-. (ACL) Domino - , .
Notes , , .

Domino
, URL- Domino.
, ,
(reader) (writer).
, , hide when ( ) Domino, . Domino -

(ID UNID), URL-.


HTTP
Notes Notes. Notes , ACL Domino,
(ACL) Domino,
.
, Domino LDAP Notes, 11.9.4, Domino.

7.6
( )
SSO. 4,
.
SSO, , Domino, Lotus Domino Lotus Sametime,
WebSphere.
SSO LTPA, .
, ,

, .7-3.
1- ().
(2) (3)
LTPA. LTPA (4),
(5).
, LTPA
, , .7-4.

Domino (1). , Domino ,
LTPA,

(2 & 3). Domino LTPA (4). Domino LTPA ACL LTPA (5). ,

, Domino (6),
.
,

WebSphere

5- LTPA
1-
Web-

WebSphere

4- LTPA

3-

2-

.7-3. SSO LTPA


WebSphere

2-
1- Domino
Web-

7- Domino
Domino

3- LTPA

WebSphere

4- Domino
( LTPA)
6- Domino

5- ACL

Lotus
Domino

LDAP

.7-4. Domino SSO LTPA


. , ACL,
Domino. ACL , ,
.


WebSphere

2-
1-
Web-
Web-

7-
Web-
( )

3- LTPA

WebSphere

4-
( LTPA)
6-

5- ACL

Lotus
Sametime

8-
9- LTPA?
10- LTPA
11-

.7-5. , Sametime SSO -


LTPA
, .7-5 SSO LTPA.
Web- Sametime (1).
, (meeting)
Sametime , LTPA, (2 & 3).
Sametime LTPA (4). Sametime LTPA ACL
LTPA (5). , , Sametime (6), Web- (7).
,
, Sametime
(8), (9).
LTPA (10) (11).
,
, .

7.7
SSO Lotus Lotus Domino.
.
LTPA ,
IBM Lotus, WebSphere Tivoli Access Manager. , ,
. Domino (Domino's Directory Assistance) ,
Domino.
X.509 , ,

.
.
DSAPI , , Domino.
DSAPI .
HTTP ,
; , HTTP- Domino
.
(Enterprise Access Management), Web-.
, SSO , :
1. SSO, ,
IBM. , DSAPI, HTTP.
2. SSO

IBM.
LTPA.
3. SSO,
.

. (identity management) Tivoli IBM.

8


LDAP. ,

, (credentials)
.
.

8.1
,
, . ()
, .
, , , .
, . ,
, . ,
, .
, .
, ( ) , ( ).

, .
,
, . , ,
. IBM Directory Server, DB2.
. , ( )
, . ,
, .

8.1.1 LDAP
LDAP . LDAP
, X.500 [Directory Access Protocol (DAP)] X.500,
Lightweight DAP, LDAP (j ).
-,
LDAP TCP/IP- 389 636, SSL.

LDAP IETF, :
RFC-1777 c LDAPv2;
RFC-2251 LDAPv3: LDAP 3;
RFC-2252 LDAPv3: ;
RFC-2253 LDAPv3: UTF-8 ;
RFC-2254 LDAP;
RFC-2255 URL LDAP;
RFC-2849 LDAP [LDAP Data Interchange Format
(LDIF)].
,
(partitioned) (replicated);
. ,
. , - . LDAP (LDAP referrals). LDAP LDAP , , ( ) . , . ,
.
LDAP
IBM:
IBM Redbook Understanding LDAP, SG24-4986
IBM Redbook LDAP Implementation Cookbook, SG24-5110
IBM Redbook Using LDAP for Directory Integration: A Look at IBM SecureWay Directory, Active Directory, and Domino, SG24-6163
IBM Redbook Implementation and Practical Use of LDAP on the IBM e-server iSeries Server, SG24-6193
IBM Redpaper, LDAP Directory Services in IBM WebSphere Everyplace Access V4.1.1, REDP3603

8.2

.
, , .
, , , :

299

, LDAP (: Domino, IBM Directory


Server, Microsoft Active Directory, Netscape/iPlanet/SunONE,
Novell NDS);
X.500 (: Syntegras Aphelion/CDCRialto, Bomara/Isocor Global Directory Server, Nexor Directory);
(: PeopleSoft HRMS, Siebel ERM, JD Edwards, Oracle HRMS);
(: Siebel CRM,
Microsoft CRM, PeopleSoft CRM, Oracle CRM);
, ( , Oracle, DB2,
SQL Server);
;
(: XML, SAML, LDIF
SOAP);
, , LDAP;
;
(: ).
, .
, ,
,
.

8.2.1
(attributes) . . (authoritative
source) , , ,
.
,
:
: . ,
, , ,
, , . .
: , - . , ,
, .

300

: , .

( - ).
: RFC-822- (SMTP) T-.
SMTP-,
. , - .
, .
, , T- .
, name () ( ,
, ).
, . , , , , . ,

, , ,
. ,
. , .
. ,
.
, . , ,
,
-. , ,
, . ()
, . .

8.2.2
() (point of control) , . -

301

, . .
.
, ,
, . .

.
,
, .
. , . ,
.

.
,
, , .
, . ,
.

8.2.3
, (
) ( ).
. , , ,
.
, .
, , ;
, , .
,
.

, ,
,

302

. , ,
.
,
, . , . ,
,
. ,
1,

2 . . , ,
, , .
(), .
, ,
, .

8.3

.
. ,
, .
. , , .

7, (Single sign-on).
.
:
: , ;
: ;
: ;
: .

8.3.1
.

(), .

303

, ,
,
, . , [application programming interface (API)], LDAP, .
. . , . , , -.

8.3.2
. LDAP,
LDAP , .
LDAP, , .
, (person), (organization), (organizational unit), (domain component)
(groupOfNames). , , ? (top), ,
() . , LDAP . , organizational
unit top,
, .
LDAP , MUST ( ) MAY ( ).
, . LDAP
.
, , ,
.
, LDAP, :
objectclass: top
objectclass: person
objectclass: organizationalPerson

304

objectclass: inetOrgPerson
objectclass: eDominoAccount
, , , . top , , . ,
, top . LDAP ,
top, [Access Control Lists (ACL)] .
person top ,
cn (Common Name) sn (Surname), . organizationalPerson person. inetOrgPerson organizationalPerson. : eDominoAccount
top , sn userid. , person sn.
, c sn ? ,
. .
,
.
? ( LDAP ) . LDAP V3 RFC-2251 RFC-2252.
IBM Directory Server, , OpenLDAP.

objectclass: top
objectclasses=( 2.5.6.0 NAME 'top' DESC 'Standard ObjectClass' ABSTRACT
MUST ( objectClass ) )

objectclass: person
objectclasses=( 2.5.6.6 NAME 'person' DESC 'Defines entries that
generically represent people.' SUP top STRUCTURAL MUST ( cn $ sn )
MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )

objectclass: organizationalPerson
objectclasses=( 2.5.6.7 NAME 'organizationalPerson' DESC 'Defines entries
for people employed by or associated with an organization.' SUP person
STRUCTURAL MAY ( title $ x121Address $ registeredAddress $
destinationIndicator $ preferredDeliveryMethod $ telexNumber $
teletexTerminalIdentifier $ internationalISDNNumber $
facsimileTelephoneNumber $ street $ postalAddress $ postalCode $
postOfficeBox $ physicalDeliveryOfficeName $ ou $ st $ l ) )

305

objectclass: inetOrgPerson
objectclasses=( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'Defines
entries representing people in an organization's enterprise network.' SUP
organizationalPerson STRUCTURAL MAY ( audio $ businessCategory $
carLicense $ departmentNumber $ employeeNumber $ employeeType $ givenName $
homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledURI $ mail $
manager $ mobile $ pager $ photo $ preferredLanguage $ roomNumber $
secretary $ uid $ userCertificate $ userSMIMECertificate $
x500UniqueIdentifier $ displayName $ o $ userPKCS12 ) )

objectclass: eDominoAccount
objectclasses=( 1.3.18.0.2.6.122 NAME 'eDominoAccount' DESC 'Represents a
Domino account.' SUP top STRUCTURAL MUST ( sn $ userid ) MAY (
certificateExpirationDate $ certifierId $ certifierPassword $ clienttypereg
$ createAddressBookEntry $ createFullTextIndex $ createIdFile $
createMailDatabase $ createNorthAmericanId $ createNotesUser $ description
$ fullName $ givenName $ idFilePath $ idtype $ initialPassword $
initialPopulation $ internetAddress $ l $ localadmin $ location $ mail $
mailDomain $ mailFile $ mailFileOwnerAccess $ mailFileTemplate $
mailProgram $ mailServer $ mailSystem $ middleName $ minPasswordLength $ ou
$ overwriteaddressbook $ overwriteidfile $ principalPtr $ profiles $
proposedaltcommonname $ proposedAltFullNameLanguage $ proposedAltOrgUnit $
registrationServer $ saveIdInAddressBook $ saveIdInFile $ setDbQuota $
setWarningThreshold $ shortName ) )
, ,
.
OID (object identifier). OID (NAME),
(DESC).
, [SUP (superior)] .
, , (MUST), (MAY).
OID , . OID ,
[International Organization for Standardization (ISO)] (Web- ISO
http://www.iso.ch/) [International Telecommunication Union (ITU)] (Web- ITU
http://www.itu.ch/). ISO ITU OID
OID.
OID

306

. OID,
, ASN.1 (Abstract Syntax Notation).
, OID .
( , 1.3.4.7.4.17)
(,
1.3.4.7.4.17.1, 1.3.4.7.4.17.2, 1.3.4.7.4.17.3 . .).
(branch) (root) (vertex) OID.
(arc) ( 1.3.4.7.4.17). [ (subarc)], ,
OID . , OID (vertex) (arc) (root) branch (), LDAP
X.500.
LDAP,
LDAP ( LDAP), ,
.oc. , , eDominoAccount, , IBM Directory Server. , IBM OID 1.3.18.0.2;
, IBM. :
1 ( OID, ISO)
1.3 ( ISO )
1.3.18 (IBM)
1.3.18.0 ( IBM)
1.3.18.0.2 ( IBM)
, (dot notation),
IETF IP-,
OID. , IP-,
OID .
,
.
, , , ( LDAP ). ,
OID ISO, IANA -

. OID,
- - . OID

307

. , (, ) ,
OID. OID ( IP-,
); OID ,
OID, OID .. OID .
, ; OID , .
(arc)
, () Web IANA :
http://www.iana.org/cgi-bin/enterprise.pl
OID,
Web-
ASN.1:
http://asn1.elibel.tm.fr/oid/faq.htm

8.3.3
, , .
cn [common name ( )], sn [surname ()], givenName, mail, uid
userPassword. OID, OID.
LDAP V3 ,
ASN.1 . .

attribute: name
attributetypes=( 2.5.4.41 NAME 'name' DESC 'The name attribute type is the
attribute supertype from which string attribute types typically used for
naming may be formed. It is unlikely that values of this type itself will
occur in an entry.' EQUALITY 1.3.6.1.4.1.1466.109.114.2 SUBSTR 2.5.13.4
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )

attribute: sn
attributetypes=( 2.5.4.4 NAME ( 'sn' 'surName' ) DESC 'This is the X.500
surname attribute, which contains the family name of a person.' SUP
2.5.4.41 EQUALITY 2.5.13.2 ORDERING 2.5.13.3 SUBSTR 2.5.13.4 USAGE
userApplications )

308

attribute: mail
attributetypes=( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822mailbox' )
DESC 'Identifies a user's primary email address (the email address retrieved
and displayed by white-pages lookup applications).' EQUALITY 2.5.13.2
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 USAGE userApplications )
, (SUP) sn 2.5.4.41, name (
). name , ,
. . , , . sn, name.
, mail () rfc822mailbox. , EQUALITY
SYNTAX ASN.1.
, ASN.1 . .
, LDAP
LDAP, ,
LDAP LDAP.
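The object-class and attribute-type definitions quoted in 8.3.2 and 8.3.3 follow the RFC 2252 syntax: an OID, NAME, DESC, SUP, a kind (ABSTRACT/STRUCTURAL) and MUST/MAY lists. The following is an added example, not code from the handbook or from IBM Directory Server, that parses such definitions, walks the SUP chain to collect every MUST attribute an entry has to carry, checks a constructed entry against the result, and splits an OID into its arcs as the 1.3.18.0.2 walk-through above does. The sample schema text is the page's own definitions with the long MAY lists shortened; the function names and the entry layout are assumptions.

```python
"""Parsing LDAPv3 schema definitions (RFC 2252 syntax).

Added example: not code from the Lotus Security Handbook or from IBM
Directory Server.  Function names and the entry layout are assumptions.
"""
import re

# Constructed sample: the page's definitions, long MAY lists shortened.
SCHEMA = """
objectclasses=( 2.5.6.0 NAME 'top' DESC 'Standard ObjectClass' ABSTRACT MUST ( objectClass ) )
objectclasses=( 2.5.6.6 NAME 'person' DESC 'Defines entries that generically represent people.' SUP top STRUCTURAL MUST ( cn $ sn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
objectclasses=( 2.5.6.7 NAME 'organizationalPerson' DESC 'Defines entries for people employed by or associated with an organization.' SUP person STRUCTURAL MAY ( title $ ou $ st $ l ) )
objectclasses=( 1.3.18.0.2.6.122 NAME 'eDominoAccount' DESC 'Represents a Domino account.' SUP top STRUCTURAL MUST ( sn $ userid ) MAY ( mail $ shortName ) )
attributetypes=( 2.5.4.4 NAME ( 'sn' 'surName' ) DESC 'This is the X.500 surname attribute, which contains the family name of a person.' SUP 2.5.4.41 EQUALITY 2.5.13.2 ORDERING 2.5.13.3 SUBSTR 2.5.13.4 USAGE userApplications )
"""

# A token is a quoted string, a parenthesis, the '$' separator, or a bare word.
_TOKEN = re.compile(r"'(?:[^'\\]|\\.)*'|\(|\)|\$|[^\s()$']+")
_LISTS = {"NAME": "names", "MUST": "must", "MAY": "may", "SUP": "sup"}
_KINDS = ("ABSTRACT", "STRUCTURAL", "AUXILIARY")


def parse_definition(line):
    """Turn one objectclasses=/attributetypes= line into a dict."""
    kind, _, body = line.partition("=")
    toks = [t[1:-1] if t.startswith("'") else t for t in _TOKEN.findall(body)]
    if toks[0] != "(" or toks[-1] != ")":
        raise ValueError("definition must be parenthesised: " + line[:40])
    toks = toks[1:-1]
    d = {"kind": kind.strip(), "oid": toks[0], "names": [], "must": [],
         "may": [], "sup": [], "type": None, "desc": None, "extra": {}}
    i = 1
    while i < len(toks):
        key, i = toks[i], i + 1
        if key in _KINDS:
            d["type"] = key
        elif key in _LISTS:
            if toks[i] == "(":               # ( a $ b $ c ) or ( 'n1' 'n2' )
                j = toks.index(")", i)
                d[_LISTS[key]] = [t for t in toks[i + 1:j] if t != "$"]
                i = j + 1
            else:                            # single bare value
                d[_LISTS[key]] = [toks[i]]
                i += 1
        elif key == "DESC":
            d["desc"], i = toks[i], i + 1
        else:                                # EQUALITY, SYNTAX, USAGE, ...
            d["extra"][key], i = toks[i], i + 1
    return d


def load_schema(text):
    """Index definitions by every NAME they declare (lower-cased)."""
    classes, attrs = {}, {}
    for line in text.strip().splitlines():
        d = parse_definition(line)
        target = classes if d["kind"] == "objectclasses" else attrs
        for name in d["names"]:
            target[name.lower()] = d
    return classes, attrs


def required_attributes(classes, objectclass):
    """MUST attributes of a class including those inherited via SUP."""
    seen, must, todo = set(), set(), [objectclass.lower()]
    while todo:
        c = todo.pop()
        if c in seen or c not in classes:
            continue
        seen.add(c)
        must.update(a.lower() for a in classes[c]["must"])
        todo.extend(s.lower() for s in classes[c]["sup"])
    return must


def missing_attributes(classes, entry):
    """Required attributes the entry does not carry (names compared
    case-insensitively, as LDAP does)."""
    present = {k.lower() for k, v in entry.items() if v}
    needed = set()
    for oc in entry.get("objectClass", []):
        needed |= required_attributes(classes, oc)
    return sorted(needed - present)


def oid_arcs(oid):
    """Arcs from the root to an OID, e.g. 1.3.18.0.2 -> 1, 1.3, 1.3.18, ..."""
    parts = oid.split(".")
    return [".".join(parts[:n]) for n in range(1, len(parts) + 1)]
```

With this, an entry declaring `top`, `person` and `eDominoAccount` but carrying only `cn` and `sn` is reported as missing `userid`, which is exactly the "sn is required twice, userid once" situation the text walks through.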

8.3.4
,
, . , ,
,
. , ,
. .
, . ,
. .
, , ,
, (attribute mapping). ,
,
(data transformation).

309

, - , (record mapping). ,
. , . , . , James L Smith Jim Smith JLSmith .
, ,
(multiple identities):
( ).


, Navy Enterprise Portal Space and
Naval Warfare Systems Command (SPAWAR), ,
100 000 (identities, ID), .
720 000 -
, - 200 000 , ( ) ID.
100 000 ID ;
. , , ,
, , , ,
ID ? , UNIX- , , ID .
. :
( ). , [distinguished names (DN)] :
LDAP Directory: cn=Brendan C Hinkle,ou=West,o=Acme,dc=acme,dc=com
Domino Directory: CN=Brendan Hinkle/OU=Finance/O=Acme
Active Directory: uid=bhinkle,cn=users,dc=corp,dc=acme,dc=com
, , 100%- .
, , , , , , ?

310

, ()
, (correlation keys),
.
, .

Table 8.1. LDAP
LDAP Directory: cn=Brendan C Hinkle,ou=West,o=Acme,dc=acme,dc=com
    uid=bhinkle
    empid=10543
    mail=
Domino Directory: CN=Brendan Hinkle/OU=Finance/O=Acme
    internetaddress=b_hinkle@acme.com
    employeeid=BC10543
Active Directory: uid=bhinkle,cn=users,dc=corp,dc=acme,dc=com
    logonPrincipalName=bhinkle
    mail=b_hinkle@acme.com
,
, ,
. ? mail
LDAP AD internetaddress Domino. , SMTP- Domino. Domino AD? Domino LDAP? ,
, AD LDAP. AD
, SMTP-,
Domino AD. ,
Domino LDAP Domino.
,
. , , , . ,
LDAP Domino,
. SMTP-
Domino mail
LDAP ( ).



. ,
(identity), (DN), -

311

,
,
. 7.2, LTPA, cookie . LTPA IBM
cookie , IBM.
DN cookie LTPA, HTTP- Domino,
DN (direct mapping). Domino Directory Assistance
, LDAP. 8.2.

Table 8.2.
LDAP Directory: cn=Brendan C Hinkle,ou=West,o=Acme,dc=acme,dc=com
    empid=10543
    mail=b_hinkle@acme.com
    notesname=cn=Brendan Hinkle,OU=Finance,O=Acme
Domino Directory: CN=Brendan Hinkle/OU=Finance/O=Acme
    internetaddress=b_hinkle@acme.com
    employeeid=BC10543
, DN cookie LTPA cn=Brendan C Hinkle,
ou=West, o=Acme, dc=Acme, dc=com Domino Directory Assistance notesname Notes LDAP, Domino
LDAP DN LDAP,
notesname . , Domino cn=Brendan Hinkle, OU=Finance, O=Acme,
CN=Brendan Hinkle/OU=Finance/O=Acme.
, ,
ACL Domino. , ,
Domino 6 .
,
, Domino 6.02+
Domino 5.x. Notes LDAP, Directory Assistance
. (DN)
LDAP Domino (
Notes ), ,
8.3.

Table 8.3.
LDAP Directory: cn=Brendan C Hinkle,ou=West,o=Acme,dc=acme,dc=com
    mail=b_hinkle@acme.com
Domino Directory: CN=Brendan Hinkle/OU=Finance/O=Acme
    fullname= CN=Brendan Hinkle/OU=Finance/O=Acme, cn=Brendan C Hinkle,ou=West,o=Acme,dc=acme,dc=com
    internetaddress=b_hinkle@acme.com
, Domino cookie LTPA
(DN) cn=Brendan C Hinkle, ou=West, o=Acme, dc=acme, dc=com,
Domino person, Directory Assistance
LDAP. SMTP-
, ,
Domino person .
Domino 11.9.4,
Domino.
cookie , , cookie
DN . (indirect mapping)
cookie
(cookie) (DN) . ,
8.2, LDAP notesname,
, empid, emploeeid Domino. ,
Domino DSAPI.
, cookie LDAP empid=10543, Domino DN , LDAP
empid=10543,
cn=Brendan C Hinkle, ou=West, o=Acme, dc=acme, dc=com.
DN , Domino , DN , Directory Assistance
LDAP. , DSAPI ,
, cookie, empid, Notes. ,
DSAPI empid=10543 Domino.
employeeid Domino ID , , Domino ,
CN=Brendan Hinkle/OU=Finance/O=Acme.
, .
, ,
cookie , !
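Tables 8.1 to 8.3 and the direct/indirect mapping discussion above describe correlation keys and DN mapping in words. The following is an added example, not code from the handbook or from Domino's Directory Assistance, that correlates entries across three directories by normalized keys, flags any cluster in which a key turned out not to be unique (the "correlation is never 100%" point), and performs the direct mapping (a `notesname` attribute on the LDAP entry, as in Table 8.2) and the indirect mapping (an employee id carried in the token, resolved in LDAP and then in Domino) of a token to a Domino name. The Brendan Hinkle values are the tables' sample data; the record layout, the attribute names per directory and the second person "Bill Hinkle" are assumptions.

```python
"""Correlating one person's entries across several directories.

Added example; not code from the Lotus Security Handbook or from any IBM
product.  Record layout, per-directory attribute names and the second
person (Bill Hinkle) are assumptions built on the handbook's Table 8.1.
"""
import re
from collections import defaultdict

# Constructed sample data (Brendan Hinkle follows Tables 8.1/8.2; Bill Hinkle
# is added to show a false match on a shared mailbox name).
DIRECTORIES = {
    "ldap": [
        {"dn": "cn=Brendan C Hinkle,ou=West,o=Acme,dc=acme,dc=com",
         "uid": "bhinkle", "empid": "10543", "mail": "",
         "notesname": "cn=Brendan Hinkle,OU=Finance,O=Acme"},
        {"dn": "cn=Bill Hinkle,ou=HR,o=Acme,dc=acme,dc=com",
         "uid": "bhinkle2", "empid": "20877", "mail": "b_hinkle@acme.com"},
    ],
    "domino": [
        {"dn": "CN=Brendan Hinkle/OU=Finance/O=Acme",
         "internetaddress": "b_hinkle@acme.com", "employeeid": "BC10543"},
    ],
    "ad": [
        {"dn": "uid=bhinkle,cn=users,dc=corp,dc=acme,dc=com",
         "logonPrincipalName": "bhinkle", "mail": "b_hinkle@acme.com"},
    ],
}

# Which attribute carries each correlation key in each directory (assumed).
KEY_ATTRS = {
    "ldap":   {"mail": "mail", "empid": "empid", "uid": "uid"},
    "domino": {"mail": "internetaddress", "empid": "employeeid"},
    "ad":     {"mail": "mail", "uid": "logonPrincipalName"},
}


def norm_empid(value):
    """Domino stores 'BC10543', LDAP '10543': compare the numeric tail only."""
    m = re.search(r"(\d+)$", value or "")
    return m.group(1) if m else None


def norm_text(value):
    return (value or "").strip().lower() or None


NORMALIZE = {"mail": norm_text, "empid": norm_empid, "uid": norm_text}


def correlate(dirs, keys):
    """Map (key, normalized value) -> list of (directory, dn) sharing it."""
    links = defaultdict(list)
    for name, entries in dirs.items():
        for e in entries:
            for key in keys:
                attr = KEY_ATTRS[name].get(key)
                val = NORMALIZE[key](e.get(attr)) if attr else None
                if val:
                    links[(key, val)].append((name, e["dn"]))
    return dict(links)


def identities(dirs, keys):
    """Union entries joined by any shared key (union-find); a cluster holding
    two entries of the same directory means a key was not unique."""
    parent = {(n, e["dn"]): (n, e["dn"]) for n, es in dirs.items() for e in es}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for members in correlate(dirs, keys).values():
        for other in members[1:]:
            parent[find(other)] = find(members[0])
    groups = defaultdict(lambda: defaultdict(list))
    for node in parent:
        directory, dn = node
        groups[find(node)][directory].append(dn)
    return [{"members": dict(g), "ambiguous": any(len(v) > 1 for v in g.values())}
            for g in groups.values()]


def ldap_to_domino_name(ldap_dn):
    """'cn=Brendan Hinkle,OU=Finance,O=Acme' -> 'CN=Brendan Hinkle/OU=Finance/O=Acme'.
    Splits on ',' only; RFC 2253 escaped commas are not handled here."""
    rdns = [p.strip().partition("=") for p in ldap_dn.split(",")]
    return "/".join(f"{k.upper()}={v.strip()}" for k, _, v in rdns)


def map_direct(token_dn, ldap):
    """Direct mapping (Table 8.2): the LDAP entry named in the token carries
    the Notes name in an attribute (here 'notesname')."""
    for e in ldap:
        if e["dn"].lower() == token_dn.lower() and e.get("notesname"):
            return ldap_to_domino_name(e["notesname"])
    return None


def map_indirect(empid, ldap, domino):
    """Indirect mapping: the token carries only an employee id; resolve it to
    the LDAP DN and to the Domino person entry through the shared key."""
    want = norm_empid(empid)
    ldap_dn = next((e["dn"] for e in ldap if norm_empid(e.get("empid")) == want), None)
    notes = next((e["dn"] for e in domino if norm_empid(e.get("employeeid")) == want), None)
    return ldap_dn, notes
```

Run `identities(DIRECTORIES, ("mail", "empid", "uid"))` and the shared `b_hinkle@acme.com` mailbox pulls Bill's LDAP entry into Brendan's cluster, which is flagged ambiguous; restrict the keys to `("empid", "uid")` and the two people separate cleanly. That is the practical reason to rank keys by how authoritative their source is before trusting a match.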

313

8.3.5
(data flows)
(). , , - -.
,
.
(authoritative sources),
. , ,
, ,
-.

. , -,
.

8.3.6 -
(events) ,
.
, ,
. , -, . ,
. , .

, .

8.3.7
. ,
IBM.
Lotus Domino .

ADSync
Active Directory Synchronization, ADSync,
Active Directory (, ) Active Directory Domino Directory
Active Directory Users Computers Console.
Lotus Active Directory Synchronization Domino Administration ,
Active Directory.

314

, ADSync . , Windows Domino Directory, ADSync . Domino Windows


, .
ADSync , ADSync
Domino , , ,
Domino Administrator. , ,
Domino .
ADSync , Domino 6. C
Active Directory Domino Directory, person
group, Notes ID, .
Active Directory Notes ID
Domino Directory. Domino 6 ,
Domino Administration 6 .
, (sub policies), , , Domino,
. Active Directory
, .
ADSync
IBM Active Directory Synchronization with Lotus ADSync,
REDP0605, PDF- :
http://www.redbooks.ibm.com/redpapers/pdfs/redp0605.pdf

LDAPSync Solution
LDAPSync Solution , IBM Software Services for Lotus. ,

, LDAP, Domino.
,
, Domino, Lotus.

Notes ,
. ,
Domino .
:
1. LDAPSync: LDAP Domino.

315

2. SynchroNSF: Domino, ( , , Domino,


).
3. RunAgent: - Domino.
LDAP Domino.
LDAPSync . ,
:
, -,
Domino. , , LDAP: (, ..),
. LDAPSync
Domino.
, LDAP, . , , , LDAP. , , Employee
Change Requests Travel Requests.
/ LDAPSync.
Notes (Notes
Names&Address Books) .
RunAgent ,
. LDAPSync. ,
Notes (Notes Full Names),
X.500 (X.500 Distinguished Name).
SynchroNSF Domino .
, Software Bug Reports, Domino.
.8.1 , .
LDAPSync
:
(simple synchronization);
(broadcast);
(summarization);
(consistency).

316

Fig. 8-1. LDAPSync (diagram not reproduced). Flow shown: 1: Download, from the Corporate Directory (LDAP, non Notes) through LDAPSync into Transactions waiting (Notes DB); 2: Format Full Names, by Run Agent, into Transactions Ready (Notes DB); 3: replication, by SynchroNSF, into the Target Notes DB.


(simple synchronization) , - - ( ).

Fig. 8-2. (diagram not reproduced: source database to destination database)
,
Domino (),
(). .
, LDAP - Business card, , (ObjectClass=Person).
(Name), (First Name), (Address)
(Phone number).
, - ( )
. ,
LDAP, ,
Person Domino.

(broadcast) - - ( ).

317

Fig. 8-3. (diagram not reproduced: source database to destination database 1 and destination database 2)
- -, ,
LDAP , , ,
. -
-
, -.

(summarization) - - ( ).

Fig. 8.4 (diagram not reproduced: source database 1 and source database 2 to destination database)

() ().
- -
-.


(data consistency)
- (
), .

318

Fig. 8.5 (diagram not reproduced: source database and destination database)
- ,
-. , -, ,
-.
Domino
, . , Person
Domino
. ,
Domino, , Customer management ( ),
Sales leads ( ) Purchasing ().
Person, Domino
, .
- , . , - - (
), - ( ). ,
( ).
LDAPSync () , /
, .
, (,
LDAP ), -,
, [ Domino,
Contacts () ..], -. LDAPSync ,
.
, LDAPSync
- LDAP Domino
Domino. IBM Tivoli Directory Integrator, .

319

IBM Tivoli Directory Integrator


IBM Tivoli Directory Integrator
, ; ; ;
, (HR), (CRM), (ERP) .
, Directory Integrator .
,
, Directory Integrator

, .
(connectors),
Java
c Directory Integrator :
-;
,
, , (provisioning);
, (, Web-),
.
IBM Tivoli Directory Integrator
(identity management) IBM,
, ,
(online), , .
IBM
(, ), ( , ),
( Web- ) (
) ,
.
Directory Integrator :
(assembly line),

320

,
//
(). , . , , , ..
(connectors)

. . ,
.
(Event Handler),
Directory Integrator
,
(, , ,
, HTML- Web-
, Simple Object Access Protocol
(SOAP) Web-, ).
(parsers)

, .

.
, , ,
, LDAP Data Interchange Format (LDIF),
Extensible Markup Language (XML), SOAP, Directory Services
Markup Language (DSML), .
(hooks),

.
(Link Criteria), ( ) .
, , () =
(), ,
, , f()=().
: equals (), not equals ( ), contains (), starts with
( ), ends with ( ).
.

321

(Work Entries), ,
.
Java perl-,
.
,
.
( ) :
Btree Object DB Connector,
Command Line Connector,
Domino Users Connector,
File System,
FTP Client Connector,
Old HTTP Client Connector,
HTTP Client Connector,
Old HTTP Server Connector,
HTTP Server Connector,
IBM MQ Series (JMS),
IBM Directory Changelog Connector,
JMS Connector,
JNDI,
LDAP,
Lotus Notes,
MailboxConnector Connector,
Memory Stream Connector,
Netscape/iPlanet Changelog Connector,
NT4,
Script Connector,
SNMP Connector,
TCP Connector (generic),
URL Connector (generic),
(Runtime provided) Connector,
Web Service Connector,
C.
Directory Integrator (assembly line),
.
,
.8-6

322

Fig. 8-6. Directory Integrator (diagram not reproduced: data sources DS1, DS2 and DS3)
(data source) DS3,
DS1.
DS2. Directory Integrator
(assembly line).
, . ,
,
.8-7. , , . .8-7
, .

Fig. 8.7 (diagram not reproduced: two arrangements of data sources DS1, DS2 and DS3)


323

, , , (,
),
. ,
. ,
. Directory Integrator
, ,
, , .

Directory Integrator (GUI).
GUI Idaptodom.

Fig. 8-8. GUI

324

LDAP,
readldap. LDAP. Domino, updatedomuser Domino User. LDAP, LDAP GUI . .8-8 GUI.
-,
(), .8-9 ( ).
.8-9, InternetAddress, .
(Domino). .8-10 , -

Fig. 8-9. GUI

325

Fig. 8-10. GUI
Domino User. . 8-10 , Connector Attribute InternetAddress ,
, InternetAddress ( ).
Domino User,
.
(),
. , GUI Directory Integrator.
.
, Directory Integrator
-, , Web-.

326

Fig. 8-11. Directory Integrator (diagram not reproduced; labels: JDBC, Web Service, JMS, RDBMS, LDAP, Web, Web service)

8.4
, . , , , , . , , .
,
, ,
.
(unified directory service)
. , , ,
,
. (metadirectory) ; , ,
. , .
IBM ,
, .
, ,
.


. , -

327

, . , , .

, , .

.

, (ID) .


(unique keys) , . ,
- -.
,
. , ,
, . ,
SMTP- ;
.
, . ID
,
. , (primary) (secondary) . , ID , SMTP- , , .



, (
) . , :
;
.

, . .

. , , , Domino, Active
Directory, PeopleSoft HRMS ..

328

, (, , ). ,
, ,
. LDAP,
LDAP. . -,
LDAP .
.8.12, Dept 3
1, Mail 2
3. , .
Record (directory label lost):
    CN=David Hinkle
    EmpID=1234
    Dept=LPS ISSL
    Mail=dave@ibm.com
Record (directory label lost):
    CN=David Hinkle
    EmpID=1234
    Dept=ISSL
Record in directory 1:
    CN=David Hinkle
    EmpID=1234
    Phone=555-1234
    Mail=dave@ibm.com

Fig. 8-12.

. ,
- .
, , (, A , , ).
-,
.
.8.13,
(master record).
, -
( 1, 2 3) . ,
CN EmpID ,
1 2. , -

329

(). , ,
, ,
. , . . ,
, .
,
( ) .
Record (directory label lost):
    CN=David Hinkle
    EmpID=1234
    Dept=ISSL
Master record:
    CN=David Hinkle
    EmpID=1234
    Dept=ISSL
    Mail=dave@ibm.com
    UID=DH9876
Record in directory 1:
    CN=David Hinkle
    EmpID=1234
    UID=DH9876

Fig. 8-13.
,
, , .
- ,
, .
,
. () .
.
. , .8.14, -,
- , .

, ,

330

LDAP . ,
, ,
, ( . ). LDAP,
, , .
, LDAP
, .
LDAP . , 3 LDAP.
3 Domino LDAP
Domino Notes
LDAP. ,
.8.14 ,
IBM Tivoli Directory Integrator, LDAP IBM Directory Server.
Source record (directory label lost):
    CN=David Hinkle
    EmpID=1234
    Dept=LPS ISSL
    Mail=dave@ibm.com
    Notesname=David Hinkle/Phoenix/IBM
Source record (directory label lost):
    CN=David Hinkle
    EmpID=1234
    Dept=ISSL
Source record in directory 1:
    CN=David Hinkle
    EmpID=1234
    Phone=555-1234
    UID=DH9876
    Mail=dave@ibm.com
Merged record (label 2, LDAP metadirectory):
    CN=David Hinkle
    EmpID=1234
    Dept=ISSL
    Mail=dave@ibm.com
    UID=DH9876
    Phone=555-1234
    Notesname=CN=David Hinkle,OU=Phoenix,O=IBM

Fig. 8.14 - LDAP

331


. :
(object classes): .
, .
8.3.2, .
(attributes): . ,
OrganizationPerson Title.
Title . , , Person CN [common name ( )] SN [surname ()].
8.3.3, .
[Directory Information Tree (DIT)]:
LDAP .
,
(branches) (leaves),
(end nodes). , ,
, (Distinguished Name, DN).
, , (, CN=users), (OU=).
, LDAP
. LDAP. , , .
DIT , (DN) . DN
. , DN
CN=john q public,OU=sales,O=acme,C=us UID=jsmith4
,CN=users,DC=acme,DC=com.
X.500, C=US . , DNS DC=acme, DC=com . ,
, , , DN ( )
UID (User ID). , , ,
,
.
( 10000 ) .

, . ,
:

332

DN= uid=bhinkle,cn=users,dc=acme,dc=com
cn=Brendan C Hinkle
mail=b_c_hinkle@acme.com
DN= uid=bhinkle2,cn=users,dc=acme,dc=com
cn=Bill Hinkle
mail=b_hinkle@acme.com
, , DN.
, , , DN,
.
, .
. , ,
, , , . ,
( ),
,
:
DN= uid=bhinkle,ou=sales,dc=acme,dc=com
mail=b_c_hinkle@acme.com
DN= uid=bhinkle2,ou=hr,dc=acme,dc=com
mail=b_hinkle@acme.com
OU DC ( 10000 ) , . ,
, () .
X.500 DNS, . , X.500
,
. DNS
- X.500 SMIME-. ,
35 , . , -
. , , , , . DNS
DIT , LDAP.

333

DIT .
. - . DIT, ,
,
.
DIT
:
;
( );
;
(, );
.
, ,
LDAP? , LDAP-
X.500 Open LDAP. LDAP,
, . LDAP , LDAP- .
LDAP ,
.
LDAP LDAP , .

, .
,
, ,
Middleware
Architecture Committee for Education (MACE). :
http://middleware.internet2.edu/dir/
, ,
, .
.
.

334

, ,
:
Charles Carrington (Editor), Timothy Speed, Juanita Ellis, and Steffano Korper, Enterprise Directory and Security Implementation Guide: Designing and Implementing Directories in Your Organization.

8.4.1

. (account provisioning) ,
.

.

.

(service) ,
, .
. Notes.


(account)
. , , . (credential)
,
,
. :
.
() ( ) .
(ID)
.
. , ,
, .

335

,
. ,
, Enterprise Directory.
, favorites,
.
,
.

(registration)
. ID, .. () .
, ,
, , ..
( ) , ,
.
, .


(entitlement)
. ,
, . ,
- , , , .


,
- . , Domino, , (Directory Integrator). - ,
, , ,
, .. ,

336

(Instant Messaging), .
,

. ,
, -.

, . ,
, ,
. ,
. , , . -
, . ,
,
.

8.4.2

, .
, , ,
.
(SSO)
, , . ,
,
(enterprise access management systems). IBM Tivoli Access Manager Netegrity Siteminder.
, ,
:
LDAP;
;

337

, ,
, , ;
Web- .
, , SSO . , SSO,
, ,
( ).
IBM Tivoli Access Manager
IBM Tivoli Access Manager for e-business, REDP3677.

8.5
.
. , , , , , .


[single sign-on (SSO)]. ,

.

.
. :
, , .

. , -,
.

, .
, ,
, .
,
-, .
:

338

;
(DIT).


.
: , , . ,
, , .
.
() :
;
;

;

;
;

.

339

9
(hardening)
, - , .
(), ,
.
, (hardening),
(. . , , )
, .
,
Lotus- , :
Windows ( NT)- :
Win32 WindowsNT4.0, Windows2000 WindowsXP;
UNIX/Linux- :
Sun Solaris 8;
Linux ( 2.4) SuSe Red Hat;
IBM AIX.
, , ,
.

(hardening) 

341

9.1
.
,
- .

9.1.1
, , . ,
. , ,
. ,
, .
, .
, ,
. , ,
, . ,
.


,
.
, , , ,
Windows Linux, . , 1 , .
,
, .
, .


100% , ,
, , ,

.
,
. , . (service pack) ,
1

342

, . . .

, CD (-) .
,
, .
(,
up2date Red Hat Windows Update Tool Microsoft).
, ,
, , , .


-. ,
, , , . ,
Windows Server Internet Information Server (IIS, ), .
, ,
, ,
. , ; , , .
, ,
. :
netstat -an
, , , Nessus, Nmap Stealth,
- , .


- , ,
, ,
-.
,
, -. ,
, ,
. -,
, . ( , -


.
.)
. (, , ) (PSPG Policies, Standards, Procedures Guideline) ,
.

9.1.2
,
- , . ,
, .
, ,
-. ,
,
, , ,

, ,
, 4.1, . .
,
, , , . , , , , . UNIX, Windows ( NT) , ,
.
,
, ,
. ,
, , , ,
.
,
, , . , . ,
, .

344


,
.
. ( Microsoft ISA
Server, http://www.microsoft.com/isaserver/.)
, , ,
TCP-. IP- ( )
,
, .
, P2P ( , , KaZaa, Morpheus, eDonkey ..), . ,
P2P . HTTP , , P2P, .
, Web- URL- , Web- .
, , . , Web- IP-,
URL-. , , ( ),
, , .


,
. , , Bluetooth.
,
.
.
, , ,
. ,
.


, , , ,
, , ,
P2P-
( ) ,
, .
, , . 2, ,
, ,
, .


NMap ( Network Mapper) , URL-:
http://www.insecure.org/nmap
NMap open source1, UNIX,
Windows (NmapNT).
IP- ( ) :
;
() ;
;
.
NMap . f (), NMap
IP-. NMap TCP- ,
(Intrusion Detection Systems, IDS).
, , , , .
, Nessus, NMap ,
NMap .

9.1.3

- ,
, -.

- , .
1

346

Open source . . .

9.2
, -,
, .
, Lotus Notes,
- Sametime

, - .
,
, . ,
: 1 . ,
, .

(, , ), , ,
. -
,
.
.
, , . ,
-, -.

9.2.1
, ,
, . ,
, .


, . :
, ;
, ,
.
,
, .
1

- . . .


,
.
,
. , - ,

.


, , ,
:
1. .
(
QNX). .
, .
2. . , PDA  ( Palm OS). . , .
3. . , Microsoft
Windows.
, . , , Windows Server
Operating Systems ,
,
( Terminal Services).
4. . . Linux. , ,
-
.

348

PDA Personal Digital Assistant, , , / .


. .



. ,
. , , .
. ,
.
. ,
.
. ( , , , ..), ,
.
. , ,
, .
. , ,

(APIs, Application Programming Interfaces).
. (Graphical User Interface, GUI),
.
, .
,
, .
.
, , .
, Windows
UNIX, :
Windows 2000 (Maximum Windows 2000 Security, Sams, 2001, ISBN 0672319659);
Linux (Maximum Linux Security, Sams, 1999,
ISBN 0672316706).

Windows Linux.


9.2.2 Windows
Microsoft Windows , ,
Windows . , . ,
Windows .
, , , Windows , :
/. Microsoft
( ).
,
:
1) ; 2)
.
. ,
Windows , ,
. , Windows
.
, , . , , , -.
. , Windows, , , (Event Viewer). Windows ,

.
. Windows ,
, .
. ,
, , Microsoft - , .
, , .
,
.
. Windows . ,
.

350

,

, .
,
.
Windows ,
. , , , ,
Windows .
, ,
Windows. ,
:
SecurityFocus:
http://www.securityfocus.com/
NT:
http://www.ntbugtraq.com/
CERT:
http://www.cert.org/nav/index_red.html
, ,
.
, Windows . Linux ,
.

9.2.3 Linux
Linux
. - ,
Linux , . Lindows Red Hat-, Linux ,
IBM. , ,
Linux.
Linux
, Windows. ,
- , - , , Linux.
, Linux
, ,
, . Linux :


root. , , root . , root , . Administrator Windows NT, root


,
Linux. , , . ,
root Web- , root
, . , (, Lindows) root .
. , Linux
, , . ,
,
Linux. () Linux
,
, Linux -
,
rpm, .
,
. , HTTP-, FTP-, .., .
. Linux (Maximum Linux Security): Linux
( ),
.
, ,
,
-. .
(open source).
Linux , , Linux . , Linux , ,
, , , . , , . , ,
Linux -

352


. , ,
. , Red Hat
, , , .
,
, .
Linux- Web (, Caldera, Red Hat, SUSE, Turbolinux) ,
UNIX SecurityFocus (http://www.securityfocus.com/unix), ,
.
Linux Windows. ,
,

, .
Windows Linux,
Solaris AIX, , Domino.
Domino , zOS (OS/390) OS/400 (
zSeries - iSeries). , .

9.3 Windows ( NT)


Windows ( Win32).
, NT- Windows, :
Windows NT 4.0,
Windows 2000 Server,
Windows XP Professional.
Windows XP Professional, Windows (Linux ), , ,
,
.
Windows ,
, , , -


. , :
1) 2) , -.
Web- . , ,
-.

9.3.1 Windows NT 4.0


Windows NT 4.0 Microsoft .

, ,
Windows NT 4.0. , , , , .
. , ,
Windows, .


Windows NT 4.0 Server , .
, , . ,
. ,
,
,
, .


, , , , . ,
, ,
. , .
, Windows NT 4.0
:
NTFS, FAT. NTFS (access control lists,
ACLs) .

354

.
FAT, , , NTFS.
, ACLs
.
, (, , ).
, DMZ Web, Domino DNS
.
(Service Pack) , .
Service Pack 6a, .
, . :
Remote Procedure Call (RPC),
NetBIOS,
Computer Browser.
.
, , .
:
(Control Panel Network Services):
Workstation. , , at.
, Server,
.
Server. .
, .
WINS TCP/IP. (Control Panel Network Bindings).
(All Protocols). WINS Client (TCP/IP)
/ (Disable/Remove).
. DMZ- .
, :
Alerter. ,
.
ClipBook.
.


DHCP Client.
.
Messenger. ,
.
NetBIOS Interface. NetBIOS TCP/IP.
Net Logon. ( )

() .
Network DDE.
.
Network DDE DSDM.
(Dynamic Data Exchange, DDE) DDE-.
TCP/IP NetBIOS Helper. NetBIOS
TCP/IP, IP-.
,
, ,
, telnetd FTP. ,
,
. , , ,
IP- , .
IP- DMZ.
IP-, IP Windows NT.
TCP/IP (Control Panel Network Protocols TCP/IP Protocols Properties Advanced).
(Enable Security) (Configure). , .
,
; .
,
.
.
(Administrator) -
.
.
,
.
, , , . ,
.

356

. , , :

.
, .

, 24 .

. 30 .
(Everyone).

(Access This Computer From the Network),
, .
.

: ; ; , .
(
5). .
SYSKEY (Security Accounts Manager, SAM).
SYSKEY 3; ,
6a SYSKEY
.
OS/2 POSIX.
C2SECURITY Windows NT (Resource Kit) .
, ,
OS/2 HKEY_LOCAL_MACHINE\SOFTWARE\
Microsoft\OS/2 Subsystem for N.
Os2LibPath Environment:
H K E Y _ L O C A L _ M AC H I N E \ S Y S T E M \ C u r r e n t C o n t r o l S e t \ C o n t r o l \
SessionManager\EnvironmentOs2LibPath.
Optional, POSIX OS/2
:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
Manager\SubSystems.
%WINNT%\system32\os2 .
, ,
- ,
, .



, . ,
, , .
,
. Windows NT , ,
, .
, . :
.
(Internet Information
Server, IIS) v2.0, Windows NT, Web-. IIS
,
IIS.
, IIS
, .
, TCP/IP. . NetBEUI , IPX .
IPX NetBEUI.

.
,
DNS-. Web-,
DNS. , , ,
, (Simple Network Management
Protocol, SNMP) DMZ.
, (community) - . SNMP , ,
.
WINS. NetBIOS
DNS, LMHOSTS.
DHCP- (relay). , DMZ-
(, , , ).
IP- (IP Forwarding),
.
, IP-.

.

358

(Internet Explorer) 5 5.5:


, . , . 5 5.5 , . , , , ,
Windows NT 4.0, . , .
Windows NT 4.0 DMZ- ,
4.01 2 (Internet Explorer 4.01 Service Pack 2).

. Internet Explorer 4.01 SP1 Windows NT -


(Option Pack CD), Internet Explorer 4.01 SP2
.


Windows NT,
. , . Windows NT .
1, , :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
DontDisplayLastUserName
1, :
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
RestrictAnonymous
, . (
3 .):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
1, NTFS
8.3. ( 8.3 Win16, .
,
8.3.):


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
NtfsDisable8dot3NameCreation
0,
(ADMIN$, C$
. .). (,
( ) net share /d.):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
AutoShareServer
1 ,
( ):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System
RestrictGuestAccess
0 ( Windows NT 10 , , ):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
CachedLogonsCount

(Access Control Lists, ACLs).
(Everyone) ,
(Full-Control) (Administrators) (SYSTEM). (Owner) (Full-Owner control):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
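The registry values listed above (DontDisplayLastUserName, RestrictAnonymous, NtfsDisable8dot3NameCreation, AutoShareServer, RestrictGuestAccess on the three event logs, CachedLogonsCount) can be verified offline from a `reg export` of the relevant keys. The following is an added example, not from the handbook or from Microsoft, that parses such an export (a constructed sample is embedded) and reports every baseline value that is missing or differs. The data types are assumptions: CachedLogonsCount is treated as a string value and the others as DWORDs; the expected values are the ones the section gives.

```python
"""Checking Windows NT registry hardening values against a baseline.

Added example; not from the Lotus Security Handbook.  It reads a
'reg export' style .reg file offline and compares it with the values
listed in section 9.3.1.  Data types assumed: CachedLogonsCount is a
string value, the others are DWORDs.
"""
import re

HKLM = "HKEY_LOCAL_MACHINE"
WINLOGON = HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Baseline from section 9.3.1: (key, value name) -> expected data.
BASELINE = {
    (WINLOGON, "DontDisplayLastUserName"): 1,
    (WINLOGON, "CachedLogonsCount"): "0",
    (HKLM + r"\SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymous"): 1,
    (HKLM + r"\SYSTEM\CurrentControlSet\Control\FileSystem",
     "NtfsDisable8dot3NameCreation"): 1,
    (HKLM + r"\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
     "AutoShareServer"): 0,
}
for _log in ("Application", "Security", "System"):
    _key = HKLM + r"\SYSTEM\CurrentControlSet\Services\Eventlog" + "\\" + _log
    BASELINE[(_key, "RestrictGuestAccess")] = 1

# Constructed sample export: partly hardened, partly still at defaults.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"=dword:00000001
"CachedLogonsCount"="10"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareServer"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security]
"RestrictGuestAccess"=dword:00000001
"File"=hex(2):25,00,53,00
"""

_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def parse_reg_export(text):
    """Return {(key, value name): data}; dword: becomes int, "..." str.
    Other data types (hex:, hex(2): ...) are skipped here."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE.match(line)
        if not (m and key):
            continue
        data = m.group("data")
        if data.startswith("dword:"):
            values[(key, m.group("name"))] = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            values[(key, m.group("name"))] = data[1:-1].replace("\\\\", "\\")
    return values


def audit(export_text, baseline=BASELINE):
    """List (key, name, expected, actual) for each baseline item that is
    absent (actual None) or differs; key and value names are compared
    case-insensitively, as the registry itself does."""
    found = {(k.lower(), n.lower()): v
             for (k, n), v in parse_reg_export(export_text).items()}
    findings = []
    for (key, name), expected in baseline.items():
        actual = found.get((key.lower(), name.lower()))
        if actual != expected:
            findings.append((key, name, expected, actual))
    return findings
```

Against the sample, `audit(SAMPLE_EXPORT)` flags RestrictAnonymous still at 0, CachedLogonsCount still "10", and the 8.3-name and two event-log settings as absent; a value that is absent from the export is reported rather than silently treated as compliant, since an unset value is at its default.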

360

Windows NT 4.0
Windows NT 4.0 . EventLogs, Windows.

.
Windows, .
(,
FTP, HTTP, SMTP . .), . , (Performance Monitor). EventLog,
.
, .
Windows NT , .
, , . , 100%,
,
. , .
? , . .

EventLogs
EventLogs Windows NT ,
(Event Viewer).
Windows NT EventLogs syslogs UNIX.
EventLog (Application Log), (Security Log) (System Log). , Windows NT .
, .
:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System
File


File . , .


, Windows IIS Web-,
: Web, FTP SMTP.
,
. .

Web FTP.
(Properties) .



(Performance Monitor). %SystemDrive%\PerfLogs.
DefaultLogFileFolder
:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog
DefaultLogFileFolder


%SystemRoot%\SchedLgU.Txt.
,
, .
LogPath :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent
LogPath
Windows NT. , Windows.
, , NT 4.0 Windows
,
.

9.3.2 Windows 2000


Windows 2000 , Windows
NT 4.0, , ,
. ,

362

, , ,
. , , Microsoft
Technet, .


Windows 2000 , . , , , , , Windows 2000.
Windows 2000 Windows 2000. Windows 2000 , Windows NT 4.0.

( - ),
.
Windows 2000 , ,
, . , , , . - ,
, . :
, .
, Windows NT 4.0, ,
Windows 2000 .


, . ,
,
, .
, .
Windows 2000 NTFS, FAT. NTFS
(ACLs) .

.
FAT, , , NTFS.
, ACLs
.
, ,
. DMZ


, ,
. , , IIS- FTP, HTML-. , , , Windows Media
.
Microsoft (File and Printer
Sharing for Microsoft Networks). (Custom),
.
Web
SMTP, Microsoft (Microsoft Networking Client) ,
. ,
RPC
Microsoft. IIS, SMTP.
IP (IP Protocol Properties). IP DNS DHCP.
(Advanced)
:
a) DNS.
DNS (Register This Connection's Addresses in DNS).
b) WINS;
WINS. NetBIOS,
LMHOSTS. NetBIOS
TCP/IP NetBIOS TCP/IP.
c) (Options) TCP/IP-, Windows NT 4.0.
.
DMZ- .
telnetd. - telnet
, telnet
TelnetClients.
TelnetClients, , telnet . telnetd
Telnet TelnetClients.
DNS-. . DNS. (Notify)
, (Only Allow Access From Secondaries Included on Notify List).
, . ,
DNS-, Windows NT 2000,
. -

364

, ISC BIND
(Internet Software Consortium Berkeley Internet Name Daemon),
UNIX-. ,
GUI1, , BIND. ISC
:
http://www.isc.org/products/BIND/


, .
:
, CA [Certificate Authorities
( )] , . , . , Lotus Domino
SSL, , , .
, SNMP (Management and Monitoring Tools), (community) .
(Active
Directory). , DMZ-, DMZ DNS .

Windows 2000
Windows NT 4.0 ,
.
, , /
. , , , .
Windows 2000 Microsoft Microsoft (Microsoft Management Console, MMC). (Security Templates Tool) , .
(Security Configuration and Analysis Tool) 1

GUI Graphical User Interface ( . . ..



, , , .
MMC. .
,
(High Security for Workstations), HISECWS.INF. , Microsoft , Web-.
, Windows
NT 4.0. HISECWEB.INF Microsoft
URL:
http://support.microsoft.com/support/misc/kblookup.asp?id=Q316347
:
1. %windir%\security\templates.
2. .
3.
.
4. (Analyze Computer
Now) .
5. .
6. , , .
.
, WordPad. , ,
.
. , , , .
;
; .
, ,
. , , .
, , ,

.
.

366

. , , SECEDIT. , Telnet. .

,
, , , -. ,
, , HTTP, FTP SMTP, .
, ,
IIS , . - . 9-1.
9-1. -, IIS

IIS
IIS SDK
Admin Scripts
Data Access


\inetpub\iissamples
\inetpub\iissamples\sdk
\inetpub\AdminScripts
\Program Files\Common Files\System\msadc\Samples

, , DMZ:
Microsoft Windows NT 4.0 and IIS 4.0:
http://www.microsoft.com/technet/security/iischk.asp
Microsoft Windows 2000 Server and IIS 5.0:
http://www.microsoft.com/technet/security/iis5chk.asp
Microsoft SQL Server:
http://www.microsoft.com/technet/SQL/Technote/secure.asp
http://www.sqlsecurity.com/faq.asp
Windows 2000.
Windows NT 4.0 Windows 2000 , .
Windows 2000 , Windows NT 4.0.

9.3.3 Windows
, .
,


, ,
Windows (NT, 2000, XP),
.
,
, Windows .
, - ( ) ( ),
: .
, Windows NT,
2000 XP; ,
.
, Windows Windows .
Lotus Collaborative,
. , , Windows,
, . ,

, .
Microsoft
( Steps to Personal Computing Security),
URL:
http://www.microsoft.com/security/articles/steps_default.asp
Windows, ,
Windows NT (NT 4.0, 2000 XP). , Windows 9x 95, 98, 98SE ME,
. , -,
9x, Windows NT.


Windows NT, 2000 XP . ( Windows 95, 98 ME,
. , 9x
.) , , .

368

, Windows,
(
) .
,
,
- .
. , ( )
, . , , . , ,
. ( , 2, , .)
,
.
Windows
. - ,
, .
, .
: , ( ). .
1. , , .
:
. (
, , ,
.)
(, , , ).
, ;
.
2. , ,
. , .
, .



,

.
,
, , , . , . ,
. , , .
Norton Anti-Virus (NAV), McAfee's
VirusScan ,
. , .
Windows.

Microsoft
(Microsoft Update Center)
Microsoft Windows .
Microsoft
( ),
. , , , , .

:
1. , Microsoft (http://windowsupdate.microsoft.com/) Product Updates.
2. , - (CRITICAL UPDATES AND SERVICES PACKS); .
(Download).
, . . , , ,
, .
, ,

370

, ,
. , -,
, .

Microsoft
(Microsoft Baseline Security Advisor, MBSA)
Microsoft , . URL MBSA :
http://www.microsoft.com/technet/security/tools/tools/MBSAhome.asp1
MBSA .
2002 . , Web
, Microsoft's Personal Security Advisor (MPSA),
. MBSA
Windows NT 4.0, Windows 2000 Windows XP ( ,
Windows).
MS IIS MS SQL.
MBSA ( ),
. MBSA . , , , -, .
. , ,
Microsoft,
, MBSA.
.
, ,

. , - , ,
, , ,
.
,
, -. , Microsoft ,
.
, ,
, , , , ,
.
1

: http://www.microsoft.com/technet/security/tools/
mbsahome. , Microsoft Baseline Security
Analyzer. . .


MBSA ,
. MBSA
, , .

IIS Web- Microsoft


Windows NT 4.0, 2000 XP Web
, Microsoft (Internet Information Server, IIS). ,
Code Red, ,
IIS.
, -, MS IIS Web-.
1. MS IIS Web-, .
MS IIS Web- ,
. ,
Web- (, IIS) , .
, , . , IIS , , , -
, Windows , 100% , - .
2. MS IIS Web-.
MS IIS Web- MBSA,
. ,
, Web- ( ). MS IIS Web-. Microsoft , IIS,
Windows 2000 Windows XP.
Microsoft (Microsoft Network Security Hot Fix Checker), Hfnetchk.exe, URL:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q303215

Microsoft, Hfnetchk.exe,
(Q305385) :
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305385
Microsoft,
Microsoft Technet Web URL:
http://www.microsoft.com/technet/security/current.asp

372

, Microsoft MS IIS Web-


. . IIS Microsoft, URL:
http://www.microsoft.com/technet/security/tools/tools/locktool.asp

Microsoft SQL-
Windows NT 4.0, 2000 XP
, (Structure
Query Language, SQL). MS SQL-.
MS IIS, .
Slammer.
Microsoft SQL- .
, , , . MS SQL-
:
1. MS SQL-, .
MS SQL-
,
. , ,
(, MS SQL-) , .
, ,
.
, MS SQL- - , -
. , .
MS SQL-
, , , - , Windows , 100% ,
- .
, MS SQL- , ,
.
2. MS SQL-
MS SQL- ( )
MBSA, .
,
MS SQL- , . MBSA , .
.
Microsoft, Hfnetchk.exe, (Q303215), .



Microsoft, Hfnetchk.exe,
(Q305385).
Microsoft, Microsoft Technet Web.


- (
). ,
, .
, Symantec, Norton Anti-Virus, Symantec
Security Check ( Symantec), . URL:
http://security.symantec.com/ssc/home.asp
Scan for Security Risks
( , . . ),
Scan for Viruses ( , Norton
Anti-Virus) Trace a Potential Attacker ( ,
IP-). , .
, , , Scan for
Security Risks ,
. , - , - .
,
, Scan for Viruses
, .
- . , , .

. .
-, Symantec - ActiveX.
, , , ,
. , Symantec
,
. ,
; .
-, Symantec . ,
, ActiveX Symantec
25.06.2003, ( ) ActiveX,
. :
http://www.sarc.com/avcenter/security/Content/2003.06.25.html

Symantec . ,
- . , Gibson Research
Corporation ShieldsUp!,
. URL:
http://grc.com/intro.htm

!
, Symantec Gibson Research.
,
, , -
.

9.3.4
Windows.
-, , ,
, ,
,
:
Microsoft (http://www.microsoft.com/security/)
:
http://www.microsoft.com/security/articles/steps_default.asp

http://www.microsoft.com/technet/security/tools/tools.asp
Windows NT CERT (http://www.cert.org/tech_tips/win-resources.html)
Windows NT
http://www.cert.org/tech_tips/win_configuration_guidelines.html

http://www.cert.org/tech_tips/home_networks.html

http://www.cert.org/other_sources/viruses.html
SANS
(http://www.sans.org/rr/index.php)
Windows 2000
http://www.sans.org/rr/catindex.php?cat_id=66
. Web ,
.

9.4 UNIX
UNIX-. UNIX
Windows ,
.
UNIX , ,
. UNIX , BSD AT&T System V. UNIX .
UNIX, BSD:
OpenBSD,
FreeBSD,
NetBSD,
BSDi,
MacOS X,
SunOS 4.
UNIX, System V:
HP-UX,
Solaris (SunOS 5).

. AIX, , , ,
BSD, System V , . -
AIX . . 9.5,
AIX.
, Linux? ,
Linux UNIX.
BSD System V.
, , Linux
. Linux GNU (http://www.gnu.org), -
GNU/Linux. GNU/Linux,
, , ,
.
, , Windows NT, Windows
2000 Windows XP, , UNIX Linux,
.
,
UNIX Linux. , ,
, .

9.4.1 UNIX Linux


, UNIX ( GNU/
Linux) , , .
, ,
, , .
, , ,
.
, , (e-mail) . e-mail root, , , .
, ,
.
UNIX GNU/Linux
. , :

, ;
;
, ,
( ), .
UNIX,
, Web- CERT URL:
ftp://info.cert.org/pub/tech_tips/UNIX_configuration_guidelines

9.4.2
, UNIX,
, , SWAP /tmp. ,
(denial-of-service) (out-of-disc-space).
: UNIX
FTP, , Domino- ,
, mail.box .

.
(/). ,
, ,
, /bin, /sbin, /etc /lib.
/dev /devices.
GNU/Linux /boot,
/lib.
/usr. , ,
. /usr
, ;
(, mount) .
/var. ,
, Web, , , ,
.. / , /var
, .
/usr/local (/opt Solaris). ,
. /usr/local . , UNIX,
.
UNIX ( GNU/
Linux),
, UNIX, .

9.4.3 inetd
inetd UNIX. -1,
, /etc/inetd.conf.
inetd IP-.
, . ,
, .
, ,
-.
inetd , ,
. - FTP, TFTP, Telnet Berkley r*, .
1

- ,
, . Windows
DOS. . .

in.named. BIND. , DNS- , DNS UNIX.


in.fingerd. finger,
, .
UNIX , .
daytime. .
,
.
time. , 32- ,
, 1 1900 .
.
echo. ,
. , .
discard. ,
( ,
). .
chargen. ,
. ,
.
systat. .
.
netstat. .
.
. , ,
UNIX, UNIX.

9.4.4 tcp_wrappers
UNIX tcp_wrappers (
Wietse Venema), , , , , ,
IP- DNS. , , , DMZ - ( , ).
,
GNU/Linux BSD. UNIX, tcp_wrappers ,
URL ( ):
ftp://ftp.porcupine.org/pub/security/index.html

UNIX , (single
points of failure) .
, .
, ,
, . , (DDoS, Distributed Denial of Service), //
.
tcp_wrappers , .
,
.
/etc/hosts.allow
/etc/hosts.deny
, tcp/ip- (, , ),
.
: hosts.allow, hosts.deny.
KNOWN UNKNOWN. ALL
, . man-1 hosts_access, tcp_wrappers.

9.4.5 sendmail
Sendmail UNIX ( GNU/Linux)
(Mail Transfer Agent, MTA).
, sendmail
. suid root, sendmail .
sendmail , STARTTLS
SMTP AUTH. 1

UNIX GNU/Linux , , man (man pages), man [] ////. , man hosts_access man bash.
. .

() suid (set-UID)
- (.. ), , ( ). , suid root ,
root root.
. . .

UNIX sendmail ( , ),
. ,
8.9.3 - .
Realtime Blackhole List ( ), , sendmail.
mc :
FEATURE(rbl)dnl
, sendmail SMTP VRFY EXPN. . :
define(`confPRIVACY_FLAGS', `novrfy,noexpn')dnl
, ,
sendmail :
authwarnings: X-Authentication-Warning,
;
needmailhelo: - SMTP HELO;
needexpnhelo: - SMTP HELO
EXPN;
needvrfyhelo: - SMTP HELO
VRFY;
noreceipts: (Delivery Status Notifications, DSNs) ;
goaway: , restrictmailq restrictqrun;
restrictmailq: mailq
;
restrictqrun: .
, Domino UNIX GNU/Linux sendmail 1.

9.4.6 , Linux
GNU/Linux.
, - 1.44 ( Minix).
,
.
GNU/Linux Red Hat, SUSE, TurboLinux,
Mandrake, Caldera, Slackware Debian.
1

(SMTP) Domino,
sendmail, 25. . . .

,
GNU/Linux, Domino, . , GNU/Linux , , , .
,
, ,
, - .

, .
Red Hat. , ,
. , Oracle, IBM Check Point,
Red Hat. ,
GNU/Linux, -

, Red Hat.
Debian. . , , ,
, .
Debian
100% . Debian
. GNU/Linux. Debian
, , . ,
Debian
, , , . Debian 3900 , .
SUSE,

, YAST2,
. GNU/Linux,
Domino, TurboLinux Caldera.
GNU/Linux, ,
(Custom
Installation) ,
. , , KDE GNOME, X Windows (
Domino, Domino ). ,

,
.
.
(enable shadow password); crypt
MD5.
, . Red Hat setup. Debian
shadowconfig. GNU/Linux man-. MD5 md5
/etc/pam.d.
ipchains, DMZ,
ipchains , - .
, / GNU/Linux.
Debian apt-get. Red Hat, 6.0, up2date.
, ,
GNU/Linux.
, Red Hat Linux, , Bastille Linux,
Linux, , .
Bastille Linux Red Hat Mandrake Linux1, , UNIX , .
Bastille Linux ,
, ( , ),
. , ,
. ,
, Linux. Bastille Linux
URL:
http://www.bastille-linux.org/
Linux.
Linux .
Linux :
http://www.securityportal.com/lasg/
1

Bastille Linux : Red Hat


(Fedora Core, Enterprise, Numbered/Classic), SUSE, Debian, Gentoo, Mandrake HP-UX.
Full Mac OS X. . .

9.4.7 , Solaris
Solaris :
(Core), (End-User), (Developer) (Entire Distribution). ,
, ,
. , .
Solaris ,
Sun Blueprints Online, URL:
http://www.sun.com/software/solutions/blueprints/online.html

Solaris.
Solaris : ,
(Solaris Operating Environment Minimization for Security: A Simple, Reproducible and
Secure Application Installation Methodology),
(Alex Noordergraaf) (Keith Watson).
Web- iPlanet, Apache, Domino
Web- .
Solaris (Solaris Operating Environment
Security), . Solaris.
SPARC-; Intel.
Solaris, (Solaris Operating Environment Network Settings for Security),
, .
Blueprints Online Sun , Solaris,
Web- DMZ, Domino.
(Lance Spitzner) Solaris, Check Point FireWall-1
Solaris (
8) Intel SPARC. URL:
http://www.enteract.com/~lspitz/armoring.html
, Solaris Bastille-Linux,
TITAN. TITAN URL:
http://www.fish.com/titan/

9.4.8
WAN-, DMZ-
, TCP/IP.


: (Strict SourceRouted) (Loose Source-Routed). , .
Traceroute , .

, .
,
TCP/IP.

:
Solaris :
ndd -set /dev/ip ip_forward_src_routed 0
GNU/Linux
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route


Smurf
(direct broadcast)
, :
Solaris :
ndd -set /dev/ip ip_forward_directed_broadcasts 0

ICMP (ICMP echo)


draft RFC, draft-vshah-ddos-smurf-00,
URL-:
http://www.ietf.org/internet-drafts/draft-vshah-ddos-smurf-00.txt
, , IP ICMP-
(multicast) , ,
. , . , ICMP,
, :
Solaris :
ndd -set /dev/ip ip_respond_to_echo_broadcast 0

GNU/Linux :
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
GNU/Linux - ICMP. Linux
ICMP:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

ICMP- (ICMP redirect)



, . ,
.
ICMP- , .
ICMP- ,
,
ICMP- :
Solaris :
ndd -set /dev/ip ip_ignore_redirect 1
GNU/Linux :
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

ICMP-
ICMP- .
DMZ-
, :
Solaris :
ndd -set /dev/ip ip_send_redirects 0
GNU/Linux :
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects


ICMP- (ICMP type 13)
. .
ICMP- rdate - .
,
.

NTP,

, ,
, .
ICMP 13 (
) 14 ( ) .
Solaris :
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0

9.4.9
, , , ( ) . : , , , . .
.
. ,
- , , .

, UDP/514.
, , ,
, CD-R, WORM, .
UNIX .
,
syslog.
, /var/log.
, UNIX GNU/Linux
. , ,
(), .
UNIX GNU/
Linux, syslogd , , syslog-ng. syslogd,
, facility.priority
(.).

. Syslog-ng, ,
UNIX GNU/Linux. ,
URL:
http://www.balabit.hu/en/products/syslog-ng/

UNIX
GNU/Linux. AIX1, AIX
, .

9.5 AIX
AIX UNIX, , ,

. AIX ,
, , , .
AIX
, , . ,
, ,
, .

AIX .
AIX, ,
AIX,
Lightweight Directory Access Protocol (LDAP) Internet Protocol Security (IPSec).
, Web- IBM AIX :
http://www-1.ibm.com/servers/aix/library/index.html
, , . X11 CDE ,

.
, AIX, , ,
.
, ,
. ,
, ,
1

, , 9.4.8, AIX no. . . .

, .
,
.
, ,
, . , .

9.5.1
(login) AIX
, ,
. , . .
herald /etc/security/login.cfg.
, AIX. chsec .
chsec:
# chsec -f /etc/security/login.cfg -s default -a herald="Only authorized use of this system is allowed.\n\nlogin:"
/etc/
security/login.cfg herald :
default:
        herald = "Only authorized use of this system is allowed.\n\nlogin:"

CDE
CDE (Common Desktop
Environment). CDE . , /usr/dt/config/$LANG/Xresources, $LANG
, AIX.



.
.
lock , AIX windows,
xlock.

9.5.2
AIX, . ( , AIX.)


,
.
. AIX
, , :
,
, ;
;
,
.
, , , UNIX,
. dictionlist
( ), , bos.data bos.txt.
dictionlist /etc/security/users:
dictionlist = /usr/share/dict/words
UNIX dictionlist /usr/share/dict/words.

root

, root. ID root AIX
su.
root ,
root ,
, . /var/adm/sulog.
, .
root
/etc/security/user. rlogin root
false.

root , AIX ID, root. , , .


root , su root,
, root . , , ,
.


,
.
, .

. , /etc/security/.profile , :
TMOUT=300 ; TIMEOUT=300 ; readonly TMOUT TIMEOUT ; export TMOUT TIMEOUT
300 , 5 .

,
. , , , .
, root , INTERNAL
FIELD SEPARATOR (IFS), , , sed,
awk cut, .


, , .
umask 077.

, ,
, .

. SP umask 022.
umask 022.

077. etc/security/user.


, , ID . ID
.netrc1. ,
, , .
, :
# find `awk -F: '{print $6}' /etc/passwd` -name .netrc -ls
, . Kerberos.


. 9-2 ,
.
/etc/usr/security2.
- , . chsec (, , , IBM Redbook AIX
Security Tools, SG24-5971-00).
9-2

dictionlist
histexpire
histsize
maxage
maxexpired

maxrepeats
minage
minalpha
mindiff

,
UNIX
,


,

maxage,



,

,


,


/usr/share/dict/words
26
20
4
2

2
13
2
4

. AIX. .
. .
: /etc/security/user. . . .

0, ..
, . . . .

.9-2

minlen
minother
pwdwarntime


,

,

,


6 (8 root)
2
5


, ,
(, , ), etc/security/login.cfg1.

,

AIX
ID . , AIX, ,
, ID , . ID ,
.
. 9-3 ID, , , .
9-3 ID
ID
uucp, nuucp
lpd
imnadm
guest

, uucp
,
IMN [
(Documentation Library Search]
,

. 9-4 ID , , ,
.
9-4 ID
ID
uucp
printq
imnadm
1

, uucp nuucp
, lpd
, imnadm

/etc/security/login.cfg. . . .

ID ; ID, .
, ID.

9.5.3
Trusted Computing Base ( , TCB) , . TCB
(trusted communication path),
TCB.
TCB . TCB , preservation. TCB
(trusted shell), (Secure Attention Key, SAK).
TCB, /dev
TCB. , TCB
600 , /etc/security/syschk.cfg. TCB ,
, , , CD
, , .

9.5.4
AIX
. .


- ,

. , , .


, , Domino
DB2,
. ID,
, .


. , ,

. CD-ROM- CD-,
, CD , , , . , .
(Service Level Agreements,
SLAs), ,
, ,
,
. ( ).
.
(
CD, mksysb /CD).
. , , , IBM , .
root. ,
. , root,
.


AIX
- ,
.
, ,
, .

- , , .

9.5.5
,
. ,

.

/etc/security/audit/
events. cron
.

9.5.6 ,
, , .



AIX.
AIX skulker,
.
, /tmp,
a.out, core ed.hup. skulker
:
# skulker -p
skulker, cron
.

,
ID , , . , , find , :
# find / -nouser -ls
, . , .
.


.rhosts.
. .rhosts AIX.
HACMP .rhosts 1. 600 root.system.
.rhosts :
# find / -name .rhosts -ls
1

HACMP 5.x . . . .


, . , , ,
root SUID SGID.

, ,
. ,
, AIX. :
# find / -perm -4000 -user 0 -ls
# find / -perm -2000 -user 0 -ls

cron at
cron at .
, ,
cron.allow at.allow, root.
/var/adm/cron cron.deny at.deny.
, cron at root.

9.5.7 , X11 CDE


,
X- X11 CDE (Common Desktop Environment).

/etc/rc.dt
CDE , .
CDE , .

CDE (dt). - , , /etc/rc.dt, CDE.

X-
, X11,
. X-
xwd xwud,
, .
,

,
root.
xwd xwud X11.apps.clients.
xwd xwud , OpenSSH
MIT Magic Cookies. , xwd xwud.


X- xhost+ AIX. , xhost+ , X- .
,
X-.
xhost :
# xhost +

xhost
, xhost ,
. chmod /usr/bin/X11/xhost 744, :
# chmod 744 /usr/bin/X11/xhost
, xhost . , X-.

. , .

9.5.8
,
.


- ,
.
, ,
; ,
. , , ,
.
, , .
netstat:

# netstat -af inet


. netstat .
, ,
/etc/services (Internet Assigned Numbers Authority, IANA) .
.


TCP-, LISTEN, UDP-, .
lsof, netstat -af. lsof AIX 5.1 AIX Toolbox for
Linux Applications CD.
, TCP-, LISTEN,
UDP-, IDLE, lsof :
# lsof -i | egrep 'COMMAND|LISTEN|UDP'
ID
, :
# ps -fp PID#
,
man- .

9.6
, .
, , ,
,
.

,
.
, , , 100% 100% .
, , ,
, .
- , ,
.
.


Lotus
, Lotus. Lotus Notes Domino 6, Sametime 3, QuickPlace 2.08, Domino Web
Access (iNotes) 6.x, WebSphere Portal 4.x
IBM/Lotus. ,

Lotus, , Lotus.

10

Notes/Domino
,
Notes/Domino. Domino . , Notes/Domino, .
, Notes/Domino.

Notes/Domino

403

10.1 Notes/Domino
Notes:
() , . , , . 10-1.

. 10-1. Notes
, : ,
Notes. . 10-2.

Notes

. 10-2.
,
,
Notes, ( ) Notes.
,
.
: . .

404

10

10.2

, ,
, , . 10-3.

Notes

. 10-3.
Domino.

.

, , .

, , .

:
, .
, . .

.
Domino Domino (Administration Tools), Lotus, .. Domino Administration 6 Client ( , Web-) Web Administrator 6, WebAdmin.nsf.


- ,
Notes Web- (. ., Telnet,
FTP ).

10.3

Notes, . 10-4.

Notes

. 10-4.

Notes ,
,
.

10.3.1
,
.
, . - , Notes

Notes

. 10-5.

Domino Web- Domino. (. ., - -), Notes Notes-Notes.


. 10-5.
, .

: .
(routers) , . (gateways) , , .
, - . IP,
,
.
, . , . , FTP, DNS
(Domain Name System) X11.
; , . ,
. IP, , .
-. -
. ,
UNIX- SendMail 20 000 ,
- SendMail 700 . -
.


. ,
. .
,
, , .
-

OSI (, ) (), (). . . .

. , .
(demilitarized
zone, DMZ), ,
( ).
, , - .
, , , .
.



Ethernet, Fast Ethernet, Gigabit Ethernet Token Ring, MAC- , , MAC-, .
(shutdown mode) (restrictive mode). ,
.
. , , .
, MAC- , . MAC- , ,
, ,
, . .
OSI, TCP/IP (
), TCP UDP,
, .
.
, , Network Mapper (NMap). :
http://www.insecure.org/nmap/
Nmap
. , . Nmap IP-
, , , () , ( ) -

, ,
. Nmap ; . Nmap , GNU GPL.

10.3.2 Notes
Notes Domino,
Notes , Notes,
. 10-6.

Notes

. 10-6.
Notes
Notes.

Notes Notes ID, .


, . Notes.
, -, SSL
S/MIME.
:
, .
, .
, Domino Directory, ID- (
). Notes , ,
.
.
.

, Person,
Server Certifier Domino Directory.
. . ,
,
Domino .
, ,
.
, ,
, ,
.
, -.
, Domino
Notes . ,
-
Domino Certificate Authority (CA), (Certificate Authority). Domino 6
-, x.509v3,
x.509, [Certificate Revocation Lists (CRL)] [Certificate Distribution Points (CDP)].

, , ( ) , , ,
. . (, ), (
) .
.
, , .
(ciphertext). . .
, Notes Domino,
, ,
,
(, RSA Security BSAFE Engine Notes Domino)
, , .


Notes Domino
( ), ( ), .
,
,
( ).
, . , ; . Notes Domino
.
,
.
, .

. , Notes, Notes.


;
,
, , , (
, ,
, ).
, ,
( ), , (
). non-repudiation (
).
, .
(
) :
1. (message digest)
. ( ), .
2.
, -

( ) .
3. ,
, .
4.
, . , , .


, , -,
[access control list, (ACL)], Domino .
, Domino , . .
, , , . , , , . Manager ACL
, .
( ): No Access, Depositor, Reader, Author, Editor, Designer, Manager.


ECL, Notes 4.5, (e-mail bombs), ,
(Trojan horses) . ECL ,
.
ECL
. , ,
, ,
,
, .
ECL . , Notes ,
ECL , ,
. , , ECL ( , , : */Lotus, Default) -

, . ECL , , , ,
, ,
( ), , ECL. : Abort (), Execute Once ( ) Trust Signer ( ). ,
No Signature ( )
ECL.


ID-.
Notes.

Notes.
, - , , Notes ID, . ,
.
, Notes.
, , ,
. Notes
Domino, . ,
, .

10.4
, Lotus Notes Domino.
.

11

Domino/Notes 6
Domino
Notes 6,
. . Domino 6 Administration Guide
Notes 6.

Domino Notes. Domino Designer 6 . Domino 6 Designer: A Developers Handbook, SG24-6854.
Domino
, , Domino, ,
. ( ) , .

. , ,
,
, .
:
Domino;
;
Domino;
;
Notes Domino;
Web-;
;
.

Domino/Notes 6

415

11.1 Domino
Domino
Security () Server (. 11.1). :
;
;
Domino;
;
.

. 11-1. Security () Server

416

11

11.1.1 Domino

Domino. . Notes, Domino Server ,
. ,
.

Notes . 6, .

Domino 6
Server Notes
. R6 Only allow server access to users listed in this Directory ( , ), Access server ( ) Not access server ( ) Notes.
Domino 6 -,
Notes.
, -
- ( ).
Server Ports () Internet Ports (-),
, , . Yes () Enforce server access settings (
).
11-1 Notes

Server access list
( )

Notes, Domino
, - (HTTP,
IMAP, LDAP, POP3)
Deny access list
Notes -.
( )
, ,
,
,
Notes Person Domino
Directory - , ,
-
Notes ID lock out ( Notes.
Notes)
, Notes
,
,
. Notes
,
, ,

. 11-1

Anonymous access
( )

Network port access


( )

Limit access to create new


databases, replicas, or
templates (

,
)
Control access to a server's
network port (

)
Encrypt server's network port
(
)

Notes Domino
.

,
.
Domino (LOG.
NSF) User Activity ( )
Notes
Domino ,
. , Alan Jones/Sales/
East/Acme, , ,
TCP/IP
Notes Domino
.

Notes Domino

11.1.2
Domino
, ,
Domino. , ,
.
Security () Server.
. :
Full access administrator ( )
, Server;
Administrator () (
);
Full console administrator ( )
( );

System administrator ( )
.
.
, , , . , , . ,
(, */Sales/Acme).
Administrators (), ; ,
. Administrators () , .

. 11-2. Server


Domino 6
Domino 6. Notes .
, , .

:
;

, ACL ;

Web- (WEBADMIN.NSF);
,
;
,
;
.

. .
, ,
.
, ,
.
ACL .


, :
Full Access Administrators (
) Administrators () Security () Server. .
Full Access Administration ( ) , Administration () Full Access Administration ( ).
, , Server.
Administrator ().
, , , ,
, ,
.

, Domino Designer
( Domino) Lotus Notes.
, .

, Server, , -

. ,

. , Server .
Full Access Administrators ( ) SECURE_DISABLE_FULLADMIN = 1
NOTES.INI. ,
, Server.
NOTES.INI , , NOTES.INI .
, Server.


:
Full Admin, Full Admin/Sales/Acme, Full Admin. , , .
, .

, Jane Admin/Full Admin/Acme.
Full access administrators ( )
.
.
Full Access Administrators ( ) .
:
Event Handler ( )
EVENTS4.NSF ;
, , ,
Database Properties ( ).
.

! , Full Access Administrators (


), Administrators () Database Administrators
( ) Security () Server,
,
(managers) ACL .

11.1.3 Web-

Domino, Web- , Domino.
Web- Web- (WEBADMIN.
NSF). HTTP- Web- Domino Domino. Web- .
Web-:
Microsoft Explorer 5.5 Windows 98, Windows NT 4, Windows 2000 Windows XP;
Netscape 4.7x Windows 98, Windows NT 4, Windows 2000, Windows XP
Linux 7.x.
.
Domino/Notes 6.
Domino:
Web- Administration Process (AdminP);
Certificate Authority (CA) Domino 6,
Issued Certificate List ( ) ;
HTTP- Web-, .
Domino
Web- (WEBADMIN.NSF) . , Full Access Administrators ( ) Administrators () Server, Web-.
, HTTP- ( 20 ) ACL Web-, ,
Server Full Access Administrators ( ) Administrators (), ACL.

webadmin.nsf
ACL Web- . . 11-2.
,
Administrators () Server.
11-2. ACL Web-

,
Server:

. 11-2

Full Access Administrators (
);
Administrators ()

- Default ( )
Anonymous ()
OtherDomainServers ( )


Web- -,
SSL-. Web- , SSL . Web- , / Web-
Domino (WEBADMIN.NSF) SSL-.
Web- SSL.
HTTP .

11.1.4
, ,
Server.
, Server
. Run unrestricted methods
and operations ( ) , Run Simple and Formula agents ( ) . , . , ,
.

. ,
.

Run unrestricted methods and operations (


)
Domino 6
,
, . Domino Designer 6 .

(Restricted mode).
(Unrestricted mode).
(Unrestricted
mode with full administration rights).
,
Do not allow restricted operations ( ).
Lotus Notes.
Server, ACL (, , ACL ).

.
, (),
, Full Access Administrators (
), Agent Builder.
Full Access Administrators ( )
.

Sign agents to run on behalf of someone else (


/)
, , .
; , .

. , ,
, ACL.

Sign agents to run on behalf of the invoker of the agent (


)
, , ,
. , . Web-. ;
, , ( ).

Run restricted LotusScript/Java agents ( LotusScript/Java)


, , LotusScript Java, , , .
, .

Run simple and formula agents ( )


, ( , ). ( ,
), .

Sign script libraries to run on behalf of someone else (


/)
,
, /.
, / .

11.1.5
Notes. ,
. , , .
, , .
Domino .
, . -
. 2, .
:
(Registration).
, , -,
.
(Setup). Notes Location .
- -, .
(Desktop).
. ,

,
.

(Mail archiving). .
.
(Security). ECL
, -
Notes.
o -
HTTP.

. - , , (session authentication).
o - Notes.
( Notes - . 11.7, -
Notes.)
o Notes.
o Notes / -.
, (grace periods) history ( Notes).
o . .

. 11-3. Security Settings

! Person
Server. Domino
, .
Domino ,
, .
ECL, :
ECL ECL .
ECL . Refresh ECL , , ECL; ECL ECL
. Replace ECL ECL. ECL .
ECL : Once Daily
,
ECL ECL; When Admin ECL
Changes ECL
, ECL
; Never ECL .

. 11-4. :
: (organizational) (explicit).
.


, . ,
, Sales/Acme,
*/Sales/Acme. Sales/Acme -


.
,
(Sales) (Marketing),
. ,
Sales/Acme Marketing/Acme , ,
*/Marketing/Acme.
.



. , 6-
, ,
,
.
: , Person
Assign Policy.


,
, , .
, .
,
.

, . , , */Acme ,
60 . Acme . , , ,
. . ,
.
. Policies () User and Server Configuration ( ) Domino 6 Administration Guide.

11.1.6 -
Domino 6
Internet Site -, Domino. Internet Site [Web (HTTP), IMAP, POP3, SMTP Inbound, LDAP IIOP]
Domino. ,
:
Web Site. Web-,
Domino.
LDAP Site. LDAP- .
IMAP Site, POP3 Site SMTP Site. , IP-, Internet
Site.
IIOP Site. Domino
IIOP (DIIOP) . Domino Domino Object Request Broker (ORB).
Internet Site - . ,
Domino 6 Web-
Domino Mapping, Web realms
() File Protection. .
Domino 6 Web Site,
Web-, ,
Web realm.
Internet Site :
e WebDAV (Web-based Distributed Authoring and Versioning) Web- Domino;
e SSL
(Certificate Revocation Lists) -, ;
e hosted organization (
).
Domino . Domino 6 Administration Guide.
Internet Site ( Site)
.
Site .
.

, Internet
Site ;
.
Domino Internet Site,
Server. , Server .
Internet Site Internet Sites, -, Internet Site .

. 11-5. Server,
-

! Internet Site Internet Site


- . , LDAP Internet Site
Server HTTP.
Internet Site, Server
-.
:
TCP/IP;
SSL ( TCP
SSL);
,
.

. 11-6. Web Site

Internet Site
Internet Site SSL- ,
- .
SSL -, SSL Server SSL ,
(key ring) .
SSL-
(server key ring file) Internet Site. Internet Site , , .
Security
() .
(Certificate Revocation
List, CRL) -, Domino .
SSL , IP-
Host names or addresses mapped to this site ( ,
) Basics ( )
Internet Site.
Web- (common name)
DNS-, IP-
Web Site. IP- Host name or addresses to map to this
site ( , ) Web
Site. Redirect TCP to SSL ( TCP SSL) Web Site , IP- .
Domino 6 Internet Site,
No Internet Site.
TCP-, SSL- TCP.
Internet Site
Domino. Web Server Server.
SSL . 6, .
Domino 6
. 11.5.1, Domino.

11.1.7
, . :

, , .
.

Domino 6
- . - . Notes,
Domino Domino 6 Administration Guide.

11.2 HTTP-
Domino 6
Domino 6, Lotus Domino HTTP-.
HTTP , , Domino
HTTP Domino 4.5. Domino 6
HTTP HTTP- IBM
( ICS). , Domino 6 API HTTP.
Web-
, HTTP 1.1
.
denial of service ( , DOS) , ,
URL length . . IP- IP-.
,
HTTP, HTTP- Domino Web-
( Web- Domino),
DSAPI, HTTP- Domino. ( DSAPI HTTP) .

11.2.1 Domino Web Server API


Domino Web Server Application Programming Interface (DSAPI)
C API, Web-
Domino. ( )
Web-.
Domino 4.6.1 Web- IBM Web Server (ICS) Domino GO Web Server API Domino Domino

GO Server GWAPI (Go Webserver Application Programming Interface). Domino 5.0 , - API . Domino 5 DSAPI HTTP- ICS,
Domino 5, GWAPI
( , ).
, HTTP-
Domino 6, DSAPI.
DSAPI,
Domino 6 DSAPI R5, . DSAPI, Domino5,
Lotus Domino 6,
HTTP-, . , , , API,
, HTTP, Domino 6.
, Domino 6 API, R5 DSAPI, , R5 DSAPI
100% , HTTP- ( ,
DSAPI 100% ). Domino 6
DSAPI -, 100% , .

. DSAPI-, R5, HTTP-


DSAPI (private)
Domino 6. , (
DSAPI-)
R5/DSAPI- .
,
HTTP- R6.
DSAPI (single sign-on) . 7.4, DSAPI.

11.2.2 HTTP-
Domino 6
Domino R6 Web- WebSphere.
Domino for IIS, Release
5. Web-
(, IIS)
( ), NSF- HTTP- Domino.
HTTP Domino;
HTTP-
, , HTTP-

Domino, .
Domino [ Domino,
Lotus iNotes Web Access, Lotus Domino Off-Line Services (DOLS), Lotus Discovery Server];
HTTP-
HTTP- .
, Domino,
Domino.
HTTP-
. Domino 6.0 :
IBM HTTP Server (IHS) AIX, Windows NT 4.0 Windows 2000 Server;
Microsoft IIS Windows NT 4.0 Windows 2000 Server.

Domino 6, Domino ( ,
, ,
Domino 6).
Lotus Domino 6 plugins data/domino. plug-ins
WAS 4.x 5.x , Microsoft
IIS IBM Apache HTTP. , Domino 6, HTTP-
(, IIS).

HTTP- Domino
notes.ini (HTTPEnableConnectorHeaders=1). notes.ini Domino , USER,
HTTP- .

HTTP . . C,
HTTP Domino 6.
HTTP Domino6, IBM iSeries . Lotus
Domino 6 for iSeries Implementation, SG24-6592.

11.3 (xSP)
Domino 6
Domino ( , , ,
..)
Domino.
,

Domino. , .
- , , . xSP- (.. ),
Domino .
, , ,
.
, . ,
,

, .

Domino
Domino
Domino
, . xSP, , ,
.
, ACL
Domino Directory
. ACL,
xSP, . , ACL ACL
xSP: .
Site
, -.
ACL ACL Domino Directory.

, - , . help common
Domino, ,
.
,
,
.

11.4
Domino 6
, Notes Notes,

Notes . ,
(roaming users),
,
. Notes ID- , ,
. ,
, . Notes.

.



-. -
, ,
Notes. , -
- .

11.5 Domino
(certificate authority, CA), (certifier), , .
, - SSL S/MIME .
,
, ,
.

(trusted root certificates), , , , .
Notes- -. Domino
Notes- Notes
Notes. Notes
Domino, Domino. Notes-

, Web-.
, - - (X.509),

(SSL, TLS . .). - Domino
.
, SSL Domino, , , SSL
.

. SSL . ,
SSL , , IMAP, POP3 SMTP.
SSL , -. Domino, , . , ;
, , . ,
.
(PKI) Domino
SSL . 6, , The Domino Certificate Authority IBM Redpapers.

. SSL ,
Domino, Domino.

11.5.1 Domino
Domino 6
Domino 6 Domino-, ( CA) .
CA Domino, . ,
Notes- CA -.

CA , CA.
CA;
. Domino
CA Domino Tell.
Domino 6 ,
:
Notes- -.

(registration authority, RA), / .


. CA , , .
- Web-.
, -.
(Issued Certificate List,
ICL) , , .
-, X.509 PKIX.
Domino Notes- -
CA. CA
(, - CA),
CA.
Domino,
CA.
CA.
, ICL ,
.

(ICL)
(Issued Certificate List,
ICL),
CA. ICL ,
, CA.
. CA
:
, , .
CA, .
RA/CA, , .
.

ID-,
.
CA ( Certifier) Domino Directory .

(CRL)
(Certificate Revocation List, CRL)
, -, , . CA
CRL -. CRL
, ICL
. CRL Domino Directory,

.
CRL -. , CRL , CRL. CRL
.
CRL , . ,
. HTTP Web- CRL, ,
,
. Internet Site - Domino CRL
.
CRL: . CRL ( , CRL ) CRL. CRL , CRL . , , ,
CRL, .
CRL CRL.
CRL. CRL
, CRL.
(,
) (. . ) CRL .
CRL.
CRL Tell.


-
(CERTREQ.NSF)
. ,
Administration Process .
, .

, , .


. , CA, Notes- - ,
.

. , ,
Domino 6 , CA.

Domino
Domino (certificate authority administrator,
CAA) :
.
. , CA Notes-.
CA RA, .

Domino Directory , Editor ().
. , , .

. , ,

.
,
.

Domino
(registration authority, RA) Notes Domino, - -. , , Domino , . , Domino ,
CA.
,
. CA Configuration,
ICL .
Domino, Notes,
Notes-.
Web Administrator
Notes. Web Administrator, , Web Administrator, .
Domino :
, Notes-;
-;
, ,

.

.
Domino Directory , Editor ().

, CA
CA , CA . , CA . CA Tell
.
CA , ,
12 . , Administration Requests CA, .
Tell AdminP CA.

. CA ca
Server NOTES.INI.
, CA,
:
1. :
Notes- O () OU (),
CA.
Notes- CA.
-
CA.
2. .
3. CA.
4. - .
. Domino 6 Administering the Domino
System.

11.6
Domino,
Domino.

11.6.1
Domino
Domino Directory.
Administration Process, Domino Directory. , ,
Domino Directory.

11.6.2
Domino .
, ,
, . .
:
Domino
Directory, Configuration Directory;

LDAP;
Dircat (directory
catalogs);
, ;
Domino Directory, Directory Assistance.
Notes ,
, .

Domino
Domino 6 , Domino Domino Directory .
: , , Person Group, , Domino.

Domino 6
,

Domino Directory, Domino Directory. Configuration Directory, Domino Directory
, Domino. , Configuration Directory, Domino Directory
( Domino Directory) Person, Group, Mail-In Database Resource,
, .
, .
,
, ,
Domino Directory, . , Configuration
Directory , , .
, . ,
Domino Directory.

11.6.3 Directory Assistance


Directory Assistance ,
,
Domino Directory (NAMES.NSF). Directory Assistance
:
( , -/
HTTP);
;
Notes;
(referrals) LDAP.
Directory Assistance LDAP-
Domino. LDAP- LDAP- LDAP-,
Domino, LDAP.
Domino PUBNAMES.NTF,
NAMELookup. Directory
Assistance Domino. Domino, Directory Assistance,
(secondary) Domino Directory,
(Extended Directory Catalog) (primary)
Domino Directory.
(secondary) Domino Directory Domino Directory, Domino Directory .
Domino Directory ,
Domino. Domino Directory Domino Directory,
PUBNAMES.NTF,
Domino, , ,
Web-.
(Extended Directory Catalog) , Domino Directory. Directory Assistance Extended Directory Catalog, Extended
Directory Catalog Domino Directory.
(primary) Domino Directory ,
Domino
. Directory Assistance Domino Directory, ,
Domino Directories
Configuration Directory.

Directory Assistance
, Domino - (Web (HTTP),
IMAP, POP3 LDAP), , Directory Assistance.
X.509
.
, Directory Assistance, Directory Assistance :
Basics ( ) Make this
domain available to ( ) Notes clients
and Internet Authentication/Authorization (/ Notes -);
Naming Contexts (Rules) [ ()] , (distinguished names) , , Trusted for Credentials (
) Yes ().
, Web-
LDAP-, Web-
Web- Domino
LDAP- .

! Domino Directory Assistance


, , ,
Directory Assistance.
, -, Internet Site Ports ()
Internet Ports (-) Server.

,

- , , .
Security () Internet Access ( )
Server Domino Directory More name variations with lower
security ( ) Fewer name
variations with higher security ( ( ).
,
Domino Directory.


,
Directory Assistance, , . , ,
cn=alice browning,o=Acme, alice browning. , alice browning. , , cn=alice browning,o=acme
.
Domino,
ACL , , ACL ,
Server, File Protection Web-.


, ,
, , X.509. X.509 ,
, X.509.


Domino -,
.
.
, Domino HTTP Web LDAP ,
, .

Notes
Notes Domino Directory Person Notes.
Compare Notes public keys against those stored in Directory ( Notes ) Basics
( ) Server Notes, ,
Notes, Person .

Notes, , Domino Directory, Domino Directory Compare Notes public


keys against those stored in Directory ( Notes ) , ,
Make this domain available to: Notes clients and Internet Authentication/
Authorization ( : /
Notes- -) Directory Assistance, .
Directory Assistance:
Domino Directory,
Notes;
(Extended Directory Catalog), Domino Directory,
Notes.

. , Domino Directory Extended Directory Catalog,


, Directory Assistance,
,
Notes, ,
Make this domain available to: Notes clients and Internet Authentication/Authorization (
: / Notes- -). ,
,
, .

LDAP-
LDAP- :
, LDAP-;
LDAP Domino, Notes, LDAP

Directory Assistance LDAP-


, Domino, . , .
,
, Domino Directory. ,
Directory Catalog ( ),
Directory Assistance.
( ),

(Distinguished Name, DN),


. ,
,
, . , , / , .
, . ,
/ .
Person
Domino Directory , , ,
. , , , , , , , ,
ACL , .

11.6.4
Domino 6
(ACL) , ,
PUBNAMES.NTF, Domino Directory Extended Directory Catalog. ACL ACL
Domino Directory Extended Directory Catalog.
Notes-,
LDAP-.
ACL ACL ,
Access Control List ( )
Notes 6 Domino Administrator 6. ACL
, ; ,
. ACL
:
, ,
OU=West/O=Acme;
,
Person;
;
.

ACL :
Domino,
, ;
;

,
Readers Authors;

: Notes (NRPC), Web (HTTP), LDAP, POP3 IMAP.

. , Router, ,
ACL. Router,
Readers
, ,
. , Readers,
, Router .
, ACL,
, ACL , , ACL . , ACL
Reader, ACL
Write.
User Creator ACL , ACL
Person Create.
, , , ACL. , Readers , , Browse ACL , Readers.


Domino Directory ACL . , ACL
ACL . ACL Domino Directory Extended Directory Catalog.
:
Domino Directory?
,
ACL, -

. , .
ACL? ACL ,
.
? Configuration Settings Domino Directory
LDAP-.
LDAP Read .
Anonymous () ACL
No Access ( )
, LDAP. ACL Anonymous () ACL ACL LDAP. Anonymous () Reader.

11.6.5 LDAP-
LDAP (Lightweight Directory Access Protocol) - . Domino Notes LDAP :
LDAP, Domino LDAP LDAP-;
LDAP Notes, Notes
LDAP- LDAP-;
Directory Assistance, Domino LDAP- .

Directory Assistance
LDAP-
Domino 6
LDAP- , Directory Assistance LDAP-. ,
.
Type of search filter to use ( )
Directory Assistance. . 11-3.

11-3.

Standard LDAP (
)

LDAP,
LDAP-, Domino, IBM
Directory Server, Netscape/iPlanet Directory Server

Active Directory

,
Active Directory. ,
LDAP- Active Directory

Custom


,
. , LDAP- .
Custom Type of search filter to use (
) ,
, . 11-4.
11-4.

(Mail filter)

Directory Assistance ,
Notes ,
. ,
: (|(cn=%*)(|(&(sn=%a)(givenname=%z))(&(sn=%z)(givenname=%a))))


(Authentication filter)


LDAP- .
,
: (|(cn=%*)(|(&(sn=%a)(givenname=%z))(&(sn=%z)(givenname=%a))))


(Authorization filter)


Notes. ,
: (|(&(objectclass=groupOfUniqueNames)(UniqueMember=%*))(&(objectclass=groupOfNames)(Member=%*)))

,
, RFC 2251 2254.

LDAP
,
LDAP , , .

11-5. LDAP

  %a   first name                                       Alex M Davidson
  %z   last name                                        Alex M Davidson
  %*   the whole string as entered                      Alex M Davidson, amd@acme.com
  %l   local part of the Internet address (RFC 822)     amd@acme.com
  %d   domain part of the Internet address (RFC 822)    amd@acme.com

11-6. LDAP

  Alex M Davidson   (|(gn=%a)(sn=%z)(cn=%*)(mail=%l))   (|(gn=Alex)(sn=Davidson)(cn=Alex M Davidson)(mail=))
  amd               (EmpID=%*)                          (EmpID=amd)
  amd               (EmpID=%z)                          (EmpID=)
  amd               (mail=%*@acme.com)                  (mail=amd@acme.com)
  amd               (mail=%*@*)                         (mail=amd@*)
  amd@acme.com      (mail=*@%d)                         (mail=*@acme.com)
  amd@acme.com      (mail=%*)                           (mail=amd@acme.com)
  amd@acme.com      (uid=%l)                            (uid=amd)
  blue              (color=%*)                          (color=blue)

11.7 - Notes
Domino 6
- ,
Person Domino Directory Notes- . , Domino
Notes Web-. Notes -
- Notes

.
. 11.1.5, .
Notes -.

! , ,
, Notes -
User Security ( )
Notes -. ,
.
User Security ( )
. 11.14, Notes.

11.8 Notes
ID- Notes mail-in ID- Notes. ,
( -Recovery Authorities) Notes.

mail-in :
-Default- Anonymous No Access;

Reader.
ACL
Notes, .
ACL.
ID :
1. Domino Administrator Configuration (),
Certification ().
2. Edit Recovery Information ( ).
3. Choose a Certifier ( ) Server,
Domino Directory (
).
4. , .
Use the
CA process ( CA),
. ,
.
, Supply
certifier ID and password ( ). ,
Certifier ID ( ),
ID- .

5. OK. Edit Master Recovery Authority List ( ).


6. ,
ID-. .
7. Add () ,
.
8. , , :
mail-in,
, I want to use an existing mailbox ( ). Address ()
Domino Directory.
, I want to create a new mailbox (
). Create New Mailbox (
) ,
, . , , .

. Export ()
. ,
.
9. OK.
10. ,

load ca

CA
, .

tell adminp process all


. Notes (O),
-
Notes, .
Notes, . , Action ()
Accept Recovery Information ( ),
ID- Notes.
.
Notes
ID- Notes .

Notes
-
-, Notes
-.
, Notes -,
:
1. , .
2. , .
3. Action () Accept Recovery Information
( ).
4. Backup ID File ( ID-) Send (), .

. ID- Notes
Notes, .

ID- Notes
ID- Notes
Notes ID- Notes. Notes
Notes. , Notes
.
, Notes ID- Notes - .
, , ,
, Notes
.
Notes,
:
1. ( ,
), ( ,
Notes), Notes.

Notes .

.
Notes, ,
Notes.
Notes
.
2.
Notes. Password ()
Notes OK, .
3. Wrong Password ( ) Recover
Password ( ).

. -
Backup ID File ( ID-).
4. Choose ID File to Recover ( ID- )
, .
5. Enter Passwords ( ) ,
, ,

.
6. Notes,
.

. , , ,
Notes.
7. ,
Notes Notes
Notes.

Notes
. :
,
;

, Notes
.


(.. ) - .

11.9 Web-
Web-, Web- Domino. :
.

HTTP .
cookie- cookies, .

HTML-
. , Domino ,
cookie- .


, HTML . (single sign-on).

, , LTPA-cookie ,

. LTPA- ,
. ,
(single sign-on) .

6.2.4, Web-,
LTPA 7.2, LTPA.
,
.

11.9.1
, Domino Domino Directory LDAP-. - (HTTP, LDAP, IMAP, POP3). ,
- Domino. Domino
, Java-,
Domino,
Domino IIOP.

Fewer name variations with higher security (


)
Fewer name variations with higher security ( ) .
, , .
Web- -
, . 11-7.
Table 11-7. Fewer name variations with higher security
Domino Directory

CN=prefix

(, User name Person,


, )
- ( ,
Internet address Person)

LDAP-
DN
CN CN CN=prefix
UID UID UID=prefix

More name variations with lower security (


)
Domino
.
. , . 11-8, Web-.
Table 11-8. More name variations with lower security
Domino Directory

cn=prefix
()
()

(, User name Person,
, )
Soundex-
- ( ,
Internet address Person)

LDAP-

(CN) CN CN=prefix
DN
DN
UID UID UID=prefix

11.9.2 (SSO)
, (single sign-on, SSO), Web- Domino WebSphere Domino WebSphere DNS,
(SSO), .
Web- cookie-,
LTPA- , , cookie-.
:
( Web SSO Configuration)
Domino Directory ( Domino Web SSO Configuration,
, , );
Multi-server Web Site Server.

LTPA . 14, , , .


Domino, SSO.


URL, , ,
(fully qualified domain name, FQDN),
IP-. cookie-
, DNS- cookie-, DNS-
cookie- URL . cookie-
. , SSO,
DNS-).
Web Site Server
(FQDN). Internet
Cluster Manager (ICM)
SSO. DNS-, ICM URL Web-, TCP/IP, cookie-,
DNS- URL.

WebSphere
WebSphere Domino LDAP-. , (SSO),
(Distinguished Name, DN) , cn=john
smith, ou=sales, o=ibm, c=us. LDAP ,
Directory Assistance Domino , LDAP-, WebSphere. , LDAP Domino Directory WebSphere LDAP- Domino.
, ,
WebSphere, LDAP- Domino,
(flat) (
Domino, SSO
flat- ).
SSO- WebSphere
Domino. WebSphere LTPA- SSO, Domino.

Web SSO Domino


Domino
SSO,
.
:
Notes, . Web SSO Configuration , Domino Directory .
Server Person , Web SSO Configuration,
, , Person Server.
Web SSO Configuration Domino:
1. Web SSO Configuration Domino Directory, , Domino Directory .
2. Web SSO Configuration
Participating Domino Servers ( Domino),
Server ,
.
3. Server
. , , Location , , , , . -

, SSO
.
4. .
.

11.9.3 Web- Domino


Directory LDAP-
Web- Domino Directory Person. Domino Directory
LDAP- , Domino .
Domino LDAP-
Directory Assistance.
, Domino
Domino Directory,
Domino LDAP-. Directory Assistance , Domino .
, Domino Domino Directory , , SSL- Domino Directory
Domino Certificate Authority. LDAP, LDAP- Domino.
SSL ,
LDAP-.
, Domino Directory LDAP-, Directory Assistance, ,
. ,
Dave Lawson/Acme, Directory Assistance */Acme.
, .
Domino , , , , . Public Key Checking ( ), Allow Access
( ) . Password Checking ( ). ,
Notes, , , iNotes.

11.9.4 Domino
Domino Web-
Domino
LDAP- Domino Notes/Domino
ACL Domino.
,
:
Domino Portal.
Domino WebSphere Portal,
Portal LDAP-,
LTPA- LDAP, uid=twor
ek,ou=users,o=redbooks,c=us.
, Domino , Domino
LTPA- ( , Portal Domino
LTPA SSO). ACL
Notes, William Tworek/Cambridge/IBM.
LTPA- LDAP-, Domino , , .
Domino LDAP-.
Domino Directory Assistance LDAP- ,
LDAP- Domino
LDAP. Domino Notes, ,
Domino , LDAP- .
, Domino ,
Domino 6:
1. LDAP- ACL .
2. LDAP DN Person
Domino. Domino 5.x Domino 6.02+.
3. Domino LDAP-. Domino 6.x Directory Assistance.

LDAP- ACL
,
ACL Domino , LDAP-. ACL
, LDAP
Notes.

, ACL William Tworek/Cambridge/


IBM , LDAP- uid=tworek/ou=users/
o=redbooks/c=us. , LDAP- ACL Domino
, LDAP, /.
,
, ACL .

LDAP DN Domino
Domino Directory , LDAP Person .
. 11-7.

Fig. 11-7. LDAP, Person



, 8,
. ; LDAP- Person Domino,
.
, Domino 5.x Domino 6.02+.
Domino 6.0 6.01.

Domino LDAP-
Domino , LDAP-. , , , . .
Domino LDAP-.
:
1. LDAP-, , LDAP .
2. LDAP- , LDAP-
Notes.
3. , Domino Directory Assistance LDAP Directory Assistance. DA, LDAP
.
Directory Assistance . 11-8.

Fig. 11-8. LDAP Domino Directory Assistance


,

LDAP- LDAP-.
Domino 6,
Domino 6.x, Domino 5.x .

11.10 Domino
Password Checking ( ) , . . - - ID- Notes
Notes, Notes. Password Checking , ID- Notes,
. -
ID- Notes, .
Password Checking Required Change Interval ( ) ( ), ID- Notes .
Notes . Grace Period ( ). ( ), ( ),
. R5, Version 6

, Person . Notes
R4.67. R5 Version 6.

11.10.1 Notes Domino


Notes Domino : Notes Domino ( iNotes
). , ,
Domino (
), Notes.
,
.
Notes ,
.
Notes, ID- Notes
.

ID- Notes
ID- Notes
:
;

;
, ;
;
49 .

Domino Directory
Domino Directory , . 11-9 11-10.
Table 11-9. , Server

Check passwords on Notes IDs (


Notes)

Table 11-10. , Person

Check password? ( ?)
Required Change Interval (
)
Grace Period ( )

Last Change Date (


)
Password Digest ( )

-

. ,

,

, Notes
(
Person)
,

, .


,

Notes
. .
1. . Server
, .
Server Security (), .11-9.
Check passwords on Notes IDs ( Notes)
Enabled ().
.
, Server.

, Notes Domino, ,
Notes . ,

.

Fig. 11-9.
2. ,
AdminP.
, .
Person.
:
) Domino Directory People View ,
.
) Actions () Set Password Fields (
).
) Notes Set Password Fields ( )
You are about to set the password fields for the selected person records.
Do you want to continue? (
. ?). Yes ().
) . Check Password ( ) Check password ( ), Required Change Interval ( )
Grace Period ( ); . ,
, ,
90 , 30
, 90 30 ( -

, ).
) OK. Administration Process (adminp)
Domino (Domino Server Administration Request Database, admin4.nsf), Notes Completed
Successfully ( ), ,
.
3. Adminp .
, Set password information ( ).
, Adminp, ,
. . 2 . 11-10.

Fig. 11-10. Adminp
4. Adminp .
Adminp
,
.11-11.
Person , ,
Check Password ( ), Change Interval ( )
Grace Period ( ) .

, Password digest ( )
Person . , .
, Notes ( ), Notes
, , , , , Person.
true.

Fig. 11-11. Adminp

, admin4.nsf
. Adminp Grace Period ( ) Change
Interval ( ) ID- Notes.
admin4, , Notes Grace Period ( )
Change Interval ( ).
ID- .

Notes, , , 11.1.

11.1. Notes
PWD_KEY_HDR
Type: 0000
Version: 0000
LastChanged: TIMEDATE
  Innards: 0025 69DC 0039 822B
  Text format: 22/01/2001 10:28:08
ExpirationDays: 0000 005A
NextExpirationDays: 0000 005A
NumDomains: 0001
NumOldPwds: 0001
OldPwdTotLen: 0214
Adminp ,
Password digest ( ) Person
Last Changed Date ( ), . , Person, . 11-12.
, Person , Notes .

Fig. 11-12. Person ,

ID- Notes
, , , .

11.10.2
, Notes , . Notes

.


NOTES.INI CertificateExpChecked. ID- Notes, ,
Notes. Lotus Notes Notes .
, CertificateExpChecked, , Notes,
, , ,
, , ; , 11.2.

11.2.
Where = (
+ )
{

If ( - ) < (25% )
{

}
, CertificateExpChecked,
.

Fig. 11-13.

Password Expiry
( ), . 11-13.
.
OK , .


Server,
, . , Person
Check Password ( ).
, , . 11.13.
,
, .
, . 11-14. .
22/04/2001 :

( ) + ( , ID)

Fig. 11-14.
R4 , OK. ,
, . .
R4.6.7, R5 Version 6
, .
OK , , , , . 11-15.
, .
,
, ,
.

.

Fig. 11-15.
R5 Version 6
, ,
(
, ).
R4.6.7
; , ,
.



30. R5 Version 6,
30- , ID- Notes, -
. 30- ,
, Person
; 30- , ,
,
.
, ,
, . 11.16.
Notes .
, Person, , -

Fig. 11-16.
. , ,
, ,
, Notes, .
.
,
, adminP. , ,
, .


, Person .
, ,
Adminp .
, Person, , ( , ID- Notes
).
ID-, user.id ,
Person ,
. , , Person, Adminp.
. 11.17 Adminp, .
Administration Process
Person Password Digest (
) Last Change Date ( ), ID- .
ID- . .
,
49 , Notes ( ), , . 11-18.

Fig. 11-17. Adminp,
,
, , .

Fig. 11-18. ,

11.10.3
,
. , -.
, , -,
. , , . ,
, , , .

: Connection failed because of a problem with clock synchronization and password change intervals. Check your clock setting, change your password, or
consult your system administrator ( -
.
, ).
-, , Notes Person .



Fig. 11-19. Flowchart (the diagram text did not survive extraction; its surviving labels reference NOTES.INI CertificateIsExpChecked, the Server and Person documents, the ID file dates in dd-mm-yyyy form, and AdminP)

- . 11.19, 11.3.

11.3.

if NOTES.INI CertificateIsExpChecked =
{

//

else
{

//

if ( > ) or ( < )
{

//

print , dd-mm-yyyy
}

else
{

//

if ( - ) < (25% )
{

print : ddmm-yyyy
}
}
}

if
{

//

if Server
{

if Person
{

if Person = EMPTY
{

//

if Person = EMPTY
{

//

ID

Person

AdminP,

else
{

//

if + 3 >
{

//

ID

Person

AdminP,

else
{

//

AdminP,

}
}

}{

//

if Person = EMPTY
{

//

print :
(...)
ID-

else
{

//

If ( + ) <
- )
{

//

print :
(...)
ID-

else
{

//

if
{

//

ID

Person

AdminP,

else
{

//

if ID = Person
{

//

if ID-
{

//

print :
(...)

ID

Person

AdminP,

else
{

//


}
}

else
{

//

print ID- (...)



}
}
}
}
}
}
}

11.10.4

Adminp. Person Adminp
Notes,
.
,
(, Warning: Your password will expire on dd/mm/yy),
Server .
Notes
. ,
, Last
Change Date ( ), Grace Period ( ) Expiration Date ( ), .

. Last Change Date ( )


Person,
.
, adminp- Lockout the user (
). adminp Person; Check Passwords ( )
Lockout ID. , , . 11-20.

Fig. 11-20. ( )
. , . names.nsf , Domino , . Person (, )
,
, Domino Directory.


. ,
adminp-. 12 . , adminp-.
. , , adminp- . , ,
Person.

. adminp
adminp. , adminp
, adminp
, Person.

11.10.5 iNotes
iNotes Web Access Domino, : iNotes
,
?
iNotes - ,

. ,
, Notes.
iNotes Web Access Notes,
Notes. -.

11.11
Notes
(ACL),
.
ACL . Domino Designer 6 .
IBM Redbooks Domino 6 Designer: A Developer's Handbook, SG24-6854.
Domino Notes , ,
. , ,
, , , , , .

, ,
.
.
. , UserCreator ACL Domino Directory
, Person.
ACL:
-Default-;
Anonymous ();
;
LocalDomainServers ( );
OtherDomainServers ( ).
ACL Anonymous ()
Person ACL.
ACL : Anonymous () -Default-. Anonymous () . -Default-
, Anonymous () .
Anonymous () -Default- , Domino Directory. , LocalDomainServers ( ) Domino Directory
ACL . Anonymous () .

-Default , -Default-,
, , , -. , ACL Anonymous (), ,
, -Default-.
-Default-
.
, -Default-, . No Access ( ), ,
. Author () Reader (), . -Default-
Unspecified ().
-Default- ACL .

Anonymous ()
Anonymous () - Notes, .
ACL- Anonymous ()
(.NTF-) Reader (),
.NSF- .
ACL- Anonymous ()
(.NSF-) No Access ( ).

-
-
, . ,
, Manager (). Manager ()
Designer ().

LocalDomainServers ( )
LocalDomainServers ( )
, , , Domino Directory.
LocalDomainServers ( ) Manager
().
Designer
(). LocalDomainServers ( )
, OtherDomainServers
( ).

OtherDomainServers ( )
OtherDomainServers ( ) , , ,
Domino Directory.
OtherDomainServers ( ) No Access ( ).

ACL
-
, ACL
(*).
. , ACL

, , , -.
ACL- .
*/Illustration/Production/Acme/US
:
Mary Tsen/Illustration/Production/Acme/US
Michael Bowling/Illustration/Production/Acme/US
:
Sandy Braun/Documentation/Production/Acme/US
Alan Nelson/Acme/US

ACL. ,
*/Illustration/*/Acme/US

Michael Bowling/Illustration/West/Acme/US
Karen Richards/Illustration/East/Acme/US
- ACL
Unspecified, Mixed Group Person Group.


ACL Notes -, SSL-.
Notes
, John Smith/Sales/Acme, ,
, .
- , User name ( ) Person.

. User name ( ) ,
;
. ACL
Domino, Server .ACL-.


ACL ,
. , (, Server1/Sales/Acme), ,
, .


(, Training) ACL , .

. . ACL,
Domino Directory, Domino Directory LDAP, Directory Assistance.
ACL . ACL :
ACL
. ACL, Domino Directory LDAP-, .

, .

.

. ,
, Manager () Designer
(). , Domino Directory
, ACL . , .



Domino Directory Deny List Only, . Deny Access ( ) Server
Notes, Domino.
, ACL
. Domino Directory,
Add deleted user to deny access group [ Deny Access ( )], ;
, No Deny Access group selected or
available [ Deny Access ( ) )].


, Notes. ACL. , . , Sandra Brown/West/Sales/Acme
Sandra Smith/ANWest/ANSales/ANAcme, AN .

LDAP
-
LDAP-. - ACL
.
LDAP- ,
-, ACL Notes. , - Web- Domino. Web- , ACL Web (),
- Web (), LDAP-, Domino Directory.
, , ,
Directory Assistance Web- LDAP Directory Assistance LDAP- Group Expansion ( ).
Notes, LDAP- ACL .
LDAP- ACL LDAP- , (/), (,). , LDAP- :

uid=Sandra Smith,o=Acme,c=US
ACL :

uid=Sandra Smith/o=Acme/c=US
LDAP- ACL . , LDAP-

cn=managers
ACL

managers

LDAP- ACL. ,

cn=managers,o=acme
ACL

cn=managers/o=acme
, , , (cn, ou, o, c), ACL .
, ACL :

cn=Sandra Smith/ou=West/o=Acme/c=US
Notes, ACL
:

Sandra Smith/West/Acme/US

. LDAP-,
Domino Directory, Domino 6 -
, Domino ACL.
. 8, .

Anonymous ()
, , Anonymous (). - Notes, .
, . , , Anonymous () . Reader () .
. 11-11 .
Table 11-11.
-

Anonymous

ACL (). , Anonymous



() Reader
(), ,
,
Reader ()


no access (
) ACL

Anonymous () No Access ( )
Read Public Docu-ments
( ) Write Public
Documents ( ),
Anonymous ()
.
ACL

,

Anonymous
()
ACL


-Default-.
, -Default- Reader () ACL Anonymous, ,
,
Reader ()



.

(
, -
),

-Default-

[ ,
Anonymous (), ,
-Default-], , , . , Anonymous () Reader () ,
.

. , ,
, ACL Anonymous () No Access
( ), Read Public Documents (
) Write Public Documents ( ).
- ACL .
Domino Anonymous ()
. , Anonymous ()
Author () ACL , Authors () . Domino
Notes,
- Authors () .
Authors () , , ;
, .


@DbColumn @DbLookup ,
, , ACL , . , , Reader () , .
.
ACL : 85255B42:005A8fA4. , ,
.
,
,
-Default- Reader () .

ACL
ACL , , , . , ,
Anonymous ().

ACL
ACL. ACL . , Sandra E
Smith/West/Acme Sandra E Smith/West/Acme/US Sandra E
Smith. ,
(, ),
, ,
, ACL. ,
.

. ACL (, Sandra E Smith),


,
. , Sandra E Smith
Sandra E Smith/West/Acme Manufacturing/FactoryCo,
Sandra E Smith ACL
Manufacturing/FactoryCo.
ACL ,
.
, ACL
. ,
, (, Sales, Sales ,
Acme Sales Sales Managers), ,
ACL.

. ACL, ,
, ACL,
, ,
.
, ACL -. ,
, -,
, -.
, ACL ,
, -Default-.

ACL
, ACL .
, ,
. 20 , .
Manager () ACL ACL.

. ACL (Extended Access) 20


. .

-
,
, Notes , Notes. Maximum Internet name & password access ( - )
. Notes.
,
TCP/IP- SSL-. SSL- , SSL-.
SSL- , ACL .
Anonymous () ACL ,
.
, , .
, Notes
, ,
, Maximum Internet name & password access ( -
).

! ,
ACL ,
.
, Sandra Smith/West/Sales/Acme
Web- .
Sandra Smith/West/Sales/Acme ACL Editor (),
Maximum Internet name & password access ( ) Reader (), Sandra
Reader (). , Sandra Smith/West/Sales/Acme ACL Reader (), Editor (), Sandra Reader ().
Sandra Smith Notes
, Sandra Editor ().
Editor (). , , , -.

! , .
No Access ( ),
Notes -,
SSL- .


Domino 6
, ,
, . ,
,
, .
.
Effective Access ( )
Effective Access ( ) . Domino Directory
.
,
ACL Effective Access ( ). , :
, ACL .
.
, .
Full Access Administrators (
), ,
.
, Names () Calculate Access (
).

! ,
Unrestricted with Full Access ( ),
ACL . ,
Effective Access ( ), ACL . ,
,
, .

ACL
Domino 6
Domino 6 , , enforce consistent ACL ( ACL), .
,
. R6 Domino
. , , Enforce a consistent Access Control List ( ). ,
.
.
, Enforce a consistent access control list ( ) ACL , . . , , . ,
, ACL. , , ,
ACL , .
Enforce consistent ACLs ( ACL):
,
( );
,
( ) Domino Directory.
Enforce consistent ACLs ( ACL):
,
( );
, ( ).

ACL
ACL
-Default- No access ( ). , Default-, ,

, -. Default- No Access ( )
, ACL (
-Default- ACL).
, ( ), Manager (). , ,
. Designer (), .
LocalDomainServers (
) Manager (). LocalDomainServers ( ) , , , Domino Directory. LocalDomainServers ( )
Manager ().

Designer ().

ACL
,
, ACL.
(, Server1/Sales/Acme), ,
, .
ACL .
, Person Group , .
, ACL
. adminp
. Domino Directory
ACL , .
ACL, . ,
, Designers ().
, , . Designer
() ACL.

, ACL,
. ,
, . , , , , , , , .
ACL . Administrators (). .



, .
, Administration Process ACL. Administration Process
, , , , , Domino
Directory ACL , , Administration Process .
Readers () Authors () .
Administration Process Access Control List ( ) Multi-ACL
Management ( ACL) .
Depositor () No Access
( )
, . ,
, , , .
Enforce a consistent Access Control List (
) ,
Manager () ,

.
. ,
.
, ,
SSL-. Secure Sockets Layer (SSL)
,
Domino, TCP/IP.
SSL-
.

11.12
:
.
, , (inbound relay controls) - ,

(inbound recipient controls) .

. , Domino Secure Sockets Layer
SMTP-, IMAP POP3. Notes Notes ID- - X.509. X.509.
Notes ( ) S/MIME
, .
S/MIME
Notes . 6, .

11.12.1
80-, . ,
(flooding). SMTP-, . , .
. . Domino
, .
Domino, ,
, . IBM Redbooks Lotus Domino 6 spam
Survival Guide, SG24-6930.


,
, ,
. . .
, :
, ;
-, .

. , , Domino
, .

.

,
Configuration Settings [Router/SMTP
Restrictions and Controls ( ) SMTP Inbound
Controls ( SMTP)].

. ,
.
Allow messages to be sent only to the following external Internet domains
( -)
-, Domino . Domino
.
- .
, abc.com xyz.com Domino , abc.com xyz.com.
.
@ . ,
@xyz.com, , xyz.com, User@xyz.com. , xyz.com, User@
uvwxyz.com User@abc.xyz.com, .
Domino, ,
(%); , %AcmeEast, ,
Domino- AcmeEast.
Deny messages to be sent to the following external Internet domains ( -)
-, Domino .
(*) -.
Domino ,
. .
, abc.com, Domino -, abc.com. Domino abc.com.
@ . ,
@xyz.com, , -

, xyz.com, user@xyz.
com, , xyz.com, user@server.xyz.com.
Domino (%);
%AcmeEast Domino- AcmeEast. SMTP-
Domino , FAX-.
Allow messages only from the following Internet hosts to be sent to external
Internet domains ( - -)
, Domino SMTP .
, Domino , . .
IP- , Domino ,
-. , lotus.com
ibm.com, Domino , -, , lotus.com ibm.com. Domino , .
Deny messages from the following Internet hosts to be sent to external Internet domains ( -)
, Domino SMTP .
, Domino ,
. Domino .
IP- ,
Domino ,
-.
, lotus.com. Domino
- , , lotus.com. Domino
- lotus.com.
Domino,
(*) .

.
(*) . ,
Allow...
.
;
[127.*.0.1].

. , [123.234.45-*.0-255] ,
, 45.
; Domino
, .
IP- ,
[127.0.0.1].

Allow... . , ,
,
, . ,
, , , .
, Allow.... . 11-12 , Domino
Allow... Deny... .
Table 11-12.

Allow messages to be sent only to the following


external Internet domains (

-)
Deny messages from the following Internet hosts to
be sent to external Internet domains (
-):
(* )

xyz.com


xyz.com,
smtp.efg.
com
smtp.efg.com smtp.efg.com
-
, xyz.com,

Table 11-13.

Deny messages to be sent to the following external


Internet domains (
): (* )

qrs.com
, ,
relay.abc.com,


Allow messages only from the following Internet
relay.abc.com Relay.abc.com
hosts to be sent to external Internet domains

(
,
- qrs.com
)

qrs.com

. Domino Release 5, ,
, -
,
. Release 5
SMTPRelayAllowHostsandDomains NOTES.INI.
, Domino Deny.... , Domino xyz.com . 11-14.
Table 11-14.

Allow messages to be sent only to the following external Internet domains


(
xyz.com, abc.com, qrs.com
-)
Deny messages to be sent to the following external Internet domains
( )
xyz.com

-
Domino 6
(blacklist, blackhole list) (, Open Relay Database Spamhaus Project).

(unsolicited commercial e-mail, UCE), , ,
Domino - SMTP-
DNS (DNS blacklists, DNSBL).
DNS , DNSBL-, SMTP-,
.
DNS SMTP-
Domino DNS- . Domino Mail Routing Events (
) Notes Log. ,
( DNS-) IP- ,
, .
, Domino , ,
Notes ($DNSBLSite) ,
.

DNS
- DNS
, SMTP , ,
. , IP- DNS.
Domino -
, .
, Domino DNS- .
,
, DNS.
Domino DNS- . DNS-, -, . DNS-, , ,
, Domino DNS- .
DNS- DNS- .

.
, ,
.
, ,
, ,
. , .
-,
DNS.

, DNS
DNS- Domino
DNS , ,
SMTP.
, , . , Domino [Router/SMTP Restrictions and Controls
( ) SMTP Inbound Controls (
SMTP) Perform Anti-Relay enforcement for
these connecting hosts ( )]. , ,
.

, DNS
Domino , -
:
;
;
.
Notes : IP ( DNS- ), , .

.
. , Domino ,
, ,
, .
Domino Notes , , . Domino
, , $DNSBLSite , , MAIL.BOX. $DNSBLSite , .
$DNSBLSite , , . ,

, , .
,
, ,
DNS. ,
, ; , , . , , , .

DNS
SMTP ,
, DNS , , . SMTP, , , .
Domino Administrator SHOW STAT SMTP . -

, , IP-
DNS. SMTPExpandDNSBLStats NOTES.INI . - , , Domino
.

. Domino IPv4- DNS


. IPv6-,
Domino DNS .


Domino 6
Configuration Settings SMTP
, .. , -.

Domino , , .
,
,
. :
. Domino ,
-. ,
,
, Domino - ( ).
. Domino
SMTP-.
, .
IP-. . ( IP- ), .


Domino 6
Domino . ,
Domino ,
Deny messages from the following Internet hosts to be

sent to external Internet domains ( - -) .



.
. ,
SMTP- Domino ,
Domino . SMTP- Domino , (, POP- IMAP-),
.

, SMTP- Domino .
SMTP- Domino ,
SMTP- , - .
SMTP- Domino, , , .
-
-, Deny
messages from the following internet hosts to be sent to external internet domains ( - ).
, SMTP- Domino ,
. Domino
, , ,
,
-, -. , Router , -,
RCPT TO, $Users Domino Directory, .

,

(, ) . IMAP- POP3-, Domino - , ,
Domino .

, Domino POP3- IMAP- ,


,
. SMTP- (listener) Domino , ,
. SMTP Ports () Server,
POP3- .
External hosts ( )
Domino , . Domino ( Domino
DNS-, IP- SMTP_
Caller , ).
All connecting hosts (
) .
, (store-and-forward firewall), .
None (). Domino
.

IP-

.
,
(, sendmail,
Domino) IP- Exclude these connecting hosts from anti-relay checks ( ).
Domino .
, , -, SMTP- Domino
Domino -.

. - DHCP (Dynamic Host


Control Protocol) IP- ,
IP- .
IP-
IMAP- POP3-, Domino
-.
.

.
, IMAP- POP3-,
-, , .
Yes (), POP3- SMTP- . POP3- SMTP-.

11.12.2
Configuration Settings Domino , , , Domino , .


Domino 6
ND6 (Inbound Intended
Recipients Controls) . , . MAIL.BOX.
Verify that local domain recipients exist in the Domino Directory (
Domino Directory) Enabled (), Domino ,
DNS-. Domino DNS PTR-,
IP- . Domino
- DNS
PTR-, .
Domino , SMTP- Mail From.
All messages intended only
for the following ( , ).
. REDP-3622.


Domino 6
, , .
, , MAIL.BOX, Domino . , ,
.
:

;
MAIL.BOX;
;
;
.
, , ,
make money fast, .
,
, ,
(EXE, VBS, VBE, SCR . .), ,
, , .
, Domino
, .
, , Domino
, . ,
Don't deliver message/Send NDR ( / NDR), , , .

. Domino ,
don't accept message ( ),
MAIL.BOX,
, . , SMTP- Domino
, SMTP-
, , .
, ,
-. ,
, Notes, MAIL.BOX,
, , .

. ,
, , .
Messaging Settings. Domino ,
Configuration Settings.
Configuration Settings
MAIL.BOX.

MAIL.BOX - (SMTP-, Router , ),


. . ,
MAIL.BOX ( , ,
), .


Messaging ()
Configuration Settings , .
,
, (. 11-15).
Table 11-15.

Notes, Router
, .
: Sender (), Subject (), Body (
), Importance (), Delivery priority ( ),
To (), CC, BCC, To or CC ( CC), Body or subject (
), Internet domain (-), Size (in bytes) [
()], All documents ( ), Attachment name (
), Number of attachments ( ), From (),
Recipient count ( ) Any recipient (
). All Documents ( ),
, MAIL.BOX
Router .
, Attachment Name (
) is () ,
, ,
.
:
contains (, );
does not contain ( , );
is ();
is not ( );
is less than (, );
is greater than (, ).
.
, Attachment Name (
) contains () .VBS,
, ,
, .VBS, LOVE-LETTER.VBS,
CLICK-THIS.VBS.TXT MY.VBS.CARD.EXE.
, (*).
, contains ()
. ,
, ,
.VBS, Attachment
Name contains .VBS, Attachment Name is *.VBS.
.
, (. . 2, two)

:
.
. .
, , , , Add Action ( ) (. 11-16). .
Table 11-16.
Journal this message
Move to database
Don't accept message
Don't deliver message
Change routing state

Router .
Router/SMTP Advanced () Journaling
()
Router MAIL.BOX ,
, GRAVEYARD.NSF.
. .


Domino , Router
.
NDR , .
Domino SMTP-,
SMTP , ,
.
SMTP ( 500) ,
,
.
.
, Notes, Domino
, ,
.
, Notes,
, ,
Domino , , ,
:
Silently delete ( ) Domino MAIL.BOX
;
Send NDR ( NDR) Domino . MIME Notes Richtext,
Notes,
Domino , .
RoutingState
HOLD.
Router MAIL.BOX ,
. Domino ,
, , .
. ,
(,
) RoutingState


, . , , . , , , .
Configuration Settings ,
.
Configuration Settings .
.
. , Server Configuration Settings. 5 .
,
set rules.
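A small evaluator for the mail-rule conditions and actions described above, added here as an example (not the handbook's or Domino's code). It implements the six operators, the "*" wildcard for "is"/"is not", and the AND over a rule's conditions; the Message class, case-insensitive text matching, and any-value matching for multi-valued fields such as Attachment name are my assumptions.

```python
"""Evaluate Domino-style server mail rules: field / operator / value
conditions and the action to apply when all of them hold.

Added example, not code from the handbook or from Domino.
Assumptions are marked in the comments below.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The six condition operators listed on the page.
OPERATORS = ("contains", "does not contain", "is", "is not",
             "is less than", "is greater than")


@dataclass
class Message:
    """Constructed sample message (assumption: a minimal stand-in for a
    MAIL.BOX document); field names follow the rule editor's list."""
    sender: str = ""
    subject: str = ""
    body: str = ""
    size: int = 0
    attachment_names: List[str] = field(default_factory=list)

    def values(self, name: str) -> List[str]:
        """Every value of a rule field, as strings (multi-valued fields
        such as Attachment name return one string per attachment)."""
        return {
            "Sender": [self.sender],
            "Subject": [self.subject],
            "Body": [self.body],
            "Body or subject": [self.body, self.subject],
            "Size (in bytes)": [str(self.size)],
            "Attachment name": list(self.attachment_names),
            "Number of attachments": [str(len(self.attachment_names))],
        }[name]


def _wildcard(pattern: str):
    """'is' / 'is not' patterns: '*' matches any run of characters, every
    other character is literal (assumption: match is case-insensitive)."""
    return re.compile("^" + ".*".join(map(re.escape, pattern.split("*"))) + "$", re.I)


def matches(operator: str, actual: str, expected: str) -> bool:
    """Apply one operator to one field value."""
    if operator == "is less than":
        return float(actual) < float(expected)
    if operator == "is greater than":
        return float(actual) > float(expected)
    if operator == "contains":            # substring anywhere in the value
        return expected.lower() in actual.lower()
    if operator == "does not contain":
        return expected.lower() not in actual.lower()
    if operator in ("is", "is not"):      # whole value, with '*' wildcard
        hit = _wildcard(expected).match(actual) is not None
        return hit if operator == "is" else not hit
    raise ValueError(f"unknown operator: {operator}")


def condition_holds(msg: Message, fld: str, operator: str, expected: str) -> bool:
    """Assumption: a positive operator holds if any value of the field
    matches; a negative one holds only if no value matches."""
    vals = msg.values(fld)
    if operator in ("does not contain", "is not"):
        return all(matches(operator, v, expected) for v in vals)
    return any(matches(operator, v, expected) for v in vals)


Condition = Tuple[str, str, str]          # (field, operator, value)


def apply_rule(msg: Message, conditions: List[Condition], action: str) -> Optional[str]:
    """All conditions of a rule must hold; returns the action to take or
    None when the rule does not fire."""
    if all(condition_holds(msg, f, op, val) for f, op, val in conditions):
        return action
    return None


if __name__ == "__main__":
    # Constructed sample: the attachment names the page uses for "contains .VBS".
    sample = Message(subject="Make Money Fast!!!", size=1500,
                     attachment_names=["LOVE-LETTER.VBS", "CLICK-THIS.VBS.TXT",
                                       "MY.VBS.CARD.EXE"])
    print(apply_rule(sample, [("Attachment name", "contains", ".VBS")], "Don't accept message"))
    print(apply_rule(sample, [("Attachment name", "is", "*.VBS")], "Don't accept message"))
```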


MAIL.BOX (
Notes, S/MIME, PGP . .), , (, ), ,
.
. , .
, , .
Notes ( Form
); , MIME. , MAIL.BOX,
Notes, -
MIME. , SMTP, Memo, SMTP,
Domino NonDelivery Report. Notes:
Appointment,
Delivery Report,
Memo,
NonDelivery Report,
Notice,
Reply,
Return Receipt,
Trace Report.

11.13 Domino Off-Line Services


Domino 6
Domino Off-Line Services (DOLS) Web- IBM Lotus Domino Release 6 , Domino. IBM Lotus Notes 6, .
DOLS ( subscription )
Notes. , , , Notes, .
DOLS subscriptions Java-,
. DOLS , Notes.

DOLS

Offline Security Policy. , ,
,
, .
Offline Security Policy Offline
Services Configuration () Domino Administrator. Security () DOLS subscriptions (. 11-17).
Table 11-17. DOLS

Tighten access to the


database (
)
Tighten security on the
configuration document
(
)

ACL subscription ,
. Anonymous ()
No Access ( )
, Offline
Subscription Configuration Profile ,
DOLS Offline Configuration ( DOLS)
subscription Lotus Domino Designer 6

Tighten security on offline
data (
subscription
)
, Offline
Subscription Configuration Profile
Tighten security for all
DOLSsubscriptions on the server subscriptions ,
(
DOLS Resource (DOLRES.NTF);
) DOLRES.NTF; Designer

11.14 Notes
Domino 6
Notes . Notes 6 ,
Notes, User Security ( ). Notes 6
.
User Security ( ) :
Notes Windows
Web/- Domino;
Notes Notes,
;
;
-,
- Notes ;
Notes -;
Notes -
;
Notes
; , , ,
;
,
.
User Security ( )
. Notes 6 Client Help.
, . , :
Notes -, Person
.
,
( Notes -) ;
, ,
, ,
.
Notes - . 11.7, - Notes.
-.

! , -,
-
, / Person
-.
.
ECL.
(Execution Security Alerts, ESA) ,
, . ECL . ECL , , .

11.14.1 -
- , . -

Notes. , - -, .
- , . Notes - -, PIN
- .
- Notes . Notes 6 Client Help.

- . Domino 6 Administration Guide.

-
- , /
Person -.
.
, ID- (ID File Recovery),
-.

11.14.2
(Execution Control List, ECL)
-

, . ECL , , , ,
.
, ECL , , .
,
, , , ,
, , ,
(hot spots), (,
).
ECL: ECL , Domino Directory (NAMES.NSF), ECL ,
(NAMES.NSF). ECL ECL
. ECL
Notes. ECL Domino Directory
Notes ECL .
ECL . ,
. , , Domino
Notes, Lotus Notes Template Development. , , , .
ECL , ,
, ,
,
.
,
, ECL, Notes
(Execution Security Alert, ESA),
,
ECL. :
Do not execute the action ( ). .
Execute the action this one time ( ). . .
ECL.
Start trusting the signer to execute this action ( ).
ECL ECL.
.

. ECL ,
ECL .
.

Domino 6
More Info ( ). ,
, , Notes,
, .
, , ,
. More Info ( ),
, .

Domino 6
Notes 6 ECL User Security ( ). What Others Do ( )
User Security ( ), , JavaScript.
, , JavaScript
.
Domino 6 Administration Guide Lotus Notes 6 Client Help.

ECL
Domino ECL
, . ECL
ECL .
Notes ECL Domino Directory Notes.
ECL Notes . , John Doe
John Doe ECL.
Notes (,
), ECL , ECL .

. ECL
. ECL
ECL ECL
ECL ,
. ECL
. ECL
ECL .
ECL ECL . ECL
ECL. , -

ECL ( Security Settings, ) ( ECL ).


ECL,
, Security Settings,
. , ECL
ECL .
ECL .
Domino 6 Administration Guide.
Security Settings ECL . Domino 6 Administration Guide.

ECL
, , , .
, ECL .
ECL :
ECL , , ECL .
.
, ( ) .
.
. ECL (,
, , ECL), Allow user to
modify ( ) ECL .
.
, , . ECL,
, , .
,
(, Enterprise ECLApp Signer/West/Acme). ,
,
. ECL .

12

Lotus
Notes Domino
Lotus, .
, Lotus:
Lotus Team Workplace (QuickPlace);
Lotus Web Conferencing and Instant Messaging (Sametime);
Lotus Domino Web Access (iNotes);
Lotus Workplace Messaging;
WebSphere Portal Server;
Lotus Domino Everyplace;
Lotus Sametime Everyplace.
Notes Domino,
Notes/Domino.

Lotus

519

12.1 Lotus Team Workplace (QuickPlace)


IBM Lotus Team Workplace (QuickPlace) Web- . , QuickPlace
, ,
, ,
, . . 12-1.

Fig. 12-1. /

: , QuickPlace , . 12.1, ( ): Readers


(), Authors (), Managers (). , ,
ACL .
QuickPlace Domino. , Web Domino (nhttp.exe) HTTP-, URL- Domino (ninotes.
dll) URL- Domino.

12.1.1 QuickPlace SSL


QuickPlace SSL-
, Web- QuickPlace. SSL- (handshake) Web- Domino, SSL Domino. QuickPlace SSL
LDAP- QuickPlace LDAP-, HTTP
QuickPlace.
SSL , QuickPlace Domino, .

! QuickPlace SSL, Domino, SSL/LDAP .



TCP/IP Notes.
QuickPlace.
Domino . Domino 6.

12.1.2
(place) QuickPlace , .
.
QuickPlace (Contacts1.nsf) .
, .
.
, , . , , .
.

LDAP-
QuickPlace LDAP-
,
LDAP- . (, ) LDAP- QPTool
, .
QPTool ,
. QPTool
:
;
;
;
;
;
;
;
;
PlaceTypes ( );
PlaceTypes;
;
;
PlaceTypes;
Place Catalog ( );
;
;
dead mail ( );
E-Mail API.
, John Smith LDAP- , LDAP- QPTool- updatemember .
QPTool , QuickPlace, . Lotus QuickPlace 3.0
Administrator's Guide, Lotus QuickPlace, Web- :
http://doc.notes.net/uafiles.nsf/docs/QP30/$File/na5d3fus.pdf

.
. LDAP-
, .
,
, .
QuickPlace
, LDAP (Lightweight Directory Access
Protocol) 3, Domino LDAP
LDAP-. , QuickPlace
LDAP- .

12.1.3 QuickPlace
QuickPlace Web-
QuickPlace:

. , QuickPlace single server session-based name-and-password authentication (


), Domino, 1.

.
QuickPlace .
. 12-2. , ,
, . , ,
Domino .
, Web- DNS,
.
(single
sign-on, SSO) QuickPlace LTPA (Lightweight third-party)
HTML-cookie. cookie-
Domino .
QuickPlace , Domino Server API (DSAPI).
1

. . . .

DSAPI-, QuickPlace. DSAPI- . 7.4, DSAPI.

Fig. 12-2.

12.1.4 QuickPlace
QuickPlace
, .
, (room) QuickPlace Server
Settings ( ),
Members Customize ( ).
QuickPlace
QuickPlace. , :

QuickPlace.
,
QuickPlace.
, QuickPlace.
. , , .
( super user) QuickPlace.
,
QuickPlace. ,
.

. ,
.

12.1.5
Server Settings QuickPlace . ,
:
ActiveX Java- ;
(PlaceBots) ;
,
;
Sametime;
Domino Offline Passthru Server;
Alternate Offline Download URL;
URL- ,
QuickPlace -;

, .

12.2 Lotus Sametime


IBM Lotus Web Conferencing and Instant Messaging (Sametime)
: Sametime, Sametime Meeting Room Sametime
Connect.

Sametime Connect : Java Connect Sametime Connect . Sametime Connect


, . . , Meeting Room
(shared whiteboard), (online meeting).
, Connect, Meeting Room.

12.2.1 Sametime Connect


Sametime Connect .
.


Sametime 3 Connect :
1. Sametime (handshake)
(630-) Sametime.
2. ,
( 10 ).
3.
, .
4. , .


, Sametime
connect.ini. connect.ini . , connect.ini, RSA RC2
40.
, .


Sametime- Sametime , Sametime 1.5 .

! - Sametime
(, AOL), .
.
RSA RC2 128- . Sametime Connect.

Sametime 2.5 3.0 Sametime 3.0x


, , Encrypt all meetings ( ) .
Sametime 2.5 , .
Sametime 2.5 Sametime 3.0
.
(instant meetings) Secure
meeting ( ), .
, , ,
.
(buddy list) Sametime
vpuserinfo (vpuserinfo.nsf). , Sametime.
(stauths.nsf)
(stautht.nsf). VPUserInfo , ,
. Connect.
,
.

12.2.2 - Sametime
. 12-1 -, .
Table 12-1. -

Sametime

-
SOCKS 4

-
SOCKS 5

-
HTTP

-
HTTPS

Connect

Meeting Room

(. )

Meeting Room

Meeting Room

Broadcast



Sametime

. , Sametime Meeting Room HTTP - HTTPS. Sametime Meeting Room


HTTPS- - HTTPS. Sametime Connect
- HTTPS ( CONNECT),
Sametime Connect
- HTTPS. Meeting Room
CONNECT - HTTPS, HTTPS-
- HTTPS.

12.2.3 Sametime Java Connect

SSL Web- Sametime. SSL HTTP, .

, Sametime
Connect .

12.2.4 Sametime Meeting Room

SSL Web- Sametime. SSL HTTP, . SSL Domino SSL Sametime-. Domino SSL . 6.2.5, Secure
Sockets Layer.

! cookie-. Cookie , Sametime


Sametime ,
.
cookie-, ,
.

Sametime-
Sametime- , , , .
.
, ,
.

, Security () New Meeting ( ), .


:
, .
.
. Sametime.
.
.

! , .
.
(Online
meeting center). ,
Meeting Center. . , . Meeting
Center , unlisted meeting ( )
, .
, .
. .
, , , NetMeeting,
, .

12.2.5 meeting server

Web- Sametime , .
Sametime.
, Sametime , SSL (Secure Sockets Layer)
HTTP- Sametime- ( ), Web- HTTP-.


Sametime
HTTP- Sametime Web-. , Sametime
Sametime (stcenter.nsf), .


Sametime.
(access control list,
ACL) Sametime Sametime
Sametime Meeting.
Sametime,
Sametime,
ACL, :
Sametime Online Meeting Center (STCONF.NSF), ACL
No Access ( ) .
.
Sametime Web Admin (STADMIN.NSF), ACL
.
Sametime. -
Sametime.

ACL
ACL Domino,
Sametime Meeting Center.
Anonymous () Default No
Access ( ), ACL
. Anonymous () Default No Access ( ) , ,
ACL, .
Default.
ACL ,
,
. , ACL ,
Default.

. ACL Anonymous (), Default ACL


No access ( )
. ACL
Anonymous (),
,
Default . ACL Anonymous ()
No access ( ),
, ACL
Default.

Sametime
Sametime , Sametime. Sametime Development/Lotus Notes
Companion Products.
,
Sametime, ,

Sametime:
STCONF.NTF,
STDISC50.NTF,
STTEAM50.NTF,
STSRC.NSF.
,
ACL Run unrestricted
agents ( ) Server Sametime.
ACL :
: Reader ();
: Group Creator ( ), Group Modifier ( ),
UserCreator ( ), UserModifier ( ).

LDAP-
SSL
, Sametime- LDAP-. , Sametime- LDAP-,
, Sametime.
, Sametime- LDAP-,
:
1. Use SSL to authenticate and encrypt the connection between the
Sametime and the LDAP server ( SSL
Sametime LDAP-) Sametime Administration Tool.
2. Directory Assistance LDAP- .
3. Sametime LDAP-. SSL , Sametime- LDAP, :
Encrypt all data ( ).
( ),
Sametime LDAP-.


SSL-
Sametime LDAP-. , .
Encrypt only user passwords ( ).
(, ), Sametime- LDAP-. ,
Sametime- LDAP- SSL.
, .
Encrypt no data ( ).
Sametime- LDAP- .
, ,
, Sametime- LDAP-, .
, Sametime- LDAP-, . Sametime Server Administrators Guide,
Sametime, Lotus Developer Domain :
http://doc.notes.net/uafiles.nsf/docs/QP30/$File/na5d3fus.pdf


Configuration () Meeting Services
( ) Sametime Administrator Encrypt all Sametime meetings ( Sametime-). T.120 , , Sametime Meeting Room Sametime
Broadcast Sametime . RSA RC2 128-
. , , , .


, Configuration () Meeting Services (
) Sametime Administrator Require all scheduled
meetings to have a password ( -

. 12-3. Sametime Server Meeting Services


), . 12-3.
, .
,
.

12.3 Domino Web Access (iNotes)


iNotes Web Access Web- , Domino, Web-. ,
, .
, , .
iNotes
Domino . , iNotes, .

12.3.1
Domino Notes,
ID- Notes .
Domino iNotes Web Access Web- ID- Notes . , Domino
.
Notes
, iNotes.

X.509
, ID- Notes, Web-, X.509 iNotes. ,
ID- Notes, X.509
.
6, .


. ,
, .
Save this password in your password list (
) . . (replay attack),

.


(realm),
Domino . ,
URL-, ( ), .
yourserver/mail.
, , yourserver/help/help5_client.nsf, , yourserver/help
yourserver/mail.
,
Domino.


, , 30 , , .
, . iNotes Web Access
Logout, ,
.
,
back ()
,
.
,
iNotes Web Access.
, - .

! .
iNotes Web Access ,
.

Forms5.nsf
Forms5.nsf , iNotes Web Access.
JavaScript-, HTML- , iNotes Web Access.
iNotes Web Access , Anonymous () Reader () {
}\iNotes\Forms5.nsf. Catalog.nsf , , Domino
Administrator Files () Notes.

,
, iNotes.


12.3.2
Domino R5.09 iNotes
iNotes. . , .
:

(snooping). , .

.
.
,
, .
Preferences ()
iNotes. Other () Encrypt mail file locally ( ). .
, , , . , :
1. , Offline Sync Manager.
2. iNotes Web Access Preferences () - Other (),
Encrypt local mail file ( ).
3. Go Offline ( ), Install
Subscription ( ), (
).

. Encrypt mail file locally (


) ,
.

12.3.3
-
iNotes Web Access Notes, , , (to do list) : , - .


iNotes Web Access ,


, . iNotes Web Access
,
back () .
, iNotes Web Access
. , ,
.
,
. Internet Explorer ,
. iNotes Web Access
;
, ( -) .

-
Internet Explorer -. Internet Explorer 5.01 Tools () Internet Options ( ) Advanced (), Empty temporary Internet
file folders when browser is closed (
).

12.3.4 iNotes Web Access Notes


Notes
iNotes Web Access.
Notes iNotes:
iNotes .
Notes , iNotes .
iNotes .
, , Notes Notes
iNotes.
iNotes .
iNotes ,

.
ID- (), iNotes, Notes.
iNotes - Domino Directory.
Notes,
-, iNotes.


12.3.5
Notes
(Execution Control List, ECL). ECL
.
, ECL , Domino . ECL . Lotus Domino Administrator 6 Help.
,
. Web- ECL
. iNotes
Web Access, , , . . ,
, .

.
,

.
, (, ,
ECL).

12.3.6
() iNotes Web Access.

Cookie-
, cookie- , . Cookie-
/ .
iNotes Web Access , cookie-. iNotes Web Access cookie-
Shimmer, . cookie-
.


iNotes Web Access iNotes Web Access
. HTML-,
, ( HTTP- Cache-Control) no-cache, , . , , JavaScript, .gif-


iNotes Web Access, . iNotes Web Access , , [,


Empty temporary Internet files when browser is closed ( ) ].
, iNotes Web Access .
pdf- . .pdf-,
, private
Adobe Acrobat. 1 Adobe Acrobat Reader.
, - Internet Explorer (. Q272359 http://
www.microsoft.com) SSL iNotes Web Access
Cache-Control none XML-. ,
. XML- , .
, ,
. , , iNotes Web Access
Logout . - .
, .

iNotes Web Access . ,


, Notes.
iNotes Web Access default copy
and close ( ),
(, read later
with Notes),
Notes.

12.4 Lotus Workplace


Lotus Workplace Lotus,
(on demand) IBM,
:
, -
, , .


Lotus Workplace , , . Lotus Workplace ,



, -:
Lotus Workplace Messaging
.
- , , , , POP3, IMAP Microsoft Outlook. : ; (presence awareness) ;
; (,
, ); WebSphere Member Manager, .
Lotus Workplace Team Collaboration Web-.
, ,
, , - , , . : , ; ; ; ;
; ,
; , .
Lotus Workplace Web Content Management
, , Web-
.
Web-,
, , . , : , (
) .
Lotus Workplace Collaborative Learning ,
, . ,
.
, ,
.


Lotus Workplace . 12-4,


.

Figure 12-4. Lotus Workplace (layers shown: Web, WebSphere Portal, Lotus Collaboration)


Lotus Workplace , . ,
, ,
.
Workplace Messaging ,
Notes/Domino, iNotes
Web Access, WebSphere Portal, .
Workplace Team Collaboration , QuickPlace Sametime, WebSphere Portal, .

12.5 IBM WebSphere Portal


IBM WebSphere Portal IBM,
- (business-to-employee, B2E), - (business-to-business,
B2B) - (business-to-consumer, B2C). , Lotus, WebSphere Portal, Lotus. , ,
Lotus, Lotus,
WebSphere Portal.


12.5.1
Portal Server ,
. .
. WebSphere Portal Server IBM
WebSphere Application Server. - Trust Association Interceptor (TAI).
WebSphere Application Server
LDAP- CustomRegistry , LDAP. WebSphere Application Server Trust Association Interceptor (TAI) Netegrity SiteMinder, Tivoli Policy Director Tivoli Access Manager,
, WebSphere Application Server. , WebSphere Application Server (single sign-on) Domino, WebSphere Application Servers
, Tivoli Access Director Policy Director WebSEAL.
WebSphere Portal Server (Custom Form-based Authentication mechanism), WebSphere Application Server , .
WebSphere
Application Server /wps/myportal WebSphere Application Server All Authenticated Users ( ) Custom Form-Based Challenge ( ).
WebSphere Application Server
, Portal Server.
WebSphere Application Server
: WPS, (, LDAP-) - CustomRegistry.
(, Policy Director WebSEAL)
. WebSphere Application Server
Portal Server TAI.

Portal Server
,
WebSphere Application Server -
. -


WebSphere Application Server,


/wps/myportal WebSphere Application Server. Portal Server
Portal Server. Portal Server

. .

-
WebSphere Application Server,
(, Policy Director
WebSEAL). WebSphere Application Server Trust Association Interceptor (TAI) -
. - , WebSphere Application Server, LTPA-. Policy Director WebSEAL.
Trust Association Interceptor WebSphere Application Server, (Security Center)
WebSphere Application Server trustedservers.properties.
, WebSphere Application Server TAI, , .. , , . TAI (Distinguished Name, DN), . WebSphere Application Server
,
. , , WebSphere Application Server . , WebSphere Application Server LTPA-
cookie- .
WebSphere Application Server TAI Tivoli Access Manager Tivoli
Policy Director. WebSphere Portal Server TAI SiteMinder,
TAI Portal
Server.
TAI .
- , Portal Server -
TAI LTPA-.
WebSphere Application Server -


, WebSphere Application Server Portal Server . , WebSphere Application Server WebSphere


Portal Server ,
.
TAI, WebSphere Application Server. , SiteMinder Tivoli Access
Manager, TAI .


WebSphere Portal Server Portal
Server, LDAP-,
( ).
WebSphere Application Server CustomRegistry
. LDAP
WebSphere Portal Server , WebSphere
Application Server,
.

.
, . , LDAP-
,
. Member Services Portal Server, ,
.
WebSphere Application Server .

(, LDAP-)
Portal, WebSphere Portal Server,
Customer User Registry (CUR). Member Services
.
, . , , . WebSphere
Portal Server .


(single sign-on) WebSphere Portal Server ,
,
.


WebSphere Portal Server - . ,


WebSphere
Portal Server,
,
. WebSphere Portal Server
WebSphere Application Server, - ,
, Tivoli Access Manager SiteMinder. WebSphere Application Server Domino.
WebSphere Portal Server .
Credential Service, , , ,
. ,
WebSphere Portal Server
.
Portal Server Java Authentication and Authorization Services (JAAS). .
WebSphere Portal Server JAAS. WebSphere
Portal Server JAAS Subject . JAAS Subject Principal Credential. Principal , DN , . Credential , CORBA Credential, . JAAS Subject Principal Credential,
Credential Service.

Credential Service
Credential Service , LTPA- .
Principal JAAS Subject,
(credential vault service). Credential Service
JAAS Subject. Credential Service
Tivoli Access Manager SiteMinder JAAS Subject .


(Credential Vault) , , . -


, ,
, .
WebSphere Portal Server
. (Default Vault)
, , ,
. , , , POP3, ,
. , , ;
.
, base64.
, ,
(Vault Adapter) . (Vault
Adapter Implementation):

was_root/lib/app/config/services/VaultServices.properties
,
. (Vault Segment) Credential Vault.
WebSphere Portal Server , , Tivoli Access Manager. Portal Server
Tivoli Access Manager, AIX, Solaris Windows. . . . Credential Vault.

12.5.2
,
Access Control List.
Application Server - . Application Server
EJB (Enterprise Java Beans). WebSphere Portal Server
, , . WebSphere Portal Server .
WebSphere Portal Server ,
Tivoli Access Manager SiteMinder
.


WebSphere Portal Server


.
, . .
Access Control List .
, Tivoli Access Manager Netegrity SiteMinder, .
, (access control). Access Control List (ACL)
. . WebSphere Portal
Server. Access Control List .
, . , , WebSphere Application Server - . WebSphere
Application Server EJB. WebSphere Portal
Server , ,
. , . WebSphere Portal Server
J2EE, .

Access Control List


Access Control List ,
. ,
, . Access Control List
.
. WebSphere Portal Server
.

. ,
WebSphere Application Server
Administrative Role. ,
, (Security Center)
Application Server.


, .
, DELEGATE, ,
.
: VIEW, EDIT, MANAGE CREATE. -


,
. WebSphere Application Server. .

DELEGATE
DELEGATE . DELEGATE, (, ),
.
(VIEW, EDIT, MANAGE, CREATE), ,
. DELEGATE . DELEGATE ,
. , Sandy EDIT DELEGATE
Financial DELEGATE , Fred, Sandy Fred VIEW EDIT Financial.
Sandy MANAGE , MANAGE .


.
, , . MANAGE DELEGATE
. Access Control List,
, .
, . .
, . ,
.


Access Control List .
WebSphere Portal Server
.
, wpsadmin wpsadmins.
,
, wpsadmin. LDAP . wpsadmins ,


LDAP.
, ,
LDAP .

MANAGE PORTAL,
.
WebSphere Portal Server , XML- . MANAGE DELEGATE
. VIEW
. VIEW , .

Access Control List.

.
MANAGE .

DELEGATE DELEGATE
, . Portal Server . ,
,
.


WebSphere Portal Server
, , . WebSphere Portal Server
: Tivoli Access Manager Netegrity SiteMinder.

WebSphere Portal Server. ,
MANAGE DELEGATE
ACL.
,
Access Control List . , EXTERNAL_ACL, MANAGE DELEGATE.
. ,
, , ,
, MANAGE DELEGATE.




. Access Control List . Access Control List ,
,
MANAGE DELEGATE. Access Control List
.
, , ACL . ,
Tivoli Access Manager ACL Tivoli Access Manager.
WebSphere Portal Server
. WebSphere Portal Server.


.
. TAM SiteMinder . WebSphere Portal Server.

SSL
, SSL (Secure Sockets Layer)
.
SSL . , SSL .
WebSphere Application Server
Web-. ; . .
, WebSphere Portal.
.
-, Web- HTTPS. ,
(Certificate Authority, CA). IKEYMAN
.
, Web- , , Web-,
. SSL
Web- .
Web- , ikeyman,
HTTPD WebSphere Application Server.


. SSL
Web- WebSphere Application Server IBM WebSphere V4.0 Advanced
Edition Security, SG24-6520.

12.5.3
.
, , .
(Setup Manager) (, DB2) , 42 .
.

. ,
, , wpsbind wpsadmin , WebSphere
Portal Server.

12.5.4
install.log wps_root/install.
WebSphere Portal Server
LDAP XML-:

AppServer_home/lib/app/xml/wms.xml
AppServer_home Application Server.
LDAP Member Services,
.
was_root/lib/app/xml/wms.xml.

12.5.5 Member Services


Member Services WebSphere Portal Server, .
. Member Services . , . Member Services
, ,
, .
Member Services
, .


Member Services :
(Profile management). , Manage Users.
(User repository). ,
. . .
. WebSphere Portal Server.
(Group membership). Member Services
Portal Server.

.


Member Services :
. ,
, . , , ,
, , ,
. ,
(generic user). .
.
. ,
. .
,
, , Portal Server
, .


,
,
. Manage Groups.

. . ( LDAP-, ,
, ) .
Member Services LDAP-
.



, , , , . , , ,
, . .
, .
, , -, .
.
. .
WebSphere Portal Server. LDAP-
.
, LDAP.

Member Services Authentication. . , , , .


LDAP-
.
, Member Services. Member Services

. WebSphere Portal Server
XML-:

<was_root>/lib/app/wms.xml
WebSphere Portal Server WebSphere Application Server . WebSphere Application Server
.

Member Services
LDAP- , Member Services,
.
, .


Member Services
Portal Server
Member Services XML-:

<was_root>/lib/app/xml/wms.xml
,
.
Portal Server :
.
CustomRegistry. XML-:

<was_root>/lib/app/xml/wms.xml
LDAP XML-:

<wp_root>/wms/xml/attributeMap.xml
,
. LDAP- inetOrgPerson, LDAP-.
wms.xml Member Services
. WebSphere Portal Server. ,
<DIRECTORY.../> , Member Services .

LDAP
Member Services ,
Java-, ,
. LDAP-,
LDAP- XML-:

<wp_root>/wms/xml/AttributeMap.xml
LDAP- Java- ,
Java- , LDAP-.

LDAP- , , , . LDAP- attributeMap.xml.
: , , ,
.



Portal Server ,
. , . WebSphere
Portal Server ,
. , Portal Server
. , ,
GlobalMarketing, , USMarketing. Portal Server
, USMarketing GlobalMarketing. USMarketing , GlobalMarketing. , GlobalMarketing File Server USMarketing World Clock, USMarketing
File Server World Clock. , Fred
GlobalMarketing File Server,
Sandy USMarketing
File Server, World Clock.
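The Python model below is an added illustration, not code from the handbook or from WebSphere Portal. It implements the two rules described above: the DELEGATE rule from 12.5.2 (Sandy, holding EDIT and DELEGATE on Financial, may give Fred VIEW or EDIT but not MANAGE) and nested group inheritance (Sandy in USMarketing, which is inside GlobalMarketing, gets File Server and World Clock; Fred, only in GlobalMarketing, gets File Server). One assumption is not stated on the page and is marked in the code: EDIT implies VIEW and MANAGE implies EDIT.

```python
"""Added example; not code from the Lotus Security Handbook or from
WebSphere Portal. Models the portal permission rules as the handbook
describes them:

  * resource permissions VIEW, EDIT, MANAGE, CREATE, plus DELEGATE;
  * DELEGATE lets a user grant others permissions on a resource, but only
    permissions the delegating user holds (Sandy: EDIT + DELEGATE on
    "Financial" -> may give Fred VIEW or EDIT, not MANAGE);
  * groups nest: members of USMarketing, itself a member of GlobalMarketing,
    receive what is granted to both groups.

ASSUMPTION (not on the page): EDIT implies VIEW and MANAGE implies EDIT.
"""

PERMISSIONS = {"VIEW", "EDIT", "MANAGE", "CREATE", "DELEGATE"}
IMPLIED = {"MANAGE": {"EDIT", "VIEW"}, "EDIT": {"VIEW"}}   # assumption, see above


def expand(perms):
    """Close a permission set under the assumed MANAGE > EDIT > VIEW order."""
    out = set(perms)
    for p in list(out):
        out |= IMPLIED.get(p, set())
    return out


class PortalACL:
    def __init__(self):
        self.grants = {}    # resource -> principal -> set of permissions
        self.members = {}   # group -> set of direct members (users or groups)

    def add_member(self, group, member):
        self.members.setdefault(group, set()).add(member)

    def grant(self, resource, principal, perms):
        unknown = set(perms) - PERMISSIONS
        if unknown:
            raise ValueError("unknown permission(s): %s" % sorted(unknown))
        self.grants.setdefault(resource, {}).setdefault(principal, set()).update(perms)

    def groups_of(self, principal):
        """Every group the principal belongs to, directly or through nesting."""
        found, todo = set(), [principal]
        while todo:
            p = todo.pop()
            for group, members in self.members.items():
                if p in members and group not in found:
                    found.add(group)
                    todo.append(group)
        return found

    def permissions(self, user, resource):
        """Effective permissions: union over the user and all their groups."""
        acl = self.grants.get(resource, {})
        perms = set(acl.get(user, set()))
        for g in self.groups_of(user):
            perms |= acl.get(g, set())
        return expand(perms)

    def resources_of(self, user):
        """Resources the user can see at all (what the portal would render)."""
        return {r for r in self.grants if self.permissions(user, r)}

    def delegate(self, delegator, resource, grantee, perms):
        """`delegator` hands `perms` on `resource` to `grantee`.

        Refused unless the delegator holds DELEGATE on the resource and every
        permission being handed out, MANAGE included.
        """
        held = self.permissions(delegator, resource)
        if "DELEGATE" not in held:
            raise PermissionError("%s has no DELEGATE on %s" % (delegator, resource))
        missing = set(perms) - held
        if missing:
            raise PermissionError("%s cannot delegate %s on %s: not held"
                                  % (delegator, sorted(missing), resource))
        self.grant(resource, grantee, perms)


def handbook_scenario():
    """Build the handbook's two illustrations and return the ACL."""
    acl = PortalACL()
    acl.grant("Financial", "Sandy", {"EDIT", "DELEGATE"})      # DELEGATE example
    acl.add_member("GlobalMarketing", "USMarketing")           # nested groups
    acl.add_member("USMarketing", "Sandy")
    acl.add_member("GlobalMarketing", "Fred")
    acl.grant("File Server", "GlobalMarketing", {"VIEW"})
    acl.grant("World Clock", "USMarketing", {"VIEW"})
    return acl


if __name__ == "__main__":
    acl = handbook_scenario()
    print("Sandy sees", sorted(acl.resources_of("Sandy")))
    print("Fred sees", sorted(acl.resources_of("Fred")))
    acl.delegate("Sandy", "Financial", "Fred", {"VIEW", "EDIT"})
    try:
        acl.delegate("Sandy", "Financial", "Fred", {"MANAGE"})
    except PermissionError as e:
        print("refused:", e)
```

The delegate() check is the part worth keeping in mind when reviewing a portal: the set of permissions a delegator can hand out is bounded by what the delegator holds, so MANAGE can only spread from someone who already has it.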

Tivoli Access Manager


WebSphere Portal (
):

;
User/Group Manager
;
LDIF-, , LDAP-.
Tivoli Access Manager WebSphere Portal LDIF-
:

;
, WebSphere Portal Server,
Tivoli Access Manager (. portallogin.config)
; , .

Tivoli Access Manager TAM:

pdadmin> user import wpsadmin uid=wpsadmin,cn=users,dc=yourco,dc=com


pdadmin> user modify wpsadmin account-valid yes

Tivoli Access Manager WebSphere Portal.


.
, WebSphere Portal, . WebSphere Portal Server.


, /wps/myportal, , /wps/portal/.scr/Login, . WEBSEAL TAI
Portal Server. /wps/myportal.
WebSphere Portal Server , . , .
.


(common
names), WebSphere Portal Server. WebSphere Portal Server
, . , was_root\lib\app\config\puma.properties:

puma.commonname = {0} {1}


{0} , {1} . {0} {1} + +. {0}, {1}. ,
, , : puma.commonname = {1} {0}.


WebSphere Portal Server . .
.


WebSphere Portal Server (self-care)
. ,
.



, , . .
,
.
, WebSphere Portal .
Portal Server (turbine
actions) .
Puma.properties Registration Servlet.
puma.UserValidator , .
JSP (Java Server Pages):
UserProfileForm.jsp , ;
UserProfileConf.jsp , ;
Congrats.jsp , ;
RegistrationError.jsp .

JSP-
JSP- WebSphere Portal Server
, . JSP- , , wps.Name, Name , . Name
inetOrgPerson LDAP-,
attributeMap.xml, , LDAP-. Portal Server, : 64 255
.

(Self-care) , ,
. Portal Server
, . Puma.properties
Registration Servlet. puma.UserValidator
, .


JSP-:
UserProfileForm.jsp . . , .
UserProfileConf.jsp . Continue
(). UserProfileForm.jsp
Cancel ().
RegistrationError.jsp .

12.6 Domino Everyplace Access


Domino Everyplace Access Server (DEAS) Domino HTTP. Domino Mobile Notes,
Notes/Domino,
Domino. DEAS
, Domino
WAP 1.1.
Domino Everyplace Access - Domino .
HTTP- WML.
Domino Everyplace Access
, , Notes. Domino DEAS Domino, WML.


DEAS- ,
Manager () Domino,
. , , DEAS-
Manager () Delete . localdomainserver .

Domino Everyplace
:
, .
.
Notes ( ) .
Internet password (-) Person.


IP- WAP- /
IP- WAP-.
Web- DEAS.
,
IP- WAP-, , Server. IP- WAP-,
IP-. IP-, ,
Permitted WAP gateway IP Addresses ( IP- WAP-).
IP- Restricted WAP gateway IP Addresses ( IP- WAP-).
( Phone.com).
, Phone.com, . , Server, Person, , . ,
.
( Phone.com).
DEAS- ( , , ),
.
, . , - - .

. ,
, .

12.7 Sametime Everyplace


Sametime Everyplace (STEP) Sametime WAP-,
. , , Sametime, , Sametime Connect .
Sametime Everyplace :
WAP 1.1
Web- , Notes, Netscape 4.5
( 4.7), Microsoft Internet Explorer 4.01 Service Pack 2
.

. Netscape 4.7 Netscape 6.0 .


.
STEP , WAP
1.1. . , STEP-.

STEP
STEP-
Sametime. STEP Sametime
. Sametime :
(STAUTHS.NSF) (STAUTHT.NSF), STEP Sametime.
STEP Sametime. STEP
.

STEP
STEP Sametime .
STEP . STEP- ,
STEP- , STEP- .
Sametime , ,
STEP. STEP Domino, , Sametime Domino,
STEP.
STEP Sametime, (STAUTHS.NSF)
(STAUTHT.NSF) STEP-.

STEP Domino
STEP Sametime, ,
Domino. STEP- Domino,
Sametime .
STEP Sametime , :
1. - STEP- Sametime.
2. STEP- Sametime.
3. Directory Assistance, STEP- .


12.8
Lotus, Notes
Domino, . Lotus, ,
, .
:
Lotus Team Workplace (QuickPlace),
Lotus Web Conferencing and Instant Messaging (Sametime),
Lotus Domino Web Access (iNotes),
Lotus Workplace Messaging,
WebSphere Portal Server,
Lotus Domino Everyplace,
Lotus Sametime Everyplace.
Notes Domino, ,
, Notes Domino.



, Lotus. ,
.

, , .

13

Lotus, , .
, .
,
.


13.1
Redbooks Company. Redbooks : , , . , . , ,
, , .
,
.
.
, .
.
: .

.
.

13.2 1.
, RedbooksCo , , . , ,
;
Web-. ,
Lotus Domino Domino Web Access (iNotes) , Lotus
Team Workplaces (QuickPlace) Lotus Instant Messaging (Sametime) .
, RedbooksCo , ,
. ,
, ,
.
Redbooks . (single sign-on, SSO) .

URL ( Matt Milza):
http://itsosec-dom.cam.itso.ibm.com/mail/mmilza.nsf


URL Web- .
. 13-1.

. 13-1.
,
. Lotus Sametime QuickPlace
, .
iNotes , , . 13-2.
iNotes RedbooksCo . RedbooksCo -

. 13-2.


, iNotes.
. ,
, .

. 13-3. Sametime Meeting Server


, Lotus Sametime.
.
Sametime Java Connect Redbooks .

. 13-4. QuickPlace Server


, QuickPlace. QuickPlace .
. RedbooksCo , () . , .
, . .


13.3 2.
, RedbooksCo

. RedbooksCo .
, , ,
.
,
- (reverse proxy). - , - . , . - , .
. :
-, -; ,
- / ,
.
,
, ,
.
, .
SSL (Secure Sockets
Layer) -. , -.
Redbook
, URL, :
https://itsosec-dom.cam.itso.ibm.com/mail/mmilza.nsf
, SSL URL HTTPS.
- Domino SSL.
,
,
( SSL -)
.
,
-
. -.
-


Domino. -
, . , ,
https://itsosec-dom.cam.itso.ibm.com
you are not authorized ( ), . 13-5. - ,
.

. 13-5.

13.4 3.
RedbooksCo ,
: Domino,
, ,
. ,
, . ,
,
,
Domino Directory, .
, LDAP,
. -


RedbooksCo. Directory Assistance Lotus Lotus-


Domino LDAP- .
.
LDAP- ,
Domino LDAP-, Lotus.
RedbooksCo , ,
,
. ,
-
RedbooksCo .

13.5 4.

RedbooksCo , ,
, .
. , -
Lotus . ,
-, - Sametime
Sametime, RedbooksCo
. Sametime (3.1)
.
,
URL . (QuickPlace, Sametime, iNotes ..),
.
WebSphere Portal. . - , .
WebSphere Portal , RedbooksCo . - , , SSL- .


URL, :
https://itsosec-wps.cam.itso.ibm.com/wps/myportal
, . 13-6.

. 13-6. WebSphere Portal



, RedbooksCo.
,
, .
URL Redbooks, , .
, , ,
URL .

.

13.6 5.

RedbooksCo Web-
, .

. 13-7. Lotus Learning Management System


Workplace Messaging Lotus Learning Management System.
, .
. , .
RedbooksCo WebSphere Portal
,
, .

13.7 6.
RedbooksCo SSL -. , LDAP-,
, , .
,
- WebSphere Portal / Lotus
.
.
RedbooksCo ,
,
- ,
. , -
, .
IBM Tivoli Access Manager (TAM). -


- - . ,
TAM , -. TAM
, - .
TAM -
TAM- -. TAM-
LDAP-. - . ,
TAM- . .

13.8 7.

RedbooksCo Web- .
Sametime, . , Sametime, .
, RedbooksCo,
, RedbooksCo.

. Lotus Sametime 3.0. Lotus


Sametime 3.1 Sametime -,
Lotus- , Sametime 3.1
-.
- Sametime 3.1 . 5.5, - Lotus Sametime 3.1.

13.9

RedbooksCo.
. Lotus.
.

.


14

,
, Redbooks.

(single sign-on, SSO)

.


14.1
(Domino, Sametime QuickPlace)

Lotus Domino, Sametime QuickPlace .
. 14-1 . ,
Web- Lotus, Domino. Lotus Domino LDAP,
Lotus Sametime Domino LDAP.

Figure 14-1. Test environment (servers shown: ITSOSEC-QP, ITSOSEC-DOM, ITSOSEC-ST)

14.1.1
Lotus Domino
:
1. Linux RedHat 8. sendmail telnet vncserver.
Lotus Domino.
2. Lotus Domino 6.01.
3. Redbooks
Servers. itsosec-dom/Servers/Redbooks.
4. Sametime QuickPlace.
itsosec-st/Servers/Redbooks itsosec-qp/
Servers/Redbooks .
5. : East West.
6. / East West
Lotus iNotes/Domino Web Access.
Lotus Sametime :


1. Windows 2000 Service Pack 3.


2. Lotus Domino 5.010.
3. Sametime 3.0 Service Pack 1
LDAP- . LDAP- itsosec-dom/Servers/Redbooks (itsosec-dom.cam.itso.ibm.com).
4. Domino 5.012 .
Domino
. Domino, Domino Directory LDAP-, . Domino 5.012. ,
Domino 5.012 Sametime
Domino 5.012.
Lotus QuickPlace :
1. Windows 2000 Service Pack 3;
2. Domino 5.012;
3. Lotus QuickPlace 3.0.

14.1.2 Web SSO Configuration


Lotus Web SSO Configuration Domino Directory. Web
SSO Configuration Web SSO
Configuration :
1. Domino Directory (names.nsf) Domino (itsosec-dom/Servers/
Redbooks).
2. Configuration ().
3. Servers ().
4. All Server Documents ( ).

. 14-2. Web SSO


5. Web () Create Web SSO Configuration ( Web
SSO Configuration).
6. Web SSO Configuration (. 14-3). :


. 14-3. Web SSO Configuration


LtpaToken.
cam.itso.ibm.com.
DNS- (.. itsosec-dom.cam.itso.ibm.com, itsosec-st.cam.itso.ibm.com, itsosec-qp.cam.itso.ibm.com).
Lotus Domino,
.
-, 30 , .
7. Keys () Create Domino SSO keys ( Domino SSO).
LTPA-, LTPA-.

. 14-4. Domino SSO


8. ,
Web SSO Configuration.
Server Internet
Protocols (-) Domino Web Engine (- Domino):
) Session Authentication ( )
Multiple Servers (SSO) [ (SSO)].
b) Web SSO Configuration Web SSO Configuration,
6. LtpaToken.


. 14-5.
9. Domino Directory . , Web SSO Configuration
Server .
HTTP, Web SSO. HTTP Tell HTTP Restart Domino.

. Lotus Domino 6 SSO


Internet Site. ,
Internet Site .

14.1.3
SSO (Fully
Qualified Domain Names, FQDN).
Server . Basics (
) Server, . 14-6.
, FQDN, Ports () Notes
Network Ports ( Notes) Server, . 14-7.

. 14-6. Basics ( ) Server


. 14-7. Ports () Server


, FQDN, Internet Protocols
() HTTP, . 14-8.

. 14-8. HTTP Server

14.2 -
, . WebSphere Edge,
SSL . Web-, , ,
Domino Directory.
. 14-9 ( ), .
-, Lotus Domino, ,
( ). /
.


. 14-9. Edge

14.2.1 SSL
SSL- SSL Lotus.
SSL / SSL-/.
, , Verisign.
Domino CA (untrusted) SSL-/ .

. 14-10. Internet Ports (-) 1


Domino SSL, Server . Ports () Internet Ports


(-) Server ,
SSL (SSL Key Ring) ,
SSL.
SSL 443
, . .
Internet Ports (-) . 14-8
14-9.
Server
HTTP.

. 14-11. Internet Ports (-) 2

14.2.2 WebSphere Edge Server


( -)
IBM WebSphere Edge Server
Edge Server Windows 2000 (Service
Pack 3). Edge Server Configuration Wizard -. :
Select Proxy Behavior ( -) Reverse Proxy ( -);
Select Proxy Port ( -)
80;
Target Web Server ( Web-)
URL itsosec-dom.cam.itso.ibm.com.


Edge Server
Web- :
http://itsosec-rp.cam.itso.ibm.com/admin-bin/webexec/frameset.html
:
, Proxy Settings ( -), HTTP.
. 14-12.

. 14-12. -
Privacy Settings ( )
HTTP- . Forward clients IP address to destination
server ( IP- ).
HTTP-, IP-
. . 14-13.

. 14-13.


SSL , SSL-. , SSL-


. SSL . 14-14.

. 14-14. SSL
Caching Filters ( ) - , -.
-
, HTTP-.
, . *//itsosec-dom.cam.itso.ibm.com/*
WebSphere Edge Server, . 14-15.
Last Modified Factor ( )
Domino, Edge.
URL- ?OpenImageResource ?OpenElement&FieldElemFormat=gif. Domino, -
( , HTML). . 14-16.
Basic Settings ( ) IP-, . . ,
IP-. . 14-17.


. 14-15.

. 14-16. Last Modified Factor ( )



. 14-17.
HTTP Methods (HTTP-) ,
Edge. ,
Domino, GET, HEAD POST.
, . . 14-18.
Request Routing ( )
. ,
. . 14-1 , Request Routing ( ). , , 192.168.0.3 IP- itsosecdom.cam.itso.ibm.com.
, , Edge , /mail /iNotes . . URL, 192.168.0.3 Domino.

Table 14-1. Request routing rules

Index  Action  Request template  Replacement file path
1      Proxy   /mail*            http://192.168.0.3/mail*
2      Proxy   /iNotes/*         http://192.168.0.3/iNotes/*
3      Proxy   /inotes5/*        http://192.168.0.3/inotes5/*
4      Proxy   /icons/*          http://192.168.0.3/icons/*
5      Proxy   /domjava/*        http://192.168.0.3/domjava/*
6      Proxy   /names.nsf        http://192.168.0.3/names.nsf*

. 14-19.

. 14-18. HTTP-

. 14-19.
IBMPROXY.CONF
. IBMPROXY.CONF :
SignificantUrlTerminator ?OpenImageResource
SignificantUrlTerminator ?OpenElement
SignificantUrlTerminator /?OpenImageResource
SignificantUrlTerminator /?OpenElement
fail /*
ReversePass http://192.168.0.3/* http://itsosec-dom.cam.itso.ibm.com/*
fail /* -. URL:
https://itsosec-dom.cam.itso.ibm.com
, . 14-20.

. 14-20.
- Domino Directory
(names.nsf) (/mail). Domino Directory
. -
.

14.2.3
- WebSphere Edge Server
.
, - Domino. Domino, QuickPlace Sametime
. .
,
80 443 . . 14-21.


, , Domino -.

. 14-21.

14.3 LDAP-
Domino Domino Directory LDAP LDAP. ,
LDAP-, LDAP- , Lotus. LDAP
Domino, , Redbook , LDAP-, Lotus,
.
, , Lotus , LDAP-, LDAP- (. . ) LDAP-. . 14-22 , Lotus,
LDAP-. , -
Lotus Domino
-,
LDAP-.

Figure 14-22. LDAP directory added to the environment (servers shown: ITSOSEC-RP, ITSOSEC-LDAP)


14.3.1 LDAP-
LDAP- IBM Directory Server
Windows 2000 Service Pack 3.
LDAP- LDIF-. LDIF- LDAP-,
Domino LDAP (East West). ,
, Admin, Sales, Production Editorial.
.
14-1 LDIF- , , .

Example 14-1. LDIF file
dn: UID=MMilza,OU=Admin,O=Redbooks,C=US
objectclass: eDominoAccount
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
mail: M.Milza@redbooks.com
fullName: CN=Matt Milza,OU=East,O=Redbooks
title: IT Mgr
mailSystem: 1
givenName: Matt
sn: Milza
cn: Matt Milza
uid: MMilza
userid: mmilza
mailDomain: Redbooks
mailServer: CN=itsosec-dom,OU=Servers,O=Redbooks
mailFile: mail\mmilza

. LDIF-, dn
LDAP, fullName
Lotus Notes.

14.3.2 Lotus Domino LDAP-


Lotus Domino , LDAP- IBM
Directory Server. Domino LDAP- Directory Assistance Domino.
Directory Assistance Domino LDAP- :


1. Directory Assistance Database Domino da50.ntf.


2. Directory Assistance
LDAP-.
3. LDAP-. . 14-23, 14-24 14-25
Directory Assistance LDAP.
4. Directory Assistance Server Domino ,
Directory Assistance.

Directory Assistance Basics ( )


Server da.nsf DA.
. 14-26.

5. .

. 14-23. Domino Server Directory Assistance Basics ( )

. 14-24. Domino Server Directory Assistance Naming Contexts ( )


. 14-25. Domino Server Directory Assistance LDAP

. 14-26. Basics ( ) Server Domino


14.3.3
, Domino, LDAP- LDAP-.
Matt Milza East Domino LDAP UID=MMilza,OU=Admin,O=Redbooks,C=US, Admin. Domino R5,
LDAP ACL ,
Matt Milza .
, Domino 6.01, LDAP-, Domino
, Domino 6.
. 14-25 Attribute to be used as Notes Distinguished Name (, Notes) Directory Assistance. fullName LDAP-,
Lotus Notes LDAP- LDIF
14.3.1, LDAP-.
, Domino
LDAP-.
. 11.9.4,
Domino.
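The Python script below is an added illustration, not code from the handbook or from Domino. It parses the LDIF entry from Example 14-1 and shows the two names a Lotus server can derive for the same LDAP user: the Domino 5.x rendering of the LDAP DN (uid=mmilza/ou=admin/o=redbooks/c=us, as QuickPlace on Domino 5.x sees it) and the hierarchical Notes name obtained in Domino 6 when the Directory Assistance field "Attribute to be used as Notes Distinguished Name" is set to fullName. The second form is what keeps ACL entries written as Notes names working after Directory Assistance is pointed at LDAP. The helper names are mine; the LDIF text is the handbook's.

```python
"""Added example (not from the Lotus Security Handbook): the two names a
Lotus server derives for one LDAP user, and whether an ACL entry written as
a Notes name still matches.

  * Domino 5.x (and QuickPlace on it): the LDAP DN is rendered Notes-style,
    "uid=mmilza/ou=admin/o=redbooks/c=us", so "Matt Milza/East/Redbooks"
    in an ACL no longer matches.
  * Domino 6 Directory Assistance with the Notes DN attribute = fullName:
    "CN=Matt Milza,OU=East,O=Redbooks" becomes "Matt Milza/East/Redbooks".
"""


def parse_ldif_entry(text):
    """Minimal LDIF parser for one entry: 'attr: value' lines, multi-valued
    attributes collected into lists, comments and blank lines skipped."""
    entry = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def ldap_dn_to_notes_style(dn):
    """Domino 5.x rendering of an LDAP DN: comma-separated RDNs become
    slash-separated, lower-cased components (uid=mmilza/ou=admin/...)."""
    return "/".join(p.strip().lower() for p in dn.split(","))


def ldap_dn_to_notes_hierarchical(dn):
    """Convert a DN built from CN/OU/O/C RDNs into a hierarchical Notes name:
    values only, joined by '/', CN first (Domino 6 DA fullName mapping)."""
    values = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.upper() not in ("CN", "OU", "O", "C"):
            raise ValueError("cannot map RDN type %r to a Notes name component" % attr)
        values.append(value.strip())
    return "/".join(values)


def notes_name_for(entry, notes_dn_attribute=None):
    """Name Domino will use for this LDAP user.

    notes_dn_attribute: the Directory Assistance field "Attribute to be used
    as Notes Distinguished Name" (Domino 6); None means Domino 5 behaviour,
    i.e. the LDAP DN itself is used.
    """
    if notes_dn_attribute and notes_dn_attribute in entry:
        return ldap_dn_to_notes_hierarchical(entry[notes_dn_attribute][0])
    return ldap_dn_to_notes_style(entry["dn"][0])


def acl_matches(acl_entries, name):
    """Exact-name ACL lookup (group expansion deliberately left out)."""
    return name in acl_entries


# The entry from Example 14-1 (handbook data, embedded here as test input).
EXAMPLE_14_1 = """\
dn: UID=MMilza,OU=Admin,O=Redbooks,C=US
objectclass: eDominoAccount
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
mail: M.Milza@redbooks.com
fullName: CN=Matt Milza,OU=East,O=Redbooks
title: IT Mgr
mailSystem: 1
givenName: Matt
sn: Milza
cn: Matt Milza
uid: MMilza
userid: mmilza
mailDomain: Redbooks
mailServer: CN=itsosec-dom,OU=Servers,O=Redbooks
mailFile: mail\\mmilza
"""

if __name__ == "__main__":
    entry = parse_ldif_entry(EXAMPLE_14_1)
    acl = {"Matt Milza/East/Redbooks"}
    for attr in (None, "fullName"):
        name = notes_name_for(entry, attr)
        print("DA attribute", attr, "->", name, "| ACL match:", acl_matches(acl, name))
```

Before switching a Domino 5.x server's Directory Assistance to LDAP, run existing ACL names through notes_name_for() with None to see which entries will silently stop matching; on Domino 6, confirm the fullName values in the directory actually carry CN/OU/O components.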

14.3.4 Sametime LDAP-


Sametime , LDAP-.
1. Sametime Administration, administer the
server ( ). URL,
STCenter.nsf
http://yourservername.company.com/stcenter.nsf
2. LDAP directory (LDAP-) Connectivity ().
3. LDAP- LDAP Sametime. itsosec-ldap.cam.itso.ibm.com 389 .
4. Domino - LDAP- LDAP. itsosec-dom.cam.itso.ibm.com Remove (), .
5. LDAP directory (LDAP-) Basics ( ) LDAP-.
LDAP- . 14-29 14-30.
6. Authentication () CN UID, IBM Directory Server Domino LDAP UID, CN.


. 14-27. LDAP-

. 14-28. LDAP-

. 14-29. People () Basics ( )


7. Directory Assistance (da.nsf) Sametime
Notes Directory Assistance,
Sametime LDAP- Domino.
8. Directory Assistance, LDAP.


. 14-30. Groups () Basics ( )


Directory Assistance, , .14-31,


14-32 14-33.

9. LDAP- , . ,
LDAP- .

. 14-31. Sametime Directory Assistance Basics ( )

. 14-32. Sametime Directory Assistance Rules ()


. 14-33. Sametime Directory Assistance LDAP

. 14-34. Sametime

14.3.5 QuickPlace LDAP-


QuickPlace , LDAP-, :
1. Directory Assistance Sametime
QuickPlace; DA Sametime.
2. Server QuickPlace Domino Directory
, Directory Assistance.
, Directory Assistance Basics
Server.
3. QuickPlace .
http://itsosec-qp.cam.itso.ibm.com/quickplace
4. Server Settings ( ).
5. User Directory ( ).


6. Change Directory ( ).
7. LDAP Server (LDAP-).
8. LDAP- Name ().
itsosec-ldap.cam.itso.ibm.com
9. Port Number ( ) 389 (
LDAP).
10. LDAP,
. o=redbooks,c=us.

. 14-35.

. 14-35.

. 14-36. LDAP ACL


11. LDAP , QuickPlace, ACL Main.nsf Admin.nsf


.

, Matt Milza Domino Directory


Matt Milza/West/Redbooks, LDAP- uid=mmilza/ou=admin/o=redbooks/c=us. LDAP
Domino Directory, Matt Milza QuickPlace LDAP.

, QuickPlace
Domino 5.x; , Domino 5.x LDAP.
LDAP ACL .
. 14-36 ACL main.nsf.

14.4 WebSphere Portal


IBM WebSphere Portal. WebSphere Lotus.

LDAP-. - -.
Sametime QuickPlace . , iFrame,
Domino

Figure 14-37. WebSphere Portal Server added to the environment (servers shown: ITSOSEC-WPS, ITSOSEC-RP, ITSOSEC-LDAP)


Domino -.
iNotes.
. 14-37.
WebSphere Portal Extend
Windows 2000 Service Pack 3 DB2
.
LMS . WebSphere Portal Handbook Volume 1, SG24-6883.

14.4.1 SSO
WebSphere Portal .
:
1. Java- WebSphere Administrator.
2. wpsadmin , wpsadmin
.
3. Console () Security Center ( ) Java.
4. Authentication (); , . 14-38.

. 14-38. WebSphere Portal


5. Enable Single Sign On ( ) DNS- .


cam.itso.ibm.com.
6. Generate Keys ( ). WebSphere LTPA-.
7. Export Key ( ),
. LTPA- WebSphere
Domino.
8. Domino Directory Domino Notes.
9. Configuration () Web () Web Configurations () Domino Directory.
10. Web SSO Configuration, 14.3.2,
Lotus Domino LDAP-.
LtpaToken.
11. Edit (), .
12. Keys () Import WebSphere LTPA keys ( LTPA- WebSphere) (. 14-39).

. 14-39. LTPA- WebSphere

13. , WebSphere 7.
14. LDAP Realm (LDAP-) (\) :389.
LDAP- LTPA WebSphere (. 14-40).

. 14-40. LDAP Realm (LDAP-)


15. SSO Configuration Domino (. . QuickPlace Sametime),


HTTP (. . Tell HTTP Restart Domino)
.

14.4.2 -
- , WebSphere Portal, Domino.
ibmproxy.conf, URL
.
:
Remove:
Proxy /mail* http://itsosec-dom.cam.itso.ibm.com/mail*
Proxy /iNotes/* http://itsosec-dom.cam.itso.ibm.com/iNotes/*
Proxy /inotes5/* http://itsosec-dom.cam.itso.ibm.com/inotes5/*
Proxy /icons/* http://itsosec-dom.cam.itso.ibm.com/icons/*
Proxy /domjava/* http://itsosec-dom.cam.itso.ibm.com/domjava/*
Proxy /names.nsf http://itsosec-dom.cam.itso.ibm.com/names.nsf
Add:
Proxy /* http://192.168.0.6/* itsosec-wps.cam.itso.ibm.com
Proxy /* http://192.168.0.3/* itsosec-dom.cam.itso.ibm.com
Proxy /* http://192.168.0.4/* itsosec-qp.cam.itso.ibm.com
ReversePass http://192.168.0.6/* http://itsosec-wps.cam.itso.ibm.com/*
ReversePass http://192.168.0.3/* http://itsosec-dom.cam.itso.ibm.com/*
ReversePass http://192.168.0.4/* http://itsosec-qp.cam.itso.ibm.com/*
conf-
-.
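The Python script below is an added illustration and is not code from the handbook or from WebSphere Edge Server. It simulates the ibmproxy.conf request-routing rules of 14.2.2 (Table 14-1, the fail /* default deny and the ReversePass rewrite) and of 14.4.2 (routing by Host header to WebSphere Portal, Domino and QuickPlace) so that a rule set can be checked offline before it goes in front of the servers. The directive semantics are modelled as the handbook uses them (rules in file order, first match wins, a third Proxy argument restricts the rule to that Host name); the request samples are constructed.

```python
"""Added example (not from the Lotus Security Handbook or WebSphere Edge
Server): an offline simulator for the ibmproxy.conf routing rules.

Directives modelled, as used in 14.2.2 and 14.4.2:
  Proxy <template> <target> [<host>]   forward a matching request; with a
                                       host name the rule applies only to
                                       requests carrying that Host header
  fail <template>                      refuse the request (the default deny
                                       that hides everything not listed)
  ReversePass <backend> <public>       rewrite backend URLs that leak in
                                       Location headers to the public name
Rules are evaluated in file order; first match wins; a request matching
nothing is refused.
"""


class RuleSet:
    def __init__(self):
        self.rules = []      # (kind, template, target, host)
        self.reverse = []    # (backend_prefix, public_prefix)

    @staticmethod
    def _match(template, path):
        """Shell-style template match with at most one '*'.
        Returns the text covered by '*' ('' when none), or None on mismatch."""
        if "*" not in template:
            return "" if path == template else None
        head, _, tail = template.partition("*")
        if (path.startswith(head) and path.endswith(tail)
                and len(path) >= len(head) + len(tail)):
            return path[len(head):len(path) - len(tail)]
        return None

    def proxy(self, template, target, host=None):
        self.rules.append(("proxy", template, target, host))

    def fail(self, template):
        self.rules.append(("fail", template, None, None))

    def reversepass(self, backend, public):
        self.reverse.append((backend.rstrip("*"), public.rstrip("*")))

    def route(self, path, host=None):
        """Return ('proxy', backend_url) or ('fail', None) for a request."""
        for kind, template, target, rule_host in self.rules:
            if rule_host is not None and rule_host != host:
                continue
            wild = self._match(template, path)
            if wild is None:
                continue
            if kind == "fail":
                return ("fail", None)
            return ("proxy", target.replace("*", wild))
        return ("fail", None)

    def rewrite_location(self, url):
        """Apply ReversePass so the client never sees a 192.168.x.x address."""
        for backend, public in self.reverse:
            if url.startswith(backend):
                return public + url[len(backend):]
        return url


def edge_rules_14_2_2():
    """Table 14-1 plus the IBMPROXY.CONF additions of 14.2.2 (Domino only)."""
    rs = RuleSet()
    for tpl, tgt in [("/mail*", "http://192.168.0.3/mail*"),
                     ("/iNotes/*", "http://192.168.0.3/iNotes/*"),
                     ("/inotes5/*", "http://192.168.0.3/inotes5/*"),
                     ("/icons/*", "http://192.168.0.3/icons/*"),
                     ("/domjava/*", "http://192.168.0.3/domjava/*"),
                     ("/names.nsf", "http://192.168.0.3/names.nsf*")]:
        rs.proxy(tpl, tgt)
    rs.fail("/*")
    rs.reversepass("http://192.168.0.3/*", "http://itsosec-dom.cam.itso.ibm.com/*")
    return rs


def edge_rules_14_4_2():
    """14.4.2: route by Host header to Portal, Domino and QuickPlace."""
    rs = RuleSet()
    rs.proxy("/*", "http://192.168.0.6/*", "itsosec-wps.cam.itso.ibm.com")
    rs.proxy("/*", "http://192.168.0.3/*", "itsosec-dom.cam.itso.ibm.com")
    rs.proxy("/*", "http://192.168.0.4/*", "itsosec-qp.cam.itso.ibm.com")
    rs.reversepass("http://192.168.0.6/*", "http://itsosec-wps.cam.itso.ibm.com/*")
    rs.reversepass("http://192.168.0.3/*", "http://itsosec-dom.cam.itso.ibm.com/*")
    rs.reversepass("http://192.168.0.4/*", "http://itsosec-qp.cam.itso.ibm.com/*")
    return rs


if __name__ == "__main__":
    rs = edge_rules_14_2_2()
    for p in ("/mail/mmilza.nsf", "/names.nsf", "/", "/admin4.nsf"):
        print(p, "->", rs.route(p))
    vh = edge_rules_14_4_2()
    print(vh.route("/wps/myportal", "itsosec-wps.cam.itso.ibm.com"))
    print(vh.route("/mail/mmilza.nsf", "unknown.example"))
```

The second rule set has no fail /* line: with host-based routing every path on a known Host name reaches the backend, so the exposure of names.nsf and the server root that the first rule set hid is back unless the backends themselves refuse anonymous access.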

14.5
IBM Lotus Learning Management System (LMS).
Learning Management System 1.01
Windows 2000 Service Pack 3. LMS LMS,
DB2 WebSphere 5.
LMS . IBM Lotus Learning Management System Handbook, SG24-7028.

. , LMS WebSphere Application Server


v5.0 . , Lotus Domino

WebSphere 4 WebSphere 5.


14.5.1 LMS
LMS
:
1. WebSphere Application Server LMS- . WebSphere 5 , WebSphere 4, Java-.
2. Security () Authentication Mechanisms ( ) LTPA WebSphere.

. 14-41. LMS LTPA


3. LTPA- WebSphere,
WebSphere, LTPA-,
.
WebSphere Portal LMS-.
4. Import Keys ( ); LTPA-
.
5. Save (), (. 14-42).

. 14-42. LTPA


6. Save (), ,
, SSO LMS; Domino WebSphere
Portal, LMS (. 14-43).

. 14-43.

14.5.2 LMS
, LMS , WebSphere Portal,
LMS- WebSphere Portal, LMS .
SSO, WebSphere Portal, ,
, LMS- .


LMS LMS WebSphere (My
Courses, Search Catalog My Calendar). WebSphere Portal,
:
1. WebSphere Portal (wpsadmin).
2. Portal Administration ( ).
3. Install portlets ( ).
4. My Courses.war LMS,
Next ().
5. , war-;
Install () , .
6. 4 5 Search catalog.war My Calendar.war.



WebSphere
, LMS- Web- LMS-,
LMS.
:
1. Portal Administration ( ) Manage
portlets ( ).
2. Myourses Modify Parameters (
) (. 14-44).

. 14-44. LMS-
3. ,
(. 14-45):
webserviceport: 80;
webservicepath: /lms-lmm/auth-api;
webserviceserver: itsosec-lms.cam.itso.ibm.com.

. 14-45. LMS-
4. 2 3 Search Catalog My Calendar,
.


14.6 Tivoli Access Manager



-, .
, , ,
. , , Redbook.
, ,
.

14.6.1 Tivoli Access Manager


WebSphere Edge Server
-,
Domino WebSphere Portal . , Tivoli Access Manager (TAM).
TAM - WebSeal, RPSS ( - ). - . 5, -.
IBM Websphere Edge Server,
-,
Tivoli WebSeal.
Tivoli WebSphere Edge Server, WebSeal-Lite.
, , Tivoli Access Manager, WebSeal-Lite . Tivoli Access Manager
.Tivoli Information Center :
http://publib.boulder.ibm.com/tividd/td/IBMAccessManagerfore-business4.1.html
Tivoli Access Manager , Tivoli Access Manager .

14.6.2 WebSeal
Websphere Edge Server
WebSeal-Lite
-, :
1. Tivoli Access Manager Edge Server:
) .


b) - IBM Tivoli Access Manager Web Security, Version 4.1 for


Windows. setup.exe, :

cdrom_drive\windows\PolicyDirector\Disk Images\Disk1
c) Select Packages ( )
Edge Server.
2. Edge Server:
) wslconfig.exe.
b) :
- Edge Server.
80.
Tivoli Access Manager, TAM. , sec_master
.
:
;
(ivacld-servers SecurityGroup);
SSL-;
SSL- Tivoli Access
Manager;
- Edge Server
Edge Server, - Edge Server (ibmproxy.conf);
- Edge Server (ibmproxy).

Edge Server wesosm.
Tivoli Access Manager
Edge Server.
Edge Server .
- Edge Server
Edge Server. sec_master
-.

14.6.3 Domino TAM


Lotus Domino (Domino, Sametime, QuickPlace ..),
cookie- SSO LTPA Domino ,
IBM Tivoli WebSeal - Domino .
:
1. Administration Command Prompt (PDAdmin) AccessManager for e-business Start ().


2. pdadmin.
3. Lotus Domino, :
(-t);
(-h);
TCP-, (-p);
(-A);
(-F);
(-Z);
JavaScript (-j);
(/).

Example 14-2. WebSEAL junction commands for Domino

pdadmin> login
Enter User ID: sec_master
Enter Password:
pdadmin> server list
webseald-webseal39
pdadmin> server task webseald-webseal39 create -t tcp -h itsosec-dom.cam.itso.ibm.com -p 80 -A -F c:\Lotus\Domino\Keys\amdom.key -Z mercury1 -j /domino
Created junction at /domino
pdadmin>
Domino, Sametime QuickPlace
. ,
Domino, :
itsosec-dom.cam.itso.ibm.com -p 80 -A -F c:\Lotus\Domino\Keys\amdom.key -Z mercury1 -j /domino
itsosec-st.cam.itso.ibm.com -p 80 -A -F c:\Lotus\Domino\Keys\amdom.key -Z mercury1 -j /sametime
itsosec-qp.cam.itso.ibm.com -p 80 -A -F c:\Lotus\Domino\Keys\amdom.key -Z mercury1 -j /quickplace


14.6.4 WebSphere Portal TAM


Domino TAM WebSeal- ,
Websphere Portal Tivoli Access Manager:
1. Tivoli Access Manager SvrSslCfg. :
c:\progra~1\Tivoli\POLICY~1\sbin\%WAS_HOME%\java\jre\bin\java com.tivoli.pd.jcfg.SvrSslCfg -action config -admin_id sec_master -admin_passwd password -appsvr_id itsosec-tam_amwps -mode remote -port 7201 -policysvr itsosec-tam.cam.itso.ibm.com:7135:1 -authzsvr itsosec-tam.cam.itso.ibm.com:7136:1 -cfg_file c:\websphere\appserver\java\jre\PDPerm.properties -key_file c:\websphere\appserver\java\jre\lib\security\pdperm.ks -cfg_action create
2. Portallogin.cfg WebSphere Portal Server. (
.)
WpsNewSubject {
    com.ibm.websphere.security.auth.module.proxy.WSLoginModuleProxy
        required delegate=com.ibm.wps.sso.GetCORBACredentialLoginModule;
    com.ibm.websphere.security.auth.module.proxy.WSLoginModuleProxy
        required delegate=com.ibm.wps.sso.CORBACredentialLoginModule;
    com.ibm.websphere.security.auth.module.proxy.WSLoginModuleProxy
        required delegate=com.ibm.wps.sso.UserDNGroupDNLoginModule;
    com.ibm.websphere.security.auth.module.proxy.WSLoginModuleProxy
        required delegate=com.ibm.wps.sso.UserIdPasswordLoginModule;
    com.ibm.websphere.security.auth.module.proxy.WSLoginModuleProxy
        required delegate=com.ibm.wps.sso.UserIdPrincipalLoginModule;
    com.ibm.websphere.security.auth.module.proxy.WSLoginModuleProxy
        required delegate=com.ibm.wps.sso.PasswordCredentialLoginModule;
    com.ibm.websphere.security.auth.module.proxy.WSLoginModuleProxy
        required delegate=com.ibm.wps.sso.LTPATokenLoginModule;
    com.ibm.websphere.security.auth.module.proxy.WSLoginModuleProxy
        required delegate=com.tivoli.mts.PDLoginModule;
};
WpsSubjectExists {
    com.ibm.websphere.security.auth.module.proxy.WSLoginModuleProxy
        required delegate=com.ibm.wps.sso.GetCORBACredentialLoginModule;
    com.ibm.websphere.security.auth.module.proxy.WSLoginModuleProxy
        required delegate=com.ibm.wps.sso.CORBACredentialLoginModule;
    com.ibm.websphere.security.auth.module.proxy.WSLoginModuleProxy
        required delegate=com.ibm.wps.sso.LTPATokenLoginModule;
    com.ibm.websphere.security.auth.module.proxy.WSLoginModuleProxy
        required delegate=com.tivoli.mts.PDLoginModule;
};
,
, Tivoli Access
Manager ( WebSphere Edge Server)
.
(. . WebSphere Portal, Lotus
Domino . .) . ,
ACL, , , TAM, . TAM
,
.

14.7
, Redbook RedbooksCo Redbooks.
.





(, html- ),
. ,
HTML- , HTTP-. ,
, , . , .



, , , ,
.
,
. , (, TCP, HTTP, HTML).


, .
:
EtherReal.
http://www.ethereal.com
CommView. ,

http://www.tamos.com/products/commview/
CommView , . , ,
. ,
.


,
Web-.

. A-1
Web- Domino,

. A-2
IE ( HTTP,
HTML)


. A-1 , .
. A-2 HTML- .
. A-3 HTML- .

. A-3 GET, (CommView)


, , ,
<HTML>, <! Doctype>. HTML- HTTP-. HTTP- ( ) (
Domino).
. A-3 CommView.
ASCII.

(Ethernet, IP, TCP,
HTTP ..). . A-3 .
, Lotus, , . , , . . A-4
.
. A-4 HTTP-. ASCII- HTTP-
( , 11 ). , , HTTP- ( Domino , 8 ). ,
, HTML-


. A-4

. A-5 HTML-
(), , . , View Source ( HTML-) Web-,
HTTP-. .
, , .


B
DSAPI
DSAPI-, Web- Domino
.
DSAPI, 7, .
DSAPI- Windows- Domino Windows. Domino
UNIX,
UNIX.
: , Windows
UNIX. , make- Domino 6 C API Samples,
Admin.


1. DSAPI-
Domino ,
DSAPI- Domino.
2. , ,
Domino Domino,
,
. Domino -


. Domino .

3.
Domino Web-. ACL
. Reader ()
Default No Access ( )
Anonymous (). No Access
Anonymous () .

DSAPI- Domino
1. DLL
Domino.
2. Domino.
3. Notes UI Lotus Domino (
names.nsf).
4. Server () Servers () Server
.
5. Internet Protocols (-) DLL
DSAPI-.
6. .

Domino

1. Domino.
2. Domino Administrator.
3. , Server () , Local.
Local, File () Open Server
( ) , Domino.
4. People () .
5. People () Register
().
6. First name (), Last name (), Short name ( ) Password (). .
7. Register () Domino.
8. Domino Administrator.
9. Domino.


DSAPI- secdom
( Windows). DSAPI Windows,
Act as part of the operating system (
). ,
.
Windows , .
Windows , Windows Windows.
1. Lotus Domino , http server .
:

DSAPI Operating System Authentication Filter Loaded successfully.


2. Web- Domino .
3. URL <Domino-server>/<Domino-server-database>,
Web, <Domino-server> Domino ( IP-), <Domino-server-database> .
: dserver/dsdatabase.nsf
4. Enter Network Password ( )
, .
Domino Windows NT/2000,
:

<operating-system-user-name>@<operating-system-domain>
: jdoe@os_domain

Domino UNIX, :

<operating-system-user-name>
: jdoe

5. OK .
6. .


DSAPI-.

B-1.
/******************************************************************
 * PROGRAM:  SECDOM
 * FILE:     SECDOM.C (platform-independent part)
 * PURPOSE:  C API sample that uses the Domino Web Server API (DSAPI)
 *           to authenticate Domino Web users against the user accounts
 *           of the operating system the Domino server runs on.
 ******************************************************************/
/* C runtime headers */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
/* Notes SDK headers */
#include "global.h"
#include "osmem.h"
#include "lookup.h"
#include "dsapi.h"
#include "addin.h"

#define MAX_BUF_LEN 512
#define USER_DOMAIN_SEPARATOR "@"

/* The platform-specific files are selected with SOLARIS or AIX; treat
 * either as UNIX so that a single macro controls the code below. */
#if defined(SOLARIS) || defined(AIX)
#ifndef UNIX
#define UNIX
#endif
#endif

/*--- Prototypes ---*/
/* Entry point required by the Notes SDK on UNIX */
STATUS FAR PASCAL MainEntryPoint (void);
/* Handler for the DSAPI authentication event */
unsigned int Authenticate(FilterContext* context, FilterAuthenticate* authData);
/* Look the user up in the Domino Directory to get the full and short name */
int getUserNames (FilterContext* context,
                  char *userName,
                  char **pUserFullName,
                  int *pUserFullNameLen,
                  char **pUserShortName,
                  int *pUserShortNameLen);
int getLookupInfo (FilterContext* context,
                   char *pMatch,
                   unsigned short itemNumber,
                   char **pInfo,
                   int *pInfoLen);
int doAuthenticate(char *userName, char *domain, char *password);
#ifdef UNIX
int unixAuthenticate(char *userName, char *password);
#else
int separateUsernameAndDomainname(char *userName, char *separator,
                                  char **user, char **domain);
int winAuthenticate(char *userName, char *domain, char *password);
#endif

/*--- Library entry point ---*/
STATUS FAR PASCAL MainEntryPoint (void)
{
    /* Notes API libraries need an entry point. The HTTP task loads the
     * filter and calls FilterInit() itself, so nothing happens here.
     * Returns: NOERROR */
    return NOERROR;
}

/*--- Filter initialization ---*/
unsigned int FilterInit(FilterInitData* filterInitData)
{
    /* Called once when the HTTP task loads the filter.
     * Input:  filterInitData - DSAPI initialization structure
     * Output: filterInitData - interface version, events wanted, description
     * Returns: kFilterHandledEvent */
    printf("\nFilterInitData() is getting called.\n");
    /* Interface version this filter was compiled against */
    filterInitData->appFilterVersion = kInterfaceVersion;
    /* Events this filter wants to receive: only authentication */
    filterInitData->eventFlags = kFilterAuthenticate;
    /* Description shown on the server console when the filter loads */
    strcpy(filterInitData->filterDesc,
           "Operating System Authentication Filter");
    /* Anything written to stdout or stderr goes to the server console
     * and is not recorded in the Domino log. */
    printf("\nDSAPI Authentication filter initialized\n");
    return kFilterHandledEvent;
}

/*--- Filter termination ---*/
unsigned int TerminateFilter(unsigned int reserved)
{
    /* Called when the HTTP task unloads the filter; nothing to clean up.
     * Input:  reserved - unused
     * Returns: kFilterHandledEvent */
    return kFilterHandledEvent;
}

/*--- Event dispatcher ---*/
unsigned int HttpFilterProc(FilterContext* context,
                            unsigned int eventType, void* eventData)
{
    /* DSAPI calls this for every event the filter registered for.
     * Input:  context   - request context
     *         eventType - event being raised
     *         eventData - event-specific data (FilterAuthenticate here)
     * Returns: kFilterNotHandled unless the event is handled below */
    switch (eventType) {
    case kFilterAuthenticate:
        return Authenticate(context, (FilterAuthenticate *)eventData);
    default:
        break;
    }
    return kFilterNotHandled;
}

/*--- Authentication handler ---*/
unsigned int Authenticate(FilterContext* context,
                          FilterAuthenticate* authData)
{
    /* Handles the kFilterAuthenticate event.
     * Input:  context  - DSAPI request context
     *         authData - user name and password from the request;
     *                    foundInCache = TRUE means Domino has already
     *                    authenticated this user from its cache.
     * Output: authData->authName and authType are set when the filter
     *         authenticates the user (authType = kAuthenticBasic);
     *         otherwise they are left untouched.
     * Returns: kFilterNotHandled  - let Domino authenticate the user
     *          kFilterHandledEvent - the user was authenticated here */
    if (!authData || authData->foundInCache) {
        AddInLogMessageText("\n user is found in the cache \n", NOERROR);
        return kFilterNotHandled;
    }
    if (authData->userName && authData->password) {
        char *fullName = NULL;
        int fullNameLen = 0;
        char *shortName = NULL;
        int shortNameLen = 0;
        char *user = NULL;
        char *domain = NULL;
#ifdef UNIX
        user = (char *)authData->userName;
#else
        /* Windows: the user types user@domain; split it in place */
        separateUsernameAndDomainname((char *)authData->userName,
                                      USER_DOMAIN_SEPARATOR,
                                      &user, &domain);
#endif
        /* Map the typed name to the Domino Directory entry: the short
         * name is the operating system account, the full name is what
         * Domino needs for access control. */
        if (NOERROR == getUserNames (context,
                                     user,
                                     &fullName,
                                     &fullNameLen,
                                     &shortName,
                                     &shortNameLen) )
        {
            /* Check the password against the operating system */
            if (NOERROR != doAuthenticate(shortName, domain,
                                          (char *)authData->password))
            {
                return kFilterNotHandled;
            }
            /* Report the authenticated user to DSAPI by Domino full name;
             * the copy is terminated explicitly because strncpy does not
             * terminate when the name fills the buffer. */
            strncpy ((char *)authData->authName, fullName,
                     authData->authNameSize);
            if (authData->authNameSize > 0)
                authData->authName[authData->authNameSize - 1] = '\0';
            authData->authType = kAuthenticBasic;
            authData->foundInCache = TRUE;
            return kFilterHandledEvent;
        }
    }
    return kFilterNotHandled;
}

int getUserNames (FilterContext* context,
                  char *userName,
                  char **pUserFullName,
                  int *pUserFullNameLen,
                  char **pUserShortName,
                  int *pUserShortNameLen) {
    /* Looks userName up in the $Users view of the Domino Directory.
     * Input:  context  - request context (memory is allocated from it)
     *         userName - name typed by the user
     * Output: pUserFullName / pUserFullNameLen   - Domino full name
     *         pUserShortName / pUserShortNameLen - Domino short name
     * Returns: 0 on success, -1 on error */
    STATUS error = NOERROR;
    HANDLE hLookup = NULLHANDLE;
    DWORD Matches = 0;
    char *pLookup = NULL;
    char *pName = NULL;
    char *pMatch = NULL;
    int rc = -1;
    /* Initialize the outputs */
    *pUserFullName = NULL;
    *pUserFullNameLen = 0;
    *pUserShortName = NULL;
    *pUserShortNameLen = 0;
    /* Do the name lookup */
    error = NAMELookup2(NULL,                  /* NULL = this server's directory */
                        0,                     /* flags */
                        1,                     /* one name space ...         */
                        "$Users",              /* ... the $Users view        */
                        1,                     /* one name to look up ...    */
                        userName,              /* ... the typed user name    */
                        2,                     /* two items to return ...    */
                        "FullName\0ShortName", /* ... full name and short name */
                        &hLookup);             /* handle of the result buffer */
    if (error || (NULLHANDLE == hLookup))
        goto NoUnlockExit;
    pLookup = (char *) OSLockObject(hLookup);
    /* Locate the first (and only) name in the result buffer */
    pName = (char *)NAMELocateNextName2(pLookup,  /* result buffer          */
                                        NULL,     /* start from the first   */
                                        &Matches);/* matches for this name  */
    if ((pName == NULL) || (Matches <= 0)) {
        goto Exit;
    }
    /* Locate the first match for that name */
    pMatch = (char *)NAMELocateNextMatch2(pLookup, /* result buffer       */
                                          pName,   /* name record         */
                                          NULL);   /* first match         */
    if (NULL == pMatch) {
        goto Exit;
    }
    /* Item 0: FullName */
    if ( getLookupInfo (context,
                        pMatch,
                        0,
                        pUserFullName,
                        pUserFullNameLen) )
        goto Exit;
    AddInLogMessageText ("full name=%s,length=%d\n", 0, *pUserFullName,
                         *pUserFullNameLen);
    /* Item 1: ShortName */
    if ( getLookupInfo (context,
                        pMatch,
                        1,
                        pUserShortName,
                        pUserShortNameLen) )
        goto Exit;
    rc = 0;
    AddInLogMessageText ("short name=%s,length=%d\n", 0, *pUserShortName,
                         *pUserShortNameLen);
Exit:
    if ( pLookup && hLookup )
        OSUnlock(hLookup);
NoUnlockExit:
    if (NULLHANDLE != hLookup)
        OSMemFree(hLookup);
    return rc;
}

int getLookupInfo (FilterContext* context,
                   char *pMatch,
                   unsigned short itemNumber,
                   char **pInfo,
                   int *pInfoLen) {
    /* Copies one text item of a lookup match into memory allocated from
     * the request context (DSAPI frees it when the request completes).
     * Input:  context    - request context
     *         pMatch     - match record from NAMELocateNextMatch2
     *         itemNumber - index of the item as requested in NAMELookup2
     * Output: pInfo      - NUL-terminated copy of the item value
     *         pInfoLen   - its length including the terminator
     * Returns: 0 on success, -1 on error */
    unsigned int reserved = 0;
    unsigned int errID;
    char *ValuePtr = NULL;
    WORD ValueLength, DataType;
    STATUS error;
    void *newSpace = NULL;
    /* Initialize the outputs */
    *pInfo = NULL;
    *pInfoLen = 0;
    /* Find the item and its length in the match record */
    ValuePtr = (char *)NAMELocateItem2(pMatch,
                                       itemNumber,
                                       &DataType,
                                       &ValueLength);
    if (NULL == ValuePtr || ValueLength == 0) {
        return -1;
    }
    ValueLength -= sizeof(WORD);   /* the length includes the data type word */
    /* Only text items are accepted */
    switch (DataType) {
    case TYPE_TEXT_LIST:
    case TYPE_TEXT:
        break;
    default:
        return -1;
    }
    /* Allocate room for the text plus a terminator. DSAPI owns this
     * memory and releases it after the request. */
    newSpace = (context->AllocMem)(context, ValueLength+1,
                                   reserved, &errID);
    *pInfo = (char *) newSpace;
    if (NULL == *pInfo) {
        printf ("Out of memory\n");
        return -1;
    }
    /* Copy the text. The buffer length passed is the size actually
     * allocated; the original sample passed MAX_BUF_LEN here, which
     * describes a larger buffer than the one just allocated. */
    error = NAMEGetTextItem2(pMatch,                  /* match record            */
                             itemNumber,              /* item index              */
                             0,                       /* first member of a list  */
                             *pInfo,                  /* destination buffer      */
                             (WORD)(ValueLength + 1));/* size of that buffer     */
    if (!error) {
        *pInfoLen = strlen(*pInfo)+1;
        return 0;
    }
    return -1;
}

int doAuthenticate(char *userName, char *domain, char *password) {
    /* Dispatches to the platform-specific password check.
     * Input:  userName - operating system user name (Domino short name)
     *         domain   - Windows domain (NULL on UNIX)
     *         password - password typed by the user
     * Returns: 0 if the operating system accepted the credentials,
     *          -1 otherwise */
    if (!userName) {
        AddInLogMessageText ("\nERROR: User must be specified\n", NOERROR);
        return -1;
    }
#ifdef UNIX
    printf("\nin doAuthenticate()\n");
    return(unixAuthenticate(userName, password));
#else
    if (!domain) {
        AddInLogMessageText ("\nERROR: Domain must be specified. Use username@domainname format\n",
                             NOERROR);
        return -1;
    }
    return(winAuthenticate(userName, domain, password));
#endif
}
/* ----- end of secdom.c ----- */

DSAPI

627

B-2. Windows
/******************************************************************
 * PROGRAM:  SECDOM
 * FILE:     W_SECDOM.C (Windows-specific part)
 * PURPOSE:  Windows implementation of the operating system password
 *           check used by the SECDOM DSAPI filter.
 ******************************************************************/
/* W32 headers */
#include <windows.h>
#include <winbase.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
/* ************************************************************* */
/* Splits "user@domain" into its two parts. strtok() writes into   */
/* userName, so the caller's buffer is modified in place.          */
/* ************************************************************* */
int separateUsernameAndDomainname(char *userName,char *separator,
                                  char **user, char **domain)
{
    *user=strtok(userName,separator);
    *domain=strtok(NULL,separator);   /* NULL when no separator was typed */
    return 0;
}
/* ************************************************************* */
/* Asks Windows to validate the credentials with LogonUser(). On   */
/* Windows NT/2000 the account the Domino server runs under needs  */
/* the "Act as part of the operating system" privilege for this.   */
/* ************************************************************* */
int winAuthenticate(char *userName, char *domain, char *password)
{
    char *lpMsgBuf;
    HANDLE phToken;
    printf("\n Executing Windows-specific authentication for user %s in domain %s\n",
           userName, domain);
    if (LogonUser(userName,domain,password,LOGON32_LOGON_NETWORK,
                  LOGON32_PROVIDER_DEFAULT,&phToken))
    {
        /* Only the logon result matters; release the token at once */
        CloseHandle(phToken);
        printf(" ** Successful return from Windows-specific authentication\n");
        return NOERROR;
    }
    else
    {
        /* Turn the last error into a readable message for the console */
        FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER |
                      FORMAT_MESSAGE_FROM_SYSTEM,
                      NULL,
                      GetLastError(),
                      MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
                      (LPTSTR) &lpMsgBuf,
                      0,
                      NULL);
        printf("***** Error from Windows-specific authentication: ***\n");
        printf(" %s\n",lpMsgBuf);
        LocalFree(lpMsgBuf);
        return -1;
    }
}

B-3. UNIX
/******************************************************************
 * PROGRAM:  SECDOM
 * FILE:     U_SECDOM.C (UNIX-specific part)
 * PURPOSE:  Solaris and AIX implementation of the operating system
 *           password check used by the SECDOM DSAPI filter.
 ******************************************************************/
/* C runtime headers */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
/* UNIX headers */
#ifdef SOLARIS
#include <shadow.h>
#include <crypt.h>
#endif
#ifdef AIX
#include <sys/types.h>
#include <pwd.h>
#include <unistd.h>
#endif
/* Compares the typed password with the hash stored for userName.
 * Reading that hash requires the Domino server to run with enough
 * privilege to read the shadow password database.
 * Returns: 0 if the password matches, -1 if it does not,
 *          1 if the user is unknown to the operating system */
int unixAuthenticate(char *userName, char *password)
{
    char buffer[1024];
    int error = -1;
    int success = 0;
    int unknown = 1;
    /* Platform-specific account records */
#ifdef SOLARIS
    struct spwd result;
#endif
#ifdef AIX
    struct passwd *result;
#endif
    /* Look the account up and check the password */
#ifdef SOLARIS
    if (getspnam_r(userName, &result, buffer, sizeof(buffer))) {
        /* Hash the typed password with the stored salt and compare */
        char *thisCrypt = NULL;
        thisCrypt = (char *)crypt(password, result.sp_pwdp);
        if (thisCrypt && strcmp (result.sp_pwdp, thisCrypt) == 0) {
            return success;
        } else {
            return error;
        }
    }
#endif
#ifdef AIX
    result = getpwnam(userName);
    if (result && result->pw_passwd) {
        /* Hash the typed password with the stored salt and compare */
        char *thisCrypt = NULL;
        thisCrypt = (char *)crypt(password,
                                  result->pw_passwd);
        if (thisCrypt && strcmp (result->pw_passwd, thisCrypt) == 0) {
            return success;
        } else {
            return error;
        }
    }
#endif
    return unknown;
}


C



Domino 6 HTTP
Domino
6 HTTP, 11.2.2, HTTP-.

HTTP-
, HTTPEnableConnectorHeaders
Notes.ini Domino HTTP , WebSphere, Web- .
HTTP-
Domino, ,
.
HTTPEnableConnectorHeaders :


0. Domino HTTP .
HTTP , .
1. Domino HTTP .

. , ,
, , http.
notes.ini HTTP- Domino HTTP-.

. 14-46. HTTP
HTTPEnableConnectorHeaders=1
. LogLevel TRACE XML-
,
.
$WSAT. , .
$WSCC. , .
Web- base64,
base64, .


$WSCS. , Web- .
, .
$WSIS. True False,
, ( SSL/TLS).
$WSSC. , . http https.
$WSPR. HTTP-, .
HTTP/1.1.
$WSRA. IP- , .
$WSRH. , .
, IP-.
$WSRU. , .
$WSSN. , .
, HOST .
$WSSP. , .
, .
$WSSI. SSL-, . Web- base64, base64,



, Domino , HTTP-. , IP- , HTTP- Domino HTTP-, Domino IP-, $WSRA. :
, Domino , $WSRU, Domino
, !
HttpEnableConnectorHeaders=1
notes.ini, ,
Domino , HTTP . , ,
HTTP-.
,
Domino IP Web- IP- Domino 6.


IIS-
!
PlugIn (Plug-In)
(Plugin Config) .
, , ,
. , , ,
NAME ,
( EventViewer) .
WebSphere Application Server Microsoft IIS.
1. IIS (
) Domino
IIS-:
data/domino/plug-ins/plugin-cfg.xml

c:\WebSphere\AppServer\config.

. C-1. , C IIS-
2. RegEdit.exe ( Windows)
: HKEY_LOCAL_MACHINE - SOFTWARE - IBM - WebSphere Application Server - 4.0.

4.0 Plugin Config. plugin-cfg.xml (C:\WebSphere\AppServer\config\plugin-cfg.xml).

WAS5.x
( RegEdit):
'HKEY_LOCAL_MACHINE' - 'SOFTWARE' - 'IBM' - 'WebSphere Application Server' '5.0'. '5.0' BinPath. , (C:\WebSphere\AppServer\bin).


. C-2. , !
'HKEY_LOCAL_MACHINE' - 'SOFTWARE' - 'IBM' - 'WebSphere Application Server' '5.0'. 5.0 'InstallLocation'.
, WAS (C:\WebSphere\AppServer).
'HKEY_LOCAL_MACHINE' - 'SOFTWARE' - 'IBM' - 'WebSphere Application Server' '5.0'. 5.0 'LibPath'. (C:\WebSphere\AppServer\lib).
'HKEY_LOCAL_MACHINE' - 'SOFTWARE' - 'IBM' - 'WebSphere Application Server' '5.0'. 5.0 'MajorVersion'.
(5).
'HKEY_LOCAL_MACHINE' - 'SOFTWARE' - 'IBM' - 'WebSphere Application Server' '5.0'. 5.0 'plug-in Config'.
plug-in-cfg.xml (C:\WebSphere\AppServer\config\plug-in-cfg.xml).

. C-3. (DLL), bin IIS


3. data/domino/plug-ins/w32/iisWASPlugin_http.dll plug-in_common.dll ( , Domino) c:\WebSphere\
AppServer\bin IIS- .
4. Internet Service Manager IIS-.
IIS, Internet Service


Manager. Windows NT Microsoft Management Console ( MMC), XP


Administrative Tools ().

. C-4. IIS Manager


5. Web-,
WebSphere.
, Default Web Site (- ).
Default Web Site (- )
New () Virtual Directory ( ).

! IIS
Domino, , Web-
.
) Alias () sePlugins ( ).
) Directory () WebSphere bin (C:\WebSphere\
AppServer\bin).
) Execute ()
.
) Finish (). sePlugins.


. C-5.

. C-6.

6. ( ) Web- .
) ISAPI Filters ( ISAPI). Add ()
iisWASPlugin Filter Name ( ).
Executable ( ), Browse (),
WebSphere bin iisWASPlugin_http.dll.


. C-7. ,

. C-8.

sePlugIns

. C-9.


. C-10. Web-

! , ;
ISAPI- .
) , OK.

! OK ISAPI , Priority ()
ISAPI- *Unknown*. ,
IIS ISAPI- ,
.
) OK , ,
, *Unknown* , . C-13. .

, -, .
, , ,


. C-11. ISAPI-

. C-12. OK


. C-13.

. C-14. !


, .

.

XML
WebSphere\AppServer\config\plugin-cfg.xml
. Domino,
plugin-cfg.xml,
URL, , Domino.
, .
Web- .

. Windows!
plugin-cfg.xml:
1. plugin-cfg.xml Notepad () XML-.
2. <Transport> ,
Domino. Hostname Port , ,
HTTP .
:

<!-- Server groups provide a mechanism of grouping servers together. -->
<ServerGroup Name="default_group">
  <Server Name="default_server">
    <Transport Hostname="mydomino.server.com" Port="81" Protocol="http"/>
  </Server>
</ServerGroup>
3. <UriGroup>. URL-, Web-
Domino.

<UriGroup Name="default_host_URIs">
  <Uri Name="*/icons/*"/>
  <Uri Name="*/domjava/*"/>
  <Uri Name="*/.nsf*"/>


. URI .
WebSphere Application Server
( ,
) .
, Web-
. IIS World Wide
Web Publishing Service Windows
- Internet Services Manager. Web-
, . Web- IIS
IIS, .
Domino , <Uri> .

! , ,
XML. ,
(< >) ,
plugin-cfg.cml Internet Explorer (). IE
XML-.

plugin-cfg.xml
plugin-cfg.xml,
,
.

C-1. plug-in.xml :

<?xml version="1.0" encoding="ISO-8859-1"?>
<!--###################################################################
C:\Websphere\AppServer\config\plugin-cfg.xml    chiesa@dotNSF.com
(c) IBM Corp 2003. (c) dotNSF Inc MMIII
###################################################################
See also: plugin-cfg-service.xmi (WAS)
###################################################################
-->
<Config IgnoreDNSFailures="true" RefreshInterval="300">
  <Log Name="C:/WebSphere/AppServer/logs/native.log" LogLevel="Trace"/>
  <VirtualHostGroup Name="DominoHosts">
    <VirtualHost Name="*:*"/>
  </VirtualHostGroup>
  <UriGroup Name="DominoHostsURIs">
    <Uri Name="/icons/*"/>
    <Uri Name="/domjava/*"/>
    <!-- Note: the plug-in does not support Regex!
    ###################################################################
    http://www-106.ibm.com/developerworks/xml/library/x-case/?dwzone=xml
    ###################################################################
    -->
    <Uri Name="/*.(N|n)(S|s)(F|f|G|g|H|h|1|2|3|4|5|6)*"/>
    <!--###########################################################
    Every case variant of each Domino database extension is listed
    explicitly below.
    ###########################################################
    -->
    <!-- *.??f -->
    <Uri Name="/*.nsf*"/>
    <Uri Name="/*.Nsf*"/>
    <Uri Name="/*.nSf*"/>
    <Uri Name="/*.NSf*"/>
    <!-- *.??F -->
    <Uri Name="/*.nsF*"/>
    <Uri Name="/*.nSF*"/>
    <Uri Name="/*.NsF*"/>
    <Uri Name="/*.NSF*"/>
    <!-- *.??g -->
    <Uri Name="/*.nsg*"/>
    <Uri Name="/*.nSg*"/>
    <Uri Name="/*.Nsg*"/>
    <Uri Name="/*.NSg*"/>
    <!-- *.??G -->
    <Uri Name="/*.nsG*"/>
    <Uri Name="/*.nSG*"/>
    <Uri Name="/*.NsG*"/>
    <Uri Name="/*.NSG*"/>
    <!-- *.??h -->
    <Uri Name="/*.nsh*"/>
    <Uri Name="/*.nSh*"/>
    <Uri Name="/*.Nsh*"/>
    <Uri Name="/*.NSh*"/>
    <!-- *.??H -->
    <Uri Name="/*.nsH*"/>
    <Uri Name="/*.nSH*"/>
    <Uri Name="/*.NsH*"/>
    <Uri Name="/*.NSH*"/>
    <!-- *.??2 -->
    <Uri Name="/*.ns2*"/>
    <Uri Name="/*.nS2*"/>
    <Uri Name="/*.Ns2*"/>
    <Uri Name="/*.NS2*"/>
    <!-- *.??3 -->
    <Uri Name="/*.ns3*"/>
    <Uri Name="/*.nS3*"/>
    <Uri Name="/*.Ns3*"/>
    <Uri Name="/*.NS3*"/>
    <!-- *.??4 -->
    <Uri Name="/*.ns4*"/>
    <Uri Name="/*.nS4*"/>
    <Uri Name="/*.Ns4*"/>
    <Uri Name="/*.NS4*"/>
    <!-- *.??5 -->
    <Uri Name="/*.ns5*"/>
    <Uri Name="/*.nS5*"/>
    <Uri Name="/*.Ns5*"/>
    <Uri Name="/*.NS5*"/>
    <!-- *.??6 -->
    <Uri Name="/*.ns6*"/>
    <Uri Name="/*.nS6*"/>
    <Uri Name="/*.Ns6*"/>
    <Uri Name="/*.NS6*"/>
  </UriGroup>
  <ServerGroup
    Name="DominoGroup"
    LoadBalance="Round Robin"
    RemoveSpecialHeaders="true"
    RetryInterval="60"
  >
    <Server
      Name="Domino1"
      CloneId="TestingClone"
      MaxConnections="50"
    >
      <Transport
        Hostname="localhost.dotnsf.com"
        Port="81"
        Protocol="http"
      />
    </Server>
    <Server
      Name="Domino2"
      CloneId="ProductionClone"
      MaxConnections="50"
    >
      <Transport
        Hostname="server203.dotNSF.com"
        Port="80"
        Protocol="http"
      />
      <!--<Transport
        Hostname="server100.dotNSF.com"
        Port="443"
        Protocol="https"
      />
      -->
    </Server>
    <Server
      Name="Domino3"
      MaxConnections="50"
      CloneId="ProductionClone">
      <Transport
        Hostname="server101.dotnsf.com"
        Port="80"
        Protocol="http"
      />
    </Server>
  </ServerGroup>
  <Route
    VirtualHostGroup="DominoHosts"
    UriGroup="DominoHostsURIs"
    ServerGroup="DominoGroup"
  />
</Config>

: TRACE (log)
(Trace mode),
( C:/WebSphere/AppServer/logs/native.log).
( ),
,
, . , , URI .

C-2. C:/WebSphere/AppServer/logs/native.log
[Mon Jun 09 11:59:14 2003] 00000b0c 00000c44 - PLUGIN: ------------------------------------------------------------------
[Mon Jun 09 12:05:36 2003] 00000d54 00000e78 - PLUGIN: Plugins loaded.
[Mon Jun 09 12:05:36 2003] 00000d54 00000e78 - PLUGIN: -------------------System Information---------------------------------------
[Mon Jun 09 12:05:36 2003] 00000d54 00000e78 - PLUGIN: Bld date: Apr 28 2002, 01:26:50
[Mon Jun 09 12:05:36 2003] 00000d54 00000e78 - PLUGIN: Webserver: IIS
[Mon Jun 09 12:05:36 2003] 00000d54 00000e78 - PLUGIN: Hostname = VAIOR600
[Mon Jun 09 12:05:36 2003] 00000d54 00000e78 - PLUGIN: OS version 5.1, build 2600, Service Pack 1
[Mon Jun 09 12:05:36 2003] 00000d54 00000e78 - PLUGIN: ------------------------------------------------------------------
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: iis_plugin: HttpFilterProc: In HttpFilterProc for SF_NOTIFY_PREPROC_HEADERS
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: iis_plugin: checkRequest: In checkRequest
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: lib_util: decodeURI: Decoding /wmi.nsf
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: lib_util: decodeURI: Decoded to /wmi.nsf
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereCheckConfig: Current time is 1055174814, next stat time is 1055174766
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereCheckConfig: Latest config time is 1055173899, lastModTime is 1055173899
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereShouldHandleRequest: trying to match a route for: vhost=127.0.0.1; uri=/wmi.nsf
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /icons to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /domjava to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.NS6* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.Ns6* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.nS6* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.ns6* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.NS5* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.Ns5* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.nS5* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.ns5* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.NS4* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.Ns4* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.nS4* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.ns4* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.NS3* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.Ns3* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.nS3* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.ns3* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.NS2* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.Ns2* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.nS2* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.ns2* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.NSH* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.NsH* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.nSH* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.nsH* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.NSh* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.Nsh* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.nSh* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.nsh* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.NSG* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.NsG* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.nSG* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.nsG* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.NSg* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.Nsg* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.nSg* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.nsg* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.NSF* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.NsF* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.nSF* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.nsF* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.NSf* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.Nsf* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Comparing /*.nsf* to /wmi.nsf in UriGroup: DominoHostsURIs
[Mon Jun 09 12:06:54 2003] 00000d54 00000198 - TRACE: ws_common: websphereUriMatch: Found a match /*.nsf* to /wmi.nsf in UriGroup: DominoHostsURIs

, ,
Domino, HttpEnableConnectorHeaders=1.
, , ( ) , cookie- , URL URL.
,
sticky-, . . , (affinity), ,
.

C-3
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |Accept| to value |image/gif, image/xxbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |Accept-Language| to value |en-gb|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |Connection| to value |Keep-Alive|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |Host| to value |127.0.0.1|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |User-Agent| to value |Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |Accept-Encoding| to value |gzip, deflate|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |x-ibm-incoming-enc-url| to value |/wmi.NSF|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |$WSAT| to value |Negotiate|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |$WSIS| to value |false|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |$WSSC| to value |http|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |$WSPR| to value |HTTP/1.1|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |$WSRA| to value |127.0.0.1|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |$WSRH| to value |127.0.0.1|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |$WSRU| to value |VAIOR600\MyUserChiesa|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |$WSSN| to value |127.0.0.1|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest: htrequestSetHeader: Setting the header name |$WSSP| to value |80|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common: websphereHandleSessionAffinity: Checking for session affinity
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common: websphereHandleSessionAffinity: Checking the SSL session id
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest: htrequestGetCookie: Looking for cookie: SSLJSESSION
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest: htrequestGetCookie: No cookie found for: SSLJSESSION
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common: websphereParseSessionID: Parsing session id from /wmi.NSF
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common: websphereParseSessionID: Failed to parse session id
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common: websphereHandleSessionAffinity: Checking the app server session id
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest: htrequestGetCookie: Looking for cookie: JSESSIONID
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest: htrequestGetCookie: No cookie found for: JSESSIONID
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common: websphereParseSessionID: Parsing session id from /wmi.NSF
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common: websphereParseSessionID: Failed to parse session id
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_server_group: serverGroupNextRoundRobinServer: Round Robin load balancing
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common:
websphereFindTransport:
Finding the transport
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common:
websphereFindTransport:
Setting the transport: dotNSF.theconifers.com on port 80
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common:
websphereExecute: Executing
the transaction with the app server
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common:
websphereGetStream: Getting
the stream to the app server
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_transport:
transportStreamDequeue:
Checking for existing stream from the queue
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_stream:
openStream: Opening the stream
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common:
websphereGetStream: Created a
new stream; queue was empty
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest:
htrequestWrite: Writing
the request:
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: GET /wmi.NSF
HTTP/1.1
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: Accept:
image/gif, image/x-xbitmap,
image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.
ms-powerpoint,
application/msword, */*
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: AcceptLanguage: en-gb

Domino 6 HTTP

653

[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: Connection:


Keep-Alive
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: Host:
127.0.0.1
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: User-Agent:
Mozilla/4.0 (compatible;
MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: AcceptEncoding: gzip, deflate
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: x-ibmincoming-enc-url: /wmi.NSF
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: $WSAT: Negotiate
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: $WSIS:
false
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: $WSSC: http
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: $WSPR: HTTP/1.1
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: $WSRA:
127.0.0.1
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: $WSRH:
127.0.0.1
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: $WSRU:
VAIOR600\MyUserChiesa
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: $WSSN:
127.0.0.1
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: $WSSP: 80
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_htrequest:
htrequestWrite: Writing
the request content
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_stream:
flushStream: Flushing the
stream
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common:
websphereExecute: Wrote the
request; reading the response
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_
htresponse: htresponseRead: Reading the response:
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: HTTP/1.1 200 OK
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: Date: Mon,
09 Jun 2003 16:03:37 GMT
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: Last-Modified:
Mon, 09 Jun 2003
16:03:35 GMT
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: Expires:
Tue, 01 Jan 1980 06:00:00 GMT
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: Content-Type:
text/html;

654

charset=US-ASCII
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ContentLength: 1601
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_
htresponse:
htresponseSetContentLength: Setting the content length |1601|
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: Cachecontrol: no-cache
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: lib_stream:
flushStream: Flushing the stream
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common:
websphereExecute: Read the
response; breaking out of loop
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common:
websphereExecute: Done with
Request to app server processing
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_cache:
cacheWriteHeaders: In cacheWriteHeaders
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: iis_plugin:
cb_write_headers: In the write headers callback
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_cache:
cacheWriteBody: In cacheWriteBody
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: iis_plugin:
cb_write_body: In the write body callback
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: iis_plugin:
cb_write_body: Writing chunk
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common:
websphereHandleRequest: Done:
host=127.0.0.1; uri=/wmi.NSF
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_common:
websphereEndRequest: Ending the request
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_transport:
transportStreamEnqueue:
Adding existing stream to the queue
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: ws_cache:
cacheFinish: In cacheFinish
[Mon Jun 09 12:07:18 2003] 00000d54 00000198 - TRACE: iis_plugin:
HttpFilterProc: In
HttpFilterProc for SF_NOTIFY_LOG

Domino 6 HTTP

655

