Subject: Enable SSL for some databases on web
I need to enable some databases using SSL. I am using R7.01. What steps do I need to take? Do I generate the keyfile.kyr and update the server document to enable the SSL port 443 and recycle the server? From the database side, do I just check the option “Enable SSL…”? I am not sure how and where to get the key. Is this key from the Domino server? Thanks much.
All the info you need can be found in admin help. The whole topic is much too broad to go into details here. Just a few points to get you started:
To generate the keyring file and its associated stash file (you need both of them) you have to create a db based on the “Server Certificate Admin” (csrv50.ntf) template.
You can buy certificates to use in your keyring file from trusted root authorities like Verisign, Thawte and many others, or set up a Certificate Authority in Domino, using a db based on the “Domino Certificate Authority” template (cca50.ntf). If you create a certificate yourself, it is not derived from one of the trusted certificates that web browsers know about. Consequently, users will be presented with a dialog to accept your certificate. This is because the certificate serves two purposes: it’s not only used for encrypting data transfer, but also to ensure that you (or your server) are really who you claim to be.
The database property will make sure that this single database can only be used over https, but additionally, you can configure web site documents to only accept SSL Authentication and/or redirect all TCP requests to SSL.
Subject: RE: Enable SSL for some databases on web
Thanks, Harkpabst. When I generate the keyring file, do I need the server ID to do it? My server admin does not know much and he is away. I am not sure if I can complete this task without the server ID. My company may have bought the certificate, so I will create a database based on csrv50.ntf and generate the keyfile and apply the certificate all from the Notes client? What is a stash file? Does that come with the keyring? Thanks much.
Subject: RE: Enable SSL for some databases on web
No, you should not need the server or certifier ID, as this has nothing to do with Domino’s own certificates. First check if the Server Certificate Admin has already been created on the server. Chances are, it has. Then of course you need access to that database. Editor access should do.
Note that the keyring.kyr (or however you name it, but nothing speaks against just keeping this name) and the associated .sth file are created on your local machine, so you need to have a way to move them physically to the server machine. The stash file is required for the server to be able to decrypt the keyring file (as you will protect it with a password).
The admin help is really pretty verbose on these topics. Could be that I forgot something that’s noted there.
Subject: RE: Enable SSL for some databases on web
Dear Harkpabst, thanks for your info. I created one Certificate Admin database, and created the keyring file plus the stash file, and they are on my local drive. Then I realized that they should be on the server box. My question is on the server document, Ports > Internet Ports: the keyring file box defaults to “keyfile.kyr”; it does not specify the file path. How does the system know where the key file resides?
In my company, we can request a public CA certificate. If I need to do this SSL for two servers, I need to generate two CSRs and apply the certificate from the CA on each of them, correct? Thanks so much!
Subject: RE: Enable SSL for some databases on web
Keyring and stash file should be placed alongside each other in the data directory. I don’t know if you can add a path to the location of keyring.kyr in internet site documents or the internet ports tab of the server document. But it’s not worth trying, I tend to say.
Usually, a certificate is issued for one machine, specifying its fully qualified hostname. Consequently, every server with a unique FQHN needs a certificate of its own. Some companies do sell certificates for domain scope rather than host scope, but this is not so common, not offered by the bigger root authorities and (probably) not by the Certificate Authority in your company.
Also note one more potential stumbling block: if you SSL-enable a database that inherits its design from a template, the template’s setting will be reinforced the next time the design process runs. In other words: if you have different databases based on the same template, and some of them require SSL while others don’t, you have to manage different templates for them.
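Two points in the replies above are easy to get wrong when moving the files by hand: the keyring and its stash file must both end up in the server's data directory (the server document only names the file, not its path), and the stash file is what lets the server open the password-protected keyring, so it is as sensitive as the password itself. The following pre-flight check is an added example written for this thread, not Domino's own tooling or anything posted by the participants. It assumes the data directory path and keyring name are passed as arguments and that the stash file shares the keyring's base name with a .sth extension (Domino's convention); it does not inspect the keyring contents.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a Domino keyring and its
# stash file are in place before enabling the SSL port on the server.
# Assumptions: DATADIR is the Domino data directory; KEYRING is the name entered
# in the server document (default keyfile.kyr); the stash file has the same base
# name with a .sth extension.

# check_keyring DATADIR [KEYRING]
#   returns 0 when both files are present and the stash file is not world-readable,
#   non-zero otherwise, printing what was found wrong.
check_keyring() {
    datadir="$1"
    kyr="${2:-keyfile.kyr}"      # Domino's default keyring name
    sth="${kyr%.kyr}.sth"        # stash file: same base name, .sth extension
    status=0

    if [ ! -f "$datadir/$kyr" ]; then
        echo "MISSING: $datadir/$kyr (the server document names only the file; it must live in the data directory)"
        status=1
    fi

    if [ ! -f "$datadir/$sth" ]; then
        echo "MISSING: $datadir/$sth (without the stash file the server cannot open the password-protected keyring)"
        status=1
    else
        # The stash file substitutes for the keyring password, so anyone who can
        # read it can open the keyring. Flag world-readable permissions.
        # 'stat -c' is GNU; the fallback covers BSD/macOS stat.
        perms=$(stat -c '%a' "$datadir/$sth" 2>/dev/null || stat -f '%Lp' "$datadir/$sth" 2>/dev/null)
        case "$perms" in
            *[4567])
                echo "WARNING: $datadir/$sth is world-readable (mode $perms); restrict it to the Domino server account"
                status=1
                ;;
        esac
    fi

    [ "$status" -eq 0 ] && echo "OK: $kyr and $sth present in $datadir"
    return "$status"
}
```

Run it on the server as `check_keyring /local/notesdata keyfile.kyr` after copying the two files over and before restarting the HTTP task; a non-zero exit means the SSL port will not come up cleanly or the stash file is exposed to other local users.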