Deployment on a single Domino Server
You must run the necessary configuration steps to deploy the plug-in on a single Domino® Server.
To install the Domino HTTP Password Synchronizer on the Domino Server, run the installer on the system where the Domino Server is installed. The installer places all required files in the appropriate directory structures. The Domino Server directories are referred to as follows:
- The Domino Server program folder is known as domino_program_directory. For example, C:\Program Files\IBM\Lotus\Domino on the Windows platform, and /opt/ibm/lotus on the Linux and UNIX-based platforms.
- The Domino Server data folder is known as domino_data_directory. For example, C:\Program Files\IBM\Lotus\Domino\Data on the Windows platform, and /local/notesdata on the Linux and UNIX-based platforms.
- The Domino Server JVM folder is known as domino_jvm_directory. For example, C:\Program Files\IBM\Lotus\Domino\jvm on the Windows platform, and /opt/ibm/lotus/notes/80000/linux/jvm on the Linux and UNIX-based platforms.
Notes:
- The Domino HTTP Password Synchronizer ships with the TDI_install_dir/pws_plugins/domino/pwsync.props template configuration file, which has all the required properties preset by default and is ready for use.
- The default Password Store configured in the shipped pwsync.props file is the Log Password Store. This Password Store writes every captured password to the log file of the proxy, so it exposes the plain-text passwords of all users to anyone who can read that log. Use this Password Store only for diagnostic purposes.
The following table explains the deployment steps.
| Step | Description |
| --- | --- |
| 1 | Make sure that the new files copied during the post-install phase are read by the Domino Server. |
| 2 | The external databases shipped with Security Directory Integrator must be signed by the Domino Server so that it can vouch for their integrity. |
| 3 | Editing the pubnames.ntf template changes the behavior of the names.nsf database. Code is placed at several key places to intercept the plain-text password. When the password is captured, it is passed to the appropriate Java agent, such as IDIPWSyncClientAgent or IDIPWSyncWebAgent. |
| 4 | Editing the admin4.ntf template changes the behavior of the admin4.nsf database. The copied Java agent IDIPWSyncAdminRequestAgent is responsible for periodically processing the administration requests posted by users when they change their passwords. |
| 5 | Agents run with the rights of their signer. The Password Synchronizer agents must run restricted operations such as network access or file system access, so they must be signed by someone who has the "sign or run unrestricted methods and operations" privilege. |
| 6 | Refreshing the design of the names.nsf database applies the changed template to the existing database. |
| 7 | Refreshing the design of the admin4.nsf database applies the changed template to the existing database. |
| 8 | The Java agents use the idipwsync.nsf database to store documents that need further processing. You must encrypt the documents to protect them in this database. The secret key created in this step is used for the database encryption. |
| 9 | Port encryption encrypts the communication between Lotus® Domino Administrator and the Domino Server, adding a layer of security to the network communication. |
| 10 | SSL is necessary to secure the communication between the web browser and the Domino HTTP Server. If SSL is not set up, the password is transferred over the network in plain text. |
| 11 | The Java Proxy runs in the JVM shipped with Domino. The process starts as a server task when you start the Domino Server. See Configure Domino Server to automatically start and stop Java proxy. |
| 12 | Configure each Lotus Domino Administrator client to enable administrative password changes. See Configure execution control list of Lotus Domino Administrator clients. |
| 13 | The IDIPWSync group lists the users who have the right to change the passwords of other users. Typically, only administrators are in this group. Regular users can still change passwords through iNotes® even if they do not belong to this group. Only members of this group can access the idipwsync.nsf database, which is used to transfer data between LotusScript and the Password Synchronizer agents. Because agents run with the rights of their signer, the signer of the Password Synchronizer agents must also be added to the IDIPWSync group so that the agents can access the idipwsync.nsf database. |
| 14 | The pwsync_install_r8.nsf database is used only to distribute the required template objects. When the Domino HTTP plug-in is set up, the database is no longer required and can be deleted. |
- Signing databases with Server ID
  You must sign the pwsync_install_r8.nsf and idipwsync.nsf databases with the Active Server ID.
- Updating pubnames.ntf template design
  You must edit the pubnames.ntf template to make the necessary changes to the names.nsf database.
- Updating the admin4.ntf template design
  You must edit the admin4.ntf template to make the necessary changes to the admin4.nsf database.
- Signing the agents with a signer
  The Password Synchronizer agents must run restricted operations such as network access or file system access. Therefore, the agents must be signed by a person who has the "sign or run unrestricted methods and operations" privilege.
- Refreshing names.nsf database design
  You must refresh the names.nsf database to apply the changes from the template to the existing database.
- Refreshing the design of the admin4.nsf database
  You must refresh the admin4.nsf database to apply the changes from the template to the existing database.
- Set up secret key encryption infrastructure
  The Java agents use the idipwsync.nsf database to store documents that are required for further password processing. You must encrypt the documents to protect them in this database.
- Set up port encryption
  Port encryption encrypts the communication between Lotus Domino Administrator and the Domino Server, adding a layer of security to the network communication.
- Set up SSL for Domino HTTP Server
  SSL is necessary to secure the communication between the web browser and the Domino HTTP Server. If SSL is not set up, the password is transferred over the network in plain text.
- Configure Domino Server to automatically start and stop Java proxy
  The Java Proxy runs in the JVM shipped with Domino. The proxy starts as a Server Task when you start the Domino Server.
- Configure execution control list of Lotus Domino Administrator clients
  You must configure each Lotus Domino Administrator client to enable administrative password changes.
- Configure Access Control List
  You must create the IDIPWSync group in the Domino Directory and update the Access Control List (ACL) of the idipwsync.nsf database. Only members of the IDIPWSync group can access the idipwsync.nsf database.
- Deleting pwsync_install_r8.nsf database
  The pwsync_install_r8.nsf database is used only to distribute the required template objects. When the Domino HTTP plug-in is set up, the database is no longer required and can be deleted from the Domino Server.
Parent topic:
Domino HTTP Password Synchronizer