From the KBASE:
Public key verification does not work from one organization to another
Product:
Lotus Domino > Lotus Domino Server > Versions 6.5, 6.0, 5.0
Platform(s):
AIX, i5/OS, Linux, OS/390, OS/400, Solaris, Windows, z/OS
Doc Number:
1087840
Published 06.03.2006
Technote
Problem
You are running a Domino server and discover that public key verification is not working from one organization to another, as demonstrated in the following example:
Two organizations, /Acme and /ABC, are cross-certified. Directory assistance is configured on both servers and is enabled for the other organization's names.nsf. The administrators of each organization enable the option "Compare Notes public keys against those stored in Directory", which is found in the Server document under the Security tab, Security Settings section. Enabling public key verification causes the following error to display whenever a user or server attempts to open a session with the cross-certified organization:
"Server error : your public key was not found in the name and address book."
Solution
This issue is under investigation by Quality Engineering. To work around this issue, place copies of the entries or the entire Domino Directory on a server that you are authorized to use when the option is enabled. This is usually a server within your own organization.
Alternatively, to work around this issue, copy the Person and Server documents into the Domino Directory (names.nsf) of the server that has the option "Compare Notes public keys against those stored in Directory" enabled.
To automate this process, you can set up an Extended Directory Catalog (EDC) and integrate it into your primary Domino Directory. This means that your primary Domino Directory (names.nsf) will also become the EDC. The steps to set this up are documented in the Domino 6.5.1 Admin Help, document "Setting up an Extended Directory Catalog". Please note the specific instructions about integrating the Extended Directory Catalog.
Note: To enable public key checking to work with a secondary address book defined in directory assistance, you must enable the "Trusted for Credentials" field on the Naming Contexts (Rules) tab of the directory assistance document for the appropriate domain.
Supporting Information:
The additional information displayed when you click on the "Compare Notes public keys against those stored in Directory" option fully documents the behavior as follows:
Select Yes to require that public keys on client IDs match those stored in the Public Address Book. Default is No. If you select Yes, only clients with public keys that match those in the Public Address Book can authenticate with the server. This helps prevent unauthorized use of IDs. For example, if an unauthorized person copies an ID and the owner changes the public key on the original as a result, select Yes to prevent the unauthorized user with the original ID and public key from authenticating. This feature also prevents someone not listed in the Public Address Book from authenticating, for example, someone from another organization or someone who has left the company.
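As an added illustration (not Domino's code and not part of the technote), the following simplified Python model shows the lookup behaviour described in the Solution and Supporting Information sections: the key is looked up in the primary names.nsf and then only in secondary directories trusted for credentials, and a found-but-different key is rejected. All names, keys and the `trusted_for_credentials` attribute are constructed assumptions.

```python
# Added illustration, not Domino code: a simplified model of the
# "Compare Notes public keys against those stored in Directory" check.
from dataclasses import dataclass, field


@dataclass
class Directory:
    """A Domino Directory (names.nsf) modelled as name -> stored public key."""
    domain: str                      # organization it serves, e.g. "/Acme"
    keys: dict = field(default_factory=dict)


@dataclass
class DirectoryAssistance:
    """One directory assistance document for a secondary directory,
    with its 'Trusted for Credentials' setting (modelled as a boolean)."""
    directory: Directory
    trusted_for_credentials: bool = False


def org_of(notes_name: str) -> str:
    """Top-level organization of a hierarchical Notes name: 'Bob/ABC' -> '/ABC'."""
    return "/" + notes_name.rsplit("/", 1)[1] if "/" in notes_name else ""


def lookup_key(primary: Directory, assistance: list, name: str):
    """Primary directory first; secondary directories only if trusted for credentials."""
    if name in primary.keys:
        return primary.keys[name]
    for da in assistance:
        if (da.trusted_for_credentials and org_of(name) == da.directory.domain
                and name in da.directory.keys):
            return da.directory.keys[name]
    return None


def verify_public_key(primary: Directory, assistance: list, name: str, presented_key: str):
    stored = lookup_key(primary, assistance, name)
    if stored is None:            # the technote's error: entry not in any usable directory
        return (False, "your public key was not found in the name and address book")
    if stored != presented_key:   # copied ID whose owner has since changed the key
        return (False, "public key mismatch")
    return (True, "authenticated")


def demo() -> dict:
    acme = Directory("/Acme", {"Server1/Acme": "acme-srv-key", "Ann/Acme": "ann-key-v2"})
    abc = Directory("/ABC", {"Bob/ABC": "bob-key"})
    r = {}
    r["untrusted"] = verify_public_key(acme, [DirectoryAssistance(abc)], "Bob/ABC", "bob-key")
    r["trusted"] = verify_public_key(acme, [DirectoryAssistance(abc, True)], "Bob/ABC", "bob-key")
    copied = Directory("/Acme", {**acme.keys, "Bob/ABC": "bob-key"})  # Person doc copied in
    r["copied"] = verify_public_key(copied, [], "Bob/ABC", "bob-key")
    r["stale_copy"] = verify_public_key(acme, [], "Ann/Acme", "ann-key-v1")
    return r
```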