Can The NotesDriverShim Use Domino Certificate Authority (CA) To Register New Notes Users? Does the NotesDriverShim work with this Domino feature?
Yes. However, policy must set the appropriate XML attributes in the add command and the Domino Certificate Authority must be properly configured. Policy can also be applied to allow for moves to be performed using a Domino CA.
To have the NotesDriverShim attempt to use a Domino certificate authority, set the following attributes on the command element:
where \certOU\Org represents the name of the certifier in the NAB. If a move in being performed, and the old-certifier-name and old-cert-use-certificate-authority XML attributes can be utilized depending on which certifier (most likely both) is handled by the Domino CA. One deficiency of the Notes Driver attempting to perform a Move operation with via a Domino CA, is that the NotesDriverShim cannot complete the move request, it can only initiate it. The move completion must be manually performed by a Domino admin. This limitation is due to the delay caused when initiating the move request via a CA. After the request is initiated, and the NotesDriverShim is ready to complete the request, it is forced to wait until the events in the AdminP/CA queue are processed. Because this is not immediate, the move completion cannot be performed immediately, so it is skipped (and therefore must be performed manually by a Domino admin).
A really nice side effect of using a Domino CA to register new Notes person objects with the NotesDriverShim, is that the IDM system does not have to store and pass Domino certificate passwords. The certificate passwords are managed by the Domino CA. Only the certificate name is passed as a parameter.