Can The NotesDriverShim Use Domino Certificate Authority (CA) To Register New Notes Users? Does the NotesDriverShim work with this Domino feature?


Yes. However, policy must set the appropriate XML attributes in the add command and the Domino Certificate Authority must be properly configured. Policy can also be applied to allow for moves to be performed using a Domino CA.

To have the NotesDriverShim attempt to use a Domino certificate authority, set the following attributes on the command element:

  • use-certificate-authority=”true”
  • certifier-name=”\certOU\Org”

where \certOU\Org represents the name of the certifier in the NAB. If a move in being performed, and the old-certifier-name and old-cert-use-certificate-authority XML attributes can be utilized depending on which certifier (most likely both) is handled by the Domino CA. One deficiency of the Notes Driver attempting to perform a Move operation with via a Domino CA, is that the NotesDriverShim cannot complete the move request, it can only initiate it. The move completion must be manually performed by a Domino admin. This limitation is due to the delay caused when initiating the move request via a CA. After the request is initiated, and the NotesDriverShim is ready to complete the request, it is forced to wait until the events in the AdminP/CA queue are processed. Because this is not immediate, the move completion cannot be performed immediately, so it is skipped (and therefore must be performed manually by a Domino admin).

A really nice side effect of using a Domino CA to register new Notes person objects with the NotesDriverShim, is that the IDM system does not have to store and pass Domino certificate passwords. The certificate passwords are managed by the Domino CA. Only the certificate name is passed as a parameter.

0 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 5 (0 votes, average: 0.00 out of 5)
You need to be a registered member to rate this post.

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

Leave a Reply

No Comments
By: pnuffer
Apr 23, 2008
4:01 pm
Active Directory Authentication Automation Cloud Computing Cloud Security Configuration Customizing Data Breach DirXML Drivers End User Management Identity Manager Importing-Exporting / ICE/ LDIF Intelligent Workload Management IT Security Knowledge Depot LDAP Monitoring Open Enterprise Server Passwords Reporting Secure Access Supported Troubleshooting Workflow