Customizing a Notes install kit to set certifier and trust defaults

You can configure the deploy.nsf application to specify administrative trust settings using an Export option in the server's Domino® Directory (names.nsf) to add those settings to the install kit's deploy.nsf application.

About this task

The administrative trust defaults in deploy.nsf and the Internet certifiers in the install kit's Java™ keystore are processed to define trusted certifiers. The keystore is used directly during install, but is ignored at runtime. The deploy.nsf is processed at startup to add trust certifiers to the user's Contacts application (names.nsf) to be used at runtime.

You can install the deploy.nsf application as part of a Notes® client install kit.

You cannot manually edit or delete certificates in the deploy.nsf. You can only make changes to the installed deploy.nsf only by exporting from the server's Domino Directory to a new deploy.nsf and then overwriting the installed deploy.nsf with the new file. The notes.ini statement FORCE_PROCESS_DEPLOY_NSF=1 ensures that the deploy.nsf application is processed. Alternatively, you can simply use Domino policy. If there are certificates listed in the installed deploy.nsf and you overwrite the with a new deploy.nsf, any certificates that are not in the new deploy.nsf are deleted. If you are going to use this technique, maintain a central and cumulative deploy.nsf so as not to unintentionally delete certificates from a user's system.

Pushing administrative trust settings to users by customizing the install kit enables you to do the following:

  • Add third party certificates to the Java keystore, which allows signed features/plugins added to the install kit to be trusted at install time. The keystore can be modified manually using keytool, but this method is simpler and leverages existing infrastructure.
  • Push Internet Certifiers, Internet Cross Certificates, and Notes Cross Certificates to the user's Contacts application (names.nsf), so that when user install new features/plugin at runtime, or access new applications, they will not be prompted for trust decisions.

You can alternatively push administrative trust settings to users from Domino policy, which is the recommended method, to centrally manage and change settings as needed.

Note: You should use the action Export Certificates to Deploy Database only to make changes to an existing deploy.nsf.
Note: If you use the Domino policy method (Keys and Certificates tab on the Security policy page) to push trust settings, then even if there is an installed deploy.nsf it will be ignored and the policy settings will instead be used. Any certificates resident in the Contacts application because of the deploy.nsf, and that are not specified in Domino policy, will be removed.

To add administrative trust settings to an install kit without pushing those settings from the Keys and Certificate tab on the Security policy page, proceed as follows.

Procedure

  1. Log into a Domino Administrator or Notes client using an administrative ID.
    Note: The client and server must be version 8.5.1 or later, and the server must be running the 8.5.1 or later version of names.nsf, based on the pubnames.ntf template.
  2. Open the server's Domino Directory (names.nsf).

    This server must contain all of the certificates and cross-certificates that you want to deploy.

  3. Open the Security/Certificates view.
  4. Select all the Internet certifiers, and Notes and Internet cross-certificates, that you want to deploy.
    Note: Each must be checked (checkmark) and visible in the view, not hidden under a category. The currently selected document must also be checked.
  5. Click Export Certificates to the Deploy Database on the Actions menu.
  6. Specify the location at which to create the Java keystores and the deploy.nsf application.

    This must be an existing directory; ensure that the specified path is correct before continuing.

    Note: If these files do not exist, they will be created.
    Note: To augment an existing install kit, choose the deploy directory of that kit. The selected Internet certifiers will be added to any existing .keystore* files, and all selected documents will replace any certificate documents in the existing deploy.nsf.
  7. Respond to the force deletes prompt and click Next.
    • Choose Yes to delete any certificate documents in the user's Contacts application previously added by a deploy.nsf. The certificates in deploy.nsf are copied to the Contacts application.
    • Choose No to copy all the certificates in deploy.nsf to the user's Contacts application, if they don't already exist. Certificates that were previously added by deploy.nsf, but do not exist in the current deploy.nsf, remain unchanged in the user's Contacts application.

    If you selected Internet Certifiers, the result should be as follows, otherwise only the deploy.nsf application is created.

    location/.keystore.JCEKS.Java_HotSpot_Client_VM.install
    location/.keystore.JCEKS.IBM_J9_VM.install
    location/extras/deploy.nsf
  8. Copy the .keystore* files to the deploy directory of the kit and the ddeploy.nsf to the deploy/extras directory of the kit.
    Note: On Windows™ the deploy directory is located in the same directory as setup.exe.
    Note: On Mac OS X the deploy directory is located at Lotus Notes Installer.mpkg\Contents\deploy\. To access it in Finder, right-click on Lotus Notes Installer.mpkg and choose Show Package Contents.
    Note: Linux™ requires a different process. See the related topic on customizing installation for Linux.

    The resultant deploy.nsf is based on the client's Contacts application template (pernames.ntf) and can be opened to check that all of the certificates have copied correctly.

    If the resultant deploy.nsf application is not what you expected, or error messages appear during processing, start Notes and select Tools > Show Java Debug Console to view log messages or Java exceptions and contact IBM® Support with that information.

    Note: To ease performance, deploy.nsf is processed only when new components are installed to the Notes runtime by way of an add-on installer or the client is upgraded. To force deploy.nsf to be reprocessed, set the notes.ini variable FORCE_PROCESS_DEPLOY_NSF=1. After deploy.nsf is processed, the value resets to zero.
  9. Run the Notes installation program.
    Note: When you install Notes (standard configuration), deploy.nsf is created in the extras directory in the install kit and installed to the Notes framework\rcp\extras directory. If using Notes (basic configuration) install kit customization, the deploy.nsf should be installed to the user's data directory.