Configuring a port for TLS

You can configure a port to use only server authentication or to use both server and client authentication.

About this task

If you are using Internet Site documents, see the topic about setting up security for Internet Site documents in the related information.

Procedure

  1. From the HCL Domino® Administrator, click Configuration > Servers, and open the Server document.
  2. Click the Ports > Internet Ports tab.
  3. Complete these fields:
    Table 1. Internet Ports fields (field name, followed by what to enter)

    TLS key file name

    Specify one of the following:
    • If a certstore.nsf configuration is used, specify the host name of the server, or the host name of any other certificate in certstore.nsf that is assigned to the server.
    • If a certstore.nsf configuration is not used, specify the name of the key ring (.kyr) file.
    Note: If the Domino server makes outbound TLS connections that use client certificate authentication (for example, LDAPS requests), specify the host name or key ring that holds the credentials used for those outbound connections.
    Note: Domino® does not use this field for IIOP, which uses a separate key ring file. You cannot change the name of the IIOP key ring file.

    Accept TLS site certificates

    Choose one:

    • Yes - to allow this server to accept site certificates and use TLS to access an Internet server, even if the Domino® server does not have a certificate in common with that Internet server.
    • No - to not allow this server to accept site certificates.

    Accept expired TLS certificates

    Choose one:

    • Yes - to allow clients to access the server even if the client certificate has expired.
    • No - to not allow clients with expired client certificates to access the server.
  4. Click the tab for the protocol that you want to configure, and then complete these fields:
    Table 2. Protocol fields (field name, followed by what to enter)

    TLS port number

    Enter the port number on which Domino® listens for TLS requests. You configure this here regardless of whether you are using Internet Sites or the Web Configurations view.

    Note: If you change the default port number, clients must change their configurations as well. The default port number is usually changed only if a firewall proxy uses the reserved port number.

    TLS port status

    Choose Enabled to allow TLS connections on the port. You configure this here regardless of whether you are using Internet Sites or the Web Configurations view.

    Note: Because a Domino® server can act as either an SMTP server or an SMTP client, SMTP has two TLS port status fields, one for each role. To set up a Domino® server as a TLS-enabled SMTP server, choose Enabled in the SMTP Inbound field.

    Client certificate

    Choose one:

    • No - to not use client authentication.
    • Yes - to use client authentication.
    Note: SMTP and IIOP do not support client authentication.

    Name & password

    Choose one:

    • No - to not use name-and-password authentication.
    • Yes - to use name-and-password authentication.

    Anonymous

    Choose one:

    • Yes - to allow anonymous access. You must choose Yes if you want users to connect using server authentication only.
    • No - to prevent anonymous access.

    If you choose Yes for both Anonymous and Client certificate, Domino® first tries to authenticate the client. If that fails, Domino® tries to connect the user anonymously.

    If you choose Yes for Anonymous, Client certificate, and Name & password, Domino® first tries to authenticate the client using the client certificate. If that fails, Domino® tries to use name-and-password authentication. If that fails, Domino® tries to connect the user anonymously.

    LDAP must be configured to allow anonymous TLS connections so that name lookups can be performed.

    IMAP, POP3, and SMTP do not support anonymous access.
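After the port is configured, it is worth confirming from the outside that the settings took effect: that the port answers TLS at all (TLS port status and port number), that the certificate served from the key file is still valid, and that the server asks for a client certificate exactly when the Client certificate field is set to Yes. The following is an added example written for this page, not HCL code: it feeds the text printed by `openssl s_client` into a small parser and reports mismatches against the expected configuration. The host name domino.example.com, the CA name, and the sample handshake output are constructed; `probe()` runs `openssl` against a live port and is not needed to run the sample offline.

```python
"""Post-configuration check for a Domino TLS port.

Summarizes `openssl s_client` output so a reviewer can confirm the
Internet Ports settings (server certificate validity, client certificate
request) without reading the raw handshake dump.  Added example, not HCL code.
"""
import re
import subprocess

# Constructed sample of `openssl s_client -connect host:port` output, trimmed
# to the lines this checker uses. It models a port whose server certificate
# has expired and whose Client certificate field is set to Yes.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
depth=0 CN = domino.example.com
verify error:num=10:certificate has expired
---
Certificate chain
 0 s:CN = domino.example.com
   i:CN = Example Internal CA
---
Acceptable client certificate CA names
CN = Example Internal CA
Client Certificate Types: RSA sign, ECDSA sign
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 10 (certificate has expired)
---
"""


def summarize_s_client(output: str) -> dict:
    """Extract the facts relevant to the Internet Ports settings."""
    cipher = re.search(r"^New, (\S+), Cipher is (\S+)$", output, re.M)
    verify = re.search(r"Verify return code: (\d+) \((.*)\)", output)
    # OpenSSL prints this header only when the server sent a CertificateRequest,
    # which is what the port's "Client certificate = Yes" setting causes.
    header = "Acceptable client certificate CA names"
    requests_client_cert = header in output
    ca_names = []
    if requests_client_cert:
        block = output.split(header, 1)[1].split("---", 1)[0]
        for line in block.splitlines():
            line = line.strip()
            if not line:
                continue
            if re.match(r"^[\w ]+: ", line):   # "Client Certificate Types: ..." etc.
                break
            ca_names.append(line)
    return {
        "connected": output.startswith("CONNECTED"),
        "protocol": cipher.group(1) if cipher else None,
        "cipher": cipher.group(2) if cipher else None,
        "verify_code": int(verify.group(1)) if verify else None,
        "verify_text": verify.group(2) if verify else None,
        "requests_client_cert": requests_client_cert,
        "client_ca_names": ca_names,
    }


def findings(summary: dict, expect_client_cert: bool) -> list:
    """Compare the handshake summary with the intended port configuration."""
    out = []
    if not summary["connected"]:
        return ["no TLS connection: check TLS port status and port number"]
    if summary["verify_code"] == 10:   # X509_V_ERR_CERT_HAS_EXPIRED
        out.append("server certificate has expired: renew the certificate in the key file")
    elif summary["verify_code"] not in (0, None):
        out.append(f"server certificate not trusted: {summary['verify_text']}")
    if expect_client_cert and not summary["requests_client_cert"]:
        out.append("server did not request a client certificate: "
                   "Client certificate field is probably set to No")
    if not expect_client_cert and summary["requests_client_cert"]:
        out.append("server requests a client certificate but the port was "
                   "expected to use server authentication only")
    return out


def probe(host: str, port: int, timeout: int = 10) -> dict:
    """Run openssl s_client against a live port and summarize the result."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input="", capture_output=True, text=True, timeout=timeout)
    return summarize_s_client(proc.stdout)


if __name__ == "__main__":
    # Offline run over the constructed sample; use probe("host", 443) live.
    for finding in findings(summarize_s_client(SAMPLE_OUTPUT), expect_client_cert=True):
        print("-", finding)
```

Run `probe(host, port)` once per protocol tab you changed (for example the HTTP and LDAP ports), with `expect_client_cert` set to match the Client certificate field on that tab; a port that still reports "no TLS connection" after the change usually means the TLS port status was left disabled or the server was not restarted.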