Security features

Domino 12.0.2 provides the following features and enhancements related to security.

Security Assertion Markup Language (SAML)

SAML federated login changes
The default binding for signed AuthnRequests sent from the Domino Service Provider to the Identity Provider has changed from Post Binding to Redirect Binding. With the Redirect Binding the request travels deflated and base64-encoded in the query string, and the signature is carried in separate SigAlg and Signature query parameters rather than inside the XML.
To revert to Post Binding as the default, set SAML_REDIRECT_BINDING_SIGN=0 in notes.ini.
For more information, see Using Security Assertion Markup Language (SAML) to configure federated-identity authentication.
Archival of legacy signing certificates
The Domino Service Provider's relying trust with the Identity Provider, held in the IdP catalog database, now retains legacy IdP signing certificates.

When Domino imports a new IdP XML metadata file into an existing IdP catalog document, the new signing certificate is stored and the previous signing certificate (if present) is kept as an IdP Legacy Certificate.

IdP Legacy Certificates can be examined and removed from the Certificate Management tab, using the Examine Legacy Certificates button.

Legacy signing certificates are used to verify SAML Response and Assertion signatures only when verification against the current IdP signing certificate fails. A legacy certificate remains trusted for that fallback until it is removed, so remove it once the IdP has completed its certificate rotation.

For related information, see Creating a Web server IdP configuration document.
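The following Python sketch is an added example, not Domino code and not taken from the HCL documentation, that shows the two SAML details above. The sender builds a signed AuthnRequest in the Redirect Binding: the XML is deflated and base64-encoded, and the signature is computed over the URL-encoded query string SAMLRequest, RelayState (if present) and SigAlg, in that order, never over the XML. The receiver rebuilds the signed string from the query exactly as received and tries an ordered list of keys, current first and legacy second, which is the same fallback order the IdP catalog applies to legacy signing certificates; it reports which key matched so that any use of a legacy key can be logged and the certificate retired. HMAC-SHA256 with a shared secret stands in for the RSA-SHA256 signature and X.509 certificate a real deployment uses, and the AuthnRequest XML, relay state and keys are constructed for the example.

```python
import base64
import hashlib
import hmac
import urllib.parse
import zlib

# rsa-sha256 is what a real deployment advertises in SigAlg. sign()/verify()
# below use HMAC-SHA256 as an offline stand-in for RSA (assumption).
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample data: a minimal AuthnRequest plus the sender's current
# signing key and the one it replaced.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_req1" Version="2.0" IssueInstant="2022-11-01T10:00:00Z" '
    'AssertionConsumerServiceURL="https://domino.example.com/names.nsf?SAMLLogin">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://domino.example.com</saml:Issuer></samlp:AuthnRequest>'
)
KEY_CURRENT = b"signing-key-2022"
KEY_LEGACY = b"signing-key-2021"


def sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)


def deflate_b64(xml: str) -> str:
    """Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def inflate_b64(data: str) -> str:
    return zlib.decompress(base64.b64decode(data), -15).decode()


def build_signed_redirect_query(xml: str, relay_state, key: bytes) -> str:
    """Sender side. The signature covers the URL-encoded SAMLRequest,
    RelayState (if present) and SigAlg parameters, in exactly this order."""
    params = [("SAMLRequest", deflate_b64(xml))]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    params.append(("SigAlg", SIG_ALG))
    signed_part = urllib.parse.urlencode(params)
    signature = base64.b64encode(sign(key, signed_part.encode())).decode()
    return signed_part + "&" + urllib.parse.urlencode({"Signature": signature})


def verify_redirect_query(query: str, keys):
    """Receiver side. `keys` is an ordered list of (label, key); the first key
    that verifies wins, mirroring the current-then-legacy certificate fallback.
    Returns the label of the key that verified, or None.

    The signed string is rebuilt from the query as received, not re-encoded:
    a different percent-encoding would silently break verification."""
    raw = {}
    for part in query.split("&"):
        name, _, value = part.partition("=")
        raw[name] = value
    if not {"SAMLRequest", "SigAlg", "Signature"} <= raw.keys():
        return None
    if urllib.parse.unquote_plus(raw["SigAlg"]) != SIG_ALG:
        return None  # refuse any algorithm other than the one we expect
    pieces = ["SAMLRequest=" + raw["SAMLRequest"]]
    if "RelayState" in raw:
        pieces.append("RelayState=" + raw["RelayState"])
    pieces.append("SigAlg=" + raw["SigAlg"])
    data = "&".join(pieces).encode()
    sig = base64.b64decode(urllib.parse.unquote_plus(raw["Signature"]))
    for label, key in keys:
        if verify(key, data, sig):
            return label
    return None


def decode_request(query: str) -> str:
    """Recover the AuthnRequest XML from a redirect query (after verification)."""
    value = query.split("SAMLRequest=", 1)[1].split("&", 1)[0]
    return inflate_b64(urllib.parse.unquote_plus(value))


if __name__ == "__main__":
    trusted = [("current", KEY_CURRENT), ("legacy", KEY_LEGACY)]
    q = build_signed_redirect_query(AUTHN_REQUEST, "state-42", KEY_CURRENT)
    print("verified with:", verify_redirect_query(q, trusted))
    print("tampered:", verify_redirect_query(q.replace("state-42", "state-43"), trusted))
```

A verifier that returns "legacy" for a live IdP is the signal to check whether the IdP has actually finished rotating; once it has, delete the legacy certificate so the fallback no longer widens the trusted set.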

OpenID Connect (OIDC)

Domino 12.0.2 supports two new federated-identity login techniques that leverage signed JSON Web Tokens (JWTs) acquired from OpenID Connect (OIDC) providers.

Single Sign-On (SSO) via the OIDC authorization code flow with PKCE
For information on this feature, see Configuring OIDC-based SSO for web users.
HTTP Bearer authentication using OIDC
See Configuring HTTP Bearer authentication using an OIDC provider.
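The following Python sketch is an added example, not Domino code and not from the HCL documentation, covering the two mechanisms named above. For the authorization code flow it shows both sides of PKCE (RFC 7636): the client derives an S256 code_challenge from a random code_verifier and sends only the challenge with the authorization request, and the authorization server later checks the verifier presented at the token endpoint, so a stolen authorization code alone cannot be redeemed. For HTTP Bearer authentication it validates a compact JWT: signature first, with the algorithm pinned rather than read from the token, then iss, aud, exp and nbf. HS256 with a shared secret stands in for the RS256/ES256 keys a real provider publishes at its jwks_uri so the example runs offline; the issuer, client id, key id and claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed values for the demo. A real deployment takes the issuer and the
# signing keys from the provider's discovery document and jwks_uri.
ISSUER = "https://idp.example.com"
CLIENT_ID = "domino-web"
PROVIDER_KEYS = {"2022-11": b"provider-signing-secret"}  # kid -> key (HS256 stand-in)
EXPECTED_ALG = "HS256"  # assumption: a real provider would be pinned to RS256 or ES256


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- Authorization code flow with PKCE (RFC 7636) ---------------------------

def make_pkce_pair():
    """Client side: a high-entropy code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within the 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


def pkce_verifier_matches(verifier: str, challenge: str, method: str = "S256") -> bool:
    """Authorization server side: recompute the challenge from the presented
    verifier. Only S256 is accepted; with 'plain' the challenge itself would
    be enough to redeem the code."""
    if method != "S256" or not 43 <= len(verifier) <= 128:
        return False
    expected = b64url(hashlib.sha256(verifier.encode()).digest())
    return hmac.compare_digest(expected, challenge)


# --- Bearer token validation -----------------------------------------------

def mint_jwt(claims: dict, key: bytes, kid: str) -> str:
    """Provider side (demo only): sign a compact JWT with HS256."""
    header = b64url(json.dumps({"alg": EXPECTED_ALG, "typ": "JWT", "kid": kid}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def validate_bearer_jwt(token: str, issuer: str, audience: str, keys: dict,
                        now: float = None, leeway: int = 30) -> dict:
    """Resource side: verify the signature, then iss, aud, exp and nbf.
    Raises ValueError with a reason; returns the claims on success."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm to what the key is for; never let the token choose.
    # This is what rejects 'alg: none' and key-type confusion.
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError("unexpected alg")
    key = keys.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or now > claims["exp"] + leeway:
        raise ValueError("expired or missing exp")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise ValueError("not yet valid")
    return claims


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print("PKCE verifier accepted:", pkce_verifier_matches(verifier, challenge))
    t0 = 1667296800  # 2022-11-01T10:00:00Z, constructed
    token = mint_jwt({"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice",
                      "iat": t0, "exp": t0 + 600}, PROVIDER_KEYS["2022-11"], "2022-11")
    print("subject:", validate_bearer_jwt(token, ISSUER, CLIENT_ID, PROVIDER_KEYS, now=t0 + 60)["sub"])
```

The order of checks matters: the signature is verified before any claim is read, so an attacker cannot steer the verifier with unauthenticated header or payload content, and the audience check is what stops a token minted for another application at the same provider from being accepted here.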

CertMgr updates

  • CertMgr is now also available on AIX, so AIX servers can request and manage TLS certificates.
  • CertMgr client mode creates the certstore.nsf replica automatically and can optionally replicate it.
  • The Internet CA root certificates in the Domino directory and in Certificate Store have been updated to include additional fields. For details, see Internet CA root certificates updated.
  • CertMgr can validate the TLS certificate presented by the target URL endpoints specified in the TLS Credentials document. The check detects certificate expiration and notifies the administrator when the certificate has expired. For more information, see Certificate URL health check.
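The following Python script is an added illustration of what a certificate URL health check does; it is not CertMgr's implementation and not from the HCL documentation. It connects to each URL's host with normal certificate and hostname verification, reads the leaf certificate's notAfter field and classifies it as ok, expiring or expired. The edge case worth knowing: an already expired (or otherwise untrusted) certificate fails the TLS handshake, and Python's ssl.getpeercert() returns no fields for an unverified peer, so that case is reported from the verification error rather than from the date. The 30-day warning threshold is an assumption for the example.

```python
import socket
import ssl
import time
import urllib.parse

WARN_DAYS = 30  # assumption for this example: warn when fewer than 30 days remain
DAY = 86400


def expiry_status(not_after: str, now_ts: float, warn_days: int = WARN_DAYS):
    """Classify a certificate from the notAfter string that ssl.getpeercert()
    returns, e.g. 'Jan  5 09:34:43 2018 GMT', against a Unix timestamp.
    Returns (status, whole_days_left); days_left is negative once expired."""
    expires_ts = ssl.cert_time_to_seconds(not_after)
    days_left = int((expires_ts - now_ts) // DAY)
    if days_left < 0:
        return "expired", days_left
    if days_left < warn_days:
        return "expiring", days_left
    return "ok", days_left


def check_endpoint(url: str, timeout: float = 5.0, now_ts: float = None):
    """Open a verified TLS connection to the URL's host and classify the
    server certificate's expiry. Returns (status, detail) where detail is
    the days left, the verification error, or the connection error."""
    parts = urllib.parse.urlsplit(url)
    host, port = parts.hostname, parts.port or 443
    now_ts = time.time() if now_ts is None else now_ts
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as err:
        # Expired certificates land here: e.g. 'certificate has expired'
        return "untrusted", err.verify_message
    except (OSError, ssl.SSLError) as err:
        return "unreachable", str(err)
    return expiry_status(cert["notAfter"], now_ts)


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        status, detail = check_endpoint(target)
        print(f"{target}: {status} ({detail})")
```

Run it as `python3 check_tls.py https://mail.example.com/` against the endpoints listed in your TLS Credentials documents; a status of "expiring" is the one to alert on, since "untrusted" with "certificate has expired" means users are already being turned away.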

New version of OpenSSL

HCL Domino has upgraded from OpenSSL 1.1.1a to OpenSSL 3.0.5 on the Windows, Linux, and AIX platforms.

The OpenSSL 3.0 FIPS provider's FIPS 140-2 validation certificate has been issued. For more information see this article on the OpenSSL Blog site.

The Windows, Linux, and AIX platforms use the FIPS provider for FIPS 140-2 approved algorithms such as SHA-1, SHA-2, 3DES, AES, RSA with keys of 2048 bits or more, ECDSA, ECDHE, and EdDSA. FIPS approval does not make every listed algorithm a sound default: NIST SP 800-131A limits SHA-1 and 3DES to legacy use (SHA-1 is not approved for generating new digital signatures, and 3DES is not approved for encrypting new data), so prefer SHA-2 and AES wherever the configuration is yours to choose.

Administration tool updates

Administration Quick
AdminQ expedites the processing of Administration Process (AdminP) requests that affect the user IDs of web users, for example, HCL Verse users. With AdminQ, web users are not required to authenticate with an HCL Notes client to complete the processing of these requests.
The following enhancements are added in Domino 12.0.2:
  • AdminQ runs automatically on domain administration servers and vault administration servers.
  • User rename requests no longer require the ID vault to be on the domain administration server.
  • User recertify requests are now supported.
  • User public key rollover requests are now supported.
For more information, see Using AdminQ to process web user requests.
Domino Console command to create MicroCA certificates for existing servers
For existing servers, a Domino Console command generates MicroCA certificates, replacing the former process of using self-signed certificates to establish the initial SSL/TLS connection between the Server Controller and the Java-based Domino Console. For details, see Using Domino Console to create MicroCA certificates for existing servers.

Database encryption improvements

The new default selection for database encryption is 128-bit AES; previously it was Strong Encryption. 256-bit AES encryption is now also available when setting database encryption from any of these menu paths:
  • File > Replication > New Replica
  • File > Application > New Copy
  • File > Preferences > Replication and Sync > Default
  • File > Security > User Security > Notes Data > Notes Databases
  • File > Application > Properties > Encryption Settings