Security features

Domino 12.0.2 provides the following features and enhancements related to security.

Security Assertion Markup Language (SAML)

SAML federated login changes
The default format for signed AuthnRequests sent from the Domino Service Provider to the Identity Provider has been changed from Post Binding to Redirect Binding.
To revert to using Post Binding as the default format, use the notes.ini setting SAML_REDIRECT_BINDING_SIGN=0.
For more information, see Using Security Assertion Markup Language (SAML) to configure federated-identity authentication
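The two bindings differ in where the AuthnRequest travels and what the signature covers: with Post Binding the XML is carried in a form field and signed inside the document (XML-DSig), whereas with Redirect Binding the XML is DEFLATE-compressed, base64-encoded and URL-encoded into the SAMLRequest query parameter, and a detached signature over the raw SAMLRequest, RelayState and SigAlg query bytes is appended as a Signature parameter. The following added example (not HCL code, and not taken from this page) encodes a constructed AuthnRequest as a Redirect Binding URL and then decodes it the way a verifier or an administrator reading a web server log would; the issuer, destination and ID values are placeholders, and the demo_sign function is a stand-in for the service provider's RSA-SHA256 signature so that the code runs offline.

```python
import base64
import hashlib
import zlib
from typing import Callable, Optional
from urllib.parse import unquote_plus, urlencode, urlsplit

# Constructed sample AuthnRequest: the ID, issuer and destination are placeholders,
# not values from any Domino deployment.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-0001" '
    'Version="2.0" IssueInstant="2023-01-01T00:00:00Z" '
    'Destination="https://idp.example.test/sso">'
    '<saml:Issuer>https://domino.example.test/</saml:Issuer>'
    '</samlp:AuthnRequest>'
)
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def deflate_encode(xml: str) -> str:
    """Redirect Binding payload encoding: raw DEFLATE (wbits=-15, no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode("utf-8")) + comp.flush()).decode("ascii")


def deflate_decode(value: str) -> str:
    """Inverse of deflate_encode: base64, then raw inflate."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def signed_query_string(saml_request: str, relay_state: Optional[str], sig_alg: str) -> str:
    """The octets the Redirect Binding signature covers: SAMLRequest, then RelayState
    (only if present), then SigAlg, each URL-encoded and joined with '&' in that order."""
    parts = [("SAMLRequest", saml_request)]
    if relay_state is not None:
        parts.append(("RelayState", relay_state))
    parts.append(("SigAlg", sig_alg))
    return urlencode(parts)


def build_redirect_url(sso_url: str, xml: str, relay_state: Optional[str],
                       sign: Callable[[bytes], bytes]) -> str:
    """Assemble the redirect target. `sign` stands in for the SP's private-key signature
    (RSA-SHA256 in production); its output is base64-encoded and appended as Signature."""
    to_sign = signed_query_string(deflate_encode(xml), relay_state, RSA_SHA256)
    signature = base64.b64encode(sign(to_sign.encode("ascii"))).decode("ascii")
    return f"{sso_url}?{to_sign}&{urlencode({'Signature': signature})}"


def inspect_redirect_url(url: str) -> dict:
    """Verifier-side view. The signed data is taken from the raw query string exactly as
    received: re-encoding the decoded values could change the bytes and break verification."""
    raw = {}
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        raw[key] = value
    signed = "&".join(f"{k}={raw[k]}" for k in ("SAMLRequest", "RelayState", "SigAlg") if k in raw)
    decoded = {k: unquote_plus(v) for k, v in raw.items()}
    return {
        "xml": deflate_decode(decoded["SAMLRequest"]),
        "relay_state": decoded.get("RelayState"),
        "sig_alg": decoded.get("SigAlg"),
        "signed_data": signed,
        "signature": base64.b64decode(decoded["Signature"]) if "Signature" in decoded else None,
    }


def demo_sign(data: bytes) -> bytes:
    """Stand-in so the example runs offline. A bare digest is NOT a signature; a real SP
    signs with its private key and the IdP verifies with the SP's public key."""
    return hashlib.sha256(data).digest()


if __name__ == "__main__":
    url = build_redirect_url("https://idp.example.test/sso", SAMPLE_AUTHN_REQUEST,
                             "/mail/user.nsf", demo_sign)
    info = inspect_redirect_url(url)
    print(info["sig_alg"], info["relay_state"])
    print(info["xml"])
```

The ordering rule in signed_query_string is the part that most often breaks interoperability: a verifier must rebuild the signed string from the raw parameter values in the fixed SAMLRequest, RelayState, SigAlg order, not from whatever order the parameters happened to arrive in.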
Archival of legacy signing certificates
Support for legacy IDP signing certificates is added to the Domino Service Provider relying trust with the Identity Provider in the IdP catalog database.

When Domino imports a new IdP xml metadata file into an existing IdP catalog document, the new signing certificate is stored, and the previous signing certificate (if present) is saved off as an IdP Legacy Certificate.

IdP Legacy Certificates can be examined and removed from the Certificate Management tab, using the Examine Legacy Certificates button.

Legacy signing certificates will be used to verify SAML Response and Assertion signatures if the current IdP signing certificate fails verification.

For related information, see Creating a Web server IdP configuration document.

Security enhancements to cookies involving SAML

Starting with Domino 12.0.2, a samesite=strict setting has been added to the domrelaystate cookie as a default.

If the Domino server is multi-homed or has multiple DNS aliases, the HTTP client may fail to recognize that the site it is posting back to is the same site, so the user lands on the server's default home page instead of the URL that was requested.

To disable this feature, use the notes.ini setting DOMINO_RELAY_COOKIE_SAMESITE=0. For more details, see After authenticating with SAML, the user is not returned to originating URL.

An additional security enhancement in Domino sets the Secure attribute on the cookies that are set during SAML authentication, if the service provider ID URL uses HTTPS. If the URL is not protected by HTTPS, browsers will not send authentication-related cookies to the server. Unsecured HTTP should be disabled in order for the cookies to be transmitted securely. This feature cannot be disabled. For more information, see Switching between HTTP and HTTPS protocols on SAML enabled Domino server returns user to wrong URL.
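Both enhancements rely on browser cookie rules rather than on anything Domino checks itself: a cookie with the Secure attribute is never sent over plain http, and a SameSite=Strict cookie is withheld whenever the request is cross-site. The added example below (not HCL code; the Set-Cookie line is constructed to illustrate the attributes the text names, not copied from a Domino response) parses a Set-Cookie header and applies a deliberately simplified model of those rules to the three situations described above: the post-back reaching the same https alias, a different DNS alias, and the same alias over plain http. The site_for_cookies_url parameter stands in for the browser's "site for cookies" and is approximated here by the URL where the login began, and the registrable domain is approximated as the last two host labels instead of the Public Suffix List real browsers use.

```python
from urllib.parse import urlsplit

# Constructed Set-Cookie value showing the attributes discussed above; the cookie value
# and path are placeholders, not what a Domino server emits.
RELAY_COOKIE = "domrelaystate=encoded-relay-state; Path=/; Secure; HttpOnly; SameSite=Strict"


def parse_set_cookie(header: str) -> dict:
    """Parse a Set-Cookie header value into its name, value and the attributes we model.
    A missing or invalid SameSite value is treated as Lax, which is the common browser default."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    cookie = {"name": name.strip(), "value": value, "secure": False,
              "httponly": False, "samesite": "lax", "domain": None}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "samesite":
            cookie["samesite"] = val if val in ("strict", "lax", "none") else "lax"
        elif key == "domain":
            cookie["domain"] = val.lstrip(".")
    return cookie


def site_of(url: str) -> tuple:
    """Simplified 'site' = (scheme, registrable domain). Real browsers consult the Public
    Suffix List; using the last two labels is an assumption made for this example."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").lower().split(".")
    return (parts.scheme.lower(), ".".join(labels[-2:]))


def cookie_in_scope(cookie: dict, set_by_url: str, request_url: str) -> bool:
    """Domain matching: a host-only cookie returns only to the exact host that set it;
    a cookie with a Domain attribute returns to that domain and its subdomains."""
    req_host = (urlsplit(request_url).hostname or "").lower()
    if cookie["domain"] is None:
        return req_host == (urlsplit(set_by_url).hostname or "").lower()
    return req_host == cookie["domain"] or req_host.endswith("." + cookie["domain"])


def browser_would_send(cookie: dict, set_by_url: str, request_url: str,
                       site_for_cookies_url: str, method: str = "POST",
                       top_level: bool = True) -> tuple:
    """Return (sent, reason) under the simplified model described in the lead-in."""
    if not cookie_in_scope(cookie, set_by_url, request_url):
        return False, "request host is outside the cookie's domain scope"
    if cookie["secure"] and urlsplit(request_url).scheme.lower() != "https":
        return False, "Secure cookie is not sent over plain http"
    same_site = site_of(request_url) == site_of(site_for_cookies_url)
    if cookie["samesite"] == "strict" and not same_site:
        return False, "SameSite=Strict cookie withheld on a cross-site request"
    if cookie["samesite"] == "lax" and not same_site and not (top_level and method in ("GET", "HEAD")):
        return False, "SameSite=Lax cookie withheld: cross-site and not a safe top-level navigation"
    if cookie["samesite"] == "none" and not cookie["secure"]:
        return False, "SameSite=None without Secure is rejected by modern browsers"
    return True, "sent"


def relay_state_scenarios() -> dict:
    """The three post-back situations from the text, evaluated against the relay cookie."""
    cookie = parse_set_cookie(RELAY_COOKIE)
    origin = "https://mail.example.com/mail/user.nsf"  # constructed: where the login began
    cases = {
        "same alias, https": "https://mail.example.com/names.nsf?SAMLLogin",
        "other DNS alias": "https://domino.example.org/names.nsf?SAMLLogin",
        "same alias, plain http": "http://mail.example.com/names.nsf?SAMLLogin",
    }
    return {label: browser_would_send(cookie, origin, url, origin) for label, url in cases.items()}


if __name__ == "__main__":
    for label, (sent, reason) in relay_state_scenarios().items():
        print(f"{label:24s} sent={sent} ({reason})")
```

Only the first scenario delivers the domrelaystate cookie; in the other two Domino never sees the stored relay state, which is exactly the "default home page instead of the requested URL" symptom the text describes. Setting DOMINO_RELAY_COOKIE_SAMESITE=0 removes the SameSite=Strict check from this model, but not the Secure check, which the text says cannot be disabled.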

OpenID Connect (OIDC)

Domino 12.0.2 supports two new federated-identity login techniques that leverage signed JSON Web Tokens (JWTs) acquired from OpenID Connect (OIDC) providers.

Single Sign-On (SSO) via the OIDC authorization code flow with PKCE
For information on this feature, see Configuring OIDC-based SSO for web users.
HTTP Bearer authentication using OIDC
See Configuring HTTP Bearer authentication using an OIDC provider.
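Both techniques end with Domino consuming a JWT signed by the OIDC provider; what distinguishes the SSO variant is the PKCE step (RFC 7636), in which the relying party keeps a random code_verifier, sends only its SHA-256 code_challenge with the authorization request, and presents the verifier when exchanging the returned code for tokens, so a stolen authorization code alone is useless. The added example below is not HCL code and does not describe Domino's internal implementation; it shows the generic PKCE S256 flow from both sides, plus the claim checks (iss, aud, exp, nonce) that apply to an ID token or bearer token after its signature has been verified against the provider's JWKS. Signature verification itself needs a JOSE library and is deliberately left out; the client ID, redirect URI and issuer strings are placeholders.

```python
import base64
import hashlib
import hmac
import re
import secrets
from typing import Optional

# RFC 7636 section 4.1: unreserved characters only, 43 to 128 of them.
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url(data: bytes) -> str:
    """base64url without padding, as JOSE and PKCE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """32 random bytes encode to 43 characters, the RFC minimum length."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_request(client_id: str, redirect_uri: str, verifier: str) -> dict:
    """Query parameters the relying party sends to the provider's authorization endpoint.
    state binds the callback to this browser session; nonce is echoed back in the ID token."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": b64url(secrets.token_bytes(16)),
        "nonce": b64url(secrets.token_bytes(16)),
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }


def provider_verifies_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """The check the provider performs at the token endpoint (RFC 7636 section 4.6):
    recompute the challenge from the presented verifier and compare in constant time."""
    if stored_method != "S256" or not VERIFIER_RE.match(presented_verifier):
        return False
    return hmac.compare_digest(code_challenge(presented_verifier), stored_challenge)


def validate_id_token_claims(claims: dict, issuer: str, client_id: str,
                             expected_nonce: Optional[str], now: int) -> list:
    """Claim checks to run AFTER the JWT signature has been verified. Returns a list of
    problems; an empty list means the claims are acceptable."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        problems.append("aud does not contain client_id")
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        problems.append("multiple audiences but azp is not client_id")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("token expired or exp missing")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")
    return problems


if __name__ == "__main__":
    verifier = new_code_verifier()
    req = authorization_request("client-id-placeholder", "https://domino.example.test/callback", verifier)
    print("challenge:", req["code_challenge"])
    print("provider accepts verifier:", provider_verifies_pkce(req["code_challenge"], "S256", verifier))
    print("provider accepts other verifier:", provider_verifies_pkce(req["code_challenge"], "S256", new_code_verifier()))
```

The relying party must store the verifier, state and nonce server-side (or in a protected session) between the two legs of the flow; the provider stores only the challenge and method alongside the issued code.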

CertMgr updates

  • CertMgr is now also available on AIX, where it can request and manage TLS certificates.
  • CertMgr supports a client mode that creates the certstore.nsf replica automatically and optionally replicates it.
  • The Internet CA root certificates in the Domino directory and in Certificate Store have been updated to include additional fields. For details, see Internet CA root certificates updated.
  • CertMgr supports validation of a TLS certificate on target URL endpoints specified in the TLS Credentials document. This validation checks for certificate expiration and notifies the administrator if the certificate has expired. For more information, see Certificate URL health check.
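The URL health check described in the last item is a TLS handshake against each configured endpoint followed by a look at the leaf certificate's validity dates. The added example below is not CertMgr's code and makes no claim about how Domino implements the check; it shows the same idea using only the Python standard library: fetch_peer_cert performs a verified handshake and returns the certificate in the dict shape ssl.SSLSocket.getpeercert() produces, certificate_status classifies it, and health_report flags the endpoints an administrator should hear about. The 30-day warning window is an assumption (the page states no threshold), and the offline demo feeds health_report constructed certificate dicts with a fixed clock instead of live connections.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Callable, Iterable

WARN_DAYS = 30  # assumed warning window; the page does not state CertMgr's threshold


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live fetch: complete a verified TLS handshake and return the leaf certificate in
    getpeercert() dict form. Not called by the offline demo below."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _utc(cert_time: str) -> datetime:
    """Parse the 'Jun 15 12:00:00 2025 GMT' form getpeercert() uses."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def certificate_status(cert: dict, now: datetime = None, warn_days: int = WARN_DAYS) -> dict:
    """Classify a certificate as ok, expiring-soon, expired or not-yet-valid."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    remaining = (not_after - now).days  # negative once expired
    if now < not_before:
        state = "not-yet-valid"
    elif now >= not_after:
        state = "expired"
    elif remaining < warn_days:
        state = "expiring-soon"
    else:
        state = "ok"
    return {
        "state": state,
        "days_remaining": remaining,
        "not_after": not_after.isoformat(),
        "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
    }


def health_report(endpoints: Iterable[str], fetch: Callable[[str], dict] = fetch_peer_cert,
                  now: datetime = None) -> list:
    """One entry per endpoint; 'alert' is True whenever an administrator should be notified,
    including when the handshake or certificate parsing fails."""
    report = []
    for host in endpoints:
        try:
            status = certificate_status(fetch(host), now)
            status["alert"] = status["state"] != "ok"
        except (OSError, KeyError, ValueError) as exc:  # ssl.SSLError is an OSError
            status = {"state": "error", "detail": str(exc), "alert": True}
        status["host"] = host
        report.append(status)
    return report


# Constructed certificate dicts in getpeercert() shape (only the fields this check reads);
# the host names are placeholders.
SAMPLE_CERTS = {
    "mail.example.test": {"notBefore": "Mar 15 00:00:00 2025 GMT", "notAfter": "Jun 15 12:00:00 2025 GMT",
                          "subjectAltName": (("DNS", "mail.example.test"),)},
    "www.example.test": {"notBefore": "Jan 01 00:00:00 2025 GMT", "notAfter": "Dec 31 23:59:59 2025 GMT",
                         "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test"))},
    "old.example.test": {"notBefore": "May 01 00:00:00 2024 GMT", "notAfter": "May 01 00:00:00 2025 GMT",
                         "subjectAltName": (("DNS", "old.example.test"),)},
}
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock for the offline demo


def sample_report() -> list:
    """Run the health check over the constructed certificates instead of live endpoints."""
    return health_report(SAMPLE_CERTS, fetch=SAMPLE_CERTS.__getitem__, now=SAMPLE_NOW)


if __name__ == "__main__":
    for entry in sample_report():
        print(f"{entry['host']:20s} {entry['state']:14s} alert={entry['alert']}")
```

Because the handshake uses a verifying context, an endpoint whose certificate chain does not validate or whose name does not match shows up as an error entry with alert set, which is usually the more urgent finding than an approaching expiry date.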

New version of OpenSSL

HCL Domino has upgraded from OpenSSL 1.1.1a to OpenSSL 3.0.5 on the Windows, Linux, and AIX platforms.

The OpenSSL 3.0 FIPS provider's FIPS 140-2 validation certificate has been issued. For more information see this article on the OpenSSL Blog site.

The Windows, Linux, and AIX platforms will use the FIPS provider for FIPS 140-2 approved algorithms such as SHA-1, SHA-2, 3DES, AES, 2048+ bit RSA, ECDSA, ECDHE, and EdDSA.

Support for SELinux

SELinux in Enforcing and Targeted mode has been tested and is now supported for Domino installations. (No policies were applied to Domino.)

Administration tool updates

Administration Quick
AdminQ expedites the processing of Administration Process (AdminP) requests that affect the user IDs of web users, for example, HCL Verse users. With AdminQ, web users are not required to authenticate with an HCL Notes client to complete the processing of these requests.
The following enhancements are added in Domino 12.0.2:
  • AdminQ runs automatically on domain administration servers and vault administration servers.
  • User rename requests no longer require the ID vault to be on the domain administration server.
  • User recertify requests are now supported.
  • User public key rollover requests are now supported.
For more information, see Using AdminQ to process web user requests.
Domino Console command to create MicroCA certificates for existing servers
For existing servers, a Domino Console command generates microCA certificates to replace the former process of using self-signed certificates to establish the initial SSL/TLS connection for the Server Controller and Java-based Domino Console. For details, see Using Domino Console to create MicroCA certificates for existing servers.

Database encryption improvements

The new default selection for database encryption is 128-bit AES. Previously it was Strong Encryption. 256-bit AES encryption is now an available option when setting database encryption from any of these menu paths:
  • File > Replication > New Replica
  • File > Application > New Copy
  • File > Preferences > Replication and Sync > Default
  • File > Security > User Security > Notes Data > Notes Databases
  • File > Application > Properties > Encryption Settings