Creating a DOLS Offline Security Policy document

Use Offline Security Policy documents to set different ID policies for users in different domains. For example, you can generate IDs automatically for users inside the company, but require users in a domain outside the company to provide IDs you have given them.

To create an Offline Security Policy Document, do the following:

  1. Open IBM® Domino® Administrator.
  2. Click the Configuration tab.
  3. Click Offline Services.
  4. Click Security.
  5. Click New Security Policy.
  6. Fill out the following fields in the Basics tab:
    Table 1. Basics tab fields



    Security domain

    Enter the domain that this policy affects. For example, /US/Company or /Company. Make sure to include the leading slash. All users in this domain are subject to the deployment policy you set in this document.

    The domain specified in this field includes users one level down from the root. For example, Cambridge/Renovations includes users in these two domains:

    Prompt for ID during download

    Before the subscription installs, users are asked to specify where on their computer their user ID is stored. The administrator must provide an ID to the user. This is the default ID deployment policy.

    Automatically generate user IDs

    Before installation, a certifier ID is generated for the user automatically.

    The Automatic tab appears when this option is selected. Click this tab and attach the certifier ID to be generated, set the password, and set the ID expiration date.

    It is recommended that you do not attach the absolute root certifier for your organization (for example, /Renovations). Instead, you should automatically generate a user ID against a subcertifier (for example, /NewUsers/Renovations). You may also want to generate the user ID in a new domain.

    Use the Domino® Directory for ID lookup

    Before installation, the server looks for an existing user ID in the Domino® Directory.

    The Lookup tab appears when this option is selected. Enter the relative path for the Domino® Directory that contains the IDs.

    Roaming User

    Select Override security policy for roaming users to set the Domino® server to behave appropriately with "Roaming users" who access the subscription. The server will recognize the user as a Roaming user, ignore the current security policy, and find the user's ID on the user's home server.

    ID Management

    Select Overwrite existing user IDs to have user's offline ID overwritten with a new ID each time they install a subscription.

    CAUTION: This setting should not be turned on in an enterprise that uses encrypted subscriptions. Users whose IDs are overwritten will not be able to open an offline subscription encrypted with a key from the previous ID.
  7. If you selected Automatically generate user IDs, fill out the following fields in the Automatic tab:
    Table 2. Automatic tab fields



    Certifier ID to use

    Attach a certifier ID to this rich text field. The certifier ID must support the Security domain field specified in the Security domain field.

    For example, if the Security domain is /A/B/C, then any of the following would be acceptable certifiers:

    The certifier ID file attached here must share the same root certifier as the server's ID for DOLS. If they do not share the same root certifier, the user may receive replication errors about a lack of cross-certifiers.

    Password for certifier ID

    Enter the password for the certifier ID. The password, which is case-sensitive, must be correct or the user will not be able to install.

    Make sure you protect stored passwords by appropriately restricting the ACL of this database (doladmin.nsf).

    Expiration date to set on created user IDs

    Select or enter an expiration date for the ID. For example, 03/31/2014.

  8. If you selected Use NAB for ID lookup, fill out the following fields in the Lookup tab:
    Table 3. Lookup tab field



    Address book to look up ID files from

    Enter the database filename, with relative path, of the directory where your server's user IDs reside. The target database must have standard Domino® Directory views and documents, with ID files attached to each person document.