ID vault trust

User IDs can be stored in an ID vault only if a parent certifier of the IDs has been used to issue a Vault Trust Certificate to the vault. A Vault Trust Certificate is a special-purpose cross-certificate establishing that an organizational or organizational unit certifier trusts an ID vault to store the user IDs that are descended from the certifier.

You create Vault Trust Certificates in the Configuration > Security > Certificates view of the Domino® Directory using the ID Vaults > Create or ID Vaults > Manage tool.

If users in your environment are certified within different organizations or organizational units, you will need to decide how to implement vault trust. For example, if you have an organizational certifier and multiple organizational unit certifiers subordinate to it, decide which one or ones should issue Vault Trust Certificates.

For example, assume the Renovations company uses the organization certifier /Renovations and three organizational unit certifiers: /Dallas/Renovations, /NewYork/Renovations, and /Shanghai/Renovations. All the users are registered in one Domino® Domain and will use the same vault, so the /Renovations certifier could issue a single Vault Trust Certificate that covers every ID. However, suppose /Renovations does not want the IDs of /Shanghai/Renovations users stored in this vault because those users are registered in a different Domino® Domain and will use a different vault. In that case, the /Dallas/Renovations and /NewYork/Renovations certifiers, rather than the /Renovations certifier, could each issue a Vault Trust Certificate, which keeps IDs certified under /Shanghai/Renovations (and IDs certified directly under /Renovations) out of the vault.
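The following is an added model of the eligibility rule in the Renovations scenario, not code from the Domino product or its documentation: it treats an ID as descended from a certifier when the certifier's hierarchical name is a suffix of the ID's name, and compares the two trust layouts described above. The user names and the helper functions are constructed for illustration.

```python
# Added example (not from the Domino documentation): a small model of the
# Vault Trust Certificate rule. A user ID is eligible for a vault only if
# some certifier that issued a Vault Trust Certificate to that vault is an
# ancestor of the ID, i.e. the certifier's hierarchical name is a suffix of
# the user's name. Names are abbreviated Domino-style hierarchical names
# (Common Name/OU.../O); all data below is constructed for illustration.

def name_components(name: str) -> list[str]:
    """Split '/Dallas/Renovations' or 'Jane Doe/Dallas/Renovations' into
    components, ignoring a leading slash and any 'CN=' style prefixes."""
    parts = [p.strip() for p in name.strip("/").split("/") if p.strip()]
    # Tolerate canonical form such as 'CN=Jane Doe/OU=Dallas/O=Renovations'.
    return [p.split("=", 1)[1] if "=" in p else p for p in parts]

def is_descended_from(user_name: str, certifier: str) -> bool:
    """True if the certifier is an ancestor of the user ID (suffix match)."""
    user = name_components(user_name)
    cert = name_components(certifier)
    return len(user) > len(cert) and user[-len(cert):] == cert

def vault_allows(user_name: str, trusting_certifiers: list[str]) -> bool:
    """A vault holding Vault Trust Certificates from these certifiers may
    store the user ID only if at least one of them is an ancestor."""
    return any(is_descended_from(user_name, c) for c in trusting_certifiers)

# Constructed example users, mirroring the Renovations scenario.
USERS = [
    "Jane Doe/Dallas/Renovations",
    "Wei Chen/Shanghai/Renovations",
    "Pat Admin/Renovations",              # certified directly under the O certifier
    "Ann Lee/Sales/NewYork/Renovations",  # nested OU below /NewYork/Renovations
]

# Layout 1: one certificate issued by the organization certifier.
TRUST_ORG = ["/Renovations"]
# Layout 2: certificates issued only by the Dallas and New York OU certifiers.
TRUST_OUS = ["/Dallas/Renovations", "/NewYork/Renovations"]

def eligible_users(trusting_certifiers: list[str]) -> list[str]:
    """Users the vault may store under the given set of trusting certifiers."""
    return [u for u in USERS if vault_allows(u, trusting_certifiers)]

if __name__ == "__main__":
    print("Trust from /Renovations:", eligible_users(TRUST_ORG))
    print("Trust from OUs only:    ", eligible_users(TRUST_OUS))
```

Eligibility is only the first gate: whether an eligible ID is actually uploaded is still decided by policy configuration.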

Note: Vault Trust Certificates determine which IDs are allowed in a vault; policy configuration determines which IDs are actually stored there.