Enabling Smartcards for Notes® login

Smartcards resemble credit cards, but instead of containing a magnetic strip they contain a microprocessor and memory. You can use a Smartcard with your User ID to log in to IBM® Notes®, provided you have a Smartcard reader installed on your computer. Once your User ID is enabled for Smartcard login, you are prompted for your Smartcard Personal Identification Number (PIN) in place of your Notes® password.

About this task

The advantage of using a Smartcard with Notes® is that you use a Smartcard to lock your User ID. Without a Smartcard, you only need your User ID and your Notes® password to access Notes®. When using a Smartcard, you need your User ID, your Smartcard, and your Smartcard PIN to access Notes®. Also, because you carry your Smartcard with you (just as you would carry a credit card with you), you are much less vulnerable to User ID theft.

Note: The term Smartcard includes cryptographic tokens. These are hardware devices that usually plug into a USB port, and have the same function as Smartcards.

For a list of supported Smartcard packages, see the Domino® Support site.

Two ways to enable Smartcard login

About this task

There are two ways to enable Smartcard login. The preferred way secures the ID file using a private key from a personal Internet certificate stored on the Smartcard. Because this method supports the use of a Smartcard on which the Internet certificate and keys are preloaded, it does not require changes to the Smartcard, and so allows the use of read-only Smartcards. It also enables users to easily secure multiple copies of their ID files with a Smartcard. The second way secures the ID file using a secret that is added to the Smartcard. This method does not offer the advantages of the preferred method, but is supported for compatibility with Domino® release 6.

CAUTION: Do not enable Smartcard login without notifying your administrator first. Your administrator must verify that your person record does not have password expiration enabled before you can start using a Smartcard-enabled User ID.

If you synchronize your Microsoft Windows password with your Notes® password, or if you synchronize your Notes® password with your IBM® Domino® Web/Internet password, you need to disable the synchronization before enabling Smartcard login with Notes®.

CAUTION: Before using a Smartcard, you must work with your administrator to ensure your User ID is recoverable. For more information on recovering your User ID, see Recovering your User ID. If you run Notes® from more than one computer, you must disable password checking before you enable use of a Smartcard.

Enabling Smartcard login by securing the ID file with an Internet certificate key (preferred)

About this task

Note: This procedure assumes that the Internet certificate that you will use to secure the ID file is stored on the Smartcard. If it is stored in the ID file instead, before performing this procedure you must a) enable Smartcard login by securing the ID file with a secret, and b) move the Internet keys to the Smartcard.

Procedure

  1. Make sure a Smartcard reader is installed on your computer and your administrator has set up recovery information for your User ID.
  2. Insert your Smartcard in the Smartcard reader.
  3. If the Internet certificate and keys you will use to secure your Smartcard have not been stored on your Smartcard, import the Internet certificate to your Smartcard, following your Smartcard vendor's directions.
  4. From the menu, choose File > Security > User Security.
  5. Click Your Identity > Your Smartcard.
  6. In the Smartcard Configuration dialog, in the Smartcard driver file field, enter the full path (directory and file name) of the PKCS #11 Smartcard driver file, or click the folder button to browse for it. (This file was added when you installed your Smartcard reader.) For example, C:\Schlumberger\Smart Cards and Terminals\Common Files\SLBCK.DLL.
    Tip: Below the Smartcard driver file field, Notes® suggests places on your computer where you might find your Smartcard driver file.
  7. Click Continue.
  8. Click Your Identity > Your Certificates.
  9. Select Your Internet Certificates and select the certificate to use to secure the ID file.
  10. Click Other Actions > Lock ID File with Key on Smartcard.
  11. When prompted for each, enter your Notes® password and your Smartcard PIN. Once you are prompted that Smartcard Login is enabled, you must use your Smartcard PIN the next time you login to Notes® and thereafter.
  12. When prompted, and if supported by your Smartcard, enter a descriptive name for your Smartcard in the Smartcard Login Label field under Your Smartcard configuration. For example: Jason's Smartcard.

Results

Note: Make sure to take your Smartcard with you whenever you leave your workstation. If you are using a PKCS#11 Version 2.01 or higher Smartcard driver set, removing your Smartcard from the Smartcard reader locks the Notes® display until the Smartcard is put back into the Smartcard reader and you enter the correct PIN.
Note: If you have additional copies of your User ID, repeat these steps to Smartcard-enable each copy. Or, if you run Notes® from only one computer at a time, copy the ID that you Smartcard-enabled in this procedure to each computer as you use it.

Enabling Smartcard login by securing the ID file with a secret stored on the Smartcard

About this task

Use this method to enable Smartcard login only if you cannot use the preferred method described earlier in the topic.

Procedure

  1. Make sure a Smartcard reader is installed on your computer and your administrator has set up recovery information for your User ID.
  2. Insert your Smartcard in the Smartcard reader.
  3. From the menu, choose File > Security > User Security.
  4. Click Your Identity > Your Smartcard.
  5. In the Smartcard Configuration dialog, in the Smartcard driver file field, enter the full path (directory and file name) of the PKCS #11 Smartcard driver file, or click the folder button to browse for it. (This file was added when you installed your Smartcard reader.) For example, C:\Schlumberger\Smart Cards and Terminals\Common Files\SLBCK.DLL.
    Tip: Below the Smartcard driver file field, Notes® suggests two places on your computer where you might find your Smartcard driver file.
  6. Click Continue.
  7. Click Enable Smartcard Login under Using your Smartcard with Notes.
  8. When prompted for each, enter your Notes® password and your Smartcard PIN. Once you are prompted that Smartcard Login is enabled, you must use your Smartcard PIN the next time you login to Notes® and thereafter.
  9. When prompted, and if supported by your Smartcard, enter a descriptive name for your Smartcard in the Smartcard Login Label field under Your Smartcard configuration. For example: Jason's Smartcard.

Results

Note: Make sure to take your Smartcard with you whenever you leave your workstation. If you are using a PKCS#11 Version 2.01 or higher Smartcard driver set, removing your Smartcard from the Smartcard reader locks the Notes® display until the Smartcard is put back into the Smartcard reader and you enter the correct PIN.
Note: If there are copies of your User ID file, replace them with the copy of the User ID file that you enabled for Smartcard login in this procedure.

Moving Internet keys to a Smartcard

About this task

You can store on your Smartcard any Internet public and private keys from personal Internet certificates that you may have (not from Internet certificate authority certificates). Storing your Internet keys on your Smartcard protects them more strongly than storing them in your User ID does. Once a set of Internet keys is moved to a Smartcard, it is only possible to export the certificate itself, without the private key, to a separate file.

Note that you may not be able to store some keys on a Smartcard, including 630-bit private keys.

The X.509 certificate associated with the Internet keys is also stored on the Smartcard. You can view this certificate and its associated keys in the User Security dialog box, when you click Your Certificates and select Your Internet Certificates in the drop-down list.

CAUTION: Once you place your Internet keys on your Smartcard, you cannot remove them. You can only recover keys that are placed on your Smartcard after User ID recovery has been enabled on your User ID. If the recovery information in your User ID changes after you have placed keys onto a Smartcard, you can no longer recover those keys directly. If you do not recover your Internet keys, data encrypted with the keys is no longer readable. Contact your administrator for further advice on whether your Internet keys can be recovered before continuing with this procedure.

Procedure

  1. Click File > Security > User Security.
  2. Enter your PIN when prompted.
  3. Click Your Identity > Your Certificates.
  4. Select Your Internet Certificates.
  5. Select the Internet certificate that corresponds with the Internet keys you want to move to your Smartcard.
  6. Click Other Actions > Move Private Key to Smartcard.
  7. Click Yes when you receive the warning that you cannot reverse the action.
  8. Enter your PIN to confirm.
  9. You should receive confirmation that your key was stored successfully.

Using pre-loaded Internet certificates on a Smartcard

About this task

If your Smartcard was given to you with Internet certificates already stored on it, Notes® supports the ability to find and use those certificates without having to import them into the Notes® client. These certificates must conform to the PKCS#11: Conformance Profile Specification for RSA Asymmetric Client Signing. If they do not, you must manually import them into your ID file.

When Notes® searches for Internet certificates to display in the User Security dialog box, or to use the certificates for decrypting Internet mail or for SSL client authentication, the Internet certificates loaded on your Smartcard will be available for use, along with the Internet certificates in your ID file.

When you sign Internet email, and you have Internet certificates in your Smartcard that are not already contained in your ID file, you will have the option of choosing a new signing certificate from those on the Smartcard, through a dialog box prompt. If no new certificates are found on your Smartcard, your default signing certificate will be used and you will not be prompted.

If you have copies of Internet certificates in your ID file and on your Smartcard, Notes® will use the copy of the certificate in the ID file.

To import Internet certificates from a Smartcard

About this task

You can import Internet certificates and store them in the Notes® ID file so that they can be found by, and used with, Notes®.

Note: This option is only applicable to users who have enabled Smartcard login by securing the ID file with a secret.

Procedure

  1. Click File > Security > User Security.
  2. Enter your PIN when prompted.
    Note: If you are performing this step as part of enabling Smartcard login with an Internet certificate and key, you are not prompted for the PIN.
  3. Click Your Identity > Your Certificates.
  4. Click Get Certificates. A drop-down list appears, listing different ways of importing certificates into the ID file.
  5. Select Import Internet Certificate from a Smartcard. This imports all available certificates from the current Smartcard.

To view Smartcard configuration details

About this task

You can view all of the configuration information for any Smartcard or cryptographic token you have configured to use with Notes®.

Procedure

  1. Click File > Security > User Security.
  2. Enter your PIN when prompted.
  3. Click Your Identity > Your Smartcard.
  4. Click Configuration Details. The Smartcard Configuration dialog box appears.
  5. Optional: Click Select Slot. The Select Slot dialog box appears. In addition to information about the cryptographic token, it provides a list box of all of the slots in your PC that are being used by Smartcard or cryptographic token readers. Select a number from the list to view details about the Smartcard or token that is being used by that slot.