Home
Securing your data
HCL Notes® security enables you to protect your workspace and data at all times, so only you and the people you designate have access to your data.
How Notes® uses public and private keys for encrypting and signing mail
HCL Notes® uses a public and private key set to encrypt and decrypt data, as well as to validate digital signatures. The public and private key in a set are mathematically related to each other and are unique to your User ID. Your public key is stored in your Notes certificate. Your certificate is stored in your User ID and the HCL Domino® Directory. Your private key is stored only in your User ID.
Key rollover
Key rollover is the process used to update the set of Notes® public and private keys that is stored in your ID file. This set of keys may need to be replaced - for instance, to increase security by updating to larger keys, or to recover if your private key has been compromised in some way.

Securing your data
HCL Notes® security enables you to protect your workspace and data at all times, so only you and the people you designate have access to your data.
- Your Notes User ID and how to store it
- Changing passwords
  Passwords prevent others from using your User ID. When your administrator creates your User ID, he or she decides whether it needs a password, and what type of password is required. Once you access HCL Notes® for the first time, you should change your password to something that you can remember but is hard for others to guess.
- Using Notes shared login to eliminate Notes password prompts
  Notes® shared login (hereafter shared login) allows you to start HCL Notes and use your User ID without having to provide a Notes password. You only need to log in to Microsoft® Windows® using your Windows password. Your administrator controls whether you can use shared login.
- Locking the Notes ID
  Locking your HCL Notes® ID prevents others from using Notes when you are away from your computer. Locking your ID clears your Notes credentials and drops all connections to Notes servers. You must log in again in order to take any new action using Notes.
- Enabling Smartcards for Notes® login
  Smartcards resemble credit cards, but instead of containing a magnetic strip they contain a microprocessor and memory. You can use a Smartcard with your User ID to login to HCL Notes®, provided you have a Smartcard reader installed on your computer. Once your User ID is enabled for Smartcard login, you are prompted for your Smartcard Personal Identification Number (PIN) in place of your Notes password.
- Requesting a new user name
  If you want to request a new User Name - for example, if you got married and you want to change your name - you must contact your administrator.
- Your Notes® and Internet names
  You can view all the names that identify you in Notes®.
- Sending mail to your administrator
- Accessing servers using certificates
  A certificate is an electronic stamp, like a stamp on a passport, which verifies to a server that you are who you say you are. Certificates are stored in your User ID. When you first receive your User ID from your administrator, it contains a Notes® certificate. You may decide to use Internet certificates as well. (You may see Internet certificates being referred to as X.509 certificates.)
- The Access Control List
  Every database includes an access control list (ACL), which HCL Notes® uses to determine the level of access users and servers have to a database. Levels assigned to users determine the tasks that users can perform on a database. Levels assigned to servers determine what information within the database the servers can replicate.
- Restricting access to local databases
  When you enable encryption for a local database, HCL Notes® encrypts the database using your public key from your User ID. You are the only one who can then decrypt the database because you have the corresponding private key in your User ID. Nobody else's User ID can open the database.
- Notes data
  You can restrict access to applications you have stored locally or encrypt a document in an application.
- Preventing others from reading or viewing specific documents
  You can protect your documents, so that only you and the people you designate can read them, even if others have access to the database your documents are in.
- Encrypting documents using secret keys
  Using a secret encryption key that is stored in your User ID, you can encrypt a document that you are posting in a public database, provided the document contains fields that are encryptable.
- How Notes® uses public and private keys for encrypting and signing mail
  HCL Notes® uses a public and private key set to encrypt and decrypt data, as well as to validate digital signatures. The public and private key in a set are mathematically related to each other and are unique to your User ID. Your public key is stored in your Notes certificate. Your certificate is stored in your User ID and the HCL Domino® Directory. Your private key is stored only in your User ID.
  - Encrypting and digitally signing email messages
    You can set HCL Notes® to digitally sign and encrypt email messages you send to other Notes users or to users over the Internet.
  - Mail security
    You can access your mail security options through the User Security window.
  - Mail encryption failure
    The "Mail Encryption Failure" dialog box appears when you want to encrypt an outgoing mail message and HCL Notes® can't find the recipient's certificate to encrypt the message.
  - Location configuration for signing Internet-style (S/MIME) mail
    You can view your Internet mail address information.
  - Edit locations (format for sending mail to Internet addresses)
    HCL Notes® Internet-style mail uses secure MIME (S/MIME) protocols for sending and receiving encrypted and signed mail. Internet-style Notes mail is required to secure mail to people over the Internet, and is optional to secure your mail to other Notes users.
  - Edit locations (Internet Mail Address)
    HCL Notes® Internet-style mail uses secure MIME (S/MIME) protocols for sending and receiving encrypted and signed mail. Internet-style Notes mail (S/MIME) is required to secure your mail to people over the Internet, and is optional to secure your mail to other Notes users.
  - Incoming mail
    You can select the type of format in which you prefer to receive your incoming mail.
  - Encryption certificate configuration for Internet-style (S/MIME) mail
    You can view details about your encryption certificate, used for mail with people outside of HCL Notes® and for mail from Notes users if you are configured to receive Internet-style (S/MIME) mail.
  - Certificate configuration for Internet-style (S/MIME) mail
    You can view the Internet certificates located in your User ID. The certificates listed are the certificates that you can use to send and receive secure and signed mail through HCL Notes® with others over the Internet. One of these Internet certificates must be designated as the default signing certificate.
  - Using dual Internet certificates for encryption and signatures
    You use your Internet certificate to sign messages that you send. Other people use your Internet certificate to encrypt messages they are sending to you. This is similar to how HCL Notes® certificates work. However, if you have more than one Internet certificate, you may be able to use one Internet certificate for signing messages and another Internet certificate for people to use to encrypt mail messages.
  - Select default signing certificate
    You if you have more than one Internet certificate, you can select which one to act as the default signing certificate.
  - Internet-style Notes mail options
    You can configure your Internet certificates for sending and receiving secure mail with people outside of HCL Notes®.
  - Creating new public keys
    If you lost your User ID, or someone has taken it to access your data, you should change your password and create new public keys (a new Notes® multi-purpose certificate and a new Notes international encryption certificate).
  - Publishing your Notes certificate for others to access
    You may want to publish your certificate containing your public key so others can use it to encrypt data being sent to you. The certificate can be published in the HCL Domino® Directory or sent to an individual, so that person can publish it in their Contacts. How to publish your public key depends on whether or not you are an HCL Notes® mail user.
  - Certificates in your ID file
    You can display all HCL Notes® and Internet certificates that are found in your User ID.
  - Merge certificate into your User ID
  - Examining certificates
    You can examine your certificates from your Contacts.
  - Certificate authorities and the certificates they issue
    You can view all of the Notes® and Internet certificate authority (CA) certificates that you trust.
  - Requesting certificates or cross certificates
  - Creating a cross certificate on demand
    In the following situations you may be prompted to create a cross certificate.
  - Requesting cross certificates or merging information
  - Retrieving certificates and cross certificates from your home server
    To access HCL Notes® servers in other domains, to verify digital signatures, or to encrypt messages using S/MIME, you must have cross certificates in your Contacts. You can add to your Contacts Internet certificates and Notes and Internet cross certificates from the HCL Domino® Directory on your home/mail server.
  - Advanced certificate details
    You can view details about your selected HCL Notes® or Internet certificate.
  - Trust details
    When you are viewing certificates from people and services you can view Trust Details for a selected certificate. Trust Details displays the name of the certificate, and what kind of trust you have established for it. The following are reasons why you might trust a certificate.
  - Certificates for people or services
    You can view all of the HCL Notes® and Internet certificates that you trust and don't trust for specific people or services.
  - To delete your Notes pending public keys
    If you have HCL Notes® pending keys that you do not need anymore, you can delete the keys from your User ID. You get Notes pending keys when you request new Notes public keys. The reason you might not need your Notes pending keys any longer is if you've decided to not update your Notes certificates with new public keys. In this case, pending keys have not yet been used for any purpose, therefore it is safe to delete them, assuming you definitely don't want to complete your request for new public keys.
  - Exporting a safe copy of your User ID
    When renewing HCL Notes® certificates or requesting new public keys using removable media or another mail program, you need to create a safe copy of your User ID and save it to removable media or directory that you can access.
  - To import new information from removable media into your User ID
    When you import new information into your User ID, such as a new public key, you may need to make sure to update any copies of your User ID as well.
  - Key rollover
    Key rollover is the process used to update the set of Notes® public and private keys that is stored in your ID file. This set of keys may need to be replaced - for instance, to increase security by updating to larger keys, or to recover if your private key has been compromised in some way.
- Restricting execution access with the Execution Control List
  You can protect your workstation by specifying different types of execution access for different people or organizational certifiers who run HCL Notes® scripts and formulas. For example, you may give all types of execution access to your HCL Domino® administrator, but allow no execution access to unsigned scripts or formulas.
- Securing your POP3, IMAP, or LDAP accounts
  HCL Notes® supports Secure Sockets Layer (TLS), which makes communication secure for your POP3, IMAP, or LDAP accounts. TLS encrypts the data that is sent between your Notes client and the server you specify for your account. Notes supports TLS versions 2.0 and 3.0. By default, Notes negotiates the best TLS version to use with a particular server.
- Signed plug-ins
  Your administrator may have selected plug-ins to be installed automatically with your client software. These plug-ins are signed with a certificate that is trusted by your client, and verified that the data they contain is not corrupted. Plug-ins signed in this way can then be installed without having to prompt you to accept them.

Key rollover

Key rollover is the process used to update the set of Notes® public and private keys that is stored in your ID file. This set of keys may need to be replaced - for instance, to increase security by updating to larger keys, or to recover if your private key has been compromised in some way.

About this task

Automatic key rollover is set up by your administrator. You will know when key rollover has occurred because you will be prompted to accept the new keys in your ID. The new keys will be activated in your ID file. The old keys are archived so that they are available to decrypt documents encrypted with the old keys.

To accept new keys

Once the key rollover process has been initiated on your behalf, the next time you authenticate with the server you are prompted with the Accept New ID Information dialog box. Click OK to accept the new public keys. The new keys will be activated in your ID file the next time you authenticate after this.

Note: If you have installed copies of your ID on multiple machines, be sure to update each machine with a new copy of the ID.

To monitor key rollover progress

The key rollover process is complex and it takes time for new keys to be certified by the server and then added to your ID file. If you know that key rollover has been initiated on your behalf, you can monitor its progress in your ID in the Key Rollover Information dialog box. This dialog box is for informational purposes only.

Procedure

Click File > Security > User Security (Macintosh OS X users: Notes > Security > User Security).
Click Your Identity > Your Certificates.
Click Other Actions > Show New Public Key Status.
The Key Rollover Information dialog box appears, and provides the following information:
- information about the current Notes® keys, including key size and creation date
- the name of the server that issued the new certificates
- the date on which the new key was copied to the ID file
- the reason the keys are being updated
- information about the new keys, including key size and creation date
Click OK to close the dialog box.