Lotus Notes security settings

Overview

The synchronization between the IBM Domino server and the Totalview 2016 SP2 server is based on having a query user with access to the Domino users’ calendar folders. The synchronization module logs on to the Domino server using the query user, and uses the Lotus Notes mail client API to query, create, update and delete appointments for the Domino users.

This document describes how to create the query user for IBM Domino 6 server and how to test the query user and its access to other users’ calendar folders.

Since the Lotus Notes mail client is used by the connector, the document also walks you through the necessary steps to configure the client correctly.

Creating and setting up access for the query user

The query user is created with rights to query, create, update and delete appointments for users on the Domino server.

The steps involved in creating the query user are:

  • Create the query user in Domino Server, create a mailbox for the query user and issue an id file for the query user

  • Assign full calendar access rights to the query user over Domino’s server users

Create the TotalView query user with a Lotus Notes Mailbox

Create the account and mailbox for the query user to be used when the Lotus Notes synchronization connects to the Domino server.

Log on to the machine hosting IBM Domino Server using Administrator rights.

  1. Start Lotus Domino Administrator

  2. Open the Register user form
    • On the left vertical tabbed menu choose the second tab called Domain
    • Select People & Groups from the horizontal tabbed menu on the top and then, in the tree choose People
    • From the right menu choose Register (expand the People menu group if the Register option is not visible)
  3. Choose a certifier
    If prompted to choose a certifier:
    – Select Supply certifier ID and password
    – Click on the Certifier ID button

    – Choose the appropriate certificate file

    – Press OK
    – Enter the password required for the chosen certificate and then the Register Person form will show up
  4. Register the person
    In the Register Person form:
    – Check the Advanced checkbox in order for a full menu to appear on the left. Select Basic menu entry
    – Fill in the different name fields and the password
    – Choose Lotus Notes from the Mail System dropdown
    – Check Create a Notes ID for this person

    – Choose Mail menu entry
    – Mail System must be Lotus Notes

    Write down the Mail file name. That name with a .nsf suffix will be the id/username that identifies the query user when setting up the Lotus Notes connector

    – Choose the option Create file now
    Mail file owner access must be set to Manager

    – Choose ID Info menu entry
    – Check Create a Notes ID for this person
    – Leave Use CA process unchecked
    – Uncheck In Domino directory
    – Check In file, then press Set ID File and choose a path where the ID file of the user is saved (you can leave the default path)

    – Click the green checkbox button near the Import Text File button and the user will be added to the Registration Queue, as can be seen below

    – Press Register and a popup saying Person registered successfully! should appear

    – Select OK and then Done

The query user is now created in the Domino server and a mailbox is attached to the query user.

Setting up the calendar access rights for the Totalview query user

The query user must be able to access other users’ calendar folders in order to query, create, update and delete appointments that do not belong to the query user itself. To do this, the query user must be explicitly granted the necessary rights in other users’ calendars.

 

The query user has maximum rights to all users’ calendars, and we recommend that the query user and password are only used in the installation process. The query user’s ONLY purpose should be to set up the Lotus Notes connector in the TotalView Administration.

Security settings for Totalview query user over a single calendar

When adding a single user, the easiest way to set up security is from the user’s calendar.

Open the calendar for a user in Lotus Notes

  • Select Actions – Tools – Preferences
  • Select Access & Delegation tab
  • Press Add Person or Group
  • At step 1 select Enter and choose a user/group and in the user text box enter or pick the query user
  • At step 2 select Only Calendar and To Do
  • At step 3 choose Read, create, edit and delete from Calendar Entry or To Do
  • Press OK

Security settings for Totalview query user over multiple calendars

If you are a manager on the Domino Server it is possible to set the access level for several users at a time. This is done by modifying the ACLs of the databases. Only someone with Manager access can modify the ACL.

  • From the Domino Administrator right tabbed menu choose Server pane, select the server that stores the databases
  • Click Files tab and in the tree go to mail subfolder
  • Select one or more databases from the Domino data directory
  • Right click on the selection and select Access Control
  • Press Add and select the query user
  • Set User type to Person, Access to Author.
    It is important that the Create Document checkbox is checked.
  • Press OK

Configuration of the Lotus Notes mail client

The Lotus Notes connector needs the Lotus Notes email client to be installed on the machine where the connector resides. All the queries that the connector performs are made through the user that the email client is configured with (the query user). The steps below show how to configure such a user. The wizard will make sure that all the information about the query user and the Domino server is entered correctly. This is a simple way of validating the server and user credentials before configuring the Lotus Notes connector with them.

The same wizard applies to versions 6, 7 and 8 of the Lotus Notes mail client.

Step 1.  The Lotus Notes client setup wizard

After the client is installed, a wizard opens the first time the client starts.

Step 2.  Enter the mailbox username and the Domino server address

In this step, if the user or Domino server you entered is not valid, you will be notified about it as in the following screenshots:

Step 3.  Enter the id file for the query user

When a user is created on the Domino mail server an id file is generated for that user. This id file allows that user to configure their email client. This step in the wizard requests the path to that file:

Once the path is specified you will be asked if the file should be copied to the client’s data directory. You can choose either option since it has no effect on the client behavior.

Step 4.  Enter the password for the query user

This step prompts for the password corresponding to the configured user. Entering it here is a simple way to validate this data before configuring the TotalView Lotus Notes connector to use it.

Step 5.  Skip the other services that can be configured

Step 6.  Configuration finished

Step 7.  Browse the user’s calendar

Once the client is configured you can access the query user’s calendar.

Testing the query user

After creating the query user, granting the query user the necessary rights to calendars and setting up the Lotus Notes mail client, the query user can be tested using the Lotus Notes mail client and/or the Lotus message test tool.

Testing the query user using Lotus Notes client

When testing with the Lotus Notes mail client, we test that the query user is created and that the query user has access rights to other users’ calendars.

Log on to Lotus Notes using the query user

After following the steps in section 3. Configuration of the Lotus Notes mail client, the Lotus mail client should be set up and ready to be used.

Start the Lotus mail client (your client version may be different from 6, but the actions are the same)

Enter the password for the query user

Choose Calendar (second option from the right vertical tabbed menu). If the query user’s calendar is displayed correctly, the query user is successfully set up.

Open another user’s calendar with the query user’s credentials

 

Start the Lotus Notes mail client (see section 4.1.1 Log on to Lotus Notes using the query user). After the calendar is open go to Tools and select Open Calendar For

Choose the user whose calendar you want to test access to and press OK.

If another tab appears showing the selected user’s calendar, then the query user has the needed access rights and the test was successful.

The Lotus message test tool

After creating the query user, the Lotus message test tool can be used to verify the query user’s access to the Domino server and that the operations done through the Lotus Notes mail client API are executed properly.

The Lotus message test tool is located in the /InstallFiles folder.

The tool tests the query user and its access to other users’ calendar folders.

The test tool must be copied to the local machine before the program is executed.

Testing the query user

In the Connection credentials section enter the Domino Server IP, Username (the username is the text you wrote down in section 2.1 Create the TotalView query user with a Lotus Notes Mailbox, step 4) and Password.

To test just the query user credentials enter the same username in the Search user calendar section. Pressing the Search Calendar button should generate a list of appointments in the Received text area, meaning that the test was successful.

If the testing fails the error result is listed. Use this information to modify the settings and retry.

Testing access to users’ calendar folders

If the above query user test is successful, in the Search user calendar section enter the username of the user whose calendar you wish to query.

Pressing the Search Calendar button should generate a list of appointments in the Received text area, meaning that the test was successful.

If the testing fails the error result is listed. Use this information to modify the settings and retry.

Configuration of the Lotus Notes connector service

The Lotus Notes synchronization can log on to the Domino server using the username and password supplied in the Totalview3 server administration.

 

The Lotus Notes connector cannot use the service credentials as login data to the Domino server.

Because it logs to both the log file and the Windows Logs, the service must run under a user with administrative rights. To accomplish this you must:

  1. Start Services.
  2. Verify that the Totalview3LotusNotes service is installed. Right-click on the Totalview3LotusNotes service and select Properties.
  3. Select the Log On tab, then This account, and add the username and password for a user with administrative rights. Click OK
  4. Restart the service
    Right-click on the Totalview3LotusNotes service and select Restart
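
The result of steps 1 to 4 can be checked from an elevated PowerShell prompt on the connector machine. The script below is an added example, not part of the Totalview product or its documentation; it assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts module, and the variable and property names it introduces are illustrative.

```powershell
# Added example: report which account the connector service runs under and
# whether that account is a direct member of the local Administrators group.
$serviceName = 'Totalview3LotusNotes'   # service name as given in step 2

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if (-not $svc) {
    Write-Error "Service $serviceName is not installed on this machine."
    return
}

# StartName holds the account configured on the Log On tab.
$account = $svc.StartName

# Built-in service identities mean "This account" was never filled in.
$builtIn = @('LocalSystem',
             'NT AUTHORITY\LocalService',
             'NT AUTHORITY\NetworkService')
$usesNamedAccount = $builtIn -notcontains $account

# Local accounts are stored as ".\name", while group members are listed as
# "COMPUTERNAME\name", so normalise before comparing.
$lookup = $account
if ($lookup.StartsWith('.\')) {
    $lookup = $env:COMPUTERNAME + '\' + $lookup.Substring(2)
}

# S-1-5-32-544 is the well-known SID of the local Administrators group;
# using the SID avoids problems with localised group names.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544'
$isDirectAdmin = @($admins.Name) -contains $lookup

[pscustomobject]@{
    Service          = $svc.Name
    State            = $svc.State
    StartMode        = $svc.StartMode
    LogOnAs          = $account
    NamedAccount     = $usesNamedAccount
    DirectLocalAdmin = $isDirectAdmin
}
```

DirectLocalAdmin only reflects direct membership: an account that is an administrator through a nested domain group, or that is stored in user@domain form, shows as False and has to be checked by hand.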
Last edited on November 20th, 2017