One-Way Cross Certification at the Organization (O) Level Using the "Host" Cert.id and a "remote" User ID (Safe User ID)

Mindwatering Incorporated

Author: Tripp Black

Created: 07/22/2005 at 01:21 PM

 

Category:
Domino Server Issues Troubleshooting
Cross-Certification

Paradigm:
ACME wants to let all WB users access their ACME Domain.
The two main steps to complete are:
1. Cross-Certification (one-way)
2. Editing of Security Tab of ACME server docs.

This document covers step 1 above.

Pre-requisites:
1. WB id:
You must cross-certify the organization (O) or the OU/organization. To cross-certify the external/remote domain (e.g. WB), all you need is an ID from any level of the hierarchy at which certification is allowed. For example, if you have the WB user John Doe/ABC/WB, you could create the cross certificate at any of the three levels: for just John, for his OU (ABC), or for the entire organization (WB).
2. ACME admin id:
You must have the Admin client using the appropriate Admin.id for the ACME Domain with admin rights to the ACME server.
3. ACME cert.id or ou.id:
You must have the cert.id (O-level) or the OU-level id that is going to cross-certify the WB id.


Steps for One-Way Cross-Certification of Acme Domain

1. Start the Administration client
2. Switch to the Configuration tab.
3. On the right under Tools\Certification choose "Cross Certify."
4. When prompted to choose certifier id, choose your Certifier id.
5. When prompted for an id to cross certify, choose the WB safe user.id file.
6. At this point you will notice that the Subject name field has a drop-down list. You can select any of the levels of the WB id (e.g. John's, his "ABC" OU, or his "WB" O):
/WB
/ABC/WB
John Doe/ABC/WB
7. Verify that your registration server specifies your ACME server's name (if it says "Local", click the "Server" button to change it).
8. Click Cross-Certify.
9. Once completed, refresh the Certificates view (left-side twistie, still within the Configuration tab).
10. Verify that you see a cross-certificate in your ACME server's Domino Directory, issued from your ACME domain to the level of the WB domain you certified.
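The level you pick in step 6 decides how far the trust reaches: a cross-certificate issued to /WB covers every ID under that organization, /ABC/WB covers only that OU, and John Doe/ABC/WB covers one user. The following is an added example (not from the original Mindwatering page and not Domino's own code) that models that scope rule in Python so you can check which of your issued cross-certificates, if any, would cover a given remote user. It uses the page's sample names; the function names are this example's own, and it also accepts Notes canonical names of the form CN=John Doe/OU=ABC/O=WB.

```python
"""Hierarchical-name helper for Domino cross-certification scope.

Added example, not part of the original page. It models the rule from the
prerequisites: a cross-certificate issued to a level of the remote hierarchy
(/WB, /ABC/WB or John Doe/ABC/WB) trusts every ID at or below that level.
"""


def name_components(hier_name: str) -> list[str]:
    """Split a Notes hierarchical name into its components, most specific
    first, and strip canonical-form prefixes (CN=, OU=, O=).

    'John Doe/ABC/WB'          -> ['John Doe', 'ABC', 'WB']
    '/ABC/WB'                  -> ['ABC', 'WB']
    'CN=John Doe/OU=ABC/O=WB'  -> ['John Doe', 'ABC', 'WB']
    """
    parts = []
    for comp in hier_name.split("/"):
        comp = comp.strip()
        if not comp:
            continue
        if "=" in comp:                      # canonical form: drop the label
            comp = comp.split("=", 1)[1].strip()
        parts.append(comp)
    return parts


def cross_certifiable_levels(user_name: str) -> list[str]:
    """Return the levels at which this user's ID can be cross-certified,
    broadest first, as offered by the Cross Certify dialog's drop-down."""
    comps = name_components(user_name)
    levels = []
    for i in range(len(comps)):
        tail = "/".join(comps[i:])
        # i == 0 is the user's own name; deeper tails are OU or O levels,
        # which Notes writes with a leading slash.
        levels.append(tail if i == 0 else "/" + tail)
    return list(reversed(levels))


def is_trusted(user_name: str, cross_certs: list[str]) -> bool:
    """True if any issued cross-certificate covers the user.

    An O/OU-level certificate (leading slash) matches when its components
    are a suffix of the user's name; a user-level certificate must match
    the full name. Notes names compare case-insensitively.
    """
    user = [c.lower() for c in name_components(user_name)]
    for cert in cross_certs:
        cert_comps = [c.lower() for c in name_components(cert)]
        if not cert_comps:
            continue
        if cert.strip().startswith("/"):
            # Organization or OU level: the user's name must end with it.
            n = len(cert_comps)
            if n <= len(user) and user[-n:] == cert_comps:
                return True
        elif cert_comps == user:
            # Individual level: exact match only.
            return True
    return False


if __name__ == "__main__":
    # Constructed sample data using the page's example names.
    print(cross_certifiable_levels("John Doe/ABC/WB"))
    issued = ["/ABC/WB"]                      # what step 10 should show
    for who in ("John Doe/ABC/WB", "Jane Roe/XYZ/WB"):
        print(who, "trusted:", is_trusted(who, issued))
```

Certifying at the OU level, as in the `issued` list above, admits John but not a WB user in another OU; certifying at /WB would admit both. Whether an admitted user can then open the server is still governed by the "Access Server" field covered in step 2 of the paradigm.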

Note:
As users of the WB domain access the server, they will be prompted to issue (for their ID, at the local workstation level) a cross certificate. If they answer Yes, they will be able to access your server, assuming the "Access Server" field in the server document allows them access.

