User's guide

IBM Lotus Notes, Domino, Domino Designer 8 Release Notes
Caveats and Warnings:

- An entry of "n/a" in the "Use pre-loaded keys and X.509 certificates" column does not necessarily indicate any incompatibility with the smartcard package, but simply means that we did not have a sample pre-loaded token to test against.
- Current versions of the Entrust CA create non-compliant PKCS#11 attributes for certificates and keys. Support for these keys and certs is limited; see "Problems using Entrust certificates on smartcards" in these release notes for more details.
- Read-only tokens, such as many national identity "eID" cards and Common Access Cards, can only be used to lock the ID file through the "Lock ID with Key on Smartcard" action, which was introduced in ND7. The "Enable Smartcard Login" action that was introduced in ND6 requires write access to the token.
- The "Lock ID with Key on Smartcard" action will search all slots for the key needed to unlock the Notes ID file. Therefore, if a token is lost or locked out, a new token can be used with the old ID file, as long as the new token contains the exact same certificates and keys with the same key identifier (CKA_ID) attributes. However, if an ID file is smartcard-enabled using the "Enable Smartcard Login" option, then ID File Recovery must be used if the token is lost or locked out in order to revert the ID to a conventional password.
- The only way to revert a smartcard-protected ID file to a conventional password is through ID File Recovery. ID File Recovery should be configured for an ID file before the ID file is smartcard-enabled. Recovering a smartcard-protected ID file will revert the ID file to use a password and will restore any keys that were pushed onto the smartcard from the ID file, as long as the recovery information was not changed after the key was pushed down to the smartcard.
- Password expiration should be disabled in a user's person record before they smartcard-enable their ID file.
- Password checking will result in only a single smartcard being usable with a given ID file, even across multiple computers or platforms. In this scenario, one copy of the ID file should be smartcard-enabled, and then that version of the ID file should be copied to all of the other respective computers. That single smartcard will now be required for all of the copies of the ID file.
- Server setup will not function with a smartcard-protected server ID. In order to use a smartcard-protected ID with a server, finish server setup with a password-protected version of the ID file, then add the path to the PKCS #11 library in the server's NOTES.INI (PKCS11_Library=<path to library>), and finally smartcard-enable the server's ID file on a client or using the SECManipulateSC C-API function.
- Single Logon, which synchronizes the Notes and Windows passwords, cannot be used with a smartcard-protected ID file. You must restart Notes after disabling Single Logon before smartcard-enabling an ID file.
- Notes uses version 2.01 of the PKCS #11 API to communicate with smartcards and other PKCS#11 devices. PKCS #11 libraries that only implement version 2.0 will not result in an "F5"-style logout when the card is removed from the reader. Updated libraries may be available from the smartcard vendors.
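The "Lock ID with Key on Smartcard" caveat above hinges on one detail: a replacement token is only accepted if it carries the same CKA_ID attributes as the token the ID file was locked with, and the client finds them by walking every slot. The script below is an added example, not code from these release notes or from IBM, that makes that check explicit before a backup card is relied on. It walks all slots, records the CKA_ID of every certificate and key object on each token, and reports which tokens hold every identifier the ID file was locked against. The hardware path assumes the third-party PyKCS11 module is installed; `TokenInventory`, `inventory_pkcs11`, `find_slots_with_ids`, `missing_ids`, `report` and the three sample tokens are this example's own inventions, and the sample CKA_ID values are constructed. Matching identifiers is a prerequisite, not the whole story: the caveat also requires the certificates and keys themselves to be identical.

```python
"""Check which PKCS #11 tokens carry the key identifiers (CKA_ID) an ID file was locked
with. Added example for these release notes, not IBM's code. All names are this example's
own; the hardware path assumes the third-party PyKCS11 module is installed."""

import sys
from dataclasses import dataclass, field


@dataclass
class TokenInventory:
    """One slot's token and the set of CKA_ID values found on its certificates and keys."""
    slot: int
    label: str
    ids: set = field(default_factory=set)


def inventory_pkcs11(lib_path, pin=None):
    """Walk every slot with a token present and collect the CKA_ID of each certificate,
    public-key and private-key object. Needs a vendor PKCS #11 library and a reader;
    PyKCS11 is imported lazily so the matching logic below runs without either."""
    import PyKCS11  # third-party module (assumption: installed)

    lib = PyKCS11.PyKCS11Lib()
    lib.load(lib_path)
    inventories = []
    for slot in lib.getSlotList(tokenPresent=True):
        inv = TokenInventory(slot=slot, label=lib.getTokenInfo(slot).label.strip())
        session = lib.openSession(slot, PyKCS11.CKF_SERIAL_SESSION)
        logged_in = False
        try:
            if pin is not None:
                session.login(pin)  # private-key objects are normally hidden until login
                logged_in = True
            for cls in (PyKCS11.CKO_CERTIFICATE, PyKCS11.CKO_PUBLIC_KEY, PyKCS11.CKO_PRIVATE_KEY):
                for obj in session.findObjects([(PyKCS11.CKA_CLASS, cls)]):
                    (cka_id,) = session.getAttributeValue(obj, [PyKCS11.CKA_ID])
                    if cka_id:  # some objects carry no CKA_ID at all
                        inv.ids.add(bytes(cka_id))
        finally:
            if logged_in:
                session.logout()
            session.closeSession()
        inventories.append(inv)
    return inventories


def find_slots_with_ids(inventories, required_ids):
    """Mirror the "search all slots" behaviour: return the inventories whose token holds
    every required CKA_ID. Comparison is exact byte equality, as the caveat requires."""
    required = {bytes(i) for i in required_ids}
    return [inv for inv in inventories if required <= inv.ids]


def missing_ids(inventory, required_ids):
    """CKA_IDs a candidate token lacks; an empty set means it can stand in for the original."""
    return {bytes(i) for i in required_ids} - inventory.ids


# Constructed sample inventories standing in for three physical tokens (values made up).
ORIGINAL_TOKEN = TokenInventory(0, "original card", {b"\x01", b"\x02"})
REISSUED_SAME_IDS = TokenInventory(1, "reissued card, same CKA_IDs", {b"\x01", b"\x02", b"\x03"})
REISSUED_NEW_IDS = TokenInventory(2, "reissued card, new CKA_IDs", {b"\x10", b"\x11"})
LOCKED_WITH = [b"\x01", b"\x02"]  # the identifiers the ID file was locked against


def report(inventories, required_ids):
    """Print a per-slot verdict and return the slot numbers that can unlock the ID file."""
    usable = []
    for inv in inventories:
        gap = missing_ids(inv, required_ids)
        verdict = "usable" if not gap else "missing " + ", ".join(i.hex() for i in sorted(gap))
        print(f"slot {inv.slot} [{inv.label}]: {verdict}")
        if not gap:
            usable.append(inv.slot)
    return usable


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python check_cka_id.py <path to PKCS #11 library> [PIN]
        tokens = inventory_pkcs11(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    else:
        tokens = [ORIGINAL_TOKEN, REISSUED_SAME_IDS, REISSUED_NEW_IDS]
    report(tokens, LOCKED_WITH)
```

Run it with no arguments to see the constructed sample: the original card and the reissued card that kept its CKA_IDs are reported usable, while the card whose keys were generated under new identifiers is reported as missing both, which is the case where only ID File Recovery can get the user back in. With a real reader, pass one of the vendor library paths listed under the sample install paths; supply the PIN only if you also want private-key objects counted, since certificates and public keys are readable without it.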
Sample PKCS #11 Library Install Paths:

- c:\WINNT\system32\acpkcs211.dll (ActivClient 5.4)
- c:\WINNT\system32\eTpkcs11.dll (Aladdin eToken RTE 3.65)
- c:\WINNT\system32\asignp11.dll (A-Trust v1.2.2.1)
- c:\WINNT\system32\Belgium Identity Card PKCS11.dll (Belgian eID)
- c:\WINNT\system32\dkck201.dll (Datakey CIP 4.07)
- c:\WINNT\system32\opensc-pkcs11.dll (Estonian eID)
- c:\WINNT\system32\sadaptor.dll (Eutron CryptoIdentity CryptoKit 3.7.1)