Monday, 29 October 2018

Domino 10 - ID Vault Scanning


During the past weekend I have looked at some new Administrator features in Domino 10.0. Another new Administrator feature in Domino 10.0 is ID Vault scanning. Enabling ID vault scanning allows Administrators to use the query vault console command or the Domino Administrator to add or update ID vault assignments and user ID vault document modification times in Person documents in the Domino directory. Enabling scanning also allows Administrators to manage archived ID vault user documents.

Enable ID Vault scanning
To enable ID Vault scanning on the Domino server add the following notes.ini setting on the ID Vault administration server: IDV_Enable_Vault_Scan=1.

1. Open the Domino Administrator Client.
2. Select Configuration - Configurations to open the Configurations Document.


3. Select Edit Server Configuration.
4. Select the NOTES.INI Settings tab.
5. Select Set/Modify Parameters
6. Enter the parameter IDV_Enable_Vault_Scan=1 and select Add/Update
7. Select OK.
8. Save the Configurations document.


Scanning the Vault from the command line
Administrators can now use the query vault (qvault) console command to scan ID vaults and update Person documents in the Domino directory with ID vault assignments and last user ID vault document modification time. (The modification time indicates when the last successful ID synchronization occurred). You can also use the command to manage archived user documents in an ID vault.
From the ID Vault Administration server, Administrators can use the load qvault command with the following optional switches. Without any switches, the command scans all ID Vaults on the server and updates the Person documents of the users found with their ID Vault name and the time the users' ID vault documents were last modified.



Switch                            Description
-x <vaultname>                    Scan all documents in specified ID vault and update directory Person documents with vault assignments and the time the users' ID vault documents were last modified.
-x <vaultname> -u <username>      Scan specific user document in specific ID vault and update directory Person document with the user's vault assignment and the time the user's ID vault document was last modified.
-x <vaultname> -u <username> -a   Archive a user's ID vault document by renaming it so that an ID can be uploaded again from the client to the vault. Used to resume client-to-vault ID synchronization that has stopped.
-x <vaultname> -u <username> -r   Revert a user's archived ID vault document to its original name.
-x <vaultname> -u <username> -d   Delete a user's archived ID vault document.
-x <vaultname> -d                 Delete all archived user ID vault documents in a specific ID vault.
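A pre-flight helper for the notes.ini setting and the switch combinations described above, as an added example that is not part of the original post or of Domino itself. It accepts only the combinations listed in the table (action switches written as -a, -r and -d) and refuses the vault-wide delete unless it is explicitly confirmed. The function names, the sample notes.ini text, the vault and user names, and the double-quoting of names that contain spaces are assumptions.

```python
import re

# Constructed notes.ini excerpt for the example.
SAMPLE_INI = "[Notes]\nKitType=2\nIDV_Enable_Vault_Scan=1\n"
ACTIONS = {"archive": "-a", "revert": "-r", "delete": "-d"}

def vault_scan_enabled(ini_text):
    """True only if the setting is present and every occurrence is 1."""
    values = re.findall(r"(?im)^[ \t]*IDV_Enable_Vault_Scan[ \t]*=(.*)$", ini_text)
    return bool(values) and all(v.strip() == "1" for v in values)

def _arg(value):
    # Assumption: names containing spaces are wrapped in double quotes.
    # Quotes and line breaks are rejected so one name cannot become
    # extra switches or a second console command.
    if not value or re.search(r'["\r\n]', value):
        raise ValueError(f"unsafe or empty name: {value!r}")
    return f'"{value}"' if re.search(r"\s", value) else value

def qvault_command(vault=None, user=None, action=None, confirm_bulk_delete=False):
    """Build a 'load qvault' console command from the documented switches."""
    if user is not None and vault is None:
        raise ValueError("-u <username> requires -x <vaultname>")
    if action is not None:
        if action not in ACTIONS:
            raise ValueError(f"unknown action: {action!r}")
        if vault is None:
            raise ValueError("archive/revert/delete require -x <vaultname>")
        if user is None and action != "delete":
            raise ValueError(f"{action} requires -u <username>")
        if user is None and not confirm_bulk_delete:
            # -x <vaultname> -d removes every archived document in the vault.
            raise ValueError("vault-wide delete needs confirm_bulk_delete=True")
    parts = ["load", "qvault"]
    if vault is not None:
        parts += ["-x", _arg(vault)]
    if user is not None:
        parts += ["-u", _arg(user)]
    if action is not None:
        parts.append(ACTIONS[action])
    return " ".join(parts)

if __name__ == "__main__":
    if vault_scan_enabled(SAMPLE_INI):
        # Constructed vault and user names.
        print(qvault_command("ExampleVault", "Jane Doe/Example", "archive"))
```

The helper only builds the command string; the command is still entered on the console of the ID Vault administration server.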

Scanning the ID vault from the Domino Administrator
Administrators can also use the Domino Administrator to scan an ID vault to update ID vault assignments and synchronization information in Person documents in the Domino directory. Administrators can update one Person document or update all Person documents.
Remark: Make sure you are registered as Vault Administrator. A vault Administrator assigned to the Auditor role in the Vault database Access Control List can extract an ID from a vault to gain access to a user's encrypted data and can scan the Vault.

Update one Person document
1. From Domino Administrator select People.
2. Select a Person document.
3. Select Tools - ID Vaults - Scan Vault.


Update all the Person documents of users in a specific ID vault
1. From Domino Administrator select Security - ID Vaults.
2. Select the ID Vault document.
3. Click Tools - ID Vaults - Scan Vault.

More about the new Domino 10.0 Administrator features in my next blog post.
