About this task
The administrative trust defaults in deploy.nsf and
the Internet certifiers in the install kit's Java keystore are processed to define trusted
certifiers. The keystore is used directly during install, but is ignored
at runtime. The deploy.nsf is processed at startup
to add trust certifiers to the user's Contacts application (names.nsf)
to be used at runtime.
You can install the deploy.nsf application
as part of a Notes® client
install kit.
You cannot manually edit or delete certificates
in the deploy.nsf. You can make changes
to the installed deploy.nsf only by exporting
from the server's Domino Directory
to a new deploy.nsf and then overwriting the
installed deploy.nsf with the new file. The notes.ini statement FORCE_PROCESS_DEPLOY_NSF=1 ensures
that the deploy.nsf application is processed.
Alternatively, you can simply use Domino policy.
If there are certificates listed in the installed deploy.nsf and
you overwrite it with a new deploy.nsf, any
certificates that are not in the new deploy.nsf are
deleted. If you are going to use this technique, maintain a central
and cumulative deploy.nsf so as not to unintentionally
delete certificates from a user's system.
Pushing administrative
trust settings to users by customizing the install kit enables you
to do the following:
- Add third party certificates to the Java keystore,
which allows signed features/plugins added to the install kit to be
trusted at install time. The keystore can be modified manually using
keytool, but this method is simpler and leverages existing infrastructure.
- Push Internet Certifiers, Internet Cross Certificates, and Notes Cross Certificates to the
user's Contacts application (names.nsf), so that
when users install new features/plugins at runtime, or access new applications,
they will not be prompted for trust decisions.
You can alternatively push administrative trust settings to
users from Domino policy,
which is the recommended method, to centrally manage and change settings
as needed.
Note: You should use the action Export Certificates
to Deploy Database only to make changes to an existing
deploy.nsf.
Note: If you use the Domino policy method (Keys and
Certificates tab on the Security policy page) to push
trust settings, then even if there is an installed deploy.nsf it
will be ignored and the policy settings will instead be used. Any
certificates resident in the Contacts application because of the deploy.nsf,
and that are not specified in Domino policy,
will be removed.
To add administrative trust settings to
an install kit without pushing those settings from the Keys
and Certificates tab on the Security policy page, proceed
as follows.
- Log into a Domino Administrator
or Notes client using an administrative
ID.
Note: The client and server must be version 8.5.1
or later, and the server must be running the 8.5.1 or later version
of names.nsf, based on the pubnames.ntf template.
- Open the server's Domino Directory
(names.nsf).
This server must
contain all of the certificates and cross-certificates that you want
to deploy.
- Open the Security/Certificates view.
- Select all the Internet certifiers, and Notes and Internet cross-certificates, that
you want to deploy.
Note: Each must be checked (checkmark)
and visible in the view, not hidden under a category. The currently
selected document must also be checked.
- Click Export Certificates to the Deploy Database on
the Actions menu.
- Specify the location at which to create the Java keystores and the deploy.nsf application.
This must be an existing directory; ensure that the specified
path is correct before continuing.
Note: If these files do not
exist, they will be created.
Note: To augment an existing install
kit, choose the deploy directory of that kit.
The selected Internet certifiers will be added to any existing .keystore* files,
and all selected documents will replace any certificate documents
in the existing deploy.nsf.
- Respond to the force deletes prompt
and click Next.
  - Choose Yes to delete any certificate documents
  in the user's Contacts application previously added by a deploy.nsf.
  The certificates in deploy.nsf are copied to
  the Contacts application.
  - Choose No to copy all the certificates
  in deploy.nsf to the user's Contacts application,
  if they don't already exist. Certificates that were previously added
  by deploy.nsf, but do not exist in the current deploy.nsf,
  remain unchanged in the user's Contacts application.
If you selected Internet Certifiers, the result should be
as follows, otherwise only the deploy.nsf application
is created.
location/.keystore.JCEKS.Java_HotSpot_Client_VM.install
location/.keystore.JCEKS.IBM_J9_VM.install
location/extras/deploy.nsf
- Copy the .keystore* files to the deploy
directory of the kit and the deploy.nsf to the deploy/extras directory
of the kit.
Note: On Windows the
deploy directory is located in the same directory as setup.exe.
Note: On
Mac OS X the deploy directory is located at Lotus Notes
Installer.mpkg\Contents\deploy\. To access it in Finder,
right-click on Lotus Notes Installer.mpkg and
choose Show Package Contents.
Note: Linux requires a different process.
See the related topic on customizing installation for Linux.
The resultant deploy.nsf is
based on the client's Contacts application template (pernames.ntf)
and can be opened to check that all of the certificates have copied
correctly.
If the resultant deploy.nsf application
is not what you expected, or error messages appear during processing,
start Notes and select to view log messages or Java exceptions
and contact IBM® Support with
that information.
Note: To improve performance, deploy.nsf is
processed only when new components are installed to the Notes runtime by way of an add-on installer
or the client is upgraded. To force deploy.nsf to
be reprocessed, set the notes.ini variable FORCE_PROCESS_DEPLOY_NSF=1.
After deploy.nsf is processed, the value resets
to zero.
- Run the Notes installation
program.
Note: When you install Notes (standard configuration), deploy.nsf is
created in the extras directory in the install kit and installed to
the Notes framework\rcp\extras directory.
If using Notes (basic configuration)
install kit customization, the deploy.nsf should
be installed to the user's data directory.
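
The copy step and the FORCE_PROCESS_DEPLOY_NSF setting described above can be scripted so that the trust files placed in the kit are provably the ones that were exported. The following is an added example, not part of the product or of the original documentation; the function names, the sample layout, and the treatment of notes.ini as a plain text file with one KEY=value per line are assumptions.

```python
import hashlib, shutil, tempfile
from pathlib import Path

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def stage_trust_files(export_dir, kit_deploy):
    """Copy .keystore* and extras/deploy.nsf from the export location into
    the kit's deploy directory; return {relative path: SHA-256} of the copies."""
    export_dir, kit_deploy = Path(export_dir), Path(kit_deploy)
    nsf = export_dir / "extras" / "deploy.nsf"
    if not nsf.is_file():
        raise FileNotFoundError(f"no deploy.nsf under {export_dir}/extras")
    if not kit_deploy.is_dir():
        raise NotADirectoryError(f"kit deploy directory missing: {kit_deploy}")
    manifest = {}
    # Keystores exist only if Internet certifiers were selected for export.
    for src in sorted(export_dir.glob(".keystore*")) + [nsf]:
        rel = src.relative_to(export_dir)
        dst = kit_deploy / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        if dst.resolve() != src.resolve():   # export went straight into the kit
            shutil.copy2(src, dst)
        if sha256(dst) != sha256(src):       # catch truncated or swapped copies
            raise OSError(f"hash mismatch after copy: {rel}")
        manifest[rel.as_posix()] = sha256(dst)
    return manifest

def force_reprocess(notes_ini):
    """Ensure notes.ini holds exactly one FORCE_PROCESS_DEPLOY_NSF=1 line."""
    key, path = "FORCE_PROCESS_DEPLOY_NSF", Path(notes_ini)
    # latin-1 round-trips every byte, so other settings are left untouched.
    lines = path.read_text(encoding="latin-1").splitlines()
    kept = [l for l in lines if l.split("=", 1)[0].strip().upper() != key]
    path.write_text("\n".join(kept + [f"{key}=1"]) + "\n", encoding="latin-1")

if __name__ == "__main__":
    # Constructed sample layout; the file contents are placeholders.
    root = Path(tempfile.mkdtemp())
    (root / "export/extras").mkdir(parents=True)
    (root / "kit/deploy").mkdir(parents=True)
    (root / "export/.keystore.JCEKS.IBM_J9_VM.install").write_bytes(b"ks")
    (root / "export/extras/deploy.nsf").write_bytes(b"nsf")
    (root / "notes.ini").write_text("[Notes]\nFORCE_PROCESS_DEPLOY_NSF=0\n")
    for rel, digest in stage_trust_files(root / "export", root / "kit/deploy").items():
        print(digest, rel)
    force_reprocess(root / "notes.ini")
    print((root / "notes.ini").read_text())
```

Keeping the returned manifest alongside the kit lets you later confirm that the keystores and deploy.nsf in a distributed kit still match what was exported from the Domino Directory.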