SmartCloud Notes. Administering SmartCloud Notes: Service-only Environment March 2015

Transcription

1 SmartCloud Notes Administering SmartCloud Notes: Serice-only Enironment March 2015

2

3 SmartCloud Notes Administering SmartCloud Notes: Serice-only Enironment March 2015

4 Note Before using this information and the product it supports, read the information in Chapter 8, Notices, on page 167.

5 Contents Chapter 1. Oeriew of SmartCloud Notes What's new in SmartCloud Notes What's new for SmartCloud Notes administrators 2 Administrators can restore deleted user accounts What's new for SmartCloud Notes users Initee status iewable by meeting chair on Notes Traeler deices More Windows deices are supported for Traeler Notes Traeler features are aailable.. 2 Notes Traeler features are aailable.. 3 Setup improements for the Notes Traeler Android client Enhancements to supported encoding standards for inbound internet mail Accessibility Using SmartCloud Notes in a serice-only enironment SmartCloud Notes clients Web client Traeler deices Notes client IMAP client BlackBerry deices with a Hosted BlackBerry Serices subscription Feature differences between Notes and Domino and the SmartCloud Notes serice Frequently asked questions about administering the serice Information resources Chapter 2. Planning to deploy the serice Planning security and the network Network capacity for the web client Network capacity for the Notes client Planning mail routing and mail settings Chapter 3. Preparing for the serice.. 17 Preparing the firewall Configuring the firewall for inbound connections 17 Configuring the firewall for outbound connections Preparing to use company SMTP serers for Internet mail routing Preparing to use a company SMTP serer to route inbound Internet mail Preparing to use a company SMTP serer to route outbound Internet mail Example: Routing mail from a serice user to an external user using a company SMTP host. 21 Example: Routing mail from a serice user to an external user using a serice SMTP host.. 22 Chapter 4. Configuring the serice Logging on as the first company administrator.. 25 Configuring your account settings Configuring Internet domains Verifying ownership of a domain Configuring the MX record for a domain Configuring additional Internet domains for the serice to use Customizing settings Enabling the accessible experience for the web client Configuring logins Resetting serice login passwords Setting serice login password expiration.. 31 Managing Notes IDs Setting up federated identity management.. 36 Restricting the IP address range Enabling application passwords Authentication methods by client Password rules by authentication method.. 45 Configuring the name finder Standard and Adanced Name Finder options 49 Basic name finder illustration Basic Quick Search Only name finder illustration Standard name finder illustration Configuring mail settings Changing the size limit for incoming messages 55 Preent automatic forwarding of messages.. 55 Specifying how Notes links display in the web client Configuring how long mail remains in the Trash folder Deleting older and meetings Enabling the ActieX control for Internet Explorer users Specifying an SMTP serer to route mail to the Internet Preparing to use custom mail file templates.. 61 Handling execution security alerts caused by custom templates Configuring mail file templates Using extension forms files to customize the look of the web client Extension forms file requirements Preparing customized mail file ACLs Configuring filters and reporting Configuring filters for inbound Internet mail Enabling Junk Mail Reports Customizing the text in Junk Mail Reports.. 74 Customizing the Remoe Sender from Junk List action for Notes users Enabling the Report as Spam feature Reporting spam without the Report as Spam feature iii

6 Enabling busytime details in calendars Configuring instant messaging Configuring the web client to connect to an on-premises Sametime community Manually configuring Notes clients to connect to the serice instant messaging community. 87 Instant messaging features Setting password expiration for Notes IDs Enabling password synchronization Logging actiity in journal files Downloading journal files Format of the Notes mail journal file Format of the Notes client session journal file 97 Configuring IMAP access IMAP client limitations Chapter 5. Onboarding users Deciding whether to use the Notes client Preparing for onboarding Preparing for the web client Preparing for Notes Traeler deices Notes Traeler deice settings Preparing for Notes clients How the Client Configuration tool configures the Notes client Downloading Notes client software and other entitled software Connecting to cloud Actiities through the Notes client sidebar Preparing for IMAP clients Preparing to use BlackBerry deices Settings enforced for BlackBerry smartphones 116 Preparing communications and training Mail file quota Mail file delegation Adding a SmartCloud Notes subscription to a user account Forming a distinguished name Checking user proisioning status Helping users get started Proiding account information to users Getting started with the web client Getting started with the Notes Traeler deices 127 Adding a Notes Traeler subscription to a user account Remoing user accounts from on-premises Notes Traeler serers Getting started with the Notes client Getting started with IMAP clients Getting started with BlackBerry deices Accepting the Research In Motion terms of use Adding a BlackBerry subscription to a user account Remoing user accounts from an on-premises BlackBerry Enterprise Serer Actiating a user's BlackBerry smartphone 133 Ensuring that mail encryption is aailable for BlackBerry smartphone users Proiding documentation to your BlackBerry smartphone users Chapter 6. Administering user accounts Viewing assigned mail file templates Language ersions of the standard mail file template Changing user mail file templates Assigning extension forms files to users Setting a default extension forms file Explicitly assigning an extension forms file to many current users Explicitly assigning an extension forms file to indiidual current users Resetting serice login passwords Resetting passwords for Notes IDs Changing a user name Remoing a SmartCloud Notes subscription from a user account Suspending a user account Deleting a user account Restoring a deleted user account Permanently deleting a user account Remoing the SmartCloud Notes data for a deleted user account or subscription Managing groups Viewing subscriptions Viewing assigned subscriptions Managing IBM Notes Traeler deices Managing BlackBerry smartphones Reactiating a user's BlackBerry smartphone 158 Wiping a user's BlackBerry smartphone if it is lost or stolen Setting a deice password on a user's BlackBerry smartphone Remoing a BlackBerry subscription from a user account Frequently asked questions about BlackBerry smartphone administration Chapter 7. Troubleshooting the serice Finding troubleshooting tips in the Support Portal 165 Contacting Support Chapter 8. Notices Trademarks Priacy policy considerations Index i SmartCloud Notes: Administering SmartCloud Notes: Serice-only Enironment March 2015

7 Chapter 1. Oeriew of SmartCloud Notes IBM SmartCloud Notes is a multi-tenant cloud mail serice. When you use the serice, administrators at IBM set up and maintain IBM Domino mail serers for you in the cloud on external IBM serers. The serice offers you the benefits of Domino mail serer security features and architecture without the mail serer maintenance oerhead. Using the following clients, users connect to the SmartCloud Notes serice oer the Internet to access their mail: Web client through a browser interface aailable at social; Notes; Mobile deices. Any combination of these clients can be used. At least one person at a company is designated as a company administrator. A company administrator has a user account with the Administrator role and is responsible for configuring the serice and administering user accounts. The SmartCloud Notes serice proides arious options that are designed to help you deploy the serice in a way that best satisfies your business needs. You can deploy the serice with the assistance of an IBM Software Serices for Collaboration representatie or a certified IBM Business Partner. Whether you choose this option depends on factors such as the type of SmartCloud Notes enironment you deploy and your in-house IT expertise and priorities. You can choose from a list of standard mail file templates that are aailable within the serice by default, or deelop a custom template for your company. You can deelop a custom template in-house or contract with an IBM or a third-party representatie to deelop the template. Approal of a custom template requires a short serice engagement with IBM Software Serices for Collaboration. A Notes Traeler subscription is aailable automatically. This subscription enables users to access the serice through supported mobile handheld deices. Note that the ultra-light mode of the web client supports the use of some mobile deices for no additional purchase. If you purchase a SmartCloud Notes for Hosted BlackBerry Serices subscription, users can access the serice through BlackBerry smartphones. To use BlackBerry 10 deices, use Notes Traeler instead. If you purchase the Connections Archie Essentials subscription, the content of user can be captured and retained for later legal discoery. For more information about this serice, see the Using Connections Archie Essentials documentation. What's new in SmartCloud Notes The following features and enhancements are new in IBM SmartCloud Notes. 1

8 What's new for SmartCloud Notes administrators The following features are new for IBM SmartCloud Notes administrators. Administrators can restore deleted user accounts Administrators hae 30 days to restore user accounts after deleting them. The accounts are restored with complete functionality, including mail file access. Related tasks: Deleting a user account on page 149 When you delete a user's account, the user no longer has access to any cloud serices. If you change your mind about the deletion, you hae up to 30 days to restore the account to full functionality. Restoring a deleted user account on page 151 After you delete a user account, you hae up to 30 days to restore it if you change your mind. Restoring the account returns it to full functionality, including full mail file access. What's new for SmartCloud Notes users The following features are new for IBM SmartCloud Notes users. Initee status iewable by meeting chair on Notes Traeler deices Initee status display is now supported on Apple, BlackBerry 10, Windows Phone, Windows Tablet, and Android deices. The meeting chair can iew the status of each initee's response to the current ersion of the meeting. Possible statuses are accepted, tentatie, declined, and no response. Additionally, the Android client can show a status of delegated. More Windows deices are supported for Traeler IBM SmartCloud Notes Traeler users can now use Windows Phone and Windows Tablet (Windows Pro and Windows RT) deices with the serice. There is no need to install client software on these deices to use them with the serice. For deice requirements, see the SmartCloud Notes client requirements. Related information: SmartCloud Notes client requirements Using Notes Traeler documentation Notes Traeler features are aailable The IBM Notes Traeler client proides the following new features: Calendar improements for Android clients Local calendar information displays in IBM Notes Traeler calendar You can now add the information from your local deice calendars into your IBM Notes Calendar iew. Create calendar eents from mail messages You can now create a calendar eent while iewing mail, using the oerflow menu. Calendar eents created from mail messages will form with the initees populated with the message recipients, and the eent details information pre-filled with the content of the mail. 2 SmartCloud Notes: Administering SmartCloud Notes: Serice-only Enironment March 2015

9 Interface improements for Android clients Action bar The action bar is a mobile feature that identifies your location within IBM Notes Traeler, as well as proides action icons and naigation modes. Naigation drawer for mail The naigation drawer is a panel that slides in from the left of the screen to display IBM Notes Traeler's main naigation options. For mail, the naigation drawer displays your user account and mail folders (inbox, outbox, sent, and personal). The naigation drawer is only aailable from the parent list iew of a mail folder. Android Contacts application IBM Notes Traeler on Android now proides its own dedicated Contacts application, rather than utilizing the deice Contacts application. New mail item list layout with thumbnail photos The mail item list has been redesigned to make it easier to consume the sender, subject, and message body where applicable. If the screen is wide enough, a person thumbnail image displays using the sender's mail address to search for aailable photos, either from local contacts, IBM Notes Traeler contacts, or from the new Sametime Integration feature. New mail list selection mode A new selection mode oerlays a 'Contextual Action Bar' oer the existing action bar, showing the number of selected items. It also proides batch operations on the selected items, such as: Moe to Folder, Discard, Mark as Read, or Mark as Unread. Only the actions which are applicable to all selected items displays. Gesture actions for mail and contacts To quickly act on mail items in a list or take action on a contact, you can now swipe the item from right to left to display a list of action buttons without haing to open the mail or contact itself. Aailable on phones with Android 3.0 (Honeycomb) and aboe. Add to Contacts from mail When iewing a mail item, you can now add the sender to your contacts. Mail list person actions You can now tap a user photo from a mail message and see a list of possible actions to take with that person. The actions aailable depend on the information aailable for the person. If there is a mail address associated with the person, you can perform the following actions: View the person's IBM Connections Profile (only if IBM Connections mobile is installed) Chat with the person (only if IBM Sametime mobile chat is installed and connected) Mail the person (opens the Android mail selection dialog). If there is at least one phone number associated with the person, and your deice is a phone, you can also call and text the person directly. These options are only aailable where a person photo displays: mail, calendar and contacts. Notes Traeler features are aailable The IBM Notes Traeler client proides the following new features. Chapter 1. Oeriew of SmartCloud Notes 3

10 New reply options for mail messages in Android deices When replying to a mail message on Android deices, you can now choose to reply with or without message history and attachments. Add Notes Traeler contact from a phone number On Android phones that support the option, you can now choose to make a new Notes Traeler contact from a phone number. Setup improements for the Notes Traeler Android client When setting up a new IBM Notes Traeler Android client, you are no longer required to type in your datacenter URL to connect to the serice. You are now automatically connected to the correct data center based on your login identity. Enhancements to supported encoding standards for inbound internet mail IBM SmartCloud Notes web and IBM Notes Traeler clients now support the RFC 2231 standard for inbound Internet . This standard proides improements, including the correct display of attachment file names that are specified in character sets other than US-ASCII. The serice supports the new standard for incoming messages that are encoded to support RFC The RFC 2231 encoding is retained when a recipient replies to or forwards a message. The serice does not use the new encoding in new outbound messages. Accessibility IBM SmartCloud Notes Administration, the interface that is used to administer SmartCloud Notes, is accessible. The ersion of this documentation that is in the Knowledge Center is accessible. All OS leel keystrokes for accessibility are recognized. For the best accessibility experience, use a ersion of Mozilla Firefox supported by the serice and the latest ersion of the JAWS screen reader. See the IBM Human Ability and Accessibility Center for more information about the commitment that IBM has to accessibility. Related tasks: Enabling the accessible experience for the web client on page 29 You can submit a request to enable the accessible experience for the web client for eeryone in your organization. Mail, Calendar, Contacts, and Preferences features proided with this experience are all accessible. Related information: System Requirements Knowledge Center documentation 4 SmartCloud Notes: Administering SmartCloud Notes: Serice-only Enironment March 2015

11 Using SmartCloud Notes in a serice-only enironment When you deploy IBM SmartCloud Notes as a serice-only enironment, there is no integration with on-premises IBM Domino mail serers at a company site. IBM administrators administer and maintain the mail serers, and company administrators perform user management tasks through an administration interface accessed through The following illustration depicts Herb Medway and Allie Singh, employees of the fictional company ZetaBank, accessing their mail serers in the serice, Mail1/ZetaBank and Mail2/ZetaBank. It also depicts their company administrator accessing the serice. An IBM representatie can configure your SmartCloud Notes account settings, or you can do this yourself. Configuring account settings inoles supplying the following information to the serice: an Internet domain that is owned by your company and used for Internet mail, a name for your organization, and a base name for your mail serers. After your account is set up, you can add additional Internet domains for use with serice, if you own more than one domain. After your company's account settings are configured, an IBM Customer Serice Representatie creates accounts for your existing users to moe them to the serice. Chapter 1. Oeriew of SmartCloud Notes 5

12 After your existing users hae moed to the serice, company administrators perform user management tasks such as the following ones through the web Administration interface on the Connections Cloud website at Adding and deleting users Adding and managing mail list groups Resetting passwords Selecting mail file templates Configuring mail settings to limit incoming message size or remoe older messages Managing mobile deices SmartCloud Notes clients Managing instant messaging IBM SmartCloud Notes clients proide mail, personal Information Management features such as calendars, contacts, and to do lists, and with some clients, integrated collaboration features, such as embedded chat. Web client The IBM SmartCloud Notes web client proides access to mail serers through a browser. The web client is a hosted mail client; there is no client for users to install. Users simply log on to using their serice login address and password. The serice authenticates the client and then the client is redirected to the mail file in the serice. User can access the web client in either of these ways: On a computer -- after logging on, users click Mail. On a mobile deice -- users point the browser on the deice to the serice, and then log on to the ultra-light mode. Users need a subscription for either SmartCloud Notes or SmartCloud Notes Entry to use the web client. Each subscription proides a full mail client with mail, calendar, and contacts, as well as to do and notebook applications. Each subscription proides access to the serice through either full or ultra-light mode. Full mode -- The full mode offers the widest range of features including mail, contacts, calendar and scheduling, as well as notebook and to do tasks. Ultra-light mode -- The ultra-light mode is aailable at no extra cost on a mobile deice, and on a personal computer. There is no additional setup or client install on the mobile deice required. Users simply point their deice browser to to access their mail. The ultra-light mode supports Android, as well as Apple iphone, ipod Touch, and ipad deices. See the client requirements for details on the supported leels of deice operating systems. Decide which web client subscription best fits your needs. The SmartCloud Notes Entry subscription includes many of the same features that are aailable with the standard SmartCloud Notes subscription, but with the following limitations: Users are proisioned with a new mail file. There is no data migration of an existing mail file. Users cannot access mail using either the Notes client or an IMAP client. Users cannot access mail using Blackberry smartphones. 6 SmartCloud Notes: Administering SmartCloud Notes: Serice-only Enironment March 2015

13 User mail files hae a 1 GB quota. For a list of browsers supported for use with the web client, see the client requirements. Related tasks: Preparing for the web client on page 104 Before you proision users who will access IBM SmartCloud Notes using the web client, prepare for the web client. Related information: SmartCloud Notes client requirements Using the web client Traeler deices A Notes Traeler subscription supports Apple, Android, Windows Phone and Windows Tablets, Windows Mobile, and BlackBerry 10 deices. See the deice requirements for details on the supported leels of deice operating systems. To get started, users perform simple steps to install and configure Notes Traeler on their deices using the installation and configuration information in the SmartCloud Notes product documentation for their specific deice. Related tasks: Preparing for Notes Traeler deices on page 106 Before enabling users to use IBM Notes Traeler mobile deices with the serice, prepare your enironment and the deices. Related information: Notes Traeler deice requirements Using Notes Traeler Notes client Use of the IBM Notes to connect to the serice is optional. A IBM SmartCloud Notes subscription entitles you to the Notes client license. Users who access mail by using a Notes client can take adantage of the many collaboration features that are aailable through the client. As with the web client, the Notes client proides mail, calendar, and contacts, as well as to do and notebook applications. You can manage your Inbox using full-text search, delegation, mail filtering and sorting, conersation iews, and flags. The following features and applications are also aailable to you when you use the Notes client. Actiities - Beginning with Notes 8.5.2, if your organization has a collaboration subscription, then the sidebar is automatically configured to access Actiities in the serice without further authentication. IBM Sametime - Use the embedded Sametime client to manage instant messaging contacts and initiate chats. RSS feeds - Subscribe to RSS feeds that display in the sidebar. Keep the following in mind if your users will use the Notes client: Chapter 1. Oeriew of SmartCloud Notes 7

14 SmartCloud Notes supports only the standard configuration of Notes, and not the basic configuration. You should decide which supported ersion of the client to use in your enironment. See the SmartCloud Notes client requirements for information on supported ersions. Related tasks: Preparing for Notes clients on page 108 Use of the IBM Notes client to connect to the serice is optional. If you want your users to use the Notes client, understand the steps to prepare. Related information: SmartCloud Notes client requirements Using Notes IMAP client If you enable IMAP access, users can configure third-party clients to access mail in the serice. The following IMAP clients are supported: Apple Microsoft Outlook 2003, 2007 Thunderbird There is no additional charge or subscription required to use IMAP clients. Related tasks: Preparing for IMAP clients on page 114 If you plan to use IMAP clients, complete these tasks to prepare. BlackBerry deices with a Hosted BlackBerry Serices subscription If your company has an IBM SmartCloud Notes for Hosted BlackBerry Serices subscription, users can use BlackBerry smartphones to access mail and personal information management features. IBM administrators set up and maintain BlackBerry Enterprise Serers for you on sites that they manage. The Blackberry subscription proides the following features: Mail, Calendar, Task, To Do, and Contact applications Corporate directory lookup Smartphone management through This subscription does not support BlackBerry 10 deices. Those deices are supported by IBM Notes Traeler. Related tasks: Preparing to use BlackBerry deices on page 114 If you plan to use BlackBerry deices that are supported by a Hosted BlackBerry Serices subscription, complete these tasks to prepare. 8 SmartCloud Notes: Administering SmartCloud Notes: Serice-only Enironment March 2015

15 Feature differences between Notes and Domino and the SmartCloud Notes serice Some features in IBM Notes, IBM inotes, and IBM Domino are unaailable or hae limitations within the IBM SmartCloud Notes serice. For an explanation of the differences, see the following article in the IBM Connections Cloud wiki: Feature differences between Notes and Domino and the SmartCloud Notes serice. Frequently asked questions about administering the serice The following table proides answers to questions frequently asked about the tasks that company administrators perform in a IBM SmartCloud Notes enironment. Table 1. Frequently asked questions about administering SmartCloud Notes Question Answer Do company administrators hae access to user mail files? Do mail files hae a size limit? By default, administrators do not hae access to user mail files. Howeer, new users can be proisioned with mail files that hae customized access control lists (ACLs). In addition, the mail delegation feature can be used to delegate management of a mail file to an administrator or to a group of administrators. For more information, see Preparing customized mail file ACLs on page 68 and Mail file delegation on page 118. Currently a size limit (quota) of 25 GB is enforced on the mail files of users who were proisioned before Noember 22, 2014; the mail file size limit of users who are proisioned after this date is 50 GB. An exception is the mail files of SmartCloud Notes Entry users, whose mail files hae a 1 GB limit. What options are aailable for managing mail file size? Can we use a customized mail file template? For more information, see Mail file quota on page 118. Company administrators can manage the size of mail files by setting limits on the size of incoming messages. Additionally, they can specify how long mail remains in mail files by enabling automatic mail deletion for older mail. For more information, see Configuring mail settings on page 55. Yes, company administrators can apply a customized template to user mail files. This is done through SmartCloud Notes Administration. The template must meet specific design requirements. A representatie of IBM Software Serices for Collaboration must approe it as part of a short consulting serices engagement. For more information, see Preparing to use custom mail file templates on page 61. Chapter 1. Oeriew of SmartCloud Notes 9

16 Table 1. Frequently asked questions about administering SmartCloud Notes (continued) Question Answer Can users create local replicas of their mail files? IBM Notes users can create local replicas of their mail files and schedule replication between the local replicas and the serer replicas. Local replicas are useful in a serice-only enironment to proide offline access to mail files. Are company administrators responsible for mail database maintenance? How does a company administrator change a Notes user's hierarchical name? How do I reset a user's password? For more information about creating local replicas, see Getting started with replication in the Notes documentation. No, compacting and other mail database maintenance tasks are handled within the serice for you. In a serice-only enironment, company administrators change the Notes hierarchical name, as well as the serice login name, by editing the serice user account. For more information, see Changing a user name on page 145. There are two passwords. One is the serice login password that is used to log on to the IBM Connections Cloud website at Another is the Notes ID password used to log in to mail serers through Notes. Reset the serice login password through the serice user account. Reset the Notes ID password through the SmartCloud Notes Administration. For more information, see Resetting serice login passwords on page 30 and Resetting passwords for Notes IDs on page 31 Information resources The following information resources are aailable for IBM SmartCloud Notes. Be sure to use these resources to keep up-to-date on technical content, known issues, and product news. Table 2. Information resources for SmartCloud Notes Resource Description IBM Connections Cloud wiki The wiki proides the following information: Known issues and troubleshooting information Getting started information Technical articles by IBM employees and other community members Links to other resources such as courseware and multi-media content 10 SmartCloud Notes: Administering SmartCloud Notes: Serice-only Enironment March 2015

17 Table 2. Information resources for SmartCloud Notes (continued) Resource Description SmartCloud Notes known issues This wiki article links to a comprehensie list of SmartCloud Notes technotes on the Support site. These technotes describe known issues and workarounds. The article also links to technotes about the Notes client. SmartCloud Notes Fix List This page shows a chronological list of fixes made to the SmartCloud Notes serice. SmartCloud Notes Support newsletter This newsletter highlights important technotes and new technical articles and courseware. To receie automatic notification when a new edition of this newsletter is aailable, add SmartCloud Notes to your My Notifications subscription and include the Product information and publications document type in your subscription. My Notifications from SmartCloud Notes Support Support page My Notifications enables you to receie daily or weekly announcements through , custom Web pages and RSS feeds. These customizable communications can contain important news, new or updated support content, such as publications, hints and tips, technical notes, product flashes (alerts). Click Support > Technical Support from this page for information about how to contact SmartCloud Notes Support. Chapter 1. Oeriew of SmartCloud Notes 11

18 12 SmartCloud Notes: Administering SmartCloud Notes: Serice-only Enironment March 2015

19 Chapter 2. Planning to deploy the serice To plan for the IBM SmartCloud Notes serice, understand the features it offers, the deployment options that are aailable, and the planning considerations. Planning security and the network Answer the questions described in this topic to decide about security and network connections. About this task Table 3. Security and network planning questions Question Considerations What process does your company use to make network changes? Does your network hae sufficient bandwidth and Internet connectiity? Your company might hae a reiew and approal process for making the network changes required by the serice. Ensure that you understand the process and allow time to implement the required changes. Clients connecting to mail files in the serice increases network traffic to the Internet. It is important to assess whether your current network has sufficient bandwidth and Internet connectiity to handle the increased traffic. You may need to work with your Internet Serice Proider to increase network bandwidth before you proision users for the serice. For information, see the topics Network capacity for the web client on page 14 and Network capacity for the Notes client on page 14. Will you use federated identity management? Federated identity management allows users who are logged on to a company system to connect to the serice with the web client without logging on again. To enable federated identity management, register your organization as a trusted identity proider in the IBM Connections Cloud serice. Before you register, implement and test a federated identity management system that uses Security Assertion Markup Language (SAML). While you are implementing your system, you make some choices and prepare seeral artifacts. For more information on this option and other login options, see Configuring logins on page

20 Table 3. Security and network planning questions (continued) Question Considerations What firewall changes are required? Your firewall must allow outbound connections to specific ports and destination host names within the serice. The settings required depend on the clients that are used with the serice. For more information, see Configuring the firewall for outbound connections on page 17. Do you use a forward proxy to control user access to the Internet? If so, you must allow network traffic to pass transparently through the proxy oer port 1352 (NRPC), if you use Notes clients, as well as port 443 (HTTPS) for browser clients. Network capacity for the web client Before using the web client, hae an understanding of the approximate network capacity that your Internet Serice Proider will need to proide to support connections from the web clients to the serice. Use the following formula as a general guideline only: number_of_clients x 2.5 Kbps where number_of_clients is the expected number of web clients and 2.5 Kbps is the aerage network kilobits per second required for each client to connect to the serice. This formula assumes an aerage leel of client actiity based on IBM Domino mail benchmarks for serer-based mail files. Your actual network capacity requirements will depend on the client usage patterns in your enironment. Network capacity for the Notes client Before configuring Notes clients to connect to the serice, hae an understanding of the approximate network capacity that your Internet Serice Proider must proide to support those connections. Use the following formula as a general guideline only: number_of_clients x 3.1 Kbps where number_of_clients is the number of Notes clients used and 3.1 Kbps is the aerage network kilobits per second required for each client. This formula assumes an aerage leel of client actiity based on IBM Domino mail benchmarks for serer-based mail files. Your actual network capacity requirements will depend on the client usage patterns in your enironment. 14 SmartCloud Notes: Administering SmartCloud Notes: Serice-only Enironment March 2015

21 Planning mail routing and mail settings Answer the questions in this topic to help you make decisions about Internet mail routing and mail settings. Table 4. Mail routing and mail settings questions Question Considerations What Internet domains do you own and use for Internet addresses? Do you use domain aliases so that users can receie addressed to more than one Internet domain? When users send mail to external users on the Internet, do you want to use an on-premises SMTP serer to route the mail? When external users on the Internet address mail to your users, do you want to use an on-premises SMTP serer to route the mail serice? If the serice handles routing inbound Internet mail, do you want apply filters to the inbound mail? Do you want to use any of the optional mail settings the serice proides? As part of serice configuration, you erify ownership of your company Internet domains. Verification inoles creating a CNAME record in your domain DNS record. If you do not hae access to the DNS record, you should allow time for your Internet Serice Proider (ISP) to create the required CNAME record for you. For more information, see Configuring Internet domains on page 27. The serice does not support domain aliases in a serice-only enironment. A user in the serice can hae only one Internet address. By default, the serice handles routing outbound mail that users address to the Internet. You can use a company-controlled SMTP serer to route the mail, instead. When you use your own serer, you can perform actions such as filtering and auditing before routing the mail. For more information, see the topic Preparing to use a company SMTP serer to route outbound Internet mail on page 20. By default, an SMTP serer in the serice handles routing inbound mail from the Internet that is addressed to your users. You can instead use a company-controlled SMTP serer to accept the mail and route it to user mail serers in the serice. For more information, see the topic Preparing to use a company SMTP serer to route inbound Internet mail on page 19 You can create filters to allow or block Internet sent from specific domains or addresses. For more information, see Configuring filters for inbound Internet mail on page 70 You can limit the size of incoming messages, preent auto-forwarding of external messages, customize the display of Notes document links in web client mail, configure mail retention in the trash folder, and control the deletion of older . For more information, see Configuring mail settings on page 55 Chapter 2. Planning to deploy the serice 15

22 16 SmartCloud Notes: Administering SmartCloud Notes: Serice-only Enironment March 2015

23 Chapter 3. Preparing for the serice Preparing the firewall After you hae planned for a serice-only enironment, perform the steps in this section to prepare your enironment. Related tasks: Chapter 2, Planning to deploy the serice, on page 13 To plan for the IBM SmartCloud Notes serice, understand the features it offers, the deployment options that are aailable, and the planning considerations. Configure the corporate firewall to allow connections to and from the serice. About this task When configuring the firewall, specify the host names as described to minimize the risk of network attacks from the Internet. The risk of attack increases if you relax the host name rules. Configuring the firewall for inbound connections Configure firewall settings that allow the serice to connect to a company SMTP host serer. These settings are required only if you plan to use a company serer to route mail that serice users address to the Internet. About this task Table 5. Firewall settings to allow the serice to connect to an SMTP host serer Protocol Port Source Target SMTP 25 The IBM SmartCloud Notes addresses generated by the outer firewall of the serice. Contact your IBM Customer Serice Representatie for this information. Optional SMTP host that routes mail to the Internet. The host is specified in SmartCloud Notes Administration at Account Settings > Management > Manage Routing to External Internet Domains. Configuring the firewall for outbound connections Configure the firewall to allow outbound connections to the serice. About this task The following table describes the firewall settings required to allow connections from on-premises serers and clients to specific hosts in the serice. You can substitute *.collabser.com for the host names to represent all hosts in the serice. If your current firewall settings reference the original serice domain name, lotuslie.com, retain those settings and add the settings described in the table. 17

24 In addition to allowing connections oer HTTPS port 443, you can allow connections oer HTTP 80. If you do, connections oer HTTP are redirected to HTTPS. Table 6. Firewall settings for outbound connections Protocol Port Host name NRPC 1352 North American data center: notes.na.collabser.com Asia Pacific data center: notes.ap.collabser.com European data center: notes.ce.collabser.com HTTPS 443 North American data center: notes.na.collabser.com mail.notes.na.collabser.com Asia Pacific data center: notes.ap.collabser.com mail.notes.ap.collabser.com European data center: notes.ce.collabser.com mail.notes.ce.collabser.com HTTPS 443 North American data center: admin.notes.na.collabser.com Asia Pacific data center: admin.notes.ap.collabser.com European data center: admin.notes.ce.collabser.com HTTPS 443 North American data center: traeler.notes.na.collabser.com apps.na.collabser.com Asia Pacific data center : traeler.notes.ap.collabser.com apps.ap.collabser.com European data center: traeler.notes.ce.collabser.com apps.ce.collabser.com IMAP 993 North American data center: imap.notes.na.collabser.com Asia Pacific data center: imap.notes.ap.collabser.com European data center: imap.notes.ce.collabser.com IMAP 465 North American data center: submit.notes.na.collabser.com Asia Pacific data center: submit.notes.ap.collabser.com European data center: submit.notes.ce.collabser.com VP (Virtual Places - used for instant messaging) 1533 North American data center: im.na.collabser.com Asia Pacific data center: im.ap.collabser.com European data center: im.ce.collabser.com Applicable serer or client Domino serers IBM Notes clients IBM SmartCloud Notes web Web browser access to SmartCloud Notes Administration IBM Notes Traeler deices accessing the serice ia WiFi IMAP clients (receiing mail) IMAP clients (sending mail) IBM Notes clients that connect to the instant messaging community in the serice 18 SmartCloud Notes: Administering SmartCloud Notes: Serice-only Enironment March 2015

25 Table 6. Firewall settings for outbound connections (continued) Protocol Port Host name VP (Virtual Places - used for instant messaging) 1533 North American data center: webchat.na.collabser.com Asia Pacific data center: webchat.ap.collabser.com European data center: webchat.ce.collabser.com SMTP 25 North American data center: smtp.notes.na.collabser.com Asia Pacific data center: smtp.notes.ap.collabser.com European data center: smtp.notes.ce.collabser.com FTP PASV (FTP) North American data center: ftp.notes.na.collabser.com Asia Pacific data center: ftp.notes.ap.collabser.com European data center: ftp.notes.ce.collabser.com Applicable serer or client IBM SmartCloud Notes web clients that connect to the instant messaging community in the serice SMTP serers that route Internet mail to serice users Temporary requirement for clients that transfer mail files to the serice oer FTP FTP PASV (FTP) North American data center: ftp.na.collabser.com Asia Pacific data center: ftp.ap.collabser.com European data center: ftp.ce.collabser.com Hybrid enironments only Client that downloads journal files Preparing to use company SMTP serers for Internet mail routing By default, the serice handles inbound and outbound Internet mail routing. You can prepare for company SMTP serers to route Internet mail, instead. About this task You can prepare company SMTP serers to route outbound Internet mail only, to route inbound Internet mail only, or to route both outbound and inbound Internet mail. Preparing to use a company SMTP serer to route inbound Internet mail By default, when external users send mail to serice users oer the Internet, an SMTP serer in the serice handles routing the mail to the serice users. You can use a company SMTP serer to route this mail, instead. Chapter 3. Preparing for the serice 19

26 About this task If you use a company SMTP serer to route Internet mail to your users, you are responsible for filtering the mail for iruses and SPAM. Do not perform this procedure if you want the serice to route Internet mail to your users. Procedure 1. Configure the company SMTP serer to accept mail for each Internet domain that contains serice users. 2. Configure mail addressed to serice users to be routed to one of the following SMTP hosts in the serice: If you use the United States data center: smtp.notes.na.collabser.com If you use the Asia Pacific data center: smtp.notes.ap.collabser.com 3. Configure the corporate firewall to allow outbound connections oer port 25 to the SMTP host that you specified in the preious step. What to do next When you configure the serice, skip the procedure that describes configuring the domain MX record to delier mail to the serice. That procedure is not necessary when you continue to use a company SMTP serer for inbound Internet routing. Related tasks: Configuring the MX record for a domain on page 28 After you erify ownership of the domain, configure your domain MX record to delier mail to the serice. Preparing to use a company SMTP serer to route outbound Internet mail You can configure a company SMTP host serer to route mail that serice users send to external users. About this task Skip this procedure if you want the serice to handle routing the mail that is sent to external users. In this case (default behaior), the serice filters the messages for irus and spam before routing them to the Internet. By using a company SMTP host serer for external routing, you can act on messages before routing them, for example, filter or audit messages. When you use this feature, the serice filters messages for iruses and spam and then routes them directly to your designated SMTP host serer. Messages addressed to any domain that is not an internal, serice-erified domain are routed to the SMTP host serer. The serice uses Transport Layer Security (TLS) to route mail to the SMTP host serer if the host serer uses TLS. The connection is made using STARTTLS oer SSL TCP/IP port 25. Procedure 1. Configure your SMTP host serer to accept mail from one of the following SMTP host serers in the serice: If you use the United States data center: smtp.notes.na.collabser.com 20 SmartCloud Notes: Administering SmartCloud Notes: Serice-only Enironment March 2015

27 If you use the Asia Pacific data center: smtp.notes.ap.collabser.com If you use the European data center: smtp.notes.ce.collabser.com For more information on this step if you use a Domino SMTP serer, see the topic about enabling a serer to receie mail sent oer SMTP routing in the Domino documentation. 2. Configure the corporate firewall to allow inbound connections oer port 25 from the serice SMTP host serer specified in the preious step. For more information, see the topic Configuring the firewall for inbound connections on page If specifying a maximum message size, configure your SMTP host serer to accept messages up to 100 MB in size, the maximum message size allowed by the serice. For more information on this step if you use a Domino SMTP serer, see the topic about restricting mail routing based on message size in the Domino documentation. 4. Configure your SMTP host serer to relay mail to external Internet domains. For more information on this step if you use a Domino SMTP serer, see the topic about setting inbound relay controls in the Domino documentation. 5. Configure your SMTP host serer to route mail to the Internet. For more information on this step if you use a Domino SMTP serer, see the topic about setting up SMTP routing to external Internet domains in the Domino documentation. What to do next When you complete the serice configuration, perform the procedure Specifying an SMTP serer to route mail to the Internet on page 60. Related concepts: Example: Routing mail from a serice user to an external user using a company SMTP host This example illustrates how mail is routed from a serice user to an external user on the Internet when a company SMTP serer routes the mail. Example: Routing mail from a serice user to an external user using a serice SMTP host on page 22 This example illustrates how mail is routed from a serice user to an external user on the Internet when the serice manages the routing. Related information: Domino documentation Example: Routing mail from a serice user to an external user using a company SMTP host This example illustrates how mail is routed from a serice user to an external user on the Internet when a company SMTP serer routes the mail. In this example: The external user is in the zetabank.com domain. The external SMTP serer is smtp.zetabank.com. The on-premises SMTP serer is smtp.renoations.com. The serice user is in the renoations.com domain. The serice user s mail serer is Mail1/Renoations. Chapter 3. Preparing for the serice 21

28 When the serice user addresses mail to the external user in the zetabank.com domain, the following steps are taken to route the mail. 1. The serice user s mail serer, Mail1/Renoations, routes the mail to an SMTP serer in the serice. 2. The SMTP serer in the serice routes the mail to a mail hygiene serer in the serice. 3. The mail hygiene serer in the serice scans the mail for iruses and spam and then routes the mail to the on-premises SMTP serer, smtp.renoations.com. 4. The on-premises SMTP serer, smtp.renoations.com, filters and audits the mail, and then routes the mail to the external SMTP serer, smtp.zetabank.com.. Company-controlled SMTP serer routing mail from a serice user to an external user Example: Routing mail from a serice user to an external user using a serice SMTP host This example illustrates how mail is routed from a serice user to an external user on the Internet when the serice manages the routing. 22 SmartCloud Notes: Administering SmartCloud Notes: Serice-only Enironment March 2015

29 In this example: The external user is in the zetabank.com domain. The external SMTP serer is smtp.zetabank.com. The serice user is in the renoations.com Internet domain. The serice user s mail serer is Mail1/Renoations. When the serice user sends mail to the external user in the zetabank.com domain, the following steps occur to route the mail. 1. The serice user s mail serer, Mail1/Renoations, routes the mail to an SMTP serer in the serice. 2. The SMTP serer in the serice routes the mail to a mail hygiene serer in the serice. 3. The mail hygiene serer scans the mail for iruses and spam and then routes the mail to the external SMTP serer, smtp.zetabank.com, oer the Internet.. Serice routing mail from a serice user to an external user Chapter 3. Preparing for the serice 23

30 24 SmartCloud Notes: Administering SmartCloud Notes: Serice-only Enironment March 2015

31 Chapter 4. Configuring the serice After you hae prepared your enironment for the serice, perform the steps in this section to configure the serice. Related tasks: Chapter 3, Preparing for the serice, on page 17 After you hae planned for a serice-only enironment, perform the steps in this section to prepare your enironment. Logging on as the first company administrator An IBM Customer Serice Representatie creates the IBM SmartCloud Notes account for your company. This step creates a company administrator account under a name and address proided by your company. IBM sends an to the address confirming your purchase. To actiate the account for your company, follow the URL link in this and log on to the IBM Connections Cloud website as the company administrator. About this task Perform the following steps to actiate the account for your company and log on as the first company administrator. Procedure 1. Open the that was sent to the company administrator address confirming your purchase. 2. Click the URL link in the , to open the Registration page. 3. Perform the following steps on the Registration page: a. Create and confirm a serice logon password. Important: The address that is shown is the logon name for the company administrator account. Be sure to remember it and the new password. b. Select a country, language, and time zone. c. Read the terms of use and priacy practices information, and if you agree to them, click I accept the Terms of Use. d. Click Submit. e. Log on using the company administrator logon and new password. Results You are now logged on to your home page. To log on in the future, go to What to do next Configure the SmartCloud Notes serice, if IBM is not configuring it for you. 25

32 Configuring your account settings To set up the serice for your company, a company administrator or your IBM Customer Serice Representatie configures your company account settings. Before you begin Make sure that IBM has created the SmartCloud Notes account for your company and that you hae actiated it by logging on to the serice as the first company administrator. About this task Perform the following steps if you are a company administrator and want to configure account settings. Procedure 1. Log on to as a company administrator. 2. If your account also has the User role, click Admin > Manage Organization. 3. In the System Settings section of the naigation pane, click IBM SmartCloud Notes and then click Account Settings. 4. Make sure the Hybrid Enironment option is not selected, and then click Set Up My Account. 5. In the next window, click Continue to confirm that you do not want to integrate the serice with on-premises IBM Domino serers. Note: If you are unsure, click Back. After you press Continue, changing your account type requires the assistance of your IBM Customer Serice Representatie. 6. Click Begin Setup. 7. In the Tell us your Internet domain name window, proide a alid Internet domain name that your company owns and uses for Internet mail, for example, renoations.com, then click Next. 8. In the Choose your organization name window, proide a name for your organization that is at least six characters. The name becomes part of your Notes user names and is usually your company name. Use a short organization name for ease of use, for example, Renoations rather than Renoations Incorporated. Click Next. 9. In the Choose your mail serer base name window, proide a base with which to begin the names of your mail serers. A number is added to the base so that your serers are numbered sequentially, for example, Mail1/SCN/Renoations, Mail2/SCN/Renoations. Do not specify a number as part of the base. Click Next. 10. Verify your selections and, when you are satisfied with them, click Actiate My Account. What to do next When you are done configuring account settings, complete the tasks in the order shown. Serice users can receie mail addressed to this domain only after the tasks are completed. Verifying ownership of a domain on page 27 Configuring the MX record for a domain on page SmartCloud Notes: Administering SmartCloud Notes: Serice-only Enironment March 2015

33 Configuring Internet domains To enable users to receie mail addressed to an Internet domain, first erify ownership of the domain, and then configure an MX record for the domain. Verifying ownership of a domain Internet domain name erification is a standard industry practice among domain hosting serices to confirm domain name ownership and to preent abuse of user accounts. You need to erify only the domain names that correspond to Internet addresses of users that you are proisioning. About this task There are different methods to erify domain names. The serice uses a CNAME record for this purpose by requiring you to create a CNAME record to proe ownership. Your domain hosting serice should proide instructions for creating a CNAME record; howeer, if they do not, contact them directly. A CNAME record is an entry in the Domain Name System that is used to define a host name alias for an Internet domain. To proe ownership of a domain, you sign in to your domain hosting serice and use the DNS Management settings to create a temporary CNAME record for the domain. Then the serice uses the alias in the CNAME record to query your domain. A successful query proes that you were able to create the CNAME record and therefore that you own the domain. If you do not hae the authority to create a CNAME record for your domain, extra time may be required to contact your domain hosting serice and hae them create the record for you. Verifying a root domain also erifies any subdomains of it that are listed. For example, erifying renoations.com erifies west.renoations.com if listed in the Internet Domain Verification window. After you erify a root domain, no other company can use it or any subdomain of it. You can perform this procedure een if you are in the process of switching domain hosting serices. Perform the following steps to erify ownership. Users cannot receie mail addressed to this domain until ownership is erified. For additional information, see the exercise about erifying ownership of your domain in the IBM SmartCloud Notes in a serice-only enironment on-line training course. Procedure 1. Log on to using the address and password of a user with the Administrator role. 2. If your account also has the User role, click Admin > Manage Organization. 3. In the System Settings section of the naigation pane, click IBM SmartCloud Notes and then click Account Settings. 4. In the naigation pane, click Internet Domain Verification. 5. In the Internet Domain Verification window, click Verify Ownership next to the domain to erify. Chapter 4. Configuring the serice 27

34 6. Sign in to your domain hosting serice and use the DNS management settings to create a new CNAME record. Use the information that is shown in the Internet Domain Verification window to create the CNAME record. Put the unique key that is shown into the first field of the CNAME record. The name of this field aries by endor, but it is sometimes named prefix or alias. Put collabser.com into the second field of the CNAME record. This field is sometimes named destination or target host. 7. After you create the CNAME record, click Begin Verification to begin erification of the domain. The unique key continues to be shown in the Internet Domain Verification window until erification completes successfully. Results To erify domain ownership, the serice uses the alias in the CNAME record to query your domain. For example, if the CNAME key is domino-1jkkiaojd-rules and your domain name is renoations.com, the serice queries domino-1jkkiaojd-rules.renoations.com. If erification is not successful, check that the unique key shown exactly matches the one added to the CNAME record. If the alues are different, do not restart erification. Rather, update the CNAME record with the correct key and simply wait again for erification to complete. Domain erification can take up to 48 hours, although usually it takes much less time. If after 48 hours domain erification has not completed, click Restart Verification. Restarting erification generates a new unique key and you must then replace the old key with the new key in the CNAME record. Only restart erification if 48 hours hae passed since you clicked Begin Verification. After a domain is erified, you can remoe the CNAME record you created. What to do next Next, complete the task Configuring the MX record for the domain. Configuring the MX record for a domain After you erify ownership of the domain, configure your domain MX record to delier mail to the serice. About this task A Mail exchange (MX) record identifies an SMTP host to which mail for a domain is sent. To enable your serice users to receie addressed to the erified domain, edit or create an MX record. Configure the MX record to point to the IBM SmartCloud Notes SMTP host name. If this domain is new, create an MX record for it. Contact your domain proider for information about the steps required to create or edit MX records. When you configure the MX record, specify one of the following SMTP host names, depending on the data center that you use. If you use the United States data center, specify smtp.notes.na.collabser.com. If you use the Asia Pacific data center, specify smtp.notes.ap.collabser.com. 28 SmartCloud Notes: Administering SmartCloud Notes: Serice-only Enironment March 2015

35 If you use the European data center, specify smtp.notes.ce.collabser.com. Delete any MX records used preiously for the domain. What to do next Next, Customize settings. Configuring additional Internet domains for the serice to use When you configured your company account settings, you proided the name of one domain to use for routing Internet mail to your users. If you own additional Internet domains, you can configure the serice to use them too. Customizing settings Procedure 1. Log on to using the address and password of a user with the Administrator role. 2. If your account also has the User role, click Admin > Manage Organization. 3. In the System Settings section of the naigation pane, click IBM SmartCloud Notes. 4. Click Account Settings and then click Internet Domains. 5. Click Add Internet Domain, type the domain name, for example, renoations2.com, and click Sae. Note: If necessary, you can edit or delete a domain you added preiously. What to do next Next, erify ownership of the domain. After you configure account settings and Internet domains, optionally customize settings in the serice to suit your needs. Enabling the accessible experience for the web client You can submit a request to enable the accessible experience for the web client for eeryone in your organization. Mail, Calendar, Contacts, and Preferences features proided with this experience are all accessible. About this task Accessibility features help users who hae a disability, such as restricted mobility or limited ision, to use information technology products successfully. Another accessible experience for the web client is the desktop ultra-light mode. For more information on this mode, see the topic about web client accessibility features in the user documentation. Both accessible experiences are supported on a computer using Mozilla Firefox 24+ ESR or higher. See the IBM Human Ability and Accessibility Center for more information about the commitment that IBM has to accessibility. Chapter 4. Configuring the serice 29

36 Procedure To enable the accessible experience for the web client for all users in your organization, contact Support. Related information: Web client accessibility features Support Configuring logins Reset passwords, manage password expiration periods, set up federated identity management, restrict logins to an IP range, and enable application passwords. Resetting serice login passwords Users can reset their own serice login passwords once within a 24 hour period by clicking Forgot password?. An administrator or administrator assistant can reset serice login passwords for any user at any time. About this task Reset passwords when userd forget their passwords, or when the password might be compromised. Users that log in by clicking Use My Organization's Login are using a federated identity and can reset their passwords only by following their company's process. If administrators enable password synchronization, when users change their serice login passwords, they can also use the new passwords to log in to the IBM Notes client. Follow these steps to reset any user's password: Procedure 1. Click Administration > Manage Organization. 2. Click User Accounts. 3. Select the arrow next to the user that needs the password changed. 4. Select Reset password and enter the new password. This password is a temporary password that the user enters the next time that they log in. At that time, the user is asked to create a password. You can also reset the password by editing the user account. Click the appropriate user name in User Accounts and enter a new password in the Account Login tab. 5. Notify the user of the password change. The user is not automatically notified that the password was reset. Make sure to communicate this change to the user, along with the new password if needed. What to do next Administrators can enable security settings to enforce password expiration through System Settings > Security. When s user logs in with an expired password, the user is prompted to reset that password. 30 SmartCloud Notes: Administering SmartCloud Notes: Serice-only Enironment March 2015

37 Setting serice login password expiration By default, serice login passwords do not expire. Enforcing a password expiration period helps ensure that passwords are changed frequently. Administrators can set a password expiration interal for all users. Procedure 1. Click Administration > Manage Organization 2. Click Security. 3. Click Edit Settings in the Password Settings section. Select the number of days before a password expires, how the password can be reset, and add password reset support for your users. Managing Notes IDs You can reset Notes ID passwords, set Notes ID password expiration, and synchronize Notes ID passwords with serice login passwords. Resetting passwords for Notes IDs: Reset the password on an IBM Notes ID file to change the current password. Typically you do this because a user has forgotten the current password. About this task This procedure applies only to passwords associated with Notes ID files used with Notes clients, and not to serice login passwords. Procedure 1. Log on to using the address and password of a SmartCloud Notes user with the Administrator role. 2. If your account also has the User role, click Admin > Manage Organization. 3. In the System Settings section of the naigation pane, click IBM SmartCloud Notes. 4. Click Users. 5. In the Search box, type the beginning characters of any of the following user alues to display the user's name: Distinguished name, for example, Samantha Daryn/Renoations. Internet address, for example, sdaryn@renoations. Last name, for example, Daryn. Note: You cannot use the wildcard character (*) when you search. A starts with search is done and the names of any users with matching alues in the directory are displayed. For example, the results of a search on ma include the names of users with the following alues in the directory: Madison Armond/Renoations masmith@renoations Kristin MacGyer This search does not match the following alues: Emarie Klein/Renoations tamado@renoations Ted Amado Search results can include a maximum of 1000 names. Chapter 4. Configuring the serice 31

38 6. Click the user's name in the search results. 7. Under Aailable actions for this user, click Reset IBM Notes Password. 8. Enter a new password, and then click Sae Changes. The password must be at least eight characters in length. 9. Proide the new password to the user in a way that complies with your company security policies. Results After you complete this procedure, the user can log on to a SmartCloud Notes serer from an IBM Notes client using the new password. After logging on with the new password, the user is prompted to change the password. Note: If the Wrong Password prompt is displayed, tell the user to re-enter the new password that you proided. If that step does not sole the problem, tell the user to delete the local ID file and then re-enter the password. The user has fie days from the time you reset a password to use the password to log on to a SmartCloud Notes mail serer and download the new password to the Notes client. If the 5-day limit is exceeded, the user sees the following message and you must reset the password again: Contact your company administrator to hae your Notes ID password reset. Related concepts: Notes IDs and passwords on page 35 When users connect to their mail serers in the cloud with IBM Notes clients and Notes IDs, they are authenticated using Notes Remote Procedure Call (NRPC) authentication. Related tasks: Resetting serice login passwords on page 30 Users can reset their own serice login passwords once within a 24 hour period by clicking Forgot password?. An administrator or administrator assistant can reset serice login passwords for any user at any time. Setting password expiration for Notes IDs For users who access the serice with the IBM Notes client, you can specify when Notes ID passwords expire. This password expiration does not apply to web users because they log in using their web login password rather than a Notes ID password. Enabling password synchronization on page 33 When users change their serice login passwords, password synchronization enables the users to use the new passwords when they log in to the IBM Notes client. Setting password expiration for Notes IDs: For users who access the serice with the IBM Notes client, you can specify when Notes ID passwords expire. This password expiration does not apply to web users because they log in using their web login password rather than a Notes ID password. Before you begin For information on how this feature interacts with the password synchronization feature, see Enabling password synchronization on page SmartCloud Notes: Administering SmartCloud Notes: Serice-only Enironment March 2015

39 About this task If users click File > Security > User Security, the Password must be changed by field does not show the password expiration date. Perform the following procedure to set password expiration for Notes IDs. Procedure 1. Log on to the serice as an administrator. 2. If your account also has the User role, click Admin > Manage Organization. 3. In the System Settings section of the naigation pane, click IBM SmartCloud Notes and then click Account Settings. 4. Click Password Management 5. Click Enable password expiration for IBM Notes clients. 6. Enter the number of days a password can be used before it expires. The minimum alue for this setting is 30 days; the maximum is 3650 days. Results When password expiration is first enabled, the passwords of all current users expire on a random basis after the expiration period, regardless of when the passwords were last changed. For example, if the expiration period is 90 days, all current users are prompted to change their passwords on a random basis when first authenticating after the 90-day expiration period. The passwords of new users also expire on a random basis after the expiration period. Users who are logged in when this setting becomes effectie are not prompted to change the password during the current login session. Users might experience a lag time of a few seconds between the time they change their password and authentication. This lag occurs while the updated ID is synchronizing with the ault. If the synchronization does not complete, authentication can fail. In that case, users can wait a few minutes, and then try again. If the synchronization continues to fail and the user cannot access the client, reset the Notes ID using SmartCloud Notes Administration. What to do next You might want to communicate the following information to your users: There is no warning that informs them that their password is about to expire. How often they will be prompted to reset their passwords. What to do if authentication fails after they change their passwords. Related tasks: Resetting passwords for Notes IDs on page 31 Reset the password on an IBM Notes ID file to change the current password. Typically you do this because a user has forgotten the current password. Enabling password synchronization: When users change their serice login passwords, password synchronization enables the users to use the new passwords when they log in to the IBM Notes client. Chapter 4. Configuring the serice 33

40 About this task Password synchronization benefits users who are actie users of both the web and Notes clients by allowing them to use one password for both clients. After you enable password synchronization, when users change their serice login passwords, the new passwords are added to the Notes ID files in the ID ault. Users can then use the new passwords the next time they log in to the serice from the Notes client. Password synchronization occurs wheneer users change their serice login passwords. Users can change the serice login passwords at any time through Connections Cloud My Account Settings. They also change the passwords: After they log in to the serice for the first time with temporary passwords; After they log in to the serice after an administrator resets their serice login passwords; After they log in to the serice when serice login password expiration is enabled and their passwords expire. Before you enable password synchronization, be aware of the following information: The feature does not apply to users who log in to the serice with a federated identity that your organization defines. Synchronization occurs in one direction: from the serice login password to the Notes ID password. Changing the Notes ID password does not change the serice login password. When serice login passwords change, Notes client users are not required to use the new passwords. Their old passwords remain alid until they use the new passwords to log in to the serice from the Notes client. Because the continued use of the old password preents ID synchronization with the ID ault, as a best practice, recommend to users that they use the new passwords on the Notes client. Synchronization occurs after Notes clients are connected to the serice. Notes client users can change their Notes ID passwords, either by choice or because you enable the Password Expiration setting in SmartCloud Notes Administration and their passwords expire. When Notes users change the Notes ID passwords, the serice login passwords do not change automatically. Howeer, users can use Connections Cloud My Account Settings to change the serice login passwords to match the new Notes ID passwords. If you enable password expiration for Notes IDs, a Notes ID password might expire before a user logs in to Notes with a new serice login password. In this case, the user can log in to the Notes client with the old Notes ID password but the user is prompted to change the password when opening mail or another application. At this point the user can proide the new serice login password. To enable password synchronization, complete the following procedure. Procedure 1. Log on to the serice as an administrator. 2. If your account also has the User role, click Admin > Manage Organization. 3. In the System Settings section of the naigation pane, click IBM SmartCloud Notes and then click Account Settings. 4. Click Password Management. 34 SmartCloud Notes: Administering SmartCloud Notes: Serice-only Enironment March 2015

41 5. In the Password Synchronization section of the page, select Enable password synchronization. 6. Click Sae. Results When users change their serice login passwords, they can use the new passwords to log in to the Notes client. If users change the Notes ID password, the serice login password does not change automatically. What to do next Notify users that the feature is enabled. Recommend that when they change the serice login passwords that they use the new passwords to log in to the Notes client. Related tasks: Resetting serice login passwords on page 30 Users can reset their own serice login passwords once within a 24 hour period by clicking Forgot password?. An administrator or administrator assistant can reset serice login passwords for any user at any time. Setting serice login password expiration on page 31 By default, serice login passwords do not expire. Enforcing a password expiration period helps ensure that passwords are changed frequently. Administrators can set a password expiration interal for all users. Related information: Federated identity management Notes IDs and passwords: When users connect to their mail serers in the cloud with IBM Notes clients and Notes IDs, they are authenticated using Notes Remote Procedure Call (NRPC) authentication. In serice-only enironments, and in hybrid enironments that do not use on-premises security policy settings to configure password requirements, Notes ID passwords must be at least eight characters. Passwords must also hae a password quality of 8, on a quality scale of 0 (weakest) to 16 (strongest). Password quality refers to the required character complexity of passwords. In hybrid enironments, you can use on-premises security policy settings to control password requirements. By default, Notes ID passwords do not expire and keeping this default behaior is recommended. Neertheless, you can configure a password expiration interal of from 30 to 3650 days through the SmartCloud Notes Administration interface. If users forget their Notes ID passwords, company administrators can use the SmartCloud Notes Administration interface to reset the passwords to temporary alues. The users use the temporary passwords to log in to the serice from a Notes client and then are prompted to change the passwords. Chapter 4. Configuring the serice 35

42 The Notes shared login feature is supported in hybrid enironments. This feature allows users to log in to Microsoft Windows and then use the Notes client without proiding a Notes ID password. A benefit of this feature is there are no Notes ID passwords to use or remember. The Notes client can connect automatically to the cloud serice instant messaging community and to cloud serice Actiities through the client sidebar. (Access to serice Actiities requires a collaboration subscription). After users log on to the serice mail serer from the Notes client, a single-sign on capability enables them to access these cloud serices during the session without proiding their cloud serice account login credentials. A Notes client can be configured to connect to both on-premises and cloud instant messaging serers or Actiities serers through the sidebar. In this case, users must proide their cloud serice login credentials to access the cloud serers. Related tasks: Resetting passwords for Notes IDs on page 31 Reset the password on an IBM Notes ID file to change the current password. Typically you do this because a user has forgotten the current password. Setting password expiration for Notes IDs on page 32 For users who access the serice with the IBM Notes client, you can specify when Notes ID passwords expire. This password expiration does not apply to web users because they log in using their web login password rather than a Notes ID password. Setting up federated identity management When you set up federated identity management, users log on to the serice using your on-premises authentication mechanism. About this task Federated identity management proides the following benefits: It allows your company to control the type of authentication and authentication options. For example, you might restrict access to specific networks, use VPN connections, define custom password strength or password expiration periods, use smartcards, or require two-factor authentication. Users can use their familiar, on-premises credentials to access the cloud serice. While users are logged on to the on-premises identity proider, they can access a cloud serice without being re-prompted for credentials. After you implement federated identity management, you must accommodate users of mobile apps. If all of your mobile users hae one or more IBM mobile apps such as Connections, Chat, Meetings, or most ersions of IBM Notes Traeler, you hae the following options: Set up an additional, separate federated identity management endpoint for the IBM mobile apps. For more information about this, see the Flow models section of SAML federated identity concepts on page 37. Use the partial authentication type when setting up federated identity management, which allows you to specify a group of users to whom federated identity management does not apply. In this case, you would specify your mobile deice users. For more information about the partial authentication type, see the Authentication types section of SAML federated identity concepts on page 37. Use application passwords. For information about application passwords, see Enabling application passwords on page SmartCloud Notes: Administering SmartCloud Notes: Serice-only Enironment March 2015

43 All other mobile apps must use application passwords when federated identity management is implemented. Notes Traeler ersion or greater for Android is an exception to the rule. It can connect to the same federated identity management system that non-mobile apps use. Note: Users to whom federated identity management applies cannot connect to the serice with IMAP clients or FTP clients. SAML federated identity concepts: Learn about the federated identity process as implemented in the cloud serice, the flow models that are supported, and the authentication types. Oeriew of the process using SAML Cloud serices rely on SAML to proide the SSO serices. In this implementation, your organization is the identity proider, and the cloud serice is the serice proider. You can use either SAML 1.1 or SAML 2.0. As the identity proider, your organization authenticates users. The authentication can be by a login with a user name and password, or by some other method. For mobile apps, the authentication must be by a login with user name and password. When a user gains access to your intranet and attempts to use a cloud serice, a SAML assertion is sent from your organization to the SAML endpoint in the cloud serice. The SAML assertion securely identifies the user. The cloud serice uses the SAML assertion to decide whether the user can access it. Flow models Two flow models exist in federated identity management. One model is the identity proider initiated model (IdP-initiated), and the other is the serice proider initiated model (SP-initiated). Mobile apps use the SP-initiated model. Normally, the SP-initiated flow model is not aailable in SAML 1.1 because SAML 1.1 does not support Identity Proider Discoery Profile. Howeer, the cloud serices use a hybrid ersion of SP-initiated that allows both SAML 1.1 and SAML 2.0. As a result, Identity Proider Discoery Profile is not required by cloud serices, and is not implemented. The cloud serices implement the Browser/POST profile that is used in SAML 1.1 and is compatible with the Web Browser SSO profile in SAML 2.0. Other profiles are not supported at this time. The following outlines describe the two flows: IdP-initiated 1. The user gains access to your intranet ia your organization's authentication mechanism. 2. The user naigates to a web page on your intranet that contains a link to a cloud product such as Connections Cloud or SmartCloud Notes web. 3. The user clicks the link. Chapter 4. Configuring the serice 37

44 4. The SSO process is initiated. A SAML assertion is sent to the cloud endpoint ia HTTP POST. If the user has a alid account, access is granted. 5. The user interacts with the cloud product. SP-initiated hybrid 1. The user naigates to the cloud serice login page. 2. The user clicks Use My Organization's Login. 3. The user enters the address that is associated with the user s account. 4. The cloud serice looks up the address and then redirects the user to your organization s authentication mechanism. 5. The flow continues from Step 4 of the IdP-initiated model. The SP-initiated hybrid flow model also applies to mobile apps. Before using a mobile app, the user must do a one-time setup of the mobile app to use a cloud serer. The setup process is different for each mobile app; instructions are included in the documentation of each app. The following outline describes the flow for mobile apps: SP-initiated hybrid for mobile apps 1. A mobile app initiates a connection to a cloud serice. 2. The cloud serer looks up the address and then responds with the mobile login URL of your organization s mobile authentication mechanism. 3. The mobile client issues a basic authentication request to the mobile login URL with the user's address and password. 4. If the basic authentication is successful, a SAML assertion is returned to the mobile app. 5. The mobile app sends the SAML assertion to the cloud endpoint ia HTTP POST. If the user has a alid account, access is granted. 6. The mobile user interacts with the cloud product. Authentication types Four types of federated identity management are aailable: Federated, Modified, Partial, and Non-federated. By default, all users in your organization are assigned the Non-federated type unless you enable one of the other types. Federated Users must authenticate with your organization before they can access cloud serices. Users do not hae a user name or password in the cloud user account. If they go to the serice login page, they must click Use My Organization's Login. The Federated type applies to all users in your organization. The Federated type is conenient for your users who normally work from the office. They can log on to your system and use cloud serices without needing a separate user name and password combination. Howeer, if any of your users work from home or work while traeling, your directory serers must be accessible from the Internet. Also, because your users cannot log in with a name and password that is defined in the serice, serices such as chat and IMAP are not aailable. 38 SmartCloud Notes: Administering SmartCloud Notes: Serice-only Enironment March 2015

45 If you choose the Federated type, you must implement the SP-initiated flow model. Modified Users hae the option of authenticating with your organization before accessing the cloud-based serices, or using a name and password defined in the serice to log on. The Modified type applies to all users in your organization. The Modified type allows your users to access cloud serices from the Internet, but you do not need to make your directory serers accessible from the Internet. Your users can use the single sign-on serices when they are in the office, and the cloud serice login when they are outside the office. Partial Each user in your organization is assigned one of the preiously listed types: Non-federated, Federated, or Modified. If you do not specify a type for a particular user, the user is assigned the Non-federated type. Use the Partial type if you hae one group of users who normally work in the office, and another group of users who normally work from home or who trael frequently. For example, the office workers can be assigned the Federated type, and the traeling sales team can be assigned the Modified type. You can also use the Partial type to group users by the serices that are aailable to them. Users with the Federated type do not hae access to chat or POP/IMAP, but users of the Modified type do hae access to chat and POP/IMAP. If you choose the Partial type, you must implement the SP-initiated flow model to support users with the Federated type. Non-federated The login for the cloud serice is independent of, and separate from, your organization's login procedure. Users must log on using the name and password defined in the serice to use the cloud-based serices. The Non-federated type is the default type, and is the simplest and easiest type to set up because it requires no action on your part. After one of the federation types is implemented, you can change to one of the other types by contacting your customer serices representatie. The customer serices representatie will adise you on the process. If you are using the Partial type, you can change indiidual users from one type to another without the need to contact your customer serices representatie. Preparing for federated identity management: The difficulty of getting your system ready for federated identity management depends on both the state of your system, and on your knowledge and experience with SAML, SSO, LDAP, and related technologies. Before contacting your IBM customer serice representatie to enable federated identity management, reiew the following checklist: Choose the ersion of SAML that you want to use. You can use either SAML 1.1 or SAML 2.0. Chapter 4. Configuring the serice 39

46 Choose the type of federation that you want to employ: Federated, Modified, or Partial. See the topic SAML federated identity concepts for more information. Reiew the IdP-initiated flow model and the SP-initiated hybrid flow model. See the topic SAML federated identity concepts for more information. Implement SAML on your web serer. You can use Tioli Federated Identity Manger, OpenSAML, Actie Directory Federation, or some other federated identity manager. If you are setting up federated identity for users of mobile apps, create a second endpoint that accepts basic authorization. The mobile apps work with the SP-initiated flow model only. Retriee or create the priate/public key pair that will be used in digital signatures. Integrate your directory serer with your SAML serice. Administration is easier if all of your users are on the same directory serer. Implement and test the SAML Browser/POST profile in either SAML 1.1 or SAML 2.0. Create a dummy serice proider and conduct an IdP-initiated single sign-on test to make sure that eerything is working correctly. Create a SAML metadata file to transmit your identity proider metadata to the IBM customer serice representatie. If you are using SAML 1.1, you hae the option of transmitting most of the information in an or by some other means that you negotiate with the IBM customer serice representatie. Howeer, in this case you must transmit the public key inside a Jaa keystore. Enabling federated identity management: When your system is ready for testing with the cloud system, contact an IBM customer serices representatie. Before you begin Before you start the enablement process, reiew the following list: 1. Implement and test a federated identity management system that uses SAML. Make sure that your system is configured to send the user s address as the subject in a SAML assertion. 2. Test your system to make sure that it is configured for the type and flow model that you hae chosen. See the topic SAML federated identity concepts for more information. 3. Complete the checklist in the topic Preparing for federated identity management Procedure To enable federated identity management: Send an to cloudcsg@us.ibm.com. In the , request to hae federated identity management enabled for your organization. An IBM customer serices representatie will contact you with instructions and proide details of the process. What to do next After federated identity management is enabled, notify users of IBM mobile apps such as Traeler, Chat, or Meetings that they must generate application passwords. Users enter the application password instead of their regular login passwords 40 SmartCloud Notes: Administering SmartCloud Notes: Serice-only Enironment March 2015

47 when logging in with a mobile app. In the notification, include the following link, which has instructions for generating application passwords: apps.na.collabser.com/help/topic/com.ibm.cloud.welcome.doc/ logins_application_passwords.html Configuring the Sametime rich client for SAML and downloading: Your users can chat using the IBM Sametime Connect rich client. About this task If your organization uses a standard login, your users can use any standalone Sametime Connect client at ersion or later. They can also use the embedded ersion in Notes 9.0 or later. If your users log in with your organization's authentication credentials and use SAML token authentication for federated identity management, you can create a pre-configured installation package for Sametime Connect or for Notes. SAML support in Sametime and in Notes uses the Form based user/password login type. Alternatiely, Users can download the SAML-enabled Sametime client that is aailable in SmartCloud and configure it themseles. Instructions to do this are in the user help imb_download_saml.html. Howeer, users will need SAML IDP information from you to complete the configuration. Procedure To create a pre-configured installation package: 1. Locate the plugin_customization.ini file. The file is in one of the following locations, depending on the operating system: Windows Inside the deploy folder of the package root. RedHat Linux Inside the RedHat.rpm package at one of the following locations: For Sametime Connect: \opt\ibm\sametime\framework\rcp\deploy For Notes: \opt\ibm\notes\framework\rcp\deploy MacOS Inside sametime-*.pkg\contents\deploy. 2. Add the following configuration lines in the plugin_customization.ini file, based on your company's Sametime community and SAML IDP information. Note: To fit the width of this page, some records are shown on more than one line. In the plugin_customization.ini file, each record is a single line. # ";" is used to separate multiple communities com.ibm.collaboration.realtime.community/saml_communities=<sametime community serer host name> # IDP serer url com.ibm.collaboration.realtime.community/<sametime community serer host name>.idp= <SAML authentication login URL> # login type of IDP serer com.ibm.collaboration.realtime.community/<sametime community serer host name>.idp.type=form # html tag id or tag name of the user name field in IDP web page. com.ibm.collaboration.realtime.community/<sametime community serer host name>.idp.form.usernam Chapter 4. Configuring the serice 41

48 <form_username_field_id> <form_username_field_name> # html tag id or tag name of the user password field in IDP web page. com.ibm.collaboration.realtime.community/<sametime community serer host name>.idp.form.password. <form_password_field_id> <form_password_field_name> # html tag id or tag name of the submit field in IDP web page. com.ibm.collaboration.realtime.community/<sametime community serer host name>.idp.form.submit.ta <form_submit_field_id> <form_submit_field_name> # Optional. The default alue is "false". If "true", all on-premises communities are deleted com.ibm.collaboration.realtime.community/<sametime community serer host name>.primary=false # Optional. The default alue is "false". if "true", the SmartCloud community can be # remoed from the communities preference page com.ibm.collaboration.realtime.community/<sametime community serer host name>.editable=false Sample: Note: To fit the width of this page, some records are shown on more than one line. In the plugin_customization.ini file, each record is a single line. com.ibm.collaboration.realtime.community/saml_communities=im.na.collabser.com com.ibm.collaboration.realtime.community/ im.na.collabser.com.idp= PartnerId= TARGET= com.ibm.collaboration.realtime.community/im.na.collabser.com.idp.type=form com.ibm.collaboration.realtime.community/im.na.collabser.com.idp.form.username.tag=intranet_id com.ibm.collaboration.realtime.community/im.na.collabser.com.idp.form.password.tag=password com.ibm.collaboration.realtime.community/im.na.collabser.com.idp.form.submit.tag=ibm-submit 3. Replace the existing plugin_customization.ini file in the Sametime installation package or in the Notes installation package with the file that you updated. 4. Distribute the updated Sametime installation package or Notes installation package to your users. The SAML configuration information is automatically populated when your users install the client. Note: The installation package that you distribute to Mac users must be digitally signed by IBM. Before distributing the installation package to Mac users, your modified plugin_customization.ini file to support@collabser.com. A signed installation package will be created and returned to you. Restricting the IP address range To ensure that users log in from an approed network connection, administrators can define an approed range of IP addresses. About this task By restricting the IP addresses that hae access to your organization, you proide a leel of protection against user's credentials being stolen or phished. If IP ranges are restricted to your network, an attacker would need to authenticate to the serer from within your network to access any stolen credentials. If your company uses SMTP, POP or imap protocols, restrictions are not applied. Also, restrictions are not applied to SmartCloud Notes Notes Remote Procedure Calls (NRPC). Procedure 1. Click Administration > Manage Organization 2. Click Security. 3. Click Add Range in the IP Address Ranges section to enter the beginning and ending IP addresses. You must specify the IP address at which you are currently logged in. 42 SmartCloud Notes: Administering SmartCloud Notes: Serice-only Enironment March 2015

49 Results Enabling IP address restrictions might block mobile user access to your organization. For example, Blackberry users must authenticate through a Blackberry Enterprise Serer (BES) which authenticates both the mobile deice and the user. Because the IP address for the authenticated user is that of the BES serer, IP address restrictions can block access, depending on the range specified. Use VPN tools on the mobile deice to route traffic to your organization using your network What to do next You can use IP address restrictions as a secondary authentication mechanism in combination with SAML single sign-on authentication. Enabling application passwords Application passwords can be used to proide a secure login for applications that do not support forms-based authentication. For example, they can be used to access applications that require passwords on a mobile deice or for organizations that use federated identity and serice login passwords are not used. When you enable application passwords, you also hae the option of requiring the use of application passwords, and of allowing mobile users to bypass IP restrictions. About this task If you require an application password, then the serice login password is disabled for the application, and users must log in using the application password. For example, users would be required to use the application password to log in to the serice on a mobile deice or in a browser. Howeer, they could still use the serice login password to log in to the serice web site and for other applications. If you do not require an application password, then users can continue to log in from a browser, for example, using their serice login password. If you allow mobile users to bypass IP restrictions, application passwords proide an additional layer of password strength. This is due in part to their length (16 characters) and because they are generated using a strong random number generator. If a mobile deice is lost or stolen, you can then disable the IP restriction bypass which preents access to the application outside your organization's designated IP range. Note: If you enable application passwords and select the Ignore IP range restrictions for applications setting to allow users to bypass IP restrictions, the setting does not apply to Windows Phone or Windows Tablet users. If you restrict login to a specific IP range, Windows Phone and Windows Tablet users must log in from network locations within the range. You can also disable the use of application passwords at any time. Then, if users hae created an application password, the application cannot be accessed because the password is no longer effectie. Tip: Users can also preent access to the application by reoking their application password, which they can do at any time. Organizations that do not use federated identity can disable the use of the standard serice password for mobile applications. Chapter 4. Configuring the serice 43

50 Procedure 1. Select Administration > Manage Organization. 2. In the naigation pane, under System Settings, click Security. 3. Under Password Settings, click Edit Settings. 4. Select Allow users to generate application passwords. 5. Select any of the following options that apply, and then click Sae Changes. Table 7. Application Password Options Option Expiration Ignore IP range restrictions for applications Require applications to use application passwords to access this site Result Select a password expiration interal or select No expiration if you do not want application passwords to expire. Users will be able to access applications from outside the organization's designated IP range. Howeer, they cannot access it using the serice login, they must use an application password instead. For more information about specifying IP address ranges, refer to Restricting the IP address range on page 42 This option restricts the supported authentication flow to application passwords. It preents users from logging to this site using their serice login password. This option does not display for organizations that use federated identity. Results After you enable this feature, users can create and manage application passwords in My Account Settings in the serice. General information about how users manage their application passwords is listed here. If enabled, users can generate an application password for the IBM Notes Traeler. Application passwords can be shared across mobile products, including IBM Traeler, IBM Sametime, and Connections Cloud. If you did not select the option Require applications to use application passwords to access this site, then using an application password is optional for users. Howeer, if you hae IP range restrictions enabled, they will not be able to log in using their serice password unless they are within the IP range. Application passwords are generated by the serice when requested by users. The generated passwords displays to the user only once, and cannot be recoered. Users can reoke and generate a new application password at any time. There is no limit to the number that can be generated. Passwords are generated using cryptographically strong random number generator. They are 16 characters long, and not case sensitie. Users should enter the password once into their deice and allow the deice to sae the password. If there are ten failed login attempts, the account is locked for three minutes. 44 SmartCloud Notes: Administering SmartCloud Notes: Serice-only Enironment March 2015

51 What to do next If you selected Applications must use the generated password to access this site, or if you allowed users to bypass the specified IP range, instruct them to generate application passwords. For information on how users generate application passwords see Application passwords for mobile access. Authentication methods by client The following table lists the authentication methods supported for each type of IBM SmartCloud Notesclient. Table 8. Authentication methods by SmartCloud Notes client Authentication method Supported clients Cloud serice account identity and SmartCloud Notes web password IMAP clients IBM Notes Traeler deices FTP client that is used to connect to the integration serer to download journal files or to upload change files to manage user accounts SAML Federated Identity SmartCloud Notes web Cloud serice account identity with application password NRPC Research in Motion data center authentication Notes Traeler Android and higher client Notes Traeler deices IBM Notes BlackBerry deices that access the serice through Hosted BlackBerry subscriptions Password rules by authentication method The following table summarizes the password rules and settings for each supported IBM SmartCloud Notes client. Chapter 4. Configuring the serice 45

52 Table 9. Password rules and settings by authentication method Authentication method Password rules Password expiration 1 Password changes Cloud serice account identity and password SAML Federated Identity Cloud serice account identity and application password NRPC At least eight characters At least four alphabetic characters At least one non-alphabetic character No spaces No more than two consecutie characters No match of any of the eight preious passwords Cannot contain user name or address Controlled by company 16 characters (non-case sensitie) In serice-only enironments, and in hybrid enironments that do not use policy security settings to configure password requirements, IBM Notes ID passwords must be at least eight characters and hae a password quality of 8, on a password quality scale of 0 (weakest) to 16 (strongest). Disabled by default Administrators can enable a password expiration interal of 30, 60, 90, 180, or 365 days. Controlled by company Disabled by default Administrators can enable Disabled by default Administrators can enable through SmartCloud NotesAdministration By administrator By user Controlled by company Password changes not allowed Administrators or users can reoke passwords and users then generate new ones By administrator By user 1 While it may seem that requiring passwords to expire proides more security, most security experts beliee the opposite is true. Password expiration often leads to the use of simpler, more easily-guessed passwords, and to users writing down passwords to remember them. A better policy is to use more complex password phrases that do not expire, wheneer possible. In addition to proiding better 46 SmartCloud Notes: Administering SmartCloud Notes: Serice-only Enironment March 2015

53 security, this policy also reduces the number of help desk calls generated from users who forget their eer-changing passwords. Configuring the name finder Complete this procedure to configure how users find names in a directory. Before you begin Read the topic Standard and Adanced Name Finder options on page 49for details about and a comparison of the Standard and Adanced name finder options. About this task The name finder settings control how users find names in a directory. For example, the settings are used when users find names by clicking the To link in a new mail message or the Required link in a new meeting initation. Name Finder settings are not related to type ahead addressing, the feature that automatically finds matches to names that users type in address fields. Procedure 1. Log on to the serice as an administrator. 2. If your account also has the User role, click Admin > Manage Organization. 3. In the System Settings section of the naigation pane, click IBM SmartCloud Notes. 4. Click Account Settings. 5. Click Name Finder. 6. Select options, as described in the following table: Option Basic Description The name finder lists all names in a directory, in alphabetical order by surname. Users type the first few characters of the surname they are looking for, and the cursor moes to the first matching name. From there, users can use the scroll bar to find the name. This setting is the default and it applies to Notes users and web client users. Chapter 4. Configuring the serice 47

54 Option Basic Quick Search Only Description The name finder shows no names in a directory, initially. Users type the first few characters of a gien name or surname and click Search. The name finder then shows directory entries whose surnames or gien names begin with the characters searched for. For example, a search for Jack can return the names Jackie Roberts or Tony Jackson but not Tony Blackjack. This setting proides more flexibility for finding names in large directories. Standard Adanced This setting applies to Notes users and web client users. Users search for names and search results show directory entries that match. Unlike the Basic and Basic Quick Search Only options, users can sort the search results and see details about the user entries that are returned in search results. This search capability applies to web client users only. Users get the name finder capabilities of the Standard option. In addition, they are able to narrow search results by manager, department, job title, location. This option is aailable for hybrid enironments only. Show user photos This search capability applies to web client users only. Search results show user photos. In serice-only enironments, the photos come from IBM Connections Cloud user profiles. In hybrid enironments, the photos can come from IBM Connections Cloud user profiles or from Person documents in an on-premises directory. To use an on-premises directory, clear the Use SmartCloud Engage photos field. This option is aailable when you select the Standard or Adanced options. The feature applies to web client users only. 48 SmartCloud Notes: Administering SmartCloud Notes: Serice-only Enironment March 2015

55 Option Browse corporate hierarchy Description Users can browse a directory by hierarchy categories that you assign to Person documents in an on-premises Domino directory. This option is aailable for hybrid enironments when you select the Standard or Adanced options. Browse corporate hierarchy > Used ranked sort order The feature applies to Notes users and to web client users. Users can browse a directory by ranked categories that you define in an on-premises Domino directory by using the Domino Japanese Extension (DJX) tool. This option is aailable for hybrid enironments when you select the Standard or Adanced options. The feature applies to Notes users and to web client users. Results The change usually takes effect within 15 minutes or less. Standard and Adanced Name Finder options The Standard and Adanced Name Finder configuration options proide seeral features to help users to find names in directories. The Standard option is aailable for serice-only enironments and hybrid enironments. The Adanced option is aailable for hybrid enironments only. The following table compares the features that are proided by each option. All of these features are aailable for the web client. The features currently aailable for the IBM Notes client are the browse features only. When you enable the Standard or Adanced option, the Basic Quick Search Only search option is put in effect for Notes client users. Table 10. Comparison of the Standard and Adanced Name Finder configuration options Feature Standard Name Finder Adanced Name Finder Name search Users can search by: Users can search by: First name First name Last name Last name Notes full name Notes full name Internet address Internet address Short name Short name Alternate name Alternate name (if alue Phonetic name populated in directory) Phonetic name (if alue populated in directory) Chapter 4. Configuring the serice 49

56 Table 10. Comparison of the Standard and Adanced Name Finder configuration options (continued) Feature Standard Name Finder Adanced Name Finder Search conditions to narrow the results of name searches Not aailable Users can narrow name searches by: Manager Department Job Title Location Each condition added narrows results further. Maximum search results returned Sort entries in search results Show details about names in search results Show user photos from IBM Connections Cloud user profiles in search results All users can sort results by: Last name, first name First name, last name Directory Users in hybrid enironments can sort results by the following information, if the corresponding fields are populated in Person documents: Manager Job Title Department Location All users can see the following details: User name Internet address Domain Directory Users in hybrid enironments can see seeral additional details, if the fields are populated in Person documents. This feature requires users to hae a collaboration subscription in addition to a SmartCloud Notes subscription. These fields must be populated in Person documents in the on-premises directory. All users can sort results by: Last name, first name First name, last name Directory Users can sort results by the following information, if the corresponding fields are populated in Person documents: Manager Job Title Department Location All users can see the following details: User name Internet address Domain Directory Users can see seeral additional details, if the fields are populated in Person documents. This feature requires users to hae a collaboration subscription in addition to a SmartCloud Notes subscription. 50 SmartCloud Notes: Administering SmartCloud Notes: Serice-only Enironment March 2015

57 Table 10. Comparison of the Standard and Adanced Name Finder configuration options (continued) Feature Standard Name Finder Adanced Name Finder Shows user photos from on-premises Person documents Browse entries in a directory by categories that are defined by use of the Domino Corporate Hierarchy feature Browse entries in a directory by ranking Aailable in hybrid enironments only and requires a change to the Domino directory design to support photos in Person documents. Aailable in hybrid enironments for directories with Person documents that are assigned corporate hierarchy categories. For more information, see the topic about categorizing a user by corporate hierarchy in the Domino documentation. Aailable in hybrid enironments. You use the Domino Japanese Extension tool (DJX) to configure the directory to support this option. Requires a change to the Domino directory design to support photos in Person documents. Aailable for directories with Person documents that are assigned corporate hierarchy categories. For more information, see the topic about categorizing a user by corporate hierarchy in the Domino documentation. You use the Domino Japanese Extension tool (DJX) to configure the directory to support this option. Basic name finder illustration The following pictures illustrate finding names in a directory when the Basic name finder option is enabled. Chapter 4. Configuring the serice 51

58 Basic Quick Search Only name finder illustration The following pictures illustrate finding names in a directory when the Basic Quick Search Only name finder option is enabled. 52 SmartCloud Notes: Administering SmartCloud Notes: Serice-only Enironment March 2015

59 Chapter 4. Configuring the serice 53

60 Standard name finder illustration The following pictures illustrate finding names in a directory when the Standard name finder option is enabled. 54 SmartCloud Notes: Administering SmartCloud Notes: Serice-only Enironment March 2015