Profile
| Parameter | TICKET_ALG_SHA |
|---|---|
| Component | Domino Server |
| Available since | Domino 9.0.1 Fix Pack 7 |
| Values | 1 (SHA-1), 256 (SHA-256, default), 384 (SHA-384), 512 (SHA-512) |
| GUI equivalent | none — notes.ini only |
Description
TICKET_ALG_SHA determines which SHA hash algorithm the Domino server uses for generating and validating tickets in the single sign-on context — in particular for SAML and Kerberos. With Domino 9.0.1 FP7, the default algorithm was raised from SHA-1 to SHA-256. SHA-1 can still be enabled by configuration but should no longer be used today.
Example configuration
TICKET_ALG_SHA=256
Default value (SHA-256). Not strictly required to be entered, but documents intent and protects against accidental changes by other tools.
TICKET_ALG_SHA=512
Stronger variant (SHA-512). Useful when all counterparts (identity provider, other Domino servers) support SHA-512.
TICKET_ALG_SHA=1
SHA-1 — only as a temporary stopgap for incompatible legacy systems; avoid in the medium term.
Notes & pitfalls
- The chosen algorithm must match the configuration of the identity provider (e.g. ADFS, Azure AD, Keycloak) — otherwise ticket validation fails.
- In an SSO realm, set the value consistently on all participating Domino servers.
- Takes effect only after a restart of the server task.
- SHA-1 (TICKET_ALG_SHA=1) is now considered cryptographically too weak and should be used only in justified exceptional cases.
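The two pitfalls above (SHA-1 still enabled, and inconsistent values across the servers of one SSO realm) are easy to audit from the notes.ini files themselves. The following is an added example, not HCL code: it assumes notes.ini is a plain KEY=VALUE file, that the key is matched case-insensitively, that the last occurrence of a key wins, and that an absent TICKET_ALG_SHA means the documented default of 256. The sample notes.ini fragments are constructed.

```python
"""Audit TICKET_ALG_SHA across the notes.ini files of the Domino servers in one SSO realm."""
from typing import Dict, List, Tuple

# Values documented for TICKET_ALG_SHA; 256 is the default since 9.0.1 FP7.
VALID = {"1": "SHA-1", "256": "SHA-256", "384": "SHA-384", "512": "SHA-512"}
DEFAULT = "256"


def effective_ticket_alg(notes_ini: str) -> Tuple[str, str]:
    """Return (effective value, status) for TICKET_ALG_SHA in a notes.ini text.

    status is 'ok', 'default' (key absent, 256 applies), 'weak' (SHA-1) or 'invalid'.
    Assumptions: case-insensitive key, last occurrence wins, ';' starts a comment.
    """
    value = None
    for line in notes_ini.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip().upper() == "TICKET_ALG_SHA":
            value = val.strip()
    if value is None:
        return DEFAULT, "default"
    if value not in VALID:
        return value, "invalid"
    if value == "1":
        return value, "weak"
    return value, "ok"


def audit_realm(servers: Dict[str, str]) -> List[str]:
    """Flag SHA-1, invalid values, implicit defaults and cross-server mismatches."""
    findings: List[str] = []
    effective: Dict[str, str] = {}
    for name, ini in servers.items():
        value, status = effective_ticket_alg(ini)
        effective[name] = value
        if status == "weak":
            findings.append(f"{name}: TICKET_ALG_SHA=1 (SHA-1) is weak; migrate to 256 or higher")
        elif status == "invalid":
            findings.append(f"{name}: TICKET_ALG_SHA={value} is not a valid value (1/256/384/512)")
        elif status == "default":
            findings.append(f"{name}: TICKET_ALG_SHA not set; default 256 applies, set it explicitly")
    # All servers in one SSO realm must use the same algorithm or ticket validation fails.
    if len(set(effective.values())) > 1:
        findings.append("realm mismatch: " + ", ".join(f"{n}={v}" for n, v in sorted(effective.items())))
    return findings


# Constructed sample notes.ini fragments for three servers in one SSO realm.
SAMPLE_SERVERS = {
    "mail01": "ServerTasks=Router,HTTP\nTICKET_ALG_SHA=256\n",
    "mail02": "ServerTasks=Router,HTTP\n; legacy IdP still on SHA-1\nTICKET_ALG_SHA=1\n",
    "web01": "ServerTasks=HTTP\n",
}

if __name__ == "__main__":
    for finding in audit_realm(SAMPLE_SERVERS):
        print(finding)
```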