Hear from IBM's product team and learn where Notes, Domino, and Verse are headed in this webinar for administrators, application developers, and managers. The product team from IBM cover the following topics:
-Domino and Notes Directions with Scott Vrusho
-Domino Security with Dave Kern and Kevin Lynch
-IBM Verse with Scott Souder
3. Who We Are
• Teamstudio’s background is in creating tools for
collaborative computing in mid-size and large
enterprises, primarily for IBM Notes
• Easy-to-use tools for developers and administrators
• 1600+ active customers, 53 countries
• Offices in US, UK, and Japan
• Entered mobile space in 2010 with Unplugged: easy
mobilization of Notes apps to Blackberry, Android
and iOS
4. Teamstudio Unplugged
• Your mobile Domino server: take your IBM Notes
apps with you!
• End-users access Notes applications from mobile
devices whether online or offline
• Leverages the powerful technology of XPages
5. Unplugged Templates
• Continuity – Mobile offline access to
BCM programs
• OneView Approvals – Expense
approvals; anywhere, anytime
• CustomerView – lightweight CRM
framework for field sales and field
service teams
• Contacts – customer information database
• Activities – customer activity log
• Media – mobile offline file storage and access
6. XControls
• Set of Controls for IBM Domino XPages developers
working on new XPages apps and on app
modernization projects
• Re-write of the Teamstudio Unplugged Controls
project, but adds full support for PC browser-based
user interfaces as well as mobile interfaces
• Enables XPages developers to create controls that
are responsive
• Learn more: teamstudio.com/solutions/xfoundations
7. Teamstudio Services
• Professional services for modernization, web
enablement, project management, development,
and administration
o Modernization Services
o Unplugged Developer Assistance Program
o Application Upgrade Analysis
o Application Complexity Analysis
o Application Usage Auditing
• http://www.teamstudio.com/solutions/services/
8. • NotesTools promotion:
o Be automatically entered to win an iPhone 6 if you contact us by Jun. 30, 2015 for
more information on Analyzer, Delta, and Configurator.
• Webinar in French: Jun. 24, 2015
o With Laurent Godme of IBM and Ady Makombo of Teamstudio
9. 1
#XPages
Your Hosts Today:
Howard Greenberg
TLCC
@TLCCLtd
Domino, Notes and Verse -
Where are we and What's the
Future?
Paul Della-Nebbia
TLCC
@PaulDN
10. How can TLCC Help YOU!
2
• Private classes at
your location or
virtual
•XPages Development
•Support Existing Apps
•Administration
• Let us help you
become an expert
XPages developer!
• Delivered via Notes
• XPages
• Development
• Admin
• User
Self-
Paced
Courses
Mentoring
Instructor-
Led
Classes
Application
Development
and
Consulting
Free
Demo
Courses!
11. 3
• Save hundreds and even Thousands of Dollars
on the most popular courses and packages
XPages
Notes/Domino Admin and Development
• Extended!!! Now through June 30th
http://www.tlcc.com/springsale
12. Upcoming and Recorded Webinars
4
The Webinars will resume in September!
• www.tlcc.com/xpages-webinar
View Previous Webinars
(use url above)
13. Asking Questions – Q and A at the end
5
Use the Orange Arrow button to
expand the GoToWebinar panel
Then ask your questions in the
Questions pane!
We will answer your questions
verbally at the end of the
webinar
26. http://tinyurl.com/njdun3v
“So if you’re not sure about IBM Verse today, think about
your move from keyboard to mouse…or from mouse to multi-
touch. You’ll get there. We’ll be there waiting for you…”
– Louis Richardson, IBM Storyteller
28. Domino, Notes, and Verse - Where Are
We and What's the Future?
1
Scott Vrusho
Senior Program Manager
Dave Kern
Resident Paranoid
Kevin Lynch
Senior Development Manager
June 16, 2015
29. Agenda
Brief Review of current Domino content
Futures
– Domino.Next
IBM mail support for Microsoft Outlook / Hawthorn
Security
The Ongoing Saga of SSL and TLS
Verse
– New way to work
31. What's new in IBM Domino Social Edition 9.0.1
Themes:
Quality: Notes / Domino Social edition 9.0.1 was focused at addressing important
IBM customer reported defects
Accessibility: XPages, iNotes, Domino server install
Targeted features:
Messaging Server Reliability (Cloud First)
Diagnostic information in NSD for Router (Cloud First)
Security Execution Control List (ECL): New setting for greater security control
over Java execution.
XPages Mobile enhancements: detect device type, orientation, event changes
New REST calendar service
Content in backup
Shipped Q4’13
32. Notes/Domino/Designer Fix Packs
Notes/Domino/Designer 9.0.1 FP2
– IE11 support
– CKEditor 4.3.2 (Domino Server)
– JVM 1.6 SR16
9.0.1 FP3
– iOS 8 support for XPages mobile controls – 9.0.1 FP2 IF1
– Dojo 1.9.4
– CkEditor 4.3.2.2 (Domino Server & Notes Client)
– JVM 1.6 SR16FP2
9.0.1 FP4
– TLS 1.2 Plus More (details from Dave Kern in a few)
– Dojo 1.9.7
– Libpng 1.5.21
– JVM 1.6 SR16FP4
34. What’s Next?
A sample of what’s coming in a future release
•Live View Refresh - Avoid view bottleneck when updating docs and views simultaneously
•Expanded Summary limit in Documents
•NIF/NSF project to optionally have NIF indexes stored outside of NSF file
•Support RFC 2231- Popular International standard for email headers
•Restrict mail rule forwarding to Internet
•Backend support for field/document level encryption and signatures for Xpages
Support for MS calendar and message files
*IBM’s statements regarding its plans, directions and intent are
subject to change or withdrawal without notice at IBM’s sole discretion.
35. Solution: New item on view note
and a new view refresh option
(Critical).
This will shut down refresh
during view opening processing
The design flags can be set on
the view via an Updall switch
Domino.next LiveView Refresh – Dedicated background thread for
maintaining critical view indexes
Given out as Hotfixes.
Code added to 9.0.1 FP3
Fixes in FP4
*IBM’s statements regarding its plans, directions and intent are
subject to change or withdrawal without notice at IBM’s sole discretion.
36. Live View Refresh: Dedicated Background Thread
The design flags can be set on the view via Updall task from server console on an ODS52 or above NSF file
Syntax:
Enable on a view: Load updall <dbname> -T#<#seconds> <viewname>
Disable on a view (901FP4 and above): Load updall <dbname> -T~ <viewname>
Example:
Load updall disc9.nsf -T#5 "By Category”
Load updall disc9.nsf -T#30 "All Documents"
The dedicated threads can be observed via the server console ‘Show Tasks’
View Indexer disc9.nsf "By Category" 5 sec. stale read
View Indexer disc9.nsf "All Documents" 30 sec. stale read
The individual threads can be stopped but only temporarily until a server restart
– tell ”View Indexer" stop disc9.nsf "All Documents”
To disable on a view, issue a ~ (tilde) with the –T command as follows:
– Load updall disc9.nsf –T~ "By Category”
*IBM’s statements regarding its plans, directions and intent are
subject to change or withdrawal without notice at IBM’s sole discretion.
This sets the refresh poller to 5 and 30
seconds on these views respectively.
37. Expand 64k Summary limit
In current releases Text (Summary) limit is:
– 64KB per document
– 32KB per field
– 32KB per view entry
In Notes/Domino.next we have raised the Summary data
– 16MB per document
– Individual Field/View limits remain unchanged
*IBM’s statements regarding its plans, directions and intent are
subject to change or withdrawal without notice at IBM’s sole discretion.
38. NSF Size on Disk
View Indexes on Disk
(outside of NSF file)
Can grow to 1 Terabyte
DAOS store
(outside of NSF)
Logical size can exceed
64gb with DAOS store
now and in the future
views outside of NSF
NIF-NSF: Storing Views (NIF) outside of Database (NSF)
*IBM’s statements regarding its plans, directions and intent are
subject to change or withdrawal without notice at IBM’s sole discretion.
• Encrypted for Secure storage
• Accessed through existing APIs
39. RFC2231 support for Mail File Types
This RFC is the current standard for specifying non-ASCII headers.
– Although it was first introduced over 15 years ago. It was not widely used for
many years. It has evolved to be the the default for many mail clients, e.g.,
Thunderbird
*IBM’s statements regarding its plans, directions and intent are
subject to change or withdrawal without notice at IBM’s sole discretion.
40. Restrict mail rule forwarding to internet
Server configuration to prevent mail rule forwarding to an internet email
address
– This is a server side configuration option to prevent individual users from setting
up a mail rule that forwards their incoming messages to the internet (i.e. a
personal account).
– When users create a mail rule that includes the send/copy to action, any
addresses in domains that are not owned by your company are ignored
– Already Available in the Cloud
*IBM’s statements regarding its plans, directions and intent are
subject to change or withdrawal without notice at IBM’s sole discretion.
41. Secure Your Data On The Web - Document encryption &
signature support for XPages
Ensure only the people you want to access the data can
access the data using XPages document encryption
Simplify access using public keys or apply
greater control using secret keys
Ensure authenticity by electronically signing Domino
documents from the web
+
+ X
Targeting
2016
*IBM’s statements regarding its plans, directions and intent are
subject to change or withdrawal without notice at IBM’s sole discretion.
42. Additional Features For XPages Encryption & Signature
Support
Infrastructure for working with keys from the web
– New backend classes, methods & properties in C, Java & LotusScript
– New IDVault class
• Methods for working with IDs (Get or put ID, Get username…)
• Properties for
– New UserID class
• Method for getting encryption keys
– Other Methods
• Session class: IDVault Session.getIDVault()
• Database class: Database.setUserIDForDecrypt(UserID uid)
• Document class: Document.encrypt(Optional UserID uid)
*IBM’s statements regarding its plans, directions and intent are
subject to change or withdrawal without notice at IBM’s sole discretion.
43. Application Development
Plus Lots of good content for the App Dev space as you recently heard
from Pete Janzen, Martin Donnelly and Brian Gleeson:
– May 2015 TLCC/TeamStudio Webinar:
App.Next - The Future of Domino Application Development
– https://www.youtube.com/watch?v=ntVFNjKnljE
*IBM’s statements regarding its plans, directions and intent are
subject to change or withdrawal without notice at IBM’s sole discretion.
44. Support for Microsoft calendar/message files
This resolves receiving files being received that a user cannot take action
on.
– Mail Arrives with un-viewable attachment. This will allow processing/handling
these msg message types inline.
45. Currency
Domino / Notes
– ND.next updates the baselines of components including:
• Java 8
• Latest Keyview for indexing/viewing attachments
• ICU – IBM Classes for Unicode revised
– Windows 10 Notes client support – In test now
– Notes Mac 64 bit coming this fall for OS X 10.11 – El Capitan
• Supports Java 8 – 64 bit
– Lots more for latest OS levels for Server including IBM i, zLinux, Windows
Server Next, RHEL/SLES
*IBM’s statements regarding its plans, directions and intent are
subject to change or withdrawal without notice at IBM’s sole discretion.
46. IBM MAIL SUPPORT FOR MICROSOFT
OUTLOOK
ALIASES: IMSMO, PROJECT HAWTHORN
(Limited Availability)
47. IBM provides choice in client experience
Notes Browser
Plug-in
Traveler
Notes
iNotes
Connections
Mail
Verse
(P) = On-premises only (C) = Cloud Initially
(P)
(C)
IMAP accessMicrosoft
Outlook 2013Limited
Availability
48. IBM Mail Server for Microsoft Outlook (IMSMO)
It's “Bring your own client” model supporting Outlook clients and various access methods
Gives clients choice in messaging solutions
Allows Domino 9 Server and Outlook 2013 to communicate
Outlook 2013 natively offers EAS (Exchange ActiveSync) account configuration
This is a capability vs. separate solution (i.e., IMAP, POP3, etc.)
A lightweight Outlook 2013 add-in exposes additional functionality beyond what Outlook 2013
natively offers for EAS configurations
Leverages Domino REST services
Auto-updates ease desktop management as new releases are available
Capabilities
Mail, folders, calendar, contacts, delegation, offline, search, Notes encryption, OOO, room finder, freebusy, quota, etc.
What is Hawthorn?
49. Outlook 2013 &
IBM mail add-in
IP Sprayer
(F5 or IMC)
Corporate LDAP
(NameLookup only)
Domino with IMSA Domino with IMSA
Optional non-IMSA servers in
cluster
DB2 HADR
Domino mail cluster
Project Hawthorn
Architecture
50. Requirements
Client
Outlook 2013 on Windows only
Mail Server
Domino 64-bit on Windows 64-bit or AIX 64-bit and now Linux-64
Domino release 9.0.1 + latest fixpack
HTTP process running
Mail replicas reside on the Hawthorn server(s)
IDVault (enables Notes encryption)
DB2
Domino server leverages DB2 storage of mapping metadata
Can be bypassed for small proof of concept deployments
Greatly improves server performance, reliability
Cloud – Planned for End of Q4 2015
Contact your IBM Sales rep to see if you are a
good fit for limited availability nomination
*IBM’s statements regarding its plans, directions and intent are
subject to change or withdrawal without notice at IBM’s sole discretion.
53. How did we get here?
The SHA-1 hash algorithm was due to be “sunset” in January 2016
– Naturally, we started working on SHA-2 support well in advance
Sept 2014: Chrome and Firefox announced they were starting over a year early
– Adding prominent lack-of-trust warnings for sites with SHA-1 certificates
– Our timetable for Domino accelerates
Oct 14, 2014: POODLE strikes!
– Browser manufacturers and administrators frantically start disabling SSLv3
– Our timetable for Domino accelerates
Nov 4, 2014: Domino Interim Fixes released adding TLS 1.0 (POODLE) and SHA-2
Dec 8, 2014: ”POODLE on TLS” vulnerability announced.
Dec 19, 2014: Domino Interim Fixes for POODLE on TLS released
March 2015: Domino 9.0.1 FP3 IF2 adds TLS 1.2 and more
54. Nov 2014 Domino Interim Fixes
For all Platforms and supported Versions
– 9.0.1 FP2, 9.0, 8.5.3 FP6, 8.5.2 FP4, 8.5.1 FP5
TLS 1.0 support for all Internet Protocols inbound and outbound
– HTTP, SMTP, LDAP, POP3, IMAP
– DIIOP inbound only
– Support for TLS_FALLBACK_SCSV
– Does not enable disabling of SSL 3.0
– Cipher suite list for outbound connections re-ordered to place AES ciphers first
– Removed SSLv2, SSL renegotiation, and disabled weak (< 128 bit) ciphers
SHA-2 support introduced
No UI changes
http://www.lotus.com/ldd/dominowiki.nsf/dx/IBM_Domino_TLS_1.0
55. Dec 2014 Notes and Domino Interim Fixes
Security Bulletin: TLS Padding Vulnerability affects IBM Domino (CVE-
2014-8730)
– http://www.ibm.com/support/docview.wss?uid=swg21693142
SPR #KLYH9RMJGL: CVE-2014-8730 TLS 1.x Padding Vulnerability
– Fixes the “POODLE on TLS” vulnerability for CBC ciphers
SPR #KLYH9QXMQE: Disable SSL ini: DISABLE_SSLV3=1
– Domino 9.0.1 FP2 IF 3, 9.0 IF7,8.5.3 FP6 IF6, 8.5.2 FP4 IF3, 8.5.1 FP5 IF3
– Notes 9.0.1 FP2 IF4 and 8.5.3 FP6 IF4 added TLS 1.0 support
• Windows, Linux and Mac OSX
56. SSLv2 ClientHello - Known “Incompatibility”
Sending the first SSL message (ClientHello) in SSLv2 format provided backwards
compatibility with servers that only supported SSLv2
– This is only needed if you want to connect to servers that only support SSLv2
– Extremely useful in 1996!
– Using an SSLv2 ClientHello circumvents many important security characteristics of SSL/TLS
Domino completely disabled SSLv2 including SSLv2 “ClientHello”
– Some other servers may still accept it even if SSLv2 itself is disabled
SSLv2 ClientHello might be still used by some applications
– For example older OpenSSL Libraries or out-of-date clients
– Workaround is to force a specify protocol version “TLS 1.0”
• Example: wget.exe --secure-protocol=TLSv1 ..
– Potential issue with external SMTP Clients that shall remain nameless
58. Why TLS 1.2?
Uses SHA-256 internally instead of MD5 and SHA-1
Adds support for ciphers with SHA-256 integrity checking
Adds support for AEAD (AES-GCM) ciphers
Other security-related improvements too numerous to mention
59. Caveats
TLS 1.2 requires SHA-256 which requires Notes/Domino 9.0.x
– Significant cryptographic changes between 8.5.x and 9.0.x
– No plans to back port any enhanced TLS functionality to 8.5.x
Any template, UI, and string changes require a Maintenance Release
– Not just a Fix Pack, Interim Fix, or Hot Fix.
– This is why a separate new keyring tool “kyrtool.exe” was released instead of a new database
Therefore, until the next MR, configuration of TLS functionality will be limited to
– notes.ini variables
– server console commands
– command line applications
60. Secure Renegotiation
Old-style renegotiation is vulnerable to session splicing attacks
– Renegotiation disabled by TLS 1.0 Interim Fixes
Security scanners frequently confuse “doesn't support secure
renegotiation”
with “supports insecure renegotiation”
RFC 5746 requires servers that do not support renegotiation to claim
support for secure renegotiation
61. HTTP Strict Transport Security (HSTS) header
Indicates to web browsers they should only connect to this site over
HTTPS and not HTTP
Helps prevent web browsers from being tricked into communicating over
unencrypted HTTP
Domino will now send this header by default if SSL/TLS is enabled and the
http port is disabled or set to “redirect only”
– Only with a one week “maximum age” by default
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/HSTS
62. Problem: The All-Seeing Eye
How do you protect against an attacker who can spy on all of your network
traffic?
In most SSL/TLS cipher specs the client transmits a “PreMasterSecret” to
the server encrypted with the server's public key
A passive attacker could record network traffic for years and then acquire
the server's private key and decrypt all of that traffic
– Sound like anybody you know?
63. Solution: Perfect Forward Secrecy
No long-term keys are used to generate or transmit the keys used to encrypt your network
traffic
Incurs a significant performance penalty, so test in your environment before enabling
May only be enabled via SSLCipherSpec notes.ini
PFS cipher specs in Domino 9.0.1 FP3 IF2:
– TLS_DHE_RSA_WITH_AES_128_CBC_SHA
– TLS_DHE_RSA_WITH_AES_256_CBC_SHA
– TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
– TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
– TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
– TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
64. Problem: Far too many attacks on hashes and CBC mode
Most cipher specs use a hash algorithm for integrity checking
Many advances in cryptanalytics techniques against hashes
– First to fall were MD4 and SHA-0
– Next fell MD5 and SHA-1
– Now we're using SHA-2 (SHA-256, SHA-384, and SHA-512)
– SHA-3 is undergoing standardization
– When will it end?
Numerous flaws have been found in Cipher Block Chaining (CBC) mode ciphers
– Padding oracle attacks and timing attacks
– POODLE and other downgrade attacks
– POODLE on TLS and other padding attacks
– BEAST and other IV attacks
65. Solution: Authenticated Encryption (AEAD)
AEAD cipher specs don't use a hash algorithm for integrity
– Integrity checking part of encryption and decryption
AEAD cipher specs do not use CBC mode
– AEAD cipher specs tend to perform better than equivalent CBC mode ciphers
AEAD ciphers in Notes/Domino 9.0.1 FP3 IF2 (from RFC 5288)
– TLS_RSA_WITH_AES_128_GCM_SHA256
– TLS_RSA_WITH_AES_256_GCM_SHA384
– TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
– TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
IBM’s statements regarding its plans, directions and intent are subject to change or
withdrawal without notice at IBM’s sole discretion.
66. Selecting Ciphers with “SSLCipherSpec”
Server Doc / Internet Site doc no longer used for SSL/TLS configuration
– None of the new ciphers or versions are shown in the UI
– Design changes in Domino Directory will have to wait for a maintenance release (9.0.x) , not a FP or IF
Notes.ini “SSLCipherSpec”
– Used to specify ciphers across all protocols
– Concatenate the two hex digit numbers for the desired ciphers
– Ciphers ordered based on strength
– Example: SSLCipherSpec=9D9C3D3C352F0A9F9E6B3967
• Enable most of the PFS ciphers as well as the default ciphers
Latest cipher list available on the Notes/Domino wiki
– http://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration
67. Notes.ini Settings
DISABLE_SSLV3=1
– Prevent incoming SSLv3 connections
– Fallback to SSLv3 already prevented with most modern clients via TLS_FALLBACK_SCSV
DEBUG_SSL_ALL=2
– Or just DEBUG_SSL_HANDSHAKE=2 and DEBUG_SSL_CIPHERS=2 for less noise
USE_WEAK_SSL_CIPHERS=1
– Not recommended – but if you absolutely must allow frighteningly weak cipher specs
SSL_DISABLE_FALLBACK_SCSV=1
– Disables TLS_FALLBACK_SCSV functionality
– Not recommended – Only use if a badly misconfigured client absolutely needs to connect to your server
SSL_ENABLE_INSECURE_RENEGOTIATE=1
– Not recommended – but if you absolutely need “classic” SSL renegotiation
SSL_ENABLE_INSECURE_SSLV2_HELLO=1
– Not recommended – but if remote SMTP server refuses to disable SSLv2 backwards compatibility...
68. SSL Test Tools
https://www.ssllabs.com/ssltest/
Probably one of the most busy SSL Test Sites those days
– Can be used to get an idea about your server security status
– Will provide a a “rating” for your server from “A” to “F”
– Also includes details about supported SSL protocol version and ciphers
• Also contains a very useful “simulation” what ciphers certain applications might use
– There is also a test to check which SSL protocol version and ciphers are supported
69. Reference for Useful OpenSSL Commands
Connect test HTTPS
– openssl s_client -connect www.acme.com:443
Connect test SMTP TLS
– openssl s_client -connect mail.acme.com:25 -starttls smtp
Both print detailed information about certificate, protocol and cipher
Options to force certain SSL versions
– -tls1, -no_tls1, -no_ssl3
“wget” - another test tool
– Uses openssl libs and can be used for HTTPS requests
– wget.exe [--secure-protocol=TLSv1] --no-check-certificate https://www.acme.com
71. Enhancements under consideration for inclusion in a
future Fix Pack
OCSP Response Stapling
– Server requests a single OCSP response for itself and sends it as part of the TLS handshake
– Improves performance by saving each client from needing to perform its own request
Improved interoperability with Java 6 and 7
– Java 6 and 7 only support 1024 bit DH, which breaks compatibility with servers that choose stronger groups
– Java 6 and 7 only use DH with TLS_DHE_RSA_WITH_AES_128_CBC_SHA
– Enhancement to only use 1024 bit DH when using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
Drop priority of TLS_DHE_RSA_WITH_AES_128_CBC_SHA to protect against Logjam attack
– 1024 bit DH groups are believed to be insecure, so avoid them unless the alternative is sending data in the clear.
Add support for 4096 bit DH groups
Logging enhancements
Stability and interoperability fixes
IBM’s statements regarding its plans, directions and intent are subject to change or
withdrawal without notice at IBM’s sole discretion.
72. TLS 1.3
Cleans up and greatly simplifies the TLS protocol
– TLS 1.3 overhauls SSL/TLS in the way that TLS 1.0 should have
Currently just an Internet Draft, but we're following it closely
– Currently only allows cipher suites with Perfect Forward Secrecy and
Authenticated Encryption
Under consideration for inclusion in a future release of Notes/Domino
IBM’s statements regarding its plans, directions and intent are subject to change or
withdrawal without notice at IBM’s sole discretion.
74. SHA-1 is rated as “insecure”
SHA-1 is not recommended any more
– There are at least theoretical attacks against SHA-1
– Customers are encouraged to move away from SHA-1 to avoid situations we had before
with MD5
– SHA-256 is recommended and required for secure encryption
– Governments recommend to move to SHA-256
– SHA-256 is approved by Federal Information Processing Standard (FIPS) 140-2
Browser vendors decided start to warn when using SHA-1 certificates
– For example: Google starts first to warn for certificates expiring end of this year
• Reducing step by step the expiration time for the certs (1.1.2017, .. 1.1.2016)
– Affected certificates are all Server and intermediate CAs signed with SHA-1
– Root Certifiers are not affected because they are verified in a different way
75. Browser Vendors start to sunset SHA-1
This means that you have to replace your certificates ASAP
– Best practice is also to create a new public/private key
• Key could have been compromised and you don't know about it yet
– Ensure that the CA you are using already supports SHA-2
• Most CAs only support SHA-2 today because for exact those reasons
– If you server certificate expires later than 31.12.2015 and your server does not support SHA-2 yet,
consider requesting a cert with a shorter valid period
• Just a work-around. Better would be to update your server or put a secure
reverse proxy in front of it
References
– https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-
algorithms/
– http://googleonlinesecurity.blogspot.de/2014/09/gradually-sunsetting-sha-1.html
76. SHA-256 (SHA-2) Support
Domino 9.0.x without the current IFs did already support SHA-256 in some areas
– X.509 certificate signature verification and S/MIME signed mail
– Some areas of Notes/Domino where a password such as the Internet (HTTP) password was previously
"hashed."
– Internet CA supports SHA-256
Domino 9.0.1 FP2 IF1 supports SHA-2 Certificates for all Internet Protocols and for Keyring
Files
– SHA-2 support covers SHA-256, SHA-384, and SHA-512
– No Support for SHA-2 is planned for Domino 8.5.x
• Domino 8.5.x does not contain SHA-2 support
– You should consider updating to the current 9.0.1 fixpack and IF if possible
– New Keyring files Management Tool “kyrtool”
77. New Keyring Tool - “kyrtool”
Separate Download
– Available for Win32/64, Linux 32/64 on Client or Server → just needs to be copied to the N/D program
directory
Can be used to import, show, export certificates
– But not to create a private/public key and a certificate request
You can use OpenSSL to create the key and the request
– Or you can use any other tool to create the key and the request
– Or use an existing key and cert in PEM format
Importing Trusted Roots
– Either add all to a single PEM file from leave to note (key, cert, intermediates, root)
– Or import roots separately
• Needs Notes/Domino 9.0.1 FP2 IF1 code → Backend API change is needed
78. Create a Certificate using OpenSSL
OpenSSL
– native installed on Linux/Unix
– On Windows you can use a cygwin environment
1. Create a Private/Public Key
– openssl genrsa -out server.key 2048
2. Generate a Certificate Signing Request (CSR)
– openssl req -new -sha256 -key server.key -out server.csr
3. Send CSR to CA for signing
– Or create a “self signed” certificate for testing
• openssl x509 -req -days 3650 -sha256 -in server.csr -signkey server.key -out server.pem
– Result is a file in “PEM” format
79. Verify Import File
Before importing a PEM file, you should verify the content with the “verify” command
– Ensure that the certificate chain is complete and ordered correctly (key, cert, intermediate certs, root
cert)
– Special tip: you can show the certs in an input via to figure out which cert is missing
• Example: kyrtool.exe show certs -i c:dominoall.crt
kyrtool.exe verify c:dominoall.crt
– Successfully read 2048 bit RSA private key
– INFO: Successfully read 4 certificates
– INFO: Private key matches leaf certificate
– INFO: IssuerName of cert 0 matches the SubjectName of cert 1
– INFO: IssuerName of cert 1 matches the SubjectName of cert 2
– INFO: IssuerName of cert 2 matches the SubjectName of cert 3
– INFO: Final certificate in chain is self-signed
80. Create Keyring File
Create a new Keyring File
– kyrtool create -k keyring.kyr -p password
– When creating a keyring file you need to specify a password
• All other commands will read the password from the “.sth” file
Importing Key, Certificate, Intermediates and Trusted root
– Copy key, cert, intermediates and root certificate into one PEM file
– kyrtool import all -k keyring.kyr -i server.pem
You can also import the different parts separately
– Kyrtool import all|keys|certs|roots -k keyring.kyr -i server.pem
– But that makes the import a lot more complicated
81. Keyring “show” command
Can be used to show information from a keyring file
Kyrtool show certs -k keyfile.kyr
– Shows the entire cert chain including the root matching the cert
– Tip: You can use the show command to dump all certs and use the “verify” command on the resulting file
Kyrtool show keys -k keyfile.kyr
– Shows all keys in the keyfile
Kyrtool show roots -k keyfile.kyr
– Shows all trusted roots in the keyfile
Verbose option “-v” can be used to dump more detailed information
– More “-v”s on the command line results in more information
82. Reference - Converting file formats
Kyrtool requires “PEM” format (text based - BASE64 encoded DER format)
– In many cases your CA might use different formats (e.g. Microsoft CA)
OpenSSL is your friend when converting different formats
– But syntax is not always easy to figure out
– Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
• openssl pkcs12 -in cert.pfx -out cert.pem -nodes
– Convert Binary DER formatted certificate to text based (BASE64) PEM format
• openssl x509 -inform der -in server.cer -outform pem -out server.pem
– Convert Binary DER formatted certificate chain to text based (BASE64) PEM format
• openssl pkcs7 -print_certs -inform der -in certificate_chain.p7b -outform pem -out chain.pem
84. Increasing Internet Certificate Key Size
Domino 9 Internet CA Supports SHA-2
– You can remove and re-create the Internet Certifier with SHA256 and higher key
length
– Or create multiple Internet Certifiers
85. Internet CA Result
Resulting CA can be used to assign new certificates to users via Person
Doc
86. Enabling stronger ciphers and SHA-2
Client Notes.ini (deployed via desktop policy) needs the following settings
– SMIME_CAPABILITIES_SEND=AES_128:SHA_256
– SMIME_FIRST_CHOICE_CONTENT_ENC_ALG=AES_256
88. 9.0.1: Messaging Server Reliability
Protect from repeat outages due to a single message instance:
Processing a “bad” message is responsible for the crash. It remains in mail.box or mail file. Server
restarts and proceeds to deal with the same “bad” message, causing repeat crash for below scenarios:
Transfer or deliver same "bad" message: Router repeat crash
Receive same "bad" message: SMTP repeat crash
Fetch same “bad” message via IMAP: IMAP repeat crash
Solution to give messaging server reliability in 9.0.1:
Keeping per-thread context identifying the current message being processed.
Registering an exception handler callback that is called at time of crash to record which email message
was processed during crash. A data file is opened and the information identifying this message is written
to the file.
When server restarts, if above file exists, Router/SMTP/IMAP read the file to identify the "bad" message,
move the "bad" message to a new DB (Router and IMAP), and continue to deal with remaining
messages.
89. 9.0.1: Messaging Server Reliability
Prevent Router, SMTP and IMAP Repeat Crash
The feature is enabled by default in 9.0.1
Set below Notes.ini to disable the feature
RouterDisableFaultDataCapture=1
SMTPDisableFaultDataCapture=1
IMAPDisableFaultDataCapture=1
How we Deal with "bad" message
Quarantine Message to IBM_Technical_Support directory
Router/IMAP: Upon Restart move message for diagnostic collection
SMTP reject with “554 unable to import”
90. 9.0.1: Diagnostic information in NSD for Router
Router diagnostic data provides additional information in NSD stacks
This identifies work in progress by a router transfer/delivery thread at the time of a
crash.
The information includes
Message being processed (mailbox and Note ID)
Sender and recipient.
Stacks in the NSD contain a string printing out this value.
91. 9.0.1: New Execution Control List attribute
- Only load Signed & Trusted Java code
Provide Notes client users with an option to mitigate any risks involved with running Java code in Notes documents
Prior ECLs associated with Applets, Java agents & Xpages enforce runtime security
No load time ECL check, leaves an open window for application Java code to exploit any vulnerabilities in JVM
Load time verification ECL check allows for customers to have more granular control on what Java code is allowed to load &
run in a Notes client document
The Quarterly Oracle security patches have all been around attacking the JVM security model primarily from unsigned code
This is not a fix to address any known exploit but rather a mechanism to mitigate any future exploits
More important from a Notes client perspective since deploying a security patch to Notes client JVM is not always an
acceptable solution for customers
Changes are limited to Client only covering: Xpages, Applets, Java agents & JS → Java calls
Java code running in the context of Notes documents checks the load time ECL attribute and alert the user if the
signer does not have permissions to load Java code
New ECL attribute “Load Java code” in security panel and in security policy document for pushing out ECL settings
92. 9.0.1: New Security Policy for Federated Login
New Security Policy Setting to prevent use of password on vaulted ID when
Federated Login is configured
Policy setting is only visible if NFL or WFL is configured
Default is Yes (ie, Allow use of password)
'No' enforces use of SAML for download of ID from Vault
93. 9.0.1: Web SSO Config Doc Has Custom Cookie Names
Web SSO Config doc allows admin to specify LTPAToken and LTPAToken2 custom name.
Can be used to configure users for SSO across multiple SSO domains
94. Questions????
7
Use the Orange Arrow button to
expand the GoToWebinar panel
Then ask your questions in the
Questions panel!
Remember, we will answer your
questions verbally
95. #XPages
@ssounder
@TLCCLtd
@Teamstudio
@PaulDN
Upcoming Events:
MWLug User Group Meeting, Atlanta, GA - Aug. 19-21
ICON UK, London, England – Sept. 21-22
Question and Answer Time!
8
Teamstudio Questions?
contactus@teamstudio.com
978-712-0924
TLCC Questions?
howardg@tlcc.com paul@tlcc.com
888-241-8522 or 561-953-0095
Howard
Greenberg
Paul
Della-Nebbia
Courtney
Carter
Kevin LynchDave KernScott Vrusho
Keep in mind:
TLCC Spring Sale Ends on June 30th
Scott Souder