Domino, Notes, and Verse
Where are We and What’s the Future?
Tweet about this event
And mention us: @Teamstudio @TLCCLTD
@sssouder
June 16, 2015
@Teamstudio
teamstudio.com
@TLCCLTD
tlcc.com
Courtney Carter
Inbound Marketing Specialist
Teamstudio
Who We Are
• Teamstudio’s background is in creating tools for
collaborative computing in mid-size and large
enterprises, primarily for IBM Notes
• Easy-to-use tools for developers and administrators
• 1600+ active customers, 53 countries
• Offices in US, UK, and Japan
• Entered mobile space in 2010 with Unplugged: easy
mobilization of Notes apps to Blackberry, Android
and iOS
Teamstudio Unplugged
• Your mobile Domino server: take your IBM Notes
apps with you!
• End-users access Notes applications from mobile
devices whether online or offline
• Leverages the powerful technology of XPages
Unplugged Templates
• Continuity – Mobile offline access to
BCM programs
• OneView Approvals – Expense
approvals; anywhere, anytime
• CustomerView – lightweight CRM
framework for field sales and field
service teams
• Contacts – customer information database
• Activities – customer activity log
• Media – mobile offline file storage and access
XControls
• Set of Controls for IBM Domino XPages developers
working on new XPages apps and on app
modernization projects
• Re-write of the Teamstudio Unplugged Controls
project, but adds full support for PC browser-based
user interfaces as well as mobile interfaces
• Enables XPages developers to create controls that
are responsive
• Learn more: teamstudio.com/solutions/xfoundations
Teamstudio Services
• Professional services for modernization, web
enablement, project management, development,
and administration
o Modernization Services
o Unplugged Developer Assistance Program
o Application Upgrade Analysis
o Application Complexity Analysis
o Application Usage Auditing
• http://www.teamstudio.com/solutions/services/
• NotesTools promotion:
o Be automatically entered to win an iPhone 6 if you contact us by Jun. 30, 2015 for
more information on Analyzer, Delta, and Configurator.
• Webinar in French: Jun. 24, 2015
o With Laurent Godme of IBM and Ady Makombo of Teamstudio
#XPages
Your Hosts Today:
Howard Greenberg
TLCC
@TLCCLtd
Domino, Notes and Verse -
Where are we and What's the
Future?
Paul Della-Nebbia
TLCC
@PaulDN
How can TLCC Help YOU!
• Private classes at
your location or
virtual
• XPages Development
• Support Existing Apps
• Administration
• Let us help you
become an expert
XPages developer!
• Delivered via Notes
• XPages
• Development
• Admin
• User
Self-Paced Courses
Mentoring
Instructor-Led Classes
Application Development and Consulting
Free Demo Courses!
• Save hundreds and even Thousands of Dollars
on the most popular courses and packages
 XPages
 Notes/Domino Admin and Development
• Extended!!! Now through June 30th
http://www.tlcc.com/springsale
Upcoming and Recorded Webinars
The Webinars will resume in September!
• www.tlcc.com/xpages-webinar
View Previous Webinars
(use url above)
Asking Questions – Q and A at the end
Use the Orange Arrow button to
expand the GoToWebinar panel
Then ask your questions in the
Questions pane!
We will answer your questions
verbally at the end of the
webinar
Your Presenters Today:
#XPages
Scott Vrusho
IBM
Dave Kern
IBM
Kevin Lynch
IBM
Scott Souder
IBM
@ssouder
SCOTT SOUDER
IBM Program Director
Sr. Product Manager, IBM Verse
© 2015 IBM Corporation
Legal Disclaimer:
IBM’s statements regarding its plans, directions, and intent are subject to
change or withdrawal without notice at IBM’s sole discretion. Information
regarding potential future products is intended to outline our general product
direction and it should not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a
commitment, promise, or legal obligation to deliver any material, code or
functionality. Information about potential future products may not be incorporated
into any contract. The development, release, and timing of any future features or
functionality described for our products remains at our sole discretion. 
Mail that understands you
Less clutter, more clarity
Connecting me to we
Let’s take a look…
IBM Verse
Roadmap
IBM Verse
Post-GA priorities
•  Offline
•  Mobile: native iOS and Android
•  Enhanced Calendar
•  Deepen social integration
•  Personal Assistant based on
IBM Watson
•  Extensibility and programmability
for 3rd party integration
•  Continuous enhancement based
on user usage metrics
•  On-premises support
Contact Sync!
Sync social contacts and mail contacts
•  Modern, first-class
experience
•  Fully accessible
•  Seamlessly sync your
Notes/Domino-based
contacts with your
Connections-based social
contacts
Here’s what we’re thinking about next…
•  Share to blog w/images and attachments
•  Reduce cognitive debt by optimizing screen real estate for ease-of-use and clarity
•  A “reimagined” calendar experience
•  Reduce mail debt by surfacing messages that matter
•  Improvements to “Getting Started” experience
•  File viewer enhancements
•  Orient user and focus on what matters today
•  A deeper, more integrated chat experience
•  “Create my profile picture” experience
IBM Verse
Extensibility and API objectives
Partnering for success:
•  Cover key integration points
•  Build the supporting ecosystem
•  Focus on key differentiators
Verse extensibility
Service APIs
IBM Verse
Extensibility and API directions
Integrated actions:
•  Allow for adding actions which work against content in Verse
•  Acting on a notification from a workflow application
•  Moving a message into a CRM system for an identified opportunity
•  Archiving a message as “CLASSIFIED”
Export insight:
•  Allow external applications to leverage Verse’s analytics and social insight
•  People important / suggested to me
•  Team analytics
•  Needs Action / Waiting for Action
IBM Verse
Extensibility and API directions
Improve on a New Way to Work:
•  Allow insights gathered from external resources to enhance the Verse experience
•  Supplementing “suggested people” based on relationships found in a CRM system
•  Improved search filters based on industry-specific taxonomy
•  Recommendations on existing Needs Action or Waiting for Action tasks
Freedom to collaborate:
•  Allow for the substitution of third-party collaboration services in place of IBM’s
•  Chat
•  Files
•  …
http://tinyurl.com/njdun3v
“So if you’re not sure about IBM Verse today, think about
your move from keyboard to mouse…or from mouse to multi-
touch. You’ll get there. We’ll be there waiting for you…”
– Louis Richardson, IBM Storyteller
THANKS!
@sssouder
Domino, Notes, and Verse - Where Are
We and What's the Future?
Scott Vrusho
Senior Program Manager
Dave Kern
Resident Paranoid
Kevin Lynch
Senior Development Manager
June 16, 2015
Agenda
 Brief Review of current Domino content
 Futures
– Domino.Next
 IBM mail support for Microsoft Outlook / Hawthorn
 Security
 The Ongoing Saga of SSL and TLS
 Verse
– New way to work
CURRENCY
CURRENT DOMINO CONTENT
Domino 9.0.1
What's new in IBM Domino Social Edition 9.0.1
 Themes:
 Quality: Notes / Domino Social edition 9.0.1 was focused on addressing important
IBM customer reported defects
 Accessibility: XPages, iNotes, Domino server install
 Targeted features:
 Messaging Server Reliability (Cloud First)
 Diagnostic information in NSD for Router (Cloud First)
 Security Execution Control List (ECL): New setting for greater security control
over Java execution.
 XPages Mobile enhancements: detect device type, orientation, event changes
 New REST calendar service
Content in backup
Shipped Q4’13
Notes/Domino/Designer Fix Packs
 Notes/Domino/Designer 9.0.1 FP2
– IE11 support
– CKEditor 4.3.2 (Domino Server)
– JVM 1.6 SR16
 9.0.1 FP3
– iOS 8 support for XPages mobile controls – 9.0.1 FP2 IF1
– Dojo 1.9.4
– CKEditor 4.3.2.2 (Domino Server & Notes Client)
– JVM 1.6 SR16FP2
 9.0.1 FP4
– TLS 1.2 Plus More (details from Dave Kern in a few)
– Dojo 1.9.7
– Libpng 1.5.21
– JVM 1.6 SR16FP4
FUTURES
Domino.Next
What’s Next?
A sample of what’s coming in a future release
• Live View Refresh - Avoid view bottleneck when updating docs and views simultaneously
• Expanded Summary limit in Documents
• NIF/NSF project to optionally have NIF indexes stored outside of NSF file
• Support RFC 2231 - Popular international standard for email headers
• Restrict mail rule forwarding to Internet
• Backend support for field/document level encryption and signatures for XPages
• Support for MS calendar and message files
*IBM’s statements regarding its plans, directions and intent are
subject to change or withdrawal without notice at IBM’s sole discretion.
Solution: New item on view note
and a new view refresh option
(Critical).
This will shut down refresh
during view opening processing
The design flags can be set on
the view via an Updall switch
Domino.next LiveView Refresh – Dedicated background thread for
maintaining critical view indexes
Given out as Hotfixes.
Code added to 9.0.1 FP3
Fixes in FP4
Live View Refresh: Dedicated Background Thread
 The design flags can be set on the view via Updall task from server console on an ODS52 or above NSF file
Syntax:
Enable on a view: Load updall <dbname> -T#<#seconds> <viewname>
Disable on a view (901FP4 and above): Load updall <dbname> -T~ <viewname>
Example:
Load updall disc9.nsf -T#5 "By Category"
Load updall disc9.nsf -T#30 "All Documents"
 The dedicated threads can be observed via the server console ‘Show Tasks’
View Indexer disc9.nsf "By Category" 5 sec. stale read
View Indexer disc9.nsf "All Documents" 30 sec. stale read
 The individual threads can be stopped but only temporarily until a server restart
– tell "View Indexer" stop disc9.nsf "All Documents"
 To disable on a view, issue a ~ (tilde) with the -T command as follows:
– Load updall disc9.nsf -T~ "By Category"
This sets the refresh poller to 5 and 30
seconds on these views respectively.
Expand 64k Summary limit
 In current releases Text (Summary) limit is:
– 64KB per document
– 32KB per field
– 32KB per view entry
 In Notes/Domino.next we have raised the Summary data
– 16MB per document
– Individual Field/View limits remain unchanged
NSF Size on Disk
View Indexes on Disk
(outside of NSF file)
Can grow to 1 Terabyte
DAOS store
(outside of NSF)
Logical size can exceed
64gb with DAOS store
now and in the future
views outside of NSF
NIF-NSF: Storing Views (NIF) outside of Database (NSF)
• Encrypted for Secure storage
• Accessed through existing APIs
RFC2231 support for Mail File Types
 This RFC is the current standard for specifying non-ASCII headers.
– Although it was first introduced over 15 years ago, it was not widely used for
many years. It has evolved to be the default for many mail clients, e.g.,
Thunderbird
Restrict mail rule forwarding to internet
 Server configuration to prevent mail rule forwarding to an internet email
address
– This is a server side configuration option to prevent individual users from setting
up a mail rule that forwards their incoming messages to the internet (i.e. a
personal account).
– When users create a mail rule that includes the send/copy to action, any
addresses in domains that are not owned by your company are ignored
– Already Available in the Cloud
Secure Your Data On The Web - Document encryption &
signature support for XPages
 Ensure only the people you want to access the data can
access the data using XPages document encryption
 Simplify access using public keys or apply
greater control using secret keys
 Ensure authenticity by electronically signing Domino
documents from the web
Targeting 2016
Additional Features For XPages Encryption & Signature
Support
 Infrastructure for working with keys from the web
– New backend classes, methods & properties in C, Java & LotusScript
– New IDVault class
• Methods for working with IDs (Get or put ID, Get username…)
• Properties for
– New UserID class
• Method for getting encryption keys
– Other Methods
• Session class: IDVault Session.getIDVault()
• Database class: Database.setUserIDForDecrypt(UserID uid)
• Document class: Document.encrypt(Optional UserID uid)
Application Development
 Plus Lots of good content for the App Dev space as you recently heard
from Pete Janzen, Martin Donnelly and Brian Gleeson:
– May 2015 TLCC/TeamStudio Webinar:
App.Next - The Future of Domino Application Development
– https://www.youtube.com/watch?v=ntVFNjKnljE
Support for Microsoft calendar/message files
 This resolves the problem of receiving files that a user cannot take action on.
– Mail arrives with an un-viewable attachment. This will allow processing/handling
of these msg message types inline.
Currency
 Domino / Notes
– ND.next updates the baselines of components including:
• Java 8
• Latest Keyview for indexing/viewing attachments
• ICU – IBM Classes for Unicode revised
– Windows 10 Notes client support – In test now
– Notes Mac 64 bit coming this fall for OS X 10.11 – El Capitan
• Supports Java 8 – 64 bit
– Lots more for latest OS levels for Server including IBM i, zLinux, Windows
Server Next, RHEL/SLES
IBM MAIL SUPPORT FOR MICROSOFT
OUTLOOK
ALIASES: IMSMO, PROJECT HAWTHORN
(Limited Availability)
IBM provides choice in client experience
Notes Browser
Plug-in
Traveler
Notes
iNotes
Connections
Mail
Verse
(P) = On-premises only (C) = Cloud Initially
(P)
(C)
IMAP access
Microsoft Outlook 2013
Limited Availability
IBM Mail Server for Microsoft Outlook (IMSMO)
 It's a “Bring your own client” model supporting Outlook clients and various access methods
 Gives clients choice in messaging solutions
 Allows Domino 9 Server and Outlook 2013 to communicate
 Outlook 2013 natively offers EAS (Exchange ActiveSync) account configuration
 This is a capability vs. separate solution (i.e., IMAP, POP3, etc.)
 A lightweight Outlook 2013 add-in exposes additional functionality beyond what Outlook 2013
natively offers for EAS configurations
 Leverages Domino REST services
 Auto-updates ease desktop management as new releases are available
 Capabilities
 Mail, folders, calendar, contacts, delegation, offline, search, Notes encryption, OOO, room finder, freebusy, quota, etc.
What is Hawthorn?
Outlook 2013 &
IBM mail add-in
IP Sprayer
(F5 or IMC)
Corporate LDAP
(NameLookup only)
Domino with IMSA Domino with IMSA
Optional non-IMSA servers in
cluster
DB2 HADR
Domino mail cluster
Project Hawthorn
Architecture
Requirements
 Client
 Outlook 2013 on Windows only
 Mail Server
 Domino 64-bit on Windows 64-bit or AIX 64-bit and now Linux-64
 Domino release 9.0.1 + latest fixpack
 HTTP process running
 Mail replicas reside on the Hawthorn server(s)
 IDVault (enables Notes encryption)
 DB2
 Domino server leverages DB2 storage of mapping metadata
 Can be bypassed for small proof of concept deployments
 Greatly improves server performance, reliability
 Cloud – Planned for End of Q4 2015
Contact your IBM Sales rep to see if you are a
good fit for limited availability nomination
OVER TO DAVE KERN FOR SECURITY
The Ongoing Saga of SSL and TLS
How did we get here?
 The SHA-1 hash algorithm was due to be “sunset” in January 2016
– Naturally, we started working on SHA-2 support well in advance
 Sept 2014: Chrome and Firefox announced they were starting over a year early
– Adding prominent lack-of-trust warnings for sites with SHA-1 certificates
– Our timetable for Domino accelerates
 Oct 14, 2014: POODLE strikes!
– Browser manufacturers and administrators frantically start disabling SSLv3
– Our timetable for Domino accelerates
 Nov 4, 2014: Domino Interim Fixes released adding TLS 1.0 (POODLE) and SHA-2
 Dec 8, 2014: “POODLE on TLS” vulnerability announced.
 Dec 19, 2014: Domino Interim Fixes for POODLE on TLS released
 March 2015: Domino 9.0.1 FP3 IF2 adds TLS 1.2 and more
Nov 2014 Domino Interim Fixes
 For all Platforms and supported Versions
– 9.0.1 FP2, 9.0, 8.5.3 FP6, 8.5.2 FP4, 8.5.1 FP5
 TLS 1.0 support for all Internet Protocols inbound and outbound
– HTTP, SMTP, LDAP, POP3, IMAP
– DIIOP inbound only
– Support for TLS_FALLBACK_SCSV
– Does not enable disabling of SSL 3.0
– Cipher suite list for outbound connections re-ordered to place AES ciphers first
– Removed SSLv2, SSL renegotiation, and disabled weak (< 128 bit) ciphers
 SHA-2 support introduced
 No UI changes
 http://www.lotus.com/ldd/dominowiki.nsf/dx/IBM_Domino_TLS_1.0
Dec 2014 Notes and Domino Interim Fixes
 Security Bulletin: TLS Padding Vulnerability affects IBM Domino (CVE-2014-8730)
– http://www.ibm.com/support/docview.wss?uid=swg21693142
 SPR #KLYH9RMJGL: CVE-2014-8730 TLS 1.x Padding Vulnerability
– Fixes the “POODLE on TLS” vulnerability for CBC ciphers
 SPR #KLYH9QXMQE: Disable SSL ini: DISABLE_SSLV3=1
– Domino 9.0.1 FP2 IF3, 9.0 IF7, 8.5.3 FP6 IF6, 8.5.2 FP4 IF3, 8.5.1 FP5 IF3
– Notes 9.0.1 FP2 IF4 and 8.5.3 FP6 IF4 added TLS 1.0 support
• Windows, Linux and Mac OSX
SSLv2 ClientHello - Known “Incompatibility”
 Sending the first SSL message (ClientHello) in SSLv2 format provided backwards
compatibility with servers that only supported SSLv2
– This is only needed if you want to connect to servers that only support SSLv2
– Extremely useful in 1996!
– Using an SSLv2 ClientHello circumvents many important security characteristics of SSL/TLS
 Domino completely disabled SSLv2 including SSLv2 “ClientHello”
– Some other servers may still accept it even if SSLv2 itself is disabled
 SSLv2 ClientHello might be still used by some applications
– For example older OpenSSL Libraries or out-of-date clients
– Workaround is to force a specific protocol version “TLS 1.0”
• Example: wget.exe --secure-protocol=TLSv1 ..
– Potential issue with external SMTP Clients that shall remain nameless
Where are we today?
(Domino 9.0.1 FP3 IF2)
Why TLS 1.2?
 Uses SHA-256 internally instead of MD5 and SHA-1
 Adds support for ciphers with SHA-256 integrity checking
 Adds support for AEAD (AES-GCM) ciphers
 Other security-related improvements too numerous to mention
Caveats
 TLS 1.2 requires SHA-256 which requires Notes/Domino 9.0.x
– Significant cryptographic changes between 8.5.x and 9.0.x
– No plans to back port any enhanced TLS functionality to 8.5.x
 Any template, UI, and string changes require a Maintenance Release
– Not just a Fix Pack, Interim Fix, or Hot Fix.
– This is why a separate new keyring tool “kyrtool.exe” was released instead of a new database
 Therefore, until the next MR, configuration of TLS functionality will be limited to
– notes.ini variables
– server console commands
– command line applications
Secure Renegotiation
 Old-style renegotiation is vulnerable to session splicing attacks
– Renegotiation disabled by TLS 1.0 Interim Fixes
 Security scanners frequently confuse “doesn't support secure renegotiation”
with “supports insecure renegotiation”
 RFC 5746 requires servers that do not support renegotiation to claim
support for secure renegotiation
HTTP Strict Transport Security (HSTS) header
 Indicates to web browsers they should only connect to this site over
HTTPS and not HTTP
 Helps prevent web browsers from being tricked into communicating over
unencrypted HTTP
 Domino will now send this header by default if SSL/TLS is enabled and the
http port is disabled or set to “redirect only”
– Only with a one week “maximum age” by default
 http://www-10.lotus.com/ldd/dominowiki.nsf/dx/HSTS
Problem: The All-Seeing Eye
 How do you protect against an attacker who can spy on all of your network
traffic?
 In most SSL/TLS cipher specs the client transmits a “PreMasterSecret” to
the server encrypted with the server's public key
 A passive attacker could record network traffic for years and then acquire
the server's private key and decrypt all of that traffic
– Sound like anybody you know?
Solution: Perfect Forward Secrecy
 No long-term keys are used to generate or transmit the keys used to encrypt your network
traffic
 Incurs a significant performance penalty, so test in your environment before enabling
 May only be enabled via SSLCipherSpec notes.ini
 PFS cipher specs in Domino 9.0.1 FP3 IF2:
– TLS_DHE_RSA_WITH_AES_128_CBC_SHA
– TLS_DHE_RSA_WITH_AES_256_CBC_SHA
– TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
– TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
– TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
– TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Problem: Far too many attacks on hashes and CBC mode
 Most cipher specs use a hash algorithm for integrity checking
 Many advances in cryptanalytic techniques against hashes
– First to fall were MD4 and SHA-0
– Next fell MD5 and SHA-1
– Now we're using SHA-2 (SHA-256, SHA-384, and SHA-512)
– SHA-3 is undergoing standardization
– When will it end?
 Numerous flaws have been found in Cipher Block Chaining (CBC) mode ciphers
– Padding oracle attacks and timing attacks
– POODLE and other downgrade attacks
– POODLE on TLS and other padding attacks
– BEAST and other IV attacks
Solution: Authenticated Encryption (AEAD)
 AEAD cipher specs don't use a hash algorithm for integrity
– Integrity checking part of encryption and decryption
 AEAD cipher specs do not use CBC mode
– AEAD cipher specs tend to perform better than equivalent CBC mode ciphers
 AEAD ciphers in Notes/Domino 9.0.1 FP3 IF2 (from RFC 5288)
– TLS_RSA_WITH_AES_128_GCM_SHA256
– TLS_RSA_WITH_AES_256_GCM_SHA384
– TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
– TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Selecting Ciphers with “SSLCipherSpec”
 Server Doc / Internet Site doc no longer used for SSL/TLS configuration
– None of the new ciphers or versions are shown in the UI
– Design changes in Domino Directory will have to wait for a maintenance release (9.0.x) , not a FP or IF
 Notes.ini “SSLCipherSpec”
– Used to specify ciphers across all protocols
– Concatenate the two hex digit numbers for the desired ciphers
– Ciphers ordered based on strength
– Example: SSLCipherSpec=9D9C3D3C352F0A9F9E6B3967
• Enable most of the PFS ciphers as well as the default ciphers
 Latest cipher list available on the Notes/Domino wiki
– http://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration
Notes.ini Settings
 DISABLE_SSLV3=1
– Prevent incoming SSLv3 connections
– Fallback to SSLv3 already prevented with most modern clients via TLS_FALLBACK_SCSV
 DEBUG_SSL_ALL=2
– Or just DEBUG_SSL_HANDSHAKE=2 and DEBUG_SSL_CIPHERS=2 for less noise
 USE_WEAK_SSL_CIPHERS=1
– Not recommended – but if you absolutely must allow frighteningly weak cipher specs
 SSL_DISABLE_FALLBACK_SCSV=1
– Disables TLS_FALLBACK_SCSV functionality
– Not recommended – Only use if a badly misconfigured client absolutely needs to connect to your server
 SSL_ENABLE_INSECURE_RENEGOTIATE=1
– Not recommended – but if you absolutely need “classic” SSL renegotiation
 SSL_ENABLE_INSECURE_SSLV2_HELLO=1
– Not recommended – but if remote SMTP server refuses to disable SSLv2 backwards compatibility...
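An added example, not from the slides or from IBM: a small Python audit of a notes.ini covering the “SSLCipherSpec” and “Notes.ini Settings” slides above. It decodes the slide's example SSLCipherSpec value and flags the “not recommended” switches. Assumptions: each two-digit code is the low byte of the IANA cipher suite number (which matches the slide's example), setting names are matched case-insensitively, and the sample notes.ini is constructed.

```python
import re

# Two-hex-digit SSLCipherSpec codes. Assumption: each code is the low byte of
# the IANA TLS cipher suite number, consistent with the slide's example value.
CIPHERS = {
    "9F": "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "9E": "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "9D": "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "9C": "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "6B": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "67": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "3D": "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "3C": "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "39": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "35": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "33": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "2F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "0A": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

# Switches the slides mark as "not recommended" when set to 1.
RISKY_FLAGS = {
    "USE_WEAK_SSL_CIPHERS": "allows weak cipher specs",
    "SSL_DISABLE_FALLBACK_SCSV": "disables TLS_FALLBACK_SCSV downgrade protection",
    "SSL_ENABLE_INSECURE_RENEGOTIATE": "re-enables old-style SSL renegotiation",
    "SSL_ENABLE_INSECURE_SSLV2_HELLO": "accepts an SSLv2-format ClientHello",
}

# Constructed sample input, not taken from a real server.
SAMPLE_INI = """\
[Notes]
DISABLE_SSLV3=1
SSLCipherSpec=9D9C3D3C352F0A9F9E6B3967
SSL_ENABLE_INSECURE_RENEGOTIATE=1
DEBUG_SSL_HANDSHAKE=2
"""


def decode_cipher_spec(value):
    """Split an SSLCipherSpec value into two-digit codes and classify each."""
    value = value.strip().upper()
    if len(value) % 2 or not re.fullmatch(r"[0-9A-F]*", value):
        raise ValueError("SSLCipherSpec must be an even number of hex digits")
    suites = []
    for i in range(0, len(value), 2):
        code = value[i:i + 2]
        name = CIPHERS.get(code)  # None for a code this table does not know
        suites.append({
            "code": code,
            "name": name,
            "pfs": bool(name) and "_DHE_" in name,   # forward secrecy
            "aead": bool(name) and "_GCM_" in name,  # authenticated encryption
        })
    return suites


def parse_notes_ini(text):
    """Return NAME=value pairs with upper-cased names (assumed case-insensitive)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        settings[key.strip().upper()] = val.strip()
    return settings


def audit(text):
    """Return (setting, reason) findings for the TLS settings in a notes.ini."""
    ini = parse_notes_ini(text)
    findings = []
    if ini.get("DISABLE_SSLV3") != "1":
        findings.append(("DISABLE_SSLV3", "incoming SSLv3 connections are not disabled"))
    for flag, why in RISKY_FLAGS.items():
        if ini.get(flag) == "1":
            findings.append((flag, why))
    spec = ini.get("SSLCIPHERSPEC")
    if spec is not None:
        suites = decode_cipher_spec(spec)
        unknown = [s["code"] for s in suites if s["name"] is None]
        if unknown:
            findings.append(("SSLCipherSpec", "unrecognised codes: " + ",".join(unknown)))
        if not any(s["pfs"] for s in suites):
            findings.append(("SSLCipherSpec", "no forward-secret (DHE) suite enabled"))
        if not any(s["aead"] for s in suites):
            findings.append(("SSLCipherSpec", "no AEAD (AES-GCM) suite enabled"))
        if any(s["code"] == "33" for s in suites):
            findings.append(("SSLCipherSpec",
                             "enables TLS_DHE_RSA_WITH_AES_128_CBC_SHA, which the "
                             "slides associate with 1024-bit DH (Logjam)"))
    return findings


if __name__ == "__main__":
    for suite in decode_cipher_spec("9D9C3D3C352F0A9F9E6B3967"):
        print(suite["code"], suite["name"], "PFS" if suite["pfs"] else "", "AEAD" if suite["aead"] else "")
    for setting, reason in audit(SAMPLE_INI):
        print("FINDING:", setting, "-", reason)
```

Decoding the slide's example shows five of the six PFS suites enabled; the one left out is code 33, TLS_DHE_RSA_WITH_AES_128_CBC_SHA.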
SSL Test Tools
 https://www.ssllabs.com/ssltest/
 Probably one of the busiest SSL test sites these days
– Can be used to get an idea about your server security status
– Will provide a “rating” for your server from “A” to “F”
– Also includes details about supported SSL protocol versions and ciphers
• Also contains a very useful “simulation” of which ciphers certain applications might use
– There is also a test to check which SSL protocol versions and ciphers are supported
Reference for Useful OpenSSL Commands
 Connect test HTTPS
– openssl s_client -connect www.acme.com:443
 Connect test SMTP TLS
– openssl s_client -connect mail.acme.com:25 -starttls smtp
 Both print detailed information about certificate, protocol and cipher
 Options to force certain SSL versions
– -tls1, -no_tls1, -no_ssl3
 “wget” - another test tool
– Uses openssl libs and can be used for HTTPS requests
– wget.exe [--secure-protocol=TLSv1] --no-check-certificate https://www.acme.com
Where are we going?
Enhancements under consideration for inclusion in a
future Fix Pack
 OCSP Response Stapling
– Server requests a single OCSP response for itself and sends it as part of the TLS handshake
– Improves performance by saving each client from needing to perform its own request
 Improved interoperability with Java 6 and 7
– Java 6 and 7 only support 1024 bit DH, which breaks compatibility with servers that choose stronger groups
– Java 6 and 7 only use DH with TLS_DHE_RSA_WITH_AES_128_CBC_SHA
– Enhancement to only use 1024 bit DH when using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 Drop priority of TLS_DHE_RSA_WITH_AES_128_CBC_SHA to protect against Logjam attack
– 1024 bit DH groups are believed to be insecure, so avoid them unless the alternative is sending data in the clear.
 Add support for 4096 bit DH groups
 Logging enhancements
 Stability and interoperability fixes
TLS 1.3
 Cleans up and greatly simplifies the TLS protocol
– TLS 1.3 overhauls SSL/TLS in the way that TLS 1.0 should have
 Currently just an Internet Draft, but we're following it closely
– Currently only allows cipher suites with Perfect Forward Secrecy and
Authenticated Encryption
 Under consideration for inclusion in a future release of Notes/Domino
Notes/Domino SHA-2 Support
SHA-1 is rated as “insecure”
 SHA-1 is not recommended any more
– There are at least theoretical attacks against SHA-1
– Customers are encouraged to move away from SHA-1 to avoid situations we had before
with MD5
– SHA-256 is recommended and required for secure encryption
– Governments recommend moving to SHA-256
– SHA-256 is approved by Federal Information Processing Standard (FIPS) 140-2
 Browser vendors have decided to start warning when SHA-1 certificates are used
– For example: Google is the first to start warning, for certificates expiring at the end of this year
• Reducing the expiration time for the certs step by step (1.1.2017, .. 1.1.2016)
– Affected certificates are all Server and intermediate CAs signed with SHA-1
– Root Certifiers are not affected because they are verified in a different way
Browser Vendors start to sunset SHA-1
 This means that you have to replace your certificates ASAP
– Best practice is also to create a new public/private key
• Key could have been compromised and you don't know about it yet
– Ensure that the CA you are using already supports SHA-2
• Most CAs only support SHA-2 today for exactly those reasons
– If your server certificate expires later than 31.12.2015 and your server does not support SHA-2 yet,
consider requesting a cert with a shorter validity period
• Just a work-around. Better would be to update your server or put a secure
reverse proxy in front of it
 References
– https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
– http://googleonlinesecurity.blogspot.de/2014/09/gradually-sunsetting-sha-1.html
SHA-256 (SHA-2) Support
 Domino 9.0.x without the current IFs did already support SHA-256 in some areas
– X.509 certificate signature verification and S/MIME signed mail
– Some areas of Notes/Domino where a password such as the Internet (HTTP) password was previously
"hashed."
– Internet CA supports SHA-256
 Domino 9.0.1 FP2 IF1 supports SHA-2 Certificates for all Internet Protocols and for Keyring
Files
– SHA-2 support covers SHA-256, SHA-384, and SHA-512
– No Support for SHA-2 is planned for Domino 8.5.x
• Domino 8.5.x does not contain SHA-2 support
– You should consider updating to the current 9.0.1 fixpack and IF if possible
– New Keyring files Management Tool “kyrtool”
New Keyring Tool - “kyrtool”
 Separate Download
– Available for Win32/64, Linux 32/64 on Client or Server → just needs to be copied to the N/D program
directory
 Can be used to import, show, export certificates
– But not to create a private/public key and a certificate request
 You can use OpenSSL to create the key and the request
– Or you can use any other tool to create the key and the request
– Or use an existing key and cert in PEM format
 Importing Trusted Roots
– Either add all to a single PEM file from leaf to root (key, cert, intermediates, root)
– Or import roots separately
• Needs Notes/Domino 9.0.1 FP2 IF1 code → Backend API change is needed
Create a Certificate using OpenSSL
 OpenSSL
– installed natively on Linux/Unix
– On Windows you can use a cygwin environment
 1. Create a Private/Public Key
– openssl genrsa -out server.key 2048
 2. Generate a Certificate Signing Request (CSR)
– openssl req -new -sha256 -key server.key -out server.csr
 3. Send CSR to CA for signing
– Or create a “self signed” certificate for testing
• openssl x509 -req -days 3650 -sha256 -in server.csr -signkey server.key -out server.pem
– Result is a file in “PEM” format
Verify Import File
 Before importing a PEM file, you should verify the content with the “verify” command
– Ensure that the certificate chain is complete and ordered correctly (key, cert, intermediate certs, root
cert)
– Special tip: you can show the certs in an input file to figure out which cert is missing
• Example: kyrtool.exe show certs -i c:dominoall.crt
 kyrtool.exe verify c:dominoall.crt
– Successfully read 2048 bit RSA private key
– INFO: Successfully read 4 certificates
– INFO: Private key matches leaf certificate
– INFO: IssuerName of cert 0 matches the SubjectName of cert 1
– INFO: IssuerName of cert 1 matches the SubjectName of cert 2
– INFO: IssuerName of cert 2 matches the SubjectName of cert 3
– INFO: Final certificate in chain is self-signed
Create Keyring File
 Create a new Keyring File
– kyrtool create -k keyring.kyr -p password
– When creating a keyring file you need to specify a password
• All other commands will read the password from the “.sth” file
 Importing Key, Certificate, Intermediates and Trusted root
– Copy key, cert, intermediates and root certificate into one PEM file
– kyrtool import all -k keyring.kyr -i server.pem
 You can also import the different parts separately
– kyrtool import all|keys|certs|roots -k keyring.kyr -i server.pem
– But that makes the import a lot more complicated
Keyring “show” command
 Can be used to show information from a keyring file
 kyrtool show certs -k keyfile.kyr
– Shows the entire cert chain including the root matching the cert
– Tip: You can use the show command to dump all certs and use the “verify” command on the resulting file
 kyrtool show keys -k keyfile.kyr
– Shows all keys in the keyfile
 kyrtool show roots -k keyfile.kyr
– Shows all trusted roots in the keyfile
 Verbose option “-v” can be used to dump more detailed information
– More “-v”s on the command line result in more information
Reference - Converting file formats
 Kyrtool requires “PEM” format (text based - BASE64 encoded DER format)
– In many cases your CA might use different formats (e.g. Microsoft CA)
 OpenSSL is your friend when converting different formats
– But syntax is not always easy to figure out
– Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
• openssl pkcs12 -in cert.pfx -out cert.pem -nodes
– Convert Binary DER formatted certificate to text based (BASE64) PEM format
• openssl x509 -inform der -in server.cer -outform pem -out server.pem
– Convert Binary DER formatted certificate chain to text based (BASE64) PEM format
• openssl pkcs7 -print_certs -inform der -in certificate_chain.p7b -outform pem -out chain.pem
Notes S/MIME Support
Increasing Internet Certificate Key Size
 Domino 9 Internet CA Supports SHA-2
– You can remove and re-create the Internet Certifier with SHA256 and higher key length
– Or create multiple Internet Certifiers
Internet CA Result
 Resulting CA can be used to assign new certificates to users via Person Doc
Enabling stronger ciphers and SHA-2
 Client Notes.ini (deployed via desktop policy) needs the following settings
– SMIME_CAPABILITIES_SEND=AES_128:SHA_256
– SMIME_FIRST_CHOICE_CONTENT_ENC_ALG=AES_256
DOMINO 9.0.1 CONTENT
Backup
9.0.1: Messaging Server Reliability
 Protect from repeat outages due to a single message instance:
 Processing a “bad” message causes the crash, and the message remains in mail.box or the mail file. The server restarts and processes the same “bad” message again, causing a repeat crash in the following scenarios:
 Transfer or deliver same "bad" message: Router repeat crash
 Receive same "bad" message: SMTP repeat crash
 Fetch same “bad” message via IMAP: IMAP repeat crash
 Solution for messaging server reliability in 9.0.1:
 Keep per-thread context identifying the current message being processed.
 Register an exception handler callback that is called at the time of a crash to record which email message was being processed. A data file is opened and the information identifying this message is written to the file.
 When the server restarts, if that file exists, Router/SMTP/IMAP read the file to identify the "bad" message, move the "bad" message to a new DB (Router and IMAP), and continue with the remaining messages.
9.0.1: Messaging Server Reliability
 Prevent Router, SMTP and IMAP Repeat Crash
 The feature is enabled by default in 9.0.1
 Set the following Notes.ini settings to disable the feature
 RouterDisableFaultDataCapture=1
 SMTPDisableFaultDataCapture=1
 IMAPDisableFaultDataCapture=1
 How we Deal with "bad" message
 Quarantine Message to IBM_Technical_Support directory
 Router/IMAP: Upon Restart move message for diagnostic collection
 SMTP reject with “554 unable to import”
9.0.1: Diagnostic information in NSD for Router
 Router diagnostic data provides additional information in NSD stacks
 This identifies work in progress by a router transfer/delivery thread at the time of a crash.
The information includes
 Message being processed (mailbox and Note ID)
 Sender and recipient.
 Stacks in the NSD contain a string printing out this value.
9.0.1: New Execution Control List attribute
- Only load Signed & Trusted Java code
 Provide Notes client users with an option to mitigate any risks involved with running Java code in Notes documents
 Prior ECLs associated with Applets, Java agents & XPages enforce runtime security
 No load-time ECL check leaves an open window for application Java code to exploit any vulnerabilities in the JVM
 Load-time verification ECL check gives customers more granular control over what Java code is allowed to load & run in a Notes client document
 The quarterly Oracle security patches have all been around attacks on the JVM security model, primarily from unsigned code
 This is not a fix to address any known exploit but rather a mechanism to mitigate any future exploits
 More important from a Notes client perspective, since deploying a security patch to the Notes client JVM is not always an acceptable solution for customers
 Changes are limited to the client only, covering: XPages, Applets, Java agents & JS → Java calls
 Java code running in the context of Notes documents checks the load-time ECL attribute and alerts the user if the signer does not have permission to load Java code
 New ECL attribute “Load Java code” in security panel and in security policy document for pushing out ECL settings
9.0.1: New Security Policy for Federated Login
 New Security Policy Setting to prevent use of password on vaulted ID when Federated Login is configured
 Policy setting is only visible if NFL or WFL is configured
 Default is Yes (ie, Allow use of password)
 'No' enforces use of SAML for download of ID from Vault
9.0.1: Web SSO Config Doc Has Custom Cookie Names
 Web SSO Config doc allows the admin to specify custom names for LTPAToken and LTPAToken2.
 Can be used to configure users for SSO across multiple SSO domains
Questions????
Use the Orange Arrow button to
expand the GoToWebinar panel
Then ask your questions in the
Questions panel!
Remember, we will answer your
questions verbally
#XPages
@ssounder
@TLCCLtd
@Teamstudio
@PaulDN
Upcoming Events:
 MWLug User Group Meeting, Atlanta, GA - Aug. 19-21
 ICON UK, London, England – Sept. 21-22
Question and Answer Time!
Teamstudio Questions?
contactus@teamstudio.com
978-712-0924
TLCC Questions?
howardg@tlcc.com paul@tlcc.com
888-241-8522 or 561-953-0095
Howard Greenberg
Paul Della-Nebbia
Courtney Carter
Kevin Lynch
Dave Kern
Scott Vrusho
Keep in mind:
TLCC Spring Sale Ends on June 30th
Scott Souder

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 

Recently uploaded (20)

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 

Domino, Notes, and Verse - Where are We and What's the Future?

  • 1. Domino, Notes, and Verse Where are We and What’s the Future? Tweet about this event And mention us: @Teamstudio @TLCCLTD @sssouder June 16, 2015
  • 3. Who We Are • Teamstudio’s background is in creating tools for collaborative computing in mid-size and large enterprises, primarily for IBM Notes • Easy-to-use tools for developers and administrators • 1600+ active customers, 53 countries • Offices in US, UK, and Japan • Entered mobile space in 2010 with Unplugged: easy mobilization of Notes apps to Blackberry, Android and iOS
  • 4. Teamstudio Unplugged • Your mobile Domino server: take your IBM Notes apps with you! • End-users access Notes applications from mobile devices whether online or offline • Leverages the powerful technology of XPages
  • 5. Unplugged Templates • Continuity – Mobile offline access to BCM programs • OneView Approvals – Expense approvals; anywhere, anytime • CustomerView – lightweight CRM framework for field sales and field service teams • Contacts – customer information database • Activities – customer activity log • Media – mobile offline file storage and access
  • 6. XControls • Set of Controls for IBM Domino XPages developers working on new XPages apps and on app modernization projects • Re-write of the Teamstudio Unplugged Controls project, but adds full support for PC browser-based user interfaces as well as mobile interfaces • Enables XPages developers to create controls that are responsive • Learn more: teamstudio.com/solutions/xfoundations
  • 7. Teamstudio Services • Professional services for modernization, web enablement, project management, development, and administration o Modernization Services o Unplugged Developer Assistance Program o Application Upgrade Analysis o Application Complexity Analysis o Application Usage Auditing • http://www.teamstudio.com/solutions/services/
  • 8. • NotesTools promotion: o Be automatically entered to win an iPhone 6 if you contact us by Jun. 30, 2015 for more information on Analyzer, Delta, and Configurator. • Webinar in French: Jun. 24, 2015 o With Laurent Godme of IBM and Ady Makombo of Teamstudio
  • 9. Domino, Notes and Verse - Where are we and What's the Future? Your Hosts Today: Howard Greenberg, TLCC (@TLCCLtd); Paul Della-Nebbia, TLCC (@PaulDN) #XPages
  • 10. How can TLCC Help YOU! • Private classes at your location or virtual • XPages Development • Support Existing Apps • Administration • Let us help you become an expert XPages developer! • Delivered via Notes • XPages • Development • Admin • User • Self-Paced Courses • Mentoring • Instructor-Led Classes • Application Development and Consulting • Free Demo Courses!
  • 11. • Save hundreds and even Thousands of Dollars on the most popular courses and packages o XPages o Notes/Domino Admin and Development • Extended!!! Now through June 30th http://www.tlcc.com/springsale
  • 12. Upcoming and Recorded Webinars • The Webinars will resume in September! • www.tlcc.com/xpages-webinar • View Previous Webinars (use url above)
  • 13. Asking Questions – Q and A at the end • Use the Orange Arrow button to expand the GoToWebinar panel • Then ask your questions in the Questions pane! • We will answer your questions verbally at the end of the webinar
  • 14. Your Presenters Today: Scott Vrusho, IBM; Dave Kern, IBM; Kevin Lynch, IBM; Scott Souder, IBM (@ssouder) #XPages
  • 15. SCOTT SOUDER IBM Program Director Sr. Product Manager, IBM Verse
  • 16. © 2015 IBM Corporation Legal Disclaimer: IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion. 
  • 17. Mail that understands you • Less clutter, more clarity • Connecting me to we
  • 18. Let’s take a look…
  • 19. IBM Verse Roadmap
  • 20. IBM Verse Post-GA priorities • Offline • Mobile: native iOS and Android • Enhanced Calendar • Deepen social integration • Personal Assistant based on IBM Watson • Extensibility and programmability for 3rd party integration • Continuous enhancement based on user usage metrics • On-premises support
  • 21. Contact Sync! Sync social contacts and mail contacts • Modern, first-class experience • Fully accessible • Seamlessly sync your Notes/Domino-based contacts with your Connections-based social contacts
  • 22. Here’s what we’re thinking about next… • Share to blog w/images and attachments • Reduce cognitive debt by optimizing screen real estate for ease-of-use and clarity • A “reimagined” calendar experience • Reduce mail debt by surfacing messages that matter • Improvements to “Getting Started” experience • File viewer enhancements • Orient user and focus on what matters today • A deeper, more integrated chat experience • “Create my profile picture” experience
  • 23. IBM Verse Extensibility and API objectives. Partnering for success: • Cover key integration points • Build the supporting ecosystem • Focus on key differentiators • Verse extensibility • Service APIs
  • 24. IBM Verse Extensibility and API directions • Integrated actions: Allow for adding actions which work against content in Verse – Acting on a notification from a workflow application – Moving a message into a CRM system for an identified opportunity – Archiving a message as “CLASSIFIED” • Export insight: Allow external applications to leverage Verse’s analytics and social insight – People important / suggested to me – Team analytics – Needs Action / Waiting for Action
  • 25. IBM Verse Extensibility and API directions • Improve on a New Way to Work: Allow insights gathered from external resources to enhance the Verse experience – Supplementing “suggested people” based on relationships found in a CRM system – Improved search filters based on industry-specific taxonomy – Recommendations on existing Needs Action or Waiting for Action tasks • Freedom to collaborate: Allow for the substitution of third-party collaboration services in place of IBM’s – Chat – Files – …
  • 26. http://tinyurl.com/njdun3v “So if you’re not sure about IBM Verse today, think about your move from keyboard to mouse…or from mouse to multi-touch. You’ll get there. We’ll be there waiting for you…” – Louis Richardson, IBM Storyteller
  • 28. Domino, Notes, and Verse - Where Are We and What's the Future? Scott Vrusho, Senior Program Manager; Dave Kern, Resident Paranoid; Kevin Lynch, Senior Development Manager. June 16, 2015
  • 29. Agenda • Brief Review of current Domino content • Futures – Domino.Next • IBM mail support for Microsoft Outlook / Hawthorn • Security • The Ongoing Saga of SSL and TLS • Verse – New way to work
  • 31. What's new in IBM Domino Social Edition 9.0.1 (Shipped Q4’13) • Themes: – Quality: Notes / Domino Social Edition 9.0.1 was focused on addressing important IBM customer reported defects – Accessibility: XPages, iNotes, Domino server install • Targeted features: – Messaging Server Reliability (Cloud First) – Diagnostic information in NSD for Router (Cloud First) – Security Execution Control List (ECL): New setting for greater security control over Java execution. – XPages Mobile enhancements: detect device type, orientation, event changes – New REST calendar service • Content in backup
  • 32. Notes/Domino/Designer Fix Packs • Notes/Domino/Designer 9.0.1 FP2 – IE11 support – CKEditor 4.3.2 (Domino Server) – JVM 1.6 SR16 • 9.0.1 FP3 – iOS 8 support for XPages mobile controls – 9.0.1 FP2 IF1 – Dojo 1.9.4 – CKEditor 4.3.2.2 (Domino Server & Notes Client) – JVM 1.6 SR16FP2 • 9.0.1 FP4 – TLS 1.2 Plus More (details from Dave Kern in a few) – Dojo 1.9.7 – Libpng 1.5.21 – JVM 1.6 SR16FP4
  • 34. What’s Next? A sample of what’s coming in a future release • Live View Refresh - Avoid view bottleneck when updating docs and views simultaneously • Expanded Summary limit in Documents • NIF/NSF project to optionally have NIF indexes stored outside of NSF file • Support RFC 2231 - Popular International standard for email headers • Restrict mail rule forwarding to Internet • Backend support for field/document level encryption and signatures for XPages • Support for MS calendar and message files *IBM’s statements regarding its plans, directions and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
  • 35. Domino.next LiveView Refresh – Dedicated background thread for maintaining critical view indexes • Solution: New item on view note and a new view refresh option (Critical). This will shut down refresh during view opening processing. • The design flags can be set on the view via an Updall switch. • Given out as Hotfixes. Code added to 9.0.1 FP3. Fixes in FP4.
  • 36. Live View Refresh: Dedicated Background Thread • The design flags can be set on the view via Updall task from server console on an ODS52 or above NSF file. Syntax: – Enable on a view: Load updall <dbname> -T#<#seconds> <viewname> – Disable on a view (901FP4 and above): Load updall <dbname> -T~ <viewname> – Example: Load updall disc9.nsf -T#5 "By Category" and Load updall disc9.nsf -T#30 "All Documents". This sets the refresh poller to 5 and 30 seconds on these views respectively. • The dedicated threads can be observed via the server console ‘Show Tasks’: View Indexer disc9.nsf "By Category" 5 sec. stale read; View Indexer disc9.nsf "All Documents" 30 sec. stale read • The individual threads can be stopped but only temporarily until a server restart – tell "View Indexer" stop disc9.nsf "All Documents" • To disable on a view, issue a ~ (tilde) with the -T command as follows: – Load updall disc9.nsf -T~ "By Category"
  • 37. Expand 64k Summary limit • In current releases Text (Summary) limit is: – 64KB per document – 32KB per field – 32KB per view entry • In Notes/Domino.next we have raised the Summary data limit: – 16MB per document – Individual Field/View limits remain unchanged
  • 38. NIF-NSF: Storing Views (NIF) outside of Database (NSF) • NSF Size on Disk • View Indexes on Disk (outside of NSF file) • Can grow to 1 Terabyte • DAOS store (outside of NSF) • Logical size can exceed 64 GB with DAOS store now and in the future views outside of NSF • Encrypted for Secure storage • Accessed through existing APIs
  • 39. RFC2231 support for Mail File Types • This RFC is the current standard for specifying non-ASCII headers. – Although it was first introduced over 15 years ago, it was not widely used for many years. It has evolved to be the default for many mail clients, e.g., Thunderbird
  • 40. Restrict mail rule forwarding to internet • Server configuration to prevent mail rule forwarding to an internet email address – This is a server side configuration option to prevent individual users from setting up a mail rule that forwards their incoming messages to the internet (i.e. a personal account). – When users create a mail rule that includes the send/copy to action, any addresses in domains that are not owned by your company are ignored – Already Available in the Cloud
  • 41. Secure Your Data On The Web - Document encryption & signature support for XPages (Targeting 2016) • Ensure only the people you want to access the data can access the data using XPages document encryption • Simplify access using public keys or apply greater control using secret keys • Ensure authenticity by electronically signing Domino documents from the web
  • 42. Additional Features For XPages Encryption & Signature Support • Infrastructure for working with keys from the web – New backend classes, methods & properties in C, Java & LotusScript – New IDVault class • Methods for working with IDs (Get or put ID, Get username…) • Properties for – New UserID class • Method for getting encryption keys – Other Methods • Session class: IDVault Session.getIDVault() • Database class: Database.setUserIDForDecrypt(UserID uid) • Document class: Document.encrypt(Optional UserID uid)
  • 43. Application Development • Plus lots of good content for the App Dev space as you recently heard from Pete Janzen, Martin Donnelly and Brian Gleeson: – May 2015 TLCC/TeamStudio Webinar: App.Next - The Future of Domino Application Development – https://www.youtube.com/watch?v=ntVFNjKnljE
  • 44. Support for Microsoft calendar/message files • This resolves the problem of receiving files that a user cannot take action on. – Mail arrives with un-viewable attachment. This will allow processing/handling these msg message types inline.
  • 45. Currency • Domino / Notes – ND.next updates the baselines of components including: • Java 8 • Latest Keyview for indexing/viewing attachments • ICU – IBM Classes for Unicode revised – Windows 10 Notes client support – In test now – Notes Mac 64 bit coming this fall for OS X 10.11 – El Capitan • Supports Java 8 – 64 bit – Lots more for latest OS levels for Server including IBM i, zLinux, Windows Server Next, RHEL/SLES
  • 46. IBM MAIL SUPPORT FOR MICROSOFT OUTLOOK ALIASES: IMSMO, PROJECT HAWTHORN (Limited Availability)
  • 47. IBM provides choice in client experience: Notes Browser Plug-in, Traveler, Notes, iNotes, Connections Mail, Verse, IMAP access, Microsoft Outlook 2013 (Limited Availability). Legend: (P) = On-premises only, (C) = Cloud Initially
  • 48. What is Hawthorn? IBM Mail Server for Microsoft Outlook (IMSMO) • It's a “Bring your own client” model supporting Outlook clients and various access methods • Gives clients choice in messaging solutions • Allows Domino 9 Server and Outlook 2013 to communicate • Outlook 2013 natively offers EAS (Exchange ActiveSync) account configuration • This is a capability vs. separate solution (i.e., IMAP, POP3, etc.) • A lightweight Outlook 2013 add-in exposes additional functionality beyond what Outlook 2013 natively offers for EAS configurations • Leverages Domino REST services • Auto-updates ease desktop management as new releases are available • Capabilities – Mail, folders, calendar, contacts, delegation, offline, search, Notes encryption, OOO, room finder, freebusy, quota, etc.
  • 49. Project Hawthorn Architecture: Outlook 2013 & IBM mail add-in; IP Sprayer (F5 or IMC); Corporate LDAP (NameLookup only); Domino with IMSA (two servers); Optional non-IMSA servers in cluster; DB2 HADR; Domino mail cluster
  • 50. Requirements • Client – Outlook 2013 on Windows only • Mail Server – Domino 64-bit on Windows 64-bit or AIX 64-bit and now Linux-64 – Domino release 9.0.1 + latest fixpack – HTTP process running – Mail replicas reside on the Hawthorn server(s) – IDVault (enables Notes encryption) • DB2 – Domino server leverages DB2 storage of mapping metadata – Can be bypassed for small proof of concept deployments – Greatly improves server performance, reliability • Cloud – Planned for End of Q4 2015 • Contact your IBM Sales rep to see if you are a good fit for limited availability nomination
  • 51. OVER TO DAVE KERN FOR SECURITY
  • 52. The Ongoing Saga of SSL and TLS
  • 53. How did we get here? • The SHA-1 hash algorithm was due to be “sunset” in January 2016 – Naturally, we started working on SHA-2 support well in advance • Sept 2014: Chrome and Firefox announced they were starting over a year early – Adding prominent lack-of-trust warnings for sites with SHA-1 certificates – Our timetable for Domino accelerates • Oct 14, 2014: POODLE strikes! – Browser manufacturers and administrators frantically start disabling SSLv3 – Our timetable for Domino accelerates • Nov 4, 2014: Domino Interim Fixes released adding TLS 1.0 (POODLE) and SHA-2 • Dec 8, 2014: “POODLE on TLS” vulnerability announced. • Dec 19, 2014: Domino Interim Fixes for POODLE on TLS released • March 2015: Domino 9.0.1 FP3 IF2 adds TLS 1.2 and more
  • 54. Nov 2014 Domino Interim Fixes • For all Platforms and supported Versions – 9.0.1 FP2, 9.0, 8.5.3 FP6, 8.5.2 FP4, 8.5.1 FP5 • TLS 1.0 support for all Internet Protocols inbound and outbound – HTTP, SMTP, LDAP, POP3, IMAP – DIIOP inbound only – Support for TLS_FALLBACK_SCSV – Does not enable disabling of SSL 3.0 – Cipher suite list for outbound connections re-ordered to place AES ciphers first – Removed SSLv2, SSL renegotiation, and disabled weak (< 128 bit) ciphers • SHA-2 support introduced • No UI changes • http://www.lotus.com/ldd/dominowiki.nsf/dx/IBM_Domino_TLS_1.0
  • 55. Dec 2014 Notes and Domino Interim Fixes • Security Bulletin: TLS Padding Vulnerability affects IBM Domino (CVE-2014-8730) – http://www.ibm.com/support/docview.wss?uid=swg21693142 • SPR #KLYH9RMJGL: CVE-2014-8730 TLS 1.x Padding Vulnerability – Fixes the “POODLE on TLS” vulnerability for CBC ciphers • SPR #KLYH9QXMQE: Disable SSL ini: DISABLE_SSLV3=1 – Domino 9.0.1 FP2 IF 3, 9.0 IF7, 8.5.3 FP6 IF6, 8.5.2 FP4 IF3, 8.5.1 FP5 IF3 – Notes 9.0.1 FP2 IF4 and 8.5.3 FP6 IF4 added TLS 1.0 support • Windows, Linux and Mac OSX
  • 56. SSLv2 ClientHello - Known “Incompatibility” • Sending the first SSL message (ClientHello) in SSLv2 format provided backwards compatibility with servers that only supported SSLv2 – This is only needed if you want to connect to servers that only support SSLv2 – Extremely useful in 1996! – Using an SSLv2 ClientHello circumvents many important security characteristics of SSL/TLS • Domino completely disabled SSLv2 including SSLv2 “ClientHello” – Some other servers may still accept it even if SSLv2 itself is disabled • SSLv2 ClientHello might be still used by some applications – For example older OpenSSL Libraries or out-of-date clients – Workaround is to force a specific protocol version “TLS 1.0” • Example: wget.exe --secure-protocol=TLSv1 .. – Potential issue with external SMTP Clients that shall remain nameless
  • 57. Where are we today? (Domino 9.0.1 FP3 IF2)
  • 58. Why TLS 1.2? • Uses SHA-256 internally instead of MD5 and SHA-1 • Adds support for ciphers with SHA-256 integrity checking • Adds support for AEAD (AES-GCM) ciphers • Other security-related improvements too numerous to mention
  • 59. Caveats • TLS 1.2 requires SHA-256 which requires Notes/Domino 9.0.x – Significant cryptographic changes between 8.5.x and 9.0.x – No plans to back port any enhanced TLS functionality to 8.5.x • Any template, UI, and string changes require a Maintenance Release – Not just a Fix Pack, Interim Fix, or Hot Fix. – This is why a separate new keyring tool “kyrtool.exe” was released instead of a new database • Therefore, until the next MR, configuration of TLS functionality will be limited to – notes.ini variables – server console commands – command line applications
  • 60. Secure Renegotiation • Old-style renegotiation is vulnerable to session splicing attacks – Renegotiation disabled by TLS 1.0 Interim Fixes • Security scanners frequently confuse “doesn't support secure renegotiation” with “supports insecure renegotiation” • RFC 5746 requires servers that do not support renegotiation to claim support for secure renegotiation
  • 61. HTTP Strict Transport Security (HSTS) header • Indicates to web browsers they should only connect to this site over HTTPS and not HTTP • Helps prevent web browsers from being tricked into communicating over unencrypted HTTP • Domino will now send this header by default if SSL/TLS is enabled and the http port is disabled or set to “redirect only” – Only with a one week “maximum age” by default • http://www-10.lotus.com/ldd/dominowiki.nsf/dx/HSTS
  • 62. Problem: The All-Seeing Eye • How do you protect against an attacker who can spy on all of your network traffic? • In most SSL/TLS cipher specs the client transmits a “PreMasterSecret” to the server encrypted with the server's public key • A passive attacker could record network traffic for years and then acquire the server's private key and decrypt all of that traffic – Sound like anybody you know?
  • 63. Solution: Perfect Forward Secrecy • No long-term keys are used to generate or transmit the keys used to encrypt your network traffic • Incurs a significant performance penalty, so test in your environment before enabling • May only be enabled via SSLCipherSpec notes.ini • PFS cipher specs in Domino 9.0.1 FP3 IF2: – TLS_DHE_RSA_WITH_AES_128_CBC_SHA – TLS_DHE_RSA_WITH_AES_256_CBC_SHA – TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 – TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 – TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 – TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • 64. Problem: Far too many attacks on hashes and CBC mode • Most cipher specs use a hash algorithm for integrity checking • Many advances in cryptanalytic techniques against hashes – First to fall were MD4 and SHA-0 – Next fell MD5 and SHA-1 – Now we're using SHA-2 (SHA-256, SHA-384, and SHA-512) – SHA-3 is undergoing standardization – When will it end? • Numerous flaws have been found in Cipher Block Chaining (CBC) mode ciphers – Padding oracle attacks and timing attacks – POODLE and other downgrade attacks – POODLE on TLS and other padding attacks – BEAST and other IV attacks
  • 65. Solution: Authenticated Encryption (AEAD) • AEAD cipher specs don't use a hash algorithm for integrity – Integrity checking part of encryption and decryption • AEAD cipher specs do not use CBC mode – AEAD cipher specs tend to perform better than equivalent CBC mode ciphers • AEAD ciphers in Notes/Domino 9.0.1 FP3 IF2 (from RFC 5288) – TLS_RSA_WITH_AES_128_GCM_SHA256 – TLS_RSA_WITH_AES_256_GCM_SHA384 – TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 – TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • 66. Selecting Ciphers with “SSLCipherSpec” • Server Doc / Internet Site doc no longer used for SSL/TLS configuration – None of the new ciphers or versions are shown in the UI – Design changes in Domino Directory will have to wait for a maintenance release (9.0.x), not a FP or IF • Notes.ini “SSLCipherSpec” – Used to specify ciphers across all protocols – Concatenate the two hex digit numbers for the desired ciphers – Ciphers ordered based on strength – Example: SSLCipherSpec=9D9C3D3C352F0A9F9E6B3967 • Enable most of the PFS ciphers as well as the default ciphers • Latest cipher list available on the Notes/Domino wiki – http://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration
  • 67. Notes.ini Settings • DISABLE_SSLV3=1 – Prevent incoming SSLv3 connections – Fallback to SSLv3 already prevented with most modern clients via TLS_FALLBACK_SCSV • DEBUG_SSL_ALL=2 – Or just DEBUG_SSL_HANDSHAKE=2 and DEBUG_SSL_CIPHERS=2 for less noise • USE_WEAK_SSL_CIPHERS=1 – Not recommended – but if you absolutely must allow frighteningly weak cipher specs • SSL_DISABLE_FALLBACK_SCSV=1 – Disables TLS_FALLBACK_SCSV functionality – Not recommended – Only use if a badly misconfigured client absolutely needs to connect to your server • SSL_ENABLE_INSECURE_RENEGOTIATE=1 – Not recommended – but if you absolutely need “classic” SSL renegotiation • SSL_ENABLE_INSECURE_SSLV2_HELLO=1 – Not recommended – but if remote SMTP server refuses to disable SSLv2 backwards compatibility...
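An added example (not IBM's or the presenters' code) that applies the SSLCipherSpec and Notes.ini Settings slides to a server's notes.ini: it decodes the concatenated cipher codes and reports the settings the slides mark as not recommended. It assumes each two-digit code is the low byte of the IANA cipher suite number, which matches the slide's example enabling five of the six PFS suites; the RSA-only CBC and 3DES names are IANA names rather than names from the slides, and the sample file is constructed.

```python
"""Audit the TLS-related notes.ini settings named on the slides (added example)."""

# Assumption: each two-hex-digit SSLCipherSpec value is the low byte of the
# IANA cipher suite number (0x00NN); the names below are the IANA names.
CIPHERS = {
    "0A": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "2F": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "33": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "35": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "39": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "3C": "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "3D": "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "67": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "6B": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "9C": "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "9D": "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "9E": "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "9F": "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
}

# Settings the slides mark "Not recommended" when set to 1.
NOT_RECOMMENDED = {
    "USE_WEAK_SSL_CIPHERS": "allows weak cipher specs",
    "SSL_DISABLE_FALLBACK_SCSV": "disables TLS_FALLBACK_SCSV functionality",
    "SSL_ENABLE_INSECURE_RENEGOTIATE": "re-enables classic SSL renegotiation",
    "SSL_ENABLE_INSECURE_SSLV2_HELLO": "accepts an SSLv2-format ClientHello",
}


def parse_ini(text):
    """Return {UPPERCASED_NAME: value} for every NAME=value line."""
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip():
            settings[name.strip().upper()] = value.strip()
    return settings


def decode_cipher_spec(spec):
    """Split an SSLCipherSpec value into two-digit codes and describe each."""
    spec = spec.strip().upper()
    if len(spec) % 2:
        raise ValueError("SSLCipherSpec must have an even number of hex digits")
    suites = []
    for i in range(0, len(spec), 2):
        code = spec[i:i + 2]
        name = CIPHERS.get(code)
        suites.append({
            "code": code,
            "name": name or "UNKNOWN",
            "pfs": bool(name) and "_DHE_" in name,    # ephemeral DH key exchange
            "aead": bool(name) and "_GCM_" in name,   # AES-GCM, no CBC or HMAC
        })
    return suites


def audit(ini_text):
    """Return (suites, findings) for the text of one notes.ini."""
    cfg = parse_ini(ini_text)
    findings = []
    if cfg.get("DISABLE_SSLV3") != "1":
        findings.append("DISABLE_SSLV3 is not 1: incoming SSLv3 is not blocked")
    for name, why in NOT_RECOMMENDED.items():
        if cfg.get(name) == "1":
            findings.append(f"{name}=1 {why} (not recommended)")
    spec = cfg.get("SSLCIPHERSPEC")
    if spec is None:
        findings.append("SSLCipherSpec not set: PFS ciphers are enabled only through it")
        return [], findings
    suites = decode_cipher_spec(spec)
    unknown = [s["code"] for s in suites if s["name"] == "UNKNOWN"]
    if unknown:
        findings.append("unrecognised cipher codes: " + " ".join(unknown))
    if not any(s["pfs"] for s in suites):
        findings.append("no PFS (DHE) cipher enabled")
    if not any(s["aead"] for s in suites):
        findings.append("no AEAD (AES-GCM) cipher enabled")
    return suites, findings


# Constructed sample, not taken from a real server; the SSLCipherSpec value
# is the example string from the slide.
SAMPLE_INI = """\
[Notes]
SSLCipherSpec=9D9C3D3C352F0A9F9E6B3967
DISABLE_SSLV3=1
SSL_ENABLE_INSECURE_SSLV2_HELLO=1
"""

if __name__ == "__main__":
    suites, findings = audit(SAMPLE_INI)
    for s in suites:
        tags = ",".join(t for t in ("pfs", "aead") if s[t])
        print(s["code"], s["name"], tags)
    for finding in findings:
        print("FINDING:", finding)
```
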
  • 68. SSL Test Tools
      • https://www.ssllabs.com/ssltest/
      • Probably one of the busiest SSL test sites these days
          – Can be used to get an idea about your server security status
          – Will provide a “rating” for your server from “A” to “F”
          – Also includes details about supported SSL protocol versions and ciphers
              • Also contains a very useful “simulation” of which ciphers certain applications might use
          – There is also a test to check which SSL protocol versions and ciphers are supported
  • 69. Reference for Useful OpenSSL Commands
      • Connect test HTTPS
          – openssl s_client -connect www.acme.com:443
      • Connect test SMTP TLS
          – openssl s_client -connect mail.acme.com:25 -starttls smtp
      • Both print detailed information about certificate, protocol and cipher
      • Options to force certain SSL versions
          – -tls1, -no_tls1, -no_ssl3
      • “wget” - another test tool
          – Uses openssl libs and can be used for HTTPS requests
          – wget.exe [--secure-protocol=TLSv1] --no-check-certificate https://www.acme.com
  • 70. Where are we going?
  • 71. Enhancements under consideration for inclusion in a future Fix Pack
      • OCSP Response Stapling
          – Server requests a single OCSP response for itself and sends it as part of the TLS handshake
          – Improves performance by saving each client from needing to perform its own request
      • Improved interoperability with Java 6 and 7
          – Java 6 and 7 only support 1024 bit DH, which breaks compatibility with servers that choose stronger groups
          – Java 6 and 7 only use DH with TLS_DHE_RSA_WITH_AES_128_CBC_SHA
          – Enhancement to only use 1024 bit DH when using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
      • Drop priority of TLS_DHE_RSA_WITH_AES_128_CBC_SHA to protect against Logjam attack
          – 1024 bit DH groups are believed to be insecure, so avoid them unless the alternative is sending data in the clear.
      • Add support for 4096 bit DH groups
      • Logging enhancements
      • Stability and interoperability fixes
  • 72. TLS 1.3
      • Cleans up and greatly simplifies the TLS protocol
          – TLS 1.3 overhauls SSL/TLS in the way that TLS 1.0 should have
      • Currently just an Internet Draft, but we're following it closely
          – Currently only allows cipher suites with Perfect Forward Secrecy and Authenticated Encryption
      • Under consideration for inclusion in a future release of Notes/Domino
  • 74. SHA-1 is rated as “insecure”
      • SHA-1 is no longer recommended
          – There are at least theoretical attacks against SHA-1
          – Customers are encouraged to move away from SHA-1 to avoid the situation we had before with MD5
          – SHA-256 is recommended and required for secure encryption
          – Governments recommend moving to SHA-256
          – SHA-256 is approved by Federal Information Processing Standard (FIPS) 140-2
      • Browser vendors have decided to start warning when SHA-1 certificates are used
          – For example: Google is the first to start warning, for certificates expiring at the end of this year
              • Reducing the expiration time for the certs step by step (1.1.2017, .. 1.1.2016)
          – Affected certificates are all server and intermediate CA certificates signed with SHA-1
          – Root certifiers are not affected because they are verified in a different way
  • 75. Browser Vendors start to sunset SHA-1
      • This means that you have to replace your certificates ASAP
          – Best practice is also to create a new public/private key
              • Key could have been compromised and you don't know about it yet
          – Ensure that the CA you are using already supports SHA-2
              • Most CAs only support SHA-2 today for exactly those reasons
          – If your server certificate expires later than 31.12.2015 and your server does not support SHA-2 yet, consider requesting a cert with a shorter validity period
              • Just a work-around. Better would be to update your server or put a secure reverse proxy in front of it
      • References
          – https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
          – http://googleonlinesecurity.blogspot.de/2014/09/gradually-sunsetting-sha-1.html
  • 76. SHA-256 (SHA-2) Support
      • Domino 9.0.x without the current IFs already supported SHA-256 in some areas
          – X.509 certificate signature verification and S/MIME signed mail
          – Some areas of Notes/Domino where a password such as the Internet (HTTP) password was previously "hashed."
          – Internet CA supports SHA-256
      • Domino 9.0.1 FP2 IF1 supports SHA-2 certificates for all Internet protocols and for keyring files
          – SHA-2 support covers SHA-256, SHA-384, and SHA-512
          – No support for SHA-2 is planned for Domino 8.5.x
              • Domino 8.5.x does not contain SHA-2 support
          – You should consider updating to the current 9.0.1 fixpack and IF if possible
          – New keyring file management tool “kyrtool”
  • 77. New Keyring Tool - “kyrtool”
      • Separate Download
          – Available for Win32/64, Linux 32/64 on Client or Server → just needs to be copied to the N/D program directory
      • Can be used to import, show, export certificates
          – But not to create a private/public key and a certificate request
      • You can use OpenSSL to create the key and the request
          – Or you can use any other tool to create the key and the request
          – Or use an existing key and cert in PEM format
      • Importing Trusted Roots
          – Either add all to a single PEM file from leaf to root (key, cert, intermediates, root)
          – Or import roots separately
              • Needs Notes/Domino 9.0.1 FP2 IF1 code → Backend API change is needed
  • 78. Create a Certificate using OpenSSL
      • OpenSSL – natively installed on Linux/Unix
          – On Windows you can use a cygwin environment
      • 1. Create a Private/Public Key
          – openssl genrsa -out server.key 2048
      • 2. Generate a Certificate Signing Request (CSR)
          – openssl req -new -sha256 -key server.key -out server.csr
      • 3. Send CSR to CA for signing
          – Or create a “self signed” certificate for testing
              • openssl x509 -req -days 3650 -sha256 -in server.csr -signkey server.key -out server.pem
          – Result is a file in “PEM” format
  • 79. Verify Import File
      • Before importing a PEM file, you should verify the content with the “verify” command
          – Ensure that the certificate chain is complete and ordered correctly (key, cert, intermediate certs, root cert)
          – Special tip: you can show the certs in an input file to figure out which cert is missing
              • Example: kyrtool.exe show certs -i c:dominoall.crt
      • kyrtool.exe verify c:dominoall.crt
          – Successfully read 2048 bit RSA private key
          – INFO: Successfully read 4 certificates
          – INFO: Private key matches leaf certificate
          – INFO: IssuerName of cert 0 matches the SubjectName of cert 1
          – INFO: IssuerName of cert 1 matches the SubjectName of cert 2
          – INFO: IssuerName of cert 2 matches the SubjectName of cert 3
          – INFO: Final certificate in chain is self-signed
  • 80. Create Keyring File
      • Create a new Keyring File
          – kyrtool create -k keyring.kyr -p password
          – When creating a keyring file you need to specify a password
              • All other commands will read the password from the “.sth” file
      • Importing Key, Certificate, Intermediates and Trusted root
          – Copy key, cert, intermediates and root certificate into one PEM file
          – kyrtool import all -k keyring.kyr -i server.pem
      • You can also import the different parts separately
          – kyrtool import all|keys|certs|roots -k keyring.kyr -i server.pem
          – But that makes the import a lot more complicated
  • 81. Keyring “show” command
      • Can be used to show information from a keyring file
      • kyrtool show certs -k keyfile.kyr
          – Shows the entire cert chain including the root matching the cert
          – Tip: You can use the show command to dump all certs and use the “verify” command on the resulting file
      • kyrtool show keys -k keyfile.kyr
          – Shows all keys in the keyfile
      • kyrtool show roots -k keyfile.kyr
          – Shows all trusted roots in the keyfile
      • Verbose option “-v” can be used to dump more detailed information
          – More “-v”s on the command line result in more information
  • 82. Reference - Converting file formats
      • Kyrtool requires “PEM” format (text based - BASE64 encoded DER format)
          – In many cases your CA might use different formats (e.g. Microsoft CA)
      • OpenSSL is your friend when converting different formats
          – But syntax is not always easy to figure out
          – Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
              • openssl pkcs12 -in cert.pfx -out cert.pem -nodes
          – Convert Binary DER formatted certificate to text based (BASE64) PEM format
              • openssl x509 -inform der -in server.cer -outform pem -out server.pem
          – Convert Binary DER formatted certificate chain to text based (BASE64) PEM format
              • openssl pkcs7 -print_certs -inform der -in certificate_chain.p7b -outform pem -out chain.pem
  • 84. Increasing Internet Certificate Key Size
      • Domino 9 Internet CA Supports SHA-2
          – You can remove and re-create the Internet Certifier with SHA256 and higher key length
          – Or create multiple Internet Certifiers
  • 85. Internet CA Result
      • Resulting CA can be used to assign new certificates to users via Person Doc
  • 86. Enabling stronger ciphers and SHA-2
      • Client Notes.ini (deployed via desktop policy) needs the following settings
          – SMIME_CAPABILITIES_SEND=AES_128:SHA_256
          – SMIME_FIRST_CHOICE_CONTENT_ENC_ALG=AES_256
  • 88. 9.0.1: Messaging Server Reliability
      • Protect from repeat outages due to a single message instance:
          – Processing a “bad” message is responsible for the crash. It remains in mail.box or the mail file. The server restarts and proceeds to deal with the same “bad” message, causing a repeat crash in the scenarios below:
              • Transfer or deliver same "bad" message: Router repeat crash
              • Receive same "bad" message: SMTP repeat crash
              • Fetch same “bad” message via IMAP: IMAP repeat crash
      • Solution to give messaging server reliability in 9.0.1:
          – Keeping per-thread context identifying the current message being processed.
          – Registering an exception handler callback that is called at the time of a crash to record which email message was being processed. A data file is opened and the information identifying this message is written to the file.
          – When the server restarts, if the above file exists, Router/SMTP/IMAP read the file to identify the "bad" message, move the "bad" message to a new DB (Router and IMAP), and continue to deal with the remaining messages.
  • 89. 9.0.1: Messaging Server Reliability
      • Prevent Router, SMTP and IMAP Repeat Crash
          – The feature is enabled by default in 9.0.1
          – Set the Notes.ini settings below to disable the feature
              • RouterDisableFaultDataCapture=1
              • SMTPDisableFaultDataCapture=1
              • IMAPDisableFaultDataCapture=1
      • How we deal with a "bad" message
          – Quarantine message to IBM_Technical_Support directory
          – Router/IMAP: Upon restart move message for diagnostic collection
          – SMTP reject with “554 unable to import”
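The fault-data-capture idea from slides 88 and 89 as a small simulation, added here as an example (it is not Domino code and not from the presentation). The crash is modelled as an exception, and the message fields, file name and function names are constructed for illustration.

```python
# Added simulation, not Domino code: record which message was in flight when
# the process "crashed", then quarantine that message on the next start.
import json
import os
import tempfile


class Crash(Exception):
    """Stands in for a process crash while handling one message."""


def process(msg):
    if msg["body"] == "bad":  # constructed trigger for the simulated crash
        raise Crash(msg["id"])


def run_router(mailbox, quarantine, fault_file):
    """One server lifetime; returns True once the mailbox is drained."""
    if os.path.exists(fault_file):  # restart path: a fault record exists
        with open(fault_file) as fh:
            bad_id = json.load(fh)["note_id"]
        for msg in [m for m in mailbox if m["id"] == bad_id]:
            mailbox.remove(msg)
            quarantine.append(msg)  # kept aside for diagnostics
        os.remove(fault_file)
    while mailbox:
        current = mailbox[0]  # context: the message being processed
        try:
            process(current)
        except Crash:
            with open(fault_file, "w") as fh:  # crash handler writes the record
                json.dump({"note_id": current["id"]}, fh)
            return False  # the process dies here
        mailbox.pop(0)
    return True


def simulate():
    """Restart until the mailbox drains; return (restarts, quarantined ids)."""
    mailbox = [{"id": "A1", "body": "ok"}, {"id": "B2", "body": "bad"},
               {"id": "C3", "body": "ok"}]  # constructed messages
    quarantine, restarts = [], 0
    fault_file = os.path.join(tempfile.mkdtemp(), "fault.json")
    while not run_router(mailbox, quarantine, fault_file):
        restarts += 1
    return restarts, [m["id"] for m in quarantine]
```

Without the restart path at the top of run_router, the loop in simulate would never end, which is the repeat-crash scenario the slides describe.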
  • 90. 9.0.1: Diagnostic information in NSD for Router
      • Router diagnostic data provides additional information in NSD stacks
      • This identifies work in progress by a router transfer/delivery thread at the time of a crash. The information includes
          – Message being processed (mailbox and Note ID)
          – Sender and recipient.
      • Stacks in the NSD contain a string printing out this value.
  • 91. 9.0.1: New Execution Control List attribute - Only load Signed & Trusted Java code
      • Provide Notes client users with an option to mitigate any risks involved with running Java code in Notes documents
      • Prior ECLs associated with Applets, Java agents & XPages enforce runtime security
      • No load time ECL check leaves an open window for application Java code to exploit any vulnerabilities in the JVM
      • Load time verification ECL check allows customers to have more granular control over what Java code is allowed to load & run in a Notes client document
      • The quarterly Oracle security patches have all been around attacks on the JVM security model, primarily from unsigned code
      • This is not a fix to address any known exploit but rather a mechanism to mitigate any future exploits
      • More important from a Notes client perspective since deploying a security patch to the Notes client JVM is not always an acceptable solution for customers
      • Changes are limited to Client only, covering: XPages, Applets, Java agents & JS → Java calls
      • Java code running in the context of Notes documents checks the load time ECL attribute and alerts the user if the signer does not have permissions to load Java code
      • New ECL attribute “Load Java code” in security panel and in security policy document for pushing out ECL settings
  • 92. 9.0.1: New Security Policy for Federated Login
      • New Security Policy Setting to prevent use of password on vaulted ID when Federated Login is configured
      • Policy setting is only visible if NFL or WFL is configured
      • Default is Yes (i.e., Allow use of password)
      • 'No' enforces use of SAML for download of ID from Vault
  • 93. 9.0.1: Web SSO Config Doc Has Custom Cookie Names
      • Web SSO Config doc allows admin to specify LTPAToken and LTPAToken2 custom name.
      • Can be used to configure users for SSO across multiple SSO domains
  • 95. #XPages @ssounder @TLCCLtd @Teamstudio @PaulDN
      • Upcoming Events:
          – MWLug User Group Meeting, Atlanta, GA - Aug. 19-21
          – ICON UK, London, England – Sept. 21-22
      • Question and Answer Time!
      • Teamstudio Questions? contactus@teamstudio.com 978-712-0924
      • TLCC Questions? howardg@tlcc.com paul@tlcc.com 888-241-8522 or 561-953-0095
      • Howard Greenberg, Paul Della-Nebbia, Courtney Carter, Kevin Lynch, Dave Kern, Scott Vrusho, Scott Souder
      • Keep in mind: TLCC Spring Sale Ends on June 30th