Domino, Notes, and Verse - Where are We and Whats the Future?
-
Upload
teamstudio -
Category
Technology
-
view
2.493 -
download
0
Transcript of Domino, Notes, and Verse - Where are We and Whats the Future?
Domino, Notes, and Verse
Where are We and What’s the Future?
Tweet about this event
And mention us: @Teamstudio @TLCCLTD
@sssouder
June 16, 2015
@Teamstudio
teamstudio.com
@TLCCLTD
tlcc.com
Courtney CarterInbound Marketing Specialist
Teamstudio
Who We Are
• Teamstudio’s background is in creating tools for
collaborative computing in mid-size and large
enterprises, primarily for IBM Notes
• Easy-to-use tools for developers and administrators
• 1600+ active customers, 53 countries
• Offices in US, UK, and Japan
• Entered mobile space in 2010 with Unplugged: easy
mobilization of Notes apps to Blackberry, Android
and iOS
Teamstudio Unplugged
• Your mobile Domino server: take your IBM Notes
apps with you!
• End-users access Notes applications from mobile
devices whether online or offline
• Leverages the powerful technology of XPages
Unplugged Templates
• Continuity – Mobile offline access to BCM programs
• OneView Approvals – Expense approvals; anywhere, anytime
• CustomerView – lightweight CRM framework for field sales and field service teams• Contacts – customer information database
• Activities – customer activity log
• Media – mobile offline file storage and access
XControls
• Set of Controls for IBM Domino XPages developers
working on new XPages apps and on app
modernization projects
• Re-write of the Teamstudio Unplugged Controls
project, but adds full support for PC browser-based
user interfaces as well as mobile interfaces
• Enables XPages developers to create controls that
are responsive
• Learn more: teamstudio.com/solutions/xfoundations
Teamstudio Services
• Professional services for modernization, web
enablement, project management, development,
and administrationo Modernization Services
o Unplugged Developer Assistance Program
o Application Upgrade Analysis
o Application Complexity Analysis
o Application Usage Auditing
• http://www.teamstudio.com/solutions/services/
• NotesTools promotion:
o Be automatically entered to win an iPhone 6 if you contact us by Jun. 30, 2015 for
more information on Analyzer, Delta, and Configurator.
• Webinar in French: Jun. 24, 2015
o With Laurent Godme of IBM and Ady Makombo of Teamstudio
1
#XPages
Your Hosts Today:
Howard GreenbergTLCC
@TLCCLtd
Domino, Notes and Verse -Where are we and What's the
Future?
Paul Della-NebbiaTLCC
@PaulDN
How can TLCC Help YOU!
2
• Private classes at your location or virtual
•XPages Development
•Support Existing Apps
•Administration
• Let us help you become an expert XPages developer!
• Delivered via Notes
• XPages
• Development
• Admin
• UserSelf-
Paced Courses
Mentoring
Instructor-Led
Classes
Application Development
and Consulting
Free Demo
Courses!
3
• Save hundreds and even Thousands of Dollars on the most popular courses and packages XPages Notes/Domino Admin and Development
• Extended!!! Now through June 30th
http://www.tlcc.com/springsale
Upcoming and Recorded Webinars
4
The Webinars will resume in September!
• www.tlcc.com/xpages-webinar
View Previous Webinars(use url above)
Asking Questions – Q and A at the end
5
Use the Orange Arrow button to expand the GoToWebinar panel
Then ask your questions in the Questions pane!
We will answer your questions verbally at the end of the webinar
Your Presenters Today:
6
#XPages
Scott VrushoIBM
Dave KernIBM
Kevin LynchIBM
Scott SouderIBM
@ssouder
SCOTT SOUDER IBM Program Director Sr. Product Manager, IBM Verse
© 2015 IBM Corporation
Legal Disclaimer: IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or
functionality described for our products remains at our sole discretion.
© 2015 IBM Corporation Mail that understands you Less clutter, more clarity Connecting me to we
© 2015 IBM Corporation
Let’s take a look…
© 2015 IBM Corporation
IBM Verse Roadmap
© 2015 IBM Corporation
IBM Verse Post-GA priorities
• Offline
• Mobile: native iOS and Android
• Enhanced Calendar
• Deepen social integration
• Personal Assistant based on IBM Watson
• Extensibility and programmability for 3rd party integration
• Continuous enhancement based on user usage metrics
• On-premises support
© 2015 IBM Corporation
Contact Sync! Sync social contacts and mail contacts
• Modern, first-class experience
• Fully accessible
• Seamlessly sync your Notes/Domino-based contacts with your Connections-based social contacts
© 2015 IBM Corporation
Here’s what we’re thinking about next…
• Share to blog w/images and attachments
• Reduce cognitive debt by optimizing screen real estate for ease-of-use and clarity
• A “reimagined” calendar experience
• Reduce mail debt by surfacing messages that matter
• Improvements to “Getting Started” experience
• File viewer enhancements
• Orient user and focus on what matters today
• A deeper, more integrated chat experience
• “Create my profile picture” experience
© 2015 IBM Corporation
IBM Verse Extensibility and API objectives
Partnering for success: • Cover key integration points
• Build the supporting ecosystem
• Focus on key differentiators
Verse extensibility
Service APIs
© 2015 IBM Corporation
IBM Verse Extensibility and API directions
Integrated actions: • Allow for adding actions which work against content in Verse
• Acting on a notification from a workflow application
• Moving a message into a CRM system for an identified opportunity
• Archiving a message as “CLASSIFIED”
Export insight: • Allow external applications to leverage Verse’s analytics and social insight
• People important / suggested to me
• Team analytics
• Needs Action / Waiting for Action
© 2015 IBM Corporation
IBM Verse Extensibility and API directions
Improve on a New Way to Work: • Allow insights gathered from external resources to enhance the Verse experience
• Supplementing “suggested people” based on relationships found in a CRM system
• Improved search filters based on industry-specific taxonomy
• Recommendations on existing Needs Action or Waiting for Action tasks
Freedom to collaborate:
• Allow for the substitution of third-party collaboration services in place of IBM’s • Chat
• Files
• …
http://tinyurl.com/njdun3v
“So if you’re not sure about IBM Verse today, think about your move from keyboard to mouse…or from mouse to multi-
touch. You’ll get there. We’ll be there waiting for you…”
– Louis Richardson, IBM Storyteller
THANKS! @sssouder
Domino, Notes, and Verse - Where Are We and What's the Future?
1
Scott VrushoSenior Program Manager
Dave KernResident Paranoid
Kevin LynchSenior Development Manager
June 16, 2015
Agenda
Brief Review of current Domino content
Futures
– Domino.Next
IBM mail support for Microsoft Outlook / Hawthorn
Security
The Ongoing Saga of SSL and TLS
Verse
– New way to work
CURRENCY
CURRENT DOMINO CONTENT
Domino 9.0.1
What's new in IBM Domino Social Edition 9.0.1
Themes:
Quality: Notes / Domino Social edition 9.0.1 was focused at addressing important IBM customer reported defects
Accessibility: XPages, iNotes, Domino server install
Targeted features:
Messaging Server Reliability (Cloud First)
Diagnostic information in NSD for Router (Cloud First)
Security Execution Control List (ECL): New setting for greater security control over Java execution.
XPages Mobile enhancements: detect device type, orientation, event changes
New REST calendar service
Content in backup
Shipped Q4’13
Notes/Domino/Designer Fix Packs
Notes/Domino/Designer 9.0.1 FP2
– IE11 support
– CKEditor 4.3.2 (Domino Server)
– JVM 1.6 SR16
9.0.1 FP3
– iOS 8 support for XPages mobile controls – 9.0.1 FP2 IF1
– Dojo 1.9.4
– CkEditor 4.3.2.2 (Domino Server & Notes Client)
– JVM 1.6 SR16FP2
9.0.1 FP4
– TLS 1.2 Plus More (details from Dave Kern in a few)
– Dojo 1.9.7
– Libpng 1.5.21
– JVM 1.6 SR16FP4
FUTURES
Domino.Next
What’s Next?A sample of what’s coming in a future release
•Live View Refresh - Avoid view bottleneck when updating docs and views simultaneously
•Expanded Summary limit in Documents
•NIF/NSF project to optionally have NIF indexes stored outside of NSF file
•Support RFC 2231- Popular International standard for email headers
•Restrict mail rule forwarding to Internet
•Backend support for field/document level encryption and signatures for Xpages
Support for MS calendar and message files
*IBM’s statements regarding its plans, directions and intent are
subject to change or withdrawal without notice at IBM’s sole discretion.
Solution: New item on view note and a new view refresh option (Critical).
This will shut down refresh during view opening processing
The design flags can be set on the view via an Updall switch
Domino.next Live View Refresh – Dedicated background thread for maintaining critical view indexes
Given out as Hotfixes.
Code added to 9.0.1 FP3 Fixes in FP4
*IBM’s statements regarding its plans, directions and intent are
subject to change or withdrawal without notice at IBM’s sole discretion.
Live View Refresh: Dedicated Background Thread The design flags can be set on the view via Updall task from server console on an ODS52 or above NSF file
Syntax:
Enable on a view: Load updall <dbname> -T#<#seconds> <viewname>
Disable on a view (901FP4 and above): Load updall <dbname> -T~ <viewname>
Example:
Load updall disc9.nsf -T#5 "By Category”
Load updall disc9.nsf -T#30 "All Documents"
The dedicated threads can be observed via the server console ‘Show Tasks’
View Indexer disc9.nsf "By Category" 5 sec. stale read
View Indexer disc9.nsf "All Documents" 30 sec. stale read
The individual threads can be stopped but only temporarily until a server restart
– tell ”View Indexer" stop disc9.nsf "All Documents”
To disable on a view, issue a ~ (tilde) with the –T command as follows:
– Load updall disc9.nsf –T~ "By Category”
*IBM’s statements regarding its plans, directions and intent are
subject to change or withdrawal without notice at IBM’s sole discretion.
This sets the refresh poller to 5 and 30
seconds on these views respectively.
Expand 64k Summary limit
In current releases Text (Summary) limit is:
– 64KB per document
– 32KB per field
– 32KB per view entry
In Notes/Domino.next we have raised the Summary data
– 16MB per document
– Individual Field/View limits remain unchanged
*IBM’s statements regarding its plans, directions and intent are
subject to change or withdrawal without notice at IBM’s sole discretion.
NSF Size on Disk
View Indexes on Disk
(outside of NSF file)
Can grow to 1 Terabyte
DAOS store
(outside of NSF)
Logical size can exceed
64gb with DAOS store
now and in the future
views outside of NSF
NIF-NSF: Storing Views (NIF) outside of Database (NSF)
*IBM’s statements regarding its plans, directions and intent are
subject to change or withdrawal without notice at IBM’s sole discretion.
• Encrypted for Secure storage
• Accessed through existing APIs
RFC2231 support for Mail File Types
This RFC is the current standard for specifying non-ASCII headers.
– Although it was first introduced over 15 years ago. It was not widely used for many years. It has evolved to be the the default for many mail clients, e.g., Thunderbird
*IBM’s statements regarding its plans, directions and intent are
subject to change or withdrawal without notice at IBM’s sole discretion.
Restrict mail rule forwarding to internet
Server configuration to prevent mail rule forwarding to an internet email address
– This is a server side configuration option to prevent individual users from setting up a mail rule that forwards their incoming messages to the internet (i.e. a personal account).
– When users create a mail rule that includes the send/copy to action, any addresses in domains that are not owned by your company are ignored
– Already Available in the Cloud
*IBM’s statements regarding its plans, directions and intent are
subject to change or withdrawal without notice at IBM’s sole discretion.
Secure Your Data On The Web - Document encryption & signature support for XPages
Ensure only the people you want to access the data can access the data using XPages document encryption
Simplify access using public keys or apply greater control using secret keys
Ensure authenticity by electronically signing Domino documents from the web
+
+ X
Targeting
2016
*IBM’s statements regarding its plans, directions and intent are
subject to change or withdrawal without notice at IBM’s sole discretion.
Additional Features For XPages Encryption & Signature Support
Infrastructure for working with keys from the web
– New backend classes, methods & properties in C, Java & LotusScript
– New IDVault class
• Methods for working with IDs (Get or put ID, Get username…)
• Properties for
– New UserID class
• Method for getting encryption keys
– Other Methods
• Session class: IDVault Session.getIDVault()
• Database class: Database.setUserIDForDecrypt(UserID uid)
• Document class: Document.encrypt(Optional UserID uid)
*IBM’s statements regarding its plans, directions and intent are
subject to change or withdrawal without notice at IBM’s sole discretion.
Application Development
Plus Lots of good content for the App Dev space as you recently heard from Pete Janzen, Martin Donnelly and Brian Gleeson:
– May 2015 TLCC/TeamStudio Webinar:
App.Next - The Future of Domino Application Development
– https://www.youtube.com/watch?v=ntVFNjKnljE
*IBM’s statements regarding its plans, directions and intent are
subject to change or withdrawal without notice at IBM’s sole discretion.
Support for Microsoft calendar/message files
This resolves receiving files being received that a user cannot take action on.
– Mail Arrives with un-viewable attachment. This will allow processing/handling these msg message types inline.
Currency
Domino / Notes
– ND.next updates the baselines of components including:
• Java 8
• Latest Keyview for indexing/viewing attachments
• ICU – IBM Classes for Unicode revised
– Windows 10 Notes client support – In test now
– Notes Mac 64 bit coming this fall for OS X 10.11 – El Capitan
• Supports Java 8 – 64 bit
– Lots more for latest OS levels for Server including IBM i, zLinux, Windows Server Next, RHEL/SLES
*IBM’s statements regarding its plans, directions and intent are
subject to change or withdrawal without notice at IBM’s sole discretion.
IBM MAIL SUPPORT FOR MICROSOFT
OUTLOOK
ALIASES: IMSMO, PROJECT HAWTHORN
(Limited Availability)
IBM provides choice in client experience
Notes Browser Plug-in
Traveler
Notes
iNotes
Connections Mail
Verse
(P) = On-premises only (C) = Cloud Initially
(P)
(C)
IMAP accessMicrosoft Outlook 2013Limited
Availability
IBM Mail Server for Microsoft Outlook (IMSMO)
It's “Bring your own client” model supporting Outlook clients and various access methods
Gives clients choice in messaging solutions
Allows Domino 9 Server and Outlook 2013 to communicate
Outlook 2013 natively offers EAS (Exchange ActiveSync) account configuration
This is a capability vs. separate solution (i.e., IMAP, POP3, etc.)
A lightweight Outlook 2013 add-in exposes additional functionality beyond what Outlook 2013
natively offers for EAS configurations
Leverages Domino REST services
Auto-updates ease desktop management as new releases are available
Capabilities
Mail, folders, calendar, contacts, delegation, offline, search, Notes encryption, OOO, room finder, freebusy, quota, etc.
What is Hawthorn?
Outlook 2013 &
IBM mail add-in
IP Sprayer
(F5 or IMC)
Corporate LDAP
(NameLookup only)
Domino with IMSA Domino with IMSAOptional non-IMSA servers in
cluster
DB2 HADR
Domino mail cluster
Project HawthornArchitecture
Requirements
Client
Outlook 2013 on Windows only
Mail Server
Domino 64-bit on Windows 64-bit or AIX 64-bit and now Linux-64
Domino release 9.0.1 + latest fixpack
HTTP process running
Mail replicas reside on the Hawthorn server(s)
IDVault (enables Notes encryption)
DB2
Domino server leverages DB2 storage of mapping metadata
Can be bypassed for small proof of concept deployments
Greatly improves server performance, reliability
Cloud – Planned for End of Q4 2015
Contact your IBM Sales rep to see if you are a
good fit for limited availability nomination
*IBM’s statements regarding its plans, directions and intent are
subject to change or withdrawal without notice at IBM’s sole discretion.
OVER TO DAVE KERN FOR SECURITY
24
25
The Ongoing Saga of SSL and TLS
How did we get here?
The SHA-1 hash algorithm was due to be “sunset” in January 2016
– Naturally, we started working on SHA-2 support well in advance
Sept 2014: Chrome and Firefox announced they were starting over a year early
– Adding prominent lack-of-trust warnings for sites with SHA-1 certificates
– Our timetable for Domino accelerates
Oct 14, 2014: POODLE strikes!
– Browser manufacturers and administrators frantically start disabling SSLv3
– Our timetable for Domino accelerates
Nov 4, 2014: Domino Interim Fixes released adding TLS 1.0 (POODLE) and SHA-2
Dec 8, 2014: ”POODLE on TLS” vulnerability announced.
Dec 19, 2014: Domino Interim Fixes for POODLE on TLS released
March 2015: Domino 9.0.1 FP3 IF2 adds TLS 1.2 and more
Nov 2014 Domino Interim Fixes
For all Platforms and supported Versions
– 9.0.1 FP2, 9.0, 8.5.3 FP6, 8.5.2 FP4, 8.5.1 FP5
TLS 1.0 support for all Internet Protocols inbound and outbound
– HTTP, SMTP, LDAP, POP3, IMAP
– DIIOP inbound only
– Support for TLS_FALLBACK_SCSV
– Does not enable disabling of SSL 3.0
– Cipher suite list for outbound connections re-ordered to place AES ciphers first
– Removed SSLv2, SSL renegotiation, and disabled weak (< 128 bit) ciphers
SHA-2 support introduced
No UI changes
http://www.lotus.com/ldd/dominowiki.nsf/dx/IBM_Domino_TLS_1.0
Dec 2014 Notes and Domino Interim Fixes
Security Bulletin: TLS Padding Vulnerability affects IBM Domino (CVE-2014-8730)
– http://www.ibm.com/support/docview.wss?uid=swg21693142
SPR #KLYH9RMJGL: CVE-2014-8730 TLS 1.x Padding Vulnerability
– Fixes the “POODLE on TLS” vulnerability for CBC ciphers
SPR #KLYH9QXMQE: Disable SSL ini: DISABLE_SSLV3=1
– Domino 9.0.1 FP2 IF 3, 9.0 IF7,8.5.3 FP6 IF6, 8.5.2 FP4 IF3, 8.5.1 FP5 IF3
– Notes 9.0.1 FP2 IF4 and 8.5.3 FP6 IF4 added TLS 1.0 support
• Windows, Linux and Mac OSX
SSLv2 ClientHello - Known “Incompatibility” Sending the first SSL message (ClientHello) in SSLv2 format provided backwards
compatibility with servers that only supported SSLv2
– This is only needed if you want to connect to servers that only support SSLv2
– Extremely useful in 1996!
– Using an SSLv2 ClientHello circumvents many important security characteristics of SSL/TLS
Domino completely disabled SSLv2 including SSLv2 “ClientHello”
– Some other servers may still accept it even if SSLv2 itself is disabled
SSLv2 ClientHello might be still used by some applications
– For example older OpenSSL Libraries or out-of-date clients
– Workaround is to force a specify protocol version “TLS 1.0”
• Example: wget.exe --secure-protocol=TLSv1 ..
– Potential issue with external SMTP Clients that shall remain nameless
30
Where are we today?
(Domino 9.0.1 FP3 IF2)
Why TLS 1.2?
Uses SHA-256 internally instead of MD5 and SHA-1
Adds support for ciphers with SHA-256 integrity checking
Adds support for AEAD (AES-GCM) ciphers
Other security-related improvements too numerous to mention
Caveats
TLS 1.2 requires SHA-256 which requires Notes/Domino 9.0.x
– Significant cryptographic changes between 8.5.x and 9.0.x
– No plans to back port any enhanced TLS functionality to 8.5.x
Any template, UI, and string changes require a Maintenance Release
– Not just a Fix Pack, Interim Fix, or Hot Fix.
– This is why a separate new keyring tool “kyrtool.exe” was released instead of a new database
Therefore, until the next MR, configuration of TLS functionality will be limited to
– notes.ini variables
– server console commands
– command line applications
Secure Renegotiation
Old-style renegotiation is vulnerable to session splicing attacks
– Renegotiation disabled by TLS 1.0 Interim Fixes
Security scanners frequently confuse “doesn't support secure renegotiation” with “supports insecure renegotiation”
RFC 5746 requires servers that do not support renegotiation to claim support for secure renegotiation
HTTP Strict Transport Security (HSTS) header
Indicates to web browsers they should only connect to this site over HTTPS and not HTTP
Helps prevent web browsers from being tricked into communicating over unencrypted HTTP
Domino will now send this header by default if SSL/TLS is enabled and the http port is disabled or set to “redirect only”
– Only with a one week “maximum age” by default
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/HSTS
Problem: The All-Seeing Eye
How do you protect against an attacker who can spy on all of your network traffic?
In most SSL/TLS cipher specs the client transmits a “PreMasterSecret” to the server encrypted with the server's public key
A passive attacker could record network traffic for years and then acquire the server's private key and decrypt all of that traffic
– Sound like anybody you know?
Solution: Perfect Forward Secrecy
No long-term keys are used to generate or transmit the keys used to encrypt your network traffic
Incurs a significant performance penalty, so test in your environment before enabling
May only be enabled via SSLCipherSpec notes.ini
PFS cipher specs in Domino 9.0.1 FP3 IF2:
– TLS_DHE_RSA_WITH_AES_128_CBC_SHA
– TLS_DHE_RSA_WITH_AES_256_CBC_SHA
– TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
– TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
– TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
– TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Problem: Far too many attacks on hashes and CBC mode
Most cipher specs use a hash algorithm for integrity checking
Many advances in cryptanalytics techniques against hashes
– First to fall were MD4 and SHA-0
– Next fell MD5 and SHA-1
– Now we're using SHA-2 (SHA-256, SHA-384, and SHA-512)
– SHA-3 is undergoing standardization
– When will it end?
Numerous flaws have been found in Cipher Block Chaining (CBC) mode ciphers
– Padding oracle attacks and timing attacks
– POODLE and other downgrade attacks
– POODLE on TLS and other padding attacks
– BEAST and other IV attacks
Solution: Authenticated Encryption (AEAD)
AEAD cipher specs don't use a hash algorithm for integrity
– Integrity checking part of encryption and decryption
AEAD cipher specs do not use CBC mode
– AEAD cipher specs tend to perform better than equivalent CBC mode ciphers
AEAD ciphers in Notes/Domino 9.0.1 FP3 IF2 (from RFC 5288)
– TLS_RSA_WITH_AES_128_GCM_SHA256
– TLS_RSA_WITH_AES_256_GCM_SHA384
– TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
– TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
IBM’s statements regarding its plans, directions and intent are subject to change or
withdrawal without notice at IBM’s sole discretion.
Selecting Ciphers with “SSLCipherSpec”
Server Doc / Internet Site doc no longer used for SSL/TLS configuration
– None of the new ciphers or versions are shown in the UI
– Design changes in Domino Directory will have to wait for a maintenance release (9.0.x) , not a FP or IF
Notes.ini “SSLCipherSpec”
– Used to specify ciphers across all protocols
– Concatenate the two hex digit numbers for the desired ciphers
– Ciphers ordered based on strength
– Example: SSLCipherSpec=9D9C3D3C352F0A9F9E6B3967
• Enable most of the PFS ciphers as well as the default ciphers
Latest cipher list available on the Notes/Domino wiki
– http://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration
Notes.ini Settings DISABLE_SSLV3=1
– Prevent incoming SSLv3 connections
– Fallback to SSLv3 already prevented with most modern clients via TLS_FALLBACK_SCSV
DEBUG_SSL_ALL=2
– Or just DEBUG_SSL_HANDSHAKE=2 and DEBUG_SSL_CIPHERS=2 for less noise
USE_WEAK_SSL_CIPHERS=1
– Not recommended – but if you absolutely must allow frighteningly weak cipher specs
SSL_DISABLE_FALLBACK_SCSV=1
– Disables TLS_FALLBACK_SCSV functionality
– Not recommended – Only use if a badly misconfigured client absolutely needs to connect to your server
SSL_ENABLE_INSECURE_RENEGOTIATE=1
– Not recommended – but if you absolutely need “classic” SSL renegotiation
SSL_ENABLE_INSECURE_SSLV2_HELLO=1
– Not recommended – but if remote SMTP server refuses to disable SSLv2 backwards compatibility...
SSL Test Tools
https://www.ssllabs.com/ssltest/
Probably one of the most busy SSL Test Sites those days
– Can be used to get an idea about your server security status
– Will provide a a “rating” for your server from “A” to “F”
– Also includes details about supported SSL protocol version and ciphers
• Also contains a very useful “simulation” what ciphers certain applications might use
– There is also a test to check which SSL protocol version and ciphers are supported
Reference for Useful OpenSSL Commands
Connect test HTTPS
– openssl s_client -connect www.acme.com:443
Connect test SMTP TLS
– openssl s_client -connect mail.acme.com:25 -starttls smtp
Both print detailed information about certificate, protocol and cipher
Options to force certain SSL versions
– -tls1, -no_tls1, -no_ssl3
“wget” - another test tool
– Uses openssl libs and can be used for HTTPS requests
– wget.exe [--secure-protocol=TLSv1] --no-check-certificate https://www.acme.com
43
Where are we going?
Enhancements under consideration for inclusion in a future Fix Pack
OCSP Response Stapling
– Server requests a single OCSP response for itself and sends it as part of the TLS handshake
– Improves performance by saving each client from needing to perform its own request
Improved interoperability with Java 6 and 7
– Java 6 and 7 only support 1024 bit DH, which breaks compatibility with servers that choose stronger groups
– Java 6 and 7 only use DH with TLS_DHE_RSA_WITH_AES_128_CBC_SHA
– Enhancement to only use 1024 bit DH when using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
Drop priority of TLS_DHE_RSA_WITH_AES_128_CBC_SHA to protect against Logjam attack
– 1024 bit DH groups are believed to be insecure, so avoid them unless the alternative is sending data in the clear.
Add support for 4096 bit DH groups
Logging enhancements
Stability and interoperability fixes
IBM’s statements regarding its plans, directions and intent are subject to change or
withdrawal without notice at IBM’s sole discretion.
TLS 1.3
Cleans up and greatly simplifies the TLS protocol
– TLS 1.3 overhauls SSL/TLS in the way that TLS 1.0 should have
Currently just an Internet Draft, but we're following it closely
– Currently only allows cipher suites with Perfect Forward Secrecy and Authenticated Encryption
Under consideration for inclusion in a future release of Notes/Domino
IBM’s statements regarding its plans, directions and intent are subject to change or
withdrawal without notice at IBM’s sole discretion.
46
Notes/Domino SHA-2 Support
SHA-1 is rated as “insecure”
SHA-1 is not recommended any more
– There are at least theoretical attacks against SHA-1
– Customers are encouraged to move away from SHA-1 to avoid situations we had before with MD5
– SHA-256 is recommended and required for secure encryption
– Governments recommend to move to SHA-256
– SHA-256 is approved by Federal Information Processing Standard (FIPS) 140-2
Browser vendors decided start to warn when using SHA-1 certificates
– For example: Google starts first to warn for certificates expiring end of this year
• Reducing step by step the expiration time for the certs (1.1.2017, .. 1.1.2016)
– Affected certificates are all Server and intermediate CAs signed with SHA-1
– Root Certifiers are not affected because they are verified in a different way
Browser Vendors start to sunset SHA-1
This means that you have to replace your certificates ASAP
– Best practice is also to create a new public/private key
• Key could have been compromised and you don't know about it yet
– Ensure that the CA you are using already supports SHA-2
• Most CAs only support SHA-2 today because for exact those reasons
– If you server certificate expires later than 31.12.2015 and your server does not support SHA-2 yet, consider requesting a cert with a shorter valid period
• Just a work-around. Better would be to update your server or put a secure reverse proxy in front of it
References
– https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
– http://googleonlinesecurity.blogspot.de/2014/09/gradually-sunsetting-sha-1.html
SHA-256 (SHA-2) Support
Domino 9.0.x without the current IFs did already support SHA-256 in some areas
– X.509 certificate signature verification and S/MIME signed mail
– Some areas of Notes/Domino where a password such as the Internet (HTTP) password was previously "hashed."
– Internet CA supports SHA-256
Domino 9.0.1 FP2 IF1 supports SHA-2 Certificates for all Internet Protocols and for KeyringFiles
– SHA-2 support covers SHA-256, SHA-384, and SHA-512
– No Support for SHA-2 is planned for Domino 8.5.x
• Domino 8.5.x does not contain SHA-2 support
– You should consider updating to the current 9.0.1 fixpack and IF if possible
– New Keyring files Management Tool “kyrtool”
New Keyring Tool - “kyrtool”
Separate Download
– Available for Win32/64, Linux 32/64 on Client or Server → just needs to be copied to the N/D program directory
Can be used to import, show, export certificates
– But not to create a private/public key and a certificate request
You can use OpenSSL to create the key and the request
– Or you can use any other tool to create the key and the request
– Or use an existing key and cert in PEM format
Importing Trusted Roots
– Either add all to a single PEM file from leave to note (key, cert, intermediates, root)
– Or import roots separately
• Needs Notes/Domino 9.0.1 FP2 IF1 code → Backend API change is needed
Create a Certificate using OpenSSL
OpenSSL
– native installed on Linux/Unix
– On Windows you can use a cygwin environment
1. Create a Private/Public Key
– openssl genrsa -out server.key 2048
2. Generate a Certificate Signing Request (CSR)
– openssl req -new -sha256 -key server.key -out server.csr
3. Send CSR to CA for signing
– Or create a “self signed” certificate for testing
• openssl x509 -req -days 3650 -sha256 -in server.csr -signkey server.key -out server.pem
– Result is a file in “PEM” format
Verify Import File
Before importing a PEM file, you should verify the content with the “verify” command
– Ensure that the certificate chain is complete and ordered correctly (key, cert, intermediate certs, root cert)
– Special tip: you can show the certs in an input via to figure out which cert is missing
• Example: kyrtool.exe show certs -i c:\domino\all.crt
kyrtool.exe verify c:\domino\all.crt
– Successfully read 2048 bit RSA private key
– INFO: Successfully read 4 certificates
– INFO: Private key matches leaf certificate
– INFO: IssuerName of cert 0 matches the SubjectName of cert 1
– INFO: IssuerName of cert 1 matches the SubjectName of cert 2
– INFO: IssuerName of cert 2 matches the SubjectName of cert 3
– INFO: Final certificate in chain is self-signed
Create Keyring File
Create a new Keyring File
– kyrtool create -k keyring.kyr -p password
– When creating a keyring file you need to specify a password
• All other commands will read the password from the “.sth” file
Importing Key, Certificate, Intermediates and Trusted root
– Copy key, cert, intermediates and root certificate into one PEM file
– kyrtool import all -k keyring.kyr -i server.pem
You can also import the different parts separately
– Kyrtool import all|keys|certs|roots -k keyring.kyr -i server.pem
– But that makes the import a lot more complicated
Keyring “show” command
Can be used to show information from a keyring file
Kyrtool show certs -k keyfile.kyr
– Shows the entire cert chain including the root matching the cert
– Tip: You can use the show command to dump all certs and use the “verify” command on the resulting file
Kyrtool show keys -k keyfile.kyr
– Shows all keys in the keyfile
Kyrtool show roots -k keyfile.kyr
– Shows all trusted roots in the keyfile
Verbose option “-v” can be used to dump more detailed information
– More “-v”s on the command line results in more information
Reference - Converting file formats
Kyrtool requires “PEM” format (text based - BASE64 encoded DER format)
– In many cases your CA might use different formats (e.g. Microsoft CA)
OpenSSL is your friend when converting different formats
– But syntax is not always easy to figure out
– Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
• openssl pkcs12 -in cert.pfx -out cert.pem -nodes
– Convert Binary DER formatted certificate to text based (BASE64) PEM format
• openssl x509 -inform der -in server.cer -outform pem -out server.pem
– Convert Binary DER formatted certificate chain to text based (BASE64) PEM format
• openssl pkcs7 -print_certs -inform der -in certificate_chain.p7b -outform pem -out chain.pem
56
Notes S/MIME Support
Increasing Internet Certificate Key Size
Domino 9 Internet CA Supports SHA-2
– You can remove and re-create the Internet Certifier with SHA256 and higher key length
– Or create multiple Internet Certifiers
Internet CA Result
Resulting CA can be used to assign new certificates to users via Person Doc
Enabling stronger ciphers and SHA-2
Client Notes.ini (deployed via desktop policy) needs the following settings
– SMIME_CAPABILITIES_SEND=AES_128:SHA_256
– SMIME_FIRST_CHOICE_CONTENT_ENC_ALG=AES_256
DOMINO 9.0.1 CONTENT
Backup
9.0.1: Messaging Server Reliability Protect from repeat outages due to a single message instance:
Processing a “bad” message is responsible for the crash. It remains in mail.box or mail file. Server restarts and proceeds to deal with the same “bad” message, causing repeat crash for below scenarios:
Transfer or deliver same "bad" message: Router repeat crash
Receive same "bad" message: SMTP repeat crash
Fetch same “bad” message via IMAP: IMAP repeat crash
Solution to give messaging server reliability in 9.0.1:
Keeping per-thread context identifying the current message being processed.
Registering an exception handler callback that is called at time of crash to record which email message was processed during crash. A data file is opened and the information identifying this message is written to the file.
When server restarts, if above file exists, Router/SMTP/IMAP read the file to identify the "bad" message, move the "bad" message to a new DB (Router and IMAP), and continue to deal with remaining messages.
9.0.1: Messaging Server Reliability
Prevent Router, SMTP and IMAP Repeat Crash
The feature is enabled by default in 9.0.1
Set below Notes.ini to disable the feature
RouterDisableFaultDataCapture=1
SMTPDisableFaultDataCapture=1
IMAPDisableFaultDataCapture=1
How we Deal with "bad" message
Quarantine Message to IBM_Technical_Support directory
Router/IMAP: Upon Restart move message for diagnostic collection
SMTP reject with “554 unable to import”
9.0.1: Diagnostic information in NSD for Router
Router diagnostic data provides additional information in NSD stacks
This identifies work in progress by a router transfer/delivery thread at the time of a crash.
The information includes
Message being processed (mailbox and Note ID)
Sender and recipient.
Stacks in the NSD contain a string printing out this value.
9.0.1: New Execution Control List attribute- Only load Signed & Trusted Java code
Provide Notes client users with an option to mitigate any risks involved with running Java code in Notes documents
Prior ECLs associated with Applets, Java agents & Xpages enforce runtime security
No load time ECL check, leaves an open window for application Java code to exploit any vulnerabilities in JVM
Load time verification ECL check allows for customers to have more granular control on what Java code is allowed to load & run in a Notes client document
The Quarterly Oracle security patches have all been around attacking the JVM security model primarily from unsigned code
This is not a fix to address any known exploit but rather a mechanism to mitigate any future exploits
More important from a Notes client perspective since deploying a security patch to Notes client JVM is not always an acceptable solution for customers
Changes are limited to Client only covering: Xpages, Applets, Java agents & JS → Java calls
Java code running in the context of Notes documents checks the load time ECL attribute and alert the user if the signer does not have permissions to load Java code
New ECL attribute “Load Java code” in security panel and in security policy document for pushing out ECL settings
9.0.1: New Security Policy for Federated Login
New Security Policy Setting to prevent use of password on vaulted ID when Federated Login is configured
Policy setting is only visible if NFL or WFL is configured
Default is Yes (ie, Allow use of password)
'No' enforces use of SAML for download of ID from Vault
9.0.1: Web SSO Config Doc Has Custom Cookie Names Web SSO Config doc allows admin to specify LTPAToken and LTPAToken2 custom name.
Can be used to configure users for SSO across multiple SSO domains
Questions????
7
Use the Orange Arrow button to expand the GoToWebinar panel
Then ask your questions in the Questions panel!
Remember, we will answer your questions verbally
#XPages
@ssounder
@TLCCLtd
@Teamstudio
@PaulDN
Upcoming Events: MWLug User Group Meeting, Atlanta, GA - Aug. 19-21 ICON UK, London, England – Sept. 21-22
Question and Answer Time!
8
Teamstudio [email protected]
978-712-0924
TLCC [email protected] [email protected]
888-241-8522 or 561-953-0095
HowardGreenberg
PaulDella-Nebbia
CourtneyCarter
Kevin LynchDave KernScott Vrusho
Keep in mind:TLCC Spring Sale Ends on June 30th
Scott Souder