Published on June 17, 2015
1. Domino, Notes, and Verse Where are We and What’s the Future? Tweet about this event And mention us: @Teamstudio @TLCCLTD @sssouder June 16, 2015
2. @Teamstudio teamstudio.com @TLCCLTD tlcc.com Courtney Carter Inbound Marketing Specialist Teamstudio
3. Who We Are • Teamstudio’s background is in creating tools for collaborative computing in mid-size and large enterprises, primarily for IBM Notes • Easy-to-use tools for developers and administrators • 1600+ active customers, 53 countries • Offices in US, UK, and Japan • Entered mobile space in 2010 with Unplugged: easy mobilization of Notes apps to Blackberry, Android and iOS
4. Teamstudio Unplugged • Your mobile Domino server: take your IBM Notes apps with you! • End-users access Notes applications from mobile devices whether online or offline • Leverages the powerful technology of XPages
5. Unplugged Templates • Continuity – Mobile offline access to BCM programs • OneView Approvals – Expense approvals; anywhere, anytime • CustomerView – lightweight CRM framework for field sales and field service teams • Contacts – customer information database • Activities – customer activity log • Media – mobile offline file storage and access
6. XControls • Set of Controls for IBM Domino XPages developers working on new XPages apps and on app modernization projects • Re-write of the Teamstudio Unplugged Controls project, but adds full support for PC browser-based user interfaces as well as mobile interfaces • Enables XPages developers to create controls that are responsive • Learn more: teamstudio.com/solutions/xfoundations
7. Teamstudio Services • Professional services for modernization, web enablement, project management, development, and administration o Modernization Services o Unplugged Developer Assistance Program o Application Upgrade Analysis o Application Complexity Analysis o Application Usage Auditing • http://www.teamstudio.com/solutions/services/
8. • NotesTools promotion: o Be automatically entered to win an iPhone 6 if you contact us by Jun. 30, 2015 for more information on Analyzer, Delta, and Configurator. • Webinar in French: Jun. 24, 2015 o With Laurent Godme of IBM and Ady Makombo of Teamstudio
9. 1 #XPages Your Hosts Today: Howard Greenberg TLCC @TLCCLtd Domino, Notes and Verse - Where are we and What's the Future? Paul Della-Nebbia TLCC @PaulDN
10. How can TLCC Help YOU! 2 • Private classes at your location or virtual •XPages Development •Support Existing Apps •Administration • Let us help you become an expert XPages developer! • Delivered via Notes • XPages • Development • Admin • User Self- Paced Courses Mentoring Instructor- Led Classes Application Development and Consulting Free Demo Courses!
11. 3 • Save hundreds and even Thousands of Dollars on the most popular courses and packages XPages Notes/Domino Admin and Development • Extended!!! Now through June 30th http://www.tlcc.com/springsale
12. Upcoming and Recorded Webinars 4 The Webinars will resume in September! • www.tlcc.com/xpages-webinar View Previous Webinars (use url above)
13. Asking Questions – Q and A at the end 5 Use the Orange Arrow button to expand the GoToWebinar panel Then ask your questions in the Questions pane! We will answer your questions verbally at the end of the webinar
14. Your Presenters Today: 6 #XPages Scott Vrusho IBM Dave Kern IBM Kevin Lynch IBM Scott Souder IBM @ssouder
15. SCOTT SOUDER IBM Program Director Sr. Product Manager, IBM Verse
16. © 2015 IBM Corporation Legal Disclaimer: IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
17. © 2015 IBM Corporation Mail that understands you Less clutter, more clarity Connecting me to we
18. © 2015 IBM Corporation Let’s take a look…
19. © 2015 IBM Corporation IBM Verse Roadmap
20. © 2015 IBM Corporation IBM Verse Post-GA priorities • Ofﬂine • Mobile: native iOS and Android • Enhanced Calendar • Deepen social integration • Personal Assistant based on IBM Watson • Extensibility and programmability for 3rd party integration • Continuous enhancement based on user usage metrics • On-premises support
21. © 2015 IBM Corporation Contact Sync! Sync social contacts and mail contacts • Modern, ﬁrst-class experience • Fully accessible • Seamlessly sync your Notes/Domino-based contacts with your Connections-based social contacts
22. © 2015 IBM Corporation Here’s what we’re thinking about next… • Share to blog w/images and attachments • Reduce cognitive debt by optimizing screen real estate for ease-of-use and clarity • A “reimagined” calendar experience • Reduce mail debt by surfacing messages that matter • Improvements to “Getting Started” experience • File viewer enhancements • Orient user and focus on what matters today • A deeper, more integrated chat experience • “Create my proﬁle picture” experience
23. © 2015 IBM Corporation IBM Verse Extensibility and API objectives Partnering for success: • Cover key integration points • Build the supporting ecosystem • Focus on key differentiators Verse extensibility Service APIs
24. © 2015 IBM Corporation IBM Verse Extensibility and API directions Integrated actions: • Allow for adding actions which work against content in Verse • Acting on a notiﬁcation from a workﬂow application • Moving a message into a CRM system for an identiﬁed opportunity • Archiving a message as “CLASSIFIED” Export insight: • Allow external applications to leverage Verse’s analytics and social insight • People important / suggested to me • Team analytics • Needs Action / Waiting for Action
25. © 2015 IBM Corporation IBM Verse Extensibility and API directions Improve on a New Way to Work: • Allow insights gathered from external resources to enhance the Verse experience • Supplementing “suggested people” based on relationships found in a CRM system • Improved search ﬁlters based on industry-speciﬁc taxonomy • Recommendations on existing Needs Action or Waiting for Action tasks Freedom to collaborate: • Allow for the substitution of third-party collaboration services in place of IBM’s • Chat • Files • …
26. http://tinyurl.com/njdun3v “So if you’re not sure about IBM Verse today, think about your move from keyboard to mouse…or from mouse to multi- touch. You’ll get there. We’ll be there waiting for you…” – Louis Richardson, IBM Storyteller
27. THANKS! @sssouder
28. Domino, Notes, and Verse - Where Are We and What's the Future? 1 Scott Vrusho Senior Program Manager Dave Kern Resident Paranoid Kevin Lynch Senior Development Manager June 16, 2015
29. Agenda Brief Review of current Domino content Futures – Domino.Next IBM mail support for Microsoft Outlook / Hawthorn Security The Ongoing Saga of SSL and TLS Verse – New way to work
30. CURRENCY CURRENT DOMINO CONTENT Domino 9.0.1
31. What's new in IBM Domino Social Edition 9.0.1 Themes: Quality: Notes / Domino Social edition 9.0.1 was focused at addressing important IBM customer reported defects Accessibility: XPages, iNotes, Domino server install Targeted features: Messaging Server Reliability (Cloud First) Diagnostic information in NSD for Router (Cloud First) Security Execution Control List (ECL): New setting for greater security control over Java execution. XPages Mobile enhancements: detect device type, orientation, event changes New REST calendar service Content in backup Shipped Q4’13
32. Notes/Domino/Designer Fix Packs Notes/Domino/Designer 9.0.1 FP2 – IE11 support – CKEditor 4.3.2 (Domino Server) – JVM 1.6 SR16 9.0.1 FP3 – iOS 8 support for XPages mobile controls – 9.0.1 FP2 IF1 – Dojo 1.9.4 – CkEditor 18.104.22.168 (Domino Server & Notes Client) – JVM 1.6 SR16FP2 9.0.1 FP4 – TLS 1.2 Plus More (details from Dave Kern in a few) – Dojo 1.9.7 – Libpng 1.5.21 – JVM 1.6 SR16FP4
33. FUTURES Domino.Next
34. What’s Next? A sample of what’s coming in a future release •Live View Refresh - Avoid view bottleneck when updating docs and views simultaneously •Expanded Summary limit in Documents •NIF/NSF project to optionally have NIF indexes stored outside of NSF file •Support RFC 2231- Popular International standard for email headers •Restrict mail rule forwarding to Internet •Backend support for field/document level encryption and signatures for Xpages Support for MS calendar and message files *IBM’s statements regarding its plans, directions and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
35. Solution: New item on view note and a new view refresh option (Critical). This will shut down refresh during view opening processing The design flags can be set on the view via an Updall switch Domino.next LiveView Refresh – Dedicated background thread for maintaining critical view indexes Given out as Hotfixes. Code added to 9.0.1 FP3 Fixes in FP4 *IBM’s statements regarding its plans, directions and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
36. Live View Refresh: Dedicated Background Thread The design flags can be set on the view via Updall task from server console on an ODS52 or above NSF file Syntax: Enable on a view: Load updall <dbname> -T#<#seconds> <viewname> Disable on a view (901FP4 and above): Load updall <dbname> -T~ <viewname> Example: Load updall disc9.nsf -T#5 "By Category” Load updall disc9.nsf -T#30 "All Documents" The dedicated threads can be observed via the server console ‘Show Tasks’ View Indexer disc9.nsf "By Category" 5 sec. stale read View Indexer disc9.nsf "All Documents" 30 sec. stale read The individual threads can be stopped but only temporarily until a server restart – tell ”View Indexer" stop disc9.nsf "All Documents” To disable on a view, issue a ~ (tilde) with the –T command as follows: – Load updall disc9.nsf –T~ "By Category” *IBM’s statements regarding its plans, directions and intent are subject to change or withdrawal without notice at IBM’s sole discretion. This sets the refresh poller to 5 and 30 seconds on these views respectively.
37. Expand 64k Summary limit In current releases Text (Summary) limit is: – 64KB per document – 32KB per field – 32KB per view entry In Notes/Domino.next we have raised the Summary data – 16MB per document – Individual Field/View limits remain unchanged *IBM’s statements regarding its plans, directions and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
38. NSF Size on Disk View Indexes on Disk (outside of NSF file) Can grow to 1 Terabyte DAOS store (outside of NSF) Logical size can exceed 64gb with DAOS store now and in the future views outside of NSF NIF-NSF: Storing Views (NIF) outside of Database (NSF) *IBM’s statements regarding its plans, directions and intent are subject to change or withdrawal without notice at IBM’s sole discretion. • Encrypted for Secure storage • Accessed through existing APIs
39. RFC2231 support for Mail File Types This RFC is the current standard for specifying non-ASCII headers. – Although it was first introduced over 15 years ago. It was not widely used for many years. It has evolved to be the the default for many mail clients, e.g., Thunderbird *IBM’s statements regarding its plans, directions and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
40. Restrict mail rule forwarding to internet Server configuration to prevent mail rule forwarding to an internet email address – This is a server side configuration option to prevent individual users from setting up a mail rule that forwards their incoming messages to the internet (i.e. a personal account). – When users create a mail rule that includes the send/copy to action, any addresses in domains that are not owned by your company are ignored – Already Available in the Cloud *IBM’s statements regarding its plans, directions and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
41. Secure Your Data On The Web - Document encryption & signature support for XPages Ensure only the people you want to access the data can access the data using XPages document encryption Simplify access using public keys or apply greater control using secret keys Ensure authenticity by electronically signing Domino documents from the web + + X Targeting 2016 *IBM’s statements regarding its plans, directions and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
42. Additional Features For XPages Encryption & Signature Support Infrastructure for working with keys from the web – New backend classes, methods & properties in C, Java & LotusScript – New IDVault class • Methods for working with IDs (Get or put ID, Get username…) • Properties for – New UserID class • Method for getting encryption keys – Other Methods • Session class: IDVault Session.getIDVault() • Database class: Database.setUserIDForDecrypt(UserID uid) • Document class: Document.encrypt(Optional UserID uid) *IBM’s statements regarding its plans, directions and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
43. Application Development Plus Lots of good content for the App Dev space as you recently heard from Pete Janzen, Martin Donnelly and Brian Gleeson: – May 2015 TLCC/TeamStudio Webinar: App.Next - The Future of Domino Application Development – https://www.youtube.com/watch?v=ntVFNjKnljE *IBM’s statements regarding its plans, directions and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
44. Support for Microsoft calendar/message files This resolves receiving files being received that a user cannot take action on. – Mail Arrives with un-viewable attachment. This will allow processing/handling these msg message types inline.
45. Currency Domino / Notes – ND.next updates the baselines of components including: • Java 8 • Latest Keyview for indexing/viewing attachments • ICU – IBM Classes for Unicode revised – Windows 10 Notes client support – In test now – Notes Mac 64 bit coming this fall for OS X 10.11 – El Capitan • Supports Java 8 – 64 bit – Lots more for latest OS levels for Server including IBM i, zLinux, Windows Server Next, RHEL/SLES *IBM’s statements regarding its plans, directions and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
46. IBM MAIL SUPPORT FOR MICROSOFT OUTLOOK ALIASES: IMSMO, PROJECT HAWTHORN (Limited Availability)
47. IBM provides choice in client experience Notes Browser Plug-in Traveler Notes iNotes Connections Mail Verse (P) = On-premises only (C) = Cloud Initially (P) (C) IMAP accessMicrosoft Outlook 2013Limited Availability
48. IBM Mail Server for Microsoft Outlook (IMSMO) It's “Bring your own client” model supporting Outlook clients and various access methods Gives clients choice in messaging solutions Allows Domino 9 Server and Outlook 2013 to communicate Outlook 2013 natively offers EAS (Exchange ActiveSync) account configuration This is a capability vs. separate solution (i.e., IMAP, POP3, etc.) A lightweight Outlook 2013 add-in exposes additional functionality beyond what Outlook 2013 natively offers for EAS configurations Leverages Domino REST services Auto-updates ease desktop management as new releases are available Capabilities Mail, folders, calendar, contacts, delegation, offline, search, Notes encryption, OOO, room finder, freebusy, quota, etc. What is Hawthorn?
49. Outlook 2013 & IBM mail add-in IP Sprayer (F5 or IMC) Corporate LDAP (NameLookup only) Domino with IMSA Domino with IMSA Optional non-IMSA servers in cluster DB2 HADR Domino mail cluster Project Hawthorn Architecture
50. Requirements Client Outlook 2013 on Windows only Mail Server Domino 64-bit on Windows 64-bit or AIX 64-bit and now Linux-64 Domino release 9.0.1 + latest fixpack HTTP process running Mail replicas reside on the Hawthorn server(s) IDVault (enables Notes encryption) DB2 Domino server leverages DB2 storage of mapping metadata Can be bypassed for small proof of concept deployments Greatly improves server performance, reliability Cloud – Planned for End of Q4 2015 Contact your IBM Sales rep to see if you are a good fit for limited availability nomination *IBM’s statements regarding its plans, directions and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
51. OVER TO DAVE KERN FOR SECURITY 24
52. 25 The Ongoing Saga of SSL and TLS
53. How did we get here? The SHA-1 hash algorithm was due to be “sunset” in January 2016 – Naturally, we started working on SHA-2 support well in advance Sept 2014: Chrome and Firefox announced they were starting over a year early – Adding prominent lack-of-trust warnings for sites with SHA-1 certificates – Our timetable for Domino accelerates Oct 14, 2014: POODLE strikes! – Browser manufacturers and administrators frantically start disabling SSLv3 – Our timetable for Domino accelerates Nov 4, 2014: Domino Interim Fixes released adding TLS 1.0 (POODLE) and SHA-2 Dec 8, 2014: ”POODLE on TLS” vulnerability announced. Dec 19, 2014: Domino Interim Fixes for POODLE on TLS released March 2015: Domino 9.0.1 FP3 IF2 adds TLS 1.2 and more
54. Nov 2014 Domino Interim Fixes For all Platforms and supported Versions – 9.0.1 FP2, 9.0, 8.5.3 FP6, 8.5.2 FP4, 8.5.1 FP5 TLS 1.0 support for all Internet Protocols inbound and outbound – HTTP, SMTP, LDAP, POP3, IMAP – DIIOP inbound only – Support for TLS_FALLBACK_SCSV – Does not enable disabling of SSL 3.0 – Cipher suite list for outbound connections re-ordered to place AES ciphers first – Removed SSLv2, SSL renegotiation, and disabled weak (< 128 bit) ciphers SHA-2 support introduced No UI changes http://www.lotus.com/ldd/dominowiki.nsf/dx/IBM_Domino_TLS_1.0
55. Dec 2014 Notes and Domino Interim Fixes Security Bulletin: TLS Padding Vulnerability affects IBM Domino (CVE- 2014-8730) – http://www.ibm.com/support/docview.wss?uid=swg21693142 SPR #KLYH9RMJGL: CVE-2014-8730 TLS 1.x Padding Vulnerability – Fixes the “POODLE on TLS” vulnerability for CBC ciphers SPR #KLYH9QXMQE: Disable SSL ini: DISABLE_SSLV3=1 – Domino 9.0.1 FP2 IF 3, 9.0 IF7,8.5.3 FP6 IF6, 8.5.2 FP4 IF3, 8.5.1 FP5 IF3 – Notes 9.0.1 FP2 IF4 and 8.5.3 FP6 IF4 added TLS 1.0 support • Windows, Linux and Mac OSX
56. SSLv2 ClientHello - Known “Incompatibility” Sending the first SSL message (ClientHello) in SSLv2 format provided backwards compatibility with servers that only supported SSLv2 – This is only needed if you want to connect to servers that only support SSLv2 – Extremely useful in 1996! – Using an SSLv2 ClientHello circumvents many important security characteristics of SSL/TLS Domino completely disabled SSLv2 including SSLv2 “ClientHello” – Some other servers may still accept it even if SSLv2 itself is disabled SSLv2 ClientHello might be still used by some applications – For example older OpenSSL Libraries or out-of-date clients – Workaround is to force a specify protocol version “TLS 1.0” • Example: wget.exe --secure-protocol=TLSv1 .. – Potential issue with external SMTP Clients that shall remain nameless
57. 30 Where are we today? (Domino 9.0.1 FP3 IF2)
58. Why TLS 1.2? Uses SHA-256 internally instead of MD5 and SHA-1 Adds support for ciphers with SHA-256 integrity checking Adds support for AEAD (AES-GCM) ciphers Other security-related improvements too numerous to mention
59. Caveats TLS 1.2 requires SHA-256 which requires Notes/Domino 9.0.x – Significant cryptographic changes between 8.5.x and 9.0.x – No plans to back port any enhanced TLS functionality to 8.5.x Any template, UI, and string changes require a Maintenance Release – Not just a Fix Pack, Interim Fix, or Hot Fix. – This is why a separate new keyring tool “kyrtool.exe” was released instead of a new database Therefore, until the next MR, configuration of TLS functionality will be limited to – notes.ini variables – server console commands – command line applications
60. Secure Renegotiation Old-style renegotiation is vulnerable to session splicing attacks – Renegotiation disabled by TLS 1.0 Interim Fixes Security scanners frequently confuse “doesn't support secure renegotiation” with “supports insecure renegotiation” RFC 5746 requires servers that do not support renegotiation to claim support for secure renegotiation
61. HTTP Strict Transport Security (HSTS) header Indicates to web browsers they should only connect to this site over HTTPS and not HTTP Helps prevent web browsers from being tricked into communicating over unencrypted HTTP Domino will now send this header by default if SSL/TLS is enabled and the http port is disabled or set to “redirect only” – Only with a one week “maximum age” by default http://www-10.lotus.com/ldd/dominowiki.nsf/dx/HSTS
62. Problem: The All-Seeing Eye How do you protect against an attacker who can spy on all of your network traffic? In most SSL/TLS cipher specs the client transmits a “PreMasterSecret” to the server encrypted with the server's public key A passive attacker could record network traffic for years and then acquire the server's private key and decrypt all of that traffic – Sound like anybody you know?
63. Solution: Perfect Forward Secrecy No long-term keys are used to generate or transmit the keys used to encrypt your network traffic Incurs a significant performance penalty, so test in your environment before enabling May only be enabled via SSLCipherSpec notes.ini PFS cipher specs in Domino 9.0.1 FP3 IF2: – TLS_DHE_RSA_WITH_AES_128_CBC_SHA – TLS_DHE_RSA_WITH_AES_256_CBC_SHA – TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 – TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 – TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 – TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
64. Problem: Far too many attacks on hashes and CBC mode Most cipher specs use a hash algorithm for integrity checking Many advances in cryptanalytics techniques against hashes – First to fall were MD4 and SHA-0 – Next fell MD5 and SHA-1 – Now we're using SHA-2 (SHA-256, SHA-384, and SHA-512) – SHA-3 is undergoing standardization – When will it end? Numerous flaws have been found in Cipher Block Chaining (CBC) mode ciphers – Padding oracle attacks and timing attacks – POODLE and other downgrade attacks – POODLE on TLS and other padding attacks – BEAST and other IV attacks
65. Solution: Authenticated Encryption (AEAD) AEAD cipher specs don't use a hash algorithm for integrity – Integrity checking part of encryption and decryption AEAD cipher specs do not use CBC mode – AEAD cipher specs tend to perform better than equivalent CBC mode ciphers AEAD ciphers in Notes/Domino 9.0.1 FP3 IF2 (from RFC 5288) – TLS_RSA_WITH_AES_128_GCM_SHA256 – TLS_RSA_WITH_AES_256_GCM_SHA384 – TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 – TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 IBM’s statements regarding its plans, directions and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
66. Selecting Ciphers with “SSLCipherSpec” Server Doc / Internet Site doc no longer used for SSL/TLS configuration – None of the new ciphers or versions are shown in the UI – Design changes in Domino Directory will have to wait for a maintenance release (9.0.x) , not a FP or IF Notes.ini “SSLCipherSpec” – Used to specify ciphers across all protocols – Concatenate the two hex digit numbers for the desired ciphers – Ciphers ordered based on strength – Example: SSLCipherSpec=9D9C3D3C352F0A9F9E6B3967 • Enable most of the PFS ciphers as well as the default ciphers Latest cipher list available on the Notes/Domino wiki – http://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration
67. Notes.ini Settings DISABLE_SSLV3=1 – Prevent incoming SSLv3 connections – Fallback to SSLv3 already prevented with most modern clients via TLS_FALLBACK_SCSV DEBUG_SSL_ALL=2 – Or just DEBUG_SSL_HANDSHAKE=2 and DEBUG_SSL_CIPHERS=2 for less noise USE_WEAK_SSL_CIPHERS=1 – Not recommended – but if you absolutely must allow frighteningly weak cipher specs SSL_DISABLE_FALLBACK_SCSV=1 – Disables TLS_FALLBACK_SCSV functionality – Not recommended – Only use if a badly misconfigured client absolutely needs to connect to your server SSL_ENABLE_INSECURE_RENEGOTIATE=1 – Not recommended – but if you absolutely need “classic” SSL renegotiation SSL_ENABLE_INSECURE_SSLV2_HELLO=1 – Not recommended – but if remote SMTP server refuses to disable SSLv2 backwards compatibility...
68. SSL Test Tools https://www.ssllabs.com/ssltest/ Probably one of the most busy SSL Test Sites those days – Can be used to get an idea about your server security status – Will provide a a “rating” for your server from “A” to “F” – Also includes details about supported SSL protocol version and ciphers • Also contains a very useful “simulation” what ciphers certain applications might use – There is also a test to check which SSL protocol version and ciphers are supported
69. Reference for Useful OpenSSL Commands Connect test HTTPS – openssl s_client -connect www.acme.com:443 Connect test SMTP TLS – openssl s_client -connect mail.acme.com:25 -starttls smtp Both print detailed information about certificate, protocol and cipher Options to force certain SSL versions – -tls1, -no_tls1, -no_ssl3 “wget” - another test tool – Uses openssl libs and can be used for HTTPS requests – wget.exe [--secure-protocol=TLSv1] --no-check-certificate https://www.acme.com
70. 43 Where are we going?
71. Enhancements under consideration for inclusion in a future Fix Pack OCSP Response Stapling – Server requests a single OCSP response for itself and sends it as part of the TLS handshake – Improves performance by saving each client from needing to perform its own request Improved interoperability with Java 6 and 7 – Java 6 and 7 only support 1024 bit DH, which breaks compatibility with servers that choose stronger groups – Java 6 and 7 only use DH with TLS_DHE_RSA_WITH_AES_128_CBC_SHA – Enhancement to only use 1024 bit DH when using TLS_DHE_RSA_WITH_AES_128_CBC_SHA Drop priority of TLS_DHE_RSA_WITH_AES_128_CBC_SHA to protect against Logjam attack – 1024 bit DH groups are believed to be insecure, so avoid them unless the alternative is sending data in the clear. Add support for 4096 bit DH groups Logging enhancements Stability and interoperability fixes IBM’s statements regarding its plans, directions and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
72. TLS 1.3 Cleans up and greatly simplifies the TLS protocol – TLS 1.3 overhauls SSL/TLS in the way that TLS 1.0 should have Currently just an Internet Draft, but we're following it closely – Currently only allows cipher suites with Perfect Forward Secrecy and Authenticated Encryption Under consideration for inclusion in a future release of Notes/Domino IBM’s statements regarding its plans, directions and intent are subject to change or withdrawal without notice at IBM’s sole discretion.
73. 46 Notes/Domino SHA-2 Support
74. SHA-1 is rated as “insecure” SHA-1 is not recommended any more – There are at least theoretical attacks against SHA-1 – Customers are encouraged to move away from SHA-1 to avoid situations we had before with MD5 – SHA-256 is recommended and required for secure encryption – Governments recommend to move to SHA-256 – SHA-256 is approved by Federal Information Processing Standard (FIPS) 140-2 Browser vendors decided start to warn when using SHA-1 certificates – For example: Google starts first to warn for certificates expiring end of this year • Reducing step by step the expiration time for the certs (1.1.2017, .. 1.1.2016) – Affected certificates are all Server and intermediate CAs signed with SHA-1 – Root Certifiers are not affected because they are verified in a different way
75. Browser Vendors start to sunset SHA-1 This means that you have to replace your certificates ASAP – Best practice is also to create a new public/private key • Key could have been compromised and you don't know about it yet – Ensure that the CA you are using already supports SHA-2 • Most CAs only support SHA-2 today because for exact those reasons – If you server certificate expires later than 31.12.2015 and your server does not support SHA-2 yet, consider requesting a cert with a shorter valid period • Just a work-around. Better would be to update your server or put a secure reverse proxy in front of it References – https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature- algorithms/ – http://googleonlinesecurity.blogspot.de/2014/09/gradually-sunsetting-sha-1.html
76. SHA-256 (SHA-2) Support Domino 9.0.x without the current IFs did already support SHA-256 in some areas – X.509 certificate signature verification and S/MIME signed mail – Some areas of Notes/Domino where a password such as the Internet (HTTP) password was previously "hashed." – Internet CA supports SHA-256 Domino 9.0.1 FP2 IF1 supports SHA-2 Certificates for all Internet Protocols and for Keyring Files – SHA-2 support covers SHA-256, SHA-384, and SHA-512 – No Support for SHA-2 is planned for Domino 8.5.x • Domino 8.5.x does not contain SHA-2 support – You should consider updating to the current 9.0.1 fixpack and IF if possible – New Keyring files Management Tool “kyrtool”
77. New Keyring Tool - “kyrtool” Separate Download – Available for Win32/64, Linux 32/64 on Client or Server → just needs to be copied to the N/D program directory Can be used to import, show, export certificates – But not to create a private/public key and a certificate request You can use OpenSSL to create the key and the request – Or you can use any other tool to create the key and the request – Or use an existing key and cert in PEM format Importing Trusted Roots – Either add all to a single PEM file from leave to note (key, cert, intermediates, root) – Or import roots separately • Needs Notes/Domino 9.0.1 FP2 IF1 code → Backend API change is needed
78. Create a Certificate using OpenSSL OpenSSL – native installed on Linux/Unix – On Windows you can use a cygwin environment 1. Create a Private/Public Key – openssl genrsa -out server.key 2048 2. Generate a Certificate Signing Request (CSR) – openssl req -new -sha256 -key server.key -out server.csr 3. Send CSR to CA for signing – Or create a “self signed” certificate for testing • openssl x509 -req -days 3650 -sha256 -in server.csr -signkey server.key -out server.pem – Result is a file in “PEM” format
79. Verify Import File Before importing a PEM file, you should verify the content with the “verify” command – Ensure that the certificate chain is complete and ordered correctly (key, cert, intermediate certs, root cert) – Special tip: you can show the certs in an input via to figure out which cert is missing • Example: kyrtool.exe show certs -i c:dominoall.crt kyrtool.exe verify c:dominoall.crt – Successfully read 2048 bit RSA private key – INFO: Successfully read 4 certificates – INFO: Private key matches leaf certificate – INFO: IssuerName of cert 0 matches the SubjectName of cert 1 – INFO: IssuerName of cert 1 matches the SubjectName of cert 2 – INFO: IssuerName of cert 2 matches the SubjectName of cert 3 – INFO: Final certificate in chain is self-signed
80. Create Keyring File Create a new Keyring File – kyrtool create -k keyring.kyr -p password – When creating a keyring file you need to specify a password • All other commands will read the password from the “.sth” file Importing Key, Certificate, Intermediates and Trusted root – Copy key, cert, intermediates and root certificate into one PEM file – kyrtool import all -k keyring.kyr -i server.pem You can also import the different parts separately – Kyrtool import all|keys|certs|roots -k keyring.kyr -i server.pem – But that makes the import a lot more complicated
81. Keyring “show” command Can be used to show information from a keyring file Kyrtool show certs -k keyfile.kyr – Shows the entire cert chain including the root matching the cert – Tip: You can use the show command to dump all certs and use the “verify” command on the resulting file Kyrtool show keys -k keyfile.kyr – Shows all keys in the keyfile Kyrtool show roots -k keyfile.kyr – Shows all trusted roots in the keyfile Verbose option “-v” can be used to dump more detailed information – More “-v”s on the command line results in more information
82. Reference - Converting file formats Kyrtool requires “PEM” format (text based - BASE64 encoded DER format) – In many cases your CA might use different formats (e.g. Microsoft CA) OpenSSL is your friend when converting different formats – But syntax is not always easy to figure out – Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM • openssl pkcs12 -in cert.pfx -out cert.pem -nodes – Convert Binary DER formatted certificate to text based (BASE64) PEM format • openssl x509 -inform der -in server.cer -outform pem -out server.pem – Convert Binary DER formatted certificate chain to text based (BASE64) PEM format • openssl pkcs7 -print_certs -inform der -in certificate_chain.p7b -outform pem -out chain.pem
83. 56 Notes S/MIME Support
84. Increasing Internet Certificate Key Size Domino 9 Internet CA Supports SHA-2 – You can remove and re-create the Internet Certifier with SHA256 and higher key length – Or create multiple Internet Certifiers
85. Internet CA Result Resulting CA can be used to assign new certificates to users via Person Doc
86. Enabling stronger ciphers and SHA-2 Client Notes.ini (deployed via desktop policy) needs the following settings – SMIME_CAPABILITIES_SEND=AES_128:SHA_256 – SMIME_FIRST_CHOICE_CONTENT_ENC_ALG=AES_256
87. DOMINO 9.0.1 CONTENT Backup
88. 9.0.1: Messaging Server Reliability Protect from repeat outages due to a single message instance: Processing a “bad” message is responsible for the crash. It remains in mail.box or mail file. Server restarts and proceeds to deal with the same “bad” message, causing repeat crash for below scenarios: Transfer or deliver same "bad" message: Router repeat crash Receive same "bad" message: SMTP repeat crash Fetch same “bad” message via IMAP: IMAP repeat crash Solution to give messaging server reliability in 9.0.1: Keeping per-thread context identifying the current message being processed. Registering an exception handler callback that is called at time of crash to record which email message was processed during crash. A data file is opened and the information identifying this message is written to the file. When server restarts, if above file exists, Router/SMTP/IMAP read the file to identify the "bad" message, move the "bad" message to a new DB (Router and IMAP), and continue to deal with remaining messages.
89. 9.0.1: Messaging Server Reliability Prevent Router, SMTP and IMAP Repeat Crash The feature is enabled by default in 9.0.1 Set below Notes.ini to disable the feature RouterDisableFaultDataCapture=1 SMTPDisableFaultDataCapture=1 IMAPDisableFaultDataCapture=1 How we Deal with "bad" message Quarantine Message to IBM_Technical_Support directory Router/IMAP: Upon Restart move message for diagnostic collection SMTP reject with “554 unable to import”
90. 9.0.1: Diagnostic information in NSD for Router Router diagnostic data provides additional information in NSD stacks This identifies work in progress by a router transfer/delivery thread at the time of a crash. The information includes Message being processed (mailbox and Note ID) Sender and recipient. Stacks in the NSD contain a string printing out this value.
91. 9.0.1: New Execution Control List attribute - Only load Signed & Trusted Java code Provide Notes client users with an option to mitigate any risks involved with running Java code in Notes documents Prior ECLs associated with Applets, Java agents & Xpages enforce runtime security No load time ECL check, leaves an open window for application Java code to exploit any vulnerabilities in JVM Load time verification ECL check allows for customers to have more granular control on what Java code is allowed to load & run in a Notes client document The Quarterly Oracle security patches have all been around attacking the JVM security model primarily from unsigned code This is not a fix to address any known exploit but rather a mechanism to mitigate any future exploits More important from a Notes client perspective since deploying a security patch to Notes client JVM is not always an acceptable solution for customers Changes are limited to Client only covering: Xpages, Applets, Java agents & JS → Java calls Java code running in the context of Notes documents checks the load time ECL attribute and alert the user if the signer does not have permissions to load Java code New ECL attribute “Load Java code” in security panel and in security policy document for pushing out ECL settings
92. 9.0.1: New Security Policy for Federated Login New Security Policy Setting to prevent use of password on vaulted ID when Federated Login is configured Policy setting is only visible if NFL or WFL is configured Default is Yes (ie, Allow use of password) 'No' enforces use of SAML for download of ID from Vault
93. 9.0.1: Web SSO Config Doc Has Custom Cookie Names Web SSO Config doc allows admin to specify LTPAToken and LTPAToken2 custom name. Can be used to configure users for SSO across multiple SSO domains
94. Questions???? 7 Use the Orange Arrow button to expand the GoToWebinar panel Then ask your questions in the Questions panel! Remember, we will answer your questions verbally
95. #XPages @ssounder @TLCCLtd @Teamstudio @PaulDN Upcoming Events: MWLug User Group Meeting, Atlanta, GA - Aug. 19-21 ICON UK, London, England – Sept. 21-22 Question and Answer Time! 8 Teamstudio Questions? email@example.com 978-712-0924 TLCC Questions? firstname.lastname@example.org email@example.com 888-241-8522 or 561-953-0095 Howard Greenberg Paul Della-Nebbia Courtney Carter Kevin LynchDave KernScott Vrusho Keep in mind: TLCC Spring Sale Ends on June 30th Scott Souder
Hear from IBM's product team and learn where Notes, Domino, and Verse ... [Webinar] Domino, Notes, and Verse ... Whats New in IBM Domino, Notes, ...
THE DATE FOR THIS WEBINAR HAS PASSED. Come hear from IBM's product team and learn where Notes, Domino, and Verse are headed in this webinar for ...
Recorded Webinar: IBM Presented Domino, Notes and Verse – Where are We and What’s the Future?
Want to watch this again later? Sign in to add this video to a playlist. A webcast replay of What's New in IBM Domino, IBM Notes, IBM Lotus ...
... Domino, Notes and Verse ... Where are we and What's the Future? ... IBM Notes client: NEW for IBM Notes and Domino 9.0.1 Social Edition!
Domino, Notes, and Verse - Where Are We and Whats the Future? Last Tuesday we have seen what IBM has in store for the future of Notes Domino and ...
XPages Webinar Series Recordings. ... Notes and Verse - Where are we and What's the ... What's New in the IBM Notes and Domino 9 Social Edition for ...
The Future of Domino Application Development, XPages, Notes ... Verse - Where are we and What's the Future? ... Notes, Domino and Verse are ...