domino, notes, and verse - where are we and whats the future?

Domino, Notes, and Verse

Where are We and What’s the Future?

Tweet about this event

And mention us: @Teamstudio @TLCCLTD

@sssouder

June 16, 2015

@Teamstudio

teamstudio.com

@TLCCLTD

tlcc.com

Courtney CarterInbound Marketing Specialist

Teamstudio

Who We Are

• Teamstudio’s background is in creating tools for

collaborative computing in mid-size and large

enterprises, primarily for IBM Notes

• Easy-to-use tools for developers and administrators

• 1600+ active customers, 53 countries

• Offices in US, UK, and Japan

• Entered mobile space in 2010 with Unplugged: easy

mobilization of Notes apps to Blackberry, Android

and iOS

Teamstudio Unplugged

• Your mobile Domino server: take your IBM Notes

apps with you!

• End-users access Notes applications from mobile

devices whether online or offline

• Leverages the powerful technology of XPages

Unplugged Templates

• Continuity – Mobile offline access to BCM programs

• OneView Approvals – Expense approvals; anywhere, anytime

• CustomerView – lightweight CRM framework for field sales and field service teams• Contacts – customer information database

• Activities – customer activity log

• Media – mobile offline file storage and access

XControls

• Set of Controls for IBM Domino XPages developers

working on new XPages apps and on app

modernization projects

• Re-write of the Teamstudio Unplugged Controls

project, but adds full support for PC browser-based

user interfaces as well as mobile interfaces

• Enables XPages developers to create controls that

are responsive

• Learn more: teamstudio.com/solutions/xfoundations

Teamstudio Services

• Professional services for modernization, web

enablement, project management, development,

and administrationo Modernization Services

o Unplugged Developer Assistance Program

o Application Upgrade Analysis

o Application Complexity Analysis

o Application Usage Auditing

• http://www.teamstudio.com/solutions/services/

• NotesTools promotion:

o Be automatically entered to win an iPhone 6 if you contact us by Jun. 30, 2015 for

more information on Analyzer, Delta, and Configurator.

• Webinar in French: Jun. 24, 2015

o With Laurent Godme of IBM and Ady Makombo of Teamstudio

1

#XPages

Your Hosts Today:

Howard GreenbergTLCC

@TLCCLtd

Domino, Notes and Verse -Where are we and What's the

Future?

Paul Della-NebbiaTLCC

@PaulDN

How can TLCC Help YOU!

2

• Private classes at your location or virtual

•XPages Development

•Support Existing Apps

•Administration

• Let us help you become an expert XPages developer!

• Delivered via Notes

• XPages

• Development

• Admin

• UserSelf-

Paced Courses

Mentoring

Instructor-Led

Classes

Application Development

and Consulting

Free Demo

Courses!

3

• Save hundreds and even Thousands of Dollars on the most popular courses and packages XPages Notes/Domino Admin and Development

• Extended!!! Now through June 30th

http://www.tlcc.com/springsale

Upcoming and Recorded Webinars

4

The Webinars will resume in September!

• www.tlcc.com/xpages-webinar

View Previous Webinars(use url above)

Asking Questions – Q and A at the end

5

Use the Orange Arrow button to expand the GoToWebinar panel

Then ask your questions in the Questions pane!

We will answer your questions verbally at the end of the webinar

Your Presenters Today:

6

#XPages

Scott VrushoIBM

Dave KernIBM

Kevin LynchIBM

Scott SouderIBM

@ssouder

SCOTT SOUDER IBM Program Director Sr. Product Manager, IBM Verse

© 2015 IBM Corporation

Legal Disclaimer: IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or

functionality described for our products remains at our sole discretion. 

© 2015 IBM Corporation Mail that understands you Less clutter, more clarity Connecting me to we

© 2015 IBM Corporation

Let’s take a look…

© 2015 IBM Corporation

IBM Verse Roadmap

© 2015 IBM Corporation

IBM Verse Post-GA priorities

•  Offline

•  Mobile: native iOS and Android

•  Enhanced Calendar

•  Deepen social integration

•  Personal Assistant based on IBM Watson

•  Extensibility and programmability for 3rd party integration

•  Continuous enhancement based on user usage metrics

•  On-premises support

© 2015 IBM Corporation

Contact Sync! Sync social contacts and mail contacts

•  Modern, first-class experience

•  Fully accessible

•  Seamlessly sync your Notes/Domino-based contacts with your Connections-based social contacts

© 2015 IBM Corporation

Here’s what we’re thinking about next…

•  Share to blog w/images and attachments

•  Reduce cognitive debt by optimizing screen real estate for ease-of-use and clarity

•  A “reimagined” calendar experience

•  Reduce mail debt by surfacing messages that matter

•  Improvements to “Getting Started” experience

•  File viewer enhancements

•  Orient user and focus on what matters today

•  A deeper, more integrated chat experience

•  “Create my profile picture” experience

© 2015 IBM Corporation

IBM Verse Extensibility and API objectives

Partnering for success: •  Cover key integration points

•  Build the supporting ecosystem

•  Focus on key differentiators

Verse extensibility

Service APIs

© 2015 IBM Corporation

IBM Verse Extensibility and API directions

Integrated actions: •  Allow for adding actions which work against content in Verse

•  Acting on a notification from a workflow application

•  Moving a message into a CRM system for an identified opportunity

•  Archiving a message as “CLASSIFIED”

Export insight: •  Allow external applications to leverage Verse’s analytics and social insight

•  People important / suggested to me

•  Team analytics

•  Needs Action / Waiting for Action

© 2015 IBM Corporation

IBM Verse Extensibility and API directions

Improve on a New Way to Work: •  Allow insights gathered from external resources to enhance the Verse experience

•  Supplementing “suggested people” based on relationships found in a CRM system

•  Improved search filters based on industry-specific taxonomy

•  Recommendations on existing Needs Action or Waiting for Action tasks

Freedom to collaborate:

•  Allow for the substitution of third-party collaboration services in place of IBM’s •  Chat

•  Files

•  …

http://tinyurl.com/njdun3v

“So if you’re not sure about IBM Verse today, think about your move from keyboard to mouse…or from mouse to multi-

touch. You’ll get there. We’ll be there waiting for you…”

– Louis Richardson, IBM Storyteller

THANKS! @sssouder

Domino, Notes, and Verse - Where Are We and What's the Future?

1

Scott VrushoSenior Program Manager

Dave KernResident Paranoid

Kevin LynchSenior Development Manager

June 16, 2015

Agenda

Brief Review of current Domino content

Futures

– Domino.Next

IBM mail support for Microsoft Outlook / Hawthorn

Security

The Ongoing Saga of SSL and TLS

Verse

– New way to work

CURRENCY

CURRENT DOMINO CONTENT

Domino 9.0.1

What's new in IBM Domino Social Edition 9.0.1

Themes:

Quality: Notes / Domino Social edition 9.0.1 was focused at addressing important IBM customer reported defects

Accessibility: XPages, iNotes, Domino server install

Targeted features:

Messaging Server Reliability (Cloud First)

Diagnostic information in NSD for Router (Cloud First)

Security Execution Control List (ECL): New setting for greater security control over Java execution.

XPages Mobile enhancements: detect device type, orientation, event changes

New REST calendar service

Content in backup

Shipped Q4’13

Notes/Domino/Designer Fix Packs

Notes/Domino/Designer 9.0.1 FP2

– IE11 support

– CKEditor 4.3.2 (Domino Server)

– JVM 1.6 SR16

9.0.1 FP3

– iOS 8 support for XPages mobile controls – 9.0.1 FP2 IF1

– Dojo 1.9.4

– CkEditor 4.3.2.2 (Domino Server & Notes Client)

– JVM 1.6 SR16FP2

9.0.1 FP4

– TLS 1.2 Plus More (details from Dave Kern in a few)

– Dojo 1.9.7

– Libpng 1.5.21

– JVM 1.6 SR16FP4

FUTURES

Domino.Next

What’s Next?A sample of what’s coming in a future release

•Live View Refresh - Avoid view bottleneck when updating docs and views simultaneously

•Expanded Summary limit in Documents

•NIF/NSF project to optionally have NIF indexes stored outside of NSF file

•Support RFC 2231- Popular International standard for email headers

•Restrict mail rule forwarding to Internet

•Backend support for field/document level encryption and signatures for Xpages

Support for MS calendar and message files

*IBM’s statements regarding its plans, directions and intent are

subject to change or withdrawal without notice at IBM’s sole discretion.

Solution: New item on view note and a new view refresh option (Critical).

This will shut down refresh during view opening processing

The design flags can be set on the view via an Updall switch

Domino.next Live View Refresh – Dedicated background thread for maintaining critical view indexes

Given out as Hotfixes.

Code added to 9.0.1 FP3 Fixes in FP4

*IBM’s statements regarding its plans, directions and intent are

subject to change or withdrawal without notice at IBM’s sole discretion.

Live View Refresh: Dedicated Background Thread The design flags can be set on the view via Updall task from server console on an ODS52 or above NSF file

Syntax:

Enable on a view: Load updall <dbname> -T#<#seconds> <viewname>

Disable on a view (901FP4 and above): Load updall <dbname> -T~ <viewname>

Example:

Load updall disc9.nsf -T#5 "By Category”

Load updall disc9.nsf -T#30 "All Documents"

The dedicated threads can be observed via the server console ‘Show Tasks’

View Indexer disc9.nsf "By Category" 5 sec. stale read

View Indexer disc9.nsf "All Documents" 30 sec. stale read

The individual threads can be stopped but only temporarily until a server restart

– tell ”View Indexer" stop disc9.nsf "All Documents”

To disable on a view, issue a ~ (tilde) with the –T command as follows:

– Load updall disc9.nsf –T~ "By Category”

*IBM’s statements regarding its plans, directions and intent are

subject to change or withdrawal without notice at IBM’s sole discretion.

This sets the refresh poller to 5 and 30

seconds on these views respectively.

Expand 64k Summary limit

In current releases Text (Summary) limit is:

– 64KB per document

– 32KB per field

– 32KB per view entry

In Notes/Domino.next we have raised the Summary data

– 16MB per document

– Individual Field/View limits remain unchanged

*IBM’s statements regarding its plans, directions and intent are

subject to change or withdrawal without notice at IBM’s sole discretion.

NSF Size on Disk

View Indexes on Disk

(outside of NSF file)

Can grow to 1 Terabyte

DAOS store

(outside of NSF)

Logical size can exceed

64gb with DAOS store

now and in the future

views outside of NSF

NIF-NSF: Storing Views (NIF) outside of Database (NSF)

*IBM’s statements regarding its plans, directions and intent are

subject to change or withdrawal without notice at IBM’s sole discretion.

• Encrypted for Secure storage

• Accessed through existing APIs

RFC2231 support for Mail File Types

This RFC is the current standard for specifying non-ASCII headers.

– Although it was first introduced over 15 years ago. It was not widely used for many years. It has evolved to be the the default for many mail clients, e.g., Thunderbird

*IBM’s statements regarding its plans, directions and intent are

subject to change or withdrawal without notice at IBM’s sole discretion.

Restrict mail rule forwarding to internet

Server configuration to prevent mail rule forwarding to an internet email address

– This is a server side configuration option to prevent individual users from setting up a mail rule that forwards their incoming messages to the internet (i.e. a personal account).

– When users create a mail rule that includes the send/copy to action, any addresses in domains that are not owned by your company are ignored

– Already Available in the Cloud

*IBM’s statements regarding its plans, directions and intent are

subject to change or withdrawal without notice at IBM’s sole discretion.

Secure Your Data On The Web - Document encryption & signature support for XPages

Ensure only the people you want to access the data can access the data using XPages document encryption

Simplify access using public keys or apply greater control using secret keys

Ensure authenticity by electronically signing Domino documents from the web

+

+ X

Targeting

2016

*IBM’s statements regarding its plans, directions and intent are

subject to change or withdrawal without notice at IBM’s sole discretion.

Additional Features For XPages Encryption & Signature Support

Infrastructure for working with keys from the web

– New backend classes, methods & properties in C, Java & LotusScript

– New IDVault class

• Methods for working with IDs (Get or put ID, Get username…)

• Properties for

– New UserID class

• Method for getting encryption keys

– Other Methods

• Session class: IDVault Session.getIDVault()

• Database class: Database.setUserIDForDecrypt(UserID uid)

• Document class: Document.encrypt(Optional UserID uid)

*IBM’s statements regarding its plans, directions and intent are

subject to change or withdrawal without notice at IBM’s sole discretion.

Application Development

Plus Lots of good content for the App Dev space as you recently heard from Pete Janzen, Martin Donnelly and Brian Gleeson:

– May 2015 TLCC/TeamStudio Webinar:

App.Next - The Future of Domino Application Development

– https://www.youtube.com/watch?v=ntVFNjKnljE

*IBM’s statements regarding its plans, directions and intent are

subject to change or withdrawal without notice at IBM’s sole discretion.

Support for Microsoft calendar/message files

This resolves receiving files being received that a user cannot take action on.

– Mail Arrives with un-viewable attachment. This will allow processing/handling these msg message types inline.

Currency

Domino / Notes

– ND.next updates the baselines of components including:

• Java 8

• Latest Keyview for indexing/viewing attachments

• ICU – IBM Classes for Unicode revised

– Windows 10 Notes client support – In test now

– Notes Mac 64 bit coming this fall for OS X 10.11 – El Capitan

• Supports Java 8 – 64 bit

– Lots more for latest OS levels for Server including IBM i, zLinux, Windows Server Next, RHEL/SLES

*IBM’s statements regarding its plans, directions and intent are

subject to change or withdrawal without notice at IBM’s sole discretion.

IBM MAIL SUPPORT FOR MICROSOFT

OUTLOOK

ALIASES: IMSMO, PROJECT HAWTHORN

(Limited Availability)

IBM provides choice in client experience

Notes Browser Plug-in

Traveler

Notes

iNotes

Connections Mail

Verse

(P) = On-premises only (C) = Cloud Initially

(P)

(C)

IMAP accessMicrosoft Outlook 2013Limited

Availability

IBM Mail Server for Microsoft Outlook (IMSMO)

It's “Bring your own client” model supporting Outlook clients and various access methods

Gives clients choice in messaging solutions

Allows Domino 9 Server and Outlook 2013 to communicate

Outlook 2013 natively offers EAS (Exchange ActiveSync) account configuration

This is a capability vs. separate solution (i.e., IMAP, POP3, etc.)

A lightweight Outlook 2013 add-in exposes additional functionality beyond what Outlook 2013

natively offers for EAS configurations

Leverages Domino REST services

Auto-updates ease desktop management as new releases are available

Capabilities

Mail, folders, calendar, contacts, delegation, offline, search, Notes encryption, OOO, room finder, freebusy, quota, etc.

What is Hawthorn?

Outlook 2013 &

IBM mail add-in

IP Sprayer

(F5 or IMC)

Corporate LDAP

(NameLookup only)

Domino with IMSA Domino with IMSAOptional non-IMSA servers in

cluster

DB2 HADR

Domino mail cluster

Project HawthornArchitecture

Requirements

Client

Outlook 2013 on Windows only

Mail Server

Domino 64-bit on Windows 64-bit or AIX 64-bit and now Linux-64

Domino release 9.0.1 + latest fixpack

HTTP process running

Mail replicas reside on the Hawthorn server(s)

IDVault (enables Notes encryption)

DB2

Domino server leverages DB2 storage of mapping metadata

Can be bypassed for small proof of concept deployments

Greatly improves server performance, reliability

Cloud – Planned for End of Q4 2015

Contact your IBM Sales rep to see if you are a

good fit for limited availability nomination

*IBM’s statements regarding its plans, directions and intent are

subject to change or withdrawal without notice at IBM’s sole discretion.

OVER TO DAVE KERN FOR SECURITY

24

25

The Ongoing Saga of SSL and TLS

How did we get here?

The SHA-1 hash algorithm was due to be “sunset” in January 2016

– Naturally, we started working on SHA-2 support well in advance

Sept 2014: Chrome and Firefox announced they were starting over a year early

– Adding prominent lack-of-trust warnings for sites with SHA-1 certificates

– Our timetable for Domino accelerates

Oct 14, 2014: POODLE strikes!

– Browser manufacturers and administrators frantically start disabling SSLv3

– Our timetable for Domino accelerates

Nov 4, 2014: Domino Interim Fixes released adding TLS 1.0 (POODLE) and SHA-2

Dec 8, 2014: ”POODLE on TLS” vulnerability announced.

Dec 19, 2014: Domino Interim Fixes for POODLE on TLS released

March 2015: Domino 9.0.1 FP3 IF2 adds TLS 1.2 and more

Nov 2014 Domino Interim Fixes

For all Platforms and supported Versions

– 9.0.1 FP2, 9.0, 8.5.3 FP6, 8.5.2 FP4, 8.5.1 FP5

TLS 1.0 support for all Internet Protocols inbound and outbound

– HTTP, SMTP, LDAP, POP3, IMAP

– DIIOP inbound only

– Support for TLS_FALLBACK_SCSV

– Does not enable disabling of SSL 3.0

– Cipher suite list for outbound connections re-ordered to place AES ciphers first

– Removed SSLv2, SSL renegotiation, and disabled weak (< 128 bit) ciphers

SHA-2 support introduced

No UI changes

http://www.lotus.com/ldd/dominowiki.nsf/dx/IBM_Domino_TLS_1.0

Dec 2014 Notes and Domino Interim Fixes

Security Bulletin: TLS Padding Vulnerability affects IBM Domino (CVE-2014-8730)

– http://www.ibm.com/support/docview.wss?uid=swg21693142

SPR #KLYH9RMJGL: CVE-2014-8730 TLS 1.x Padding Vulnerability

– Fixes the “POODLE on TLS” vulnerability for CBC ciphers

SPR #KLYH9QXMQE: Disable SSL ini: DISABLE_SSLV3=1

– Domino 9.0.1 FP2 IF 3, 9.0 IF7,8.5.3 FP6 IF6, 8.5.2 FP4 IF3, 8.5.1 FP5 IF3

– Notes 9.0.1 FP2 IF4 and 8.5.3 FP6 IF4 added TLS 1.0 support

• Windows, Linux and Mac OSX

SSLv2 ClientHello - Known “Incompatibility” Sending the first SSL message (ClientHello) in SSLv2 format provided backwards

compatibility with servers that only supported SSLv2

– This is only needed if you want to connect to servers that only support SSLv2

– Extremely useful in 1996!

– Using an SSLv2 ClientHello circumvents many important security characteristics of SSL/TLS

Domino completely disabled SSLv2 including SSLv2 “ClientHello”

– Some other servers may still accept it even if SSLv2 itself is disabled

SSLv2 ClientHello might be still used by some applications

– For example older OpenSSL Libraries or out-of-date clients

– Workaround is to force a specify protocol version “TLS 1.0”

• Example: wget.exe --secure-protocol=TLSv1 ..

– Potential issue with external SMTP Clients that shall remain nameless

30

Where are we today?

(Domino 9.0.1 FP3 IF2)

Why TLS 1.2?

Uses SHA-256 internally instead of MD5 and SHA-1

Adds support for ciphers with SHA-256 integrity checking

Adds support for AEAD (AES-GCM) ciphers

Other security-related improvements too numerous to mention

Caveats

TLS 1.2 requires SHA-256 which requires Notes/Domino 9.0.x

– Significant cryptographic changes between 8.5.x and 9.0.x

– No plans to back port any enhanced TLS functionality to 8.5.x

Any template, UI, and string changes require a Maintenance Release

– Not just a Fix Pack, Interim Fix, or Hot Fix.

– This is why a separate new keyring tool “kyrtool.exe” was released instead of a new database

Therefore, until the next MR, configuration of TLS functionality will be limited to

– notes.ini variables

– server console commands

– command line applications

Secure Renegotiation

Old-style renegotiation is vulnerable to session splicing attacks

– Renegotiation disabled by TLS 1.0 Interim Fixes

Security scanners frequently confuse “doesn't support secure renegotiation” with “supports insecure renegotiation”

RFC 5746 requires servers that do not support renegotiation to claim support for secure renegotiation

HTTP Strict Transport Security (HSTS) header

Indicates to web browsers they should only connect to this site over HTTPS and not HTTP

Helps prevent web browsers from being tricked into communicating over unencrypted HTTP

Domino will now send this header by default if SSL/TLS is enabled and the http port is disabled or set to “redirect only”

– Only with a one week “maximum age” by default

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/HSTS

Problem: The All-Seeing Eye

How do you protect against an attacker who can spy on all of your network traffic?

In most SSL/TLS cipher specs the client transmits a “PreMasterSecret” to the server encrypted with the server's public key

A passive attacker could record network traffic for years and then acquire the server's private key and decrypt all of that traffic

– Sound like anybody you know?

Solution: Perfect Forward Secrecy

No long-term keys are used to generate or transmit the keys used to encrypt your network traffic

Incurs a significant performance penalty, so test in your environment before enabling

May only be enabled via SSLCipherSpec notes.ini

PFS cipher specs in Domino 9.0.1 FP3 IF2:

– TLS_DHE_RSA_WITH_AES_128_CBC_SHA

– TLS_DHE_RSA_WITH_AES_256_CBC_SHA

– TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

– TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

– TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

– TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

Problem: Far too many attacks on hashes and CBC mode

Most cipher specs use a hash algorithm for integrity checking

Many advances in cryptanalytics techniques against hashes

– First to fall were MD4 and SHA-0

– Next fell MD5 and SHA-1

– Now we're using SHA-2 (SHA-256, SHA-384, and SHA-512)

– SHA-3 is undergoing standardization

– When will it end?

Numerous flaws have been found in Cipher Block Chaining (CBC) mode ciphers

– Padding oracle attacks and timing attacks

– POODLE and other downgrade attacks

– POODLE on TLS and other padding attacks

– BEAST and other IV attacks

Solution: Authenticated Encryption (AEAD)

AEAD cipher specs don't use a hash algorithm for integrity

– Integrity checking part of encryption and decryption

AEAD cipher specs do not use CBC mode

– AEAD cipher specs tend to perform better than equivalent CBC mode ciphers

AEAD ciphers in Notes/Domino 9.0.1 FP3 IF2 (from RFC 5288)

– TLS_RSA_WITH_AES_128_GCM_SHA256

– TLS_RSA_WITH_AES_256_GCM_SHA384

– TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

– TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

IBM’s statements regarding its plans, directions and intent are subject to change or

withdrawal without notice at IBM’s sole discretion.

Selecting Ciphers with “SSLCipherSpec”

Server Doc / Internet Site doc no longer used for SSL/TLS configuration

– None of the new ciphers or versions are shown in the UI

– Design changes in Domino Directory will have to wait for a maintenance release (9.0.x) , not a FP or IF

Notes.ini “SSLCipherSpec”

– Used to specify ciphers across all protocols

– Concatenate the two hex digit numbers for the desired ciphers

– Ciphers ordered based on strength

– Example: SSLCipherSpec=9D9C3D3C352F0A9F9E6B3967

• Enable most of the PFS ciphers as well as the default ciphers

Latest cipher list available on the Notes/Domino wiki

– http://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_Cipher_Configuration

Notes.ini Settings DISABLE_SSLV3=1

– Prevent incoming SSLv3 connections

– Fallback to SSLv3 already prevented with most modern clients via TLS_FALLBACK_SCSV

DEBUG_SSL_ALL=2

– Or just DEBUG_SSL_HANDSHAKE=2 and DEBUG_SSL_CIPHERS=2 for less noise

USE_WEAK_SSL_CIPHERS=1

– Not recommended – but if you absolutely must allow frighteningly weak cipher specs

SSL_DISABLE_FALLBACK_SCSV=1

– Disables TLS_FALLBACK_SCSV functionality

– Not recommended – Only use if a badly misconfigured client absolutely needs to connect to your server

SSL_ENABLE_INSECURE_RENEGOTIATE=1

– Not recommended – but if you absolutely need “classic” SSL renegotiation

SSL_ENABLE_INSECURE_SSLV2_HELLO=1

– Not recommended – but if remote SMTP server refuses to disable SSLv2 backwards compatibility...

SSL Test Tools

https://www.ssllabs.com/ssltest/

Probably one of the most busy SSL Test Sites those days

– Can be used to get an idea about your server security status

– Will provide a a “rating” for your server from “A” to “F”

– Also includes details about supported SSL protocol version and ciphers

• Also contains a very useful “simulation” what ciphers certain applications might use

– There is also a test to check which SSL protocol version and ciphers are supported

Reference for Useful OpenSSL Commands

Connect test HTTPS

– openssl s_client -connect www.acme.com:443

Connect test SMTP TLS

– openssl s_client -connect mail.acme.com:25 -starttls smtp

Both print detailed information about certificate, protocol and cipher

Options to force certain SSL versions

– -tls1, -no_tls1, -no_ssl3

“wget” - another test tool

– Uses openssl libs and can be used for HTTPS requests

– wget.exe [--secure-protocol=TLSv1] --no-check-certificate https://www.acme.com

43

Where are we going?

Enhancements under consideration for inclusion in a future Fix Pack

OCSP Response Stapling

– Server requests a single OCSP response for itself and sends it as part of the TLS handshake

– Improves performance by saving each client from needing to perform its own request

Improved interoperability with Java 6 and 7

– Java 6 and 7 only support 1024 bit DH, which breaks compatibility with servers that choose stronger groups

– Java 6 and 7 only use DH with TLS_DHE_RSA_WITH_AES_128_CBC_SHA

– Enhancement to only use 1024 bit DH when using TLS_DHE_RSA_WITH_AES_128_CBC_SHA

Drop priority of TLS_DHE_RSA_WITH_AES_128_CBC_SHA to protect against Logjam attack

– 1024 bit DH groups are believed to be insecure, so avoid them unless the alternative is sending data in the clear.

Add support for 4096 bit DH groups

Logging enhancements

Stability and interoperability fixes

IBM’s statements regarding its plans, directions and intent are subject to change or

withdrawal without notice at IBM’s sole discretion.

TLS 1.3

Cleans up and greatly simplifies the TLS protocol

– TLS 1.3 overhauls SSL/TLS in the way that TLS 1.0 should have

Currently just an Internet Draft, but we're following it closely

– Currently only allows cipher suites with Perfect Forward Secrecy and Authenticated Encryption

Under consideration for inclusion in a future release of Notes/Domino

IBM’s statements regarding its plans, directions and intent are subject to change or

withdrawal without notice at IBM’s sole discretion.

46

Notes/Domino SHA-2 Support

SHA-1 is rated as “insecure”

SHA-1 is not recommended any more

– There are at least theoretical attacks against SHA-1

– Customers are encouraged to move away from SHA-1 to avoid situations we had before with MD5

– SHA-256 is recommended and required for secure encryption

– Governments recommend to move to SHA-256

– SHA-256 is approved by Federal Information Processing Standard (FIPS) 140-2

Browser vendors decided start to warn when using SHA-1 certificates

– For example: Google starts first to warn for certificates expiring end of this year

• Reducing step by step the expiration time for the certs (1.1.2017, .. 1.1.2016)

– Affected certificates are all Server and intermediate CAs signed with SHA-1

– Root Certifiers are not affected because they are verified in a different way

Browser Vendors start to sunset SHA-1

This means that you have to replace your certificates ASAP

– Best practice is also to create a new public/private key

• Key could have been compromised and you don't know about it yet

– Ensure that the CA you are using already supports SHA-2

• Most CAs only support SHA-2 today because for exact those reasons

– If you server certificate expires later than 31.12.2015 and your server does not support SHA-2 yet, consider requesting a cert with a shorter valid period

• Just a work-around. Better would be to update your server or put a secure reverse proxy in front of it

References

– https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/

– http://googleonlinesecurity.blogspot.de/2014/09/gradually-sunsetting-sha-1.html

SHA-256 (SHA-2) Support

Domino 9.0.x without the current IFs did already support SHA-256 in some areas

– X.509 certificate signature verification and S/MIME signed mail

– Some areas of Notes/Domino where a password such as the Internet (HTTP) password was previously "hashed."

– Internet CA supports SHA-256

Domino 9.0.1 FP2 IF1 supports SHA-2 Certificates for all Internet Protocols and for KeyringFiles

– SHA-2 support covers SHA-256, SHA-384, and SHA-512

– No Support for SHA-2 is planned for Domino 8.5.x

• Domino 8.5.x does not contain SHA-2 support

– You should consider updating to the current 9.0.1 fixpack and IF if possible

– New Keyring files Management Tool “kyrtool”

New Keyring Tool - “kyrtool”

Separate Download

– Available for Win32/64, Linux 32/64 on Client or Server → just needs to be copied to the N/D program directory

Can be used to import, show, export certificates

– But not to create a private/public key and a certificate request

You can use OpenSSL to create the key and the request

– Or you can use any other tool to create the key and the request

– Or use an existing key and cert in PEM format

Importing Trusted Roots

– Either add all to a single PEM file from leave to note (key, cert, intermediates, root)

– Or import roots separately

• Needs Notes/Domino 9.0.1 FP2 IF1 code → Backend API change is needed

Create a Certificate using OpenSSL

OpenSSL

– native installed on Linux/Unix

– On Windows you can use a cygwin environment

1. Create a Private/Public Key

– openssl genrsa -out server.key 2048

2. Generate a Certificate Signing Request (CSR)

– openssl req -new -sha256 -key server.key -out server.csr

3. Send CSR to CA for signing

– Or create a “self signed” certificate for testing

• openssl x509 -req -days 3650 -sha256 -in server.csr -signkey server.key -out server.pem

– Result is a file in “PEM” format

Verify Import File

Before importing a PEM file, you should verify the content with the “verify” command

– Ensure that the certificate chain is complete and ordered correctly (key, cert, intermediate certs, root cert)

– Special tip: you can show the certs in an input via to figure out which cert is missing

• Example: kyrtool.exe show certs -i c:\domino\all.crt

kyrtool.exe verify c:\domino\all.crt

– Successfully read 2048 bit RSA private key

– INFO: Successfully read 4 certificates

– INFO: Private key matches leaf certificate

– INFO: IssuerName of cert 0 matches the SubjectName of cert 1

– INFO: IssuerName of cert 1 matches the SubjectName of cert 2

– INFO: IssuerName of cert 2 matches the SubjectName of cert 3

– INFO: Final certificate in chain is self-signed

Create Keyring File

Create a new Keyring File

– kyrtool create -k keyring.kyr -p password

– When creating a keyring file you need to specify a password

• All other commands will read the password from the “.sth” file

Importing Key, Certificate, Intermediates and Trusted root

– Copy key, cert, intermediates and root certificate into one PEM file

– kyrtool import all -k keyring.kyr -i server.pem

You can also import the different parts separately

– Kyrtool import all|keys|certs|roots -k keyring.kyr -i server.pem

– But that makes the import a lot more complicated

Keyring “show” command

Can be used to show information from a keyring file

Kyrtool show certs -k keyfile.kyr

– Shows the entire cert chain including the root matching the cert

– Tip: You can use the show command to dump all certs and use the “verify” command on the resulting file

Kyrtool show keys -k keyfile.kyr

– Shows all keys in the keyfile

Kyrtool show roots -k keyfile.kyr

– Shows all trusted roots in the keyfile

Verbose option “-v” can be used to dump more detailed information

– More “-v”s on the command line results in more information

Reference - Converting file formats

Kyrtool requires “PEM” format (text based - BASE64 encoded DER format)

– In many cases your CA might use different formats (e.g. Microsoft CA)

OpenSSL is your friend when converting different formats

– But syntax is not always easy to figure out

– Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM

• openssl pkcs12 -in cert.pfx -out cert.pem -nodes

– Convert Binary DER formatted certificate to text based (BASE64) PEM format

• openssl x509 -inform der -in server.cer -outform pem -out server.pem

– Convert Binary DER formatted certificate chain to text based (BASE64) PEM format

• openssl pkcs7 -print_certs -inform der -in certificate_chain.p7b -outform pem -out chain.pem

56

Notes S/MIME Support

Increasing Internet Certificate Key Size

Domino 9 Internet CA Supports SHA-2

– You can remove and re-create the Internet Certifier with SHA256 and higher key length

– Or create multiple Internet Certifiers

Internet CA Result

Resulting CA can be used to assign new certificates to users via Person Doc

Enabling stronger ciphers and SHA-2

Client Notes.ini (deployed via desktop policy) needs the following settings

– SMIME_CAPABILITIES_SEND=AES_128:SHA_256

– SMIME_FIRST_CHOICE_CONTENT_ENC_ALG=AES_256

DOMINO 9.0.1 CONTENT

Backup

9.0.1: Messaging Server Reliability Protect from repeat outages due to a single message instance:

Processing a “bad” message is responsible for the crash. It remains in mail.box or mail file. Server restarts and proceeds to deal with the same “bad” message, causing repeat crash for below scenarios:

Transfer or deliver same "bad" message: Router repeat crash

Receive same "bad" message: SMTP repeat crash

Fetch same “bad” message via IMAP: IMAP repeat crash

Solution to give messaging server reliability in 9.0.1:

Keeping per-thread context identifying the current message being processed.

Registering an exception handler callback that is called at time of crash to record which email message was processed during crash. A data file is opened and the information identifying this message is written to the file.

When server restarts, if above file exists, Router/SMTP/IMAP read the file to identify the "bad" message, move the "bad" message to a new DB (Router and IMAP), and continue to deal with remaining messages.

9.0.1: Messaging Server Reliability

Prevent Router, SMTP and IMAP Repeat Crash

The feature is enabled by default in 9.0.1

Set below Notes.ini to disable the feature

RouterDisableFaultDataCapture=1

SMTPDisableFaultDataCapture=1

IMAPDisableFaultDataCapture=1

How we Deal with "bad" message

Quarantine Message to IBM_Technical_Support directory

Router/IMAP: Upon Restart move message for diagnostic collection

SMTP reject with “554 unable to import”

9.0.1: Diagnostic information in NSD for Router

Router diagnostic data provides additional information in NSD stacks

This identifies work in progress by a router transfer/delivery thread at the time of a crash.

The information includes

Message being processed (mailbox and Note ID)

Sender and recipient.

Stacks in the NSD contain a string printing out this value.

9.0.1: New Execution Control List attribute- Only load Signed & Trusted Java code

Provide Notes client users with an option to mitigate any risks involved with running Java code in Notes documents

Prior ECLs associated with Applets, Java agents & Xpages enforce runtime security

No load time ECL check, leaves an open window for application Java code to exploit any vulnerabilities in JVM

Load time verification ECL check allows for customers to have more granular control on what Java code is allowed to load & run in a Notes client document

The Quarterly Oracle security patches have all been around attacking the JVM security model primarily from unsigned code

This is not a fix to address any known exploit but rather a mechanism to mitigate any future exploits

More important from a Notes client perspective since deploying a security patch to Notes client JVM is not always an acceptable solution for customers

Changes are limited to Client only covering: Xpages, Applets, Java agents & JS → Java calls

Java code running in the context of Notes documents checks the load time ECL attribute and alert the user if the signer does not have permissions to load Java code

New ECL attribute “Load Java code” in security panel and in security policy document for pushing out ECL settings

9.0.1: New Security Policy for Federated Login

New Security Policy Setting to prevent use of password on vaulted ID when Federated Login is configured

Policy setting is only visible if NFL or WFL is configured

Default is Yes (ie, Allow use of password)

'No' enforces use of SAML for download of ID from Vault

9.0.1: Web SSO Config Doc Has Custom Cookie Names Web SSO Config doc allows admin to specify LTPAToken and LTPAToken2 custom name.

Can be used to configure users for SSO across multiple SSO domains

Questions????

7

Use the Orange Arrow button to expand the GoToWebinar panel

Then ask your questions in the Questions panel!

Remember, we will answer your questions verbally

#XPages

@ssounder

@TLCCLtd

@Teamstudio

@PaulDN

Upcoming Events: MWLug User Group Meeting, Atlanta, GA - Aug. 19-21 ICON UK, London, England – Sept. 21-22

Question and Answer Time!

8

Teamstudio Questions?contactus@teamstudio.com

978-712-0924

TLCC Questions?howardg@tlcc.com paul@tlcc.com

888-241-8522 or 561-953-0095

HowardGreenberg

PaulDella-Nebbia

CourtneyCarter

Kevin LynchDave KernScott Vrusho

Keep in mind:TLCC Spring Sale Ends on June 30th

Scott Souder