Domino server rating from F to A+ in seconds

Posted by: Mats

Requirements:
Server running 9.0.1 FP4 and up

Background:
Running SSL Labs test on https://www.ssllabs.com/ssltest/index.html
Gives You low rating

Mission:
Increase rating

Step1:
Gather OCSP information
Goto Site and View certificate

Go to Intermediate certificate next to Your own and View Certificate

Go to Details and Authority Information and under Alternative name write down the URL.
In our case it is https://ocsp.starfield.com/

Step2:
Update notes.ini from console with the following, remember to replace the value of OCSP_RESPONDER with Your value from Step1.!!

set config DISABLE_SSLV3=1
set config HTTP_HSTS_MAX_AGE=17280000
set config HTTP_HSTS_INCLUDE_SUBDOMAINS=1
set config SSL_ENABLE_OCSP_STAPLING=1
set config OCSP_RESPONDER=https://ocsp.starfield.com/
set config OCSP_CLOCKSKEW=10
set config OCSP_LOGLEVEL=31
set config SSLCipherSpec=C030009FC02F009EC028006BC0140039C0270067C013

In Release 10 the last notes.ini SSLCipherSpec is not respected it must be set in Internet Sites\Security

a. Is most secure

b. If You have with a. You can use this and get a good rating anyway

Step3:
Restart HTTP task with following command:
restart task http

Now You can test Your server again and everything should be running fine

19
JUN
2019

0

Share

Blog

A+, certificate, cipher, configuration, Domin, domino, domino security, Domino SSL, Domino10, HCL Domino, hsts, IBM Domino, OCSP, rating, security, SSL, SSL Labs, SSLCipherSpec, SSLv3, stapling, subdomains, www.ssllabs.com

Välkommen till GDPR Meetup – vad hinner du egentligen med på 72 timmar?

Posted by: admin

Välkommen på GDPR-frukost Meetup!

Den nya Data Protection Regulation från EU säger att ett dataintrång måste rapporteras inom 72 timmar. Så långt är allt klart. Utmaningen vi nu står inför är att vara redo med rutiner på vad som ska hinnas med på de 72 timmarna.

– Var upptäcktes intrånget?
– Vilka delar av verksamheten drabbas och kan skadas?
– Kan intrånget spridas till andra delar?
– Har vi någon action plan för att täppa till säkerhetshålet?

Utan ett loggverktyg eller en SIEM-lösning som samlar in information om säkerhetshändelser i din miljö data är det i princip omöjligt att formulera en överblick över intrånget och rapportera det. Än mindre sätta in åtgärder för att lösa problemet.

Under mötet berättar och diskuterar vi om hur du kan upptäcka händelser i realtid och förbereda dig för ett eventuellt intrång.

Spendera dina 72 timmar på omedelbar avhjälpning och snabb rapportering till de drabbade.

Michael Albek har arbetat inom SIEM området i mer än tio år och han kommer att krydda presentationsdelen med flera verkliga intrång som han arbetat med.

Infoware bjuder på frukost!

Talare: Ulf Stider, Infoware och Michael Albek, SecureDevice

Tisdag 8 maj 2018
8:30 – 10:00

Se mer information här!

17
APR
2018

0

Share

Blog

gdpr, meetup, security

Did you know that we are experts in Security Solutions

Posted by: admin

Together with our partner SecureDevice, who is leading in IT security in the Nordic region, we offer services and tools to help you protect your business.

Today, it is unavoidable that business critical infrastructure is exposed to attacks. You are most certainly attacked daily and probably without knowing it. The solution is to make the attacks visible to have a chance to protect yourself from intrusion and theft of business-critical business information.

What does the new data protection regulation (GDPR) entail in May 2018?

GDPR will affect all industries, companies and organizations which handle personal data. In addition to a more stringent security responsibility in your daily work, GDPR entails that detailed data on all detected data violations should be reported within 72 hours. This means that your IT department needs to establish security solutions to prevent, monitor and handle potential data violations.

Contact us to find out more about how our solutions in Identity & Access Management and Security Information and Event Management (SIEM) can help you meet the new requirements.

11
OCT
2017

0

Share

Blog

gdpr, iam, ibm, Infoware, security, siem

Revisit: Wildcard SSL certificate from P12/PFX file into Domino

Posted by: Mats

The objective of this article is to provide an example on how to do this with hopefully no discussions and no questions unanswered. Of course this example is based on a particular situation with a special certificate provider but can hopefully be translated to any other situation with other certificate authorities.
Wrote an earlier article, this is an update

Contents
1. Assumptions
2. What do I need
3. OpenSSL
4. Kyrtool
5. Syntax
6. Example
7. Implement the files on the server
8. Check out if it works
9. Important note
10. Conclusion

Assumptions:
Running Windows 64 bits (directory separator = \)
PFX file contains both certificate, intermediate and root certificates
Domino server running 9.0.1 FP3

What do I need:
1. An exported P12/PFX file from in my case IIS, containing the wildcard certificate private key as well as the certification path to it.

2. OpenSSL:
Homepage: https://www.openssl.org/source/
Easy precompiled: https://slproweb.com/products/Win32OpenSSL.html
The one I used: https://slproweb.com/download/Win64OpenSSL-1_0_2g.exe

3. Kyrtool:
Fixcentral short: https://ibm.co/1SAYX5E
Fixcentral long: https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ELotus&product=ibm/Lotus/Lotus+Domino&release=9.0.1.2&platform=All&function=fixId&fixids=KYRTool_9x_ClientServer&includeSupersedes=0

Syntax:
<ossldir> = Where you installed OpenSSL eg. C:\OpenSSL-Win64
<pfxdir> = Where you have placed your pfxfile
<pfxfile> = Name of your pfxfile eg. wildcard_acme_com.pfx
<pfxpassword> = Password to your pfxfile
<pemdir> = Where you have placed your pfxfile
<pemfile> = Name of your pfxfile eg. wildcard_acme_com.pem
<notespgmdir> = Notes or Domino program directory, minimum 9.0.1 FP3
(assumes that notes program directory is in your path, if not execute from program directory)
<kyrdir> = Directory where you want to put your kyrfile
<kyrfile> = Name of your kyrfile eg. wildcard_acme_com.kyr
<kyrpassword> = Password to your kyrfile

Check your pfx file:
<ossldir>\bin\openssl pkcs12 -info -in <pfxdir>\<pfxfile>
use <pfxpassword> when asked (nothing on PEM)

In general:
1. <ossldir>\bin\openssl pkcs12 -in <pfxdir>\<pfxfile> -out <pemdir>\<pemfile> -nodes -chain
use <pfxpassword> when asked (nothing on PEM)
2. <notespgmdir>\kyrtool create -k <kyrdir>\<kyrfile> -p <kyrpassword>
3. <notespgmdir>\kyrtool import all -k <kyrdir>\<kyrfile> -i <pemdir>\<pemfile>
Check in general:
1. <notespgmdir>\kyrtool show certs -k <kyrdir>\<kyrfile> >kyrcerts.txt
2. <notespgmdir>\kyrtool show keys -k <kyrdir>\<kyrfile> >kyrkeys.txt
3. <notespgmdir>\kyrtool show roots -k <kyrdir>\<kyrfile> >kyrroots.txt

Example:
1. C:\OpenSSL-Win64\bin\openssl pkcs12 -in C:\mypfxfiles\wildcard_acme_com.pfx -out C:\mypemfiles\wildcard_acme_com.pem -nodes -chain
use <pfxpassword> when asked
2. C:\IBM\Lotus\Domino\kyrtool create -k C:\mykyrfiles\wildcard_acme_com.kyr -p password
3. C:\IBM\Lotus\Domino\kyrtool import all -k C:\mykyrfiles\wildcard_acme_com.kyr -i C:\mypemfiles\wildcard_acme_com.pem
Check sample:
1. C:\IBM\Lotus\Domino\kyrtool show certs -k C:\mykyrfiles\wildcard_acme_com.kyr >wildcard_acme_com_kyrcerts.txt
2. C:\IBM\Lotus\Domino\kyrtool show keys -k C:\mykyrfiles\wildcard_acme_com.kyr >wildcard_acme_com_kyrkeys.txt
3. C:\IBM\Lotus\Domino\kyrtool show roots -k C:\mykyrfiles\wildcard_acme_com.kyr >wildcard_acme_com_kyrroots.txt

Implement the files on the server
1. Copy kyr file and the associated sth file to the server
2. Add the kyrfile name to your internet sites document or server document depending how your server is configured
3. Modify the cipher part
4. Make sure the SSL port is enabled in the Internet Ports.. section
5. Restart your http task on the server, use sh ta onl and check that http listens to both 80 and 443

Check out if it works
1. Use your browser and connect to your server via https
2. Look at your certificate information
3. Congratulations

Important note:
Following this means that especially the pem file is unprotected, therefore make sure that keep it in a safe place during this and maybe deleting it afterwards. Same goes for kyrfile (you can not delete them but keep them as safe as you can) as they contain private key.

Conclusion
Doing this task is not more complicated than any other task that involves certificates using any other platform.

Link to this document: https://stage.infoware.com/?p=7226

11
APR
2016

2

Share

Blog

certificate, configure, domino, domino security, Domino SSL, domino wildcard certificate, kyrtool, Open SSL, openssl, p12, PFX, Poodle, security, sha2, SSL, TLS, wildcard, wildcard certificate, Wildcard SSL

Open Sametime Meetings in IBM Notes Client using HTTPS

Posted by: Mats

Problem:
Users preference is to open all Sametime Meeting Rooms in the client. Customer does not allow mixed content in the browser (good thinking).
When user clicks on links to Meeting Servers that was setup with SSL, meaning the link is an https link instead of a http link Meeting Room is not opening in the client.

Cause(s):
1. Webapi is not enabled at all in the IBM Notes Client
2. Webapi on the Client is not SSL enabled
3. The login.jsp on the Meeting server can not handle request to the IBM Notes Client when accessed thru https
4. All of the above

I did all this in Windows so commands and packaging is different if you use eg. Linux, so don't hold that against me.
Probably this code can also be used on Linux but with different commands to check if it works, also I did an extended
version of the jar file that is only valid for Windows running in Administrative context.

I did this and tested it for IBM Notes client 9 only.

You can download code and textfiles here, please use the textfiles if you cut and paste because formatting on this site could otherwise give unpredictable results

Problem:
Users preference is to open all Sametime Meeting Rooms in the client.
When user clicks on links to Meeting Servers that was setup with SSL, meaning the link is an https link instead of a http link Meeting Room is not opening in the client.

Cause(s):
1. Webapi is not enabled at all in the IBM Notes Client
2. Webapi on the Client is not SSL enabled
3. The login.jsp on the Meeting server can not handle request to the IBM Notes Client when accessed thru https
4. All of the above

Solution(s):
1. Make sure that the following parameter is present in plugin_customization.ini (or distributed in some other way)
com.ibm.collaboration.realtime.webapi/startWebContainer=true
2. Use the Sametime SDK sample as a starting to develop your own jar file to include in the install package or distribute as an update
3. Change the content of login.jsp to meet your needs
4. Distribute the certificate file into the Trusted Root Certification Authorities store.
5. Do all of the above

Description(s):
1.
In my case 1. above was present and webapi was started in the client but was not listening on https only http.
The way this implemented is as follows:
http listens on port 59449
https listens on port 59669 (if enabled)

To see what is running use the following command:
netstat -an | findstr "59"

When the solution is working you should be able to see:
TCP 127.0.0.1:59449 0.0.0.0:0 LISTENING
TCP 127.0.0.1:59669 0.0.0.0:0 LISTENING

2.
The problem with doing 2. above is the following:
a. Install a Development environment
b. Develop something that can be installed inside a package and also thru provisioning to both single and multiuser clients
c. Solve the problem with installing unsigned code
d. Solve the problem with SSL certifikates on a local machine
e. Decide which part of IBM that has the correct answer to how a local machine is defined in the context of Sametime SDK, IBM Connections integration, Sametime Meeting server team.
The adress to a local url could basically be 127.0.0.1 or localhost
f. Poodle meaning TLS must be on otherwise browser will not work
g. Include the jar file inside the windows install package for Sametime Embedded (I guess this can be done in a DEB package as well), description not included here.

When all this is done login.jsp (3. above) must be changed to reflect decisions made earlier

For a. I downloaded and installed eclipse-jee-luna-R-win32, I got help from my developer friend @Tobias Gruvfält to include the sample code provided by the Sametime SDK in a new project

For c. I also tried to sign my jar file, but when I tried to install it was always failing (documentation on this is really poor I think), instead I decided to make changes to
plugin_customization.ini by changing the following 3 lines before installing:
com.ibm.rcp.security.update/EXPIRED_SIGNATURE_POLICY=ALLOW
com.ibm.rcp.security.update/UNSIGNED_PLUGIN_POLICY=ALLOW
com.ibm.rcp.security.update/UNTRUSTED_SIGNATURE_POLICY=ALLOW

For d. I created a keystore and a truststore valid for localhost (that I decided on e.), because SDK people and Connections people used localhost

Later on I needed f. and found documentation on how to disable SSLv3 and enable TLS

After that I made changes to certificate files and ssl config files as well as handlers to make sure that b. above was met.

For g. I used sametime.embedded.addon.win32_20141030-0523 (but other distributions can be used) and unzipped the zip file and added my jar file to the features catalog
(all jar files and certificate files as well as text to include in deploy is here ->webapissl-2)
Added 3 lines to site.xml:

I added it just below the definiton of com.ibm.collaboration.realtime.webapi.feature

And also added lines to the following 3 files located in the deploy catalog:

x. plugin_customization.ini

# Trying to fix the problem with signing for this addon
com.ibm.collaboration.realtime.webapi/startWebContainer=true
com.ibm.rcp.security.update/EXPIRED_SIGNATURE_POLICY=ALLOW
com.ibm.rcp.security.update/UNSIGNED_PLUGIN_POLICY=ALLOW
com.ibm.rcp.security.update/UNTRUSTED_SIGNATURE_POLICY=ALLOW

at the bottom of the file

y. install.addon.xml

just below com.ibm.collaboration.realtime.webapi.feature

z. uninstall.addon.xml

just below com.ibm.collaboration.realtime.webapi.feature

Remember to zip the features and deploy catalogs together with site.xml to a zip file with the same name as the old zip you earlier unzipped and replace the old zip file with the new one.

3.
If I remember correctly the original line inside login.jsp on the Meeting Server (please refer to your own environment on where to find it) is as follows:

window.installedClientWebApiUrl = "https://127.0.0.1:59449/stwebapi";

I changed that to the following:

window.installedClientWebApiUrl = (("http:" == document.location.protocol) ? "https://localhost:59449/stwebapi" : "https://localhost:59669/stwebapi");

4.
Talk to your Administrators and make them distribute the included localhosttrustedroot.der to all clients and put it in Trusted Root Certification Authorities
this will work for both IE and Chrome in Windows but for FF you need to make an exception by actually accessing the local site accepting the exception localhost:59669
you can use this url in FF to do it:
https://localhost:59669/stwebapi/listservices

I also made a second jarfile that included the installation of the certfile as root in Windows and that must be run in the context of an Administrator on the other hand
the installation of the total package should run in Administrative context
This version has only been tested on a development machine and also it should not be used if you use provisioning (updatesite) as this always runs in user context.

Catalogs included in the zipfile available for download is as follows ->webapissl-2:

1. "nocertificateinstall" this is the catalog where the jarfile to use for both icluding in package and update site that is also tested on customer site, certificate file for distribution also.
2. "withcertificateinstallwindows" this is the not so tested version where installation of the certfile is included in the package, please read above before using.
3. "webapissl.txt" same content as this article use this when do cut and paste
4. "nocertificateinstallworkspace1-2" source code (eclipse EE) for 1.
5. "withcertificateinstallwindowsworkspace2-2" source code (eclipse EE) for 2.
6. "com.ibm.collaboration.realtime.webapi.ssl.updateSite.zip" sample of zip file to use for provisioning based on 1. of course

The End

5
MAR
2015

0

Share

Administrator, Blog

127.0.0.1, 59449, 59669, Chrome, code for download, com.ibm.collaboration.realtime.webapi, com.ibm.collaboration.realtime.webapi.feature, com.ibm.collaboration.realtime.webapi.ssl.feature, com.ibm.rcp.security.update, Connections, Eclipse, FireFox, HTTPS, IBM Notes Client, IE, install.addon.xml, listservices, localhost, login.jsp, meeting, Meeting Room, Meeting Server, Notes Client, plugin_customization.ini, Poodle, provisioning, Sametime, Sametime Embedded, Sametime integration, Sametime Meeting Room, Sametime SDK, Sametime Web API, sametime.embedded.addon, security, SSL, SSLv3, startWebContainer, stwebapi, TLS, Trusted Root Certification Authorities, window.installedClientWebApiUrl