Open Mic replay: Security certificate expiration for signed applets - Q&A on 13 May 2009 and 14 May 2009

Abstract

On Wednesday, May 13, and Thursday, May 14, IBM Lotus Support hosted Open Mic conference calls on the topic of the security certificate expiration for signed applets in Lotus Domino, Lotus Sametime, and Lotus Quickr services for Lotus Domino that will occur on May 18, 2009.

Content

A panel from IBM Lotus Support gathered to discuss the actions you can take to prevent your users from seeing a warning message as of May 19 indicating that the certificate for signed Java applets in Lotus Domino, Lotus Sametime, and Lotus Quickr services for Lotus Domino has expired. These messages do not mean security has been compromised. They simply reflect the expiration of the signature originally provided in the security certificate used with certain applets.
Information about the problem and fixes can be found in the following technotes:
Recordings of the three Open Mic sessions are now available. Click the links below to play the recording of the conference call (MP3 format). Right-click and select Save As to store the file on your local computer for later playback.
An index of questions (timeline) for each call will be added to this document at a later time.
Replay details for each session

Call # 1
Date/time: 13 May 2009 at 11:00 a.m. EDT (15:00 GMT)
Open Mic Call # 1 MP3 file, using FTP
file size of 13,243,176 bytes
run time of 1:25:19
Timeline of questions:
Approximate time | Summary of question
0:00:00 | Introduction and opening remarks
0:07:40 | How can I test my environment to make sure the warning messages are resolved?
0:12:04 | I'm using the Sametime Connect for Java client. Can you confirm that is only in Sametime 7.0? How to update for that client?
0:13:10 | During my testing, I checked the browser list in the Java Control Panel. Will that certification list in the Control Panel view on my workstation be updated next time I connect?
0:15:06 | Is it the expected behavior that users will be prompted to accept the new certificate once the updates are applied?
0:15:43 | Can you confirm that the remediation for this issue is a file swap? Replacement of existing files with new files?
0:16:20 | Verifying that one-time acceptance of the new certificate. If you selected Trust IBM before, then do you still get one-time prompt for new certificate?
0:16:56 | Does this applet certificate expiration affect Blackberry?
0:17:31 | Shutting down the HTTP task for one Domino server did not allow me to rename the JAR file. Do you have to shut down the whole server or just HTTP?
0:19:30 | Will this affect single sign on?
0:19:57 | For the Lotus Sametime Limited client, are any steps necessary? I'm using the Instant Messaging in the Notes client.
0:20:59 | Using Notes 7.0.3 with integrated Sametime and DWA, are users prompted to trust the new certificate once updates applied?
0:22:13 | What about the Notes client? Is that affected?
0:22:26 | Will this affect Notes Traveler?
0:23:02 | If accessing the JAR files programmatically, such as NCSO.jar by IIOP or by API (not using a browser), is there any effect if you do not apply the patch?
0:24:15 | What is the order to use when replacing both Domino and Sametime applets?
0:24:38 | My testing process included moving the server date forward. What steps should I use to test? (Note: A line echo begins at this point.)
0:25:02 | Does this issue affect Sametime instant meetings as well?
0:25:24 | If I apply the patch to update the certificate this Friday, when do users see the new certificate prompt?
0:26:09 | What options are possible for Sametime 6.5.1, which is no longer supported?
0:28:20 | Questions about a scenario with Sametime EMS and FIPS encryption. Affected?
0:29:46 | If I've received a fix or hotfix in the past, would those fixes be in the resigned JAR files? For a special configuration we have with customized fixes, can we extract the certificates from the JARs to recreate them in our environment? (Note: Line echo corrected during this segment.)
0:32:59 | Is there a fix available for Sametime 7.5?
0:34:18 | Domino 6.5.6 servers, users all using the iNotes 6 template. Any impact here?
0:35:21 | I applied the applet changes to a Domino 8.5 server, opened mail using standard mail template, but did not get asked to Trust the new certificate. Expected behavior?
0:36:59 | Using Lotus Quickr, no Sametime integration, and ActiveX not Java applet for drag and drop. Is this configuration affected?
0:38:28 | Mixed environment. Domino 7.03 servers with Notes 6 or 7 clients using either iNotes 6 or DWA 7 template. How affected?
0:39:20 | Is Sametime Connect for browsers affected?
0:39:56 | For the certificate expiration, what is the behavior in different time zones? Is expiration adjusted to local time?
0:41:33 | I understand that DWA alone is not affected. What if I'm using Sametime awareness in DWA?
0:43:17 | Are there any plans to update these JAR files that are included in the Notes client distribution?
0:44:39 | What are plans for future deliverables? Will the updated files be in fix packs and future releases?
0:48:10 | I had to stop the server, not just HTTP, to replace one JAR file for Domino 7.0.3. I saw some prompts after that in my browser. Are these the expected prompts?
0:51:58 | For Lotus QuickPlace 7, do you have to do the steps in the order listed in the technote?
0:54:21 | In general, how can you check the expiration date for a certificate used to sign these applets?
0:56:15 | I'm using Domino, Sametime, and Quickr. Once I patch all three products, will a user be prompted only once, or for each product?
0:56:40 | For Sametime, do I apply both the Sametime and Domino updates? For mix of Sametime 8 and 6.5.1 servers, what do I do for 6.5.1?
0:57:23 | For QuickPlace 6.5.1, can you confirm that a fix is planned? What about the Domino 6.5 server that I use with QuickPlace?
0:58:37 | Going forward, what deliverables will be updated? If I download 8.0.1 from Passport Advantage in the future, do I apply the fix on top of that?
0:59:34 | For QuickPlace 651, when will resigned JARs be available?
1:00:35 | Complex environment running multiple Lotus products and WebSphere Portal as front-end with portlets to get info from other products. Is the Single Sign On (SSO) affected, that certificate? Or only applets?
1:02:45 | Using Quickr 8.0.0.2 with HF28. Do I replace both Domino and Quickr files?
1:03:00 | Using Domino Document Manager on top of Domino 7.0.2. If I update Domino, is that all I need to do?
1:04:18 | I have many legacy Web applications running on a Domino R5 server. Any recourse?
1:05:05 | Feedback on providing additional clarity for some of the instructions. What to do with STcomm.Jar? For Quickr, do you copy PeopleOnline31.Jar to Sametime server too?
1:06:39 | In my testing, I could not generate the prompt. What could cause that?
1:09:16 | Using Quickr with Sametime integration. Do I also need to apply Domino fixes?
1:10:29 | I found a problem when using a VB script to look for server version, so need to know if the fix files for Domino 8.0 and 8.5 are the same.
1:13:11 | Running Domino 7.0.2 and DWA 6.5.3 template. Will we be affected?
1:13:45 | WebSphere Portal users connect to Sametime. Are we affected?
1:14:08 | Is BlackBerry use affected?
1:14:35 | What STlinks.jar file do we use - the one with Domino or Sametime? Where can I check how I did the initial setup for DWA?
1:18:00 | Most of my users use DWA 7 so won't be affected. Is there any harm done to replace the applets anyway? Will those DWA 7 users see any prompt when they access their mail after I replace the applet files?
1:20:00 | If I do not replace the applet files, how many times does a Web user see the expiration warning?
1:21:51 | Are there any issues if calling these JARs programmatically? Will code continue to run?
1:22:42 | What specific templates and database in Domino are affected?
1:23:27 | If I upgrade later on from Sametime 7.5.1 CF1 to 7.5.1 CF2, do I have to apply the updated applet files for CF2?

Call # 2
Date/time: 13 May 2009 at 8:30 p.m. EDT (14 May 2009 00:30 GMT)
Open Mic Call # 2 MP3 file, using FTP
file size of 6,724,656 bytes
run time of 44:37
Timeline of questions:
Approximate time | Summary of question
0:00:00 | Introduction and opening remarks
0:06:20 | I am an individual user of Notes 6.5. Does this expiration affect me?
0:08:16 | We have many customized Domino applications that Web users access. Do I have to download and apply the applets on all servers on which the applications are hosted? And to mail-only servers?
0:11:14 | Using QuickPlace and Sametime integration. Confirm that PeopleOnline31 goes to the Sametime server? Do you need to apply Domino fixes on QuickPlace server?
0:15:57 | How can I determine the version of my Sametime server? I'm not running the HTTP task on this server (IBM i).
0:17:55 | You mentioned stlinks.jar might be a file to replace when integrating Notes and Sametime instant messaging. Can you explain how to determine if affected?
0:18:28 | If I only use Notes Instant Messaging, not DWA, how affected?
0:20:37 | The documentation indicates that new JAR files have an expiration date of 2012. Will we have to do this same exercise in 3 years?
0:23:50 | Sites around the world use certificates. Why don't Web users see expiration prompts all the time?
0:25:14 | I understand that DWA/iNotes are not affected. Is there any effect if using the Webmail user interface?
0:26:03 | What preparation is required to prevent warning in this scenario: upgrading users' mail template from version 7 to 8 and integrating Sametime in iNotes?
0:26:48 | I'm running QuickPlace 6.5.1 but do not use Sametime awareness. Do we need to do anything?
0:27:03 | What sequence should I use to update the JAR files when using Domino and Sametime? Does sequence matter?
0:28:25 | If I download software made available before May 18, do I then apply updated applets after installing the software?
0:32:14 | Is there any way to find out if a Domino application is actually using these applets?
0:33:03 | How can I test prior to the expiration date to see if my environment is ready?
0:35:45 | For a Sametime server, do I only apply the stlinks.jar and/or the 14 other files in the fix package?
0:37:00 | For future releases of Domino, including hotfixes and fix packs, will the resigned applets be in there?
0:37:51 | Will users have any issue accepting the certificate for the resigned applets if they do not have local administrative rights on their machine?
0:40:41 | Where do I find the updated STcomm.jar file?

Call # 3
Date/time: 14 May 2009 at 12:00 p.m. EDT (16:00 GMT)
Open Mic Call # 3 MP3 file, using FTP
file size of 7,966,368 bytes
run time of 50:25
Timeline of questions:
Approximate time | Summary of question
0:00:00 | Introduction and opening remarks
0:06:15 | We use Domino 8.0.2 fix pack 1 with mail template that goes with that, also DWA. If I move my date forward, I do not see any prompts. Should I expect some?
0:08:46 | Using Domino 6.5 set up for HTTP access. If we do nothing, then users see expiration popup. If we do replace the files, do users see anything at all?
0:10:12 | If we decide to do nothing, do users have the option to select Always Trust in the expiration warning to prevent it from appearing again? Or does it pop up all the time?
0:10:45 | For Domino application servers, is there a database that has these applets enabled to test with?
0:13:24 | I am upgrading a Domino server this weekend. If I download the software from Passport Advantage, are the updated files in there? Or do I replace these applet files after the upgrade?
0:15:29 | I understand that there is no impact to iNotes or Notes clients. Is it good to apply these files anyway?
0:17:13 | If we decide at a future time to allow Sametime use for DWA, then if the applets aren't updated, will prompt appear then?
0:18:00 | I cannot find the file websvc.jar on my Domino for iSeries server. Where should that file be?
0:20:06 | How can I test this issue and show the warning? My testing is not showing the prompt as expected.
0:21:32 | If I have checked to Always Trust IBM, should I expect not to see any warnings?
0:22:06 | How can you tell at what time the expiration occurs? Is the time zone a factor?
0:22:47 | For questions, is there a specific forum we should use on developerWorks?
0:24:24 | Domino on iSeries. Using iNavigator, I see 2 paths for these files. Which locations do I need to replace?
0:27:34 | If I update the applet files tonight, is the certificate updated at that point?
0:28:38 | Can you explain about stlinks? If it's unsigned stlinks that you use, does that affect DWA, Portal, or Quickr?
0:30:31 | Is it the recommendation to replace all of these applets regardless if using Domino, Sametime, and Quickr?
0:31:38 | You can import the new signed certificate into a client machine's JVM, but then you have to push that certificate to everyone's JVM. Is that another option to resolve this?
0:32:35 | For stlinks, is it okay to apply that on servers that aren't using Sametime? Any harm?
0:33:30 | For Sametime Mobile, is there any use of certificates when downloading the mobile client?
0:35:12 | We are applying fix pack 9 to Lotus Quickr 8.1 (8.1.0.9). I see stcomm.jar and peopleonline31.jar are required for Sametime integration. How do I get updated peopleonline31.jar?
0:35:59 | For Sametime on iSeries, the readme references a data directory but I do not see that in the *.zip file. Is that correct?
0:37:11 | In the Sametime files, I see STcomm.jar but cannot find that on my Sametime server. What is it for?
0:38:18 | I have a mixed environment of Domino servers integrating with Sametime. From where do I source the stlinks file?
0:39:23 | Users are going to get prompted if we do nothing or if we replace the applets, correct? Is the difference the type of message they see?
0:40:12 | I understand DWA is not affected. Am I prompted, though, if I open another database and lookup an address in names.nsf?
0:41:05 | Can you confirm when the QuickPlace fixes are expected?
0:41:16 | If you upgrade to Domino 7.0.4 and use JVM 1.5, you are not affected. Is that correct? Is 1.5 bundled in 7.0.4?
0:42:00 | I am building new Domino 8.5 servers and using iNotes. Do I need to apply this update?
0:43:24 | I am using Sametime and DWA/iNotes with instant messaging. Do I need to update the DWA server as well as the Sametime server?
0:45:02 | Can you explain when you do or do not copy the stlinks.jar file?
0:45:34 | If I apply the updated files, do users still get a prompt?
0:46:22 | If we use only DWA, no Sametime integration, do we have to take any actions?
0:47:34 | Where can I find the forums that you made reference to earlier?
0:49:04 | Is the call being recorded?

Cross Reference information

Segment | Product | Component | Platform | Version | Edition
Messaging Applications | Lotus Notes | Lotus Notes | Linux, Mac OS, Windows | 8.5, 8.0, 7.0, 6.5 |
Organizational Productivity- Portals & Collaboration | Lotus Sametime | Lotus Sametime Server | AIX, i5/OS, Linux, Solaris, Windows | 8.0, 7.5.1, 7.0 |
Organizational Productivity- Portals & Collaboration | Lotus Quickr services for Lotus Domino | Administration | AIX, i5/OS, Solaris, Windows | 8.1, 8.0 |
Organizational Productivity- Portals & Collaboration | Lotus QuickPlace | Administration | AIX, i5/OS, Linux, Solaris, Windows | 7.0, 6.5.1 |

Product categories: Software; Organizational Productivity, Portals & Collaboration; Real-time & Team Collaboration; Lotus QuickPlace; Administration
Operating system(s): AIX, IBM i, Linux, Solaris, Windows, i5/OS, z/OS
Software version: 6.5, 7.0, 8.0, 8.5
Reference #: 1385662
IBM Group: Software Group
Modified date: 2009-05-15