Potential security issue with Domino Certificate Authority (CA) process commands

Technote (FAQ)


Question

A customer contacted IBM® Lotus® to report a potential security issue with the usage of Certificate Authority (CA) process commands on the Lotus Domino® server console.

The use of uppercase characters with either the CA "activate" or "unlock" commands on the server console could result in the password being displayed in clear text.



Cause

To use the Domino server-based CA process, you must issue several commands at the server console. Both the "activate" command (tell ca activate <certifier number> <password>) and the "unlock" command (tell ca unlock <idfile> <password>) require a password as an argument.


Prior to Domino version 6.5.4, the password could be written in clear text to the console.log text file and shown in the Admin panel, depending on the operating system. For more details, refer to Technote # 1167487 "Security Issue with CA Process in Domino 6.x Console on Solaris".

In Domino 6.5.4 or later, it has been found that if any character in the words "ca", "activate", or "unlock" is typed in uppercase, the password is written in clear text to console.log and shown in the Admin panel; only the all-lowercase form of the command is masked.


Answer

This issue was reported to Quality Engineering as SPR# KHON738QB6, and has been fixed in Lotus Domino releases 7.0.3 and 8.0. Refer to the Upgrade Central site for details on upgrading Notes/Domino.


Workaround
In prior releases, enter CA "activate" or "unlock" commands on the console using all lowercase.
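The behaviour described in the Cause section, as an added illustration that is not IBM's code: a console-line masker whose command match is case-sensitive (pre-fix) lets the password through whenever "ca", "activate" or "unlock" carries an uppercase letter, while a case-insensitive match (post-fix) masks every variant. The audit helper shows how an administrator could check an existing console.log for unmasked CA passwords; the log lines are constructed samples.

```python
import re

MASK = "********"

# "tell ca activate <certifier number> <password>" or "tell ca unlock <idfile> <password>".
# Group 1 is everything up to the password, group 2 is the password itself.
_CA_CMD = r"^(\s*tell\s+ca\s+(?:activate|unlock)\s+\S+\s+)(\S+)\s*$"
STRICT = re.compile(_CA_CMD)                  # pre-fix: matches lowercase only
LENIENT = re.compile(_CA_CMD, re.IGNORECASE)  # fixed: matches any casing

# Constructed sample console input, not taken from a real server.
SAMPLE_CONSOLE_LINES = [
    "tell ca activate 1 s3cret",
    "Tell CA Activate 1 s3cret",
    "tell ca unlock cert.id hunter2",
    "tell CA UNLOCK cert.id hunter2",
    "tell ca show queue",
]


def redact(line: str, matcher: "re.Pattern[str]") -> str:
    """Return the line as it would be written to console.log: the password is
    masked only if `matcher` recognises the command."""
    m = matcher.match(line)
    return m.group(1) + MASK if m else line


def audit_console_log(lines) -> list:
    """Defender check: return every logged CA activate/unlock command whose
    password field is not the mask, i.e. a clear-text password on disk."""
    leaked = []
    for line in lines:
        m = LENIENT.match(line)
        if m and m.group(2) != MASK:
            leaked.append(line)
    return leaked


def leaked_after_masking(lines, matcher: "re.Pattern[str]") -> list:
    """Lines that still carry a clear-text password after `matcher` masking."""
    return audit_console_log(redact(line, matcher) for line in lines)


if __name__ == "__main__":
    print("pre-fix leaks :", leaked_after_masking(SAMPLE_CONSOLE_LINES, STRICT))
    print("post-fix leaks:", leaked_after_masking(SAMPLE_CONSOLE_LINES, LENIENT))
```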




Document information


More support for:

Lotus End of Support Products
Lotus Domino

Software version:

6.0, 6.5, 7.0

Operating system(s):

AIX, Linux, Solaris, Windows, i5/OS, z/OS

Reference #:

1261095

Modified date:

2009-06-22
