How do I get SHA-2 support in IBM Domino?
|Prior to Notes & Domino 9.0.1 Fix Pack 3|
- SHA-2 signing - IBM Notes and Domino Social Edition 9.0 updated the cryptographic libraries in the product to lay the foundation for using SHA-2. It was this cryptographic work that allowed the Notes 9.0 functionality to verify and send SHA-2 signed e-mail messages.
- IHS Proxy solution - Domino 9.0 introduced the IBM HTTP Server (IHS) that supports SHA-2 and TLS (up to 1.2). This configuration routes HTTP traffic through IHS either directly on the same machine as the Windows Domino 9.x server or as a separate server in front of your existing Domino server.
|SHA-2 support as of Notes & Domino 9.0.1 Fix Pack 3|
SHA-2 support for Domino 9.x has been delivered in 9.0.1 Fix Pack 3 and above (previously available via Interim Fixes for 9.0.1 Fix Pack 2 and 9.0).
- With this Fix Pack, Domino administrators will be able to configure Domino 9.x to use a SHA-2 certificate over HTTP, SMTP, LDAP, POP, and IMAP. With a SHA-2 certificate in place, users will be able to use a browser to connect to iNotes, XPages, traditional Domino Web apps, and Sametime (based on Domino HTTP).
- Once the Interim Fix is applied, browser users will not receive a security alert since Domino will be configured with SHA-2. Domino administrators will be able to import a 3rd-party SHA-2 cert or generate SHA-2 certs with the Domino Administrator client with Domino 9.x running the Interim Fix on all supported platforms.
- As mentioned in the above section, the cryptographic infrastructure needed to provide these features was new to Domino 9.x. For this reason, we will not be able to support SHA-2 on Domino 8.5.x.
IBM is committed to delivering a secure and reliable offering. It is our intention to continue to address general enhancements including security updates as is our general practice in our product development cycles or in our ongoing subscription updates.
|How to implement SHA-2 for Domino|
- Note: Without this patch you will receive "Certificate signature does not match contents" error during step 17, "Merge Trusted Roots"
Step 2: Download and install the KYRTool on the same Domino Administrator client referenced in step 1 by placing the W32 kyrtool.exe in the Notes program directory. Refer to the wiki articles linked below for instructions on installing and running KYRTool
- KYRTool is a new tool that replaces iKeyMan. KYRTool is capable of handling SHA-1 and SHA-2 certificates.
Step 3: Upgrade your Domino server running the CA process to 9.0.1 Fix Pack 3. This Fix Pack will allow the CA process on the Domino server to process SHA-2 certificates.
For more information, refer to the following Wiki articles:
- Generating a SHA-2 Keyring file
- Generating a keyring file with a self-signed SHA-2 cert using OpenSSL and kyrtool
- Generating a keyring file with a third party CA SHA-2 cert using OpenSSL and kyrtool
- Installing and Running the Domino keyring tool
No. Domino 8.5.x lacks the cryptographic infrastructure for SHA-2. This means if you import the cert using 9.x and the Interim Fix and and KYRTool described above, you can use that keyring on a Domino 9.0 or above server, but not on a Domino server pre-Domino 9.0.
Q2: Can I get a hotfix on 8.5.x or earlier to support SHA-2?
No. This is not possible since releases prior to Domino 9.0 lack the cryptographic infrastructure for SHA-2.
Q3: Is IBM Notes impacted?
- If you use the default operating system browser, then Notes is not impacted.
- The native embedded browser in Notes does not support SHA-2 and TLS. We recommend that users configure Notes to use the default browser of the operating system. See the following IBM Tips Podcast post for instructions: How to change the default browser for Notes
IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.