The Domino Web Server Level 2 Support team hosted an Open Mic Webcast on April 10, 2013. They discussed overall Domino web server security. The team presented on features such as idle session timeout, increasing the password hash, internet password lockout, and more.
Follow highlights from these Open Mics live on Twitter using #ICSOpenMic or simply follow us on Twitter @IBM_ICSsupport.
IBM Collaboration Solutions (Lotus) support wants to help you take full advantage of your products. Join us for our Open Mic webcasts as technical experts share their knowledge and answer your questions.
These webcasts are designed to address specific topics and provide an in-depth and focused technical exchange in a convenient online webcast format.
Topic: Securing an IBM Domino Web Server
Day: Wednesday, April 10, 2013
Time: 11:00 AM EDT (15:00 UTC/GMT, UTC-4 hours) for 60 minutes
For more information about our Open Mic webcasts, visit the IBM Collaboration Solutions Support Open Mics page.
Q: So one cannot create a 2048-bit key size with this method?
A: That is correct, a Domino Certificate Authority will only create certificates up to 1024 bits.
Do not skip the CA profile step; errors have arisen due to skipping that step.
A Domino CA is going to be a smaller bit size.
Q: CSRs created in Domino are encrypted with an MD5 hash, which some CAs (Symantec) won't accept. Are there plans to address this in future releases?
A: There are currently no plans to change the MD5 hash in Domino CSR generation. Domino 9 has shipped with an IHS component that can be configured to sit in front of Domino. The IHS CSR can be created using the new SHA encryption.
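As an added check from the editor, not from the Open Mic or any IBM tool: the following Python reads the signatureAlgorithm field of a PKCS #10 CSR (PEM text or DER bytes) with a minimal DER walker, so a request can be inspected for an MD5 signature before it is submitted to a CA that will reject it. The sample CSRs at the bottom are constructed stand-ins that carry the real algorithm OIDs but no key and no valid signature.

```python
import base64

# Signature-algorithm OIDs a PKCS #10 CSR may carry (PKCS #1 / RFC 8017).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_SIG_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode a DER-encoded OID value into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def csr_signature_algorithm(csr):
    """Name of the signature algorithm in a CSR given as PEM text or DER bytes."""
    if isinstance(csr, str):  # strip the PEM armour lines and decode
        csr = base64.b64decode("".join(l for l in csr.splitlines() if "-----" not in l))
    tag, outer, _ = _read_tlv(csr, 0)         # CertificationRequest ::= SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, pos = _read_tlv(outer, 0)           # certificationRequestInfo (skipped)
    _, alg_id, _ = _read_tlv(outer, pos)      # signatureAlgorithm AlgorithmIdentifier
    tag, oid_raw, _ = _read_tlv(alg_id, 0)    # its first element is the algorithm OID
    assert tag == 0x06, "expected an OID"
    oid = _decode_oid(oid_raw)
    return SIG_ALG_OIDS.get(oid, oid)

def csr_is_weakly_signed(csr):  # what a CA that rejects MD5/SHA-1 CSRs will refuse
    return csr_signature_algorithm(csr) in WEAK_SIG_ALGS
# Constructed sample input (not a real CSR: stub info, no key, dummy signature bits).
def _der(tag, content):  # short-form length only; enough for the samples below
    return bytes([tag, len(content)]) + content
def constructed_csr(sig_oid_hex):
    info = _der(0x30, _der(0x02, b"\x00"))                                  # version 0
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + b"\x05\x00")  # OID + NULL
    return _der(0x30, info + alg + _der(0x03, b"\x00" * 9))                 # + BIT STRING
MD5_RSA_OID_HEX, SHA256_RSA_OID_HEX = "2a864886f70d010104", "2a864886f70d01010b"  # .1.1.4 / .1.1.11
```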
Q: Do any other servers use KYR files other than Domino?
A: Not that we are aware of.
Q: Does IBM have plans to allow wildcard certificates?
A: It's possible to use wildcard certificates between Domino servers. The requirement is that the CSR request for the wildcard certificate originates from a Domino keyfile.
Q: Is it possible to convert a Domino KYR file to a P12 certificate file?
A: It is possible to export a certificate from a KYR file to P12 format using certain versions of the IKEYMAN utility.
Q: Is there documentation for using a wildcard certificate?
A: It is the same steps as the standard process for setting up SSL with a 3rd party certificate; you just need to specify the common name as *.mydomain.com. For the wildcard, just make the common name "*.blah.com", for example. You will make the common name *.test.com, and this will be in step 3.
Q: I got a CA certificate from godaddy.com (Starfield Technologies); all browsers work fine except Safari (on Mac or PC). PC Safari wants me to select a certificate, which did not show the one I got; Mac simply says it cannot connect securely. Any idea how to fix this?
A: The issue you describe seems to be caused by Safari's ability to trust the GoDaddy certificate. I suggest engaging Safari support for assistance.
Q: What about folks who need to renew a cert but aren't ready to upgrade to R9? Can IBM help in those situations?
A: Pre-Domino 9, there is not much that can be done. What we have experienced in support is that if you call the vendor and speak to a person (instead of using the automated websites), most SSL vendors will make an exception and accept the MD5 hash.
Q: If you have a server that hosts multiple websites, it seems that you cannot create multiple SSL configurations for each site. You can create the certs, but when a user tries to open the SSL connection to the IP address, only the first cert registered on the IP address will work. Is there a way around this?
A: The only way to work around this is to have more than one IP address associated with your server.
Q: Yes, that is how we do it at the moment. But it really is a waste of IP addresses.
A: Unfortunately the problem is that SSL must be established before the server reads the header information sent by the client.
Q: Is it possible to customize the server certificate admin database to remove unwanted root CAs and/or add new ones? The idea would be to create keyrings that already have the necessary root CA certificates.
A: You can keep all the roots in the keyfile as a keystore; it does not hurt anything, and you can delete them if you wish.
Q: If we have to use KYR formats, then there REALLY needs to be a useful and good support document on how to convert them for other uses (i.e., not just Domino). Right now iKeyMan documentation and examples are strewn between technotes, Infocenters and some blogs (and the blogs are the best resource, which tells me you are doing it wrong).
A: We will look into getting the documentation updated so there is one go-to document for exporting/converting certificates from KYR files to different formats.
Q: Can a session be hijacked after SSL implementation, since there are many vulnerabilities related to web mail?
A: We would like to say our product is vulnerability free, but it's not. We are putting every effort to address them as they are being discovered. Is there a specific vulnerability you are concerned about?
Q: Is Websphere Edge an entitlement with Domino?
A: I do not believe so; they are separate IBM products. What do you mean by an entitlement?
Q: Entitlement = free with Domino or Notes... like Sametime Limited, Connections Files, etc.
A: I do not believe so.
Q: Why do you have "Enforce server access settings" disabled?
A: As you are probably aware, if you want HTTP to use the deny access fields for users attempting to authenticate, then you will want to set that to yes.
Q: How about IBM HTTP Server IHS? Is there an entitlement for that, or is it also a separate license?
A: With R9 IHS is shipped with Domino. If you select the custom install you can select to install IHS.
Q: How can I force HTTP to restart in order to prevent a hanging HTTP that states "waiting for session to be finished"?
A: This cannot be done. Domino is designed to allow HTTP worker threads to finish the request they are processing, even during an HTTP shutdown. If the worker thread is already hung, they will see the "waiting for session to be finished" message. The only way to recover from this is to restart the Domino server.
Q: Are there any built in facilities for self service unlock/password reset?
A: There is not a self-service facility to reset an internet lockout or password (unless the user has a Notes client and can access the Person document). This kind of feature would require custom design.
Q: How can you allow anonymous access for casual browsing, then force the ACL to require authentication for SSL? Can you force only the internet address for authentication?
A: First, you would need to set Anonymous to Yes in the Server document. Then set ACLs accordingly to allow Anonymous for some databases, and set Anonymous to none for databases where you want to require the users to authenticate.
You can increase the security of the login by changing the Internet authentication field in the Server document, Security tab, to fewer name variations, more security. This will limit the way a user can authenticate and will only allow the full user name and internet address.
Q: Is the information from the two verbose_trace debug settings stored in the debug outfile or elsewhere?
A: The information will show up in the console and also in the debug output file, console.log.
Q: Could I have authentication against credentials different from my fullname and internet address? If Yes, how?
A: You can also allow your users to authenticate using their short name. You can add additional names in their user name field. In the Internet authentication field in the Server document, Security section, change the value to more name variations, less security. This will allow more options; users will be able to log in with their short names, etc.
Q: One more question: How would I start a WebQueryOpen agent in a custom login form? And how can I hook into authentication with XPages? (Read: how would I do a custom login form with XPages?)
A: It might be nice to know why HTTP hangs, but you might be able to create a Program document in the Domino Directory to schedule the HTTP task to restart.
Q: We cannot restart HTTP on a schedule because it is not reliable, as it hangs every now and then. We would also like to know why it hangs and the sessions never end, but we see no way to find out. And since our Domino admins do not get OS access, we cannot even kill and restart a Domino server.
A: Here is a great guide we use to troubleshoot this problem: http://www-01.ibm.com/support/docview.wss?uid=swg27010969
Your issues initially sound unique. We would need to determine what the thread is doing, what database it is accessing, and what it is doing in the database...
I recommend running an NSD at the time of the hanging threads, making sure semaphore debug is enabled (http://www-01.ibm.com/support/docview.wss?uid=swg21089976). This will give us a better idea of what is going on. Then open a PMR with us to review the data.
Q: Are there any built in facilities for self service unlock/password reset for the authenticating user, other than the time out?
A: There are third-party products for that, e.g. Secure Domino. You can force users to change their passwords the next time they log in; the AdminP process would facilitate this, but you must select the users that need to update their passwords.
Q: With Shared Login, the client and web password no longer sync. Any way to get them to sync again?
A: SPR SAKI7P88GT: Enhancement request: Need synchronization between Notes Shared log-in password and DWA
Currently, the Internet password and the Notes Shared Login Notes ID password cannot be synchronized. Unfortunately, due to the functionality of NSL, the standard password sync is no longer possible. The issue is that with NSL you are no longer accessing the server with an ID.
New 8.5 Notes Shared Login "Gotchas": http://www-01.ibm.com/support/docview.wss?uid=swg21405060
Q: OK, so I just checked and password expiration requires "Check passwords on Notes IDs", so I'm still unsure how to force an HTTP password to expire without an ID.
A: See technote 1232227.
Q: Currently, this presentation is timely, we have a consultant working with us configuring a NetScaler to handle SSL. Is that something that can actually be done?
A: This would be similar to what we've talked about: set up a proxy in front of Domino, have the NetScaler handle the SSL secure communications, then have the proxy pass the traffic to Domino unencrypted. You can go for the SSL configuration to Domino over 443, or over port 80; the server is not worried about eavesdropping.
Q: Are the communications between the remote web browser and the Domino server still as secure at that point?
A: It will be secure between the browser and the NetScaler, which will be the one exposed from the DMZ.
Q: This is a question about the Internet password the user may use and the hash it generates. We have a few users whose Notes password is usually the same as their Internet password, and for some reason those get out of sync, and you almost have to manually force the Internet password to be whatever they think their new password is. I was wondering if that was related to anything we need to look for? We just don't know what we're looking at when we're trying to debug this issue. The user has not accessed the web apps in a while, so the password may be what it was two changes ago.
A: The "Change HTTP password" request in the Admin4 database may not be making its way up to the hub server. It has to go up and be sent back down via replication. There is also a security policy to keep the passwords in sync between Notes and Internet. If the users change the Notes password, it should change the Internet password as well. That policy should not allow the user to change their HTTP password.
Q: Are there any issues from the server being upgraded from 8.5x to 9.0 in terms of policies and keys carrying over?
A: We are not aware of issues at this time in terms of policies.
Q: We are trying to configure our Domino servers to connect to WorkServices or some third-party company, and it looks like the Domino server doesn't send the certificate properly. Is there any documentation on how to properly send out connections from a Domino server to some web services?
A: What you want to do is make sure of the certificate. If you are using the web services consumer design element, then you would utilize the keyring file and the Server document. If you are doing your own home-grown Java calls, that's going to be in the cacerts.
We can check the documentation, but if you are consuming, then the code is running on the server as the consumer, and the certificate authority of the web service provider needs to be merged into the keyfile. If you're not using a web service consumer and just consume via a Java agent, that uses a different security keystore, the JVM's cacerts, which is a keystore specific to the JVM. So it depends on which form of consumption you're using.
Q: On the other end of the equation, you showed us how to harden the server, but obviously our users are a force unto themselves; there is no way to force password expiration or password complexity over HTTP. So wouldn't that also be a requirement to have on the web server?
A: They should be using policies. You can use password complexity and password expiration; those are things that can be mandated in the security policy on the web. And similarly, if you synchronize your Notes and Internet passwords, you can essentially inherit the Notes password security policy you have in place for complexity.
Q: Lots of customers moving from Notes ID to iNotes and Connections. There is no way to force expiration via a policy without a Notes ID and Client.
A: It is available for Internet passwords. If you want, you can open a PMR and we can walk you through where to find that.
Q: Regarding the complexity of the Internet password that we want to put through the security policy "force change password": how can that work with the DOMCFG? Is it the DOMCFG that controls it, or the names.nsf that is taking control of it?
A: The DOMCFG just provides the interface and options for the login screen, or login forms. The policies are going to set the complexity and expiration. The underlying code is going to present the users with the fact that the password needs to be changed.
Q: Any documentation on how the DOMCFG talks to the names.nsf with regards to the change password?
A: There may not be any documentation on that specifically, because the DOMCFG is going to be just the front end that provides the forms to you, as opposed to being in the code that actually prevents the changing of the password. There was a link in the discussion a little while ago concerning this topic: how the change password takes place. As you submit the request to change the password, the process on that local Domino goes to the admin4 on that server, replicates admin4 to admin4, admin4 processes that request, sends the request to the home mail server's admin4.nsf, changes the Internet password in the home mail server's Person document, and then you have to wait for the names.nsf to replicate back for that server to know the user has changed their password. Based on replication topology, there could be delays.
The resources mentioned during the Open Mic were also posted to our support Twitter account at http://twitter.com/IBM_ICSsupport #icsopenmic
- Quick guide to setting up SSL using Domino as the Certificate Authority: https://ibm.biz/Bdx8HA
- Cannot open session with Domino over SSL after Windows: https://ibm.biz/Bdx8HJ
- Extract the root certificate from a signed stamped SSL server certificate: https://ibm.biz/Bdx8HV
- Selecting SSL Ciphers on Domino: https://ibm.biz/Bdx8H8
- Changing the Cipher Specification used for SSL: https://ibm.biz/Bdx8Hg
- IBM Lotus Domino remedy for BEAST Secure Socket Layer (SSL) 3.0 exploit recently published (CVE-2011-3389): https://ibm.biz/Bdx8Hh
- Common Vulnerabilities and Exposures: https://ibm.biz/Bdx8He
- Technote 1430331: Is it possible to disable SSL renegotiation on a Domino server: https://ibm.biz/Bdx8Hb
- Technote 1615409: Verifying SSL renegotiation is disabled: https://ibm.biz/Bdx8Hp
- Technote 1237209: Is the Domino Web Server SSL engine FIPS 140-2 compliant? https://ibm.biz/Bdx8Hn
- Using the new internet lockout feature: https://ibm.biz/Bdx8Hf
- Domino 8 Internet Lockout feature locks out multiple users: https://ibm.biz/Bdx8Hq
- Admin Help article Securing Internet Passwords: https://ibm.biz/Bdx8HY
- SSL setup/debug: https://ibm.biz/Bdx8Hj
- TN 1201202: How to enable or disable HTTP: https://ibm.biz/Bdx8Ha
- TN 1160458: Use of "Minimum Timeout" Field on the Web SSO Document: https://ibm.biz/Bdx8HK
- TN 1215246: Can a Domino server be restricted from sending the SSO token over non-secure HTTP? https://ibm.biz/Bdx8Hv
- Techdoc 7010969 Collecting data for HTTP hang or performance issues on a Lotus Domino server
- Technote 1089976 Turning on semaphore debugging parameters in notes.ini for Domino
- Technote 1405060 New 8.5 Notes Shared Login "Gotchas"
- Technote 1232227 Ability for password synchronization to flow from HTTP to Notes