Open Mic
April 10, 2013
Agenda
Background
Wildcard Certificates
Sharing Certificates
Additional Security
Port Configuration
Available HTTP Methods
Secure Single Sign-on
Internet Lockout
Protecting the Internet Password
-Background
Secure Sockets Layer (SSL) is a communication protocol that provides secure transmission over the
Internet. Asymmetric (public-key) cryptography authenticates the server and establishes the session key;
the session data itself is protected with the symmetric ciphers selected in the cipher configuration below.
Request a Base-64 encoded .cer or .crt file when submitting the new CSR
Before installing the returned signed certificate into the kyr, we need to tell Domino it can trust
certificates from this provider by installing the provider's root as a trusted root
Step #3, Install Trusted Root Certificate, is repeated once for each intermediate CA certificate
your CA uses between its root and your server certificate
Save the text from BEGIN CERTIFICATE through END CERTIFICATE into a new ssl.cer file
Double-click the new .cer file to open it in the Windows certificate viewer
On the Certification Path tab, highlight the topmost (root) entry and click View Certificate (a new certificate window opens)
In the new window, on the Details tab, click Copy to File to export the root certificate (choose Base-64 encoded X.509)
Repeat for each intermediate CA in the path, then import every exported file into the Domino kyr as a trusted root
http://www10.lotus.com/ldd/dominowiki.nsf/dx/Extract_the_root_certificate_from_a_signed_stamped_SSL_server_certificate
With the trusted roots installed, Domino now trusts the SSL certificate provider and the signed server certificate can be merged into the kyr
With the new certificates installed, copy the kyr and sth files from the local machine to the Domino server for use
The sth file is the stash of the keyring password, so treat the pair as secret material both in transit and on the server's disk
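The certificate-viewer steps above, done as a script. This is an added example, not IBM/Domino code or the wiki article's: it splits a PEM bundle (a CA's returned chain, or `openssl s_client -showcerts` output) into individual certificates, reads each one's subject and issuer directly from the DER, and reports which block is the leaf, which are intermediates (each to be imported as a trusted root) and which is the self-signed root. The sample bundle is constructed from key-less, unsigned certificate-shaped structures, so only the name ordering is exercised; the script verifies no signatures, and `openssl verify` remains the check to run on the real chain.

```python
"""Split a PEM chain and order it leaf -> intermediates -> root.

Added example for this page (not IBM/Domino code). Parses only the X.509
fields needed to read subject and issuer; it does NOT verify signatures.
"""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x06": "C"}


def split_pem_bundle(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle (any order)."""
    return [base64.b64decode("".join(m.group(1).split())) for m in PEM_BLOCK.finditer(text)]


def _tlv(buf, pos):
    """Decode one DER tag-length-value starting at pos: (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _name_to_str(name_body):
    """Render an X.501 Name (the body of its SEQUENCE) as 'CN=...,O=...'."""
    parts, pos = [], 0
    while pos < len(name_body):
        _, rdn, pos = _tlv(name_body, pos)              # SET OF AttributeTypeAndValue
        _, atv, _ = _tlv(rdn, 0)                        # SEQUENCE { type OID, value }
        _, oid, p = _tlv(atv, 0)
        _, value, _ = _tlv(atv, p)
        parts.append(f"{OID_NAMES.get(oid, oid.hex())}={value.decode('utf-8', 'replace')}")
    return ",".join(parts)


def subject_issuer(der):
    """Return (subject, issuer) of one DER-encoded certificate."""
    _, cert, _ = _tlv(der, 0)                           # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                           # tbsCertificate
    tag, _, pos = _tlv(tbs, 0)                          # [0] EXPLICIT version, or serialNumber if absent
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)                      # serialNumber
    _, _, pos = _tlv(tbs, pos)                          # signature AlgorithmIdentifier
    _, issuer, pos = _tlv(tbs, pos)                     # issuer Name
    _, _, pos = _tlv(tbs, pos)                          # validity
    _, subject, _ = _tlv(tbs, pos)                      # subject Name
    return _name_to_str(subject), _name_to_str(issuer)


def order_chain(ders):
    """Order certificates by subject/issuer matching. Returns [(role, subject, issuer), ...]
    from the leaf upward; if the last entry is not 'root', its issuer is missing from the
    bundle and must be fetched from the CA and imported as a trusted root as well."""
    names = [subject_issuer(d) for d in ders]
    by_subject = {s: (s, i) for s, i in names}
    issuers = {i for s, i in names if s != i}
    leaves = [s for s, i in names if s != i and s not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf certificate, found {leaves}")
    chain, subject, seen = [], leaves[0], set()
    while subject in by_subject and subject not in seen:
        seen.add(subject)
        s, i = by_subject[subject]
        chain.append(("leaf" if not chain else "root" if s == i else "intermediate", s, i))
        if s == i:
            break
        subject = i
    return chain


# --- constructed sample input: certificate-shaped DER with no key and a dummy signature ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def fake_cert_pem(subject_cn, issuer_cn, org="Example"):
    """Demo-only certificate: correct outer structure, enough for subject/issuer parsing."""
    def name(cn):
        atv = lambda oid, s: _der(0x31, _der(0x30, _der(0x06, oid) + _der(0x0C, s.encode())))
        return _der(0x30, atv(b"\x55\x04\x03", cn) + atv(b"\x55\x04\x0a", org))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")              # version v3, serial 1
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
           + name(issuer_cn) + _der(0x30, b"") + name(subject_cn) + _der(0x30, b""))
    der = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = (fake_cert_pem("Example Root CA", "Example Root CA")            # self-signed root
                 + fake_cert_pem("www.example.com", "Example Intermediate CA")   # server (leaf) cert
                 + fake_cert_pem("Example Intermediate CA", "Example Root CA"))  # intermediate

if __name__ == "__main__":
    for role, subject, issuer in order_chain(split_pem_bundle(SAMPLE_BUNDLE)):
        print(f"{role:12} subject={subject}  issuer={issuer}")
```

Everything that comes out as `intermediate` or `root` is a candidate for the Install Trusted Root Certificate step; if the walk stops at an intermediate, the CA did not ship its root in the bundle and you still have to obtain it from the provider.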
-Sharing Certificates
Because a private key cannot be imported into the Domino keyring, an SSL wildcard certificate cannot be
shared between Domino and a non-Domino web server; each needs its own key pair and certificate
To share a wildcard certificate with other Domino servers, simply copy the kyr/sth file pair to the
Domino web servers in the same Internet domain (the wildcard only covers host names under that domain)
-Sharing Certificates
In addition to confirming the server's identity, the SSL kyr stores the trusted-root information Domino
uses when it is the client for other protocols
If a server only uses Domino as an SSL client, you can share one SSL kyr file among multiple
Domino servers, for example:
Web service consumer
Directory Assistance secure LDAP client
When Domino is the SSL client (regardless of whether Internet Site configuration is loaded),
it reads the keyring name from the Server document, Ports > Internet Ports tab
If Internet Sites are loaded, this field is hidden; temporarily disable Internet Site configuration
in the Server document to expose the SSL key file setting, set it, then re-enable Internet Sites
Recommend disabling null/weak ciphers along with the CBC-based SSL ciphers associated with BEAST
style man-in-the-middle attacks
To allow only RC4 ciphers: Server document > Ports > Internet Ports > SSL ciphers, leaving only
RC4 encryption with 128-bit key and MD5 MAC
RC4 encryption with 128-bit key and SHA-1 MAC
Caveat: RC4 has known keystream biases (statistical attacks against RC4 in TLS were published in
March 2013), so RC4-only is a trade-off between two weak options rather than a fix; also reject SSLv2,
and move to TLS with cipher suites that are neither CBC nor RC4 as soon as the server version supports them
http://www.ibm.com/support/docview.wss?uid=swg21254333
http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=%2Fcom.ibm.help.domino.admin.doc%2FDOC%2FH_CHANGING_THE_CIPHER_SPECIFICATION_USED_FOR_SSL.html
http://www.ibm.com/support/docview.wss?uid=swg21568229
Starting in Domino 8.0.2 Fix Pack 6, 8.5.1 Fix Pack 4 and 8.5.2, you can disable SSL
renegotiation (closing the renegotiation plaintext-injection issue tracked as CVE-2009-3555) by adding
the following parameter to notes.ini:
SSL_DISABLE_RENEGOTIATE=1
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
FIPS 140-2
The Domino web server SSL library does not meet FIPS 140-2 compliance
Other Domino components are compliant: secure Notes IDs, document encryption, secure mail
messaging and LTPA2-style SSO tokens
To achieve compliance over HTTP, IBM recommends a FIPS 140-2 compliant proxy in front of Domino,
relying on the HTTPS/TLS libraries of the compliant proxy to terminate the connection with the end user and
then forward the request to the non-compliant backend Domino web server
The proxy-to-Domino hop can be either unencrypted port 80 or encrypted SSL; if it leaves the host or the
trusted network segment, use SSL so that forwarded credentials and session cookies are not exposed in the clear
Title: Is the Domino Web Server SSL engine FIPS 140-2 compliant?
Doc #: 1237209
URL: http://www.ibm.com/support/docview.wss?uid=swg21237209
http://www12.lotus.com/ldd/doc/domino_notes/9.0/help9_admin.nsf/f4b82fbb75e942a6852566ac0037f284/6a71296773065d2d85257b19005b3895?OpenDocument
Additional Security
-Port Configuration
Additional Security
-Available HTTP Methods
Security scanning software will often recommend disabling certain methods such as TRACE (which echoes
the request back to the client and is the basis of cross-site tracing findings), CONNECT and OPTIONS
The allowed methods can be set in the Internet Site (Web Site) document, or disabled server-wide
with the notes.ini parameter:
HTTPDisableMethods=TRACE,CONNECT,OPTIONS
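A quick check that the setting took effect, as an added example (not IBM code): it sends OPTIONS and TRACE to a server with the Python standard library, lists which of the risky methods the server still advertises, and tests whether TRACE echoes the request back (the condition scanners actually flag). The host name `domino.example.com` is a placeholder; the classification helpers run offline.

```python
"""Probe a web server for TRACE/CONNECT/OPTIONS and TRACE reflection.

Added example for this page, not IBM code. probe() talks to a live server;
parse_allow(), risky_methods() and trace_reflected() do the judgement offline.
"""
import http.client
import ssl
import uuid

# The methods the page's setting turns off. Scanners usually also list PUT and DELETE.
RISKY_METHODS = ("TRACE", "CONNECT", "OPTIONS")


def parse_allow(header_value):
    """Turn an Allow header ('GET, POST , head') into a set of upper-case methods."""
    if not header_value:
        return set()
    return {m.strip().upper() for m in header_value.split(",") if m.strip()}


def risky_methods(allowed, risky=RISKY_METHODS):
    """Which of the risky methods the server advertises in Allow."""
    return sorted(m for m in risky if m in allowed)


def trace_reflected(status, body, marker):
    """TRACE matters only if the server echoes the request: a 200 whose body carries
    the unique header value we sent is the cross-site-tracing finding."""
    return status == 200 and marker.encode() in body


def probe(host, port=443, use_tls=True, path="/", timeout=10):
    """Send OPTIONS and TRACE to host and report what the server does with each."""
    def connect():
        if use_tls:
            return http.client.HTTPSConnection(host, port, timeout=timeout,
                                               context=ssl.create_default_context())
        return http.client.HTTPConnection(host, port, timeout=timeout)

    conn = connect()
    conn.request("OPTIONS", path)
    resp = conn.getresponse()
    options_status, allowed = resp.status, parse_allow(resp.getheader("Allow"))
    resp.read()
    conn.close()

    marker = uuid.uuid4().hex                      # unique value so reflection is unambiguous
    conn = connect()
    conn.request("TRACE", path, headers={"X-Probe": marker})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()

    return {
        "options_status": options_status,
        "allow": sorted(allowed),
        "risky": risky_methods(allowed),
        "trace_status": resp.status,
        "trace_reflects": trace_reflected(resp.status, body, marker),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(probe("domino.example.com"), indent=2))   # placeholder host name
```

After HTTPDisableMethods is in place, OPTIONS should no longer advertise the disabled methods and TRACE should no longer come back as a 200 that contains the X-Probe value; any other status is fine for this purpose.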
Additional Security
-Secure Single Sign-on
Idle Minimum Timeout
Domino-based SSO LTPA tokens and single-server DomAuthSessId cookies support an
idle timeout (note: the minimum idle timeout is not available for WebSphere (WAS) based LTPA SSO)
Helps prevent an eavesdropper from hijacking the temporarily unattended web session of an idle user
Single-server session idle timeout is straightforward: specify the timeout in minutes you want to use
Multi-server SSO minimum timeout should be thought of as a range: a user could be idle-timed-out
anywhere between the value specified and 2x that value
Example
If you want to ensure all users are timed out after 30 minutes of inactivity,
configure the minimum timeout at half the desired value (15 minutes)
Additional Security
-Secure Single Sign-on
Authentication / Cookie Restrictions
The SSO token should only ever travel over SSL; the technote below covers keeping Domino from sending it over plain HTTP
Title: Can a Domino server be restricted from sending the SSO token over non-secure HTTP?
Doc #: 1215246
URL: http://www.ibm.com/support/docview.wss?uid=swg21215246
Additional Security
-Internet Lockout
Further Internet authentication protection is available by enabling the Internet Lockout feature
You can review the number of strikes and the currently locked-out users in the inetlockout.nsf
database that the feature creates
http://www.ibm.com/developerworks/lotus/library/domino8-lockout/
Additional Security
-Internet Lockout
Concerns With Name Variations
When using Internet Lockout, make sure that the web server's Server document, Security tab,
Internet Access section is configured for "Fewer name variations with higher security"
Otherwise a normally successful login can inadvertently cause strikes against users with similar
names: an ambiguous login name (a first or last name alone) resolves to several Person documents,
and the password is tried against each of them
Successful login for Joe User causes a lockout strike for Joe Admin
Likewise, failed attempts against an ambiguous name can lock out multiple users at once
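The interaction described above, as a simulation. This is an added example, not IBM code: the directory, passwords and strike threshold are constructed, and the lookup rules are a simplified model in which "fewer name variations" accepts only the full hierarchical name, common name, short name or Internet address, while "more name variations" is assumed to additionally accept a first or last name alone. The Joe User / Joe Admin case from the slide falls out directly, as does the multi-user lockout from one attacker guessing against "admin".

```python
"""How the Internet name-lookup setting interacts with Internet Lockout.

Added example for this page, not IBM code. Directory, passwords, threshold and
the matching rules are constructed/simplified assumptions (see lead-in).
"""
PEOPLE = [  # constructed Person documents; the plain password stands in for the stored hash
    {"fullname": "CN=Joe User/O=Acme", "shortname": "juser", "internet": "joe.user@acme.example", "password": "user-pw"},
    {"fullname": "CN=Joe Admin/O=Acme", "shortname": "jadmin", "internet": "joe.admin@acme.example", "password": "admin-pw"},
    {"fullname": "CN=Ann Admin/O=Acme", "shortname": "aadmin", "internet": "ann.admin@acme.example", "password": "ann-pw"},
]


def common_name(fullname):
    """'CN=Joe User/O=Acme' -> 'Joe User'."""
    return fullname.split("/")[0].split("=", 1)[1]


def candidates(login, people, fewer_variations=True):
    """Person documents that a login string resolves to under the chosen lookup setting."""
    wanted = login.strip().lower()
    hits = []
    for p in people:
        cn = common_name(p["fullname"])
        strict = {p["fullname"].lower(), cn.lower(), p["shortname"].lower(), p["internet"].lower()}
        first, _, last = cn.partition(" ")
        loose = {first.lower(), last.lower()}          # assumed extra matches for "more variations"
        if wanted in strict or (not fewer_variations and wanted in loose):
            hits.append(p)
    return hits


class InternetLockout:
    """Per-Person strike counter, like the entries you would review in inetlockout.nsf."""

    def __init__(self, people, max_tries=5, fewer_variations=True):
        self.people, self.max_tries, self.fewer_variations = people, max_tries, fewer_variations
        self.strikes = {p["fullname"]: 0 for p in people}

    def locked(self, fullname):
        return self.strikes[fullname] >= self.max_tries

    def attempt(self, login, password):
        """The password is checked against every candidate the name resolves to; each
        candidate that does not match takes a strike, even when another one authenticates.
        Returns the authenticated full name, or None."""
        authenticated = None
        for p in candidates(login, self.people, self.fewer_variations):
            if not self.locked(p["fullname"]) and p["password"] == password:
                authenticated = p["fullname"]
            else:
                self.strikes[p["fullname"]] += 1
        return authenticated


def demo(fewer_variations):
    """Joe User logs in by first name, then by short name; then an attacker hammers 'admin'."""
    lock = InternetLockout(PEOPLE, fewer_variations=fewer_variations)
    by_first_name = lock.attempt("Joe", "user-pw")
    by_short_name = lock.attempt("juser", "user-pw")
    for _ in range(5):
        lock.attempt("admin", "guess")
    return by_first_name, by_short_name, dict(lock.strikes)


if __name__ == "__main__":
    for setting in (False, True):
        print("fewer name variations:", setting, demo(setting))
```

With "more name variations" Joe User's first-name login succeeds but leaves a strike on Joe Admin, and five guesses against "admin" lock out both Joe Admin and Ann Admin; with "fewer name variations" the ambiguous names resolve to nobody, so no strikes land on anyone and users must log in with a name form that identifies exactly one Person document.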
Additional Security
-Protecting the Internet Password
Use an extended ACL (xACL) on the Domino Directory to restrict the individual fields that store the
Internet password, so the hashes are not readable by ordinary users who can read the Person document:
HttpPassword: set the Read and Write access settings to Deny
dspHttpPassword: set the Read and Write access settings to Deny
Domino offers the choice of three algorithms for storing the Internet password in the Person
document
The original: a single unsalted hash, so two users with the same password get the same stored value
More secure Internet password format: a salted hash (v4.6 password verification); the stored value
is different for every user even if they share the same password, e.g.
(HxjwcIqBO2jkvPBxJcxBnLZ0Ha30Ha3KHa30HafSeFdviILT4)
The more secure password format is required if you choose to synchronize a user's
Internet password with their Notes password.
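Why the salted format is the one to pick, shown with standard algorithms. This is an added example, not IBM code: Domino's own "(H...)" format is proprietary and is not reproduced; the unsalted variant here is a plain SHA-1, the salted one PBKDF2-HMAC-SHA256 with a random per-user salt, and both the user records and the attacker's wordlist are constructed. It measures the attacker's work in both cases, which is the part the slide's "different for every user" remark leaves implicit.

```python
"""Unsalted vs salted password storage, using standard hashes.

Added example for this page, not IBM code; stand-ins for Domino's formats.
"""
import hashlib
import hmac
import os

ITERATIONS = 50_000   # assumed work factor for the salted variant


def unsalted(password):
    """Original style: one hash of the password, identical for identical passwords."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted(password, salt=None):
    """Salted style: 'salthex$digest', different per user even for the same password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(stored.split("$", 1)[0])
    return hmac.compare_digest(salted(password, salt), stored)


def crack_unsalted(stored, wordlist):
    """One precomputed table serves every user: work = len(wordlist), however many users."""
    table = {unsalted(w): w for w in wordlist}
    return {user: table.get(h) for user, h in stored.items()}, len(wordlist)


def crack_salted(stored, wordlist):
    """The salt forces a fresh guess-and-hash per user: work grows with users * wordlist."""
    found, work = {}, 0
    for user, value in stored.items():
        salt = bytes.fromhex(value.split("$", 1)[0])
        found[user] = None
        for word in wordlist:
            work += 1
            if salted(word, salt) == value:
                found[user] = word
                break
    return found, work


# Constructed directory: two users share a password, as happens in practice.
USERS = {"Joe User": "Summer2013", "Joe Admin": "Summer2013", "Ann Admin": "correct horse battery"}
WORDLIST = ["password", "Summer2013", "letmein"]   # constructed attacker wordlist


def demo():
    plain = {u: unsalted(p) for u, p in USERS.items()}
    salty = {u: salted(p) for u, p in USERS.items()}
    unsalted_found, unsalted_work = crack_unsalted(plain, WORDLIST)
    salted_found, salted_work = crack_salted(salty, WORDLIST)
    return {
        "unsalted_identical": plain["Joe User"] == plain["Joe Admin"],
        "salted_identical": salty["Joe User"] == salty["Joe Admin"],
        "unsalted_cracked": unsalted_found, "unsalted_work": unsalted_work,
        "salted_cracked": salted_found, "salted_work": salted_work,
        "verify_ok": verify_salted("Summer2013", salty["Joe User"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unsalted store reveals at a glance that Joe User and Joe Admin share a password and falls to one table lookup per user; the salted store hides the duplicate and costs the attacker a full hash computation per guess per user, which is the whole point of the per-user random value in the "(H...)" format.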
SSL setup/debug
Notes.ini Debug_SSL_ALL=1 (requires an HTTP task restart); the HTTP thread (htthr) logs are written to the
domino/data/IBM_TECHNICAL_SUPPORT folder
http://www10.lotus.com/ldd/dominowiki.nsf/dx/Knowledge_Collection__Setting_up_and_troubleshooting_SSL_on_Domino
Web server configuration: console command tell http show security
Agenda
Q&A