
Securing an IBM Domino Web Server

Open Mic
April 10, 2013

Brandon Kutsch | Domino Webserver / iNotes / SmartCloud Meetings L2 Support
Powell Pendergraft | Domino Webserver / iNotes / SmartCloud Meetings L2 Support
IBM Collaboration Solutions

2013 IBM Corporation

Agenda

- SSL for Domino
  - Background
  - Domino Certificate Authority
  - Third Party Certificate Authority
  - Sharing Certificates
- Hardening the SSL Configuration
  - Configurable Ciphers
  - SSL Renegotiation
  - FIPS 140-2 compliance
- Additional Security
  - Port Configuration
  - Available HTTP Methods
  - Secure Single Sign-on
  - Internet Lockout
  - Protecting the Internet Password
- Resources / Available Debug


2 |

2013 IBM Corporation

Agenda

- SSL for Domino
  - Background
  - Domino Certificate Authority
    - Configuring a home-grown Domino CA
    - Creating a kyr for the web server
  - Third Party Certificate Authority
    - KYR creation / CSR generation
    - Installing trusted and signed certificates
  - Sharing Certificates
    - Wildcard certificates
    - Domino as SSL client


SSL for Domino - Background

Secure Sockets Layer (SSL) is a communication protocol that provides secure transmission over the Internet by use of asymmetric cryptography.

It provides encryption of the transmission as well as identity confirmation.

The SSL client will verify that:
- it trusts the issuing authority
- the certificate has not yet expired
- the certified name matches the expected host

Self-signed certificates:
- Self-signed certs have no trusted root info to share
- Some secure clients may experience problems connecting
- Support discourages use of self-signed certs
- Support instead recommends creating a Domino-based CA, so that a trusted root certificate can be installed


SSL for Domino - Domino Certificate Authority: Configuring a home-grown Domino CA


SSL for Domino - Domino Certificate Authority: Creating a kyr for the web server

- Copy the generated kyr and sth files from the local Notes client machine to the Domino server data folder
- Configure the web server to load the new kyr:
  - Server document: Ports > Internet Ports
  - Internet Sites: Web Site document > Security tab

Title: Quick guide to setting up SSL using Domino as the Certificate Authority
Doc #: 1114148
URL: http://www.ibm.com/support/docview.wss?uid=swg21114148

Title: Cannot open session with Domino over SSL after Windows update
Doc #: 1613994
URL: http://www.ibm.com/support/docview.wss?uid=swg21613994


SSL for Domino - Third Party Certificate Authority: KYR creation / CSR generation


SSL for Domino - Third Party Certificate Authority: KYR creation / CSR generation

- Request a base64-encoded .cer or .crt file when submitting the new CSR
- Because Domino can't import a private key, avoid PKCS / P7-formatted certificates
- We can only install signed certificates into the kyr file that were requested by the CSR generated with the csrv database

SSL for Domino - Third Party Certificate Authority: Installing trusted and signed certificates

- Before installing the returned signed cert into the kyr, we need to tell Domino it can trust certs from this provider
- Step #3 (Install Trusted Root Certificate) can be repeated, depending on the number of intermediate roots your CA is using
- Normally CAs will provide the necessary trusted root info:
  - along with the returned signed cert
  - as a public download from their website
- The trusted root info can sometimes be extracted from the returned signed certificate file


SSL for Domino - Third Party Certificate Authority: Installing trusted and signed certificates

Extracting the root and intermediate certificates from the returned signed certificate:
1. Save out the BEGIN CERTIFICATE ... END CERTIFICATE data and create a new ssl.cer file
2. Double-click to open that new .cer file in the Windows certificate viewer
3. On the Certification Path tab, highlight the topmost root and click View Certificate (opens a new certificate window)
4. In the new window, on the Details tab, select Copy to File to extract it out to a file
5. Repeat for any additional intermediate roots to import into the Domino kyr

http://www10.lotus.com/ldd/dominowiki.nsf/dx/Extract_the_root_certificate_from_a_signed_stamped_SSL_server_certificate
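An added example (not from the slides or from IBM) that does the same extraction without the Windows certificate viewer: it splits a base64 (PEM) bundle returned by the CA into one .cer file per certificate, so each root or intermediate can be imported into the kyr in turn. The file names (ssl.cer, ssl_ca1.cer, ...) are my own convention, and the sample bundle is constructed from two tiny DER placeholders rather than real certificates.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def looks_like_der_certificate(der):
    """A DER-encoded X.509 certificate always starts with a SEQUENCE tag (0x30)."""
    return len(der) > 1 and der[0] == 0x30


def split_pem_bundle(text):
    """Return the certificates in a PEM bundle as (pem_text, der_bytes) pairs,
    in file order (a full chain from the CA is normally leaf first)."""
    certs = []
    for body in PEM_BLOCK.findall(text):
        b64 = "".join(body.split())
        der = base64.b64decode(b64, validate=True)
        if not looks_like_der_certificate(der):
            raise ValueError("PEM block is not a DER-encoded certificate")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        pem = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
               + "\n-----END CERTIFICATE-----\n")
        certs.append((pem, der))
    return certs


def chain_file_names(count, prefix="ssl"):
    """ssl.cer for the server certificate, ssl_ca1.cer, ssl_ca2.cer ... for the issuers."""
    return [f"{prefix}.cer" if i == 0 else f"{prefix}_ca{i}.cer" for i in range(count)]


def write_chain_files(text, prefix="ssl"):
    """Write each certificate to its own file so it can be imported into the kyr separately."""
    certs = split_pem_bundle(text)
    names = chain_file_names(len(certs), prefix)
    for name, (pem, _) in zip(names, certs):
        with open(name, "w") as f:
            f.write(pem)
    return names


# Constructed sample bundle: two tiny DER SEQUENCEs standing in for real
# certificates (real ones run to a few KB); only the framing is exercised.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMAMCAQY=\n-----END CERTIFICATE-----\n"
)
```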


SSL for Domino - Third Party Certificate Authority: Installing trusted and signed certificates

- With the trusted root installed, Domino now trusts the SSL certificate provider
- Proceed to step #4 and install the signed certificate
- With the new certs installed, copy the kyr and sth files from the local machine to the Domino server for use


SSL for Domino - Sharing Certificates: Wildcard certificates

- Domino can be configured to use wildcard certificates, e.g. *.domain.com
- Must be managed / requested by the Server Certificate Admin database
- As we are unable to import a private key, we cannot share an SSL wildcard cert with another (non-Domino) web server
- To share a wildcard cert with other Domino servers, simply copy the kyr/sth files amongst the Domino web servers in the same Internet domain


SSL for Domino - Sharing Certificates: Domino as SSL client

- In addition to confirming the server's identity, the SSL kyr stores the trusted root info for other protocols
- If only using Domino as an SSL client, you can possibly share the SSL kyr file among multiple Domino servers:
  - Web service consumer
  - Directory Assistance secure LDAP client
- When Domino is the SSL client (regardless of whether Internet Site configuration is loaded), the keyring info is loaded from the Server document Ports > Internet Ports tab
- If loading Internet Sites, this field will be obscured; you will need to temporarily disable the Internet Site config to expose the SSL kyr settings found in the Server document


Agenda

- Hardening the SSL Configuration
  - Configurable Ciphers
  - SSL Renegotiation
  - FIPS 140-2


Hardening the SSL Configuration - Configurable Ciphers

- Restrict SSL ciphers with known security concerns
- SSLv2 should be disabled in favor of the more secure SSLv3 ciphers
  - IE4 and later browsers support SSLv3
- Recommend disabling null/weak ciphers along with the CBC-based SSL ciphers associated with BEAST man-in-the-middle attacks
- To only allow RC4 ciphers, go to Server document > Ports > Internet Ports > SSL Ciphers and select only:
  - RC4 encryption with 128-bit key and MD5 MAC
  - RC4 encryption with 128-bit key and SHA-1 MAC
- Can be overridden by the Notes.ini setting SSLCipherSpec=0405

http://www.ibm.com/support/docview.wss?uid=swg21254333

http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=%2Fcom.ibm.help.domino.admin.doc%2FDOC%2FH_CHANGING_THE_CIPHER_SPECIFICATION_USED_FOR_SSL.html

http://www.ibm.com/support/docview.wss?uid=swg21568229
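An added example, not from the slides or from IBM, that decodes an SSLCipherSpec value into the ciphers it enables and flags the classes the slide tells you to remove. The codes 04 and 05 come from the slide; the other table entries are the low byte of the standard TLS cipher-suite IDs, which I assume is what Domino's list uses as well, so check them against the IBM cipher list linked above before relying on them.

```python
import re

# Two-hex-digit cipher codes as used in the SSLCipherSpec notes.ini value.
# 04 and 05 are the two named on the slide; the other codes are the low byte
# of the standard TLS cipher-suite IDs (assumed to match Domino's list).
CIPHERS = {
    "01": ("NULL-MD5", "null"),
    "02": ("NULL-SHA", "null"),
    "03": ("EXP-RC4-40-MD5", "export"),
    "04": ("RC4-128-MD5", "rc4"),
    "05": ("RC4-128-SHA", "rc4"),
    "06": ("EXP-RC2-40-CBC-MD5", "export"),
    "09": ("DES-56-CBC-SHA", "cbc"),
    "0A": ("3DES-168-CBC-SHA", "cbc"),
    "2F": ("AES-128-CBC-SHA", "cbc"),
    "35": ("AES-256-CBC-SHA", "cbc"),
}

VERDICTS = {
    "null": "no encryption, remove",
    "export": "40/56-bit export strength, remove",
    "cbc": "CBC mode on SSLv3/TLS 1.0, BEAST exposure",
    "rc4": "stream cipher, avoids BEAST; RC4 itself was later prohibited by RFC 7465",
    "unknown": "not in this table, check the IBM cipher list",
}


def parse_cipher_spec(spec):
    """Split an SSLCipherSpec value such as '0405' into its cipher codes."""
    spec = spec.strip().upper()
    if not spec or len(spec) % 2 or not re.fullmatch(r"[0-9A-F]+", spec):
        raise ValueError(f"malformed SSLCipherSpec: {spec!r}")
    return [spec[i:i + 2] for i in range(0, len(spec), 2)]


def audit_cipher_spec(spec):
    """Return (code, name, verdict) for every cipher the value enables."""
    report = []
    for code in parse_cipher_spec(spec):
        name, cls = CIPHERS.get(code, ("unknown", "unknown"))
        report.append((code, name, VERDICTS[cls]))
    return report


def only_rc4(spec):
    """True when the value enables nothing but the RC4 ciphers the slide recommends."""
    return all(CIPHERS.get(c, ("", ""))[1] == "rc4" for c in parse_cipher_spec(spec))
```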


Hardening the SSL Configuration - SSL Renegotiation

Starting in Domino versions 8.0.2 Fix Pack 6, 8.5.1 Fix Pack 4, and 8.5.2, you can disable SSL renegotiation by adding the following parameter to the notes.ini:
SSL_DISABLE_RENEGOTIATE=1

The parameter addresses a security concern with respect to SSL renegotiation, CVE-2009-3555:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555

Title: Is it possible to disable SSL renegotiation on a Domino server?
Doc #: 1430331
URL: http://www.ibm.com/support/docview.wss?uid=swg21430331

Title: Verifying SSL renegotiation is disabled
Doc #: 1615409
URL: http://www.ibm.com/support/docview.wss?uid=swg21615409


Hardening the SSL Configuration - FIPS 140-2

- The Domino web server SSL library does not meet the stringent FIPS 140-2 compliance requirements
- Other components of Domino are compliant: secure IDs, document encryption, secure email messaging, LTPA2-style SSO tokens
- To achieve compliance over HTTP, IBM recommends the use of a FIPS 140-2 compliant proxy
  - Relying on the HTTPS/TLS libraries of the compliant proxy to interface with the end user and then forward the request to the non-compliant backend Domino web server
  - The backend connection can be either unencrypted port 80 or encrypted SSL
- Any FIPS compliant proxy server will work
  - IBM recommends WebSphere Edge Server and IBM HTTP Server (IHS)
  - New to Domino 9.0 Social Edition is the option to run IHS on the same box as Domino

Title: Is the Domino Web Server SSL engine FIPS 140-2 compliant?
Doc #: 1237209
URL: http://www.ibm.com/support/docview.wss?uid=swg21237209

http://www12.lotus.com/ldd/doc/domino_notes/9.0/help9_admin.nsf/f4b82fbb75e942a6852566ac0037f284/6a71296773065d2d85257b19005b3895?OpenDocument


Agenda

- Additional Security
  - Port Configuration
  - Available HTTP Methods
  - Secure Single Sign-on
    - Idle Minimum Timeout
    - Authentication / Cookie Restrictions
  - Internet Lockout
    - Setup
    - Concerns With Name Variations
  - Protecting the Internet Password
    - Extended Access Control
    - More Secure Password


Additional Security - Port Configuration

- Redirect all traffic to https://
  - Ensures the user population (even those with old http:// bookmarks) uses the secure HTTP config
- Disable anonymous access at the port
  - Ensures that everyone who accesses the Domino web server is an authenticated user and has provided Internet credentials
  - Affects all resources regardless of whether the ACL allows anonymous, and even protects non-NSF resources which normally wouldn't have ACL protection


Additional Security - Available HTTP Methods

- Security scanning software will often recommend disabling certain methods such as TRACE
- Can be configured in the Internet Site Web Site document:
  HTTPDisableMethods=TRACE,CONNECT,OPTIONS
- Note: Do not disable OPTIONS on a Notes Traveler install. This is required for Apple devices to sync.

Title: How to enable or disable HTTP methods
Doc #: 1201202
URL: http://www.ibm.com/support/docview.wss?uid=swg21201202


Additional Security - Secure Single Sign-on: Idle Minimum Timeout

- Domino-based SSO LTPA tokens and Single Server DomAuthSessId cookies allow use of an idle timeout (note: the minimum timeout is not available for WAS-based LTPA SSO)
- Helps prevent an eavesdropper from hijacking the temporarily unattended web session of an idle user
- The Single Server idle timeout is straightforward: specify the timeout in minutes you want to use
- The Multiple Server SSO minimum timeout should be thought of as a range: the time a user could be idle before being timed out varies up to 2x the time specified
  - Example: if wanting to ensure all users are timed out by 30 min, configure the minimum timeout at 1/2 the desired value (15 min)

Title: Use of "Minimum Timeout" Field on the Web SSO Document
Doc #: 1160458
URL: http://www.ibm.com/support/docview.wss?uid=swg21160458


Additional Security - Secure Single Sign-on: Authentication / Cookie Restrictions

- Force login to SSL
  - Mandates SSL for the authentication request POST /names.nsf?login
  - Secure passing of credentials even if the rest of the traffic is over HTTP
- Additional SSO cookie security in the SSO config doc
  - Prevent cookie from unencrypted traffic
    - Prevents the browser from sending the SSO token over an unprotected channel; ensures the SSO token can't be stolen by network eavesdroppers
  - Prevent cookie from being available to JavaScript
    - Limits exposure to malicious scripts
    - But can break some third party SSO configs

Title: Can a Domino server be restricted from sending the SSO token over non-secure HTTP
Doc #: 1215246
URL: http://www.ibm.com/support/docview.wss?uid=swg21215246

Additional Security - Internet Lockout: Setup

- Further Internet authentication protection can be found by enabling the Internet Lockout feature
- Protection against password dictionary attacks
  - Logs and identifies incorrect authentication attempts
  - Can lock out an account based on a specified number of unsuccessful login attempts
- Can review the number of strikes and currently locked out users in the created inetlockout.nsf
- Configured in the web server's Configuration document, Security tab

http://www.ibm.com/developerworks/lotus/library/domino8-lockout/

Additional Security - Internet Lockout: Concerns With Name Variations

- When using Internet Lockout, make sure that the web server's Server document, Security tab, Internet Access section is configured for "Fewer name variations with higher security"
- Otherwise normally successful logins can inadvertently cause strikes against users with similar names
  - A successful login for Joe User causes a lockout strike for Joe Admin
  - Likewise, failed attempts can cause lockouts for multiple users

Title: Domino 8 Internet Lockout feature locks out multiple users
Doc #: 1295342
URL: http://www.ibm.com/support/docview.wss?uid=swg21295342
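A simplified model, added here as an example and not Domino's own lookup code, of why the loose setting charges strikes to the wrong people: with more name variations a login of just "Joe" resolves to both Person records, the password is tried against each candidate, and every candidate that rejects it collects a strike. The directory, the passwords and the exact set of name forms each setting accepts are assumptions for the example.

```python
# Simplified model (an assumption for this example, not Domino's own name
# lookup code) of how Internet Lockout strikes interact with the name
# variations setting. The directory below is constructed sample data.
DIRECTORY = {
    "Joe Admin/Acme": {"short": "jadmin", "mail": "joe.admin@acme.example", "pw": "battery-staple"},
    "Joe User/Acme":  {"short": "juser",  "mail": "joe.user@acme.example",  "pw": "correct-horse"},
}


def match_names(login, fewer_variations):
    """Return the Person records a login name resolves to.

    Fewer variations: full hierarchical name, common name, short name or
    Internet address. More variations: additionally a bare first or last
    name, which is how one login can resolve to several people.
    """
    login = login.strip().lower()
    hits = []
    for fullname, rec in DIRECTORY.items():
        common = fullname.split("/")[0].lower()
        keys = {fullname.lower(), common, rec["short"], rec["mail"]}
        if not fewer_variations:
            keys.update(common.split())
        if login in keys:
            hits.append(fullname)
    return hits


def attempt_login(login, password, fewer_variations, strikes):
    """Try the password against each candidate in turn, recording a strike per
    failed candidate (the per-user count that inetlockout.nsf would hold).
    Returns True as soon as a candidate accepts the password."""
    for fullname in match_names(login, fewer_variations):
        if DIRECTORY[fullname]["pw"] == password:
            return True
        strikes[fullname] = strikes.get(fullname, 0) + 1
    return False


def compare_settings(login, password):
    """Run the same attempt under both settings; return (ok, strikes) for each."""
    loose, strict = {}, {}
    ok_loose = attempt_login(login, password, False, loose)
    ok_strict = attempt_login(login, password, True, strict)
    return (ok_loose, loose), (ok_strict, strict)
```

Under the strict setting the bare name "Joe" simply does not resolve, so the user must log in with a unique form such as the short name and nobody else's counter moves.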

Additional Security - Protecting the Internet Password: Extended Access Control

- Can use xACL to place further security on the individual fields which store the Internet password:
  - HttpPassword: set the Read and Write access settings to Deny
  - dspHttpPassword: set the Read and Write access settings to Deny
- Warning on using xACL on an LDAP server:
  - xACLs (not the LDAP config document) will dictate which attributes are searchable by anonymous
  - As a result, anonymous LDAP searches will fail
- Admin Help article: Securing Internet Passwords



Additional Security - Protecting the Internet Password: More Secure Passwords

- Recommend using the salted "more secure" Internet password format
- Domino offers the choice of three algorithms for storing the Internet password in the Person record:
  - The original: a single unsalted hash
  - More secure Internet password format: salted hash, v4.6 password verification
    - The hashed value will be different for every user even if they share the same password value
  - More secure salted hash, v8.0.1 password verification
- Example hashed values shown on the slide:
  (GXjwcIq8VHJyth4a/jRQ)
  (HxjwcIqBO2jkvPBxJcxBnLZ0Ha30Ha3KHa30HafSeFdviILT4)
- The more secure password format is required if you choose to synchronize a user's Internet password with their Notes password.


Agenda

- Resources / Available Debug
- Q&A


Resources / Available Debug

- HTTP connection debug
  - tell http debug thread all
  - Writes out htthr thread logs in the domino/data/IBM_TECHNICAL_SUPPORT folder
- SSL setup/debug
  - http://www10.lotus.com/ldd/dominowiki.nsf/dx/Knowledge_Collection__Setting_up_and_troubleshooting_SSL_on_Domino
  - Notes.ini Debug_SSL_ALL=1 (requires HTTP task restart)
- Authentication dynamic debug
  - set config webauth_verbose_trace=1
- Inetlockout dynamic debug
  - set config inetlockout_verbose_trace=1
- Web server configuration
  - Console command: tell http show security
    - Displays the current kyr configuration
  - Console command: tell http dump config
    - Outputs many other web server config settings to httpcfg.txt



Questions?
Press *1 on your telephone to ask a question.

Visit our Support Technical Exchange page or our Facebook page for details on future events.
To help shape the future of IBM software, take this quality survey and share your opinion of IBM software used within your organization: https://ibm.biz/BdxqB2

IBM Collaboration Solutions Support page
http://www.facebook.com/IBMLotusSupport

WebSphere Portal
http://twitter.com/IBM_ICSSupport