September 14 2016 Wednesday
9.0.1 FP7 and how to enable the new port encryption settings
Update : Check the comments; Shaun has added a link to the actual IBM technote. You may or may not want 127 as the value, so check that before doing anything.
Here is the HCL technote, now that IBM has killed all of theirs: https://help.hcltechsw.com/domino/10.0.1/conf_port_enc_adv_r.html
9.0.1 FP7 has shipped. It's not all we hoped for (only three new features, and no Java 8), but yet again the Domino security team has added stuff, this time the oft-requested update to Notes client port encryption. But (at the time of writing) all the technotes on how to enable this either go to the wrong page (ICCA) or to a nice-looking, but still pointless, 404 page.
So how do you enable this? Well, after scouring the design partner forum I found a post from the lovely Dave Kern that outlined this a few months back, and I was able to pretty easily figure it out from there.
This is not everything; there seems to be at least one other setting, but this will get you AES port encryption, so it's a start.
It's a server-side notes.ini setting called PORT_ENC_ADV and it's a bitmask value. Based on Dave's post I set this value to 127. That gets me the best available (based on current standards) port encryption that Notes can do, in this case AES_GCM_256 with an AES_128 ticket.
It is backward compatible: I tested FP6 and FP7 clients against this new ini setting with no issue. I see no reason why any client from 6.x onwards would be an issue, but test all the same. So to enable it, add this to your server's notes.ini:
PORT_ENC_ADV=127
Update : you probably want 84
Restart Domino. If you have an FP7 or later client, then you will be using AES. To prove this you can enable these two notes.ini settings on the client:
LOG_AUTHENTICATION=1
Debug_Console=1
And you can now see the new port encryption being used. Here's a (just upgraded) FP7 client's debug output:
Here's an FP6 client, where the server falls back to RC4_128:
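The "add this to your server's notes.ini" step above, as an added example that is not from the original post or from IBM/HCL: a small POSIX shell script that sets a notes.ini key idempotently (it replaces any existing PORT_ENC_ADV line rather than appending a second one, since Domino reads notes.ini keys case-insensitively), backs the file up first, and reads the value back to confirm. The notes.ini path and contents are constructed placeholders, and the value 84 simply follows the update note in the post; what the bits mean comes from the technote, not from this script.

```shell
#!/bin/sh
# Added example, not from the original post or from IBM/HCL: idempotently set
# a key in a Domino server's notes.ini, then read it back to confirm.
# Assumes a Linux/Unix-hosted Domino; the notes.ini used below is a
# constructed placeholder, not a real server's file.
set -e

# get_notes_ini_key FILE KEY -> prints the value, or nothing if absent.
get_notes_ini_key() {
    # Keys are case-insensitive; last match wins if the key appears twice;
    # tr strips a trailing CR in case the file has CRLF line endings.
    grep -i "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '\r'
}

# set_notes_ini_key FILE KEY VALUE -> backs up FILE, removes any existing
# KEY line (any case) and appends KEY=VALUE, so running it twice leaves
# exactly one line for the key.
set_notes_ini_key() {
    file=$1; key=$2; value=$3
    cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    tmp=$(mktemp)
    # grep exits 1 when nothing is left to print; that is not an error here.
    grep -iv "^$key=" "$file" > "$tmp" || true
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# Constructed sample notes.ini with an earlier PORT_ENC_ADV already present.
NOTES_INI=$(mktemp)
printf 'Directory=/local/notesdata\nServerTasks=Update,Replica,Router\nport_enc_adv=127\n' > "$NOTES_INI"

set_notes_ini_key "$NOTES_INI" PORT_ENC_ADV 84
echo "PORT_ENC_ADV is now: $(get_notes_ini_key "$NOTES_INI" PORT_ENC_ADV)"
echo "lines for the key (should be 1): $(grep -ic '^port_enc_adv=' "$NOTES_INI")"
# Restart Domino afterwards; the setting is read at server start.
```

The backup copy the script writes is what you roll back to if an older client cannot connect after the restart; the same two functions work for the client-side LOG_AUTHENTICATION and Debug_Console entries.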
Darren Duke | September 14 2016 03:37:42 AM | domino notes security
Technote is available via IBM Support Portal - http://www-01.ibm.com/support/docview.wss?uid=swg21990283
Pretty poor that IBM couldn't have linked directly to that!