Update: Check the comments. Shaun has added a link to the actual IBM technote. You may or may not want 127 as the value, so check that before doing anything.

Here is the HCL technote, now that IBM has killed them all:
https://help.hcltechsw.com/domino/10.0.1/conf_port_enc_adv_r.html

9.0.1 FP7 has shipped. It's not all we hoped (only three new features, and no Java 8), but yet again the Domino security team has added stuff, this time the oft-requested update to Notes client port encryption. But (at the time of writing) all the technotes on how to enable this either go to the wrong page (ICCA) or to a nice-looking, but still pointless, 404 page.

So how do you enable this? Well, after scouring the design partner forum I found a post from the lovely Dave Kern that outlined this a few months back, and I was able to figure it out pretty easily from there.


This is not everything; there seems to be at least one other setting, but this will get you AES port encryption, so it's a start.


It's a server-side notes.ini setting called PORT_ENC_ADV and it's a bitmask value. Based on Dave's post I set this value to 127. That gets me the best available (based on current standards) port encryption that Notes can do. In this case AES_GCM_256, with an AES_128 ticket.


It is backward compatible. I tested FP6 and FP7 clients against this new ini setting with no issue. I see no reason why any client from 6.x onwards would be an issue, but test all the same. So to enable it, add this to your server notes.ini:

PORT_ENC_ADV=127


Update: you probably want 84

Restart Domino. If you have an FP7 or later client then you will be using AES. To prove this you can enable these two notes.ini settings on the client:


LOG_AUTHENTICATION=1
Debug_Console=1


And you can now see the new port encryption being used. Here's a (just upgraded) FP7 client debug output:


[Image: FP7 client debug console output]

Here's an FP6 client, where the server falls back to RC4_128:


[Image: FP6 client debug console output]
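
Added example (not part of the original post, and not IBM or HCL code): a small check that reads notes.ini text, reports how PORT_ENC_ADV is set, splits the bitmask into its individual bits, and lists which of the two client debug settings are still missing. The sample ini text is constructed, the function names are hypothetical, and it assumes setting names are case-insensitive and that the last duplicate wins. What each bit enables is documented in the technote, not here.

```python
# Added example, not from the original post. Sample ini text is constructed.
POST_VALUES = {"original post": 127, "later update": 84}  # values from the post

SERVER_INI = """[Notes]
ServerTasks=Replica,Router,Update
port_enc_adv=84
"""
CLIENT_INI = """[Notes]
LOG_AUTHENTICATION=1
"""

def parse_ini(text):
    """KEY=value lines -> {UPPERCASE_KEY: value}. Assumes names are
    case-insensitive and that the last duplicate wins."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            settings[key.strip().upper()] = value.strip()
    return settings

def set_bits(value):
    """Individual bit values that make up a bitmask, lowest first."""
    return [1 << i for i in range(value.bit_length()) if (value >> i) & 1]

def audit_server(ini_text):
    """Report how PORT_ENC_ADV is set in a server notes.ini."""
    raw = parse_ini(ini_text).get("PORT_ENC_ADV")
    if raw is None:
        return {"status": "missing"}
    if not raw.isdigit():
        return {"status": "invalid", "raw": raw}
    value = int(raw)
    return {"status": "set", "value": value, "bits": set_bits(value),
            "matches": [n for n, v in POST_VALUES.items() if v == value]}

def missing_client_debug(ini_text):
    """Client debug settings from the post that are not set to 1."""
    s = parse_ini(ini_text)
    return [k for k in ("LOG_AUTHENTICATION", "DEBUG_CONSOLE") if s.get(k) != "1"]

if __name__ == "__main__":
    print(audit_server(SERVER_INI))
    print("bits in 127 but not in 84:", set_bits(127 & ~84))
    print("client settings still to add:", missing_client_debug(CLIENT_INI))
```

The bit split shows that 84 is a strict subset of 127: it keeps bits 4, 16 and 64 and drops 1, 2, 8 and 32.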
Darren Duke   |   September 14 2016 03:37:42 AM   |    domino  notes  security    |  


Comments (2)

1 - Shaun       09/14/2016 7:05:36 AM

Technote is available via IBM Support Portal - http://www-01.ibm.com/support/docview.wss?uid=swg21990283

Pretty poor that IBM couldn't have linked directly to that!

2 - Darren Duke       09/14/2016 8:14:10 AM

@1, Thanks Shaun. I've put an update at the top of the post.