Presentation from IBM ConnectED 2015

Below is my presentation on using IBM Connections as an application development platform from IBM ConnectED 2015.

Presentation on the IBM Connections 5 Guest Model

Below is my presentation from Dannotes in November 2014 on the guest model in IBM Connections 5. What does it require, what does it look like and what is the fine print...

Atlassian SourceTree Pro-Tip

I'm finding myself using Atlassian SourceTree more and more for my Git work as it's both intuitive, fast and very pleasing to the eye. Yesterday at an Atlassian event (Getting Git Right) I noticed that the branches were nested in one of the demos. I wondered how they did that but it turns out to be very simple. If you (re)name a branch and use slashes (/) in the name then SourceTree will automatically nest them. Very nice and does make it easier to distinguish between feature, release, bugfix branches etc. The below video shows how you rename a branch in SourceTree using slash.

Loading widget data in IBM Connections 5 by the aggregator

One of the areas that changed fundamentally in IBM Connections 5 is how widget resources (JavaScript and CSS) are loaded by the browser. In prior versions the resources were loaded by the end-user browser through the AJAX proxy in IBM Connections Profiles or Communities depending on the feature in use. Starting with IBM Connections 5 the resources are aggregated and loaded by the Common feature that now also caches the resources. For end users this is great as speed and performance improves but for developers and admins it can be hard to diagnose what's going on.

In Profiles it's pretty easy - once you know how - to see what the aggregator is aggregating for the current user. The below video shows how to see this in Profiles. I'm still trying to fully understand it in Communities and will post the info once I have it.

Presentation from Social Connections VII Stockholm

Below is my presentation from Social Connections VII in Stockholm on 13-14 November 2014.

An important tool results from the whole POODLE/SHA-2 debacle

My stance on the POODLE / SHA-2 issues with Domino is well known and I haven't been holding anything back. And now - after a while - IBM is starting to release the promised tools to lay the foundation for SHA-2 signature support and TLS 1.0 support on IBM Domino. As part of my IBM Support Updates today I saw an entry called "Planned SHA-2 deliveries for IBM Domino 9.x". This is a technote outlining how IBM is bringing TLS 1.0 and SHA-2 support. This is all well and good and great that IBM starts to deliver on its promises.

But that's not all... And by far the most interesting thing to find in that technote.

Buried within this technote is a mention of a tool called kyrtool which replaces iKeyman as the way to work with the KYR keystore file used by IBM Domino. It's a command line tool and allows for import of standard x509 certificates generated using OpenSSL or similar and produces a KYR and a STH (stash) file as the result. There is documentation about the tool in the wikis (Generating a keyring file with a self-signed SHA-2 cert using OpenSSL and kyrtool). As an added bonus the examples with OpenSSL are done on Dave Kern's paranoia Linux box (dskern@paranoia).

The release of this tool is very good news and cannot be overstated and in my eyes far overshines the support for TLS 1.0 and SHA-2 as it allows administrators to work with the KYR files on Windows versions newer than Windows XP. It even supports win32, win64, linux32 and linux64. How do you like them apples?

Thank you IBM.

IBM Domino, POODLE, SHA-1 and why it's also sad when IBM decides to update the security stack

Over the last few weeks the news hit about the POODLE attack and the withdrawal of SHA-1 as an acceptable hash algorithm by Google Chrome. This in turn has prompted IBM to update the security stack in IBM Domino for all web protocols incl. HTTP, LDAP and SMTP. While this is VERY good news and it will be very welcomed that we no longer have to resort to fronting IBM Domino by IBM HTTP Server or Apache to get adequate TLS protocol support I find the whole situation a bit sad. In full disclosure I have to say that I get most of my security updates these days from the Security Now! podcast on the TWIT network and the discussion on both POODLE and the SHA-1 debacle has opened my eyes. The sad part about these updates to IBM Domino is that it has taken a theoretical attack on SSL v. 3 (POODLE) and a premature hash algorithm withdrawal by a single browser vendor (SHA-1 and Google) to have IBM update the stack. To be fair Microsoft is also removing SHA-1 support from their security stack in their OS'es but from 2017 giving customers ample time to fix it.

In other words if these attacks hadn't come out IBM would have left IBM Domino customers with ancient protocols and keystore formats - remember it takes Windows XP to run an iKeyman old enough to edit the .key files used in Domino.

Besides being good marketing and blowing some life into the dying embers of IBM Domino it's almost a sad move when it's done so late. And then IBM doesn't even take it seriously enough to go all the way. Instead they outline their "plan to deliver SHA-2 support for Domino 9.x" and promise a fix to bring TLS 1.0 to IBM Domino. Version 1.0 - seriously?! TLS is in version 1.2 at present and the draft for v. 1.3 is out. Now I know that implementing TLS for SMTP is much different from doing so for HTTP but security cannot be done half-heartedly so if you want to make it a priority do that. Do not stop short and plug a hole by not going all the way. In all honesty I would rather have IBM discontinue SSL/TLS altogether on Domino than doing this. I know it's sad but it's how I feel about it right now.

For a very nice discussion of the POODLE attack, and why it's a theoretical attack, do listen to Security Now! episode 478 from 33:22 minutes in.

Mac Yosemite, Java, IBM Notes and OnTime Group Calendar

After upgrading my Mac to OS X Yosemite (10.10) I had to reinstall Java to make IBM Notes start up just like Rene describes. To install go to the download page for Java on apple.com, download and install. It takes around 5 minutes and you are ready to go. Once installed the Java runtime makes IBM Notes fly again and I can confirm that the OnTime Group Calendar UIs run just fine on OS X Yosemite.