Slides and recorded, narrated, demo from my Engage.ug session on OAuth

Last week at the Engage user group in Eindhoven, The Netherlands, I gave a session on OAuth 2.0: how the protocol works and how easy it is to code against. The demo I showed at the end of the session illustrated just how easy it is and how little code is required to make a fully functioning OAuth 2.0 client. Below you’ll find the slides on Slideshare as well as a recorded, narrated demo. The demo walks you through coding an OAuth 2.0 app in Eclipse and deploying it to IBM Bluemix.

Oh and do remember… Never, EVER, use a library until you understand the protocol.

http://www.slideshare.net/lekkim/slideshelf

Introduction to OAuth – the technology you need but never really learned

OAuth is core to integrations these days, but I see many developers who try to use OAuth without really understanding the protocol. The protocol is very easy to understand, so I created this presentation to explain it in easy, visual chunks. I’ll present on the topic tomorrow (Friday 6 November 2015) at the Social Connections IX conference in Stuttgart, Germany. I hope you’ll come see it live if you are at the conference.

PaaS, Bluemix and controlling runtime costs with cron

Back at IBM ConnectED 2015 I created a small demo for IBM using the yet-to-be-released extensibility API of IBM Verse to show off third-party extension of IBM Verse. Ever since, IBM has been using the demo, which is great. The app I wrote is running on Bluemix and I turn it on and off whenever they need it. Now, with Bluemix being a Platform as a Service (PaaS) offering, I pay for the resources I use, and since IBM has yet to own up and provide partners with a free plan or a larger allowance, the monthly allowance of free gigabyte-hours is cherished. Simply having the app run day in and day out burns up this free allowance. What is a geek to do? Script it of course…

Since Bluemix is controllable using the cf command line tool, I wrote a small script that lets me start and stop the app on Bluemix (see below). Invoking it is as simple as running “versedemo_ctrl.sh start” or “versedemo_ctrl.sh stop”, which also allows me to do this remotely.

#!/bin/sh
# Log in to Bluemix with the account credentials, then run the requested
# cf action (start or stop) against the demo app
cf login -a https://api.ng.bluemix.net -u {username} -p {password}
cf "$1" "IBM ConnectED 2015 Verse Demo Contribution"

Even better, I’ve added it to an existing on-prem server’s crontab so that the app starts and stops on business days during the period I need it. The cron job even attaches the log of the start/stop and forwards it to our scheduled job management console, so I’m only notified if something goes wrong. Love it. Below is a sample crontab entry.

0 12 * 9-11 1-5 ~/versedemo_ctrl.sh start > ~/versedemo.log 2>&1 && mail -s "Verse Demo App Started" -a ~/versedemo.log ***XXX***@intravision.dk

The above job simply starts the app Mon-Fri at 12pm (Sept-Nov) and then emails the job log to our Job Controller service as an attachment.
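Since the control script is meant to run unattended from cron, here is a hardened variant as an added example (it is not the script from the post). It validates the action argument so only start and stop reach cf, reads the Bluemix username and password from a separate file that must be mode 600 instead of embedding them in the script, and only logs in once those checks pass. The credential file path and its two-line format (username on line 1, password on line 2) are assumptions of this example.

```shell
#!/bin/sh
# versedemo_ctrl.sh (added example, not the post's script):
# start or stop the Bluemix app from cron with basic input and credential hygiene.
# Usage: versedemo_ctrl.sh start|stop

APP_NAME="IBM ConnectED 2015 Verse Demo Contribution"
CF_API="https://api.ng.bluemix.net"
# Assumed location/format: line 1 = username, line 2 = password, file mode 600.
CRED_FILE="${CRED_FILE:-$HOME/.bluemix_versedemo}"

# Only the two actions the cron jobs need are passed through to cf.
validate_action() {
  case "$1" in
    start|stop) return 0 ;;
    *) return 1 ;;
  esac
}

# Refuse a credential file that is missing or readable by group/others.
cred_file_ok() {
  [ -f "$1" ] || return 1
  # GNU stat first, BSD stat as fallback; fail if neither works.
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
  case "$mode" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

run() {
  validate_action "$1" || { echo "usage: $0 start|stop" >&2; exit 2; }
  cred_file_ok "$CRED_FILE" || { echo "$CRED_FILE missing or not mode 600/400" >&2; exit 3; }
  user=$(sed -n '1p' "$CRED_FILE")
  pass=$(sed -n '2p' "$CRED_FILE")
  # cf login -p still shows the password in the process list while it runs;
  # the file-based approach only keeps it out of the script and the crontab.
  cf login -a "$CF_API" -u "$user" -p "$pass" || exit 4
  cf "$1" "$APP_NAME"
}

# Run only when invoked with an argument, so the functions can also be sourced.
if [ $# -gt 0 ]; then run "$@"; fi
```

The crontab entry from the post works unchanged with this script; the exit codes (2 for a bad argument, 3 for a bad credential file, 4 for a failed login) end up in the log that the job attaches, so a misconfiguration is visible in the job management console rather than silently producing a no-op.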

Getting ready for iOS 9 and App Transport Security (ATS)

Much has already been written on the web about the upcoming iOS 9 release and how Apple is tightening security with App Transport Security (ATS), which basically only allows HTTPS traffic using modern, secure ciphers. Other voices in the community are staying on top of it and blogging much more about it and how it pertains to IBM Traveler, particularly if you are terminating your IBM Traveler connections on Domino. As it stands now (IBM Domino 9.0.1 FP4) IBM Domino cannot deliver the ciphers required by ATS. While the latest beta of iOS 9 can still connect insecurely, I suggest you start looking for a proper solution that terminates your IBM Traveler traffic using TLS v. 1.2 with Elliptic Curve crypto and Diffie-Hellman key exchange.

For one of our OnTime Group Calendar demo servers we have IBM HTTP Server (IHS) in front, which made the process pretty easy as IHS already supports the required ciphers. As always, configuring security is a balance between securing your server and keeping compatibility with older operating systems and browsers. For me this meant allowing TLS v. 1.0, 1.1 and 1.2 and keeping some less secure ciphers for older operating systems and browsers while also enabling strong crypto to support ATS.

Below is our configuration from domino.conf, which is used to configure IHS for IBM Domino (note that two of the ciphers accepted by ATS, the SHA-1 based ones, are not supported by IHS).

Listen 0.0.0.0:443
<VirtualHost *:443>
ServerName demo.ontimesuite.com
SSLEnable
SSLProtocolDisable SSLv2 SSLv3
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA
SSLCipherSpec ALL SSL_RSA_WITH_3DES_EDE_CBC_SHA

# Enable strict CBC padding (TLS Poodle)
SSLAttributeSet 471 1

</VirtualHost>
KeyFile C:/Lotus/Domino/ihs/key.kdb
SSLDisable

Making the above configuration changes will give you an A- score on ssllabs.com, which is a pretty nice score while keeping backwards compatibility. If that kind of compatibility isn’t needed, turn off TLS v. 1.0 and 1.1 and remove the “SSLCipherSpec ALL” lines that add the TLS_RSA and SSL_RSA ciphers (keep “SSLCipherSpec ALL NONE”); that will give you a score of A.

Listen 0.0.0.0:443
<VirtualHost *:443>
ServerName demo.ontimesuite.com
SSLEnable
SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

# Enable strict CBC padding (TLS Poodle)
SSLAttributeSet 471 1

</VirtualHost>
KeyFile C:/Lotus/Domino/ihs/key.kdb
SSLDisable
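To check a domino.conf against the properties discussed above without waiting for an ssllabs.com scan, here is a small audit script as an added example (not part of the post or of IHS). It counts the ECDHE suites offered on TLS 1.2 (the forward-secret suites ATS needs), the TLS_RSA/SSL_RSA suites that lack forward secrecy, any known-weak suites such as 3DES, and which legacy protocols are still enabled because they are missing from SSLProtocolDisable. The sample inputs it writes are the SSL lines of the two configurations above, copied from the post; the function names and the readiness rule (TLS 1.2 enabled plus at least one ECDHE suite on it) are this example's own.

```shell
#!/bin/sh
# Added example (not from the post): ATS-readiness audit of the SSLCipherSpec and
# SSLProtocolDisable lines in an IHS config such as domino.conf.
# Usage: ihs_ats_audit.sh /path/to/domino.conf

CIPHER='^[[:space:]]*SSLCipherSpec[[:space:]]+'

# Number of ECDHE (forward-secret) suites offered on TLS 1.2, i.e. scope ALL or TLSv12.
ecdhe_tls12_count() {
  grep -Eic "${CIPHER}(ALL|TLSv12)[[:space:]]+TLS_ECDHE_" "$1" || true
}

# Number of suites with plain RSA key exchange (no forward secrecy).
no_fs_count() {
  grep -Eic "${CIPHER}[A-Za-z0-9]+[[:space:]]+(TLS|SSL)_RSA_" "$1" || true
}

# Number of suites using a known-weak cipher (3DES, RC4, NULL).
weak_count() {
  grep -Eic "${CIPHER}[A-Za-z0-9]+[[:space:]]+[A-Z_]*(3DES|RC4|_NULL_)" "$1" || true
}

# Legacy protocols that no SSLProtocolDisable line switches off (space separated).
legacy_protocols() {
  disabled=$(grep -Ei '^[[:space:]]*SSLProtocolDisable' "$1" | tr 'a-z\n' 'A-Z ')
  out=""
  for p in SSLV2 SSLV3 TLSV10 TLSV11; do
    case " $disabled " in
      *" $p "*) ;;           # explicitly disabled
      *) out="$out $p" ;;    # still enabled
    esac
  done
  printf '%s\n' "${out# }"
}

# Readiness rule used here: TLS 1.2 not disabled and at least one ECDHE suite on it.
ats_ready() {
  if grep -Eiq '^[[:space:]]*SSLProtocolDisable.*[[:space:]]TLSv12([[:space:]]|$)' "$1"; then
    return 1
  fi
  [ "$(ecdhe_tls12_count "$1")" -gt 0 ]
}

audit_ihs() {
  printf 'ECDHE suites on TLS 1.2 : %s\n' "$(ecdhe_tls12_count "$1")"
  printf 'Suites without FS       : %s\n' "$(no_fs_count "$1")"
  printf 'Weak suites             : %s\n' "$(weak_count "$1")"
  printf 'Legacy protocols enabled: %s\n' "$(legacy_protocols "$1")"
  if ats_ready "$1"; then echo "ATS: ready"; else echo "ATS: NOT ready"; fi
}

# Sample input 1: SSL lines of the backwards-compatible (A-) configuration from the post.
write_compat_config() {
  cat > "$1" <<'EOF'
SSLProtocolDisable SSLv2 SSLv3
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_GCM_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA256
SSLCipherSpec ALL TLS_RSA_WITH_AES_128_CBC_SHA
SSLCipherSpec ALL TLS_RSA_WITH_AES_256_CBC_SHA
SSLCipherSpec ALL SSL_RSA_WITH_3DES_EDE_CBC_SHA
EOF
}

# Sample input 2: SSL lines of the strict (A) configuration from the post.
write_strict_config() {
  cat > "$1" <<'EOF'
SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
SSLCipherSpec ALL NONE
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSLCipherSpec TLSv12 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
EOF
}

# Audit the file given on the command line; with no argument nothing runs.
if [ $# -gt 0 ]; then audit_ihs "$1"; fi
```

Run against the first configuration the report shows 4 ECDHE suites, 7 suites without forward secrecy, 1 weak suite (3DES) and TLSv10/TLSv11 still enabled, which is exactly the compatibility trade-off described above; the second configuration reports 0 and 0 with no legacy protocols. Both are ATS-ready under this rule, because readiness is about what is offered on TLS 1.2, not about what is additionally kept for old clients. The script only reads the config, so it says nothing about the key or certificate chain; it complements, rather than replaces, an external scan.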

IBM Connections Cloud (SmartCloud) FINALLY adds much awaited feature

We have had OnTime Group Calendar working with IBM Connections Cloud (SmartCloud) for years, so that customers could move all or part of their mail users to IBM Connections Cloud and host OnTime Group Calendar on-premises (IBM SmartCloud Notes Hybrid). We have seen adoption and do have customers using it, but the main obstacle to full adoption has been the lack of mail file ACL controls for customers. Since we require access to the mail files (we do need to read data, you know…), a PMR to change ACLs and/or a custom mail template in IBM Connections Cloud was required to add on-premises Domino servers to the cloud mail file ACLs. With the latest update of IBM Connections Cloud this capability has finally been added to the administration panel, so that customers may control it themselves. Yay!!

Administrators can control access to mail files from the administrator interface (available on or after August 17 2015)

Company administrators can now control access to mail files through the Users page of the IBM SmartCloud Notes administration interface. Previously, IBM services needed to review and then apply the template to the users. Administrators can now make the ACL changes directly against the mail file, saving them time and money.

For more information refer to the info center (Administration: control access to mail files).

IBM announce dates for bringing TLS v. 1.2 to IBM Domino

So in October of 2014 I wrote about the upcoming TLS (transport layer security) enhancements that IBM was planning to bring to IBM Domino as part of the industry-wide panic about the POODLE attack, which I still consider mainly theoretical. I was a bit critical towards IBM as they chose to patch their seriously lacking SSL v. 1.3 implementation and implement TLS v. 1.0 on top of IBM Domino v. 9.0.x (IBM Domino, POODLE, SHA-1 and why it’s also sad when IBM decides to update the security stack). The reason I was critical was that I thought that you either take security seriously and bring the stack to the front of the line (TLS v. 1.2, v. 1.3 in draft) or get out of the game.

Since then I have been pleasantly surprised to hear about the initiatives IBM has going on. At IBM ConnectED 2015 I attended a very nice session by David Kern from IBM and Daniel Nashed (IBM Business Partner) on the TLS and security improvements planned for IBM Domino. Among these were massive cipher suite updates, including upcoming support for Diffie-Hellman and perfect forward secrecy. Cool stuff! Yesterday I was very pleased to see that IBM has now announced support for TLS v. 1.2 coming in Q1/Q2 of 2015 (the technote is a bit confusing as to when it will be out).

So all appears to be good and IBM is moving in the right direction with this. Very nice.

Hiding widget on my own profile

I was looking through widgets-config.xml for IBM Connections v.5 to diagnose a customer issue and stumbled on the widgetDef attribute below. I haven’t tried it yet, but it looks like you can use it to hide a certain widget on your own profile, i.e. only show it when viewing other people’s profiles. Could be useful.

hideWidgetForMyProfile="true"

Loading widget data in IBM Connections 5 by the aggregator

One of the areas that changed fundamentally in IBM Connections 5 is how widget resources (JavaScript and CSS) are loaded by the browser. In prior versions the resources were loaded by the end user’s browser through the AJAX proxy in IBM Connections Profiles or Communities, depending on the feature in use. Starting with IBM Connections 5 the resources are aggregated and served by the Common feature, which now also caches them. For end users this is great as speed and performance improve, but for developers and admins it can be hard to diagnose what’s going on.

In Profiles it’s pretty easy, once you know how, to see what the aggregator is aggregating for the current user. The video below shows how to see this in Profiles. I’m still trying to fully understand it in Communities and will post the info once I have it.