An important tool results from the whole POODLE/SHA-2 debacle

My stance on the POODLE / SHA-2 issues with Domino is well known and I haven’t been holding anything back. And now – after a while – IBM is starting to release the promised tools to lay the foundation for SHA-2 signature support and TLS 1.0 support on IBM Domino. As part of my IBM Support Updates today I saw an entry called “Planned SHA-2 deliveries for IBM Domino 9.x“. This is a technote outlining how IBM is bringing TLS 1.0 and SHA-2 support. This is all well and good, and it is great that IBM is starting to deliver on its promises.

But that’s not all… And by far the most interesting thing to find in that technote.

Buried within this technote is a mention of a tool called kyrtool, which replaces iKeyman as the way to work with the KYR keystore file used by IBM Domino. It’s a command line tool that allows import of standard X.509 certificates generated using OpenSSL or similar and produces a KYR and an STH (stash) file as the result. There is documentation about the tool in the wikis (Generating a keyring file with a self-signed SHA-2 cert using OpenSSL and kyrtool). As an added bonus, the OpenSSL examples are done on Dave Kern’s paranoia Linux box (dskern@paranoia).

The release of this tool is very good news, cannot be overstated and in my eyes far outshines the support for TLS 1.0 and SHA-2, as it allows administrators to work with KYR files on Windows versions newer than Windows XP. It even supports win32, win64, linux32 and linux64. How do you like them apples?

Thank you IBM.

IBM Domino, POODLE, SHA-1 and why it’s also sad when IBM decides to update the security stack

Over the last few weeks the news hit about the POODLE attack and the withdrawal of SHA-1 as an acceptable hash algorithm by Google Chrome. This in turn has prompted IBM to update the security stack in IBM Domino for all web protocols including HTTP, LDAP and SMTP. While this is VERY good news and it will be very welcome that we no longer have to resort to fronting IBM Domino with IBM HTTP Server or Apache to get adequate TLS protocol support, I find the whole situation a bit sad. In full disclosure I have to say that I get most of my security updates these days from the Security Now! podcast on the TWIT network, and the discussion on both POODLE and the SHA-1 debacle has opened my eyes. The sad part about these updates to IBM Domino is that it has taken a theoretical attack on SSL v. 3 (POODLE) and a premature hash algorithm withdrawal by a single browser vendor (SHA-1 and Google) to have IBM update the stack. To be fair, Microsoft is also removing SHA-1 support from the security stack in their OSes, but only from 2017, giving customers ample time to fix it.

In other words if these attacks hadn’t come out IBM would have left IBM Domino customers with ancient protocols and keystore formats – remember it takes Windows XP to run an iKeyman old enough to edit the .key files used in Domino.

Besides being good marketing and blowing some life into the dying embers of IBM Domino, it’s almost a sad move when it’s done so late. And then IBM doesn’t even take it seriously enough to go all the way. Instead they outline their “plan to deliver SHA-2 support for Domino 9.x” and promise a fix to bring TLS 1.0 to IBM Domino. Version 1.0 – seriously?! TLS is at version 1.2 at present and the draft for v. 1.3 is out. Now I know that implementing TLS for SMTP is much different from doing so for HTTP, but security cannot be done half-heartedly, so if you want to make it a priority do that. Do not stop short and plug a hole by not going all the way. In all honesty I would rather have IBM discontinue SSL/TLS altogether on Domino than do this. I know it’s sad but it’s how I feel about it right now.

For a very nice discussion of the POODLE attack, and why it’s a theoretical attack, do listen to Security Now! episode 478 from 33:22 minutes in.

IBM SmartCloud – credit where credit is due

On Friday I blogged about the changes that occurred on IBM SmartCloud over the weekend (SmartCloud getting an overhaul this weekend with changes that is looooong overdue) and how I was waiting for IBM to add proper Sametime support in SmartCloud, meaning Sametime Proxy, Sametime webchat and Sametime app support. As it turns out these capabilities are available, just not visible in the dashboard or otherwise readily obvious. So I will give IBM credit for adding it, but why didn’t I know?! Anyways – props to IBM.

So the Sametime webchat is available at webchat.na.collabserv.com/stwebclient/iphone_index.jsp and of course it also means that the Sametime Proxy is available. Whether we may use it for actual, 3rd party applications, I will need to find out. There are *still* some really annoying restrictions when it comes to the Sametime entitlement for Notes users (see this tweet). Still waiting for Scott Souder to come back on that one.

Another cool thing (which is an offspring of the Sametime Proxy support) is that the iOS app works and Sametime availability works on my iPhone and iPad. And even better, there is a pre-set community configuration for IBM SmartCloud so it’s real easy to configure. Pretty sweet.

SmartCloud getting an overhaul this weekend with changes that is looooong overdue

This weekend (8-9 June 2013) IBM is releasing their June 2013 Update to the SmartCloud for Social Business. Besides layout changes and notes about the URL used to access the service, IBM is finally adding support for the Microsoft Office connectors and the Windows Explorer connector so that, using “click to cloud”, users may save, open and edit Office documents and other files directly from SmartCloud. This is of course a big win for users and a byproduct of IBM transitioning the SmartCloud offering to use more and more of the stock, on-premises, IBM Connections product. But this should still have been delivered before. Another byproduct is the support for the media gallery and mobile using the IBM Connections app from the App Store.

For me as a SmartCloud Sametime user the most important thing is IBM allowing the use of the screen capture tool and file transfer in chat. FINALLY!!!!! These “advanced” capabilities are *long* overdue and will be a welcome addition to the service. Why this has taken so long is beyond me, but it is great to finally see it added. Now we *just* need IBM to also add IBM Sametime Proxy support so webchat and chat from the iOS app will be supported. Hoping this won’t take as long as adding something as simple as file transfer and screen capture has.

Oh and IBM is yanking support for Microsoft IE 7.

For the full list of changes see the release notes (requires a SmartCloud for Social Business login). There are restrictions to the availability of these additions which are outlined in the release notes.

There’s a new sheriff in town

Last week was the annual BLUG event, this time in Leuven, Belgium, and as always Theo and team created an amazing event. The BLUG event is now the biggest user group in the world with a staggering 325 attendees, and it really makes BLUG a mini-Connect event attracting the top names from IBM as well as the top speakers from all over the world. This year was no exception and the attendees were gifted with 18 IBM Champions covering everything from Domino to WebSphere, XPages to widgets and social to taxonomy. It was a great event.

Now as the title might suggest this post is not about BLUG per se.

One of the super cool things about the user groups (besides being FREE, FREE, FREE) is that IBM Collaboration Solutions (ICS) is really stepping up to the plate. They are sending their top guys and this year was no exception. Among others we heard from Philippe Riand, Pete Janzen and Scott Souder, who had made the trip across the Atlantic. Ed Brill also made a surprise appearance to talk about and promote the IBM MobileFirst initiative which he’s now evangelizing. Now these aren’t just anybody: these guys really are calling the shots when it comes to Notes, Domino, iNotes, Connections Mail and social appdev in Boston, so if you had something to say to these guys at Connect 2013 and missed your chance because the IBMers just aren’t accessible at Connect, this was your chance.

As always a big THANK YOU! to all the IBM’ers for making the trip and making themselves available to the European community as well. Thank you.

Now to the sheriff thing…

Scott is really the new Ed (who he jokingly referred to multiple times during the keynote) and thus the Program Director for Notes / iNotes / Connections Mail so he pretty much calls the shots across the board. And what an entry he made. Giving one of the best keynotes by an IBM’er I remember seeing (sharing the limelight with Louis Richardson) he really kicked the event off with a bang. He managed to introduce himself formally to the community, set the stage for the new IBM Notes / IBM Domino 9 release (released on the day of BLUG) and honestly talk about the road ahead and the changes IBM are making to “dumb down” the product.

So to finish off the sheriff metaphor, Scott securely took the reins and stood up in the saddle for all to see. It was a great talk, great appearance and I’m very confident that IBM has found a great guy who really knows and cares about the products we all love and who has the ability to lead the teams forward.

As to the keynote, I know Chris Miller had his camera out at the keynote and I’m pretty sure he filmed it, so if/when it makes it online I highly suggest you watch it.

Remember to secure your IBM HTTP Server when implementing IBM Connections

In Security Now! episode 396 starting at 12:22 (to 25:25) Steve and Leo were talking about various SSL attacks and how one could verify sites. I decided to check out one of my own stock IBM Connections installs, i.e. I verified the stock IBM HTTP Server (IHS) install. That was not a pleasant experience as the default IBM HTTP Server is very insecure in that it accepts SSL v.2 and hence some very weak ciphers. Using SSLLabs.com and their SSL Server Test it is very easy to test an SSL site.

Below are the results from a standard IHS install using a commercial SSL certificate. A grade of F isn’t nice.

After reading a bit on mod_ssl (the SSL module in Apache / IHS) I added the below lines to the mod_ssl section in the httpd.conf file.

## SSLv3 128 bit Ciphers
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA

## FIPS approved SSLV3 and TLSv1 128 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA

## FIPS approved SSLV3 and TLSv1 256 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA

Now I’m not an SSL wizard by any means so I suggest you do your own research as well, but when I restarted the IHS I got a rating of A. BAM!! How’s them apples!?
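As an added example (not from the post), here is a small Python audit that reads the SSLCipherSpec and SSLProtocolDisable directives from an httpd.conf fragment and flags what a present-day check would object to: the two RC4 suites listed above, and the absence of an explicit SSLv2/SSLv3 disable. SSLProtocolDisable is IHS’s own directive; the audit function and both sample configs are constructed for illustration.

```python
# Cipher-suite name fragments a present-day audit should flag: RC4 is now
# prohibited for TLS (RFC 7465); MD5 MACs, NULL, EXPORT and DES suites are weak.
WEAK_MARKERS = ("RC4", "MD5", "NULL", "EXPORT", "DES")

def audit_ihs_ssl(conf_text):
    """Return findings for an IHS httpd.conf fragment (hypothetical helper
    for this post; understands SSLCipherSpec and SSLProtocolDisable only)."""
    findings, ciphers, disabled = [], [], set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "sslcipherspec":
            ciphers.extend(parts[1:])
        elif directive == "sslprotocoldisable":
            disabled.update(p.upper() for p in parts[1:])
    for suite in ciphers:
        if any(marker in suite.upper() for marker in WEAK_MARKERS):
            findings.append("weak cipher suite enabled: " + suite)
    if "SSLV2" not in disabled:
        findings.append("SSLv2 not explicitly disabled (add: SSLProtocolDisable SSLv2)")
    if "SSLV3" not in disabled:
        findings.append("SSLv3 not explicitly disabled (POODLE)")
    return findings

# Constructed sample 1: the directives from the post above, which still enable
# two RC4 suites and say nothing about SSLv2/SSLv3.
ORIGINAL_CONF = """
## SSLv3 128 bit Ciphers
SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA
## FIPS approved SSLV3 and TLSv1 128 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA
## FIPS approved SSLV3 and TLSv1 256 bit AES Cipher
SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA
"""

# Constructed sample 2: AES-only suites with the legacy protocols turned off.
HARDENED_CONF = """
SSLProtocolDisable SSLv2 SSLv3
SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA
SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA
"""

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF), ("hardened", HARDENED_CONF)):
        print(name + ":", audit_ihs_ssl(conf) or ["no findings"])
```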

How secure is the SSL stack for your IBM Connections environment?

New IBM Notes and Domino Certification Available – get 50% off until 25 June 2013

IBM has announced a nice new entry level certification for Notes and Domino, and until 25 June 2013 you get 50% off the certification test, so if it fits I suggest you go and get certified. The page I link to at the bottom has the promo code you need for the rebate.

“IBM Collaboration Solutions is pleased to announce a new associate level certification: IBM Certified Associate – Notes and Domino.
This credential requires successful completion of the test LOT-442: IBM Notes and Domino Fundamentals. This test covers IBM Notes and Domino material as it relates to competencies within the following areas:

  • Architecture
  • General Administration
  • Calendaring and Scheduling
  • Replication
  • Mail
  • Client
  • Security
  • XPages
  • Non-XPages Design
  • Troubleshooting

Read more: New IBM Notes and Domino Certification Available – IBM Certified Associate – Notes and Domino.