How to deliver industry standard browser security to the native Domino HTTP stack, using company-wide wildcard certificates deployed across all platforms.
1. Best Practice Transport Layer Security (TLS) for IBM Domino using TLS 1.2
Jared Roberts | Senior Consultant
primaxis.com.au
2. June 11th & 12th, Melbourne, AustraliaMeet.Share.Learn.Connect @AusLUG #@Inform2015
Disclaimer
• This presentation represents my individual experiences, thoughts and opinions
and does not represent the views of my employer, Inform2016, AusLUG, IBM,
IBM Business Partners or any other organisation or entity.
• This presentation may contain the following copyrighted, trademarked, and/or
restricted terms:
– IBM® Notes®
– IBM® Domino®
– IBM® Connections
– IBM® WebSphere®
– IBM® DB2
– IBM® AIX®
– Tivoli®
– Linux®
– Java®
– Microsoft®
– Windows®
– Red Hat®
– Skype®
– Twitter®
– Facebook®
• I (most likely) don’t know more about stuff than you do… feel free to call me out on
errors in my presentation & publicly humiliate me as you see fit.
3. March 10th & 11th, Sydney, AustraliaMeet.Share.Learn.Connect @AusLUG #@Inform2016
Speaker
Jared Roberts ● Senior Consultant – Primaxis
• From Melbourne
• 11-year rookie in IBM Collaboration Software
• Admin of many of the things we are here talking
about
• I’m a fan of “The User”
• Business analysis, presales, consulting, security
audits, design & delivery of Domino, Notes,
Sametime, Traveler, Connections, TDI, SoftLayer
and all the related bits they interact with
• Remarkably average but adequate and often
completely useless developer
• Drummer in Desecrator (the best band you’ve never heard of)
4. SSL/TLS - Who Cares right?
5. SSL/TLS - Who Cares right?
• Encryption is not a ‘nice to have’ – it’s an absolute MUST
• Data can be intercepted while being transferred between clients
and servers, or between servers, e.g.:
– Email
– Payment Information
– Credentials
• Now seeing the deprecation/planned deprecation of SSLv3 and
SHA1 support in Browsers
– IE (Jan 2017, code-signing Jan 2016)
– Chrome (Jan 2017, version and cert date conditional)
– Firefox (Jan 2017, phased)
– Safari (same?)
6. Encryption
what is encryption?
• The most effective way to achieve ‘data security’
– process of encoding information so only authorised parties can read it
– data is ‘unrecognisable’ or unreadable unless you have the ‘key’ to decrypt it
– does not prevent interception
what are SSL certificates?
• Small digital files that authenticate the identity of a website
and encrypt information
• Binds the ‘key’ to the organisation’s details
7. SSL Certificate
• An SSL certificate holds the following info:
– The certificate holder's name
– The certificate's serial number and expiration date
– A copy of the certificate holder's public key
– The digital signature of the certificate-issuing authority
8. Acronyms!!!
SSL
• Secure Sockets Layer
• A cryptographic protocol designed to provide communications
security over a computer network
• 3 versions (version 1.0 never publicly released) all of which are
now deprecated and considered insecure
– SSLv1.0
– SSLv2.0
– SSLv3.0
• POODLE exploit was the nail in the coffin for SSLv3
– replaced by TLS
9. Acronyms!!!
TLS
• Transport Layer Security
• A cryptographic protocol like SSL; it is SSL’s ‘successor’
– effectively SSLv3.1, but renamed to reflect the open standard
• 3 versions
– TLS1.0 (considered insecure due to ability to downgrade to SSLv3*)
– TLS1.1
– TLS1.2
• Updated constantly as required
– version 1.3 in Draft now
10. Acronyms!!!
HTTPS
• Method for secure communication over HyperText Transfer
Protocol (HTTP)
• Often referred to as HTTP Secure, HTTP over TLS/SSL
• Data transferred over HTTPS provides:
– bidirectional encryption of data in transit
– with correct implementation can protect against MIM attacks*, and a
level of confidence that you’re connecting with who you think you are
connecting to!
11. Acronyms!!!
SHA1
• Cryptographic hash function traditionally used in most SSL
certificates
• Widely used in many protocols (TLS and SSL, PGP, SSH, S/MIME, and IPsec)
• M$, G00gle and Mozilla have announced deprecation plans
SHA2
• Family of cryptographic hash functions
• An updated version of SHA1
– SHA1 found to be more insecure
• 6 hash functions (SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256)
12. Acronyms!!!
AES
• Advanced Encryption Standard
• Based on “Rijndael” cipher family - widely used as government
standard
• Supersedes DES (Data Encryption Standard) which is now
vulnerable to brute force attack
Ciphers
• Algorithm for performing encryption and decryption
• Work on blocks of symbols usually of a fixed size (block ciphers),
or on a continuous stream of symbols (stream ciphers)
13. What happened and keeps happening…
Man In The Middle Attack (MIM, MITM)
14. What happened and keeps happening…
Man In The Middle Attack (MIM, MITM)
• A type of attack where the attacker secretly intercepts, relays and
possibly alters communication between two parties who believe
they are directly communicating with each other
15. What happened and keeps happening…
POODLE
• “Padding Oracle On Downgraded Legacy Encryption”
• An exploit that allowed attackers to trick a session to use SSL
rather than TLS then during that session use a design flaw in SSL
3.0 to snoop on the session
What it did
• It allowed attackers to perform a man in the middle attack
How it was stopped
• We all turned off SSLv3 on the servers (then users screamed at us and
the browser war escalated)
16. What happened and keeps happening…
SLOTH
• “Security Loss due to the use of Obsolete and Truncated Hash
constructions”
• SLOTH relies on the ability to exploit older hash techniques
• If the hash technique isn’t sophisticated enough a “collision” of a
hash for two different messages can be generated
• OpenSSL 1.0.1.e and earlier are affected
• Any servers using TLS 1.2 with MD5 signature hashes are affected
17. What happened and keeps happening…
FREAK
• “Factoring RSA Export Keys”
• A vulnerability caused by the growth of cheap computing power
• A "512-bit export-grade key" can now be broken with a bit of maths
called the "Number Field Sieve algorithm"* and about $150 of
cloud computing
What it did
• Allowed the attacker to perform a man in the middle attack
How it was stopped
• Disabled "TLS export cipher suites" either by updating browsers,
disabling the feature in servers or updating libraries that used
them
18. What happened and keeps happening…
HEARTBLEED
A "buffer over-read" vulnerability in the TLS heartbeat extension of
OpenSSL caused by a missing input validation check
What it did
• Allowed an attacker to read up to 64 kilobytes of the server's active
memory for each attack, memory that was very likely to contain
secure information
How it was stopped
• Updated all clients/servers to a patched version of OpenSSL
• Reissued all certificates where there was any chance they could
have been compromised
19. What happened and keeps happening…
• BEAST
• LOGJAM
• CRIME
• BREACH
• DROWN
• BERSERK
• KOMODIA
• … more
20. Creating a Certificate
CERTIFICATE STRUCTURE
• Certificate Authority (CA)
• Private Key
• Trusted Roots (root and intermediate certificates)
• To generate a certificate and key store
– key file
– certificate request with the details of your certificate
– trusted roots and intermediates (or your CA)
– signed certificate from your CA
21. The key – creating the identity
22. TLS Handshake - validation
• How validation works (the TLS handshake)
24. Structure of Certificates
Certificate formats
• Personal Information Exchange Format (PKCS#12)
– .pfx
– .p12
• Cryptographic Message Syntax Standard (PKCS#7)
– .p7b
– .p7r
• Base64-encoded X.509
– .cer
– .crt
• DER-encoded binary X.509
– .cer
– .crt
– .der
• Privacy-Enhanced Mail (PEM)
– .pem
• Certificate Signing Request
– .csr
• OpenSSL can convert most certificate forms to most other forms
25. SHA2 - Getting it done in Domino
What you need:
• OpenSSL
– An open source library of SSL and TLS cryptography
– Available for most platforms
– Developed and managed by https://www.openssl.org
– Create, convert & extract certificates and keystores
• Domino KYR Tool
– Tool to create SHA2 key stores for Domino
• Certificate Signing Authority
26. SHA2 - Getting it done in Domino
Creating a SHA2 Certificate in Domino
• SHA2 Support introduced in 2015
• Domino must be 9.0.1 FP3 or higher
• Notes must be 9.0.1 FP3 or higher
27. Installing OpenSSL
• Shining Light Productions download
– https://slproweb.com/download/Win64OpenSSL_Light-1_0_2g.exe
• Available for most platforms
• Only need the Lite version for this application
29. SHA2 - Getting it done in Domino
• Firstly decide on the key size
– May be decided by business or legal requirements
– Larger the better – harder to decrypt
– Not all systems support larger key sizes
• Set the OPENSSL_CONF environment variable (Windows only)
– set OPENSSL_CONF=c:\openssl\openssl.cfg
30. SHA2 - Getting it done in Domino
• Verify the file has been created
31. SHA2 - Getting it done in Domino
• Create a key of length 4096*
– openssl genrsa -out pmxserver.key 4096
32. SHA2 - Getting it done in Domino
• Create a Certificate Signing Request (CSR)
• You send this to your Certificate Authority (CA)
– either on-premise or purchased
• The CSR is checked and verified by the CA.
• Any errors – you can recreate the request
33. SHA2 - Getting it done in Domino
• openssl req -new -sha256 -key pmxserver.key -out pmxserver.csr
34. SHA2 - Getting it done in Domino
• Verify the file has been created
35. SHA2 - Getting it done in Domino
• Send to the signing fairies
– Company CA
– Third Party CA (VeriSign, Symantec, GeoTrust, RapidSSL)
36. SHA2 - Getting it done in Domino
• Domino KYR Files
– Traditionally used the Server Certificate Admin application (certsrv.nsf)
– Certsrv.nsf not used any more
– Domino KYR Tool (must be 9.0.1 FP2 IF1 and above)
– Creates a SHA2 keystore that is recognised by Domino
• Download the KYR Tool from Fix Central
– http://ibm.co/1SAYX5E
• Unpack & place kyrtool.exe in Notes/Domino Program directory
• **opinion**
Please don’t run the kyrtool on your Domino server – use a Notes client !
37. SHA2 - Getting it done in Domino
• Create the KYR keystore
– kyrtool create -k c:\IBM\Notes\data\pmxwildserver.kyr -p somethingstrongplease
38. SHA2 - Getting it done in Domino
• This will create 2 files
– Domino KYR key store (.kyr)
– Key store password stash file (.sth)
39. SHA2 - Getting it done in Domino
• Collect your files
– Server Private Key
– Server Certificate Request
– Server Certificate (signed and returned to you by CA)
– Root and Intermediate certificates
– Key store file and stash file
• Root and Intermediate certs – order matters
40. SHA2 - Getting it done in Domino
• Now need to install all of the root, intermediate, server and keys
into the key store.
• 2 options
– Use OpenSSL to merge the roots, inters, server certs and keys into
one text file before importing into the KYR file
– Import the certificates individually
41. SHA2 - Getting it done in Domino
Import using combined file
• Concatenate the key and all certificates into one text file
– type pmxserver.key pmxserver.crt intermediate1.crt intermediate2.crt root.crt > pmxallcerts.txt
42. SHA2 - Getting it done in Domino
Import using combined file
43. SHA2 - Getting it done in Domino
Import using combined file
• Verify the certificate chain
– kyrtool verify C:\TLS\pmxallcerts.txt
Successfully read 4096 bit RSA private key
INFO: Successfully read 4 certificates
INFO: Private key matches leaf certificate
INFO: IssuerName of cert 0 matches the SubjectName of cert 1
INFO: IssuerName of cert 1 matches the SubjectName of cert 2
INFO: IssuerName of cert 2 matches the SubjectName of cert 3
44. SHA2 - Getting it done in Domino
Import using combined file
• Import the text file to the KYR
– kyrtool import all -k C:\TLS\pmxwildserver.kyr -i C:\TLS\pmxallcerts.txt
45. SHA2 - Getting it done in Domino
Import individually
• Issue a series of import commands to merge the root, intermediates,
server cert and server key into the key ring file
– kyrtool import roots -i C:\TLS\GeoTrust_Global_CA.cer -k C:\TLS\pmxwildserver.kyr
– kyrtool import roots -i C:\TLS\intermediate1.txt -k C:\TLS\pmxwildserver.kyr
– kyrtool import roots -i C:\TLS\intermediate2.txt -k C:\TLS\pmxwildserver.kyr
– kyrtool import keys -i C:\TLS\pmxserver.key -k C:\TLS\pmxwildserver.kyr
– kyrtool import certs -i C:\TLS\pmxcert.crt -k C:\TLS\pmxwildserver.kyr
46. SHA2 - Getting it done in Domino
• Verify! Verify!
– kyrtool show keys -k C:\TLS\pmxwildserver.kyr
– kyrtool show certs -k C:\TLS\pmxwildserver.kyr
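The checks that kyrtool verify reports above (key matches the leaf, each issuer matches the next subject) can be run with OpenSSL alone before anything is imported. This is an added example, not the presenter's or IBM's code: the function names, the throwaway demo chain and the extra SHA-1/MD5 signature check (which goes beyond what the slide shows) are assumptions of the example.

```shell
#!/bin/sh
# Added example: pre-flight check of a combined PEM file before `kyrtool import all`.
# Expected order: private key, server (leaf) cert, intermediates, root.
check_bundle() {
    bundle=$1; rc=0; i=0
    work=$(mktemp -d) || return 2
    # Split each CERTIFICATE block into cert-0.pem, cert-1.pem, ... in file order.
    awk -v d="$work" 'BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { on = 1 }
        on { print > (d "/cert-" n ".pem") }
        /-----END CERTIFICATE-----/   { on = 0; n++ }' "$bundle"
    count=$(ls "$work" | wc -l | tr -d ' ')
    [ "$count" -gt 0 ] || { echo "ERROR: no certificates in $bundle"; rm -rf "$work"; return 1; }
    echo "INFO: read $count certificates"
    # The private key must pair with the first certificate in the file.
    key_pub=$(openssl pkey -in "$bundle" -pubout 2>/dev/null)
    leaf_pub=$(openssl x509 -in "$work/cert-0.pem" -noout -pubkey)
    if [ -n "$key_pub" ] && [ "$key_pub" = "$leaf_pub" ]; then
        echo "INFO: private key matches leaf certificate"
    else
        echo "ERROR: private key does not match cert 0"; rc=1
    fi
    while [ "$i" -lt "$count" ]; do
        cert="$work/cert-$i.pem"; next="$work/cert-$((i + 1)).pem"
        issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        alg=$(openssl x509 -in "$cert" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
        # A SHA-1 or MD5 signature is a finding on every cert except a self-signed root.
        case $alg in *[sS][hH][aA]1*|*[mM][dD]5*)
            [ "$issuer" = "$subject" ] || { echo "ERROR: cert $i is signed with $alg"; rc=1; } ;;
        esac
        if [ -f "$next" ]; then
            next_subject=$(openssl x509 -in "$next" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
            if [ "$issuer" = "$next_subject" ]; then
                echo "INFO: issuer of cert $i matches subject of cert $((i + 1))"
            else
                echo "ERROR: issuer of cert $i is not the subject of cert $((i + 1))"; rc=1
            fi
        fi
        i=$((i + 1))
    done
    rm -rf "$work"
    return "$rc"
}

# Constructed sample data: a throwaway root and wildcard cert (2048-bit keys for speed).
make_demo_bundle() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl genrsa -out "$d/pmxserver.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$d/pmxserver.key" -subj "/CN=*.example.test" -out "$d/pmxserver.csr"
    openssl x509 -req -sha256 -days 2 -in "$d/pmxserver.csr" -CA "$d/root.crt" \
        -CAkey "$d/root.key" -CAcreateserial -out "$d/pmxserver.crt" 2>/dev/null
    cat "$d/pmxserver.key" "$d/pmxserver.crt" "$d/root.crt" > "$d/pmxallcerts.txt"
}

demo=$(mktemp -d) && make_demo_bundle "$demo"
check_bundle "$demo/pmxallcerts.txt"
```

A non-zero exit status means the file should be fixed before the import; listing the root ahead of the server certificate is enough to trip both the key check and the chain check.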
47. SHA2 - Using it in Domino
• Install to servers & configure internet site documents
• Can be used in the following:
– ANY web site (iNotes, apps, etc)
– Traveler
– S/MIME (encrypted mail)
– Mail Protocols (SMTP, IMAP, POP3)
– LDAP
– DIIOP (must have 9.0.1 FP5)
48. SHA2 - Using it in Domino
49. SHA2 - Using it in Domino
Best Practice
• Disable SSLv3
– Notes.ini - DISABLE_SSLV3=1
• Disable TLS1.0 (if required)
– Notes.ini - SSL_DISABLE_TLS_10=1
• Cipher configuration...
50. SHA2 - Using it in Domino
Ciphers – what are they again?
• Algorithm for performing encryption and decryption
• Combination of authentication, encryption, message
authentication code (MAC) and key exchange algorithms used
to negotiate the security settings for a network connection
51. SHA2 - Using it in Domino
Ciphers
• TLS support was delivered as an Interim Fix (IF), which prevented updates to the Admin client
• Cipher configuration via the UI is no longer used
• Notes.ini parameter SSLCipherSpec controls the ciphers
– example: SSLCipherSpec=C030009F009D
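An added example (not from the presentation or from IBM) that decodes an SSLCipherSpec value like the one above and flags suites worth a second look. It assumes the value is a run of 4-hex-digit IANA cipher suite codes, which is consistent with the 12-character example; the function names and verdict wording are the example's own, and the table is only a subset of the IANA registry.

```shell
#!/bin/sh
# Added example: audit an SSLCipherSpec value from notes.ini.
# Assumption: the value is a run of 4-hex-digit TLS cipher suite codes.

# Map a suite code to its IANA name (subset of the registry, enough for a demo).
suite_name() {
    case $1 in
        C030) echo TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ;;
        C02F) echo TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ;;
        C028) echo TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ;;
        C027) echo TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ;;
        009F) echo TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 ;;
        009E) echo TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 ;;
        009D) echo TLS_RSA_WITH_AES_256_GCM_SHA384 ;;
        009C) echo TLS_RSA_WITH_AES_128_GCM_SHA256 ;;
        0035) echo TLS_RSA_WITH_AES_256_CBC_SHA ;;
        002F) echo TLS_RSA_WITH_AES_128_CBC_SHA ;;
        000A) echo TLS_RSA_WITH_3DES_EDE_CBC_SHA ;;
        0005) echo TLS_RSA_WITH_RC4_128_SHA ;;
        0004) echo TLS_RSA_WITH_RC4_128_MD5 ;;
        0003) echo TLS_RSA_EXPORT_WITH_RC4_40_MD5 ;;
        *)    echo UNKNOWN ;;
    esac
}

# Classify one suite by name: WEAK, REVIEW, NOTE (usable, with a caveat) or OK.
suite_verdict() {
    case $1 in
        UNKNOWN)                     echo "REVIEW: code not in this table" ;;
        *EXPORT*|*RC4*|*3DES*|*_MD5) echo "WEAK: export/RC4/3DES/MD5 suite" ;;
        TLS_RSA_WITH_*)              echo "NOTE: RSA key exchange, no forward secrecy" ;;
        *_CBC_*)                     echo "NOTE: CBC mode, not an AEAD cipher" ;;
        *)                           echo "OK" ;;
    esac
}

# Print one line per suite; return 0 if clean, 1 if any WEAK/REVIEW, 2 if malformed.
audit_cipherspec() {
    spec=$(printf '%s' "$1" | tr 'a-f' 'A-F'); rc=0
    case $spec in ''|*[!0-9A-F]*) echo "ERROR: not a hex string"; return 2 ;; esac
    [ $(( ${#spec} % 4 )) -eq 0 ] || { echo "ERROR: length is not a multiple of 4"; return 2; }
    while [ -n "$spec" ]; do
        rest=${spec#????}; code=${spec%"$rest"}; spec=$rest   # peel off 4 characters
        name=$(suite_name "$code")
        verdict=$(suite_verdict "$name")
        echo "$code $name $verdict"
        case $verdict in WEAK*|REVIEW*) rc=1 ;; esac
    done
    return "$rc"
}

audit_cipherspec C030009F009D      # the value shown on the slide
```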
53. Transferrable to WebSphere?
• A 4096 certificate can generate an error when attempting to add to
WebSphere
• “RSA premaster secret” error
• You need to add the unrestricted policy files to WebSphere for the
4096 certificate length to be imported
- ibm.co/1JZGs3z
54. Transferrable to WebSphere?
• OpenSSL
– use to create p12/jks keystore and import cert & private key
• IBM HTTP Server
– open existing kdb key store and import from p12
• Make sure your roots and intermediate certs are up to date!
55. Transferrable to WebSphere?
• Mail, Traveler, Connections, Sametime all using same certificate
56. Development
• Where possible – try and implement production certificates into
the development environment
• If not possible – create a self-signed certificate with the same
parameters
• Keep documentation up to date!
57. SSL Labs test
58. Summary
• Hackers across the internet are working around the clock to bust
encryption
• Every week there are vulnerabilities discovered
• You need to understand where the vulnerabilities are, how to
watch for them and how to protect against them
59. THANK YOU !!
http://auslug.org/survey2016