ID Vault Trust Certificates expire after 10 years. AKA that was a stupid decision and breaks ID Vault  

By Darren Duke | 4/15/20 3:24 PM | Infrastructure - Notes / Domino | Added by Oliver Busse

No meaningful blog posts in ages, then 257 in the space of 3 days. Yeah, COVID quarantine is a killer. Anyway, apparently ID Vaults stop working after 10 years. Not the best decision ever made by the head shed at IBM when 8.5 shipped. I only discovered this when trying to reset a vaulted password. What's even worse is the error of this type of failure.

Domino logging to Syslog  

By Darren Duke | 9/19/18 6:53 AM | Infrastructure - Notes / Domino | Added by John Oldenburger

So you have Domino. And you have a syslog server where everything except Domino is logged to. You want Domino to play along with everything else. What can you do? For starters there is this event handler type in events4.nsf. But in typical IBM fashion the documentation for the above is practically non-existent on how this works.

CollabSphere 2018 Presentation - Domino on the web, it’s (probably) hackable  

By Darren Duke | 7/26/18 10:33 AM | Infrastructure - Notes / Domino | Added by Oliver Busse

Here's my CollabSphere 2018 presentation from the conference in Ann Arbor, MI. Again, a huge thank you to Richard and Leann Moy for organizing another spectacular conference.

How to prevent ROBOT (Return Of Bleichenbacher’s Oracle Threat) on Domino servers  

By Darren Duke | 1/16/18 12:07 AM | Infrastructure - Notes / Domino | Added by John Oldenburger

Last month, in December 2017, a new (well old, but new) vulnerability was discovered in TLS, the ROBOT attack (Return Of Bleichenbacher's Oracle Threat) and yes, your Domino servers are probably susceptible to it. To avoid re-posting everything from that article go read it then come back.

Moving Domino NIF indexes out of the NSF  

By Darren Duke | 3/29/17 2:23 PM | Infrastructure - Notes / Domino | Added by Oliver Busse

New in Fix Pack Feature Pack 8 is the ability to move the view index files out of the NSF. NIF is the technical term for these index files and they end with the file suffix of NDX. I decided to upgrade my production cluster to FP8 and turn on this new feature that was originally slated for 9.0.2. Here's what I did.

9.0.1 FP7 and how to enable the new port encryption settings  

By Darren Duke | 9/14/16 10:18 AM | Infrastructure - Notes / Domino | Added by Oliver Busse

9.0.1 FP7 has shipped. It's not all we hoped (only three new features, and no Java 8) but yet again the Domino security team has added stuff, this time the oft requested update to Notes client port encryption. But (at the time of writing) all the technotes on how to enable this either go to the wrong page (ICCA) or a nice looking, but still pointless 404 page.

Supercharge your Domino servers with OCSP Stapling - real go faster stripes  

By Darren Duke | 9/16/15 8:33 AM | Infrastructure - Notes / Domino | Added by John Oldenburger

OK, so I know I said IBM were dropping the ball on 9.0.2 but the Domino security team have been knocking the ball out of the park lately (IBM, don't ignore security again.....just saying). Anyhow, yesterday was HSTS, today I give you OCSP Stapling in Domino.

Domino adds HSTS to its security arsenal  

By Darren Duke | 9/15/15 10:33 AM | Infrastructure - Notes / Domino | Added by Kenio Carvalho

HTTP Strict Transport Security (HSTS) starting in Domino 9.0.1 FP3 IF2

A completely password-less IBM Notes set up using SAML and ADFS - the movie  

By Darren Duke | 9/2/15 11:20 AM | Infrastructure - Notes / Domino | Added by John Oldenburger

So in the post yesterday I kind of kicked IBM in the balls a bit. So today I'll give them kudos....while the Notes and SAML implementation in 9.0 is a bit ropey (it was new), in 9.0.1 they fixed all the issues and have now provided a truly impressive bit of functionality.

MWLUG 2015 Presentation - Domino Security - not knowing is not an option  

By Darren Duke | 8/24/15 3:55 PM | Business - Events / People | Added by John Oldenburger

Wow. This conference keeps getting better. 210+ attendees, great sponsors, literally a 5 star location. Great work Richard Moy, Lisa, Mike McGarel and Leann Moy. Here is my Domino Security presentation (no I'm not posting the World According to Darren Part 2).

SOLUTION - Domino Directory Assistance to Active Directory when using SSL DOES NOT break with 9.0.1 FP4  

By Darren Duke | 7/16/15 8:32 AM | Infrastructure - Notes / Domino | Added by John Oldenburger

In my last post I made a mistake. I made the mistake of believing that R9 changed something for the better that it apparently does not, and that when the product gets updated, so do the tools. My bad. Basically I'm a moron. First the good news, Domino 9.0.1 FP4 does work with Active Directory 2012 with TLS1.2.

Domino Directory Assistance to Active Directory when using SSL breaks with 9.0.1 FP4  

By Darren Duke | 7/15/15 9:28 AM | Infrastructure - Notes / Domino | Added by John Oldenburger

Over the past few days I've been working to figure out why 9.0.1 FP4 can no longer connect to Active Directory when using an SSL connection for the LDAP connection from Domino. Specifically this is AD 2012 but I would guess the same issues hit 2012 R2. Not sure about 2008.

TLS 1.2 in Domino and the settings I use  

By Darren Duke | 4/6/15 8:13 AM | Infrastructure - Notes / Domino | Added by Johnny Oldenburger

Unless you have been living under a rock somewhere you no doubt know that IBM finally gave us TLS 1.2 for IBM Domino servers. This means that Domino servers can now use SSLv3, TLS 1.0 and TLS 1.2. But it's IT, so just because you can does not mean you should......for example I would suggest most servers (I'll get to the outliers further down the page) would probably want SSLv3 disabled.

Domino and SSL ciphers. The server document may not be doing what we expect it to do  

By Darren Duke | 2/3/15 8:45 AM | Business - Events / People | Added by Johnny Oldenburger

Now I'm back in the office, it's time to address this. So based on that session it seems as if the LDAP, SMTP, DIIOP, POP3 and IMAP (and Remote debug monitor?) protocols do not adhere to the cipher list in the server document (there was no mention of internet sites documents, but I would presume they are affected by this issue too).

ConnectED-sphere sudo review  

By Darren Duke | 2/2/15 5:16 PM | Business - Events / People | Added by Johnny Oldenburger

I was fully expecting to write a "what a train wreck" review before I went. I was not expecting to say I had a metric shit ton of fun. But I did. And based on other posts I've perused it seems almost everyone else did. There are far more eloquent reviews elsewhere, so this will be bare bones. Domino4Wine runs DDE and Admin on OSX and/or Linux. See more here http://vimeo.com/117342115.

How to disable SSLv3 in Domino  

By Darren Duke | 12/12/14 8:07 AM | Infrastructure - Notes / Domino | Added by Johnny Oldenburger

In my POODLE TLS post from a few days back, there was a comment asking how to fully disable SSLv3 in Domino. You'll notice in the comments I mention that there is a way but at the time it was under NDA. Well, apparently not anymore. Now, fair warning, this may not yet be supported by IBM so if you choose to do this, you do it at your own risk (while under NDA on this, it was stated that it is unsupported so YMMV).

POODLE TLS - The POODLE Strikes Back - change your settings now  

By Darren Duke | 12/9/14 11:16 AM | Infrastructure - Notes / Domino | Added by Johnny Oldenburger

After a brief chat in the Lotus Notes Skype chat with Jim Casle, Declan Lynch, Steve Pridemore and Frederick Norling it has become apparent that Domino may be susceptible to the newly discovered POODLE TLS issue (POODLE 2.0 if you will). Anyway, provided you are using 9.0.1 FP IF1 (the TLS fix that IBM provided a while back) the apparent Domino fix is to disable AES and 3DES ciphers and run with only RC4.

Here is a freely available VM to reverse proxy Domino - shoot the poodle  

By Darren Duke | 10/15/14 8:47 AM | Infrastructure - Notes / Domino | Added by Oliver Busse

In an effort to help Domino customers mitigate the disaster that is the SSLv3 Poodle bug, I am providing the virtual machine linked at the bottom of this post. Note, you can also use the IBM HTTP Server bundled with R9 if you are on a Windows server....if that is the case, stop reading.

Use a custom notes.ini file and pre-populate user settings on Notes first startup  

By Darren Duke | 12/3/13 12:16 AM | Infrastructure - Notes / Domino | Added by Niklas Heidloff

I alluded to this a few days ago in my ManageEngine Desktop Central (DC) post (not that you need DC for this, it just makes it easier if you have an application that can push out files to the OS....Group Policy can probably do it too) but you can simply customize a notes.ini file and have Notes fill in all those complicated user-prompted fields like server, address, name....etc.

Using ManageEngine’s DesktopCentral to deploy Lotus Notes  

By Darren Duke | 11/27/13 12:31 AM | Infrastructure - Notes / Domino | Added by Niklas Heidloff

I mentioned in my last blog post that ManageEngine's software was one of my winners for 2013. They make great, reasonably priced software.

Remember to check *both* Domino and Traveler for fixes  

By Darren Duke | 10/18/13 12:17 AM | - | Added by Niklas Heidloff

Organizations patch their Traveler servers at a fast and furious rate. There is nothing wrong with that. Indeed, given the rate at which new mobile OS updates come out you pretty much have to, and IBM are doing a great job here.

Domino Directories and local replicas - another bad idea  

By Darren Duke | 8/14/13 12:14 AM | Infrastructure - Notes / Domino | Added by Niklas Heidloff

The post yesterday, "Mail file users having Manager ACL and why it's a bad idea", brought up some questions about getting the Domino Directory on the client as a replica.

Mail file users having "Manager" ACL, and why it’s a bad idea  

By Darren Duke | 8/13/13 12:58 AM | Infrastructure - Notes / Domino | Added by Niklas Heidloff

Every few weeks or so I get into an argument with people when I recommend they drop the ACL level for a user from "Manager" to "Editor" on a user's mail file.

Enabling DAOS on the Domino mail template  

By Darren Duke | 6/11/13 1:34 AM | Infrastructure - Notes / Domino | Added by Niklas Heidloff

If you enable DAOS on your mail templates then when a new mail file is created DAOS is already enabled. Do this for all of your mail templates in a similar fashion to what I show below for the mail85.ntf template.

Setting up IBM HTTP Server to redirect all traffic to HTTPS when fronting Domino  

By Darren Duke | 6/3/13 1:04 AM | Infrastructure - Notes / Domino | Added by Niklas Heidloff

In this (now) part 3 I will show how to redirect all IHS traffic to SSL when using the Domino 9 built-in IHS server. This is most likely how you want iNotes or Traveler servers set up.....so here goes.

Exporting Domino SSL keyfiles to another format for use with IHS  

By Darren Duke | 5/28/13 3:40 PM | Infrastructure - Notes / Domino | Added by Per Henrik Lausten

In my last post I'd indicated that IBM HTTP Server (IHS) is included with Domino 9 on Windows and that I think this is a pretty good addition (if a cop out). Anyway, you most likely already have an SSL certificate on Domino for web mail or Traveler and with IHS in front of Domino you now want to move that SSL certificate to IHS. As you most likely know Domino's SSL key format is a tad esoteric, so how does one go about getting that pesky KYR format into the KDB format that IHS likes?

IBM Domino now includes IBM HTTP Server - but how do you find it?  

By Darren Duke | 5/15/13 11:55 PM | Infrastructure - Notes / Domino | Added by Niklas Heidloff

Well, first you probably want to know why IBM added the IBM HTTP Server (IHS) to Domino.....basically to allow Domino to do TLS over HTTP (which native Domino HTTP cannot do....it can do TLS over SMTP but not HTTP).

ATLUG is May 16th and I will be presenting on IBM Lotus Traveler security  

By Darren Duke | 5/7/13 12:35 AM | Business - Events / People | Added by Niklas Heidloff

Here are the abstracts and the registration details for the IBM hosted event from 11:30AM to 1:30PM on May 16th.

Update to the Domino cluster post, when to use "SERVER_RESTRICTED"  

By Darren Duke | 5/2/13 12:28 AM | Infrastructure - Notes / Domino | Added by Niklas Heidloff

After the last clustering post, "Stop users accidentally connecting to passive Domino cluster servers", I've had several people ask when I would use SERVER_RESTRICTED, as I'd indicated I would not use that to keep users off my clusters.