

Daniel Nashed
Blog Title Daniel Nashed’s Blog
Blog Description Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...
Blog URL http://blog.nashcom.de
RSS Feed http://blog.nashcom.de/nashcomblog.nsf/feed.rss
Feed Last Checked May 26, 2016 4:10:43 AM EST.
Location Germany


Recent Blog Posts
55
43. DNUG 1. + 2. June in Hamburg
Thu, May 26th 2016 4:58a   Daniel Nashed
Hi and good morning! This will be my first blog entry in Germany and it's about our German "Notes" User Group "DNUG"... A lot has happened at DNUG in the last few months! Since DNUG has had a new board, some things are being approached differently, and the way the DNUG conference is planned has also changed. The office is now virtual, and DNUG's servers have been virtualized accordingly. Aber auch an anderen S
351
Domino 9.0.1 FP6
Sun, May 22nd 2016 4:55p   Daniel Nashed
Domino 9.0.1 FP6 has been released a while ago. I have installed it and I got positive feedback from customers already. FP6 contains all the fixes from previous IFs and also the updated JVM Java60SR16FP20 which addresses a couple of security fixes. Also the server controller interoperability issue is fixed. But for a client based connection you also need to update your admin client! All the TLS fixes are also included and there is an additional fix for an issue in a TLS handshake. SPR#
10
Domino Federated Web Login / SAML with F5 and ADFS 3.0
Mon, Apr 25th 2016 12:14p   Daniel Nashed
In the last couple of weeks I spent a lot of time with customer Web Federated Login workshops and implementations. Not sure what happened but suddenly everyone is interested in SAML. It looks like more and more customers are looking into that because they have already implemented SSO for other applications like O365. In one case a customer had an existing F5 configuration. In one other case we had a customer with Windows 2012 R2 and ADFS 3.0. Both configurations are not officially support
17
Server Controller Issue when applying 9.0.1 FP5 IF2
Thu, Mar 31st 2016 9:27a   Daniel Nashed
After applying 9.0.1 FP5 IF2 you cannot connect to the server controller -- again! That's another issue that cannot be fixed by allowing MD5 in the java security files. What you need is an updated version of the JVM patch. The new patch has a release date of 25.3.2016 and can be downloaded from Fixcentral. Here is the relevant information from the updated technote referenced in the SPR. SPR RSSNA6UU79 is fixed in version 9.0.1FP5 Interim Fix 2 (IF2) via a server code fix and an updated JV
9
Security Issue - IBM Domino AES GCM weak nonce generation vulnerability
Tue, Mar 29th 2016 6:02a   Daniel Nashed
There is a new vulnerability affecting AES GCM ciphers which have been introduced in 9.0.1 FP3 (enabled by default). For very large data sets, IBM Domino Web servers using TLS and AES GCM generate a weak nonce which could be potentially used for a man-in-the-middle attack. All Domino 9 versions supporting those ciphers are affected and there is a new IF (9.0.1 FP5 IF2) which addresses this issue. The IBM Domino AES GCM weak nonce generation vulnerability is tracked as SPR #KLYHA6ZP4F. If
13
Critical: glibc security and bug fix update
Wed, Feb 17th 2016 8:02a   Daniel Nashed
There is a critical issue with the glibc lib that Linux and other systems are using. The best short description I found is the following: "A stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries. A remote attacker could create a specially crafted DNS response which could cause libresolv to crash or, potentially, execute code with the permissions of the user running the library. Note: this issue is only exposed when libresolv is called
17
Domino Server Controller does not connect after upgrade to Java6SR16FP20
Tue, Feb 16th 2016 1:33p   Daniel Nashed
The IBM Java Team disabled MD5 in their latest patch to tighten security. But the Server Console currently can only use MD5 right now. So by this intentional change by the IBM Java Team the Domino Console cannot connect any more. For now to have the Server Controller local and remotely working again you have to re-enable MD5. This is a similar issue to what we had when the IBM Java team disabled SSLV3 some time ago. There are two lines that you have to change in the ..jvm/lib/securit
9
Domino Start Script New Version 3.1.0
Thu, Feb 11th 2016 10:26a   Daniel Nashed
As already mentioned at IBM ConnectED last week, I am working on a new version of my start script. Most of the new functionality has been built in because I found it useful for the customer environments I am working in. On top of the new functionality I added a new script "rc_all" that can start, stop, cleanup, diag ... all partitions at the same time. The new rc_all script is a separate script that will search for your Domino partition rc-scripts and is mainly interesting when you run L
13
Domino 9.0.1 FP5 IF1 with Security Fixes
Sat, Jan 30th 2016 9:47a   Daniel Nashed
There is a new IF1 for Domino 9.0.1 that includes two fixes we have waited for in the TLS area especially when communicating with STARTTLS and web-services as posted before on my blog. SPR #KLYHA57S37 - Disable TLS Session Resumption on outbound connections by default. This fix addresses an issue for outgoing STARTTLS sessions on SMTP. See some more details in my other blog post --> http://blog.nashcom.de/nashcomblog.nsf/dx/tls-1.2-connection-issues-with-protection.
11
Linuxfest VII Gets a Slot at IBM Connect 2016
Sat, Jan 30th 2016 8:17a   Daniel Nashed
If you are attending IBM ConnectED in Orlando and you are interested in Linux you should attend the Linuxfest Session. Thanks to Bill Malchisky we made it again into the agenda! I am looking forward to this session and will bring the brand new Start Script Version 3.1.0 with many enhancements. Here is a copy of Bill's original post. Looking forward to this session. -- Daniel Linuxfest VII Gets a Slot at IBM Connect 2016 Bill Malchisky January 28 2016 02:00:00 AM Linuxfest VII -
3
Traveler 9.0.1.9 shipped
Sat, Jan 16th 2016 8:23a   Daniel Nashed
Traveler 9.0.1.9 is the first update shipped this year. It comes with a number of fixes. See details here --> http://www.ibm.com/support/docview.wss?uid=swg21700212#9019 And it solves an important issue for Traveler HA Servers. There is a technote describing the issue in detail and you should have a look into the new command introduced in this version as soon as you have updated your servers. The following TN #1974741 "Two scenarios where multiple accounts for users could be created on
17
TLS 1.2 Connection Issues with mail.protection.outlook.COM
Thu, Jan 7th 2016 6:57a   Daniel Nashed
Two of my customers had issues connecting to the Microsoft hosted environment over TLS 1.2 once we got the session resumption working (see previous blog posts). My environment had the same configuration and could connect just fine. It looks like the servers are behaving differently with different certificates. That's the only difference we saw in configuration. After a couple of tests and working with IBM support we got a hotfix that we successfully tested yesterday. I know of 3 custom
5
STARTTLS Outbound Sessions might fail with TLS 1.0 used and TLS 1.2 Ciphers
Tue, Dec 15th 2015 2:18p   Daniel Nashed
We have been running into some issues and I got multiple customers reporting that outgoing STARTTLS did not work in some cases especially for some German providers like web.de and gmx.net. The error you see when enabling debugging is SSLEncodeClientHello> We offered SSL/TLS version TLS1.0 (0x0301) FindCipherSpec> Cipher spec DHE_RSA_WITH_AES_256_CBC_SHA256 (107) is not supported with TLS1.0 It turned out that session resumption in combination with the newly introduced TLS 1.2 causes
9
Symantec Backup Exec End of Life
Sat, Dec 5th 2015 9:19a   Daniel Nashed
I have been helping a customer who had issues with Backup Exec for Domino. They got issues with their backups. The error message pointed to issues with their tapes. But it turned out it had to do with the DAOS integration which is not fully working with Domino 9.0.1. The error they got pointed to issues with the back media: Final Error Code: e00084ca HEX (0xe00084ca HEX) or a00084cd HEX (0xa00084cd HEX) Final Error Description: The data being read from the media is inconsistent. Final
11
Domino 9.0.1 FP5 Security Fixes and Functionality
Fri, Dec 4th 2015 8:14p   Daniel Nashed
This week Domino 9.0.1 FP5 has been released. The client fixpack seems to have issues. I have seen a Support Flash alert and a couple of customers/partners contacted me with problems. On the client side I would wait until those problems have been resolved. But on the server side you should look into implementing FP5 soon. I have deployed it on my production server and I have now also incoming and outgoing "STARTTLS" enabled with additional logging via my SpamGeek application. In addit
6
Add-On Tool for Domino Restore
Mon, Nov 30th 2015 10:58a   Daniel Nashed
Most backup solutions are still not really flexible when it comes to restore operations. I am currently involved in some backup projects and build a tool that can be used on top of a Domino aware backup solution. Some software can disable replication when restoring a NSF file. Other applications can change the replica when restoring a database. But I have not seen an application that can do both at the same time. And there are also other operations that could make sense. I would wish back
8
Cluster Failover on W2008 and higher - disable Port Stealth Mode
Sat, Nov 21st 2015 3:34a   Daniel Nashed
I should have blogged about this earlier. It was in my 2013 IBM Connected presentation but beside the TN and my presentation there is not much information. If you are using Domino clustering on Win2008 or higher you should really disable the port Stealth mode! This week I ran into a customer crash situation with repeated crashes which took a while to fix. The failover on their Win2012 R2 servers was painfully slow. In Win2008 Microsoft introduced a feature called the Port Stealth mode.
6
DNUG Domino Day in Düsseldorf
Wed, Nov 18th 2015 12:32p   Daniel Nashed
Last call! In case you did not know yet. There is a new type of event organized by DNUG next Tuesday. I am very interested to see how the feedback to this new event type is. The event is free for DNUG members and in case you are not a member there is a small fee. Also the way to get enrolled is different. The DNUG board to make it easier and tries different ways to organise the event. I am looking forward to the event and I hope to see many of you next week! The sessions are all
19
Traveler 9.0.1.8 Fixes and DBMaint Command
Wed, Oct 7th 2015 5:36p   Daniel Nashed
A new Traveler Version has been released today. There are a couple of important fixes and you should consider updating soon. Below you find a fix list. There is also a new Traveler command mainly for enterprise database management called DBMaint. Here is a link to the updated documentation section --> http://www.ibm.com/support/knowledgecenter/SSYRPW_9.0.1/IBMTravelerDatabaseMaintenance.html Because it is brand new I have to check how it works in detail and there is a planned O
9
test
Wed, Oct 7th 2015 5:36p   Daniel Nashed
APAR #    Abstract
LO85584   Explicit commit is not needed for database select statements.
LO86339   Warning may be displayed for redirect to SSL setting that is not in effect.
LO86341   Add covering index to improve performance of update queries.
LO86366   User may stop syncing after migration to HA environment AND change mail template.
LO86445   Traveler syncs attachments in very small chunks causing mail delays and possible server crash.
LO86448   Enable Calendar ghosting for ActiveSync devices when r
11
Higher Crypt-Standards with Notes/Domino and updated JVM 1.6
Fri, Oct 2nd 2015 3:46p   Daniel Nashed
There is a brand new TN describing how to enable higher security for the updated JVM 1.6 in Notes/Domino. --> http://www.ibm.com/support/docview.wss?uid=swg21967996 The IBM 1.6 JVM does support TLS 1.2 and also some modern ciphers. Sadly by default they cannot be used because they use higher encryption levels (AES 256) which are disabled by default in the IBM and even in the current Oracle JVM 1.8. The TN describes a download for something that is called "Java Cryptography Ext
11
OSX 10.11 El Capitan does not only support ECDHE Ciphers
Thu, Oct 1st 2015 6:21a   Daniel Nashed
After updating to OSX 10.11 I did a quick test. It wasn't sure if Apple will only support ECDHE and implementing their new standard ATS. The first tests show that the current ciphers are there but Apple does even support quite simple ciphers like RSA_WITH_RC4_128_SHA / MD5 as a fall back. But you never know if this is going away in one of the next updates. Here is a trace against a Domino 9.0.1 FP4 IF2 server. You can see all supported common ciphers and I highlighted the most
20
IBM Notes V9.0.1 Mac 64 Bit English (CN6VDEN )
Tue, Sep 29th 2015 10:03a   Daniel Nashed
Wow the Mac 64bit Client has been released today! If you are looking for it, the description and the part number might help. Already downloaded from Partnerworld. I hope you also find it in Passport Downloads already. IBM Notes V9.0.1 Mac 64 Bit English (CN6VDEN ). And here is the technote -> http://www.ibm.com/support/docview.wss?uid=swg21962311 Have fun! Daniel
9
Domino 9.0.1 FP4 IF2 Security Update
Sat, Sep 26th 2015 4:38a   Daniel Nashed
After updating to the new IF which introduces ECDHE with some additional settings you can get to a "A+" SSL Labs rating. When you install IF2 by default you get a good set of ciphers. In the previous sets of fixes DHE was disabled by default. Now you have DHE and also ECDHE enabled by default. There is not much in addition to that you have to do. Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites at the end) TLS_ECDHE_RSA_WITH_AES_256_G
8
Domino 9.0.1 FP4 IF2 shipped with ECDHE support
Fri, Sep 25th 2015 10:35a   Daniel Nashed
Domino 9.0.1 Fix Pack 4 Interim Fix 2 shipped. It contains some important fixes in the security area. First of all it corrects some bugs in the DHE and AES-GCM area. And also fixes in MIME conversion especially important for Traveler servers. But it also introduces ECDHE ciphers! Again the Domino security team did a great job implementing important new functionality in an Interim Fix. As posted before Apple iOS 9 which shipped last week requires ECDHE at least for custom applicat
8
IBM Champion Nomination
Thu, Sep 17th 2015 7:41a   Daniel Nashed
The IBM Champion program is a great way to thank active members of the community. "The IBM Champion program recognizes innovative thought leaders in the technical community — and rewards these contributors by amplifying their voice and increasing their sphere of influence. An IBM Champion is an IT professional, business leader, developer, or educator who influences and mentors others to help them make best use of IBM software, solutions, and services." So if there is someone you th
7
iOS 9 Released and Traveler continues to work without ECDHE
Wed, Sep 16th 2015 3:00p   Daniel Nashed
Yesterday Apple released the final version of iOS 9. As posted before it wasn't sure which part of the ATS specification they will enforce for ActiveSync connections and other internal applications like the Safari web browser. My tests have shown that Apple is not enforcing the requirement for ECDHE and not even TLS 1.2 for ActiveSync connections yet. I have been still able to connect with the final iOS 9 release. So the ATS standard is just enforced for custom applications (I did not tes
8
IBM Traveler 9.0.1.7 shipped with iOS 9 support
Mon, Sep 7th 2015 8:46a   Daniel Nashed
Traveler 9.0.1.7 shipped while I was away for holidays. I have updated my server already over the weekend and it looks good. I have also not heard anything negative from any customer yet. This release does not only add support for iOS 9 but also Windows 10 Pro on tablet devices and the latest MS SQL Server. - Support for Windows 10 Pro running on tablet devices. - Support for Apple iOS 9.x running on all Apple devices. - Support for Microsoft SQL Server 2014 Enterprise Edition. Here
6
Apple App Transport Security
Wed, Jul 22nd 2015 6:50a   Daniel Nashed
Apple is introducing a new standard for their next OS versions. App Transport Security (ATS) is planned for iOS 9 and OS X 10.11. The current plan is to only support: TLS 1.2; >= 2048 bit RSA; SHA-256 signed web server certificates; ECDHE!! TLS 1.2 is a good idea, 2048 RSA keys are a good idea and SHA-256 is also a good idea because SHA-1 is rated as insecure. The general requirement for PFS ciphers (https://en.wikipedia.org/wiki/Forward_secrecy) is a good idea from security point
9
Crash on iNotes when applying IF1 or the new 9.0.1 FP4 version
Mon, Jul 20th 2015 12:05a   Daniel Nashed
One of my customers and another partner reported a new crash when applying 9.0.1 FP4 IF1. They both reported the exact same call-stack both running on Linux. I have no details yet but given the fact that there are two independent crash reports with the same call-stack this might be a more general issue. I am waiting for more information and will update you ASAP once I hear anything new. For now I would stay on the last IF of FP3 until we know what is happening. Enclosed you find the cal
12
Crash after applying 9.0.1 FP4
Tue, Jul 7th 2015 1:33a   Daniel Nashed
I am working with IBM support since I installed FP4 directly after it shipped. After installing FP4 I got a crash on startup. I first thought this is special to my environment and IBM support was blaming my unsupported CentOS 6.5 environment. But it turned out that there was already a SPR # LKIM9UPQBL which has been already escalated to development. So it sounded like a more general issue that can happen in some configurations. The bug has been reproduced on one of my customers with SLES
9
IBM Notes Traveler 9.0.1.6 released with some important fixes
Wed, Jul 1st 2015 7:33p   Daniel Nashed
IBM Traveler 9.0.1.6 ships a couple of important APAR fixes for the IBM Traveler. Some of the fixes solve problems in MIME & attachment handling which have been introduced in the last releases when the new MIME handling has been introduced. Fixlist: APAR # Component Abstract LO84879 Server Calendar notice may be sent multiple times or be sent by the server ID. LO85144 Server E-mail containing invalid zero character in WBXML encoding ma



