Daniel Nashed
Blog Title Daniel Nashed’s Blog
Blog Description Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...
Blog URL http://blog.nashcom.de
RSS Feed http://blog.nashcom.de/nashcomblog.nsf/feed.rss
Feed Last Checked Aug 24, 2016 9:46:12 AM EST.
Location Germany


Recent Blog Posts
16
Traveler 9.0.1.13 released with some fixes
Thu, Aug 18th 2016 6:12p   Daniel Nashed
There is a new traveler release that just shipped. Some of the issues might affect you.
APAR # / Abstract
LO82881 Domino server may crash if $NTTrack field is corrupted.
LO89471 Traveler invitee status may be incorrect if using mixed case internet addresses.
LO89606 Number of recipients limited to 100 when sending mail from a mobile device.
LO89745 Traveler server enters constrained state when load balancing a large number of users.
LO89772 Meeting chair may receive multiple notices
9
Extended Master Secret Extension issue affects all Internet Protocols including STARTTLS
Wed, Jul 27th 2016 8:23a   Daniel Nashed
There is an issue described in a technote which describes an issue with Win 2008 R2 and LDAP. This issue also occurs for other internet protocols!! It is especially important for servers using STARTTLS because you don't control which version and settings the receiving/sending host is using. So the issue I blogged about today does also affect other protocols. That's why I decided to have two blog posts to ensure it is better found on the web. Here is the info from the other blog po
7
Secure LDAP to Active Directory fails with Domino 9.0.1 FP5 IF1 and higher
Wed, Jul 27th 2016 2:21a   Daniel Nashed
Domino 9.0.1 FP5 IF1 adds support for the Extended Master Secret Extension with TLS 1.2. Windows 2008 R2 only supports TLS 1.0 but still sends the Extended Master Secret Extension in the server hello. Domino fails to connect because once this is offered Domino wants to use it. There is a work-around to disable this new functionality globally on the server via notes.ini SSL_DISABLE_EXTENDED_MASTER_SECRET=1 This is just a work-around and the real fix would be that Microsoft prov
4
IBM Traveler 9.0.12 released including a security fix
Thu, Jul 14th 2016 9:45a   Daniel Nashed
IBM Traveler 9.0.12 shipped with some important changes. The first change is a security fix which is described below. But there is another security fix in the installer on Windows as well and some other fixes that could be affecting you. Upgraded my server already. -- Daniel Security Bulletin: XML External Entities Injection Vulnerability in IBM Traveler (CVE-2016-3039) IBM Traveler is vulnerable to a denial of service caused by an XML External Entity Injection (XXE) error wh
9
IBM Traveler 9.0.1.12 released including a security fix
Thu, Jul 14th 2016 3:45a   Daniel Nashed
IBM Traveler 9.0.1.12 shipped with some important changes. The first change is a security fix which is described below. But there is another security fix in the installer on Windows as well and some other fixes that could be affecting you. Upgraded my server already. -- Daniel Security Bulletin: XML External Entities Injection Vulnerability in IBM Traveler (CVE-2016-3039) IBM Traveler is vulnerable to a denial of service caused by an XML External Entity Injection (XXE) er
15
IBM mail support for Microsoft Outlook officially released
Wed, Jun 29th 2016 10:49a   Daniel Nashed
Finally IBM has released IMSMO 2.0. It has been around already under controlled distribution and is finally available for all customers and partners. It enables you to connect a Microsoft Outlook 2013 client to a Domino V9.0.1 Server. The software is an add-on to your Domino server similar to what a Traveler does (in fact they share some code base but they are not the same!). Also the gateway needs to reside on the mail-server of the user. We asked to have a way to use a gateway server app
9
Domino Catalog vs Domain Catalog
Sat, Jun 11th 2016 12:50p   Daniel Nashed
A while ago I ran into this and I did analyse how it works in detail. But I never posted this information. Today we ran into this again and I looked for my old documentation. -- Daniel Here is how it is intended to work and how most admins are currently using it. I was very surprised when I figured out how the catalog and domain catalog really work. My impression was always that the catalog.nsf is a replica that is replicated everywhere. But there are two different types of catalogs
7
DE-Mail Mail-Template with Command Line DNS Lookup
Wed, Jun 8th 2016 2:43a   Daniel Nashed
We ran into a limitation with the DE-Mail Template that T-Systems implemented in their Notes Mail Template. It turned out that they are invoking a cmd.exe because this is the only way to return data directly from nslookup to the application with a redirect on Windows. The function is used to check if the recipient's domain is a DE-Mail domain and queries SRV records defined in RFC 2782 (check https://en.wikipedia.org/wiki/SRV_record for details). SRV Records can not be queried with s
4
43. DNUG 1. + 2. June in Hamburg
Thu, May 26th 2016 4:58a   Daniel Nashed
Hi and good morning! This will be my first blog entry in German and it's about our German "Notes" User Group "DNUG"... A lot has happened at DNUG in the last few months! Since DNUG got a new board, some things are being approached differently, and the way the DNUG conference is planned has also changed. The office is now virtual, and DNUG's servers have been virtualized accordingly. Aber auch an anderen S
7
Domino 9.0.1 FP6
Sun, May 22nd 2016 4:55p   Daniel Nashed
Domino 9.0.1 FP6 has been released a while ago. I have installed it and I got positive feedback from customers already. FP6 contains all the fixes from previous IFs and also the updated JVM Java60SR16FP20 which addresses a couple of security fixes. Also the server controller interoperability issue is fixed. But for a client based connection you also need to update your admin client! All the TLS fixes are also included and there is an additional fix for an issue in a TLS handshake. SPR#
8
Domino Federated Web Login / SAML with F5 and ADFS 3.0
Mon, Apr 25th 2016 12:14p   Daniel Nashed
In the last couple of weeks I spent a lot of time with customer Web Federated Login workshops and implementations. Not sure what happened but suddenly everyone is interested in SAML. It looks like more and more customers are looking into that because they have already implemented SSO for other applications like O365. In one case a customer had an existing F5 configuration. In one other case we had a customer with Windows 2012 R2 and ADFS 3.0. Both configurations are not officially support
9
Server Controller Issue when applying 9.0.1 FP5 IF2
Thu, Mar 31st 2016 9:27a   Daniel Nashed
After applying 9.0.1 FP5 IF2 you cannot connect to the server controller -- again! That's another issue that cannot be fixed by allowing MD5 in the java security files. What you need is an updated version of the JVM patch. The new patch has a release date of 25.3.2016 and can be downloaded from Fix Central. Here is the relevant information from the updated technote referenced in the SPR. SPR RSSNA6UU79 is fixed in version 9.0.1FP5 Interim Fix 2 (IF2) via a server code fix and an updated JV
9
Security Issue - IBM Domino AES GCM weak nonce generation vulnerability
Tue, Mar 29th 2016 6:02a   Daniel Nashed
There is a new vulnerability affecting AES GCM ciphers which have been introduced in 9.0.1 FP3 (enabled by default). For very large data sets, IBM Domino Web servers using TLS and AES GCM generate a weak nonce which could be potentially used for a man-in-the-middle attack. All Domino 9 versions supporting those ciphers are affected and there is a new IF (9.0.1 FP5 IF2) which addresses this issue. The IBM Domino AES GCM weak nonce generation vulnerability is tracked as SPR #KLYHA6ZP4F. If
13
Critical: glibc security and bug fix update
Wed, Feb 17th 2016 8:02a   Daniel Nashed
There is a critical issue with the glibc lib that Linux and other systems are using. The best short description I found is the following: "A stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries. A remote attacker could create a specially crafted DNS response which could cause libresolv to crash or, potentially, execute code with the permissions of the user running the library. Note: this issue is only exposed when libresolv is called
11
Domino Server Controller does not connect after upgrade to Java6SR16FP20
Tue, Feb 16th 2016 1:33p   Daniel Nashed
The IBM Java Team disabled MD5 in their latest patch to tighten security. But the Server Console currently can only use MD5 right now. So by this intentional change by the IBM Java Team the Domino Console cannot connect any more. For now to have the Server Controller local and remotely working again you have to re-enable MD5. This is a similar issue to what we had when the IBM Java team disabled SSLV3 some time ago. There are two lines that you have to change in the ..jvm/lib/securit
11
Domino Start Script New Version 3.1.0
Thu, Feb 11th 2016 10:26a   Daniel Nashed
As already mentioned at IBM ConnectED last week, I am working on a new version of my start script. Most of the new functionality has been built in because I found it useful for the customer environments I am working in. On top of the new functionality I added a new script "rc_all" that can start, stop, cleanup, diag ... all partitions at the same time. The new rc_all script is a separate script that will search for your Domino partition rc-scripts and is mainly interesting when you run L
6
Domino 9.0.1 FP5 IF1 with Security Fixes
Sat, Jan 30th 2016 9:47a   Daniel Nashed
There is a new IF1 for Domino 9.0.1 that includes two fixes we have waited for in the TLS area especially when communicating with STARTTLS and web-services as posted before on my blog. SPR #KLYHA57S37 - Disable TLS Session Resumption on outbound connections by default This fix addresses an issue for outgoing STARTTLS sessions on SMTP. See some more details in my other blog post --> http://blog.nashcom.de/nashcomblog.nsf/dx/tls-1.2-connection-issues-with-protection.
9
Linuxfest VII Gets a Slot at IBM Connect 2016
Sat, Jan 30th 2016 8:17a   Daniel Nashed
If you are attending IBM ConnectED in Orlando and you are interested in Linux you should attend the Linuxfest Session. Thanks to Bill Malchisky we made it again into the agenda! I am looking forward to this session and will bring the brand new Start Script Version 3.1.0 with many enhancements. Here is a copy of Bill's original post. Looking forward to this session. -- Daniel Linuxfest VII Gets a Slot at IBM Connect 2016 Bill Malchisky January 28 2016 02:00:00 AM Linuxfest VII -
9
Traveler 9.0.1.9 shipped
Sat, Jan 16th 2016 8:23a   Daniel Nashed
Traveler 9.0.1.9 is the first update shipped this year. It comes with a number of fixes. See details here --> http://www.ibm.com/support/docview.wss?uid=swg21700212#9019 And it solves an important issue for Traveler HA Servers. There is a technote describing the issue in detail and you should have a look into the new command introduced in this version as soon as you have updated your servers. The following TN #1974741 "Two scenarios where multiple accounts for users could be created on
21
TLS 1.2 Connection Issues with mail.protection.outlook.COM
Thu, Jan 7th 2016 6:57a   Daniel Nashed
Two of my customers had issues connecting to the Microsoft hosted environment over TLS 1.2 once we got the session resumption working (see previous blog posts). My environment had the same configuration and could connect just fine. It looks like the servers are behaving differently with different certificates. That's the only difference we saw in configuration. After a couple of tests and working with IBM support we got a hotfix that we successfully tested yesterday. I know of 3 custom
9
STARTTLS Outbound Sessions might fail with TLS 1.0 used and TLS 1.2 Ciphers
Tue, Dec 15th 2015 2:18p   Daniel Nashed
We have been running into some issues and I got multiple customers reporting that outgoing STARTTLS did not work in some cases especially for some German providers like web.de and gmx.net. The error you see when enabling debugging is
SSLEncodeClientHello> We offered SSL/TLS version TLS1.0 (0x0301)
FindCipherSpec> Cipher spec DHE_RSA_WITH_AES_256_CBC_SHA256 (107) is not supported with TLS1.0
It turned out that session resumption in combination with the newly introduced TLS 1.2 causes
11
Symantec Backup Exec End of Life
Sat, Dec 5th 2015 9:19a   Daniel Nashed
I have been helping a customer who had issues with Backup Exec for Domino. They got issues with their backups. The error message pointed to issues with their tapes. But it turned out it had to do with the DAOS integration which is not fully working with Domino 9.0.1. The error they got pointed to issues with the backup media: Final Error Code: e00084ca HEX (0xe00084ca HEX) or a00084cd HEX (0xa00084cd HEX) Final Error Description: The data being read from the media is inconsistent. Final
4
Domino 9.0.1 FP5 Security Fixes and Functionality
Fri, Dec 4th 2015 8:14p   Daniel Nashed
This week Domino 9.0.1 FP5 has been released. The client fixpack seems to have issues. I have seen a Support Flash alert and a couple of customers/partners contacted me with problems. On the client side I would wait until those problems have been resolved. But on the server side you should look into implementing FP5 soon. I have deployed it on my production server and I have now also incoming and outgoing "STARTTLS" enabled with additional logging via my SpamGeek application. In addit
12
Add-On Tool for Domino Restore
Mon, Nov 30th 2015 10:58a   Daniel Nashed
Most backup solutions are still not really flexible when it comes to restore operations. I am currently involved in some backup projects and built a tool that can be used on top of a Domino aware backup solution. Some software can disable replication when restoring a NSF file. Other applications can change the replica when restoring a database. But I have not seen an application that can do both at the same time. And there are also other operations that could make sense. I would wish back
7
Cluster Failover on W2008 and higher - disable Port Stealth Mode
Sat, Nov 21st 2015 3:34a   Daniel Nashed
I should have blogged about this earlier. It was in my 2013 IBM Connected presentation but besides the TN and my presentation there is not much information. If you are using Domino clustering on Win2008 or higher you should really disable the port Stealth mode! This week I ran into a customer crash situation with repeated crashes which took a while to fix. The failover on their Win2012 R2 servers was painfully slow. In Win2008 Microsoft introduced a feature called the Port Stealth mode.
12
DNUG Domino Day in Düsseldorf
Wed, Nov 18th 2015 12:32p   Daniel Nashed
Last call! In case you did not know yet. There is a new type of event organized by DNUG next Tuesday. I am very interested to see how the feedback to this new event type is. The event is free for DNUG members and in case you are not a member there is a small fee. Also the way to get enroll is different. The DNUG board to make it easier and tries different ways to organise the event. I am looking forward to the event and I hope to see many of you next week! The sessions are all
4
Traveler 9.0.1.8 Fixes and DBMaint Command
Wed, Oct 7th 2015 5:36p   Daniel Nashed
A new Traveler Version has been released today. There are a couple of important fixes and you should consider updating soon. Below you find a fix list. There is also a new Traveler command mainly for enterprise database management called DBMaint. Here is a link to the updated documentation section --> http://www.ibm.com/support/knowledgecenter/SSYRPW_9.0.1/IBMTravelerDatabaseMaintenance.html Because it is brand new I have to check how it works in detail and there is a planned O
3
test
Wed, Oct 7th 2015 5:36p   Daniel Nashed
APAR # / Abstract
LO85584 Explicit commit is not needed for database select statements.
LO86339 Warning may be displayed for redirect to SSL setting that is not in effect.
LO86341 Add covering index to improve performance of update queries.
LO86366 User may stop syncing after migration to HA environment AND change mail template.
LO86445 Traveler syncs attachments in very small chunks causing mail delays and possible server crash.
LO86448 Enable Calendar ghosting for ActiveSync devices when r
3
Higher Crypt-Standards with Notes/Domino and updated JVM 1.6
Fri, Oct 2nd 2015 3:46p   Daniel Nashed
There is a brand new TN describing how to enable higher security for the updated JVM 1.6 in Notes/Domino. --> http://www.ibm.com/support/docview.wss?uid=swg21967996 The IBM 1.6 JVM does support TLS 1.2 and also some modern ciphers. Sadly by default they cannot be used because they use higher encryption levels (AES 256) which are disabled by default in the IBM and even in the current Oracle JVM 1.8. The TN describes a download for something that is called "Java Cryptography Ext
7
OSX 10.11 El Capitan does not only support ECDHE Ciphers
Thu, Oct 1st 2015 6:21a   Daniel Nashed
After updating to OSX 10.11 I did a quick test. It wasn't sure if Apple would only support ECDHE and implement their new standard ATS. The first tests show that the current ciphers are there but Apple does even support quite simple ciphers like RSA_WITH_RC4_128_SHA / MD5 as a fall back. But you never know if this is going away in one of the next updates. Here is a trace against a Domino 9.0.1 FP4 IF2 server. You can see all supported common ciphers and I highlighted the most
9
IBM Notes V9.0.1 Mac 64 Bit English (CN6VDEN )
Tue, Sep 29th 2015 10:03a   Daniel Nashed
Wow the Mac 64bit Client has been released today! If you are looking for it, the description and the part number might help. Already downloaded from Partnerworld. I hope you also find it in Passport Downloads already. IBM Notes V9.0.1 Mac 64 Bit English (CN6VDEN ). And here is the technote -> http://www.ibm.com/support/docview.wss?uid=swg21962311 Have fun! Daniel
7
Domino 9.0.1 FP4 IF2 Security Update
Sat, Sep 26th 2015 4:38a   Daniel Nashed
After updating to the new IF which introduces ECDHE with some additional settings you can get to an "A+" SSL Labs rating. When you install IF2 by default you get a good set of ciphers. In the previous sets of fixes DHE was disabled by default. Now you have DHE and also ECDHE enabled by default. There is not much in addition to that you have to do. Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites at the end) TLS_ECDHE_RSA_WITH_AES_256_G
4
Domino 9.0.1 FP4 IF2 shipped with ECDHE support
Fri, Sep 25th 2015 10:35a   Daniel Nashed
Domino 9.0.1 Fix Pack 4 Interim Fix 2 shipped. It contains some important fixes in the security area. First of all it corrects some bugs in the DHE and AES-GCM area. And also fixes in MIME conversion especially important for Traveler servers. But it also introduces ECDHE ciphers! Again the Domino security team did a great job implementing important new functionality in an Interim Fix. As posted before Apple iOS 9 which shipped last week requires ECDHE at least for custom applicat
6
IBM Champion Nomination
Thu, Sep 17th 2015 7:41a   Daniel Nashed
The IBM Champion program is a great way to thank active members of the community. "The IBM Champion program recognizes innovative thought leaders in the technical community — and rewards these contributors by amplifying their voice and increasing their sphere of influence. An IBM Champion is an IT professional, business leader, developer, or educator who influences and mentors others to help them make best use of IBM software, solutions, and services." So if there is someone you th
4
iOS 9 Released and Traveler continues to work without ECDHE
Wed, Sep 16th 2015 3:00p   Daniel Nashed
Yesterday Apple released the final version of iOS 9. As posted before it wasn't sure which part of the ATS specification they will enforce for ActiveSync connections and other internal applications like the Safari web browser. My tests have shown that Apple is not enforcing the requirement for ECDHE and not even TLS 1.2 for ActiveSync connections yet. I have been still able to connect with the final iOS 9 release. So the ATS standard is just enforced for custom applications (I did not tes
5
IBM Traveler 9.0.1.7 shipped with iOS 9 support
Mon, Sep 7th 2015 8:46a   Daniel Nashed
Traveler 9.0.1.7 shipped while I was away for holidays. I have updated my server already over the weekend and it looks good. I have also not heard anything negative from any customer yet. This release does not only add support for iOS 9 but also Windows 10 Pro on tablet devices and the latest MS SQL Server. - Support for Windows 10 Pro running on tablet devices. - Support for Apple iOS 9.x running on all Apple devices. - Support for Microsoft SQL Server 2014 Enterprise Edition. Here




Created and Maintained by Yancy Lent - About - Planet Lotus Blog - Advertising - Mobile Edition