 


Daniel Nashed
Blog Title Daniel Nashed’s Blog
Blog Description Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...
Blog URL http://blog.nashcom.de
RSS Feed http://blog.nashcom.de/nashcomblog.nsf/feed.rss
Feed Last Checked Jul 22, 2015 6:30:12 AM EST. Realtime Update:
Location Germany


Recent Blog Posts
13
Apple App Transport Security
Wed, Jul 22nd 2015 6:50a   Daniel Nashed
Apple is introducing a new standard for their next OS versions. App Transport Security (ATS) is planned for iOS 9 and OS X 10.11. The current plan is to only support TLS 1.2, >= 2048 bit RSA, SHA-256 signed web server certificates, ECDHE!! TLS 1.2 is a good idea, 2048 RSA keys are a good idea and SHA-256 is also a good idea because SHA-1 is rated as insecure. The general requirement for PFS ciphers (https://en.wikipedia.org/wiki/Forward_secrecy) is a good idea from security point
12
Crash on iNotes when applying IF1 or the new 9.0.1 FP4 version
Mon, Jul 20th 2015 12:05a   Daniel Nashed
One of my customers and another partner reported a new crash when applying 9.0.1 FP4 IF1. They both reported the exact same call-stack both running on Linux. I have no details yet but given the fact that there are two independent crash reports with the same call-stack this might be a more general issue. I am waiting for more information and will update you ASAP once I hear anything new. For now I would stay on the last IF of FP3 until we know what is happening. Enclosed you find the cal
21
Crash after applying 9.0.1 FP4
Tue, Jul 7th 2015 1:33a   Daniel Nashed
I am working with IBM support since I installed FP4 directly after it shipped. After installing FP4 I got a crash on startup. I first thought this is special to my environment and IBM support was blaming my unsupported CentOS 6.5 environment. But it turned out that there was already a SPR # LKIM9UPQBL which has been already escalated to development. So it sounded like a more general issue that can happen in some configurations. The bug has been reproduced on one of my customers with SLES
13
IBM Notes Traveler 9.0.1.6 released with some important fixes
Wed, Jul 1st 2015 7:33p   Daniel Nashed
IBM Traveler 9.0.1.6 ships a couple of important APAR fixes for the IBM Traveler. Some of the fixes solve problems in MIME & attachment handling which have been introduced in the last releases when the new MIME handling has been introduced. Fixlist: APAR # Component Abstract LO84879 Server Calendar notice may be sent multiple times or be sent by the server ID. LO85144 Server E-mail containing invalid zero character in WBXML encoding ma
10
IBM Verse Client for iOS shipped
Thu, Apr 30th 2015 3:24a   Daniel Nashed
Finally the IBM Verse App for iOS is released https://itunes.apple.com/de/app/ibm-verse/id949952976 You can either use it to access the IBM Connections Cloud or Traveler On-Premise environments. Currently you can only use one account against either On-Premise or the cloud. Take care that the first Traveler release supporting the client is 9.0.1.3 but you should install the latest 9.0.1.4 version. The Verse client is a container app. You can still continue to use ActiveSync w
13
Traveler 9.0.1.4 shipped
Wed, Apr 29th 2015 5:42a   Daniel Nashed
IBM has released the Traveler 9.0.1.4 which fixes the reported crash issue with MIME conversions mentioned earlier --> http://www.ibm.com/support/docview.wss?uid=swg1LO84505 If you are on 9.0.1.3 you should update asap. There are a couple of other important fixes included -- see below. Already installed, thanks Sebastian for the heads up! -- Daniel Release Date Component Build Level Documentation April 29, 2015 Server 9.0.1.4 201504201605_20 IBM Traveler 9.0.1.4 Releas
8
Traveler 9.0.1.3 server crashes when attempting to sync a MIME-formatted document missing a RFC822 header
Mon, Apr 13th 2015 3:05a   Daniel Nashed
You might want to wait updating your Traveler Server to 9.0.1.3 because of a MIME related bug that can cause crashes. IBM now released a technote with official information about the issue --> www.ibm.com/support/docview.wss?uid=swg21701590. If you already updated and have abnormal process terminations in the Traveler servertask you should not try to downgrade but instead request a fix from IBM (going back to an earlier version would cause a complete resync of all devices). IBM is worki
2
New Start Script Version 3.0 with systemd support released
Tue, Apr 7th 2015 4:12a   Daniel Nashed
There is a new version of the start script for Domino on Linux (also AIX and Solaris) that supports RHEL 7 and SLES 12 which are both now using systemd instead of the older init scripts. When you are migrating to one of those platforms you have to switch to the new start script and also use systemd to start/stop your Domino server. Also for the new versions of Linux the start script remains the main entry point for all your operations with the server. But for start and stop you will need
7
DHA with more than 1024 key size and Java still works
Mon, Apr 6th 2015 5:58p   Daniel Nashed
As posted before Java 6 and 7 cannot handle DHE key sizes above 1024 bit. The work-around was to limit the DHE key size via notes.ini parameter SSL_DH_KEYSIZE=1024. But this reduced the key size for all other clients that used DHE as well. There is another idea how to work around this limitation. Java does only support the following DHE cipher: 33 - DHE_RSA_WITH_AES_128_CBC_SHA This is the weakest DHE cipher supported by Domino. If we disable this cipher, Java will not use DHE any
9
New Version of KyrTool released
Fri, Apr 3rd 2015 3:38a   Daniel Nashed
There is a newer version of the key ring tool that has been released on fix-central. Here is the list of fixes for the newer version. You should also update your client and server to the latest available IF because there are also fixes in the back-end for some issues parsing certificates. By the way ... I really like the command line kyrtool. A couple of days ago a customer asked me for some maintenance of their existing key ring files. Their CA expired and we had to remove the root CA f
16
Solution for jconsole SSLv3 vs TLS interoperability issue in Domino 9.0.1 FP3
Fri, Apr 3rd 2015 2:15a   Daniel Nashed
As posted before there is a compatibility for the jconsole / Java server controller introduced in 9.0.1 FP3. IBM shipped a newer JVM in 9.0.1 FP3 with SSLv3 disabled. Previous versions used SSLv3 only even the JVM would have supported TLS 1.0. So once you update your server but not your client you cannot access your server over the server controller. If you update your server but not your client you are running in the same issue the other way round. The only solution was to have two sepa
14
Traveler 9.0.1.3 Available - Verse iOS - Trash folder sync - Invitee status - Android push notifications
Thu, Apr 2nd 2015 4:22a   Daniel Nashed
Traveler 9.0.1.3 has shipped with a couple of interesting new features. And the what's new section does give you some interesting other hints. I have copied the what's new information to this document but want to give you some additional hints. We had many customer asking for Trash folder sync support. It was already included in a previous version but disabled by default -- apparently because they needed to do some more testing. Now it is enabled by default. The Google Cloud Messaging
8
engage conference security presentation
Wed, Apr 1st 2015 7:24a   Daniel Nashed
Yesterday at engage conference in Ghent (http://www.engage.ug/) I gave an updated presentation based on the ConnectED 2015 presentation. I added most of the new notes.ini parameter and also information how to enable those new ciphers and rewrote/reordered a bunch of slides and added more information after the latest IF has been shipped. During the conference I got the question what I would recommend. Here is what I would recommend for the latest fix -- which is sort of a short summary of
2
engage conference security presentation
Wed, Apr 1st 2015 6:24a   Daniel Nashed
Yesterday at engage conference in Ghent I gave an updated presentation based on the ConnectED 2015 presentation. I added most of the new notes.ini parameter and also information how to enable those new ciphers and rewrote/reordered a bunch of slides and added more information after the latest IF has been shipped. During the conference I got the question what I would recommend. Here is what I would recommend for the latest fix -- which is sort of a short summary of the presentation. By
4
First Perfect Forward Secrecy Ciphers shipped with 9.0.1 FP2 IF2
Mon, Mar 30th 2015 8:14a   Daniel Nashed
As posted before IBM shipped a new IF that introduces TLS 1.2. Along with this new version a set of ciphers have been added. Some of them are enabled by default and other can be enabled using notes.ini settings. Other ciphers that are regarded as "weak" have been removed from the default cipher list. So by default without any additional settings you get the ciphers that IBM currently recommends. What has been added to the default are the AEAD (AES-GCM) ciphers -- see details below. The
9
First Perfect Forward Secrecy Ciphers shipped with 9.0.1 FP3 IF2
Mon, Mar 30th 2015 7:14a   Daniel Nashed
As posted before IBM shipped a new IF (9.0.1 FP3 IF2/IF3) that introduces TLS 1.2. Along with this new version a set of ciphers have been added. Some of them are enabled by default and other can be enabled using notes.ini settings. Other ciphers that are regarded as "weak" have been removed from the default cipher list. So by default without any additional settings you get the ciphers that IBM currently recommends. What has been added to the default are the AEAD (AES-GCM) ciphers -- s
16
Domino 9.0.1 FP3 IF3 is about to ship
Sun, Mar 29th 2015 7:33a   Daniel Nashed
Domino 9.0.1 FP3 IF3 is about to ship. There is IF2 with a release date of 27.3.2015 which only includes the fix for the PNG vulnerability that recently came up. 9.0.1 Fix Pack 3 Interim Fix 2 SPR #PSIH9SSAHC / http://www.ibm.com/support/docview.wss?uid=swg21698994 -- PNG Vulnerability -- libpng is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the png_combine_row function when decompressing the IDAT_data. A remote attacker could exploit this vul
4
Find us at Engage Conference next Week
Thu, Mar 26th 2015 7:32a   Daniel Nashed
Next week many of us are travelling to Engage conference in Ghent. I am already looking forward to an interesting conference and hopefully will see many of you there. My presentation will be an updated version of the IBM Security Best Practices session Dave Kern and me presented at ConnectED conference in Orlando. I will speak about the current status and the new stuff coming in end of Q1 in the area of TLS, SHA-256 and related security topics. And as mentioned before I am working on R
13
Solution for Notes/Domino related process is still running when applying a Fixpack or Hotfix
Wed, Mar 25th 2015 3:53a   Daniel Nashed
The problem came up a couple of times and the solution seems still hard to find even it is listed in Kbase. When you try to install a fixpack or hotfix the installer reports that "Notes/Domino related process is still running" even Domino and NSD Service is stopped. It looks like that when the Notes statistics are registered on OS level the "Windows Management Instrumentation Service" (short WMI Service) keeps Notes DLLs blocked. The workaround is to stop the "Windows Management Ins
4
Fritzbox phone number lookup pre-delivery agent
Mon, Mar 9th 2015 6:03a   Daniel Nashed
There is an e-mail notification option in the Fritzbox which I am using for a while. But I did not find a nice way to sync my IBM Notes contacts to my Fritzbox yet. They offer just a connection to certain German e-mail providers. But since my mailfile contains all contacts, having a pre-delivery agent to do the lookup for an incoming call-notification was my "plan B". I build a view that ensures that the lookup can work against an international number format with +country code + area co
4
Domino Start Script systemd Support
Fri, Mar 6th 2015 7:54a   Daniel Nashed
Domino 9.0.1 FP3 IF1 also supports SLES12. So it is time to finish my work on systemd support which is the new service model used in RHEL7 and SLES12. Enclosed you find the current description of the changes in the start script for systemd support. Some parts really need to change to support the new model. But I am keeping the concept that rc_domino is the main entry point for all your operations. The following is a short description. I am currently writing the documentation for the n
8
SSL V2 HELO can be re-enabled with 9.0.1 FP3 IF1
Wed, Feb 25th 2015 3:45p   Daniel Nashed
As discussed before the security fixes introduced with the addition of TLS 1.0 removed V2 SSL HELO support. This caused issues with applications that still use the V2 SSL HELO for compatibility issues. Specially older OpenSSL Versions did use V2 SSL HELO unless explicitly specifying TLS 1.0. For most applications you can work-around it with updating the OpenSSL version to a current level. But specially when using the SMTP STARTTLS extension we don't control what the connecting server uses
3
SLES 12 support added in 9.0.1 FP3 IF1
Tue, Feb 24th 2015 1:19p   Daniel Nashed
There is a new section that you should note and regularly check: http://www.lotus.com/ldd/fixlist.nsf/WhatsNew/ This section will provide important updates to the fixlist. In this case the support for SLES 12 with 9.0.1 FP3 IF1! WOW! That was a fast response! Normally new major OS versions have to wait at least for a dot release! THANKS!!! As posted before there was a technical issue with restricted ports because bindsock did not work any more because of kernel changes in SLES 12. IBM a
16
Notes/Domino 9.0.1 FP3 - Java Console/Controller Incompatibility
Wed, Feb 18th 2015 5:35a   Daniel Nashed
As discussed before, it's not a good idea to completely disable SSLv3 too soon. Notes/Domino 9.0.1 FP3 ships with a newer JVM version that completely disables SSLv3. The Oracle team disabled SSLV3 by default but the IBM JVM team completely removed SSLv3. The Domino server controller and Server Console are based on Java and use the SSL/TLS stack for communication. Domino before FP3 uses SSLv3 only -- I don't want to start any theories about why ... The newer version with FP3 and highe
7
Planned Domino 9 SLES 12 Support
Thu, Jan 29th 2015 6:25p   Daniel Nashed
The question for SLES 12 has been raised during IBM ConnectED. There is an issue with Domino on SLES 12 and SLES 12 is not currently supported (in contrast with RHEL 7). There is a SPR # YXYX9RA56Z "Error - Unable to Bind port 443 or 80" on SUSE12. I have checked in the Lab and got a similar info than what has been posted before on the web: "There is a known issue with SLES 12 where bindsock has issues. Before we can support SLES 12 and any other newer kernel with this issue, we will
5
ConnectED Session Slides posted BP102: Practical IBM Notes and Domino Internet Security
Tue, Jan 27th 2015 10:45p   Daniel Nashed
Today I had the pleasure to present with Dave Kern about Domino internet security. Now that the presentation is public, I can speak about all the details that we presented. See the slides for all details. We covered what is already available in 9.0.1 FP3 and what is coming after FP3 quite soon. In the session demo we had the SSL Test website showing an A- up to A+ rating depending on the configuration. There is a lot good stuff coming up in a scheduled interims fix. This includes TLS
22
Notes/Domino 9.0.1 FP3 has shipped
Wed, Jan 21st 2015 11:09a   Daniel Nashed
Today Notes/Domino 9.0.1 FP3 has been shipped. Already installed it on my production server. There are new new "SSL/TLS" related fixes in FP3. But there are updates planned after FP3. So updating to FP3 is the base and you should consider an update soon. It's always better to install a FP than a IF which is technically a combo hotfix. There are also a couple of other important fixes in FP3. When you look into the Fixlist you see a couple of database/DAOS related fixes. The FP al
11
Domino TLS POODLE Fix released
Sun, Dec 21st 2014 5:12a   Daniel Nashed
As reported before the IF that introduced TLS 1.0 is vulnerable to the new POODLE issue. IBM released a new IF for all supported versions that fixes this issue. After installing the IF you can re-enable the CBC ciphers which are now reported as not vulnerable by the SSL Labs Test site. In addition to this fix IBM officially introduces a new notes.ini variable to disable SSL V3. DISABLE_SSLV3=1 will disable SSL V3 completely. But as mentioned before you should be completely sure if you wa
4
New-Domino-POODLE-Issue-now-with-TLS
Tue, Dec 9th 2014 11:16p   Daniel Nashed
There is a new exploit that affects TLS! Not all implementations of TLS are affected. But Domino and also some other solutions like the F5 load-balancer are on the list. For more details read --> https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls The problem affects all CBC ciphers. IBM is working on a solution. Meanwhile you can disable the CBC ciphers. Currently there are only two ciphers left. Not really completely what we want but it sounds like IBM
15
iNotes Redirect without Anonymous Access
Fri, Dec 5th 2014 9:15a   Daniel Nashed
When running iNotes you might only want to allow authenticated connections to your Domino Server over HTTP. But on the other side you want to use the iNotes Redirect database which contains some images and other design that should load even the user is not yet authenticated. There is a Wiki article that describes in detail what to do. Thanks to IBM pointing out that parameter! http://www.lotus.com/ldd/dominowiki.nsf/dx/Allowing_Anonymous_Access_to_iNotes_Redirect_images__while_preventing_An
13
Short Description Creating a Domino Keyring File with the new Keyring Tool and a Windows CA using Binary Formats
Tue, Dec 2nd 2014 5:11a   Daniel Nashed
Now that more and more customers are using the new keyring tool we run into interesting constellations. Microsoft uses binary formats instead of the ascii based PEM format that the keyring tool requires. Openssl does not only help you to create the key and the certificates. You can also use it to convert the certificate formats. I have written a short step by step short documentation for my customer including some troubleshooting steps and tricks. To keep it short I have left out the re
22
Traveler 9.0.1 IF7
Fri, Nov 7th 2014 5:15a   Daniel Nashed
Finally Traveler 9.0.1 IF7 is available. I don't see a fixlist yet but I got a fixlist from a customer from the latest hotfix he got. The IF should fix all attachment issues which came up with IF6, includes the latest Android client and should also have an updated certificate for APNS. So now you can install 9.0.1 IF7 in combination with Domino 9.0.1 FP2 IF1 which introduces TLS 1.0 in one go with just one downtime. FixCentral Download Link: http://www.ibm.com/support/fixcentr
20
Some Additional TLS 1.0 Information
Thu, Nov 6th 2014 11:12a   Daniel Nashed
TLS 1.0 and the removal of SSL 3.0 from browsers that triggered the whole discussion is not just something that needs to be addressed on a Domino server. IBM has done a lot of work in quite a short time and now that customers are implementing the fix it shows that also other software is affected. Introducing TLS 1.0 for Domino was the first step from IBM to ensure that clients that only support TLS 1.0 and higher can still connect to the Domino server. For now IBM still has SSL 3.0 enabled
11
Domino TLS 1.0 SHA-2 Support to prevent POODLE has been shipped today
Mon, Nov 3rd 2014 6:16p   Daniel Nashed
As blogged before IBM was already working on addressing the POODLE attack by finally implementing TLS 1.0 for all internet protocols. Today IBM shipped an Interims Fix to introduce TLS 1.0 which is very important because many browsers and other software vendors are about to drop SSL 3.0 support. So you need those fixes to continue to use secure protocols like HTTPS, secure SMTP, LDAP, IMAP, POP3, DIIOP. There are a couple of changes which are described in the following Wiki documents. And
8
TLS and SHA-2 Support and the POODLE Attack
Tue, Oct 21st 2014 12:11p   Daniel Nashed
IBM has officially responded to the POODLE attack and also officially responded to newer crypto standards. Very good news for Domino! IBM will introduce TLS 1.0/1.2 and SHA-2 support for all protocols soon! The current technotes mention a very short timeframe and it looks like we are going to get fixes at least for the current Domino 9.0.1 code stream. Some fixes will be also in the 8.5.x code-stream but some of the improvements like SHA-2 support cannot be back ported. So you should be pr
14
Traveler Issues with Attachments containing special chars after updating to 9.0.1 IF6
Sat, Sep 27th 2014 6:12a   Daniel Nashed
Before leaving for holidays last week the first customer contacted me about issues with attachments that have blanks, umlauts or other characters in the attachment name. I could not reproduce it on iOS but on Android but without the error message in the log that he got. Meanwhile it is clear that this issue affects all devices types and there is a fix that should hopefully address this problem. IBM is working on a new IF to address the issue and also possible other related issues but mean
11
My Top 3 Formula Commands for working in the Notes Client
Thu, Sep 18th 2014 11:16p   Daniel Nashed
All of those commands are not new at all. They are all around for a very long time. But they make my day easier. I am surprised that many still don't know at least the first two. The last one is more a convenience when working with replicas. @Command([AdminRemoteConsole]) Before Release 5 there wasn't an admin client and the admin/designer was integrated into the normal client. The old live console is still in the client and you don't need an admin client -- just the right per
6
Important Update on Traveler iOS 8 Support -- You have to install an IF!
Mon, Sep 15th 2014 3:13p   Daniel Nashed
There are some last minute changes in iOS which are only in the final version. Apple changed the EAS Sync ID which used to match the Device ID. There has been planning for that change for a while but Apple should have introduced that change already in the Beta releases. However this change causes issues in device mapping for the companion/todo app. IBM released an IF for 9.0.1/9.0.0.1/8.5.3 UP2 today to address this issue and added some background logic to map the device ID. There is a A
12
Traveler iOS 8 Support
Wed, Sep 10th 2014 10:12a   Daniel Nashed
iOS is released soon (hopefully 17.9 for existing devices) and I already got some customer questions about it. There is a technote describing the Traveler support for iOS 8. The good news everything should work fine and new app versions for iOS are on their way. Traveler supports iOS 8 with 8.5.3 Upgrade Pack 2 and higher but I would highly recommend that you update to the latest and greatest release 9.0.1 IF5 anyway. Only the latest IFs will recognize iOS 8 correctly because they have



