SOLUTION - Domino Directory Assistance to Active Directory when using SSL DOES NOT break with 9.0.1 FP4
Darren Duke    

In my last post I made a mistake. I made the mistake of believing that R9 changed something for the better that it apparently does not, and that when the product gets updated, so do the tools. My bad. Basically I'm a moron.

First the good news, Domino 9.0.1 FP4 does work with Active Directory 2012 with TLS1.2. Woohoo.

I was under the impression that you could now cross certify an internet certificate into the Domino Directory and it would now be trusted. I could have sworn I read this somewhere, but for the life of me I can't find it. See, previously you'd have to add the Active Directory's root certificate (in this case the Windows CA certificate) directly into your Domino key file using the certsrv.nsf application. But SHA2 Domino certificates make that approach irrelevant.

With the advent of SHA2 for Domino and my misplaced belief (at least for LDAP, other protocols may work this way for all I know) that the cross certificate would allow the LDAPS connection to work, I was actually looking in the wrong place.

This snippet from the original post was actually correct, but my actions were not:

[Image: SOLUTION - Domino Directory Assistance to Active Directory when using SSL DOES NOT break with 9.0.1 FP4]

It seems you still do need the AD root CA in your Domino key file; whether you need to actually cross-certify is debatable (for the record I left the cross-certificate in the Domino Directory).
Doh on my part for not actually trying this out earlier. Now you can't do this with certsrv.nsf, so I gambled on this and added the AD CA directly to the SHA2 Domino SSL key file. Here is how I did that:

1. Export your Windows CA root public certificate

2. Convert your CA public certificate into PEM format (either using OpenSSL or this site https://www.sslshopper.com/ssl-converter.html)

3. Using the kyrtool.exe application, import the PEM CA public certificate into your Domino SSL key file like this (Windows path separators were lost in extraction and are restored here):

kyrtool ="e:\Program Files\IBM\Domino\notes.ini" import roots -i c:\ca_forWin.crt -k f:\Domino\data\keyring_sha2_wildcard.kyr


4. Ensure your new CA certificate is in the key ring:

kyrtool ="e:\Program Files\IBM\Domino\notes.ini" show roots -k f:\Domino\data\keyring_sha2_wildcard.kyr


which should give something like this:

Using keyring path 'f:\Domino\data\keyring_sha2_wildcard.kyr'

Trust Anchors:

Anchor 0 (name)
CN=blah-CA-PW-CA/DC=blah/DC=local

Anchor 0 (cert)
Subject:        CN=blah-CA-PW-CA/DC=blah/DC=local
Issuer:         CN=blah-CA-PW-CA/DC=blah/DC=local
Not Before:     04/13/2015 11:13:00 AM
Not After:      04/13/2035 11:23:00 AM
Key length:     2048 bits
Signature Alg:  sha256WithRSAEncryption


5. Add the new Domino key file to the server and voila, no more errors when Domino tries to make a TLS1.2 LDAPS connection to AD using SSL.

Here is the actual log on the server showing the connection is indeed TLS1.2:

[1178:000B-0F58] 07/15/2015 06:10:11.36 PM SSL_Handshake> Protocol Version = TLS1.2 (0x303)
[1178:000B-0F58] 07/15/2015 06:10:11.36 PM SSL_Handshake> KeySize 256 bits
[1178:000B-0F58] 07/15/2015 06:10:11.36 PM SSL_Handshake> Current Cipher = 0x009F (DHE_RSA_WITH_AES_256_GCM_SHA384)
[1178:000B-0F58] 07/15/2015 06:10:11.36 PM SSL_Handshake> SSLErr = 0
[1178:000B-0F58] 07/15/2015 06:10:11.36 PM SSL_Handshake> TLS/SSL Handshake completed successfully
[1178:000B-0F58] 07/15/2015 06:10:11.36 PM SSL_Handshake> Exit Status = 0


Here is the mea culpa: I was only testing with the LDAPSearch utility, and it was only yesterday when the server change window kicked in (thanks Windows Update!...never thought I'd say that. Ever.) that I was able to test the earlier findings in production. But that failed. WTF? LDAPSearch works, Domino fails....that's what sent me back to the drawing board, and I actually figured out the root cause (no pun intended) was a missing certificate in the key ring file.

So lesson of the day: an error is an error, but the error message is not necessarily the error message. And even though the product may get updates, don't necessarily think that the tools get updated as well. In fact, even after the solution I found and implemented, LDAPSearch still fails even though DA using TLS1.2 actually does work.

DA working:

[Image: SOLUTION - Domino Directory Assistance to Active Directory when using SSL DOES NOT break with 9.0.1 FP4]

LDAPSearch breaking:

[0D70:0002-16CC] 07/15/2015 06:08:21.78 PM SSL_Handshake> Enter
[0D70:0002-16CC] 07/15/2015 06:08:21.78 PM SSL_Handshake> Current Cipher 0x0000 (Unknown Cipher)
[0D70:0002-16CC] 07/15/2015 06:08:21.78 PM SSL_Handshake> outgoing ->protocolVersion: 0303
[0D70:0002-16CC] 07/15/2015 06:08:21.78 PM SSLEncodeClientHello> We offered SSL/TLS version TLS1.2 (0x0303)

... snip ...

[0D70:0002-16CC] 07/15/2015 06:08:21.80 PM S_Write> Switching Endpoint to sync
[0D70:0002-16CC] 07/15/2015 06:08:21.80 PM S_Write> Posting a nti_snd for 7 bytes
[0D70:0002-16CC] 07/15/2015 06:08:21.81 PM SSL_EncryptData> SSL not init exit
[0D70:0002-16CC] 07/15/2015 06:08:21.81 PM S_Write> Switching Endpoint to async
[0D70:0002-16CC] 07/15/2015 06:08:21.81 PM SSL_EncryptDataCleanup> SSL not init exit
[0D70:0002-16CC] 07/15/2015 06:08:21.81 PM S_Write> nti_done return 0 bytes rc = 9
[0D70:0002-16CC] 07/15/2015 06:08:21.81 PM S_Write> nti_done return 0 bytes rc = 9 Event = 0x100
[0D70:0002-16CC] 07/15/2015 06:08:21.81 PM SSL_Handshake> After handshake2 state 2
[0D70:0002-16CC] 07/15/2015 06:08:21.81 PM SSL_Handshake> SSL Error: -6989
[0D70:0002-16CC] 07/15/2015 06:08:21.81 PM int_MapSSLError> Mapping SSL error -6989 to 4165 [SSLConnectionClosedError ]


ldap_bind_s( dn=cn=fppw ldap,cn=users,dc=blah,dc=local, pw=password, method=128 ) failed, error
: Not an LDAP errno 7289


SSL invalid certificate, may need to cross-certify.
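The two handshake traces above make the point that the mapped error (4165, SSLConnectionClosedError) says nothing about the missing trust anchor. As an added example, not from the original post, here is a small parser that groups DEBUG_SSL_HANDSHAKE-style lines by Domino task id and pulls out what each handshake offered, negotiated and failed with, so failed handshakes can be picked out of a busy console log before anyone reads the error text. The sample log is constructed from trimmed copies of the lines shown on this page; the line layout it assumes is the one visible there.

```python
import re
from typing import Dict, List

# Constructed sample, trimmed from the handshake lines shown on this page:
# one successful TLS 1.2 handshake (task 1178:000B-0F58) and one failing one (0D70:0002-16CC).
SAMPLE_LOG = """\
[1178:000B-0F58] 07/15/2015 06:10:11.36 PM SSL_Handshake> Protocol Version = TLS1.2 (0x303)
[1178:000B-0F58] 07/15/2015 06:10:11.36 PM SSL_Handshake> Current Cipher = 0x009F (DHE_RSA_WITH_AES_256_GCM_SHA384)
[1178:000B-0F58] 07/15/2015 06:10:11.36 PM SSL_Handshake> SSLErr = 0
[1178:000B-0F58] 07/15/2015 06:10:11.36 PM SSL_Handshake> TLS/SSL Handshake completed successfully
[0D70:0002-16CC] 07/15/2015 06:08:21.78 PM SSL_Handshake> Current Cipher 0x0000 (Unknown Cipher)
[0D70:0002-16CC] 07/15/2015 06:08:21.78 PM SSLEncodeClientHello> We offered SSL/TLS version TLS1.2 (0x0303)
[0D70:0002-16CC] 07/15/2015 06:08:21.81 PM SSL_Handshake> SSL Error: -6989
[0D70:0002-16CC] 07/15/2015 06:08:21.81 PM int_MapSSLError> Mapping SSL error -6989 to 4165 [SSLConnectionClosedError ]
"""

# Every line starts with a [task-id] prefix; grouping on it keeps concurrent handshakes apart.
LINE_RE = re.compile(r"^\[(?P<task>[0-9A-Fa-f:-]+)\] .*? (?P<func>\w+)> (?P<msg>.*)$")
PATTERNS = {
    "offered": re.compile(r"We offered SSL/TLS version (\S+)"),
    "protocol": re.compile(r"Protocol Version = (\S+)"),
    "cipher": re.compile(r"Current Cipher =? ?(0x[0-9A-Fa-f]{4}) \((.+?)\)"),  # "=" is absent on failure
    "ssl_err": re.compile(r"SSL(?:Err =|\s+Error:) (-?\d+)"),                  # "SSLErr = 0" or "SSL Error: -6989"
    "mapped": re.compile(r"Mapping SSL error -?\d+ to (\d+) \[(\w+)"),
}


def summarize_handshakes(log_text: str) -> Dict[str, dict]:
    """Group handshake lines by task id and extract what each handshake negotiated or failed with."""
    summary: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Domino console line (e.g. a "... snip ..." marker)
        rec = summary.setdefault(m["task"], {"completed": False, "ssl_error": None, "mapped_error": None})
        msg = m["msg"]
        if "Handshake completed successfully" in msg:
            rec["completed"] = True
        for key in ("offered", "protocol"):
            hit = PATTERNS[key].search(msg)
            if hit:
                rec[key] = hit.group(1)
        hit = PATTERNS["cipher"].search(msg)
        if hit:
            rec["cipher_code"], rec["cipher"] = hit.group(1), hit.group(2)
        hit = PATTERNS["ssl_err"].search(msg)
        if hit and int(hit.group(1)) != 0:  # SSLErr = 0 is the success case, not an error
            rec["ssl_error"] = int(hit.group(1))
        hit = PATTERNS["mapped"].search(msg)
        if hit:
            rec["mapped_error"] = (int(hit.group(1)), hit.group(2))
    return summary


def failed_handshakes(log_text: str) -> List[str]:
    """Task ids whose handshake never completed: the ones whose trust anchors are worth checking."""
    return [task for task, rec in summarize_handshakes(log_text).items() if not rec["completed"]]
```

A handshake that offers TLS1.2, never reports a negotiated Protocol Version and ends in a mapped SSLConnectionClosedError is the shape this post's missing-root-CA failure takes, which is what to look for before trusting the "may need to cross-certify" hint.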


Something else that just occurred to me while writing this, that someone may be able to shed some light on: maybe the AD CA root cross-certificate in the Domino Directory only works when you have a Domino CA enabled. At some point I need to test the theory.....again I swear I read this somewhere.....*grumble*

---------------------
http://blog.darrenduke.net/Darren/DDBZ.nsf/dx/solution-domino-directory-assistance-to-active-directory-when-using-ssl-does-not-break-with-9.0.1-fp4.htm
Jul 16, 2015