1. IBM is making changes to security requirements for its mobile apps like IBM Verse and IBM Traveler apps, requiring HTTPS/TLS connections and valid certificates by March.
2. These changes are being made to protect against cyber attacks and data vulnerabilities over unencrypted connections, in line with requirements from mobile OS vendors.
3. Administrators need to ensure their environments meet the new requirements like having valid SHA-2 certificates on servers, migrating devices configured over HTTP, and negotiating TLS 1.2.
2. Ask the Experts Team
Ranjit Rai - IBM ICS SWAT
Focusing on entire Notes/Domino
Narendra Nesarikar – IBM ICS Support Facilitator for Open Mics
IBM Collaboration Solutions
2
Shrikant Ahire - IBM L2 Support
Manish Jha - IBM L2 Support
3. Agenda
Upcoming Security changes with IBM Traveler
Importance of these restrictions
Making your environment ready for these changes
Key changes and challenges
References
Q & A
4. Upcoming Security changes with IBM Traveler
Minimum HTTPS / TLS connection and certificate security requirements for IBM Verse for iOS, IBM Verse for Android, IBM Traveler Companion and IBM Traveler To Do mobile apps.
Mobile devices configured over HTTP will not be able to sync emails
You must ensure that your IBM Verse Mobile and Traveler connections are secure and compliant with these requirements, tentatively by mid-March
Devices running Android prior to version 4.1 do not support TLS 1.2, so they can no longer be supported.
5. Importance of these restrictions
• Cyber attacks are increasing, always searching for vulnerabilities to expose your private data
• Data transmitted and received over the internet over unencrypted or weakly encrypted connections is extremely vulnerable to compromise
• IBM does regular application scanning of our mobile apps, penetration testing of our Traveler server code and Ethical Hacking testing of our product
• Strongly encrypted connections using valid certificates are required to ensure security for data traveling over the Internet
• Mobile OS vendors are removing support for vulnerable ciphers and protocols
• Apple is requiring ATS for all public app store app submissions in 2017. Android recently removed the RC4 cipher when Android 7 was released
• IBM will be modifying our mobile apps in the future to require a secure connection that meets these minimum security requirements
6. What is the context of the ‘connection’ here?
• Communications link between the mobile app and the TLS session endpoint
• TLS session endpoint may be the Traveler server if connecting directly
• Very often it is an edge proxy (reverse proxy)
– IBM Mobile Connect
– F5
– Citrix NetScaler
– MobileIron Sentry
– Many others
7. Making your environment ready for these changes
• Mobile apps must connect over HTTPS and not unencrypted HTTP
• Server certificate cannot be expired or invalid
• Server certificate Common Name (CN) or Subject Alternative Name (SAN) list must contain the hostname which the mobile app is using to connect
• Negotiated Transport Layer Security version must be TLS 1.2
– Domino hosting Traveler should be on version 9.0.1 FP5 or higher
• Server certificate must be trusted
• TLS cipher suite must support forward secrecy (see article for list)
• Server leaf certificate must be signed with RSA 2048 bit or ECC 256 bit key (or higher)
• Server leaf certificate hashing algorithm must be SHA256 (or higher)
8. Key changes and challenges
• Setting up SHA 2 certificate on server if already not deployed
• External URL needs to be reconfigured to use HTTPS if not already set
• Migrating existing devices configured with HTTP URL
• Android devices configured with HTTP using hostname can be forced to use HTTPS without user intervention. Refer to the document below
URL : http://www-01.ibm.com/support/docview.wss?uid=swg21993951&myns=swglotus&mynp=OCSSYRPW&mync=E&cm_sp=swglotus-_-OCSSYRPW-_-E
9. How do I check my environment?
• Most browsers provide a mechanism to examine your certificate
• Connect your browser to the Traveler URL and check the certificate section to verify your certificate
• You can use any SSL certificate checker such as Qualys SSL Labs to verify that the certificate is valid for Apple ATS connections
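The slide above points you at a browser or an online checker. As an added example (not from this deck or from IBM's tooling), the following Python script uses only the standard library to connect the way the mobile app would and evaluate the requirements from slide 7 that a client can observe: negotiated TLS version, a forward-secrecy cipher suite, certificate expiry and hostname coverage by SAN or CN. The hostname traveler.example.com, the sample certificate dictionary and the probe() helper are constructed for illustration; Python's ssl module does not expose the key size or signature hash, so those two checks still belong to the browser or SSL Labs.

```python
import socket, ssl, time

# Forward-secrecy key exchanges in OpenSSL cipher names; every TLS 1.3 suite is forward secret.
FS_PREFIXES = ("ECDHE-", "DHE-")

def _names_from_cert(cert):
    """DNS names the certificate is valid for: SAN entries first, then the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names += [value for key, value in rdn if key == "commonName"]
    return names

def _matches(name, hostname):
    """Exact match, or a single-label wildcard such as *.example.com."""
    if name.startswith("*."):
        return hostname.count(".") == name.count(".") and hostname.endswith(name[1:])
    return name.lower() == hostname.lower()

def check_connection(hostname, tls_version, cipher_name, cert, now=None):
    """Return the unmet Traveler app requirements (an empty list means compliant)."""
    now = time.time() if now is None else now
    problems = []
    if tls_version not in ("TLSv1.2", "TLSv1.3"):
        problems.append(f"negotiated {tls_version}; TLS 1.2 is required")
    if tls_version != "TLSv1.3" and not cipher_name.startswith(FS_PREFIXES):
        problems.append(f"cipher {cipher_name} does not provide forward secrecy")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append(f"certificate expired on {cert['notAfter']}")
    if not any(_matches(n, hostname) for n in _names_from_cert(cert)):
        problems.append(f"neither SAN nor CN covers {hostname}")
    return problems

def probe(hostname, port=443):
    """Connect the way the mobile app does (system trust store, hostname verified)."""
    ctx = ssl.create_default_context()  # rejects untrusted/expired certs and name mismatches
    try:
        with socket.create_connection((hostname, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cipher_name = tls.cipher()[0]
                return check_connection(hostname, tls.version(), cipher_name, tls.getpeercert())
    except OSError as exc:  # ssl.SSLError is an OSError, so TLS and socket failures both land here
        return [f"handshake failed: {exc}"]

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "traveler.example.com"),),),
    "subjectAltName": (("DNS", "traveler.example.com"), ("DNS", "*.mobile.example.com")),
    "notAfter": "Mar 15 12:00:00 2018 GMT",
}
```

Run probe("traveler.example.com") against your own edge proxy or Traveler host; a non-empty list is the set of items to fix before the app cut-off.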
10. References
Securing connections for IBM Traveler mobile applications
https://www-01.ibm.com/support/docview.wss?uid=swg21989980
Download Options for Notes & Domino 9.0.1 Fix Packs
http://www-01.ibm.com/support/docview.wss?uid=swg24037141
How to set up SSL using a third-party Certificate Authority (CA)
http://www-01.ibm.com/support/docview.wss?uid=swg21268695
Generating a keyring file with a third party CA SHA-2 cert using OpenSSL and KYRTool on a Windows workstation
https://www-10.lotus.com/ldd/dominowiki.nsf/dx/3rd_Party_SHA-2_with_OpenSSL_and_kyrtool?open
Android devices configured with HTTP using hostname can be forced to use HTTPS without user intervention
http://www-01.ibm.com/support/docview.wss?uid=swg21993951&myns=swglotus&mynp=OCSSYRPW&mync=E&cm_sp=swglotus-_-OCSSYRPW-_-E