This document discusses deploying SHA2 certificates and the SSL problem. It begins with introductions of the presenters. It then provides background on encryption, certificates, and common acronyms related to security like SSL, TLS, HTTPS. The document outlines several past security vulnerabilities like POODLE, Heartbleed, and discusses solutions deployed. It then provides step-by-step instructions for creating certificates using OpenSSL and deploying them for Domino and WebSphere servers.

1. The SSL Problem & Deploying SHA2
Certificates
Gabriella Davis
The Turtle Partnership
Mark Myers
LDC Via
T1-1086
Monday 1st February 2016

2. Who Are We?
• Admin of all things and especially quite
complicated things where the fun is
• Working with security , healthchecks,
single sign on, design and deployment
of Domino, ST, Connections and things
that they talk to
• Stubborn and relentless problem
solver
• Lives in London about half of the time
• gabriella@turtlepartnership.com
• twitter: gabturtle

3. Who Are We?
• Member of the London Developer Co-op
▪ Co-writer of LDCVia
http://www.ldcvia.com
▪ IBM Connections, Domino, Mobile and
Web development
▪ Hire me!
• Developer from a support background
• 14+ years on Domino, 17+ years in IT
• Speaker at 6x Lotuspheres/Connects, 6 x
UKLUGs, 1 x ILUG, 3 x BLUG/Engage

4. Why This Session?
• Encrypting and securing information is not just a thing you add to
complete a project, it’s a necessity
• Information can be intercepted en route between client and
server or between servers
• This can include credentials which can they expose further
information
• The speed at which hackers are working around encryption
standards is growing, major attacks and vulnerabilities appear
every week
• You need to understand where the vulnerabilities are, how to
watch for them and how to protect against them

5. Encryption and Certificates
• What is Encryption?
▪ It is a process of making data unrecognizable
• Unless you have “key” to unlocking the data.
• Without the key, it should be imposable or more commonly
unfeasible to read the data in a reasonable timeframe.
• What are Certificates?
▪ Digital Certificates are a way of trying to prove that the security “key”
they contain actually belong to the person they were issued to.
▪ This is done via a trusted third party that both parties in
communication can rely on.

6. Let’s Talk Acronyms

7. SSL
• Stands for Secure Socket Layer
• A cryptographic protocol (A set of agreed rules for coding and
decoding messages so as to keep those messages secure)
• Each version was replaced by another version due to security
flaws and now is completely deprecated ( June 2015 by RFC
7568)
• Its death knell was the block cipher attack used by Poodle (see
later slide) in 2014
• Replaced by...

8. TLS
• “Transport Layer Security”
• Like SSL it is cryptographic protocol (A set of agreed rules for
coding and decoding messages so as to keep those messages
secure)
• The successor to SSL (TLS 1.0 is actually SSL 3.1 but was
renamed to mark the change to an open standard rather than
Netscape's protocol)
• Currently has 3 versions 1.0, 1.1, 1.2 (1.3 in Draft)
• Like SSL it is a constantly changing protocol

9. Man in the Middle Attack
• An attack where someone intercepts communication between
two systems and acts as a proxy between the parties without
either of them knowing

10. S/MIME
• This is another protocol, this time for allowing email in the MIME
format (basically all SMTP mail) to be both signed or/and
encrypted
▪ Signed: To ensure to your email recipients that you actually
sent the email
▪ Encrypted: To protect the content from being read by other
entities than the intended recipients.
• Just about the only intersystem security standard that all
vendors can agree on.

11. HTTPS
• This is the transfer of data using the Hypertext Transfer Protocol
over a link secured be either SSL or TLS
• Provides:
▪ Bidirectional encryption of your data in transit
▪ A reasonable guarantee that you are talking to who you
think you are.
▪ Defends against "Man in the Middle" and third party
snooping attacks.

12. SHA2
• An upgrade to the popular hashing algorithm used by the
majority of SSL certificates
• Its predecessor SHA1 was found to be more insecure that was
previously thought (not broken just not as secure)
• Microsoft Google and Mozilla all announced deprecation plans
for SHA1
• When people talk about "SHA256" they are talking about one of
the 6 hash functions with digests that make up the SHA2 family

13. AES
• “Advanced Encryption Standard”
• Based on 3 members of the Rijndael cipher family (developed
by Joan Daemen and Vincent Rijmen) each with a block size of
128 bits, but three different key lengths: 128, 192 and 256 bits.
• Used worldwide and a federal government standard
• It supersedes DES (Data Encryption Standard) which you can
now brute force attack

14. What Went Wrong
… and keeps going wrong

15. POODLE
• "Padding Oracle On Downgraded Legacy Encryption“
• An exploit that allowed attackers to trick a session to use SSL
rather than TLS then during that session use a design flaw in
SSL 3.0 to Snoop on the session
• What it did
▪ It allowed attackers to perform a man in the middle attack
• How it was stopped
▪ We all turned off SSL V3.0 on the servers (and were then
grumbled at by people who used old browsers)

16. ShellShock or Bashdoor
• An Bug from the original version of Bash* allowed you to launch
child instances of Bash but supply your own variables
• What it did
▪ It allowed an attacker to execute bash commands on the
target server
• How it was stopped
▪ Patched all servers running Bash
*A program that all lot of Unix-based systems use to execute command
lines and command scripts

17. Heartbleed
• A "buffer over-read" vulnerability in the TLS heartbeat extension of
OpenSSL caused by a missing input validation check (but really by not
enough peer review)
• What it did?
▪ Allowed an attacker to read up to 64 kilobytes of the servers
active memory for each attack, memory that was very likely to
contain secure information.
• How it was stopped?
▪ We updated all clients/servers to a patched version of OpenSSL
▪ Reissued all certificates where there was any chance they could
have been compromised.

18. Freak - “Factoring RSA Export Keys”
• A vulnerability cased by the growth of cheap commuting power
▪ A "512-bit export-grade key“ now be broken with a bit of math's
called the "Number Field Sieve algorithm"* and about ~ $150 of
cloud computing
• What it did?
▪ Allowed the attacker to perform a man in the middle attack
• How it was stopped?
▪ We disabled "TLS export cipher suites" either by updating
browsers, disabling the feature in servers or updating libraries that
used them (such as OPENSSL to versions that did not)
*https://en.wikipedia.org/wiki/General_number_field_sieve

19. SLOTH
• Security Loss due to the use of Obsolete and Truncated Hash
constructions
▪ Primarily affects TLS 1.2 and MD5
▪ SLOTH relies on the ability to exploit older hash techniques
▪ If the hash technique isn’t sophisticated enough a “collision”
of a hash for two different messages can be generated
▪ OpenSSL 1.0.1.e and earlier are affected
▪ Any servers using TLS 1.2 and MD5 encryption are affected

20. What’s Next?
• Who knows!! the important thing we have all learnt is that just
because something has been around for a while is no guarantee
of it being bomb proof.
• No system is perfect
▪ Open source software is a great concept, but relies on
ACTIVE members picking at each others code and
performing peer review.
▪ Closed Source relies on the competency of hidden
processes and testers not succumbing to pressure to “Ship
now”.
• Just remember there is always someone cleverer than you.

21. Constructing A Certificate

22. Certificate Structures
• Certificate authorities
• Private keys
• Trusted roots
• Generating a certificate
• You’ll need a keyfile
• You’ll need a request with all the details of your certificate
• You’ll need the trusted roots and intermediate certificates or
your CA
• You’ll need the final certificate itself

26. File Extensions For Certificates
• More Acronyms
▪ Certificate formats
• PEM (….. BEGIN CERTIFICATE….)
– CRT
– CER
– KEY
• DER binary
• PFX or P12
▪ ….CSR (certificate signing request)
• OpenSSL can convert most certificate forms to most others

27. OpenSSL
• An open source library of SSL and TLS cryptography
• Available for most platforms
• Developed and managed by https://www.openssl.org
• repository for downloads on
https://github.com/openssl/openssl
• Create certificates
• Convert certificates
• Extract certificates

28. HERE BE TIGERS

29. Installing OpenSSL - For the brave
• https://www.openssl.org/source/
• ftp://ftp.openssl.org/source/ previous version
• ftp://ftp.openssl.org/source/old older versions
• Download the compressed file and extract
• Read the ReadME for instructions e.g run
• INSTALL Linux, Unix, etc.
• INSTALL.W32 Windows (32bit)
• INSTALL.W64 Windows (64bit)
• https://wiki.openssl.org/index.php/Compilation_and_Installation

30. Installing OpenSSL Under Windows
• I found the easiest solution (as an Admin) is to install the pre
built Windows executable from Shining Light - there are other’s
out there
• https://slproweb.com/products/Win32OpenSSL.html
• Download the most recent “lite” version
• Currently 1.0.2f (Win32OpenSSL_Light-1_0_2f)

33. Installing OpenSSL For Linux
• For Linux many distros come with a pre compiled version of
OpenSSL
• yum install openssl
• each OS may have its own method for configuration

34. Let’s Create Some Certificates

35. Domino – Creating A SHA2 Certificate
• Domino no longer uses the Secure Server Certificate database
to generate keyfiles or merge certificates
• We use a combination of OpenSSL and an IBM utility for
Domino called kyrtool
• download kyrtool from IBM Fixcentral
http://ibm.co/1SAYX5E
• copy it to your Notes or Domino program directory
• The program files must be 9.0.1 FP3 or higher

36. Domino – Creating A SHA2 Certificate
• We need to decide the size of the key pair we want to create
• the larger the key pair the harder it is to decrypt
• not all software systems support the largest key pairs
• If using Windows set the environment variable for OpenSSL first
• Set OpenSSL_Conf=c:opensslbinopenssl.cfg
• verify openssl.cfg actually exists in that directory
• To create a 4096 key pair
• c:opensslbinopensslgenrsa -out mynewserver.key4096

37. Create a Certificate Signing Request
• When buying a new certificate this sends to your CA
• openssl req -new -sha256 -key mynewserver.key -out
mynewserver.csr
• note that we are requesting a SHA2 certificate
• the CSR will be verified by the CA when you submit it so you
can check that it’s right
• if not you can recreate it by running the command again

39. MyNewServer.CSR
• -----BEGIN CERTIFICATE REQUEST-----
• MIIEvjCCAqYCAQAweTELMAkGA1UEBhMCR0IxDzANBgNVBAgMBkxvbmRvbjEjMCEG
• A1UECgwaVGhlIFR1cnRsZSBQYXJ0bmVyc2hpcCBMdGQxCzAJBgNVBAsMAklUMScw
• JQYDVQQDDB50cmF2ZWxlci50dXJ0bGVwYXJ0bmVyc2hpcC5jb20wggIiMA0GCSqG
• SIb3DQEBAQUAA4ICDwAwggIKAoICAQDG5S3l7CtwiZQDHPXPxZMt3tQa8styCuZ+
• CyipKAyqAKvaurqGfb232kYjLdR9hDh/TAswAeG40+DuQN4LKW4efWB91tQTKyZp
• R9Kt5y6hVgKLjWbkZUqJcBRq60w7E1x+ufAqADLlhQAH0Q5fVe8aLhkYc5qIz4u/
• JIm1Y+RgO3M/80v4xl85s6R/wEUSOdynKjrpBOsgWXUWu6pkCmxQOTD0lZfII5Lj
• GztF9m7It8KcUojV4IdlsBNGlmOwdRgRwV1oqR0C3wdK9325xEbZcQgBnLBYprcN
• GxZTwQpkIkv9tHVs7jhmrJsIYCRv7uDgIVpd3VXcTpGJXdBNgAxy7zW2q/EBlFMe
• nPoavA8yyEID4tRHAQwCsDd4aoM/y3ZJRdU9ZyJE6fbcja2lDoB1r0dQWzA17UTC
• o4qFgdLqJ94IKlEhnkYF7Dotj3lt0tBpNLRdL3MQwMdpGpetYYhLATQRNaXaOz9n
• IsSFI/kIb5KKmFJX39vX7LjeAi9uRe4TbUBWBIWl+kmIT8n4xjUbjIeLrFWYUD4E
• Aft6qEmXyScIRufqorbWMz88juuC9Svkcm3zjGcLFjGSuxXOhrrMA6LpCqQJXHI1
• 5NCjZMdh/1xD1K39JhcYvSdfcpEtOe3CIXMpmkmJK0kANWrUOgeajoz7xC1vsUcE
• H4btBohD7B6fiqdozsOsvN1s
• -----END CERTIFICATE REQUEST-----

40. Now Comes The Domino Bit
• We have to create a keyring file in a format Domino will be able to
read
• For that we use the kyrtool we downloaded from FixCentral
• From your Notes program directory
• kyrtool create -k c:notesdatamynewserver.kyr -
p <passwordyouwanttouse>
• this will create two files
• mynewserver.kyr
• mynewserver.sth (this is the stashed password that unlocks
the keyring)

41. In the past we used a Domino database to
create this keyring file pair but no more

42. Nearly There…
• We have our keyring file
• We have sent our request for a certificate, generated off our
new key pair to our CA
• When the CA sends the certificate back we can merge the new
certificate into our keyring file
▪ we need to merge ALL the certificates, root, intermediate
and server into a single “key” file
• c:opensslbintype mynewserver.key server.crt intermediate.crt
root.crt >mynewserver.txt

43. Last Step
• We now add our new txt file with all the certificates in it into our
new Domino keyring
• c:ibmnoteskyrtool import all -k c:notesdatamynewserver.kyr
-i c:opensslbinmynewserver.txt
• That’s it. We now have a shiny keyring pair to use with our
Domino server

44. Installing A SHA2 Certificate Under Domino
• Install Using Internet Site Documents
• The first keyring file in the Internet Site docs view that
matches the server configuration “wins”.
• Avoid too many wildcard or duplicate Internet Site
Documents
• What can you use it for
▪ HTTPS (Traveler, Websites)
▪ S/MIME (encrypted mail)
▪ TLS (HTTP/HTTPS, LDAP/LDAPS, SMTP, IMAP, and POP3)
• DIIOP as of 9.0.1 FP5

45. More Domino SSL
• Remove weak ciphers from the site documents
• Add Disable_SSLV3=1 to the notes.ini on the server
• Domino support TLS 1.2 now
▪ SSL_DISABLE_TLS_10
▪ https://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_1.2

46. Working With WebSphere Certificates
• WebSphere installs with its own keystores for each cell and
node you add
• The keystores are created and owned by IBM and have the
hostname of the server you’re installing onto by default
• The cell keystores are found in
• /profiles/Dmgr01/config/cells/{cellname}/trust.p12
• /profiles/Dmgr01/config/cells/{cellname}/key.p12

47. Accessing The SSL Configuration
• Login to the WebSphere ISC
• Security - SSL Certificate and Key Management

48. the default passwords for the stores,set by IBM during install
are WebAS

49. Adding A New Certificate To WebSphere
• Go to the CellDefaultTrustStore if the certificate existing on
another server already you can “Retrieve from port”
• Add your root and intermediate certificates here

50. Personal Certificate Request
• The simplest way to generate a WAS certificate
• create a CSR in WAS
• “receive” it into WAS when sent from the CA
• you can’t “receive” a certificate you didn’t request

51. WebSphere and 4096 Key Length Certificates
• A 4096 certificate can generate an error when attempting to add
to WebSphere
• “RSA premaster secret”
• You need to add the unrestricted policy files to WebSphere for
the 4096 certificates to be imported

52. The Unrestricted Policy Files
• ibm.co/1JZGs3z

53. Exporting A Certificate From WebSphere
• Export a WAS certificate so that it can be imported onto other
systems
• Such as a keyfile database generated by ikeyman and used
by IBM HTTP Server

54. Working With Ikeyman
• There are different versions of ikeyman that create keyfile
databases recognised by different products
• Look in the program directory for your installed product to find
the right one
• For IBM HTTP Server the file is in /IBM/HTTPServer/bin
• On Linux you’ll need to configure X11 forwarding if you don’t
have a graphical interface

55. Working With IKeyMan - Signer Certificates
• Import the WebSphere certificate we extracted earlier
• Add root and intermediate certificates

56. Working With IKeyman - Personal Certificates

57. Editing httpd.conf to add SSL configuration
• Example content
• LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
• Listen 0.0.0.0:443
• <VirtualHost *:443>
• SSLEnable
• SSLProtocolDisable SSLv2
• </VirtualHost>
• KeyFile /opt/IBM/HTTPServer/Plugins/config/webserver1/plugin-cfg.kdb
• SSLDisable
• Restart IHS - use netstat to see if 443 is active and listening
• Check IHS logs for SSL errors
• If WebSphere doesn’t have a copy of the IHS certificate and IHS doesn’t have a copy of the
WebSphere certificate or they don’t share a trusted root, they won’t be able to communicate

58. SSL and Development
• Despite the initial pain see if you can get a proper production
SSL certificate to use on your development environment.
• If you can not (for cost reasons) ensure you create a self cert
that is EXACTLY the same type as your production environment
• Identify ALL your third party libraries to your Admins as well as
any changes in versions in a proper release document.
particularly if you are overriding an existing library on the server

59. Testing SSL On Your Site
• https://www.ssllabs.com/ssltest/

60. • You can’t stay ahead with the hackers but you must be vigilant
and keep up
• Have a plan for monitoring
• Have a plan for lock down at the first appearance of exposure
• Have a plan to fix the vulnerability
• Have a plan to identify what information may be compromised
• Have a plan to make that information of as little value as
possible

61. Resources
• Working with OpenSSL
https://www.feistyduck.com/books/openssl-cookbook/
• Creating SHA2 For Domino
http://turtleblog.info/2015/06/22/creating-sha-2-4096-ssl-
certificates-for-domino/
• Unrestricted policy files for WebSphere http://www-
01.ibm.com/support/docview.wss?uid=swg21663373

62. Thank you

63. Acknowledgements and Disclaimers
Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates.
The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational
purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to
verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM
shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this
presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and
conditions of the applicable license agreement governing the use of IBM software.
All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual
environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of,
stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.

64. Acknowledgements and Disclaimers cont.
© Copyright IBM Corporation 2015. All rights reserved.
• U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
• IBM, the IBM logo, ibm.com, IBM WebSphere, IBM Domino are trademarks or registered trademarks of International Business Machines Corporation in the
United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark
symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks
may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark
information” at www.ibm.com/legal/copytrade.shtml
Other company, product, or service names may be trademarks or service marks of others.