How to deliver industry standard browser security to the native Domino HTTP stack, using company-wide wildcard certificates deployed across all platforms.
Important tips on Router and SMTP mail routing - jayeshpar2006
This document provides tips on router and SMTP mail routing in Lotus Domino. It discusses 21 tips covering topics like ignoring location document email addresses, hiding SMTP details, setting message size restrictions, using authentication for SMTP relays, and setting mail routing priorities. The tips are presented by various IBM ICS support engineers and SWAT team members and include references to IBM support documents for additional details.
HCL Domino V12 Key Security Features Overview - hemantnaik
Domino 12 introduces several new security features, including improved TLS certificate management, enforcement of internet password lockouts based on IP address, and support for forward secrecy in NRPC encryption and TLS 1.2 ciphers using new elliptic curves. A new Certificate Manager server task automates requesting, configuring, and renewing certificates from Let's Encrypt to improve certificate management. Internet password lockouts can now be enforced based on failed login attempts from IP addresses. NRPC encryption and TLS 1.2 ciphers add support for forward secrecy using the X25519 curve for improved security of long-term secrets.
Admin Tips In 60 Minutes
In this high-speed session I take you through the best admin tips for Domino, Notes, Sametime, Traveler and more, from notes.ini values to server configuration settings and valuable customisations.
Some tips will be new to v10 and some have been around but rarely used for years.
Whatever your experience there will be something new for you to take away and enjoy.
Presented at Engage.ug in Brussels May 2019
Domino Tech School - Upgrading to Notes/Domino V10: Best Practices - Christoph Adler
Are you looking to deploy Domino V10 but don’t know where to start? Upgrade servers or clients first? Should I upgrade the ODS? If you have questions like these, this session is for you. Get a complete understanding of the process to upgrade to Domino V10, and learn from best practices and tips from the field.
Domino Server Health - Monitoring and Managing - Gabriella Davis
This document provides information on monitoring and managing Domino server health. It discusses analyzing and maintaining Domino server logs, using log filters, and analyzing log results. It also covers monitoring message tracking, mail probes, statistics, events, activity trends, and configuring the New Relic reporting tool. The document discusses database maintenance tasks like compacting and fixing up databases. It also discusses using the Domino Configuration Tuner tool and leveraging cluster symmetry and automatic database repairs.
Integrated Web Authentication (IWA) allows automatic authentication between Microsoft clients and servers. IWA uses SPNEGO to negotiate Kerberos or NTLM authentication protocols. Configuring IWA for Domino requires setting up Service Principal Names (SPNs) in Active Directory for Domino hostnames, configuring Domino to start as an Active Directory service account, and configuring browser settings for supported browsers. Troubleshooting may involve checking SPN and account configuration or debugging HTTP authentication with Domino.
AdminP is an elementary server task for your IBM Lotus Domino Administration. This session explains which administration processes are available and how those can make your day-to-day administration tasks easier. We will cover the best practices for setup and troubleshooting using AdminP, in projects like recertifications and server consolidations.
April, 2021 OpenNTF Webinar - Domino Administration Best Practices - Howard Greenberg
While installing a new HCL Domino server is a relatively straightforward task, configuring the server properly requires knowledge. Lacking this knowledge means that several key steps may be missed, resulting in a server with potential security and performance issues. Additionally, there are several key features that will save you time on administration of the server. Domino server settings also affect the performance and security of custom applications. Even if you are a developer, you should be aware of the options available when configuring a server.
Join our incredibly experienced presenters as they share their many years of Domino expertise. They will cover the finer details of correctly setting up a Domino server environment that is optimized for performance, security and sustainable administration. You can also use the information presented in this webinar to modify and improve your existing server environment.
Presenters:
Heather Hottenstein, HCL Ambassador
Roberto Boccadoro, HCL Ambassador
Serdar Basegmez, HCL Ambassador
Additional Panelists (Q and A)
John Paganetti, HCL
In this session (reloaded for Notes V11), you will learn how easy it can be to maximize Notes client performance. Let Chris show you what can be tuned and how to achieve the best possible performance for your Notes client infrastructure. Discover tips and tweaks: how to debug your Notes client, deal with outdated ODS, network latency and application performance issues, and the measurable benefit that provides to your users. You'll discover the current best practices for streamlining location and connection documents and why the catalog.nsf is still so important. You will leave the session with the knowledge you need to improve your Notes V11 client installations and to provide a better experience for happier administration and happier end-users!
Session from NCUG, Stockholm, 12.06.2019.
Basic Domino performance tuning: ideas on how to improve performance, which statistics show that there are issues, and how to fix them.
Fast. Dangerous. Always in control.
Learn the dirty secrets of the Notes Client and how you can turn them into golden features that will make you shine. You will leave the workshop equipped with new knowledge for your next Notes Client deployment and/or optimization project. You will be able to get better Notes client performance and stability by using fewer system resources, like CPU, memory and file I/O, simply through the right tailor-made configuration of the Notes client for your very own system requirements. Get geared up for your next Notes V11 deployment with the best-practice tips to get Notes Clients deployed, configured, maintained and 'finally' loved by your users.
Don’t forget, IBM Notes V11 is not far away from being released.
This document summarizes how to configure Time-based One Time Password (TOTP) two-factor authentication for Domino server access without third party software. It involves using the mfamgmt command to issue certificates, enabling TOTP in the server document and vault ID policy, and configuring the web server and login form to support TOTP. Users must install an authenticator app, scan a QR code, and enter generated codes for setup and login. Admins can reset TOTP profiles from the vault ID.
Presentation from Engage 2022 in Bruges
From day-to-day administration to advanced configuration, from automated maintenance to running the best multi-client mail server on the market, from advanced security to data access.
INF107 - Integrating HCL Domino and Microsoft 365 - Dylan Redfield
Is your organization flirting with a move to Microsoft 365? Or are you managing an infrastructure that includes both Domino servers and Microsoft 365 cloud services? As Microsoft 365’s footprint grows, many HCL Domino environments are finding the need for the two technologies to coexist. This session will discuss best practices, native options and third-party tools to allow the two environments to work together, ultimately reducing your overhead and allowing your users to be productive. Just because you are running dual environments, does not mean you have to duplicate efforts to manage them. Let us give you tips on how to save time and give your users a cohesive experience.
- The document discusses Document Attachment Object Service (DAOS), a feature introduced in Domino 8.5 that separates attachments from documents to reduce database size and improve performance.
- Key aspects of DAOS include setting up a separate repository for attachments, enabling it on servers and applications, and benefits like reduced storage, faster tasks, and less network traffic.
- Considerations for DAOS include prerequisites, transaction logging, backup procedures, and its effects on replication and other features.
Domino memory is composed of shared and private memory pools. Shared memory is available to all Domino tasks, while private memory is allocated to individual tasks. The NSF buffer pool caches frequently accessed databases in shared memory. Memory dumps and memstats reports can be used to diagnose memory leaks by identifying continually increasing memory addresses over time. The DEBUG_TRAPLEAKS and DEBUG_SHOWLEAKS parameters can help trap specific memory leaks.
IBM Lotus Domino Domain Monitoring (DDM) - Austin Chang
This document provides an overview of Lotus Domino Server Domain Monitoring (DDM) for administrators. DDM allows administrators to monitor servers in their domain through configurable probes that check for issues and automate corrective actions. It discusses the key components of DDM including the server collection hierarchy, monitoring configuration, probes, and filters. It also provides examples of how to set up monitoring for common scenarios like database compaction, replication, and system resources.
The document discusses techniques for compacting, compressing, and de-duplicating data in Domino applications to reduce storage usage and improve performance. It covers compacting databases, compressing design elements, documents, and attachments, using DAOS to store attachments externally, and tools for defragmenting files.
Engage 2018: IBM Notes and Domino Performance Boost - Reloaded - Christoph Adler
Created by Christoph Adler (panagenda) & Luis Guirigay (IBM)
There is always room for improvement! Maximizing IBM Notes client and Domino server performance doesn't have to be complicated. Reloaded for the latest IBM Notes/Domino 9 version (9.0.1 Feature Pack 10 or later), join Chris and Luis to find out the best and latest performance tuning tips. Learn how to debug your client(s) and server(s), deal with outdated ODS, network latency, application/mail performance issues and more. Improve your IBM Notes client installations to provide a better experience for happier administration and happier end users! As a special bonus, Chris will show you how to reduce the startup time of virtualized IBM Notes Clients (Citrix / VMWare / etc).
Best practices for HCL Notes/Domino security. Part 2: The Domino server - panagenda
Recording: http://pan.news/20210420de
Abstract: Servers are the backbone of your IT environment. Their security is of the utmost importance to every IT professional. With remotely accessible servers in particular, this becomes a delicate matter. There is a fine line between convenient use on the one hand and protection against attackers on the other.
Security concerns include the lack of physical security of devices, the use of unsecured networks, the unintended external availability of internal resources, and unauthorized access from within your own company.
HCL Domino is a powerful and mature server platform with a large feature set. While that makes it a good choice for many applications, it also means there are many potential ways to make yourself vulnerable.
In this webinar, our experts help you look at every aspect of securing your Domino environments:
• Learn the fundamentals of Domino server security
• Fix problems with the default configuration and avoid common pitfalls
• Ensure secure access via Notes client, HTTP or SMTP
• Set up database access control for your entire infrastructure
• Protect your servers against internal attacks
• Avoid vulnerabilities by keeping Domino servers and operating systems up to date
IBM Notes Performance Boost - Reloaded (DEV-1185) - Christoph Adler
IBM Notes Performance Boost - Reloaded (DEV-1185)
Maximizing IBM Notes client performance doesn't have to be complicated! Reloaded for the latest IBM Notes 9 version, join Chris and find out what can be tuned and how to resolve it. Learn how to debug your client, deal with outdated ODS, network latency and application performance issues, and the measurable benefit that provides to users. Gather best practices on how to streamline location and connection documents and why the catalog.nsf is so important. Improve your IBM Notes client installations to provide a better experience for happier administration and happier end users! As a special bonus, Chris will show you how to improve the startup time of virtualized IBM Notes clients (Citrix / vmware / etc) by up to 70%!
Without taking special precautions, Lotus Domino will act as an open mail relay on the Internet.
An open mail relay means that anyone, anywhere, who can connect to your Domino server can use it to send email without needing to be authenticated to your server.
From frustration to fascination: dissecting Replication - Benedek Menesi
1.) The presenters will discuss replication in Domino/Notes, including the replicator server task, connection documents, and cluster replication.
2.) Connection documents control replication between servers by specifying which databases and documents are replicated. They also define replication settings like type and schedule.
3.) Cluster replication uses in-memory replication to synchronize databases across cluster members in real-time. It disregards selective replication formulas. Traditional replication is still needed as a backup.
Inform2015 - What's New in Domino 9 & 9.0.1 for Admins - Jared Roberts
The document discusses new features in IBM Domino 9 and 9.0.1, including improvements to the Database Management Tool (DBMT) for automating database maintenance tasks. DBMT allows administrators to compact databases, purge deletion stubs, expire soft deletes, and perform other maintenance without interrupting users. It can run maintenance tasks in parallel and ensure tasks are completed even if they exceed allocated time frames. The document also covers new options for DBMT related to mail file compaction and delivery failover in clustered environments.
Domino Security - not knowing is not an option (2016 edition) - Darren Duke
This document provides a summary of security best practices for Domino servers, including enabling SHA2 certificates, upgrading to TLS 1.2, enabling perfect forward secrecy and HTTP strict transport security, disabling insecure protocols like SSLv3, using a reverse proxy for SSL offloading and load balancing, and thoroughly testing configurations with tools like SSL Labs. It also covers antivirus exclusions needed for Domino servers and clients, securing LDAP connections to Active Directory, and new security features expected in future Domino releases like Java 8 support and encrypted Notes RPC.
This document summarizes the transport layer and the key protocols TCP and UDP. It explains that the transport layer establishes communication sessions between applications, segments data for transmission, and ensures proper delivery. TCP provides reliable, ordered delivery using acknowledgements, while UDP is simpler but unreliable. Popular applications of each are discussed, showing how TCP and UDP address different network requirements.
Domino Security - not knowing is not an option - MWLUG 2015 - Darren Duke
There have been a ton of changes to Domino security over the past few months. See what they are, why you need them and how to implement them, including but not limited to: SSL/TLS, Notes port encryption, reverse proxies, SHA2 certificates, SAML/NFL, Perfect Forward Secrecy. Learn. Implement. Sleep well.
Logging Wars: A Cross-Product Tech Clash Between Experts - Benedek Menesi
Things WILL get VERY technical when two experts face off in a unique session that explores polar perceptions regarding various types of logs, verbosity levels, data extraction, responses to alerts, and more. Be it Domino, Sametime, or Traveler operating on-prem or in hybrid and cloud environments, it is vital to have an understanding of log data structure, what is (or isn't) logged and why, and how to search logs effectively. But aren't there ways to find your information without having to pipe everything into the log? Where does one's best practice end and another's begin? From this collision of opposing viewpoints and real-world stories, you'll take away knowledge and tools ready to deploy to various scenarios, products, and log types.
Aplication and Transport layer- a practical approachSarah R. Dowlath
This presentation was done for a Networking course. It shows, from a practical standpoint, how the application layer and the transport layer communicate with each other and operate as a whole to get the job done. It gives the reader more insight into how the pieces come together in an IT networking world.
Advanced Crypto Service Provider – cryptography as a serviceSmart Coders
Data and information security is crucial and essential for most IT environments. As data is more often stored in the cloud, securing it becomes a non-trivial challenge.
IBM Advanced Crypto Service Provider (ACSP) is a solution that enables remote access to IBM's cryptographic coprocessors. Such an approach allows strong hardware-based cryptography to be used as a service ("cryptography as a service") in distributed environments where data security cannot otherwise be guaranteed.
ACSP is a “network hardware security module (NetHSM)” that provides access to cryptographic resources via IBM Common Cryptographic Architecture (CCA) interface and the PKCS#11 standard.
More at https://ibm.box.com/v/acsp-vault-ibm-forum-2015
Video recording from that presentation can be found at https://vimeo.com/smartcoders/acsp-vault-ibm-forum-2015
Recover A RSA Private key from a TLS session with perfect forward secrecyPriyanka Aash
This document discusses recovering an RSA private key from a TLS session using a side channel attack that exploits the RSA-CRT optimization. It begins with background on side channel attacks and an overview of the roadmap. It then discusses how RSA signatures work, the RSA-CRT optimization, and how a fault during signature generation using RSA-CRT can leak a private key factor. The document demonstrates checking for faulty signatures in TLS and recovering the private key. It notes the attack requires RSA-CRT, signatures on known values, and a faulty signature.
IBM Connect 2014 BP103: Ready, Aim, Fire: Mastering the Latest in the Adminis...Benedek Menesi
This session has been presented in the Best Practices track at the IBM Connect conference in Orlando, FL, USA, January 2014.
--
Being armed with the newest set of weapons is crucial for not being left behind when it comes to efficiently administering your servers. The number of new features added to recent IBM releases is staggering, yet workload time constraints cause us to stick to our old ways of doing things despite the opportunity to increase our effectiveness and thereby efficiency. In this in-depth, problem/solution formatted session we’ll discuss some of the latest and greatest features for administering IBM Domino, IBM iNotes and IBM Traveler through customer examples and real world scenarios. We’ll share best practices that allowed us to successfully solve architecture challenges in critical areas such as security, mail routing, replication, web/mobile capabilities and more.
Many companies today are forced to look for a replacement for Microsoft Forefront Threat Management Gateway, whose development has been discontinued. An excellent alternative is F5 Secure Web Gateway Services, which provides control over, and secure use of, the Internet.
TechEd Africa 2011 - OFC308: SharePoint Security in an Insecure World: Unders...Michael Noel
One of the biggest advantages of using SharePoint as a Document Management and collaboration environment is that a robust security and permissions structure is built into the application itself. Authenticating and authorizing users is a fairly straightforward task, and administration of security permissions is simplified. Too often, however, security for SharePoint stops there, and organizations don't pay enough attention to all of the other considerations that are part of a SharePoint Security stack, and more often than not don't properly build them into a deployment. This includes such diverse categories as Edge, Transport, Infrastructure, Data, and Rights Management Security, all areas that are often neglected but are nonetheless extremely important. This session discusses the entire stack of Security within SharePoint, from best practices around managing permissions and ACLs to comply with Role Based Access Control, to techniques to secure inbound access to externally-facing SharePoint sites. The session is designed to be comprehensive, and includes all major security topics in SharePoint and a discussion of various real-world designs that are built to be secure. • Understand how to use native technologies to secure all layers of a SharePoint environment, including Data, Transport, Infrastructure, Edge, and Rights Management. • Examine tools and technologies that can help secure SharePoint, including AD Rights Management Services, Forefront Unified Access Gateway, SQL Transparent Data Encryption, and more. • Understand a Role-Based Access Control (RBAC) permissions model and how it can be used to gain better control over authorization and access control to SharePoint files and data
The document summarizes an IT architect conference presentation on architecting enterprise security for service-oriented architectures (SOA). The presentation discusses key enterprise security concerns like governance, infrastructure, applications and how SOA brings changes that impact security. It provides examples of security architecture policies and how to implement aspects of security like threat protection, transport layer security, service virtualization, externalizing and centralizing security management, authenticating and authorizing all messages.
This document discusses virtualization, cloud computing, and SDN technologies. It covers some of the key challenges in application provisioning across network layers that can lead to long deployment times. The document presents solutions from F5 that aim to simplify and accelerate application deployments through a high-performance services fabric and integration with technologies like Cisco ACI and VMware NSX to enable automated, policy-based provisioning of load balancing and other application services.
With the end of development of Microsoft Forefront Threat Management Gateway (TMG), many organisations that use, or were planning to use, TMG face a dilemma: how, and more importantly with what, will administrators protect their Internet-facing Microsoft applications such as Exchange, SharePoint and Lync?
F5 Networks offers an answer to these questions. The details are described in this presentation.
F5 has added new solutions that combine its BIG-IP Application Security Manager with Oracle Database Firewall to provide stronger protection against SQL injection attacks. The integrated solution monitors and blocks traffic at the web and database layers, tracking application sessions from client to database. When anomalies are detected by the Application Security Manager, they are logged by both the Application Security Manager and Oracle Database Firewall, providing complete visibility of attacks from source to SQL transaction. This ensures administrators have consistent, correlated application monitoring data and web tier attacks are blocked while undetected attacks reaching the database are blocked by the Database Firewall.
Legacy security systems are failing because attacks have moved "up the stack" to target applications rather than just networks. While 90% of security investment focuses on network threats, 75% of attacks now target applications. The top 10 web application vulnerabilities remain unaddressed, leaving many sites open to injection attacks, XSS, authentication issues, and more. To better protect applications, a next-generation security platform needs to be scalable, adaptable to change, understand context, involve the security community, and take a unified approach.
This document introduces IBM Message Hub, which is Apache Kafka as a service on Bluemix. Message Hub provides Kafka with additions like multi-tenancy, security features, REST APIs, administration interfaces, and monitoring. It discusses how Message Hub is based on Kafka 0.9 but with IBM contributions back to the community. The document also outlines the key features of Message Hub around multi-tenancy, security, flexibility, management, and performance. Other related Bluemix services like Message Connect and the Message Hub Incubator are also briefly mentioned.
Cisco Trustsec & Security Group TaggingCisco Canada
This presentation covers the protocols and functions that create a trusted network. We will discuss best practices when deploying this tagging ability using campus switches, including migration techniques from non-SGT-capable devices to a fully SGT-capable network deployment. For more information please visit our website here: http://www.cisco.com/web/CA/index.html
SSL was developed in 1994 to secure communications between web browsers and servers. It uses public key cryptography and X.509 certificates to authenticate peers and encrypt data in transit. However, the current public key infrastructure (PKI) model that underpins SSL has several flaws, including being controlled by a small number of certificate authorities, making it vulnerable to hacks and insider threats. Some propose decentralizing trust decisions so that individuals, rather than centralized authorities, ultimately determine what is trusted. Others are working on alternative approaches like certificate pinning to avoid relying solely on the existing PKI model. Overall, there is recognition that the current system for establishing trust in SSL/TLS needs improvement.
Presented at Codebits V, 11/11/11 Lisbon.
Video and more info here: https://codebits.eu/intra/s/session/180
note: this talk was co-presented by me and Luís Grangeia (www.slideshare.net/lgrangeia)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)Gabriella Davis
This document discusses deploying SHA2 certificates and the SSL problem. It begins with introductions of the presenters. It then provides background on encryption, certificates, and common acronyms related to security like SSL, TLS, HTTPS. The document outlines several past security vulnerabilities like POODLE, Heartbleed, and discusses solutions deployed. It then provides step-by-step instructions for creating certificates using OpenSSL and deploying them for Domino and WebSphere servers.
SSL (Secure Sockets Layer) provides authentication, encryption, and data integrity between web servers and browsers. It uses public and private encryption keys to encrypt data in transit and verify identities to prevent sensitive information from being accessed or altered by unauthorized parties. There are different types of SSL certificates that validate domains, organizations, or extended validation of legal entities. Symantec offers various SSL certificate solutions to secure websites and applications along with features like daily malware scanning and vulnerability assessments to help protect websites.
Session from Global Azure Bootcamp 2017. Azure Key Vault lets us secure hosted services, keys and passwords in special, protected storage. In this session we will explore the capabilities of Azure Key Vault and see why its use is necessary in Star Trek to guarantee security.
Refugees on Rails Berlin - #2 Tech Talk on SecurityGianluca Varisco
1. Edward Snowden's NSA leaks from 2013 increased public awareness of privacy issues and prompted tech companies to improve privacy protections for users.
2. Major security breaches in 2014-2015 exposed vulnerabilities like Heartbleed and compromised user data from companies like Ashley Madison, TalkTalk, and VTech.
3. The growing Internet of Things introduces new security threats as more devices become connected, and human error remains a major weak point that can undermine other security defenses. Basic security practices like strong unique passwords and two-factor authentication are recommended.
Securing the Foundation to Secure the CloudTrent Adams
Secure clouds don't exist in a vacuum. The very nature of a secure cloud relies on effective standardized, interoperable, and scalable Internet security. As the cloud metaphor displaces the concept of proprietary point-to-point networked servers, the key to its value can be found in the interoperability of service protocols.
Securing these connections requires understanding and deploying standards such as TLS HSTS, CT, CSP, DMARC, and FIDO. Each protocol addresses specific security concerns encountered when you extend your security perimeter to include external cloud services. Developing and deploying technologies like these requires a holistic view of the security landscape, and working within a robust Internet security ecosystem.
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionAnant Shrivastava
This session will focus on Mobile Top 10 2014-M3: Insufficient Transport Layer Protection. We will try to understand the Transport Layer, Transport Layer Security (TLS), insecurities in TLS/SSL, how these affect the overall security of mobile devices, what kind of protection can be applied, and how the issue can be identified.
Basic security principles for information systems development/deployment. Information security is concerned with the confidentiality, integrity, and availability of information. From these three 'pillars', the following principles must be applied when implementing and maintaining an information system: Accountability.
Tresorit is an encrypted cloud storage service that aims to address security and privacy concerns with cloud storage. It uses zero-knowledge encryption where files are encrypted on the client before being uploaded and Tresorit does not have access to decryption keys. Tresorit offers syncing of encrypted files across devices, sharing of encrypted files with others, and public links to shared files that decrypt in the browser without installing software. The company is based in Switzerland and Hungary and stores encrypted user data in EU servers.
This document summarizes Bruno Gonçalves de Oliveira's talk on hacking web file servers for iOS. It introduces Bruno and his background in offensive security and discusses how iOS devices store a lot of information and mobile applications are often poorly designed and vulnerable. It provides examples of vulnerable file storage apps, outlines features and vulnerabilities like lack of encryption, authentication, XSS issues, and path traversal flaws. The document demonstrates exploits like unauthorized access to file systems on jailbroken devices and how to find vulnerable systems through mDNS queries. It concludes that mobile apps are the future but designers still do not prioritize security and there are too many apps for users to vet carefully.
The document discusses Let's Encrypt, an automated certificate authority that aims to simplify and encourage adoption of TLS encryption. It provides free SSL/TLS certificates that software can automatically obtain and renew. The document also discusses using DNSSEC and DANE to cryptographically bind certificates to domain names to improve security over traditional certificate authorities that can issue certificates for any domain. It describes an experiment conducted by the Internet Society and Go6Lab to test DANE validation of email connections that found low adoption of DNSSEC and DANE currently limits their effectiveness for validating TLS certificates.
This document discusses recommendations for improving web security in 2019. It recommends: 1) Redirecting all sites to HTTPS; 2) Using TLS protocols 1.2 or newer and disabling legacy protocols; 3) Optimizing cipher suites to use perfect forward secrecy and disable weak ciphers; and 4) Adding security headers to browsers to restrict content and functionality. Following these recommendations will help sites adopt modern encryption standards and security best practices.
When you browse the net you often send sensitive and highly personal data: passwords, banking information and so much more. One of the basic protections we have is a secure connection, HTTPS instead of HTTP. What does this mean? Should you enable this secure connection on your website? How can you inform your users to seek out these connections?
Typing our banking information, secure passwords or our credit card information into an unsecured connection can put anyone at high risk of having their information stolen.
This scenario and various others are all too true in the digital age and can wreak havoc on many individuals' personal lives, some leading towards bankruptcy and financial ruin. This webinar will discuss:
- what HTTPS is
- how it functions
- how to enable it
- where to get a SSL certificate that will sign your HTTPS implementation
- along with where it should be implemented.
The document discusses IoT security and methods for using Java to build more secure IoT applications. It covers recent IoT attacks exploiting weaknesses like default passwords. The Java Cryptography Architecture and libraries like Bouncy Castle provide cryptography support for tasks like encryption and digital signatures. Secure elements and JavaCard provide hardware-backed security by executing code and storing keys in a protected environment. The document emphasizes that security needs to be considered from the start of a project to reduce costs and vulnerabilities.
Dileep Kalidindi presented on securing enterprise and cloud applications. He began with an overview of common cyber threats and their impact. He then discussed cryptography concepts like hashing, symmetric and asymmetric encryption. Next, he covered considerations for securing data in the cloud, including issues around data residency, encryption key management and shared infrastructure vulnerabilities. Finally, he outlined secure coding practices for Java like preventing injection attacks and cross-site scripting, and discussed penetration testing tools and methodologies.
Lesson 1. General Introduction to IT and Cyber Security.pptxJezer Arces
This document provides an introduction to information and cyber security concepts. It defines information security as protecting data from all threats, while cyber security specifically addresses cyber threats. The three pillars of cybersecurity are outlined as confidentiality, integrity, and availability of data. Common computer protocols like HTTP, HTTPS, FTP, and protocols that make up the TCP/IP model are explained. Basic security terminology and functions of cookies are also covered to introduce fundamental IT and cyber security concepts.
Building RAG with self-deployed Milvus vector database and Snowpark Container...Zilliz
This talk will give hands-on advice on building RAG applications with an open-source Milvus database deployed as a docker container. We will also introduce the integration of Milvus with Snowpark Container Services.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIVladimir Iglovikov, Ph.D.
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
1. Best Practice Transport Layer Security (TLS) for IBM Domino using TLS 1.2
Jared Roberts | Senior Consultant
primaxis.com.au
2. June 11th & 12th, Melbourne, AustraliaMeet.Share.Learn.Connect @AusLUG #@Inform2015
Disclaimer
• This presentation represents my individual experiences, thoughts and opinions and does not represent the views of my employer, Inform2016, AusLUG, IBM, IBM Business Partners or any other organisation or entity.
• I (most likely) don’t know more about stuff than you do…. feel free to call me out on errors in my presentation & publicly humiliate me as you see fit.
• This presentation may contain the following copyrighted, trademarked, and/or restricted terms:
• IBM® Notes®
• IBM® Domino®
• IBM® Connections
• IBM® WebSphere®
• IBM® DB2
• IBM® AIX®
• Tivoli®
• Linux®
• Java®
• Microsoft®
• Windows®
• Red Hat®
• Skype®
• Twitter®
• Facebook®
3. March 10th & 11th, Sydney, AustraliaMeet.Share.Learn.Connect @AusLUG #@Inform2016
Speaker
Jared Roberts ● Senior Consultant – Primaxis
• From Melbourne
• 11-year rookie in IBM Collaboration Software
• Admin of many of the things we are here talking about
• I’m a fan of “The User”
• Business analysis, presales, consulting, security audits, design & delivery of Domino, Notes, Sametime, Traveler, Connections, TDI, SoftLayer and all the related bits they interact with
• Remarkably average but adequate and often completely useless developer
• Drummer in Desecrator (the best band you’ve never heard of)
4. SSL/TLS - Who Cares right?
5. SSL/TLS - Who Cares right?
• Encryption is not a ‘nice to have’ – it’s an absolute MUST
• Data can be intercepted while being transferred between clients and servers, or between servers, i.e.:
– Email
– Payment Information
– Credentials
• Now seeing the deprecation/planned deprecation of SSLv3 and SHA1 support in Browsers
– IE (Jan 2017, code-signing Jan 2016)
– Chrome (Jan 2017, version and cert date conditional)
– FireFox (Jan 2017, phased)
– Safari (same?)
6. Encryption
what is encryption?
• The most effective way to achieve ‘data security’
– process of encoding information so only authorised parties can read it
– data is ‘unrecognisable’ or unreadable unless you have the ‘key’ to decrypt it
– does not prevent interception
what are SSL certificates?
• Small digital files that authenticate the identity of a website and encrypt information
• Binds the ‘key’ to the organisation’s details
7. SSL Certificate
• An SSL certificate holds the following info:
– The certificate holder's name
– The certificate's serial number and expiration date
– A copy of the certificate holder's public key
– The digital signature of the certificate-issuing authority
8. Acronyms!!!
SSL
• Secure Sockets Layer
• A cryptographic protocol designed to provide communications security over a computer network
• 3 versions (version 1.0 never publicly released), all of which are now deprecated and considered insecure
– SSLv1.0
– SSLv2.0
– SSLv3.0
• POODLE exploit was the nail in the coffin for SSLv3
– replaced by TLS
9. Acronyms!!!
TLS
• Transport Layer Security
• A cryptographic protocol like SSL. It’s actually SSL’s ‘successor’
– started life as SSLv3.1 but was renamed to reflect that it is an open standard
• 3 versions
– TLS1.0 (considered insecure due to ability to downgrade to SSLv3*)
– TLS1.1
– TLS1.2
• Updated constantly as required
– version 1.3 in Draft now
10. Acronyms!!!
HTTPS
• Method for secure communication over HyperText Transfer Protocol (HTTP)
• Often referred to as HTTP Secure, HTTP over TLS/SSL
• Data transferred over HTTPS provides:
– bidirectional encryption of data in transit
– with correct implementation can protect against MIM attacks*, and a level of confidence that you’re connecting with who you think you are connecting to!
11. March 10th & 11th, Sydney, AustraliaMeet.Share.Learn.Connect @AusLUG #@Inform2016
Acronyms!!!
SHA1
• Cryptographic hash function traditionally used in most SSL certificates
• Widely used in many protocols (TLS and SSL, PGP, SSH, S/MIME, and IPsec)
• M$, G00gle and Mozilla have announced deprecation plans
SHA2
• Family of cryptographic hash functions
• An updated successor to SHA1
– SHA1 has been found to be increasingly insecure
• 6 hash functions (SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256)
Acronyms!!!
AES
• Advanced Encryption Standard
• Based on the “Rijndael” cipher family – widely used as a government standard
• Supersedes DES (Data Encryption Standard), which is now vulnerable to brute force attack
Ciphers
• Algorithm for performing encryption and decryption
• Work on blocks of symbols, usually of a fixed size (block ciphers), or on a continuous stream of symbols (stream ciphers)
What happened and keeps happening…
Man In The Middle Attack (MIM, MITM)
• A type of attack where the attacker secretly intercepts, relays and possibly alters communication between two parties who believe they are directly communicating with each other
What happened and keeps happening…
POODLE
• “Padding Oracle On Downgraded Legacy Encryption”
• An exploit that allowed attackers to trick a session into using SSL 3.0 rather than TLS, then during that session use a design flaw in SSL 3.0 to snoop on the session
What it did
• It allowed attackers to perform a man in the middle attack
How it was stopped
• We all turned off SSLv3 on the servers (then users screamed at us and the browser war escalated)
What happened and keeps happening…
SLOTH
• “Security Loss due to the use of Obsolete and Truncated Hash constructions”
• SLOTH relies on the ability to exploit older hash techniques
• If the hash technique isn’t sophisticated enough, a “collision” of the hash for two different messages can be generated
• OpenSSL 1.0.1e and earlier are affected
• Any servers using TLS 1.2 with MD5 are affected
What happened and keeps happening…
FREAK
• “Factoring RSA Export Keys”
• A vulnerability caused by the growth of cheap computing power
• A "512-bit export-grade key" can now be broken with a bit of maths called the "Number Field Sieve algorithm"* and about $150 of cloud computing
What it did
• Allowed the attacker to perform a man in the middle attack
How it was stopped
• Disabled "TLS export cipher suites", either by updating browsers, disabling the feature in servers or updating the libraries that used them
What happened and keeps happening…
HEARTBLEED
A "buffer over-read" vulnerability in the TLS heartbeat extension of OpenSSL, caused by a missing input validation check
What it did
• Allowed an attacker to read up to 64 kilobytes of the server's active memory per attack, memory that was very likely to contain sensitive information
How it was stopped
• Updated all clients/servers to a patched version of OpenSSL
• Reissued all certificates where there was any chance they could have been compromised
What happened and keeps happening…
• BEAST
• LOGJAM
• CRIME
• BREACH
• DROWN
• BERSERK
• KOMODIA
• …and more
Creating a Certificate
CERTIFICATE STRUCTURE
• Certificate Authority (CA)
• Private Key
• Trusted Roots (root and intermediate certificates)
• To generate a certificate and key store you need:
– key file
– certificate request with the details of your certificate
– trusted roots and intermediates (or your CA)
– signed certificate from your CA
The key – creating the identity
TLS Handshake - validation
• How validation works (the TLS handshake)
Structure of Certificates
Certificate formats
• Personal Information Exchange Format (PKCS#12)
– .pfx
– .p12
• Cryptographic Message Syntax Standard (PKCS#7)
– .p7b
– .p7r
• Base64-encoded X.509
– .cer
– .crt
• DER-encoded binary X.509
– .cer
– .crt
– .der
• Privacy-enhanced Electronic Mail
– .pem
• Certificate Signing Request
– .csr
• OpenSSL can convert most certificate forms to most other forms
SHA2 - Getting it done in Domino
What you need:
• OpenSSL
– An open source library implementing SSL/TLS and cryptography
– Available for most platforms
– Developed and managed by https://www.openssl.org
– Create, convert & extract certificates and keystores
• Domino KYR Tool
– Tool to create SHA2 key stores for Domino
• Certificate Signing Authority
SHA2 - Getting it done in Domino
Creating a SHA2 Certificate in Domino
• SHA2 Support introduced in 2015
• Domino must be 9.0.1 FP3 or higher
• Notes must be 9.0.1 FP3 or higher
Installing OpenSSL
• Shining Light Productions download
– https://slproweb.com/download/Win64OpenSSL_Light-1_0_2g.exe
• Available for most platforms
• Only need the Light version for this application
SHA2 - Getting it done in Domino
• Firstly, decide on the key size
– May be decided by business or legal requirements
– The larger the better – harder to break
– Not all systems support larger key sizes
• Set the OPENSSL_CONF environment variable (Windows only)
– set OPENSSL_CONF=c:\openssl\openssl.cfg
SHA2 - Getting it done in Domino
• Verify the file has been created
SHA2 - Getting it done in Domino
• Create a key of length 4096*
– openssl genrsa -out pmxserver.key 4096
SHA2 - Getting it done in Domino
• Create a Certificate Signing Request (CSR)
• You send this to your Certificate Authority (CA)
– either on-premise or purchased
• The CSR is checked and verified by the CA.
• Any errors – you can recreate the request
SHA2 - Getting it done in Domino
• openssl req -new -sha256 -key pmxserver.key -out pmxserver.csr
SHA2 - Getting it done in Domino
• Verify the file has been created
SHA2 - Getting it done in Domino
• Send to the signing fairies
– Company CA
– Third Party CA (VeriSign, Symantec, GeoTrust, RapidSSL)
SHA2 - Getting it done in Domino
• Domino KYR Files
– Traditionally created with the Server Certificate Admin application (certsrv.nsf)
– certsrv.nsf is not used any more
– Domino KYR Tool (must be 9.0.1 FP2 IF1 and above)
– Creates a SHA2 keystore that is recognised by Domino
• Download the KYR Tool from Fix Central
– http://ibm.co/1SAYX5E
• Unpack & place kyrtool.exe in the Notes/Domino program directory
• **opinion**
Please don’t run the kyrtool on your Domino server – use a Notes client!
SHA2 - Getting it done in Domino
• Create the KYR keystore
– kyrtool create -k c:\IBM\Notes\data\pmxwildserver.kyr -p somethingstrongplease
SHA2 - Getting it done in Domino
• This will create 2 files
– Domino KYR key store (.kyr)
– Key store password stash file (.sth)
SHA2 - Getting it done in Domino
• Collect your files
– Server Private Key
– Server Certificate Request
– Server Certificate (signed and returned to you by the CA)
– Root and Intermediate certificates
– Key store file and stash file
• Root and Intermediate certs – order matters
SHA2 - Getting it done in Domino
• Now you need to install all of the root, intermediate and server certificates and the key into the key store.
• 2 options
– Use OpenSSL to merge the roots, intermediates, server cert and key into one text file before importing into the KYR file
– Import the certificates individually
SHA2 - Getting it done in Domino
Import using combined file
• Concatenate all certificates into one text file
– type pmxserver.key pmxserver.crt intermediate1.crt intermediate2.crt root.crt > pmxallcerts.txt
SHA2 - Getting it done in Domino
Import using combined file
• Verify the certificate chain
– kyrtool verify C:\TLS\pmxallcerts.txt
Successfully read 4096 bit RSA private key
INFO: Successfully read 4 certificates
INFO: Private key matches leaf certificate
INFO: IssuerName of cert 0 matches the SubjectName of cert 1
INFO: IssuerName of cert 1 matches the SubjectName of cert 2
INFO: IssuerName of cert 2 matches the SubjectName of cert 3
SHA2 - Getting it done in Domino
Import using combined file
• Import the text file into the KYR
– kyrtool import all -k C:\TLS\pmxwildserver.kyr -i C:\TLS\pmxallcerts.txt
SHA2 - Getting it done in Domino
Import individually
• Issue a series of import commands to merge the root, intermediates, server cert and server key into the key ring file
– kyrtool import roots -i C:\TLS\GeoTrust_Global_CA.cer -k C:\TLS\pmxwildserver.kyr
– kyrtool import roots -i C:\TLS\intermediate1.txt -k C:\TLS\pmxwildserver.kyr
– kyrtool import roots -i C:\TLS\intermediate2.txt -k C:\TLS\pmxwildserver.kyr
– kyrtool import keys -i C:\TLS\pmxserver.key -k C:\TLS\pmxwildserver.kyr
– kyrtool import certs -i C:\TLS\pmxcert.crt -k C:\TLS\pmxwildserver.kyr
SHA2 - Getting it done in Domino
• Verify! Verify!
– kyrtool show keys -k C:\TLS\pmxwildserver.kyr
– kyrtool show certs -k C:\TLS\pmxwildserver.kyr
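As an added example that is not part of the original deck, the POSIX shell script below walks the same key, CSR, signing and concatenation steps with a throwaway two-tier CA and then re-implements the checks that "kyrtool verify" reports (private key matches the leaf, each IssuerName matches the next SubjectName), so a bundle can be checked on any box with OpenSSL before it goes near kyrtool, which is Windows/Domino only. All names (demo-root, demo-intermediate, *.example.test) are constructed for the demo.

```shell
# Added example, not from the original deck: build a throwaway two-tier CA with
# OpenSSL, issue a SHA-256 wildcard certificate for a 4096-bit key, bundle it in
# the order the deck uses (key, server cert, intermediate, root), then re-run the
# checks that "kyrtool verify" reports before the bundle goes to kyrtool.
# Names (demo-root, demo-intermediate, *.example.test, pmxserver) are constructed.
set -e
cd "$(mktemp -d)"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'subjectAltName=DNS:*.example.test,DNS:example.test\n' > leaf.ext
# Root and intermediate CA (2048-bit only to keep the demo quick).
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj /CN=demo-root \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -sha256 -days 3650 \
  -extfile ca.ext -out root.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj /CN=demo-intermediate \
  -keyout intermediate1.key -out intermediate1.csr 2>/dev/null
openssl x509 -req -in intermediate1.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -sha256 -days 1825 -extfile ca.ext -out intermediate1.crt 2>/dev/null
# Server side: the two commands the deck runs, then the CA signs the CSR.
openssl genrsa -out pmxserver.key 4096 2>/dev/null
openssl req -new -sha256 -key pmxserver.key -out pmxserver.csr -subj '/CN=*.example.test'
openssl x509 -req -in pmxserver.csr -CA intermediate1.crt -CAkey intermediate1.key \
  -CAcreateserial -sha256 -days 365 -extfile leaf.ext -out pmxserver.crt 2>/dev/null
# Unix equivalent of the deck's "type ... > pmxallcerts.txt"; order matters.
cat pmxserver.key pmxserver.crt intermediate1.crt root.crt > pmxallcerts.txt

# Returns 0 only when the bundle would pass kyrtool verify's checks: the private
# key matches the leaf and IssuerName of cert i equals SubjectName of cert i+1.
verify_bundle() {
  b=$1
  key_pub=$(openssl pkey -in "$b" -pubout 2>/dev/null | openssl sha256)
  leaf_pub=$(openssl x509 -in "$b" -pubkey -noout 2>/dev/null | openssl sha256)
  [ "$key_pub" = "$leaf_pub" ] || { echo "ERROR: private key does not match leaf"; return 1; }
  awk '/BEGIN CERT/{n++} n{print > ("chain" n ".pem")}' "$b"   # split into chain1..N
  n=$(grep -c 'BEGIN CERT' "$b"); i=1
  while [ "$i" -lt "$n" ]; do
    iss=$(openssl x509 -in "chain$i.pem" -noout -issuer | sed 's/^[a-z]*=//')
    sub=$(openssl x509 -in "chain$((i + 1)).pem" -noout -subject | sed 's/^[a-z]*=//')
    [ "$iss" = "$sub" ] || { echo "ERROR: cert $((i - 1)) was not issued by cert $i"; return 1; }
    echo "INFO: IssuerName of cert $((i - 1)) matches the SubjectName of cert $i"
    i=$((i + 1))
  done
  # Independent cryptographic check of the path, using the last cert as trust anchor.
  set --; j=2; while [ "$j" -lt "$n" ]; do set -- "$@" -untrusted "chain$j.pem"; j=$((j + 1)); done
  openssl verify -CAfile "chain$n.pem" "$@" chain1.pem >/dev/null
}
verify_bundle pmxallcerts.txt
```

A bundle assembled in the wrong order (root before intermediate) or with the wrong key fails the same checks that kyrtool verify would later report.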
SHA2 - Using it in Domino
• Install to servers & configure internet site documents
• Can be used in the following:
– ANY web site (iNotes, apps, etc)
– Traveler
– S/MIME (encrypted mail)
– Mail Protocols (SMTP, IMAP, POP3)
– LDAP
– DIIOP (must have 9.0.1 FP5)
SHA2 - Using it in Domino
Best Practice
• Disable SSLv3
– Notes.ini - DISABLE_SSLV3=1
• Disable TLS1.0 (if required)
– Notes.ini - SSL_DISABLE_TLS_10=1
• Cipher configuration...
SHA2 - Using it in Domino
Ciphers – what are they again?
• Algorithm for performing encryption and decryption
• A cipher suite is the combination of authentication, encryption, message authentication code (MAC) and key exchange algorithms used to negotiate the security settings for a network connection
SHA2 - Using it in Domino
Ciphers
• Because TLS support was delivered as an Interim Fix (IF), the Admin client UI could not be updated
• Cipher configuration via the UI is no longer used
• Notes.ini parameter SSLCipherSpec controls the ciphers
– example: SSLCipherSpec=C030009F009D
Transferrable to WebSphere?
• A 4096-bit certificate can generate an error when attempting to add it to WebSphere
• “RSA premaster secret” error
• You need to add the unrestricted policy files to WebSphere for the 4096-bit certificate length to be imported
- ibm.co/1JZGs3z
Transferrable to WebSphere?
• OpenSSL
– use it to create a p12/jks keystore and import the cert & private key
• IBM HTTP Server
– open the existing kdb key store and import from the p12
• Make sure your roots and intermediate certs are up to date!
Transferrable to WebSphere?
• Mail, Traveler, Connections, Sametime all using same certificate
Development
• Where possible, try to implement production certificates in the development environment
• If not possible, create a self-signed certificate with the same parameters
• Keep documentation up to date!
SSL Labs test
Summary
• Hackers across the internet are working around the clock to bust encryption
• Every week there are vulnerabilities discovered
• You need to understand where the vulnerabilities are, how to watch for them and how to protect against them
THANK YOU !!
http://auslug.org/survey2016