Two years ago enabling your site with SSL was a simple affair: buy a certificate or create your own, install it, then just remember to renew it every couple of years. Then, suddenly, security holes are being found in SSL virtually every month, popular browsers stop connecting to your site to protect themselves, and you're continually being told your users' data is at risk. In this session we will discuss how it all went wrong and can go wrong again, then go through each step of requesting, generating and deploying a 4096-bit SHA-2 certificate to use in a keyfile by Domino, IBM Connections, IBM Sametime and other WebSphere products. If you work with these IBM products and need to secure them with confidence, this session will show you how!
Benefits and Risks of a Single Identity - IBM Connect 2017
Gabriella Davis
What is valuable about a single identity, why is that something people want and how achievable is it? As people work across multiple systems they encounter an equal number of barriers where they must authenticate or otherwise prove their identity in order to gain access. Ideally we always want to be showing the same information about ourselves regardless of where someone searches or how we are found. In this session we’ll discuss the issues behind both creating a single identity and simplifying authentication. We’ll also review the risks you need to be aware of, the technologies available to you and the importance of good and current personal information.
This is an updated presentation that includes some speaker notes for clarity.
IBM Traveler Management, Security and Performance
Gabriella Davis
Traveler is a core component of most companies' mail infrastructure, but its maintenance and security go far beyond Domino server management. In this session we'll look at a Traveler environment from daily tasks to enforcing TLS, starting with understanding how Traveler behaves. We'll review both standalone and high availability configurations and discuss common problems, as well as how best to plan and design a secure and stable infrastructure.
The document discusses ensuring high availability for IBM Sametime deployments. It describes how to cluster various Sametime services like instant messaging, meetings, and media services behind a load balancer. It provides tips for clustering the Sametime system console, database server, and Domino directories to maintain availability. The document emphasizes designing systems to scale for future growth and ensuring consistency across clustered servers.
How to deliver industry standard browser security to the native Domino HTTP stack, using company-wide wildcard certificates deployed across all platforms.
Having a full set of Sametime features available on mobile devices has been a priority for IBM, so if you are deploying, whether it's the complete feature set including meetings, audio and video or just instant messaging, you can extend the functionality using the IBM Connections Chat and IBM Connections Meetings applications, which are available for most mobile platforms. In this session we will review both the backend server configuration and the features available via the mobile applications, and discuss usability, bandwidth and security implications.
This document provides information about becoming an IBM Connections administrator. It discusses the wide range of skills and technologies required, including CSS, Java, LDAP, databases, IBM HTTP Server configuration, and WebSphere administration. It emphasizes planning resources, verifying configurations, backing up data, monitoring logs, and following documentation to install, customize, and maintain Connections successfully.
NetDruid Communication Server is a Linux-based solution that provides cost-effective email, web, DNS, DHCP, firewall, and other network services. It exploits various server capabilities offered by Linux to reduce costs compared to separate hardware and software. NetDruid is developed in Perl and Linux scripting and consists of mail, proxy, DHCP, DNS, firewall, web, FTP, and instant messaging servers. It provides easy manageability and high performance on Linux.
Planning and Completing an IBM Connections Upgrade
Gabriella Davis
So you have IBM Connections installed, but now you need to decide what and when to update. It could be a WebSphere fix or a DB2 fixpack, a new application, a database schema or an entirely new version. Some updates are for security, some for performance and some for new features. In this session we'll discuss how you can decide when and what to upgrade, how to plan for and perform a safe upgrade regardless of its size, and test when it’s complete. We’ll also discuss what things can trip you up along the way.
Domino Security - not knowing is not an option (2016 edition)
Darren Duke
This document provides a summary of security best practices for Domino servers, including enabling SHA2 certificates, upgrading to TLS 1.2, enabling perfect forward secrecy and HTTP strict transport security, disabling insecure protocols like SSLv3, using a reverse proxy for SSL offloading and load balancing, and thoroughly testing configurations with tools like SSL Labs. It also covers antivirus exclusions needed for Domino servers and clients, securing LDAP connections to Active Directory, and new security features expected in future Domino releases like Java 8 support and encrypted Notes RPC.
Integrated Web Authentication (IWA) allows automatic authentication between Microsoft clients and servers. IWA uses SPNEGO to negotiate Kerberos or NTLM authentication protocols. Configuring IWA for Domino requires setting up Service Principal Names (SPNs) in Active Directory for Domino hostnames, configuring Domino to start as an Active Directory service account, and configuring browser settings for supported browsers. Troubleshooting may involve checking SPN and account configuration or debugging HTTP authentication with Domino.
Engage 2016 - Adm01 - Back from the Dead: When Bad Code Kills a Good Server
Bill Malchisky Jr.
It's Friday and a new customer calls. Their mission critical app is taking :05 to open documents and the users are quite concerned. Where do you start when handed a 20 year old application you have never seen, on a server you barely know? Join two IBM Champions as they dissect a complex Domino performance problem from both the administration and development side to provide a complete customer solution. The session includes best practices around problem solving techniques and a checklist you can use internally to quickly solve problems you encounter.
Adminlicious - A Guide To TCO Features In Domino v10
Gabriella Davis
With v10 of EVERYTHING due out in Q4 and the public beta now available, it's time to talk about what we know is coming and how to plan for upgrades. In this session I show the features I'm most inspired by (NDAs allowing!), talk about how I'm getting ready and why this is a really exciting time to be an admin!
The Road To A #Perfect10 - How To Get Ready For Domino, Sametime, VOP and T...
Gabriella Davis
Later this year HCL will be releasing the first major updates for Domino, Sametime, Traveler and Verse on Premises for several years. We've already heard about developments on the way such as a Notes client for tablet and phone, as well as structural changes like the removal of the 64GB file limit. The more up to date and well designed your infrastructure is, the easier these upgrades are going to be, so in this session Gab will explain how to audit, evaluate and fix your environment as well as what changes you can (and should) make in preparation so you can be fast to move when the products arrive.
Presented At CollabSphere 2018 in Ann Arbor, MI
Notes, Domino and the single sign on soup
Darren Duke
This document discusses various approaches to implementing single sign-on (SSO) with IBM Notes and Domino. It describes offload, synchronization, and integration approaches and provides examples of each. Specifically, it covers Notes Shared Login (NSL), synchronization using Tivoli Directory Integrator (TDI), Security Protocol for Next Generation Networks (SPNEGO), and Security Assertion Markup Language (SAML)/Notes Federated Logon (NFL). It emphasizes that a common user ID between the identity source and Domino is required and provides tips for setting up the Notes client with SSO.
The document discusses improving website security by enabling HTTPS and related protocols. It outlines problems such as HTTP traffic being unencrypted and vulnerable to interception, and solutions such as enabling HTTPS, configuring it securely, using HSTS and HTTPS preloading to force encryption, and services like Let's Encrypt to easily issue certificates for free. While progress has been made, challenges remain around certificate authorities, content delivery, and dependency on third parties. Adopting standards like HTTP Public Key Pinning and Certificate Transparency can help address some challenges.
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beau Bullock
Your vulnerability scanner reports that there are no issues on your network. A pentester has spent the last week trying to exploit every system your organization owns with no luck. The check box for this year's compliance audit has been checked. While it is good that these things occurred, they do not complete the picture in regards to true risk.
Real attackers do not solely rely on software exploits to compromise an environment. In almost every breach you hear about the root of the compromise came from a phishing attack. This is why additional tests, post-infection, should be performed to assess just how far an attacker can go after gaining a foothold into your environment.
What command and control channels are available for an attacker to utilize to communicate with your internal systems? How easy is it for an attacker to move laterally within your environment and gain access to other systems? What are your detection capabilities when it comes to sensitive data being exfiltrated out of your environment? How do you test these attacker techniques using open-source tools?
This lecture will address these questions and more, including a showcase of attacker methodologies.
An Introduction to Configuring Domino for Docker
Gabriella Davis
You may know that Docker is a container solution, but what does that mean and how could it affect your Domino infrastructure? In this session I will explain what Docker may offer, highlight the decisions to consider when designing a container architecture, show how to construct a container, how to install and run Domino inside one, and discuss options for clustering. Is Docker for you?
Presented at CollabSphere 2018 in Ann Arbor, MI
How to Protect Yourself From Heartbleed Security Flaw
ConnectSafely
This document provides tips on how to protect yourself from the Heartbleed security flaw. It advises users to check if sites they visit are vulnerable, change passwords once sites are confirmed not vulnerable, monitor accounts for suspicious activity, use strong and unique passwords at least 8 characters with numbers, symbols and capital letters, consider two-factor authentication, avoid phishing scams, and use a password manager for strong randomly generated passwords.
Automating Attacks Against Office365 - BsidesPDX 2016
Karl Fosaaen
The move to Office365 has become increasingly popular in the last few years. As a penetration tester, I'm seeing more organizations shuttle their domain credentials up to the cloud for easier management of their Office365 environment. By federating with Microsoft, many organizations are exposing a larger attack surface area to the internet. During this talk, I will show you how to identify domains that are Microsoft managed, help you guess passwords for users on those domains, and show you how to pivot from the cloud environment into a company's internal network. Since manually completing attacks against these endpoints can be tedious, I've created some PowerShell tools to help automate these attacks. We'll go over how to use these tools from an external penetration test perspective and show how Office365 in the cloud can be a great target for attackers.
Domino Security - not knowing is not an option - MWLUG 2015
Darren Duke
There have been a ton of changes to Domino security over the past few months. See what they are, why you need them and how to implement them, including but not limited to: SSL/TLS, Notes port encryption, reverse proxies, SHA2 certificates, SAML/NFL, Perfect Forward Secrecy. Learn. Implement. Sleep well.
The last few years have seen a dramatic increase in the number of PowerShell-based penetration testing tools. A benefit of tools written in PowerShell is that it is installed by default on every Windows system. This allows us as attackers to "live off the land". It also has built-in functionality to run in memory, bypassing most security products.
I will walk through various methodologies I use surrounding popular PowerShell tools. Details on attacking an organization remotely, establishing command and control, and escalating privileges within an environment all with PowerShell will be discussed. You say you’ve blocked PowerShell? Techniques for running PowerShell in locked down environments that block PowerShell will be highlighted as well.
Admin Tips In 60 Minutes
In this high speed session I take you through the best admin tips for Domino, Notes, Sametime, Traveler and more. From notes.ini values, to server configuration settings and valuable customisations.
Some tips will be new to v10 and some have been around but rarely used for years.
Whatever your experience there will be something new for you to take away and enjoy.
Presented at Engage.ug in Brussels May 2019
Pentest Apocalypse - that's when you hire a pentester, and they walk all over your network. To avoid this, organizations need to be prepared before the first packet is sent in order to get the most value from the tester. There is no excuse for pentesters to find critical vulnerabilities that are six years old on an assessment. And who needs a zero-day when employees leave credentials on wide-open shares? Just like how Doomsday Preppers helps you prepare for the apocalypse, this presentation will help you prepare for, and avoid, a pentest apocalypse by describing common vulnerabilities found on many assessments. Being prepared for common pentester activities will not only help add value to a pentest but will also help prevent attackers from using the same tactics to compromise your organization.
For more information please visit: http://bsidestampa.net
http://www.irongeek.com/i.php?page=videos/bsidestampa2015/104-pentest-apocalypse-beau-bullock
What is cool with Domino V10, Proton and Node.JS, and why would I use it in ...
Heiko Voigt
This document discusses using Node.js, React, and Express with Domino V10. It provides an overview of a demo that uses these technologies to build a survey application with a real-time dashboard. The demo includes a Notes/iPad app for surveys, a React frontend, a Node.js/Express REST API, and a Node.js/Socket.io real-time backend. It discusses the benefits of this approach, including scalability, flexibility, and reusability. It also provides recommendations for tooling and resources for learning more.
(This is the version of the session given at ICON UK, 13/9/18).
Domino v10 development will bring us Node.js integration in the form of the "NERD" stack - Node, Express, React and Domino. Using Node and React programming skills, developers will be able to access Domino data via a Domino module running under Node. BUT WHAT IS NODE? In this session Tim explains what Node is, how to work with it, and how Domino developers will be able to take advantage of this new platform.
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
Gabriella Davis
This document discusses deploying SHA2 certificates and the SSL problem. It begins with introductions of the presenters. It then provides background on encryption, certificates, and common acronyms related to security like SSL, TLS, HTTPS. The document outlines several past security vulnerabilities like POODLE, Heartbleed, and discusses solutions deployed. It then provides step-by-step instructions for creating certificates using OpenSSL and deploying them for Domino and WebSphere servers.
Lesson 1. General Introduction to IT and Cyber Security.pptx
Jezer Arces
This document provides an introduction to information and cyber security concepts. It defines information security as protecting data from all threats, while cyber security specifically addresses cyber threats. The three pillars of cybersecurity are outlined as confidentiality, integrity, and availability of data. Common computer protocols like HTTP, HTTPS, FTP, and protocols that make up the TCP/IP model are explained. Basic security terminology and functions of cookies are also covered to introduce fundamental IT and cyber security concepts.
NetDruid Communication Server is a Linux-based solution that provides cost-effective email, web, DNS, DHCP, firewall, and other network services. It exploits various server capabilities offered by Linux to reduce costs compared to separate hardware and software. NetDruid is developed in Perl and Linux scripting and consists of mail, proxy, DHCP, DNS, firewall, web, FTP, and instant messaging servers. It provides easy manageability and high performance on Linux.
Planning and Completing an IBM Connections UpgradeGabriella Davis
So you have IBM Connections installed, but now you need to decide what and when to update. It could be a WebSphere fix or a DB2 fixpack, a new application, a database schema or an entirely new version. Some updates are for security, some for performance and some for new features. In this session we'll discuss how you can decide when and what to upgrade, how to plan for and perform a safe upgrade regardless of its size, and test when it’s complete. We’ll also discuss what things can trip you up along the way.
Domino Security - not knowing is not an option (2016 edition)Darren Duke
This document provides a summary of security best practices for Domino servers, including enabling SHA2 certificates, upgrading to TLS 1.2, enabling perfect forward secrecy and HTTP strict transport security, disabling insecure protocols like SSLv3, using a reverse proxy for SSL offloading and load balancing, and thoroughly testing configurations with tools like SSL Labs. It also covers antivirus exclusions needed for Domino servers and clients, securing LDAP connections to Active Directory, and new security features expected in future Domino releases like Java 8 support and encrypted Notes RPC.
Integrated Web Authentication (IWA) allows automatic authentication between Microsoft clients and servers. IWA uses SPNEGO to negotiate Kerberos or NTLM authentication protocols. Configuring IWA for Domino requires setting up Service Principal Names (SPNs) in Active Directory for Domino hostnames, configuring Domino to start as an Active Directory service account, and configuring browser settings for supported browsers. Troubleshooting may involve checking SPN and account configuration or debugging HTTP authentication with Domino.
Engage 2016 - Adm01 - Back from the Dead: When Bad Code Kills a Good ServerBill Malchisky Jr.
It's Friday and a new customer calls. Their mission critical app is taking :05 to open documents and the users are quite concerned. Where do you start when handed a 20 year old application you have never seen, on a server you barely know? Join two IBM Champions as they dissect a complex Domino performance problem from both the administration and development side to provide a complete customer solution. The session includes best practices around problem solving techniques and a checklist you can use internally to solve quickly problems you encounter.
Adminlicious - A Guide To TCO Features In Domino v10Gabriella Davis
With v10 of EVERYTHING due out in Q4 and the public beta now available it’s time to talk about what we know is coming and how to plan for upgrades. In this session I show the features I'm most inspired by (NDAs allowing!) talk about how I'm getting ready and why this is a really exciting time to be an admin!
× The Road To A #Perfect10 - How To Get Ready For Domino, Sametime, VOP and T...Gabriella Davis
Later this year HCL will be releasing the first major updates for Domino, Sametime, Traveler and Verse on Premises for several years. We've already heard about developments on the way such as a Notes client for tablet and phone as well as structural changes like the removal of the 64GB file limit. The more up to date and well designed your infrastructure is, the easier these upgrades are going to be so In this session Gab will explain how to audit, evaluate and fix your environment as well as what changes you can (and should) do in preparation so you can be fast to move when the products arrive..
Presented At CollabSphere 2018 in Ann Arbor, MI
Notes, domino and the single sign on soupDarren Duke
This document discusses various approaches to implementing single sign-on (SSO) with IBM Notes and Domino. It describes offload, synchronization, and integration approaches and provides examples of each. Specifically, it covers Notes Shared Login (NSL), synchronization using Tivoli Directory Integrator (TDI), Security Protocol for Next Generation Networks (SPNEGO), and Security Assertion Markup Language (SAML)/Notes Federated Logon (NFL). It emphasizes that a common user ID between the identity source and Domino is required and provides tips for setting up the Notes client with SSO.
The document discusses improving website security by enabling HTTPS and related protocols. It outlines problems such as HTTP traffic being unencrypted and vulnerable to interception, and solutions such as enabling HTTPS, configuring it securely, using HSTS and HTTPS preloading to force encryption, and services like Let's Encrypt to easily issue certificates for free. While progress has been made, challenges remain around certificate authorities, content delivery, and dependency on third parties. Adopting standards like HTTP Public Key Pinning and Certificate Transparency can help address some challenges.
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beau Bullock
Your vulnerability scanner reports that there are no issues on your network. A pentester has spent the last week trying to exploit every system your organization owns with no luck. The check box for this year's compliance audit has been checked. While it is good that these things occurred, they do not complete the picture in regards to true risk.
Real attackers do not solely rely on software exploits to compromise an environment. In almost every breach you hear about the root of the compromise came from a phishing attack. This is why additional tests, post-infection, should be performed to assess just how far an attacker can go after gaining a foothold into your environment.
What command and control channels are available for an attacker to utilize to communicate with your internal systems? How easy is it for an attacker to move laterally within your environment and gain access to other systems? What are your detection capabilities when it comes to sensitive data being exfiltrated out of your environment? How do you test these attacker techniques using open-source tools?
This lecture will address these questions and more, including a showcase of attacker methodologies.
An Introduction to Configuring Domino for DockerGabriella Davis
You may know that docker is a container solution but what does that mean and how could it affect your Domino infrstructure? In this session I will explain what Docker may offer, highlight the decisions to consider when designing container architecture , how to construct a container, how to install and run Domino inside one and discuss options for clustering. Is Docker for you?
Presented at CollabSphere 2018 in Ann Arbor, MI
How to Protect Yourself From Heartbleed Security FlawConnectSafely
This document provides tips on how to protect yourself from the Heartbleed security flaw. It advises users to check if sites they visit are vulnerable, change passwords once sites are confirmed not vulnerable, monitor accounts for suspicious activity, use strong and unique passwords at least 8 characters with numbers, symbols and capital letters, consider two-factor authentication, avoid phishing scams, and use a password manager for strong randomly generated passwords.
Automating Attacks Against Office365 - BsidesPDX 2016Karl Fosaaen
The move to Office365 has become increasingly popular in the last few years. As a penetration tester, I'm seeing more organizations shuttle their domain credentials up to the cloud for easier management of their Office365 environment. By federating with Microsoft, many organizations are exposing a larger attack surface area to the internet. During this talk, I will show you how to identify domains that are Microsoft managed, help you guess passwords for users on those domains, and show you how to pivot from the cloud environment into a company's internal network. Since manually completing attacks against these endpoints can be tedious, I've created some PowerShell tools to help automate these attacks. We'll go over how to use these tools from an external penetration test perspective and show how Office365 in the cloud can be a great target for attackers.
Domino Security - not knowing is not an option - MWLUG 2015Darren Duke
There have been a ton of changes to Domino security over the past few months. See what they are, why you need them and how to implement them, including but not limited to: SSL/TLS Notes port encryption reverse proxies SHA2 certificates SAML/NFL Perfect Forward Secrecy Learn. Implement. Sleep well.
The last few years have seen a dramatic increase in the number of PowerShell-based penetration testing tools. A benefit of tools written in PowerShell is that it is installed by default on every Windows system. This allows us as attackers to “”live off the land””. It also has built-in functionality to run in memory bypassing most security products.
I will walk through various methodologies I use surrounding popular PowerShell tools. Details on attacking an organization remotely, establishing command and control, and escalating privileges within an environment all with PowerShell will be discussed. You say you’ve blocked PowerShell? Techniques for running PowerShell in locked down environments that block PowerShell will be highlighted as well.
Admin Tips In 60 Minutes
In this high speed session I take you through the best admin tips for Domino, Notes, Sametime, Traveler and more. From notes.ini values, to server configuration settings and valuable customisations.
Some tips will be new to v10 and some have been around but rarely used for years.
Whatever your experience there will be something new for you to take away and enjoy.
Presented at Engage.ug in Brussels May 2019
Pentest Apocalypse-That's when you hire a pentester, and they walk all over your network. To avoid this, organizations need to be prepared before the first packet is sent in order to get the most value from the tester. There is no excuse for pentesters to find critical vulnerabilities that are six years old on an assessment. And who needs a zero-day when employees leave credentials on wide-open shares? Just like how Doomsday Preppers helps you prepare for the apocalypse, this presentation will help you prepare for, and avoid, a pentest apocalypse by describing common vulnerabilities found on many assessments. Being prepared for common pentester activities will not only help add value to a pentest but will also help prevent attackers from using the same tactics to compromise your organization.
For More Information Please Visit:- http://bsidestampa.net
http://www.irongeek.com/i.php?page=videos/bsidestampa2015/104-pentest-apocalypse-beau-bullock
What is cool with Domino V10, Proton and Node.JS, and why would I use it in ...Heiko Voigt
This document discusses using Node.js, React, and Express with Domino V10. It provides an overview of a demo that uses these technologies to build a survey application with a real-time dashboard. The demo includes a Notes/iPad app for surveys, a React frontend, a Node.js/Express REST API, and a Node.js/Socket.io real-time backend. It discusses the benefits of this approach, including scalability, flexibility, and reusability. It also provides recommendations for tooling and resources for learning more.
(This is the version of the session given at ICON UK, 13/9/18).
Domino v10 development will bring us Node.js integration in the form of the “NERD” stack - Node, Express, React and Domino. Using Node and React programming skills developers will be able to access Domino data via a Domino module running under Node. BUT WHAT IS NODE? In this session Tim explains what Node is, how to work with it, and how Domino developers will be able to take advantage of this new platform.
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)Gabriella Davis
This document discusses deploying SHA2 certificates and the SSL problem. It begins with introductions of the presenters. It then provides background on encryption, certificates, and common acronyms related to security like SSL, TLS, HTTPS. The document outlines several past security vulnerabilities like POODLE, Heartbleed, and discusses solutions deployed. It then provides step-by-step instructions for creating certificates using OpenSSL and deploying them for Domino and WebSphere servers.
Lesson 1. General Introduction to IT and Cyber Security.pptxJezer Arces
This document provides an introduction to information and cyber security concepts. It defines information security as protecting data from all threats, while cyber security specifically addresses cyber threats. The three pillars of cybersecurity are outlined as confidentiality, integrity, and availability of data. Common computer protocols like HTTP, HTTPS, FTP, and protocols that make up the TCP/IP model are explained. Basic security terminology and functions of cookies are also covered to introduce fundamental IT and cyber security concepts.
Telnet is an early network protocol that allows text-based access to remote systems but lacks security features. It works at the application layer and provides bidirectional interactive text communication through a virtual terminal connection. SSH was developed as a secure replacement for Telnet, supporting encryption, authentication, and integrity to prevent eavesdropping and spoofing. It uses public/private key cryptography to securely transmit data and authenticate systems. While still used occasionally, SSH is now generally preferred over Telnet for remote access due to its enhanced security.
This document provides a high-level overview of TLS (Transport Layer Security):
TLS allows two parties to establish an encrypted connection by using public key cryptography for authentication during the initial handshake and then using symmetric encryption for faster encrypted data transfer. It relies on certificate authorities to validate server identities through digital signatures on their public keys. The initial handshake establishes a shared secret for deriving the symmetric encryption keys through techniques like Diffie-Hellman key exchange to provide forward secrecy if private keys are later compromised.
In this talk, I will explain the foundations of the TLS protocol: symmetric encryption, digital signature, PKI, and how these concepts come together to secure your network connections.
Certificate pinning in android applicationsArash Ramez
Certificate pinning is a security mechanism where an app specifies certificates from trusted authorities and only accepts connections signed by those certificates. This prevents man-in-the-middle attacks. The document discusses implementing certificate pinning in Android apps by configuring the network security configuration file or using third party libraries like OkHttp that have CertificatePinner classes to restrict which certificates an app will accept. It also describes how to retrieve a server's public key hashes to include in the pinning configuration.
Basic security principles for information systems development/deployment. Information security is concerned with the confidentiality, integrity, and availability of information. From these three 'pillars', the following principles must be applied when implementing and maintaining an information system: Accountability.
The document provides an overview of cryptography and SSH (Secure Shell) protocol basics. It discusses encoding vs encryption, symmetric and asymmetric encryption, digital signatures, certificates and PKI. It then describes problems like eavesdropping, spoofing and replay attacks that SSH aims to mitigate using encryption, host key verification, and unique session keys. Finally, it outlines the SSH protocol layers and authentication process using public key or PAM methods.
This document discusses the importance of using more encryption on the Internet to increase privacy and security. It makes the following key points:
1) The Internet has become too easy to monitor as we have built it without sufficient security protections by default. More encryption needs to be implemented across Internet services and protocols to make eavesdropping more difficult.
2) Developers should enable encryption by default for all new Internet protocols. Opportunistic encryption techniques can provide some protections even without full authentication.
3) Individuals can help push for more encryption by requiring encrypted connections when using services and enabling tools like HTTPS Everywhere on their browsers. Transitioning to encrypted connections wherever possible raises the bar for surveillance.
This document discusses how TLS (Transport Layer Security) works to securely encrypt internet communication. It explains the key aspects of TLS including authentication, key exchange, encryption, integrity protection, and forward secrecy. It discusses X.509 certificates and certificate chains. It also covers choosing strong cryptographic algorithms and key lengths to provide adequate security. Examples of cipher suites are provided that specify the cryptographic primitives and parameters used to implement security. Finally, resources for further learning about TLS/SSL and ways to validate TLS configurations are recommended.
Secure Communication with an Insecure Internet Infrastructurewebhostingguy
The document discusses Perspectives, a system that aims to strengthen SSH-style host authentication by using multiple network notaries to monitor and verify public keys for hosts. It describes how Perspectives works, including how notaries probe hosts to monitor keys over time, how clients query notaries to check key consistency, and how this approach provides improved security compared to traditional PKI or SSH-style authentication alone while retaining simplicity and low cost.
Introduction to SSL and How to Exploit & SecureBrian Ritchie
The document discusses SSL/TLS, how it works to securely transmit data between endpoints, and potential vulnerabilities. It provides an overview of SSL/TLS protocols and how data is encrypted and transmitted. It then outlines several common endpoint issues that can compromise SSL/TLS, such as inconsistent DNS configurations, self-signed certificates, incomplete certificates, and mixing plain text and encrypted sessions. Exploiting these issues allows man-in-the-middle attacks that can intercept and decrypt encrypted traffic.
TLS (Transport Layer Security) is a cryptographic protocol that provides encryption and security for data sent over the internet. It is used by HTTPS to encrypt communication between web browsers and servers. TLS 1.2, the previous standard, had security flaws in how it exchanged encryption keys. TLS 1.3 improves security by using Diffie-Hellman key exchange so keys are not sent directly over the network. To upgrade a website from HTTP to HTTPS, an SSL certificate must be purchased and installed, all links on the site must be changed to HTTPS, and HTTP traffic should be redirected to HTTPS.
This document discusses SSL/TLS protocols and how to set up your own certificate authority (CA) or use Let's Encrypt for free SSL certificates.
It provides a brief history of SSL and TLS protocols, outlines the key differences between versions, and lists common TLS implementations like OpenSSL. It then explains how to set up your own CA by generating root and intermediate certificates and signing server/client certificates.
Finally, it introduces Let's Encrypt as a free and automated CA that aims to promote SSL security. It explains how Let's Encrypt validates domain ownership and issues certificates to ensure communications are private, integrity is maintained, and parties can be trusted.
We need to protect our Internet communication - from basic web surfing to IP telephony, E-mail and Internet of things. This presentation gives some background and introduces one of the core security protocols - TLS, Transport Layer Security. This presentation is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License.
Update: See http://www.slideshare.net/oej/morecrypto-with-tis-version-20
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionAnant Shrivastava
This Session will focus on Mobile Top 10 2014-M3 : Insufficient Transport Layer protection. We will try to understand Transport Layer, Transport layer security (TLS), insecurities in TLS/SSL, and how this affects the overall security of Mobile Devices as well as what kind of protection can be applied and how this can be identified.
1. Cryptography is used to provide security in electronic commerce by ensuring privacy, authenticity, and preventing forgery, alteration, eavesdropping and tracing of messages.
2. There are two main types of cryptography - symmetric which uses the same key for encryption and decryption, and asymmetric (public key) which uses different keys for encryption and decryption.
3. Common symmetric algorithms are DES and AES while RSA is an example of an asymmetric algorithm commonly used for digital signatures and encryption.
This document provides an overview of Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL). It begins with an introduction to TLS/SSL, explaining what they are and their purposes of providing encryption, authentication and integrity verification. It then discusses digital certificates, the TLS/SSL handshake protocol and record protocol. It explains the four upper layer protocols: record, change cipher spec, alert and handshake. It provides details on SSL, TLS, their implementations and applications. The document is intended to explore how TLS works, best practices for its use, and its various applications in securing business computing.
If you are a Domino Administrator in any size company you already have a range of skills that make you an expert administrator across many platforms and technologies.
In this session Gab explains how to apply those skills and that knowledge to take your career wherever you want to go.
Presentation from Engage 2022 in Bruges
From day to day administration to advanced configuration from automated maintenance to running the best multi client mail server on the market, from advanced security to data access.
Design Decisions: Developing for Mobile - The Template Experience ProjectGabriella Davis
HCL Nomad allows us to access our Notes applications on tablet and mobile. Currently available for iOS, the team behind Template Experience have been working with HCL development and UI design to redesign the standard discussions template for Notes and produce a whitepaper based on that work to assist you with your own mobile development. The beta of that template and whitepaper have now been published and this presentation accompanies that work.
Domino Server Health - Monitoring and ManagingGabriella Davis
This document provides information on monitoring and managing Domino server health. It discusses analyzing and maintaining Domino server logs, using log filters, and analyzing log results. It also covers monitoring message tracking, mail probes, statistics, events, activity trends, and configuring the New Relic reporting tool. The document discusses database maintenance tasks like compacting and fixing up databases. It also discusses using the Domino Configuration Tuner tool and leveraging cluster symmetry and automatic database repairs.
How do Exchange on premises and the various Outlook clients line up against Domino on premises and its clients? In this session we'll look at the configuration options and management interfaces for each server as well as the client options and client behaviours. We'll also discuss the general ecosystems, considerations for migrating or co-existing and lessons learned. A great session for Domino admins who want to know more about the other side.
Presented at Engage.ug in Brussels May 2019
An Introduction To The DMARC SMTP Validation RequirementsGabriella Davis
DMARC is an SMTP security standard being increasingly requested by customers to protect against email spoofing. It uses a combination of SPF (Sender Policy Framework) records and DKIM (DomainKeys Identified Mail). Using DMARC you would publicly specify how your outbound mail is sent and the receiving server would verify that the mail it receives matches your requirements. In this session we’ll discuss DMARC deployments and what to do if your mail server (like IBM Domino or SmartCloud) does not yet support DKIM.
Presented at Collabsphere 2018 in Ann Arbor, MI
An introduction to configuring Domino for DockerGabriella Davis
9.0.1 FP10 brings support for Domino on a docker platform. You may know that docker is a container solution but what does that mean and how could it affect your Domino infrastructure? In this session we'll review how to install and run Domino in a docker container, whether it can support external clustering and the decisions to consider when designing container architecture.
In this session, presented as a workshop outline, we will walk you through your GDPR responsibilities and how to assess your risk. We’ll give some recommendations on high priority but easy to fix issues and how to discover, secure and take ownership of existing data. At the end of the session we will share the workshop outline to help with your own planning.
Prepared for Social Connections 13 in Philadelphia April 2018
An Introduction To The DMARC SMTP Validation RequirementsGabriella Davis
Presented at Social Connections 13 in Philadelphia April 2018.
In this session presented during Community Day at IBM Think, Gabriella Davis discusses the importance of a personal brand, why you have one, how to create one and how to move your brand to a new space.
A Guide To Single Sign-On for IBM Collaboration SolutionsGabriella Davis
Single sign-on, single identity and even password synchronization—in this session, we will take you through all the options available to minimize or eradicate logins across IBM's Collaboration Solutions (ICS); whether it is a Domino web server, IHS, Notes client, Traveler, Sametime, Connections or Verse, on-premises or cloud. The discussion will cover security certificates, password synchronization, IWA, SPNEGO and SAML Federation. We will explain what you can (and can't) do, and how to do it. Presented at Think 2018
The document discusses the Imposter Syndrome and provides tips to help deal with its effects. It explains that Imposter Syndrome causes people to feel like frauds and have doubts about their abilities, even when successful. It recommends challenging yourself with difficult tasks, admitting what you don't know, talking to others about feelings of inadequacy, praising others' work, and writing down accomplishments to build confidence and overcome imposter feelings.
What's New in Notes, Sametime and Verse On-PremisesGabriella Davis
This document provides a summary of new features in IBM Notes, Sametime, and Verse on-premises in version 10:
- IBM Notes version 10 includes upgrades to Eclipse/OSGI to version 4.6.2, embeds Sametime version 9.0.1x, allows compiling to Java 1.8, includes an add-on installer for CCM, and addresses some defects.
- Sametime is upgraded to version 9.0.1x when IBM Notes is upgraded to version 10. Administrators must manually update Sametime configuration if it was previously modified.
- New features in IBM Notes version 10 include the ability to send email in EML format, improved send mail
In this session from MWLUG 2017 I introduce the concepts of containerisation and discuss Docker architecture, design, deployment considerations and risks.
In this session we introduce administrators to the concepts of Docker and discuss architectural decisions that will come into play when deploying containers. Although this session was originally presented as part of IBM's New Way To Learn initiative it does not discuss any specific aspects of IBM technology.
Setting Up a Hybrid Domino Environment to Ease your Way to the CloudGabriella Davis
Are you looking at Cloud options and wondering how and if you can get there from where you are? If you have Domino on premises and are considering Cloud then a good option is a hybrid architecture which maintains all your on premises configuration managed by your own administrators but adds Cloud client access managed by IBM. We will look at how simple it is to create this hybrid solution using Domino passthru servers and review how things like user and directory maintenance, client access and mail routing will then work. From Domino Admin to Domino Hybrid Admin in a few simple steps.
Presentation from IBM InterConnect in Las Vegas March 2017.
Enabling Internet of Things (IoT) so your employees and your customers can have a simplified experience with new services and products sounds exciting. In this session, we will dig into the top ten risks that come with the IoT experience. Due to the rapidly evolving nature of IoT and associated threats, there are risks in allowing access to your enterprise resources. Custom firmware, embedded operating systems and wi-fi connectivity of IoT devices offer many possible areas for exploits and misuse. Come explore current security offerings and get a first look at best practices. Walk away with an immediate checklist to benefit your enterprise as it deploys and offers IoT access.
How often do you hear that the business is discussing moving mail platforms because “our users want X” where X is nothing to do with the server and everything to do with the client UI. Domino remains the best mail server available but often user dissatisfaction drives a move and that comes from being asked to use the wrong client or from a bad deployment. If you’re using Domino you have an ever expanding range of clients to choose from browsers, iNotes, Verse, Traveler with iOS integration, Android applications, POP3 and IMAP. Come to this session to learn how to find the right client to fit the business and keep your Domino infrastructure.
This document discusses Penumbra Briefings, which are town hall discussions by experts on IBM products, technologies, and strategies. Penumbra Partnering consists of 18 member companies who are major IBM Business Partners. The briefings aim to provide independent opinion and clear explanations to help customers understand announcements and consider their strategies. At IBM Connect 2017, Penumbra plans to have daily briefings broadcast from San Francisco to discuss that day's news and sessions, with contributors from Penumbra members and IBM. The briefings are intended for Connect attendees, non-attendees, and anyone seeking to better understand IBM products. A survey is included to gather feedback on the briefings.
The SSL Problem and How to Deploy SHA2 Certificates
1. The SSL Problem & How
To Deploy SHA2
Certificates
Mark Myers
Director - LDC Via
mark@ldcvia.com
Gabriella Davis
Technical Director - The Turtle Partnership
gabriella@turtlepartnership.com
2. Who Are We?
❖ Admin of all things and especially
quite complicated things where the
fun is
❖ Working with security , healthchecks,
single sign on, design and deployment
of Domino, ST, Connections and things
that they talk to
❖ Stubborn and relentless problem
solver
❖ Lives in London about half of the time
❖ gabriella@turtlepartnership.com
❖ twitter: gabturtle
3. Who Are We?
❖ Member of the London Developer Co-
op
❖ Co-writer of LDCVia http://www.ldcvia.com
❖ IBM Connections, Domino, Mobile
and Web development
❖ Hire me!
❖ Developer from a support background
❖ 14+ years on Domino, 17+ years in IT
❖ Speaker at 6x Lotuspheres/Connects,
6 x UKLUGs, 1 x ILUG, 3 x BLUG/
Engage
4. Why This Session?
• Encrypting and securing information is not just a thing you
add to complete a project, it’s a necessity
• Information can be intercepted en route between client
and server or between servers
• This can include credentials which can then expose
further information
• The speed at which hackers are working around
encryption standards is growing; major attacks and
vulnerabilities appear every week
• You need to understand where the vulnerabilities are,
how to watch for them and how to protect against them
5. Encryption and Certificates
❖ What is Encryption?
❖ It is a process of making data unrecognizable
❖ Unless you have the “key” to unlock the data.
❖ Without the key, it should be impossible, or more commonly
infeasible, to read the data in a reasonable timeframe.
❖ What are Certificates?
❖ Digital Certificates are a way of trying to prove that the security “key”
they contain actually belongs to the person they were issued to.
❖ This is done via a trusted third party that both parties in communication
can rely on.
7. SSL
❖ Stands for Secure Socket Layer
❖ A cryptographic protocol (A set of agreed rules for coding and
decoding messages so as to keep those messages secure)
❖ Each version was replaced by the next because of security
flaws, and the protocol is now completely deprecated (June 2015,
RFC 7568)
❖ Its death knell was the block cipher attack used by POODLE (see
later slide) in 2014
❖ Replaced by...
8. TLS
❖ “Transport Layer Security”
❖ Like SSL it is a cryptographic protocol (A set of agreed rules for
coding and decoding messages so as to keep those messages
secure)
❖ The successor to SSL (TLS 1.0 is actually SSL 3.1 but was
renamed to mark the change to an open standard rather than
Netscape's protocol)
❖ Currently has 3 versions 1.0, 1.1, 1.2 (1.3 in Draft)
❖ Like SSL it is a constantly changing protocol
9. S/MIME
❖ This is another protocol, this time for allowing email in the
MIME format (basically all SMTP mail) to be signed
and/or encrypted
❖ Signed: To ensure to your email recipients that you
actually sent the email
❖ Encrypted: To protect the content from being read by
anyone other than the intended recipients.
❖ Just about the only intersystem security standard that all
vendors can agree on.
10. HTTPS
❖ This is the transfer of data using the Hypertext Transfer
Protocol over a link secured by either SSL or TLS
❖ Provides:
❖ Bidirectional encryption of your data in transit
❖ A reasonable guarantee that you are talking to who
you think you are.
❖ Defends against "Man in the Middle" and third party
snooping attacks.
11. SHA2
❖ An upgrade to the popular hashing algorithm used by the
majority of SSL certificates
❖ Its predecessor SHA1 was found to be more insecure than
was previously thought (not broken, just not as secure)
❖ Microsoft, Google and Mozilla all announced deprecation
plans for SHA1
❖ When people talk about "SHA256" they are talking about
one of the 6 hash functions, named for their digest lengths, that
make up the SHA2 family
12. AES
❖ “Advanced Encryption Standard”
❖ Based on 3 members of the Rijndael cipher family
(developed by Joan Daemen and Vincent Rijmen) each
with a block size of 128 bits, but three different key
lengths: 128, 192 and 256 bits.
❖ Used worldwide and a federal government standard
❖ It supersedes DES (Data Encryption Standard) which
you can now brute force attack
14. Man in the Middle Attack
❖ An attack where someone intercepts communication
between two systems and acts as a proxy between the
parties without either of them knowing
15. This is Betty
❖ Betty knows the internet is scary.
❖ She always clicks the link
❖ She likes to shop and bank online
❖ Betty gets emails telling her to click on a link and give her password
16. This is Hank
❖ Hank owns a bank
❖ He needs to keep Betty’s money safe.
❖ Hank knows Betty will click on the link .. and that it will be his fault if her money goes missing
17. This is Jazz
❖ Jazz is cool
❖ Jazz is a system administrator
❖ Jazz has to keep corporate data secure whilst keeping access simple & staying ahead of hackers
❖ Jazz doesn’t sleep much
18. This is Harry
❖ Harry is a jerk with no morals
❖ He only cares about getting money and causing disruption
19. Encryption
[Diagram: “Hi Betty !” is encrypted into a block of ciphertext and decrypted back to “Hi Betty !”]
❖ It’s all about the key. How strong is it? How secure is it? Is it even the right key?
20. Man in the middle
[Diagram: “Hi Betty !” is encrypted, the ciphertext is intercepted and altered in transit, and the recipient decrypts “Bye Betty!”]
21. With SHA2 & Strong Keys
[Diagram: “Hi Betty !” is encrypted and arrives unaltered as “Hi Betty!”; the interceptor is left with only unreadable ciphertext (shown as “! ***”)]
22. POODLE
❖ “Padding Oracle On Downgraded Legacy Encryption”
❖ An exploit that allowed attackers to trick a session into using SSL
rather than TLS, then during that session use a design flaw in SSL
3.0 to snoop on the session
❖ What it did
❖ It allowed attackers to perform a man in the middle attack
❖ How it was stopped
❖ We all turned off SSL V3.0 on the servers (and were then
grumbled at by people who used old browsers)
23. ShellShock or Bashdoor
❖ A bug from the original version of Bash* allowed you
to launch child instances of Bash but supply your own
variables
❖ What it did
❖ It allowed an attacker to execute bash commands on
the target server
❖ How it was stopped
❖ Patched all servers running Bash
*A program that a lot of Unix-based systems use to execute
command lines and command scripts
24. Heartbleed
❖ A "buffer over-read" vulnerability in the TLS heartbeat extension of OpenSSL
caused by a missing input validation check (but really by not enough peer
review)
❖ What it did
❖ Allowed an attacker to read up to 64 kilobytes of the servers active memory
for each attack, memory that was very likely to contain secure information.
❖ How it was stopped
❖ We updated all clients/servers to a patched version of OpenSSL
❖ Reissued all certificates where there was any chance they could have been
compromised.
25. Freak - “Factoring RSA Export Keys”
❖ A vulnerability caused by the growth of cheap computing power
❖ A "512-bit export-grade key" can now be broken with a bit of maths
called the "Number Field Sieve algorithm"* and about $150 of
cloud computing
❖ What it did
❖ Allowed the attacker to perform a man in the middle attack
❖ How it was stopped
❖ We disabled "TLS export cipher suites" either by updating browsers,
disabling the feature in servers or updating libraries that used them
(such as OpenSSL) to versions that did not
*https://en.wikipedia.org/wiki/General_number_field_sieve
27. What’s Next?
❖ Who knows!! The important thing we have all learnt is that just
because something has been around for a while is no guarantee of it
being bomb proof.
❖ No system is perfect
❖ Open source software is a great concept, but relies on ACTIVE
members picking at each others code and performing peer review.
❖ Closed Source relies on the competency of hidden processes and
testers not succumbing to pressure to “Ship now”.
❖ Just remember there is always someone cleverer than you.
28. So We Need The Strongest Certificate That
Uses The Best Algorithm & Is Kept Up To Date
How Do We Do That?
29. Certificate Structures
❖ Certificate authorities
❖ Private keys
❖ Trusted roots
❖ Generating a certificate
❖ You’ll need a keyfile
❖ You’ll need a request with all the details of your certificate
❖ You’ll need the trusted roots and intermediate certificates of your CA
❖ You’ll need the final certificate itself
33. File Extensions For Certificates
❖ More Acronyms
❖ Certificate formats
❖ PEM (text, begins with -----BEGIN CERTIFICATE-----)
❖ CRT
❖ CER
❖ KEY
❖ DER (binary)
❖ PFX or P12
❖ CSR (certificate signing request)
❖ OpenSSL can convert most certificate forms to most others
34. OpenSSL
❖ An open source library of SSL and TLS cryptography
❖ Available for most platforms
❖ Developed and managed by https://www.openssl.org
❖ Repository for downloads on https://github.com/openssl/openssl
❖ Create certificates
❖ Convert certificates
❖ Extract certificates
36. Installing OpenSSL - For the brave
❖ https://www.openssl.org/source/
❖ ftp://ftp.openssl.org/source/ previous version
❖ ftp://ftp.openssl.org/source/old older versions
❖ Download the compressed file and extract
❖ Read the README for instructions, e.g. run
❖ INSTALL Linux, Unix, etc.
❖ INSTALL.W32 Windows (32bit)
❖ INSTALL.W64 Windows (64bit)
❖ https://wiki.openssl.org/index.php/Compilation_and_Installation
37. Installing OpenSSL Under Windows
❖ I found the easiest solution (as an Admin) is to install the pre-built
Windows executable from Shining Light - there are others out there
❖ https://slproweb.com/products/Win32OpenSSL.html
❖ Download the most recent “lite” version
❖ Currently 1.0.2h (Win32OpenSSL_Light-1_0_2h)
40. Installing OpenSSL For Linux
❖ For Linux many distros come with a pre compiled
version of OpenSSL
❖ yum install openssl
❖ Each OS may have its own method for configuration
42. Domino – Creating A SHA2 Certificate
❖ Domino no longer uses the Secure Server Certificate
database to generate keyfiles or merge certificates
❖ We use a combination of OpenSSL and an IBM utility for
Domino called kyrtool
❖ Download kyrtool from IBM Fix Central http://ibm.co/1SAYX5E
❖ copy it to your Notes or Domino program directory
❖ The program files must be 9.0.1 FP3 or higher
43. Domino – Creating A SHA2 Certificate
❖ We need to decide the size of the key pair we want to create
❖ the larger the key pair, the harder it is to break
❖ not all software systems support the largest key pairs
❖ If using Windows set the environment variable for OpenSSL first
❖ Set OpenSSL_Conf=c:\openssl\bin\openssl.cfg
❖ verify openssl.cfg actually exists in that directory
❖ To create a 4096-bit key pair
❖ c:\openssl\bin\openssl genrsa -out mynewserver.key 4096
44. Create a Certificate Signing Request
❖ When buying a new certificate, this is what you send to your CA
❖ openssl req -new -sha256 -key mynewserver.key -out mynewserver.csr
❖ note that we are requesting a SHA2 certificate
❖ the CSR will be verified by the CA when you submit it,
so you can check that it’s right
❖ if not, you can recreate it by running the command
again
47. Now Comes The Domino Bit
❖ We have to create a keyring file in a format Domino will be able to read
❖ For that we use the kyrtool we downloaded from Fix Central
❖ From your Notes program directory
❖ kyrtool create -k c:\notes\data\mynewserver.kyr -p <passwordyouwanttouse>
❖ this will create two files
❖ mynewserver.kyr
❖ mynewserver.sth (this is the stashed password that unlocks the
keyring)
48. Nearly There…
❖ We have our keyring file
❖ We have sent our request for a certificate, generated off our
new key pair, to our CA
❖ When the CA sends the certificate back we can merge the new
certificate into our keyring file
❖ we need to merge ALL the certificates, root, intermediate and
server, together with the private key into a single “key” file
❖ c:\openssl\bin>type mynewserver.key server.crt intermediate.crt root.crt > mynewserver.txt
49. Last Step
❖ We now add our new txt file with all the certificates in it
into our new Domino keyring
❖ c:\ibm\notes\kyrtool import all -k c:\notes\data\mynewserver.kyr -i c:\openssl\bin\mynewserver.txt
❖ That’s it. We now have a shiny keyring pair to use with
our Domino server
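Before handing mynewserver.txt to kyrtool import all, it is worth checking that the merged file has the shape the steps above produce: the private key first, then the server, intermediate and root certificates, each a PEM block (the text format from the file-extensions slide) whose body decodes to one complete DER structure. This is an added example, not from the deck or from IBM; the sample PEM blocks are constructed stand-ins, and it checks only PEM/DER framing and block order, not signatures or the chain itself.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY"}

def der_length_ok(der: bytes) -> bool:
    """True if der is one complete DER SEQUENCE (tag 0x30) whose short- or
    long-form length field matches the number of bytes actually present."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                   # short form: the length is this byte
        return len(der) == 2 + first
    n = first & 0x7F                   # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_merged_file(text: str, expected_certs: int = 3) -> list:
    """Return the PEM labels in order, or raise ValueError on the first problem
    (undecodable block, key not first, wrong number of CERTIFICATE blocks)."""
    labels = []
    for label, body in PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:
            raise ValueError(f"{label}: body is not valid base64 ({exc})")
        if not der_length_ok(der):
            raise ValueError(f"{label}: body is not a complete DER SEQUENCE")
        labels.append(label)
    if not labels or labels[0] not in KEY_LABELS:
        raise ValueError("the private key must be the first block")
    certs = labels[1:]
    if len(certs) != expected_certs or any(c != "CERTIFICATE" for c in certs):
        raise ValueError(f"expected {expected_certs} CERTIFICATE blocks, got {certs}")
    return labels

def pem_block(label: str, der: bytes) -> str:
    """Wrap DER bytes as a PEM block with 64-character lines, as openssl writes them."""
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"

# Constructed sample: minimal fake DER SEQUENCEs stand in for a real key and certificates.
SHORT_DER = b"\x30\x03\x02\x01\x05"                 # SEQUENCE { INTEGER 5 }
LONG_DER = b"\x30\x82\x01\x00" + b"\x05\x00" * 128  # SEQUENCE, 256-byte body, long-form length
SAMPLE_OK = (pem_block("RSA PRIVATE KEY", LONG_DER) + pem_block("CERTIFICATE", LONG_DER)
             + pem_block("CERTIFICATE", SHORT_DER) + pem_block("CERTIFICATE", SHORT_DER))
SAMPLE_MISSING_ROOT = SAMPLE_OK.rsplit("-----BEGIN CERTIFICATE-----", 1)[0]  # one cert short
```

Run check_merged_file on the real mynewserver.txt contents; a ValueError tells you which block is malformed or missing before kyrtool sees it.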
50. Installing A SHA2 Certificate Under Domino
❖ Install Using Internet Site Documents
❖ The first keyring file in the Internet Site docs view that matches the
server configuration “wins”.
❖ Avoid too many wildcard or duplicate Internet Site Documents
❖ What can you use it for
❖ HTTPS (Traveler, Websites)
❖ S/MIME (encrypted mail)
❖ TLS (HTTP/HTTPS, LDAP/LDAPS, SMTP, IMAP, and POP3)
❖ DIIOP as of 9.0.1 FP5
51. More Domino SSL
❖ Remove weak ciphers from the site documents
❖ Add Disable_SSLV3=1 to the notes.ini on the server
❖ Domino supports TLS 1.2 now
❖ SSL_DISABLE_TLS_10
❖ https://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_1.2
52. Working With WebSphere Certificates
❖ WebSphere installs with its own keystores for each cell
and node you add
❖ The keystores are created and owned by IBM and have
the hostname of the server you’re installing onto by
default
❖ The cell keystores are found in
❖ /profiles/Dmgr01/config/cells/{cellname}/trust.p12
❖ /profiles/Dmgr01/config/cells/{cellname}/key.p12
53. Accessing The SSL Configuration
❖ Login to the WebSphere ISC
❖ Security - SSL Certificate and Key Management
55. Adding A New Certificate To WebSphere
❖ Go to the CellDefaultTrustStore; if the certificate already exists on another server
you can “Retrieve from port”
❖ Add your root and intermediate certificates here
56. Personal Certificate Request
❖ The simplest way to generate a
WAS certificate
❖ create a CSR in WAS
❖ “receive” it into WAS when
sent from the CA
❖ you can’t “receive” a
certificate you didn’t
request
57. WebSphere and 4096 Key Length Certificates
❖ A 4096 certificate can generate an error when attempting
to add to WebSphere
❖ “RSA premaster secret”
❖ You need to add the unrestricted policy files to
WebSphere for the 4096 certificates to be imported
59. Exporting A Certificate From WebSphere
❖ Export a WAS certificate so that it can be imported onto
other systems
❖ Such as a keyfile database generated by ikeyman and
used by IBM HTTP Server
60. Working With Ikeyman
❖ There are different versions of ikeyman that create
keyfile databases recognised by different products
❖ Look in the program directory for your installed
product to find the right one
❖ For IBM HTTP Server the file is in /IBM/HTTPServer/bin
❖ On Linux you’ll need to configure X11 forwarding if you
don’t have a graphical interface
61. Working With IKeyMan - Signer Certificates
❖ Import the WebSphere certificate we extracted earlier
❖ Add root and intermediate certificates
63. Editing httpd.conf to add SSL configuration
❖ Example content
❖ LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
❖ Listen 0.0.0.0:443
❖ <VirtualHost *:443>
❖ SSLEnable
❖ SSLProtocolDisable SSLv2
❖ </VirtualHost>
❖ KeyFile /opt/IBM/HTTPServer/Plugins/config/webserver1/plugin-cfg.kdb
❖ SSLDisable
❖ Restart IHS - use netstat to see if 443 is active and listening
❖ Check IHS logs for SSL errors
❖ If WebSphere doesn’t have a copy of the IHS certificate and IHS doesn’t have a copy of the WebSphere certificate or they don’t
share a trusted root, they won’t be able to communicate
64. SSL and Development
❖ Despite the initial pain, see if you can get a proper production
SSL certificate to use on your development environment.
❖ If you cannot (for cost reasons), ensure you create a self-signed cert
that is EXACTLY the same type as your production
environment
❖ Identify ALL your third party libraries to your Admins, as
well as any changes in versions, in a proper release document,
particularly if you are overriding an existing library on the
server
65. Testing SSL On Your Site
❖ https://www.ssllabs.com/ssltest/
66. What Else?
❖ You can’t stay ahead of the hackers but you must be
vigilant and keep up
❖ Have a plan for monitoring
❖ Have a plan for lock down at the first appearance of
exposure
❖ Have a plan to fix the vulnerability
❖ Have a plan to identify what information may be
compromised
❖ Have a plan to make that information of as little value as
possible
67. Resources
❖ Working with OpenSSL https://www.feistyduck.com/books/openssl-cookbook/
❖ Creating SHA2 For Domino http://turtleblog.info/2015/06/22/creating-sha-2-4096-ssl-certificates-for-domino/
❖ Unrestricted policy files for WebSphere http://www-01.ibm.com/support/docview.wss?uid=swg21663373