The SSL Problem & How To Deploy SHA2 Certificates
Mark Myers
Director - LDC Via
mark@ldcvia.com
Gabriella Davis
Technical Director - The Turtle Partnership
gabriella@turtlepartnership.com
Who Are We?
❖ Admin of all things and especially quite complicated things where the fun is
❖ Working with security, healthchecks, single sign on, design and deployment of Domino, ST, Connections and things that they talk to
❖ Stubborn and relentless problem solver
❖ Lives in London about half of the time
❖ gabriella@turtlepartnership.com
❖ twitter: gabturtle
Who Are We?
❖ Member of the London Developer Co-op
❖ Co-writer of LDCVia http://www.ldcvia.com
❖ IBM Connections, Domino, Mobile and Web development
❖ Hire me!
❖ Developer from a support background
❖ 14+ years on Domino, 17+ years in IT
❖ Speaker at 6 x Lotuspheres/Connects, 6 x UKLUGs, 1 x ILUG, 3 x BLUG/Engage
Why This Session?
• Encrypting and securing information is not just a thing you
add to complete a project, it’s a necessity
• Information can be intercepted en route between client
and server or between servers
• This can include credentials, which can then expose
further information
• The speed at which hackers are working around
encryption standards is growing, major attacks and
vulnerabilities appear every week
• You need to understand where the vulnerabilities are,
how to watch for them and how to protect against them
Encryption and Certificates
❖ What is Encryption?
❖ It is a process of making data unrecognizable
❖ Unless you have “key” to unlocking the data.
❖ Without the key, it should be impossible, or more commonly
unfeasible, to read the data in a reasonable timeframe.
❖ What are Certificates?
❖ Digital Certificates are a way of trying to prove that the security “key”
they contain actually belongs to the person they were issued to.
❖ This is done via a trusted third party that both parties in communication
can rely on.
Let’s Talk Acronyms
SSL
❖ Stands for Secure Socket Layer
❖ A cryptographic protocol (A set of agreed rules for coding and
decoding messages so as to keep those messages secure)
❖ Each version was replaced by another version due to security
flaws, and the protocol is now completely deprecated (June 2015 by RFC 7568)
❖ Its death knell was the block cipher attack used by POODLE (see
later slide) in 2014
❖ Replaced by...
TLS
❖ “Transport Layer Security”
❖ Like SSL it is a cryptographic protocol (a set of agreed rules for
coding and decoding messages so as to keep those messages
secure)
❖ The successor to SSL (TLS 1.0 is actually SSL 3.1 but was
renamed to mark the change to an open standard rather than
Netscape's protocol)
❖ Currently has 3 versions 1.0, 1.1, 1.2 (1.3 in Draft)
❖ Like SSL it is a constantly changing protocol
S/MIME
❖ This is another protocol, this time for allowing email in the
MIME format (basically all SMTP mail) to be both signed
or/and encrypted
❖ Signed: To ensure to your email recipients that you
actually sent the email
❖ Encrypted: To protect the content from being read by
other entities than the intended recipients.
❖ Just about the only intersystem security standard that all
vendors can agree on.
HTTPS
❖ This is the transfer of data using the Hypertext Transfer
Protocol over a link secured by either SSL or TLS
❖ Provides:
❖ Bidirectional encryption of your data in transit
❖ A reasonable guarantee that you are talking to who
you think you are.
❖ Defends against "Man in the Middle" and third party
snooping attacks.
SHA2
❖ An upgrade to the popular hashing algorithm used by the
majority of SSL certificates
❖ Its predecessor SHA1 was found to be less secure than
was previously thought (not broken, just not as secure)
❖ Microsoft, Google and Mozilla all announced deprecation
plans for SHA1
❖ When people talk about "SHA256" they are talking about
one of the six hash functions (named by their digest length) that make up the
SHA2 family
AES
❖ “Advanced Encryption Standard”
❖ Based on 3 members of the Rijndael cipher family
(developed by Joan Daemen and Vincent Rijmen) each
with a block size of 128 bits, but three different key
lengths: 128, 192 and 256 bits.
❖ Used worldwide and a federal government standard
❖ It supersedes DES (Data Encryption Standard) which
you can now brute force attack
What Went Wrong

… and keeps going wrong
Man in the Middle Attack
❖ An attack where someone intercepts communication
between two systems and acts as a proxy between the
parties without either of them knowing
Betty knows the internet is scary.
She always clicks the link
She likes to shop and bank online
This is Betty
Betty gets emails telling her to click on a
link and give her password
Hank knows Betty will click on the link
… and that it will be his fault if her
money goes missing
This is Hank
Hank owns a bank
He needs to keep
Betty’s money safe.
Jazz is cool
Jazz has to keep corporate data secure whilst
keeping access simple & staying ahead of
hackers
Jazz is a system
administrator
Jazz doesn’t sleep much
This is Jazz
Harry is a jerk
with no
morals
He only cares about getting
money and causing disruption
This is Harry
Encryption
[Diagram: “Hi Betty!” is encrypted to ciphertext in transit and decrypted back to “Hi Betty!” at the far end]
It’s all about the key. How strong is it? How secure is it? Is it even the right key?
Man in the middle
[Diagram: Harry sits between the two parties; “Hi Betty!” goes in, is decrypted and re-encrypted by him, and “Bye Betty!” comes out the other side]
With SHA2 & Strong Keys
[Diagram: Harry intercepts the ciphertext, but “Hi Betty!” arrives at the far end unchanged]
POODLE
❖ "Padding Oracle On Downgraded Legacy Encryption"
❖ An exploit that allowed attackers to trick a session into using SSL
rather than TLS, then during that session use a design flaw in SSL
3.0 to snoop on the session
❖ What it did
❖ It allowed attackers to perform a man in the middle attack
❖ How it was stopped
❖ We all turned off SSL V3.0 on the servers (and were then
grumbled at by people who used old browsers)
ShellShock or Bashdoor
❖ A bug dating from the original version of Bash* allowed you
to launch child instances of Bash but supply your own
variables
❖ What it did
❖ It allowed an attacker to execute bash commands on
the target server
❖ How it was stopped
❖ Patched all servers running Bash
*A program that a lot of Unix-based systems use to execute
command lines and command scripts
Heartbleed
❖ A "buffer over-read" vulnerability in the TLS heartbeat extension of OpenSSL
caused by a missing input validation check (but really by not enough peer
review)
❖ What it did?
❖ Allowed an attacker to read up to 64 kilobytes of the server's active memory
for each attack, memory that was very likely to contain secure information.
❖ How it was stopped?
❖ We updated all clients/servers to a patched version of OpenSSL
❖ Reissued all certificates where there was any chance they could have been
compromised.
Freak - “Factoring RSA Export Keys”
❖ A vulnerability caused by the growth of cheap computing power
❖ A "512-bit export-grade key" can now be broken with a bit of maths
called the "Number Field Sieve algorithm"* and about $150 of
cloud computing
❖ What it did?
❖ Allowed the attacker to perform a man in the middle attack
❖ How it was stopped?
❖ We disabled "TLS export cipher suites" either by updating browsers,
disabling the feature in servers or updating libraries that used them
(such as OPENSSL to versions that did not)
*https://en.wikipedia.org/wiki/General_number_field_sieve
Why Is This A Growing Problem?
What’s Next?
❖ Who knows! The important thing we have all learnt is that just
because something has been around for a while is no guarantee of it
being bomb proof.
❖ No system is perfect
❖ Open source software is a great concept, but relies on ACTIVE
members picking at each others code and performing peer review.
❖ Closed Source relies on the competency of hidden processes and
testers not succumbing to pressure to “Ship now”.
❖ Just remember there is always someone cleverer than you.
So We Need The Strongest Certificate That
Uses The Best Algorithm & Is Kept Up To Date
How Do We Do That?
Certificate Structures
❖ Certificate authorities
❖ Private keys
❖ Trusted roots
❖ Generating a certificate
❖ You’ll need a keyfile
❖ You’ll need a request with all the details of your certificate
❖ You’ll need the trusted roots and intermediate certificates of your CA
❖ You’ll need the final certificate itself
File Extensions For Certificates
❖ More Acronyms
❖ Certificate formats
❖ PEM (text, starting -----BEGIN CERTIFICATE-----)
❖ CRT
❖ CER
❖ KEY
❖ DER binary
❖ PFX or P12
❖ CSR (certificate signing request)
❖ OpenSSL can convert most certificate forms to most others
OpenSSL
❖ An open source library of SSL and TLS cryptography
❖ Available for most platforms
❖ Developed and managed by https://www.openssl.org
❖ repository for downloads on https://github.com/openssl/openssl
❖ Create certificates
❖ Convert certificates
❖ Extract certificates
HERE BE TIGERS
Installing OpenSSL - For the brave
❖ https://www.openssl.org/source/
❖ ftp://ftp.openssl.org/source/ previous version
❖ ftp://ftp.openssl.org/source/old older versions
❖ Download the compressed file and extract
❖ Read the README for instructions, e.g. run
❖ INSTALL Linux, Unix, etc.
❖ INSTALL.W32 Windows (32bit)
❖ INSTALL.W64 Windows (64bit)
❖ https://wiki.openssl.org/index.php/Compilation_and_Installation
Installing OpenSSL Under Windows
❖ I found the easiest solution (as an Admin) is to install the pre-built Windows
executable from Shining Light - there are others out there
❖ https://slproweb.com/products/Win32OpenSSL.html
❖ Download the most recent “lite” version
❖ Currently 1.0.2h (Win32OpenSSL_Light-1_0_2h)
Installing OpenSSL For Linux
❖ For Linux many distros come with a pre compiled
version of OpenSSL
❖ yum install openssl
❖ each OS may have its own method for configuration
Let’s Create Some Certificates
Domino – Creating A SHA2 Certificate
❖ Domino no longer uses the Secure Server Certificate
database to generate keyfiles or merge certificates
❖ We use a combination of OpenSSL and an IBM utility for
Domino called kyrtool
❖ download kyrtool from IBM Fixcentral http://ibm.co/1SAYX5E
❖ copy it to your Notes or Domino program directory
❖ The program files must be 9.0.1 FP3 or higher
Domino – Creating A SHA2 Certificate
❖ We need to decide the size of the key pair we want to create
❖ the larger the key pair the harder it is to decrypt
❖ not all software systems support the largest key pairs
❖ If using Windows set the environment variable for OpenSSL first
❖ set OPENSSL_CONF=c:\openssl\bin\openssl.cfg
❖ verify openssl.cfg actually exists in that directory
❖ To create a 4096 key pair
❖ c:\openssl\bin\openssl genrsa -out mynewserver.key 4096
Create a Certificate Signing Request
❖ When buying a new certificate, the CSR is what you send to your CA
❖ openssl req -new -sha256 -key mynewserver.key -out mynewserver.csr
❖ note that we are requesting a SHA2 certificate
❖ the CSR will be verified by the CA when you submit it
so you can check that it’s right
❖ if not you can recreate it by running the command
again
MyNewServer.CSR
❖ -----BEGIN CERTIFICATE REQUEST-----
❖ -----END CERTIFICATE REQUEST-----
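As an added example (not from the deck), the check you can run on mynewserver.csr before sending it off, and again on the .crt the CA returns: a stdlib-only Python parser that reads the PEM object, walks the DER to the signatureAlgorithm field and reports whether the hash is SHA1 or a SHA2 member, so both the SHA2 slide's point and the "check that it's right" step above can be verified on the file itself. The constructed_sample objects are made up for offline testing and are not real certificates or requests.

```python
"""Report whether a PEM certificate or CSR is signed with SHA1 or a SHA2 hash (stdlib only)."""
import base64
import re
import sys

# RSA signature OIDs a public CA would normally use: OID -> (algorithm name, hash).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "sha384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha512"),
}
SHA2_HASHES = {"sha256", "sha384", "sha512"}
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
# DER content bytes (no tag/length) of the two OIDs the deck contrasts.
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")


def _read_tlv(data, offset):
    """Return (tag, value_start, value_end) for the DER element starting at offset."""
    tag, length = data[offset], data[offset + 1]
    offset += 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        num = length & 0x7F
        length = int.from_bytes(data[offset:offset + num], "big")
        offset += num
    if offset + length > len(data):
        raise ValueError("DER element runs past the end of the data")
    return tag, offset, offset + length


def _decode_oid(raw):
    """Turn the content bytes of a DER OBJECT IDENTIFIER into dotted notation."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def signature_algorithm(pem_text):
    """Return (pem_label, oid, algorithm_name) for a PEM certificate or CSR.

    Certificates and PKCS#10 requests share the outer layout SEQUENCE { body,
    signatureAlgorithm SEQUENCE { OID, params }, signature BIT STRING }.
    """
    m = PEM_BLOCK.search(pem_text)
    if not m:
        raise ValueError("no PEM block found (convert a DER file to PEM first)")
    label = m.group(1)
    if label not in ("CERTIFICATE", "CERTIFICATE REQUEST"):
        raise ValueError(f"unsupported PEM object: {label}")
    der = base64.b64decode("".join(m.group(2).split()))
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    _, _, body_end = _read_tlv(der, start)        # skip tbsCertificate / requestInfo
    tag, alg_start, _ = _read_tlv(der, body_end)  # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = _decode_oid(der[oid_start:oid_end])
    return label, oid, SIGNATURE_OIDS.get(oid, ("unknown", "unknown"))[0]


def is_sha2_signed(pem_text):
    """True when the object's signature hash is a SHA2 family member."""
    _, oid, _ = signature_algorithm(pem_text)
    return SIGNATURE_OIDS.get(oid, ("", ""))[1] in SHA2_HASHES


def _der(tag, content):
    """Minimal DER TLV encoder, only needed to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content


def constructed_sample(label, sig_oid):
    """Constructed PEM object with the genuine outer layout but an empty body and a
    dummy signature: not a real certificate or CSR, just enough to exercise the parser."""
    der = _der(0x30, _der(0x30, b"")
               + _der(0x30, _der(0x06, sig_oid) + _der(0x05, b""))
               + _der(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


if __name__ == "__main__":
    # Usage: python sigcheck.py mynewserver.csr   (or the .crt / .cer the CA sends back)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else constructed_sample("CERTIFICATE REQUEST", SHA256_RSA_OID)
    label, oid, name = signature_algorithm(text)
    print(f"{label}: {name} ({oid}) -> {'SHA2' if is_sha2_signed(text) else 'NOT SHA2'}")
```

The same function accepts the PEM string returned by the standard library's ssl.get_server_certificate((host, 443)), so it also serves as a quick check of what a live server is presenting.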
Now Comes The Domino Bit
❖ We have to create a keyring file in a format Domino will be able to read
❖ For that we use the kyrtool we downloaded from FixCentral
❖ From your Notes program directory
❖ kyrtool create -k c:\notes\data\mynewserver.kyr -p <passwordyouwanttouse>
❖ this will create two files
❖ mynewserver.kyr
❖ mynewserver.sth (this is the stashed password that unlocks the
keyring)
Nearly There…
❖ We have our keyring file
❖ We have sent our request for a certificate, generated off our
new key pair to our CA
❖ When the CA sends the certificate back we can merge the new
certificate into our keyring file
❖ we need to merge ALL the certificates, root, intermediate and
server into a single “key” file
❖ c:\openssl\bin>type mynewserver.key server.crt intermediate.crt root.crt > mynewserver.txt
Last Step
❖ We now add our new txt file with all the certificates in it
into our new Domino keyring
❖ c:\ibm\notes\kyrtool import all -k c:\notes\data\mynewserver.kyr -i c:\openssl\bin\mynewserver.txt
❖ That’s it. We now have a shiny keyring pair to use with
our Domino server
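Added example, not the deck's own code: a Python stand-in for the "type" concatenation above that checks each input is a single PEM object of the right kind and writes the blocks out in the order kyrtool import all expects (key, server, intermediate, root), rather than trusting four files were joined correctly. The SAMPLE_* inputs are constructed placeholders, not real keys or certificates.

```python
"""Build the single text file 'kyrtool import all' reads, checking each piece first."""
import re
import sys

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY"}   # what openssl genrsa / pkey write
CERT_LABELS = {"CERTIFICATE"}


def pem_blocks(text):
    """Return [(label, base64_body)] for every PEM object in text.

    A body that is not base64 (someone pasted a DER file or a Windows
    'type' output with a stray prompt in it) is rejected instead of passed on.
    """
    found = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        if not re.fullmatch(r"[A-Za-z0-9+/]+=*", body):
            raise ValueError(f"{label} block is not base64; is this a DER file?")
        found.append((label, body))
    return found


def _render(label, body):
    """Write a PEM block back out with 64-column lines and a trailing newline."""
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"


def build_kyrtool_input(key_pem, server_pem, intermediate_pem, root_pem):
    """Return the merged text in kyrtool's order: key, server, intermediate, root.

    Each input must hold exactly one PEM object of the right kind, and no object
    may be supplied twice (handing server.crt in again as the intermediate is a
    common slip). Blocks are re-rendered, so two of them are never glued onto one
    line the way 'type a b' does when a file has no final newline.
    """
    inputs = [("key", key_pem, KEY_LABELS), ("server", server_pem, CERT_LABELS),
              ("intermediate", intermediate_pem, CERT_LABELS), ("root", root_pem, CERT_LABELS)]
    parts, seen = [], set()
    for name, text, allowed in inputs:
        blocks = pem_blocks(text)
        if len(blocks) != 1:
            raise ValueError(f"{name}: expected exactly one PEM block, found {len(blocks)}"
                             " (convert DER files with 'openssl x509 -inform DER' first)")
        label, body = blocks[0]
        if label not in allowed:
            raise ValueError(f"{name}: unexpected PEM object {label}")
        if body in seen:
            raise ValueError(f"{name}: this object was already supplied as an earlier input")
        seen.add(body)
        parts.append(_render(label, body))
    return "".join(parts)


# Constructed placeholder inputs: valid base64, but not real keys or certificates.
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nS0VZ\n-----END RSA PRIVATE KEY-----"  # no final newline
SAMPLE_SERVER = "-----BEGIN CERTIFICATE-----\nU0VSVkVS\n-----END CERTIFICATE-----"
SAMPLE_INTERMEDIATE = "-----BEGIN CERTIFICATE-----\r\nSU5URVI=\r\n-----END CERTIFICATE-----\r\n"  # CRLF
SAMPLE_ROOT = "-----BEGIN CERTIFICATE-----\nUk9PVA==\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Usage: python merge.py mynewserver.key server.crt intermediate.crt root.crt mynewserver.txt
    if len(sys.argv) == 6:
        texts = [open(p, encoding="ascii").read() for p in sys.argv[1:5]]
        open(sys.argv[5], "w").write(build_kyrtool_input(*texts))
    else:
        print(build_kyrtool_input(SAMPLE_KEY, SAMPLE_SERVER, SAMPLE_INTERMEDIATE, SAMPLE_ROOT))
```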
Installing A SHA2 Certificate Under Domino
❖ Install Using Internet Site Documents
❖ The first keyring file in the Internet Site docs view that matches the
server configuration “wins”.
❖ Avoid too many wildcard or duplicate Internet Site Documents
❖ What can you use it for
❖ HTTPS (Traveler, Websites)
❖ S/MIME (encrypted mail)
❖ TLS (HTTP/HTTPS, LDAP/LDAPS, SMTP, IMAP, and POP3)
❖ DIIOP as of 9.0.1 FP5
More Domino SSL
❖ Remove weak ciphers from the site documents
❖ Add Disable_SSLV3=1 to the notes.ini on the server
❖ Domino supports TLS 1.2 now
❖ SSL_DISABLE_TLS_10
❖ https://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_1.2
Working With WebSphere Certificates
❖ WebSphere installs with its own keystores for each cell
and node you add
❖ The keystores are created and owned by IBM and have
the hostname of the server you’re installing onto by
default
❖ The cell keystores are found in
❖ /profiles/Dmgr01/config/cells/{cellname}/trust.p12
❖ /profiles/Dmgr01/config/cells/{cellname}/key.p12
Accessing The SSL Configuration
❖ Login to the WebSphere ISC
❖ Security - SSL Certificate and Key Management
Adding A New Certificate To WebSphere
❖ Go to the CellDefaultTrustStore. If the certificate already exists on another server
you can “Retrieve from port”
❖ Add your root and intermediate certificates here
Personal Certificate Request
❖ The simplest way to generate a
WAS certificate
❖ create a CSR in WAS
❖ “receive” it into WAS when
sent from the CA
❖ you can’t “receive” a
certificate you didn’t
request
WebSphere and 4096 Key Length Certificates
❖ A 4096 certificate can generate an error when attempting
to add to WebSphere
❖ “RSA premaster secret”
❖ You need to add the unrestricted policy files to
WebSphere for the 4096 certificates to be imported
The Unrestricted Policy Files
❖ ibm.co/1JZGs3z
Exporting A Certificate From WebSphere
❖ Export a WAS certificate so that it can be imported onto
other systems
❖ Such as a keyfile database generated by ikeyman and
used by IBM HTTP Server
Working With Ikeyman
❖ There are different versions of ikeyman that create
keyfile databases recognised by different products
❖ Look in the program directory for your installed
product to find the right one
❖ For IBM HTTP Server the file is in /IBM/HTTPServer/bin
❖ On Linux you’ll need to configure X11 forwarding if you
don’t have a graphical interface
Working With IKeyMan - Signer Certificates
❖ Import the WebSphere certificate we extracted earlier
❖ Add root and intermediate certificates
Working With IKeyman - Personal Certificates
Editing httpd.conf to add SSL configuration
❖ Example content
❖ LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
❖ Listen 0.0.0.0:443
❖ <VirtualHost *:443>
❖ SSLEnable
❖ SSLProtocolDisable SSLv2
❖ </VirtualHost>
❖ KeyFile /opt/IBM/HTTPServer/Plugins/config/webserver1/plugin-cfg.kdb
❖ SSLDisable
❖ Restart IHS - use netstat to see if 443 is active and listening
❖ Check IHS logs for SSL errors
❖ If WebSphere doesn’t have a copy of the IHS certificate and IHS doesn’t have a copy of the WebSphere certificate or they don’t
share a trusted root, they won’t be able to communicate
SSL and Development
❖ Despite the initial pain see if you can get a proper production
SSL certificate to use on your development environment.
❖ If you cannot (for cost reasons), ensure you create a self-signed cert
that is EXACTLY the same type as your production
environment
❖ Identify ALL your third party libraries to your Admins, as
well as any changes in versions, in a proper release document,
particularly if you are overriding an existing library on the
server
Testing SSL On Your Site
❖ https://www.ssllabs.com/ssltest/
❖ You can’t stay ahead of the hackers but you must be
vigilant and keep up
❖ Have a plan for monitoring
❖ Have a plan for lock down at the first appearance of
exposure
❖ Have a plan to fix the vulnerability
❖ Have a plan to identify what information may be
compromised
❖ Have a plan to make that information of as little value as
possible
What Else?
Resources
❖ Working with OpenSSL https://www.feistyduck.com/books/openssl-cookbook/
❖ Creating SHA2 For Domino http://turtleblog.info/2015/06/22/creating-sha-2-4096-ssl-certificates-for-domino/
❖ Unrestricted policy files for WebSphere http://www-01.ibm.com/support/docview.wss?uid=swg21663373

Gabriella Davis
 
How To Approach GDPR Preparation & Discovery
How To Approach GDPR Preparation & DiscoveryHow To Approach GDPR Preparation & Discovery
How To Approach GDPR Preparation & Discovery
Gabriella Davis
 
An Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation RequirementsAn Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation Requirements
Gabriella Davis
 
Brand Yourself
Brand YourselfBrand Yourself
Brand Yourself
Gabriella Davis
 
Home Working
Home WorkingHome Working
Home Working
Gabriella Davis
 
A Guide To Single Sign-On for IBM Collaboration Solutions
A Guide To Single Sign-On for IBM Collaboration SolutionsA Guide To Single Sign-On for IBM Collaboration Solutions
A Guide To Single Sign-On for IBM Collaboration Solutions
Gabriella Davis
 
The Imposter Syndrome
The Imposter SyndromeThe Imposter Syndrome
The Imposter Syndrome
Gabriella Davis
 
What's New in Notes, Sametime and Verse On-Premises
What's New in Notes, Sametime and Verse On-PremisesWhat's New in Notes, Sametime and Verse On-Premises
What's New in Notes, Sametime and Verse On-Premises
Gabriella Davis
 
An Introduction To Docker
An Introduction To DockerAn Introduction To Docker
An Introduction To Docker
Gabriella Davis
 
An Introduction To Docker
An Introduction To  DockerAn Introduction To  Docker
An Introduction To Docker
Gabriella Davis
 
Setting Up a Hybrid Domino Environment to Ease your Way to the Cloud
Setting Up a Hybrid Domino Environment to Ease your Way to the CloudSetting Up a Hybrid Domino Environment to Ease your Way to the Cloud
Setting Up a Hybrid Domino Environment to Ease your Way to the Cloud
Gabriella Davis
 
Embracing iot in the enterprise
Embracing iot in the enterpriseEmbracing iot in the enterprise
Embracing iot in the enterprise
Gabriella Davis
 
Domino in the Back, Party In The Front
Domino in the Back, Party In The FrontDomino in the Back, Party In The Front
Domino in the Back, Party In The Front
Gabriella Davis
 
Penumbra briefing
Penumbra briefingPenumbra briefing
Penumbra briefing
Gabriella Davis
 

More from Gabriella Davis (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Engage2022 - Domino Admin Tips
Engage2022 - Domino Admin TipsEngage2022 - Domino Admin Tips
Engage2022 - Domino Admin Tips
 
. Design Decisions: Developing for Mobile - The Template Experience Project
. Design Decisions: Developing for Mobile - The Template Experience Project. Design Decisions: Developing for Mobile - The Template Experience Project
. Design Decisions: Developing for Mobile - The Template Experience Project
 
Domino Server Health - Monitoring and Managing
 Domino Server Health - Monitoring and Managing Domino Server Health - Monitoring and Managing
Domino Server Health - Monitoring and Managing
 
Face Off Domino vs Exchange On Premises
Face Off Domino vs Exchange On PremisesFace Off Domino vs Exchange On Premises
Face Off Domino vs Exchange On Premises
 
An Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation RequirementsAn Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation Requirements
 
An introduction to configuring Domino for Docker
An introduction to configuring Domino for DockerAn introduction to configuring Domino for Docker
An introduction to configuring Domino for Docker
 
How To Approach GDPR Preparation & Discovery
How To Approach GDPR Preparation & DiscoveryHow To Approach GDPR Preparation & Discovery
How To Approach GDPR Preparation & Discovery
 
An Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation RequirementsAn Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation Requirements
 
Brand Yourself
Brand YourselfBrand Yourself
Brand Yourself
 
Home Working
Home WorkingHome Working
Home Working
 
A Guide To Single Sign-On for IBM Collaboration Solutions
A Guide To Single Sign-On for IBM Collaboration SolutionsA Guide To Single Sign-On for IBM Collaboration Solutions
A Guide To Single Sign-On for IBM Collaboration Solutions
 
The Imposter Syndrome
The Imposter SyndromeThe Imposter Syndrome
The Imposter Syndrome
 
What's New in Notes, Sametime and Verse On-Premises
What's New in Notes, Sametime and Verse On-PremisesWhat's New in Notes, Sametime and Verse On-Premises
What's New in Notes, Sametime and Verse On-Premises
 
An Introduction To Docker
An Introduction To DockerAn Introduction To Docker
An Introduction To Docker
 
An Introduction To Docker
An Introduction To  DockerAn Introduction To  Docker
An Introduction To Docker
 
Setting Up a Hybrid Domino Environment to Ease your Way to the Cloud
Setting Up a Hybrid Domino Environment to Ease your Way to the CloudSetting Up a Hybrid Domino Environment to Ease your Way to the Cloud
Setting Up a Hybrid Domino Environment to Ease your Way to the Cloud
 
Embracing iot in the enterprise
Embracing iot in the enterpriseEmbracing iot in the enterprise
Embracing iot in the enterprise
 
Domino in the Back, Party In The Front
Domino in the Back, Party In The FrontDomino in the Back, Party In The Front
Domino in the Back, Party In The Front
 
Penumbra briefing
Penumbra briefingPenumbra briefing
Penumbra briefing
 

Recently uploaded

Oracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptxOracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptx
Remote DBA Services
 
Unveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdfUnveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdf
brainerhub1
 
What is Master Data Management by PiLog Group
What is Master Data Management by PiLog GroupWhat is Master Data Management by PiLog Group
What is Master Data Management by PiLog Group
aymanquadri279
 
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdfAutomated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
timtebeek1
 
E-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet DynamicsE-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet Dynamics
Hornet Dynamics
 
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
XfilesPro
 
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
mz5nrf0n
 
Energy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina JonuziEnergy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina Jonuzi
Green Software Development
 
How Can Hiring A Mobile App Development Company Help Your Business Grow?
How Can Hiring A Mobile App Development Company Help Your Business Grow?How Can Hiring A Mobile App Development Company Help Your Business Grow?
How Can Hiring A Mobile App Development Company Help Your Business Grow?
ToXSL Technologies
 
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling ExtensionsUI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
Peter Muessig
 
SQL Accounting Software Brochure Malaysia
SQL Accounting Software Brochure MalaysiaSQL Accounting Software Brochure Malaysia
SQL Accounting Software Brochure Malaysia
GohKiangHock
 
Using Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query PerformanceUsing Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query Performance
Grant Fritchey
 
Webinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for EmbeddedWebinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for Embedded
ICS
 
Measures in SQL (SIGMOD 2024, Santiago, Chile)
Measures in SQL (SIGMOD 2024, Santiago, Chile)Measures in SQL (SIGMOD 2024, Santiago, Chile)
Measures in SQL (SIGMOD 2024, Santiago, Chile)
Julian Hyde
 
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Crescat
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOMLORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
lorraineandreiamcidl
 
UI5con 2024 - Bring Your Own Design System
UI5con 2024 - Bring Your Own Design SystemUI5con 2024 - Bring Your Own Design System
UI5con 2024 - Bring Your Own Design System
Peter Muessig
 
How to write a program in any programming language
How to write a program in any programming languageHow to write a program in any programming language
How to write a program in any programming language
Rakesh Kumar R
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
TheSMSPoint
 
Oracle 23c New Features For DBAs and Developers.pptx
Oracle 23c New Features For DBAs and Developers.pptxOracle 23c New Features For DBAs and Developers.pptx
Oracle 23c New Features For DBAs and Developers.pptx
Remote DBA Services
 

Recently uploaded (20)

Oracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptxOracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptx
 
Unveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdfUnveiling the Advantages of Agile Software Development.pdf
Unveiling the Advantages of Agile Software Development.pdf
 
What is Master Data Management by PiLog Group
What is Master Data Management by PiLog GroupWhat is Master Data Management by PiLog Group
What is Master Data Management by PiLog Group
 
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdfAutomated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
 
E-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet DynamicsE-commerce Development Services- Hornet Dynamics
E-commerce Development Services- Hornet Dynamics
 
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
 
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
原版定制美国纽约州立大学奥尔巴尼分校毕业证学位证书原版一模一样
 
Energy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina JonuziEnergy consumption of Database Management - Florina Jonuzi
Energy consumption of Database Management - Florina Jonuzi
 
How Can Hiring A Mobile App Development Company Help Your Business Grow?
How Can Hiring A Mobile App Development Company Help Your Business Grow?How Can Hiring A Mobile App Development Company Help Your Business Grow?
How Can Hiring A Mobile App Development Company Help Your Business Grow?
 
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling ExtensionsUI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions
 
SQL Accounting Software Brochure Malaysia
SQL Accounting Software Brochure MalaysiaSQL Accounting Software Brochure Malaysia
SQL Accounting Software Brochure Malaysia
 
Using Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query PerformanceUsing Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query Performance
 
Webinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for EmbeddedWebinar On-Demand: Using Flutter for Embedded
Webinar On-Demand: Using Flutter for Embedded
 
Measures in SQL (SIGMOD 2024, Santiago, Chile)
Measures in SQL (SIGMOD 2024, Santiago, Chile)Measures in SQL (SIGMOD 2024, Santiago, Chile)
Measures in SQL (SIGMOD 2024, Santiago, Chile)
 
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOMLORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
 
UI5con 2024 - Bring Your Own Design System
UI5con 2024 - Bring Your Own Design SystemUI5con 2024 - Bring Your Own Design System
UI5con 2024 - Bring Your Own Design System
 
How to write a program in any programming language
How to write a program in any programming languageHow to write a program in any programming language
How to write a program in any programming language
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
 
Oracle 23c New Features For DBAs and Developers.pptx
Oracle 23c New Features For DBAs and Developers.pptxOracle 23c New Features For DBAs and Developers.pptx
Oracle 23c New Features For DBAs and Developers.pptx
 

The SSL Problem and How to Deploy SHA2 Certificates

7. SSL
❖ Stands for Secure Sockets Layer
❖ A cryptographic protocol (a set of agreed rules for coding and decoding messages so as to keep those messages secure)
❖ Each version was replaced by the next because of security flaws, and the protocol is now completely deprecated (SSL 3.0 by RFC 7568, June 2015)
❖ Its death knell was POODLE in 2014, a padding-oracle attack on the CBC block cipher modes of SSL 3.0 (see later slide)
❖ Replaced by...
8. TLS
❖ "Transport Layer Security"
❖ Like SSL it is a cryptographic protocol (a set of agreed rules for coding and decoding messages so as to keep those messages secure)
❖ The successor to SSL (TLS 1.0 carries the wire version number 3.1, so it is effectively SSL 3.1, but it was renamed to mark the change to an open IETF standard rather than Netscape's protocol)
❖ At the time of this talk it had 3 versions, 1.0, 1.1 and 1.2 (1.3 was still in draft)
❖ Like SSL it is a constantly changing protocol
9. S/MIME
❖ Another protocol, this time for allowing email in the MIME format (basically all SMTP mail) to be signed and/or encrypted
❖ Signed: to assure your recipients that you actually sent the email and that it was not altered on the way
❖ Encrypted: to protect the content from being read by anyone other than the intended recipients
❖ Just about the only intersystem security standard that all vendors can agree on
10. HTTPS
❖ The transfer of data using the Hypertext Transfer Protocol over a link secured by either SSL or TLS
❖ Provides:
❖ Bidirectional encryption of your data in transit
❖ A reasonable guarantee that you are talking to who you think you are, provided the client actually validates the server's certificate
❖ Defends against "man in the middle" and third-party snooping attacks
11. SHA2
❖ An upgrade to the popular hashing algorithm used in the signatures of the majority of SSL certificates
❖ Its predecessor SHA1 was found to be less secure than was previously thought (weakened rather than broken when this talk was given; a practical SHA1 collision was demonstrated in 2017)
❖ Microsoft, Google and Mozilla all announced deprecation plans for SHA1-signed certificates
❖ When people talk about "SHA256" they are talking about one of the six hash functions (SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256) that make up the SHA2 family
12. AES
❖ "Advanced Encryption Standard"
❖ Based on 3 members of the Rijndael cipher family (developed by Joan Daemen and Vincent Rijmen), each with a block size of 128 bits but three different key lengths: 128, 192 and 256 bits
❖ Used worldwide and a US federal government standard (FIPS 197)
❖ It supersedes DES (Data Encryption Standard), whose 56-bit key can now be brute-forced
13. What Went Wrong ... and keeps going wrong
14. Man in the Middle Attack
❖ An attack where someone intercepts communication between two systems and acts as a proxy between the parties without either of them knowing, able to read and alter everything that passes through
15. This is Betty
❖ Betty knows the internet is scary
❖ She likes to shop and bank online
❖ Betty gets emails telling her to click on a link and give her password
❖ She always clicks the link
16. This is Hank
❖ Hank owns a bank
❖ He needs to keep Betty's money safe
❖ Hank knows Betty will click on the link... and that it will be his fault if her money goes missing
17. This is Jazz
❖ Jazz is a system administrator
❖ Jazz is cool
❖ Jazz has to keep corporate data secure whilst keeping access simple & staying ahead of hackers
❖ Jazz doesn't sleep much
18. This is Harry
❖ Harry is a jerk with no morals
❖ He only cares about getting money and causing disruption
19. Encryption
(diagram: the plaintext "Hi Betty!" is turned into ciphertext and back again)
❖ It's all about the key. How strong is it? How secure is it? Is it even the right key?
20. Man in the middle
(diagram: "Hi Betty!" is encrypted, intercepted and altered in transit, and arrives as "Bye Betty!")
21. With SHA2 & Strong Keys
(diagram: with strong keys and SHA2 the message arrives intact as "Hi Betty!")
22. POODLE
❖ "Padding Oracle On Downgraded Legacy Encryption"
❖ An attack in which someone already sitting between client and server forces the session down from TLS to SSL 3.0, then uses a design flaw in SSL 3.0 (the CBC padding bytes are not covered by the MAC) to decrypt parts of the session, such as cookies, one byte at a time
❖ What it did
❖ It turned a man in the middle position into the ability to read supposedly encrypted data
❖ How it was stopped
❖ We all turned off SSL v3.0 on the servers (and were then grumbled at by people who used old browsers); browsers and servers also adopted TLS_FALLBACK_SCSV (RFC 7507) so that a forced downgrade is detected
23. ShellShock or Bashdoor
❖ A bug present in Bash* since 1989: on start-up Bash imported function definitions from environment variables and also ran any commands that followed the function body, so anyone who could set an environment variable could supply their own commands
❖ What it did
❖ It allowed an attacker to execute commands on the target server wherever untrusted input ended up in an environment variable, most famously through CGI web scripts
❖ How it was stopped
❖ Patched all servers running Bash
❖ *A program that a lot of Unix-based systems use to execute command lines and command scripts
24. Heartbleed
❖ A "buffer over-read" vulnerability in the TLS heartbeat extension of OpenSSL caused by a missing input validation check (the code trusted the length field in the peer's heartbeat request), but really by not enough peer review
❖ What it did?
❖ Allowed an attacker to read up to 64 kilobytes of the server's active memory per request, memory that was very likely to contain secrets such as session cookies, passwords and the server's private key
❖ How it was stopped?
❖ We updated all clients/servers to a patched version of OpenSSL
❖ Reissued certificates with NEW private keys, and revoked the old ones, wherever there was any chance the key could have been read (reissuing on the same key gains nothing)
25. FREAK - "Factoring RSA Export Keys"
❖ A vulnerability caused by the growth of cheap computing power
❖ A "512-bit export-grade key" (a 1990s US export-control relic that many servers and clients still supported) can now be factored with a bit of maths called the "Number Field Sieve algorithm"* and about $150 of cloud computing
❖ What it did?
❖ Allowed a man in the middle to force the connection onto an export cipher suite, factor the weak key, and then decrypt and tamper with the session
❖ How it was stopped?
❖ We disabled "TLS export cipher suites", either by updating browsers, disabling the suites in servers, or updating the libraries that used them (such as OpenSSL) to versions that did not
❖ *https://en.wikipedia.org/wiki/General_number_field_sieve
26. Why Is This A Growing Problem?
27. What's Next?
❖ Who knows! The important thing we have all learnt is that just because something has been around for a while is no guarantee of it being bomb proof
❖ No system is perfect
❖ Open source software is a great concept, but relies on ACTIVE members picking at each other's code and performing peer review
❖ Closed source relies on the competency of hidden processes and on testers not succumbing to pressure to "ship now"
❖ Just remember there is always someone cleverer than you
28. So We Need The Strongest Certificate That Uses The Best Algorithm & Is Kept Up To Date. How Do We Do That?
29. Certificate Structures
❖ Certificate authorities
❖ Private keys
❖ Trusted roots
❖ Generating a certificate
❖ You'll need a key file (the private key, which never leaves your server)
❖ You'll need a request (CSR) with all the details of your certificate
❖ You'll need the trusted root and intermediate certificates of your CA
❖ You'll need the final certificate itself
33. File Extensions For Certificates
❖ More acronyms
❖ Certificate formats
❖ PEM (Base64 text between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines)
❖ CRT
❖ CER
❖ KEY
❖ (CRT, CER and KEY are only file extensions; what is inside may be PEM text or DER binary, so look at the file before assuming)
❖ DER binary
❖ PFX or P12 (a PKCS#12 bundle holding the private key and the certificate chain together, protected by a password)
❖ ... CSR (certificate signing request)
❖ OpenSSL can convert most certificate forms to most others
34. OpenSSL
❖ An open source library and command-line toolkit for SSL and TLS cryptography
❖ Available for most platforms
❖ Developed and managed by https://www.openssl.org
❖ Source repository on https://github.com/openssl/openssl
❖ Create certificates
❖ Convert certificates
❖ Extract certificates
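The conversions the two slides above promise, as an added example (not commands from the slides, and not OpenSSL's own documentation) in POSIX shell around the openssl command line. It goes a little beyond the slides by first sniffing which format a file actually is, since .crt, .cer and .key say nothing about what is inside. The self-signed certificate it converts is constructed on the spot so that the script runs offline; the name sample.example.com, the scratch directory and the password "secret" are assumptions.

```shell
#!/bin/sh
# Added example: identify and convert certificate file formats with OpenSSL.
# Everything lives in a scratch directory; the certificate is a constructed
# self-signed sample, not one issued by a CA.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Constructed sample input: a self-signed certificate plus its private key.
make_sample() {
    openssl req -x509 -new -sha256 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=sample.example.com" \
        -keyout "$WORK/sample.key" -out "$WORK/sample.pem" 2>/dev/null
}

# Which of the slide's formats is this file? PEM is text with BEGIN/END
# markers; DER and PKCS#12 are both binary ASN.1, so try to parse them to
# tell them apart. $2 is the password to try for PKCS#12 (optional).
detect_format() {
    if grep -q -- '-----BEGIN' "$1" 2>/dev/null; then
        echo PEM
    elif openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then
        echo DER
    elif openssl pkcs12 -in "$1" -info -noout -passin "pass:${2:-}" >/dev/null 2>&1; then
        echo PKCS12
    else
        echo UNKNOWN
    fi
}

# PEM <-> DER: the same certificate, just a different encoding.
pem_to_der() { openssl x509 -in "$1" -inform PEM -outform DER -out "$2"; }
der_to_pem() { openssl x509 -in "$1" -inform DER -outform PEM -out "$2"; }

# PEM key + certificate -> PKCS#12 (.p12/.pfx), the bundle that Java
# keystores, WebSphere and Windows want. Args: key cert out password.
to_pkcs12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
}

# PKCS#12 -> separate PEM certificate and PEM key. Args: p12 password outcert outkey.
# The extracted key is written unencrypted (-nodes): protect that file.
from_pkcs12() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$3" 2>/dev/null
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$4" 2>/dev/null
}

# SHA-256 fingerprint: the same certificate gives the same fingerprint
# whatever container it came out of, which is how you check a conversion.
fingerprint() { openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256; }

# Demo run.
make_sample
pem_to_der "$WORK/sample.pem" "$WORK/sample.der"
to_pkcs12 "$WORK/sample.key" "$WORK/sample.pem" "$WORK/sample.p12" secret
from_pkcs12 "$WORK/sample.p12" secret "$WORK/from_p12.crt" "$WORK/from_p12.key"
for f in sample.pem sample.der sample.p12; do
    echo "$f: $(detect_format "$WORK/$f" secret)"
done
echo "original: $(fingerprint "$WORK/sample.pem" PEM)"
echo "via DER:  $(fingerprint "$WORK/sample.der" DER)"
echo "via P12:  $(fingerprint "$WORK/from_p12.crt" PEM)"
```

Everything ends up under $WORK; the ikeyman and WebSphere slides later in this deck consume the kind of .p12 that to_pkcs12 writes. Older Java-based tools may not open a PKCS#12 written with OpenSSL 3's default AES and PBKDF2 protection; if ikeyman refuses the file, re-export it with -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 so the bundle uses the older algorithms those tools expect.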
36. Installing OpenSSL - For the brave
❖ https://www.openssl.org/source/
❖ ftp://ftp.openssl.org/source/ previous versions
❖ ftp://ftp.openssl.org/source/old older versions
❖ Download the compressed file and extract it
❖ Read the README for instructions, e.g. run
❖ INSTALL Linux, Unix, etc.
❖ INSTALL.W32 Windows (32-bit)
❖ INSTALL.W64 Windows (64-bit)
❖ https://wiki.openssl.org/index.php/Compilation_and_Installation
37. Installing OpenSSL Under Windows
❖ I found the easiest solution (as an Admin) is to install the pre-built Windows executable from Shining Light - there are others out there
❖ https://slproweb.com/products/Win32OpenSSL.html
❖ Download the most recent "Light" version
❖ At the time of this talk that was 1.0.2h (Win32OpenSSL_Light-1_0_2h); the 1.0.2 series has since reached end of life, so take a current release
40. Installing OpenSSL For Linux
❖ Most Linux distros come with a pre-compiled version of OpenSSL, or provide it as a package
❖ yum install openssl (RHEL/CentOS/Fedora) or apt-get install openssl (Debian/Ubuntu)
❖ Each OS may have its own method for configuration
41. Let's Create Some Certificates
42. Domino - Creating A SHA2 Certificate
❖ Domino no longer uses the Secure Server Certificate database to generate key files or merge certificates
❖ We use a combination of OpenSSL and an IBM utility for Domino called kyrtool
❖ Download kyrtool from IBM Fix Central http://ibm.co/1SAYX5E
❖ Copy it to your Notes or Domino program directory
❖ The program files must be 9.0.1 FP3 or higher
43. Domino - Creating A SHA2 Certificate
❖ We need to decide the size of the key pair we want to create
❖ The larger the key pair, the harder it is to break (2048 bits is the minimum public CAs accept today; 4096 costs more CPU per handshake)
❖ Not all software systems support the largest key pairs (see the WebSphere slides later)
❖ If using Windows set the environment variable for OpenSSL first
❖ set OPENSSL_CONF=c:\openssl\bin\openssl.cfg
❖ Verify openssl.cfg actually exists in that directory
❖ To create a 4096-bit key pair
❖ c:\openssl\bin\openssl genrsa -out mynewserver.key 4096
❖ Keep mynewserver.key private: anyone who has it can impersonate the server
44. Create a Certificate Signing Request
❖ When buying a new certificate this is what you send to your CA
❖ openssl req -new -sha256 -key mynewserver.key -out mynewserver.csr
❖ Note that -sha256 signs the request itself with SHA2; the CA decides how it signs the certificate it issues, so make sure you order a SHA2 certificate
❖ The CSR will be verified by the CA when you submit it, so you can check that it's right
❖ If not, you can recreate it by running the command again
46. MyNewServer.CSR (only the beginning of the file survived on the slide; it is not a complete request)
-----BEGIN CERTIFICATE REQUEST-----
MIIEvjCCAqYCAQAweTELMAkGA1UEBhMCR0IxDzANBgNVBAgMBkxvbmRvbjEjMCEG
A1UECgwaVGhlIFR1cnRsZSBQYXJ0bmVyc2hpcCBMdGQxCzAJBgNVBAsMAklUMScw
JQYDVQQDDB50cmF2ZWxlci50dXJ0bGVwYXJ0bmVyc2hpcC5jb20wggIiMA0GCSqG
SIb3DQEBAQUAA4ICDwAwggIKAoICAQDG5S3l7CtwiZQDHPXPxZMt3tQa8styCuZ+
CyipKAyqAKvaurqGfb232kYjLdR9hDh/TAswAeG40+DuQN4LKW4efWB91tQTKyZp
R9Kt5y6hVgKLjWbkZUqJcBRq60w7E1x+ufAqADLlhQAH0Q5fVe8aLhkYc5qIz4u/
JIm1Y+RgO3M/80v4xl85s6R/wEUSOdynKjrpBOsgWXUWu6pkCmxQOTD0lZfII5Lj
GztF9m7It8KcUojV4IdlsBNGlmOwdRgRwV1oqR0C3wdK9325xEbZcQgBnLBYprcN
GxZTwQpkIkv9tHVs7jhmrJsIYCRv7uDgIVpd3VXcTpGJXdBNgAxy7zW2q/EBlFMe
nPoavA8yyEID4tRHAQwCsDd4aoM/y3ZJRdU9ZyJE6fbcja2lDoB1r0dQWzA17UTC
o4qFgdLqJ94IKlEhnkYF7Dotj3lt0tBpNLRdL3MQwMdpGpetYYhLATQRNaXaOz9n
IsSFI/kIb5KKmFJX39vX7LjeAi9uRe4TbUBWBIWl+kmIT8n4xjUbjIeLrFWYUD4E
Aft6qEmXyScIRufqorbWMz88juuC9Svkcm3zjGcLFjGSuxXOhrrMA6LpCqQJXHI1
5NCjZMdh/1xD1K39JhcYvSdfcpEtOe3CIXMpmkmJK0kANWrUOgeajoz7xC1vsUcE
H4btBohD7B6fiqdozsOsvN1s
-----END CERTIFICATE REQUEST-----
47. Now Comes The Domino Bit
❖ We have to create a keyring file in a format Domino will be able to read
❖ For that we use the kyrtool we downloaded from Fix Central
❖ From your Notes program directory
❖ kyrtool create -k c:\notes\data\mynewserver.kyr -p <passwordyouwanttouse>
❖ This will create two files
❖ mynewserver.kyr
❖ mynewserver.sth (the stashed password that unlocks the keyring, so protect it like the private key)
48. Nearly There...
❖ We have our keyring file
❖ We have sent our request for a certificate, generated from our new key pair, to our CA
❖ When the CA sends the certificate back we can merge the new certificate into our keyring file
❖ We need to merge ALL the certificates (root, intermediate and server) together with the private key into a single text file, in this order: key, server certificate, intermediate(s), root
❖ c:\openssl\bin> type mynewserver.key server.crt intermediate.crt root.crt > mynewserver.txt
❖ All four pieces must be in PEM format for this to work; convert them with OpenSSL first if your CA sent DER files
49. Last Step
❖ We now add our new txt file with all the certificates in it into our new Domino keyring
❖ c:\ibm\notes\kyrtool import all -k c:\notes\data\mynewserver.kyr -i c:\openssl\bin\mynewserver.txt
❖ That's it. We now have a shiny keyring pair (.kyr and .sth) to use with our Domino server
❖ Delete or lock down mynewserver.txt afterwards: it contains the unencrypted private key
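The whole procedure from slide 43 to slide 49, as an added example (not the slides' own commands and not IBM's) written as a POSIX shell script around the openssl command line on Linux or macOS. Because nothing here can talk to a real CA, a throwaway root and intermediate CA built inside the script stand in for the commercial CA that signs the CSR; the hostname traveler.example.com, the subject fields, the scratch directory and the certificate lifetimes are assumptions. The Domino-only kyrtool step is printed at the end rather than run. What the slides do not show, and the script does, is the set of checks worth running on the bundle before it goes anywhere near a keyring: that the chain verifies back to the root for the right hostname, that the certificate really matches the private key, that it was signed with SHA-2 and not SHA-1, and that all three certificates made it into the file.

```shell
#!/bin/sh
# Added example: the slides' key -> CSR -> certificate -> merged bundle flow,
# scripted end to end with the OpenSSL command line. A throwaway two-level CA
# built here stands in for the commercial CA that would really sign the CSR;
# "mynewserver" and the hostname are placeholders. kyrtool itself is not run.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Slide 43: the server key pair. $1 = key size in bits.
gen_server_key() {
    openssl genrsa -out "$WORK/mynewserver.key" "$1" 2>/dev/null
}

# Slide 44: the CSR, signed with SHA-256. $1 = server hostname.
gen_csr() {
    openssl req -new -sha256 -key "$WORK/mynewserver.key" \
        -subj "/C=GB/ST=London/O=Example Ltd/OU=IT/CN=$1" \
        -out "$WORK/mynewserver.csr"
}

# Worth looking at before paying for a certificate: the hash the CSR was signed with.
csr_signature_alg() {
    openssl req -in "$WORK/mynewserver.csr" -noout -text \
        | awk '/^ *Signature Algorithm:/ { print $3; exit }'
}

# Stand-in for the CA: a self-signed root and an intermediate signed by it,
# so the bundle has the same three-certificate shape as a real purchase.
make_test_ca() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/root.ext"
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
    openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
        -subj "/CN=Example Test Root CA" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 3650 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/root.ext" -out "$WORK/root.crt" 2>/dev/null
    openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout "$WORK/intermediate.key" \
        -subj "/CN=Example Test Intermediate CA" -out "$WORK/intermediate.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1825 -in "$WORK/intermediate.csr" \
        -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/int.ext" -out "$WORK/intermediate.crt" 2>/dev/null
}

# The CA signs our CSR with SHA-256 and adds the server extensions. $1 = hostname.
sign_server_csr() {
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$1" > "$WORK/server.ext"
    openssl x509 -req -sha256 -days 397 -in "$WORK/mynewserver.csr" \
        -CA "$WORK/intermediate.crt" -CAkey "$WORK/intermediate.key" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Slide 48: one text file in the order kyrtool wants: key, server, intermediate, root.
build_bundle() {
    cat "$WORK/mynewserver.key" "$WORK/server.crt" "$WORK/intermediate.crt" "$WORK/root.crt" \
        > "$WORK/mynewserver.txt"
    chmod 600 "$WORK/mynewserver.txt"   # it holds the unencrypted private key
}

# Checks before importing: the chain verifies to the root for this hostname, ...
verify_chain() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/intermediate.crt" \
        -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1
}
# ... the certificate really belongs to our private key, ...
key_matches_cert() {
    [ "$(openssl rsa -in "$WORK/mynewserver.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$WORK/server.crt" -pubkey -noout)" ]
}
# ... the leaf was signed with SHA-2, not SHA-1 (slide 11), ...
leaf_signature_alg() {
    openssl x509 -in "$WORK/server.crt" -noout -text \
        | awk '/^ *Signature Algorithm:/ { print $3; exit }'
}
# ... and the bundle holds the whole chain.
bundle_cert_count() { grep -c 'BEGIN CERTIFICATE' "$WORK/mynewserver.txt"; }

# The whole flow. $1 = hostname, $2 = key size in bits.
run_pipeline() {
    gen_server_key "$2"
    gen_csr "$1"
    make_test_ca
    sign_server_csr "$1"
    build_bundle
    verify_chain "$1" && key_matches_cert
}

run_pipeline traveler.example.com 4096
echo "CSR signed with:  $(csr_signature_alg)"
echo "cert signed with: $(leaf_signature_alg), $(bundle_cert_count) certificates in the bundle"
echo "now on the Domino side: kyrtool import all -k mynewserver.kyr -i $WORK/mynewserver.txt"
```

Each helper reads and writes under $WORK, so a second run in a fresh directory leaves the first untouched. The order in build_bundle matters: it is the order the type command on slide 48 uses, private key first, then server certificate, then intermediate(s), then root. OpenSSL 3 writes the key in PKCS#8 form (BEGIN PRIVATE KEY); if an older tool insists on the traditional BEGIN RSA PRIVATE KEY header, openssl rsa -in mynewserver.key -out mynewserver.key -traditional rewrites it before you build the bundle.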
50. Installing A SHA2 Certificate Under Domino
❖ Install using Internet Site documents
❖ The first keyring file in the Internet Site docs view that matches the server configuration "wins"
❖ Avoid too many wildcard or duplicate Internet Site documents
❖ What can you use it for
❖ HTTPS (Traveler, websites)
❖ S/MIME (encrypted mail)
❖ TLS (HTTP/HTTPS, LDAP/LDAPS, SMTP, IMAP and POP3)
❖ DIIOP as of 9.0.1 FP5
51. More Domino SSL
❖ Remove weak ciphers from the site documents
❖ Add Disable_SSLV3=1 to the notes.ini on the server (POODLE, see the earlier slide)
❖ Domino supports TLS 1.2 now
❖ SSL_DISABLE_TLS_10=1 turns off TLS 1.0 once your clients no longer need it
❖ https://www-10.lotus.com/ldd/dominowiki.nsf/dx/TLS_1.2
52. Working With WebSphere Certificates
❖ WebSphere installs with its own keystores for each cell and node you add
❖ The keystores are created by the IBM installer and use the hostname of the server you're installing onto by default
❖ The cell keystores are found in
❖ /profiles/Dmgr01/config/cells/{cellname}/trust.p12
❖ /profiles/Dmgr01/config/cells/{cellname}/key.p12
53. Accessing The SSL Configuration
❖ Log in to the WebSphere ISC (Integrated Solutions Console)
❖ Security - SSL certificate and key management
55. Adding A New Certificate To WebSphere
❖ Go to the CellDefaultTrustStore; if the certificate already exists on another server you can "Retrieve from port"
❖ "Retrieve from port" trusts whatever the remote end presents, so compare the fingerprint it shows with the one you expect before accepting it
❖ Add your root and intermediate certificates here
  • 56. Personal Certificate Request ❖ The simplest way to generate a WAS certificate ❖ create a CSR in WAS ❖ “receive” it into WAS when sent from the CA ❖ you can’t “receive” a certificate you didn’t request
  • 57. WebSphere and 4096 Key Length Certificates ❖ A 4096 certificate can generate an error when attempting to add to WebSphere ❖ “RSA premaster secret” ❖ You need to add the unrestricted policy files to WebSphere for the 4096 certificates to be imported
  • 58. The Unrestricted Policy Files ❖ ibm.co/1JZGs3z
• 59. Exporting A Certificate From WebSphere
❖ Export a WAS certificate so that it can be imported onto other systems
❖ Such as a keyfile database generated by ikeyman and used by IBM HTTP Server
• 60. Working With Ikeyman
❖ There are different versions of ikeyman that create keyfile databases recognised by different products
❖ Look in the program directory for your installed product to find the right one
❖ For IBM HTTP Server the file is in /IBM/HTTPServer/bin
❖ On Linux you’ll need to configure X11 forwarding if you don’t have a graphical interface
• 61. Working With IKeyMan - Signer Certificates
❖ Import the WebSphere certificate we extracted earlier
❖ Add root and intermediate certificates
  • 62. Working With IKeyman - Personal Certificates
• 63. Editing httpd.conf to add SSL configuration
❖ Example content:
❖ LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
❖ Listen 0.0.0.0:443
❖ <VirtualHost *:443>
❖ SSLEnable
❖ SSLProtocolDisable SSLv2
❖ </VirtualHost>
❖ KeyFile /opt/IBM/HTTPServer/Plugins/config/webserver1/plugin-cfg.kdb
❖ SSLDisable
❖ Restart IHS - use netstat to see if 443 is active and listening
❖ Check IHS logs for SSL errors
❖ If WebSphere doesn’t have a copy of the IHS certificate and IHS doesn’t have a copy of the WebSphere certificate, or they don’t share a trusted root, they won’t be able to communicate
• 64. SSL and Development
❖ Despite the initial pain, see if you can get a proper production SSL certificate to use on your development environment
❖ If you cannot (for cost reasons), ensure you create a self-signed cert that is EXACTLY the same type as your production environment
❖ Identify ALL your third party libraries to your admins, as well as any changes in versions, in a proper release document, particularly if you are overriding an existing library on the server
  • 65. Testing SSL On Your Site ❖ https://www.ssllabs.com/ssltest/
• 66. What Else?
❖ You can’t stay ahead of the hackers but you must be vigilant and keep up
❖ Have a plan for monitoring
❖ Have a plan for lock down at the first appearance of exposure
❖ Have a plan to fix the vulnerability
❖ Have a plan to identify what information may be compromised
❖ Have a plan to make that information of as little value as possible
• 67. Resources
❖ Working with OpenSSL https://www.feistyduck.com/books/openssl-cookbook/
❖ Creating SHA2 For Domino http://turtleblog.info/2015/06/22/creating-sha-2-4096-ssl-certificates-for-domino/
❖ Unrestricted policy files for WebSphere http://www-01.ibm.com/support/docview.wss?uid=swg21663373