Daniel Nashed 2 July 2015 00:33:26

IBM Traveler 184.108.40.206 ships a couple of important APAR fixes for the IBM Traveler server. Some of the fixes solve problems in MIME and attachment handling which were introduced in the last releases when the new MIME handling was introduced.

Fixlist:

| APAR # | Component | Abstract |
|---|---|---|
| LO84879 | Server | Calendar notice may be sent multiple times or be sent by the server ID. |
| LO85144 | Server | E-mail containing invalid zero character in WBXML encoding may not sync correctly to mobile device. |
| LO85222 | Server | Attachment with an unknown content type may not download to device. |
| LO85237 | Server | Proxy credentials may not be removed from notes.ini during startup. |
| LO85260 | Server | When Trash sync first enabled, sync only today and later trash items to improve performance. |
| LO85283 | Server | Mime format e-mail may sync to device without the body. |
| LO85357 | Server | Attachment with forward slash in file name may not sync to mobile device. |
| LO85444 | Server | Web Admin may not show data for a user and will receive "Could not generated devicetype" error message. |
| LO85445 | Server | Attachment with multiple dot characters in file name may not sync to mobile device. |
| LO85477 | Server | On standalone server auto cleanup could impact security records then requiring re-approval if approval is enabled. |

Here is the download link --> http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Lotus&product=ibm/Lotus/Lotus+Notes+Traveler&release=All&platform=All&function=all

You should really consider updating your server if you are on 220.127.116.11 or 18.104.22.168.

-- Daniel
Daniel Nashed 30 April 2015 09:24:40

Finally, the IBM Verse app for iOS has been released: https://itunes.apple.com/de/app/ibm-verse/id949952976
You can use it to access either IBM Connections Cloud or Traveler on-premises environments.
Currently you can only use one account, against either on-premises or the cloud.
Note that the first Traveler release supporting the client is 22.214.171.124, but you should install the latest 126.96.36.199 version.
The Verse client is a container app. You can still continue to use ActiveSync with the integrated apps.
It's not a replacement. Both ways to access the Traveler server are fully supported.
If you want a container app, IBM Verse is a good option for you but you should be aware that contacts and calendar cannot be accessed outside the IBM Verse app.
What I really like are the notifications that you get via Apple push notifications.
For testing I am currently using both in parallel and get the best of both worlds.
But in normal environments you should decide for one way to access your Traveler data.
IBM published an FAQ (part of the Traveler Documentation): http://www.ibm.com/support/knowledgecenter/?lang=en#!/SSYRPW_9.0.1/iOSVerseIntro.html
Daniel Nashed 29 April 2015 10:42:56

IBM has released Traveler 188.8.131.52, which fixes the reported crash issue with MIME conversions mentioned earlier --> http://www.ibm.com/support/docview.wss?uid=swg1LO84505

If you are on 184.108.40.206 you should update asap. There are a couple of other important fixes included -- see below.

Already installed, thanks Sebastian for the heads up!

-- Daniel

| APAR # | Component | Abstract |
|---|---|---|
| LO84142 | Android | Delay in displaying name lookup results from compose dialog. |
| LO84220 | Server | Change default for number of corporate lookup results from 30 to 120 results. |
| LO84239 | Android | Search e-mail on Android Tablet may display results from wrong e-mail. |
| LO84410 | Server | Incorrect language used when processing multiple calendar notices. |
| LO84334 | Server | Decline notice from device is not compatible with Exchange Server. |
| LO84316 | Android | Android client crash on old 2.x OS devices. |
| LO84411 | Server | Mime format calendar entries may not display special characters correctly. |
| LO84490 | Android | Send mail gets stuck in Outbox if the user is over quota. |
| LO84505 | Server | Server may crash processing a Mime document with invalid format. |
| LO84520 | Android | Imported calendars on Android device may not update unless there is Traveler Calendar update. |
| LO84555 | Server | Server busy message sent to the device may be misleading as to cause. |
| LO84568 | Server | Pre-approval and delete API may fail if orphan records encountered. |
| LO84569 | Server | Server performance issue related to HTTP getStatus request. |
| LO84597 | Server | E-mail using Delivery failure form may not sync full body to mobile device. |
| LO84660 | Server | Plain text conversion is adding extra space for div html tag. |
| LO84662 | Server | Mime format document with both plain and html text may not sync the plain text to the mobile device. |
| LO84663 | Server | Android may stop syncing mail after encountering a malformed Mime format document. |
| LO84665 | Server | Embedded images with name mime.jpg will not sync to mobile device. |
| LO84684 | Server | Change to device security settings may not sync immediately to BB and Windows devices. |
| LO84686 | Server | User stops receiving mail for couple hours if all mail replicas restarted in close proximity. |
| LO84723 | Server | No invitee status displayed for meetings created from Android client. |
Daniel Nashed 13 April 2015 09:05:51

You might want to wait before updating your Traveler server to 220.127.116.11 because of a MIME related bug that can cause crashes.
IBM now released a technote with official information about the issue --> Technote 21701590
If you already updated and have abnormal process terminations in the Traveler servertask you should not try to downgrade but instead request a fix from IBM (going back to an earlier version would cause a complete resync of all devices).
IBM is working on a 18.104.22.168 version which will, according to the technote, be released in April.
I am running 22.214.171.124 since it was released and did not yet run into a crash.
But if you did not update yet you should wait for 126.96.36.199.
Daniel Nashed 7 April 2015 10:12:21

There is a new version of the start script for Domino on Linux (also AIX and Solaris) that supports RHEL 7 and SLES 12, which are both now using systemd instead of the older init scripts. When you are migrating to one of those platforms you have to switch to the new start script and also use systemd to start/stop your Domino server.

Also on the new versions of Linux the start script remains the main entry point for all your operations with the server. But for start and stop you will need root permissions, or your Linux admin can allow you to use the start script with root permissions via "sudo". The start script can invoke all the needed systemd commands to start and stop the Domino server. But you can also use the systemd commands instead.

I have updated and partly rewrote the documentation. If you are familiar with the start script already you should be aware that there are some changes.

There is a new "domino.service" file which represents the systemd service. You need one of those files for each partition along with the rc_domino file. In the domino.service file there are references to the rc_domino_script which need to match the path where you have installed the script. And rc_domino also needs to know which service file should be used. By default the service name is commented out to work with previous versions. If you are running with systemd you have to set the "DOMINO_SYSTEMD_NAME" variable to your domino.service.

The documentation contains information about all changes and there is a "systemd" section in the readme as well.

In addition I added another status command. "statusd" gives you the systemd status for your service. And I have also added another, unrelated command which I wanted for my own environments. The "resources" command shows you all resources the server currently uses (processes, shared memory, semaphores, MQs ..).

Here is a link to the script page --> http://www.nashcom.de/nshweb/pages/startscript.htm

You can request the new version with the form on that page. There are also some other minor changes, all documented in the version history. If you have any questions let me know by mail.

Enjoy the new version

Daniel
Daniel Nashed 6 April 2015 22:58:19

As posted before, Java 6 and 7 cannot handle DHE key sizes above 1024 bit. The work-around was to limit the DHE key size via the notes.ini parameter SSL_DH_KEYSIZE=1024. But this reduced the key size for all other clients that used DHE as well.

There is another way to work around this limitation. Java 6 and 7 only support the following DHE cipher:

33 - DHE_RSA_WITH_AES_128_CBC_SHA

This is the weakest DHE cipher supported by Domino. If we disable this cipher, Java will not use DHE any more and we are not limited by the DHE 1024 bit key size that is the maximum size that Java supports. For Java 8 a different DHE cipher is implemented and the 1024 bit limit does not apply.

Disabling this cipher results in the following ciphers being used for Java:

| Client | Protocol | Cipher | Forward secrecy | Bits |
|---|---|---|---|---|
| Java 6u45 | TLS 1.0 | TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) | No FS | 128 |
| Java 7u25 | TLS 1.0 | TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) | No FS | 128 |
| Java 8u31 | TLS 1.2 | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) | FS | 128 |

This sounds like a good work-around for the Java DHE key-size limitation. The resulting cipher spec for DHE with all other recommended ciphers enabled is the following:

SSLCIPHERSPEC=9D9C3D3C352F0A39676B9E9F

For more details check my previous blog posts.

-- Daniel
Daniel Nashed 3 April 2015 08:38:12

There is a newer version of the key ring tool that has been released on Fix Central. Here is the list of fixes for the newer version. You should also update your client and server to the latest available IF because there are also fixes in the back-end for some issues parsing certificates.

By the way ... I really like the command line kyrtool. A couple of days ago a customer asked me for some maintenance of their existing key ring files. Their CA expired and we had to remove the root CA from over 150 key ring files. Using a shell script in combination with the kyrtool allowed me to export the private key and certificates, use "sed" to modify the file, create a new key ring file, re-import and verify the key ring file. We even dumped information about the keys, certs etc. and the validation of the key ring files into a CSV file to have an overview :-)

-- Daniel

| SPR | Abstract |
|---|---|
| DKEN9U5UEX | Fix crash if pem file provided as input file has embedded nulls |
| KLYH9UBNGW | Add Sha 256 Pinning to the kyrtool - displaying the digest on show commands |
| MKIN9QHT5W | Fix kyrtool crashing when attempting the create command and giving an existing directory for the keyfile name |
| DKEN9RVQGD | Fix kyrtool sometimes erroring on import all command |
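The maintenance job described above (export the key ring contents, drop one root CA from the PEM bundle, re-import and keep a CSV overview) as an added example in Python rather than the author's shell script, which is not part of the post. It works on the PEM text that kyrtool's show and import commands exchange and identifies the certificate to remove by its SHA-256 digest over the DER bytes, the same kind of digest the new kyrtool displays on show commands. The sample bundle, its base64 payloads, the key ring name "server.kyr" and the function names are all constructed for the example; the payloads are placeholders and not real keys or certificates, and the kyrtool create/import/verify steps themselves are left to the surrounding shell script.

```python
import base64
import csv
import hashlib
import io
import re

# Constructed sample bundle in the order a kyrtool export produces it:
# private key first, then the server certificate, then the (expired) root CA.
# The base64 bodies are placeholders, not real key or certificate material.
SAMPLE_BUNDLE = """-----BEGIN RSA PRIVATE KEY-----
UExBQ0VIT0xERVIgUFJJVkFURSBLRVk=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgU0VSVkVSIENFUlQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgT0xEIFJPT1QgQ0E=
-----END CERTIFICATE-----
"""

# One PEM block: the END label must match the BEGIN label (backreference \1).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----\r?\n?", re.DOTALL)


def split_pem(bundle):
    """Return the PEM blocks of a bundle as (label, base64 body) tuples, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(bundle)]


def join_pem(blocks):
    """Rebuild a bundle from (label, body) tuples, preserving their order."""
    return "".join(f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"
                   for label, body in blocks)


def sha256_fingerprint(block):
    """SHA-256 over the DER bytes of one block (base64 body decoded), as upper-case hex."""
    _label, body = block
    der = base64.b64decode("".join(body.split()))
    return hashlib.sha256(der).hexdigest().upper()


def certificate_present(bundle, fingerprint):
    """True if a CERTIFICATE block with this fingerprint is in the bundle.
    Key blocks are ignored on purpose so a key can never be matched for removal."""
    return any(label == "CERTIFICATE" and sha256_fingerprint((label, body)) == fingerprint
               for label, body in split_pem(bundle))


def remove_certificate(bundle, fingerprint):
    """Return the bundle without the CERTIFICATE block carrying the fingerprint.
    Raises if nothing matched, so a script never silently re-imports an unchanged
    bundle and believes the old root is gone."""
    blocks = split_pem(bundle)
    kept = [b for b in blocks
            if not (b[0] == "CERTIFICATE" and sha256_fingerprint(b) == fingerprint)]
    if len(kept) == len(blocks):
        raise ValueError(f"no certificate with fingerprint {fingerprint} in bundle")
    return join_pem(kept)


def summary_csv(keyring_name, bundle):
    """CSV overview (key ring name, block type, SHA-256) of every block in a bundle."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["keyring", "type", "sha256"])
    for block in split_pem(bundle):
        writer.writerow([keyring_name, block[0], sha256_fingerprint(block)])
    return buf.getvalue()


if __name__ == "__main__":
    # Pick the expired root by its digest (here: the last block of the sample),
    # strip it and print the overview that would go into the CSV file.
    expired_root = sha256_fingerprint(split_pem(SAMPLE_BUNDLE)[2])
    cleaned = remove_certificate(SAMPLE_BUNDLE, expired_root)
    print(summary_csv("server.kyr", cleaned))
```

In a real run the fingerprint of the expired root is taken once from its own PEM file and then applied to every exported bundle in the loop, which avoids matching on text positions the way a plain sed expression has to.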
Daniel Nashed 3 April 2015 08:15:05

As posted before, there is a compatibility issue for the jconsole / Java server controller introduced in 9.0.1 FP3. IBM shipped a newer JVM in 9.0.1 FP3 with SSLv3 disabled. Previous versions used SSLv3 only, even though the JVM would have supported TLS 1.0.

So once you update your server but not your client you cannot access your server over the server controller. If you update your client but not your server you run into the same issue the other way round. The only solution was to have two separate clients for patched and unpatched servers.

Ben Rose got a solution for this issue from IBM after escalating the problem. According to Ben there is a way to re-enable SSLv3 on your Notes client. You can set the following system variable on your workstation to pass the parameter to the embedded JVM used for the jconsole.

Variable: JAVA_TOOL_OPTIONS
Value: -Dcom.ibm.jsse2.disableSSLv3=false

This should allow you to connect again from a 9.0.1 FP3 jconsole to 8.5.x, 9.0.1 and 9.0.1 FP3 servers. Don't forget to remove the parameter once all your servers have been updated!

Thanks Ben for insisting on getting a solution and posting how to work around the issue!
Daniel Nashed 2 April 2015 10:22:10

Traveler 188.8.131.52 has shipped with a couple of interesting new features. And the what's new section gives you some other interesting hints. I have copied the what's new information into this document but want to give you some additional hints.

We had many customers asking for Trash folder sync support. It was already included in a previous version but disabled by default -- apparently because they needed to do some more testing. Now it is enabled by default.

The Google Cloud Messaging (GCM) support for Traveler Android clients can be very helpful to improve battery life because no active HTTP session is needed for push notifications. For GCM you need the following requirements:

The IBM Traveler server will attempt to communicate with the Google Cloud Messaging service using host android.googleapis.com using port 443. Make sure that your firewall allows this connection!!! For more details see --> https://developer.android.com/google/gcm/http.html

The IBM Traveler server will not attempt to contact GCM until it has a reason to do so. To verify that this connection is working, you should first connect an IBM Traveler for Android client from a device that is also logged in with a Google account. On the Traveler server, run the command: tell traveler push cmstatus

See details here --> http://www.ibm.com/support/knowledgecenter/SSYRPW_9.0.1/google_messaging.dita

Traveler 184.108.40.206 also supports the new iOS Verse app which is currently in beta. The what's new section officially mentions it so I can officially speak about it. IBM Verse is available already but the iOS mobile client is not yet available. There will be a native iOS app that connects to IBM Verse and also to your Traveler servers. This Traveler version has official support for the Verse app. There is a side note that this is only supported when your Traveler server is running on top of Domino 9.0.1.

I would always recommend installing the latest Traveler version along with the newest Domino release. Especially if you need TLS encryption you want to install the latest IF that introduced TLS 1.2 support for Domino.

There are also a couple of additional fixes, listed in the fixlist (see link at the end of the post). You can download the latest updates using Fix Central as usual.

-- Daniel

What's new in IBM Traveler 220.127.116.11

IBM Traveler 18.104.22.168 delivers the following new features for its supported devices.

IBM Verse for iOS client support
If you are part of the IBM Verse for Apple iOS program, you can connect the IBM Verse app to this version of the IBM Traveler server. There are some differences in functionality when the IBM Verse app connects to this on premises version of IBM Traveler versus when it connects to Connections Cloud.

Trash folder syncing
Support for the syncing of the Trash folder is now available in the client. However, it is dependent on the IBM Traveler server also providing this support. When the client is running against a server that supports Trash, a Trash folder will appear in IBM Traveler Mail. Deleted items will appear in the Trash folder and may be restored or permanently deleted from the Trash folder.

Invitee status
As the meeting organizer or chairperson, you now can see the response status for the attendees of your meeting on your mobile device.

Google Cloud Messaging support for IBM Traveler for Android clients
This version of the IBM Traveler server can now use Google Cloud Messaging (GCM) for real time push notifications to keep your Mail, Calendar, Contact and To Do data on your IBM Traveler for Android clients up to date. Using GCM can greatly improve the battery life of Android devices using IBM Traveler, as IBM Traveler no longer needs to stay constantly connected via HTTP to the IBM Traveler server for push notifications. For more information, refer to Google Cloud Messaging for IBM Traveler for Android clients and How do I configure automatic syncing on an Android device?.

Expanded Domino server support
This version of the IBM Traveler server can now be installed on 3 different base Domino servers:
IBM Domino 8.5.3 with Upgrade Pack 1 installed (excluding IBM Traveler for iSeries)
IBM Domino 9.0
IBM Domino 9.0.1
In the past, the IBM Traveler server could only have been installed on the latest Domino release. But now the IBM Traveler installer is able to detect which of the above Domino versions the IBM Traveler server is being installed onto, and install the appropriate binary files for that version. There are some limitations when running on a Domino 8.5.3 server versus a Domino 9.0.1, and the recommendation is to install the Traveler server on a Domino 9.0.1 server to gain access to the largest set of Traveler server features. IBM Traveler for iSeries must be installed on a Domino 9.0 or Domino 9.0.1 server. The IBM Verse client is only supported when Traveler is installed on a Domino 9.0 or Domino 9.0.1 server.

Note: If you change the version of Domino server after installing the Traveler server, you must re-install Traveler again. All data will be preserved, but the re-install is required so that Traveler installs updated binary files that match the updated Domino server.

Links:
What's new in IBM Traveler 22.214.171.124: https://www.ibm.com/support/knowledgecenter/SSYRPW_9.0.1/Whats_new_in_Lotus_Notes_Traveler_9.dita
Fixlist: http://www.ibm.com/support/docview.wss?uid=swg21700212
Daniel Nashed 1 April 2015 12:24:03

Yesterday at the Engage conference in Ghent (http://www.engage.ug/) I gave an updated presentation based on the ConnectED 2015 presentation.
I added most of the new notes.ini parameters and also information on how to enable those new ciphers, rewrote/reordered a bunch of slides and added more information after the latest IF was shipped.
During the conference I got the question what I would recommend.
Here is what I would recommend for the latest fix -- which is sort of a short summary of the presentation.
By default some of the new ciphers are already enabled. And all other security functionality introduced is enabled by default. I would recommend not disabling them if you don't really need to.
There are a couple of options that you might still want to consider based on your environment. Note: The current IF completely ignores all SSL settings in the server/internet site doc.
With previous fixes you have been able to specify the ciphers still in the server/internet site doc but it was recommended to already make changes using the SSLCipherSpec described in the presentation.
-- Disable SSLv3 --
I think it is time to completely disable SSLv3 on Domino because almost all applications and browsers support at least TLS 1.0.
-- Re-Enable SSL V2 HELLO if you really have to --
If you are running a public SMTP server you don't control what your customers, partners and others do with their SMTP servers.
In some cases they are still using an older version which still tries an old SSL V2 HELLO.
By default Domino has this old version of the handshake disabled.
As blogged before you can re-enable it since the previous IF with the following notes.ini variable.
-- Enable DHE Ciphers if you need "PFS" --
If you are interested in using the new PFS ciphers I mentioned in my last blog post (DHE ciphers which will provide PFS for most clients) you really have to think about balancing higher CPU overhead and maybe slower response time against security.
You could enable it and check what additional CPU overhead you have afterwards.
A good cipher spec to configure in that case would be:
This would give you the currently enabled default ciphers + the new DHE ciphers which are not enabled by default for performance reasons.
9D = RSA_WITH_AES_256_GCM_SHA384
9C = RSA_WITH_AES_128_GCM_SHA256
3D = RSA_WITH_AES_256_CBC_SHA256
3C = RSA_WITH_AES_128_CBC_SHA256
35 = RSA_WITH_AES_256_CBC_SHA
2F = RSA_WITH_AES_128_CBC_SHA
0A = RSA_WITH_3DES_EDE_CBC_SHA
New DHE ciphers (for PFS support), not enabled by default:
33 = DHE_RSA_WITH_AES_128_CBC_SHA
39 = DHE_RSA_WITH_AES_256_CBC_SHA
67 = DHE_RSA_WITH_AES_128_CBC_SHA256
6B = DHE_RSA_WITH_AES_256_CBC_SHA256
9E = DHE_RSA_WITH_AES_128_GCM_SHA256
9F = DHE_RSA_WITH_AES_256_GCM_SHA384
-- In case of Java Apps reduce the DHE Key Size used --
In addition if you have Java applications accessing your server they will use the DHE ciphers.
But Java 1.6 and 1.7 do only support key length up to 1024 bit.
So in that case you have to reduce the key length for the DHE ciphers (which will let the DHE ciphers be rated as sort of "weak" by some SSL testing sites).
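The two ways of dealing with the Java 6/7 DHE limit (the SSL_DH_KEYSIZE=1024 work-around above and the "drop cipher 33" work-around from the 6 April post) are easiest to compare by decoding the SSLCIPHERSPEC value itself. The following Python is an added example, not from the blog or from IBM: it splits a spec into its two-digit cipher codes using the cipher table given in this post, flags malformed specs (odd length, non-hex, codes not in the table, duplicates) so a typo in notes.ini does not silently drop ciphers, and reports whether the spec still offers PFS and whether a Java 6/7 client would end up on DHE, given the post's statement that 33 is the only DHE suite those clients support. The function names and the `JAVA6_7_DHE_CODES` set are assumptions of the example.

```python
import re

# Cipher codes and names exactly as listed in the post (Domino SSLCIPHERSPEC
# uses two hex digits per suite, concatenated without separators).
DOMINO_CIPHERS = {
    "9D": "RSA_WITH_AES_256_GCM_SHA384",
    "9C": "RSA_WITH_AES_128_GCM_SHA256",
    "3D": "RSA_WITH_AES_256_CBC_SHA256",
    "3C": "RSA_WITH_AES_128_CBC_SHA256",
    "35": "RSA_WITH_AES_256_CBC_SHA",
    "2F": "RSA_WITH_AES_128_CBC_SHA",
    "0A": "RSA_WITH_3DES_EDE_CBC_SHA",
    "33": "DHE_RSA_WITH_AES_128_CBC_SHA",
    "39": "DHE_RSA_WITH_AES_256_CBC_SHA",
    "67": "DHE_RSA_WITH_AES_128_CBC_SHA256",
    "6B": "DHE_RSA_WITH_AES_256_CBC_SHA256",
    "9E": "DHE_RSA_WITH_AES_128_GCM_SHA256",
    "9F": "DHE_RSA_WITH_AES_256_GCM_SHA384",
}

# Per the post, the only DHE suite Java 6 and 7 negotiate (assumption of the
# example that this set is complete for the Domino cipher list above).
JAVA6_7_DHE_CODES = {"33"}


def parse_cipher_spec(spec):
    """Return the cipher codes of an SSLCIPHERSPEC value (with or without the
    'SSLCIPHERSPEC=' prefix), in the order Domino will offer them.
    Raises ValueError on odd length, non-hex characters, unknown or duplicate codes."""
    value = spec.split("=", 1)[1] if "=" in spec else spec
    value = value.strip().upper()
    if len(value) % 2 or not re.fullmatch(r"[0-9A-F]*", value):
        raise ValueError(f"malformed cipher spec: {spec!r}")
    codes = [value[i:i + 2] for i in range(0, len(value), 2)]
    unknown = [c for c in codes if c not in DOMINO_CIPHERS]
    if unknown:
        raise ValueError(f"unknown cipher codes: {unknown}")
    if len(set(codes)) != len(codes):
        raise ValueError(f"duplicate cipher codes in {spec!r}")
    return codes


def is_valid_spec(spec):
    """Boolean form of parse_cipher_spec for use in scripts and checks."""
    try:
        parse_cipher_spec(spec)
        return True
    except ValueError:
        return False


def cipher_names(spec):
    """Human-readable names for the codes in a spec."""
    return [DOMINO_CIPHERS[c] for c in parse_cipher_spec(spec)]


def has_pfs(spec):
    """True if at least one DHE suite is enabled (PFS for clients that support it)."""
    return any(DOMINO_CIPHERS[c].startswith("DHE_") for c in parse_cipher_spec(spec))


def java6_7_negotiates_dhe(spec):
    """True if a Java 6/7 client would pick a DHE suite from this spec, which is
    the case where the 1024 bit DHE limit (and SSL_DH_KEYSIZE=1024) would matter."""
    return any(c in JAVA6_7_DHE_CODES for c in parse_cipher_spec(spec))


def assess(spec):
    """Summarise the trade-off for one spec: do modern clients get PFS, and
    does the operator still have to cap the DHE key size for Java 6/7?"""
    return {
        "ciphers": cipher_names(spec),
        "pfs_for_capable_clients": has_pfs(spec),
        "java6_7_on_dhe": java6_7_negotiates_dhe(spec),
        "dh_keysize_1024_still_needed": java6_7_negotiates_dhe(spec),
    }


if __name__ == "__main__":
    # Spec from the 6 April post: all DHE suites except 33.
    for name, spec in [("without 33", "SSLCIPHERSPEC=9D9C3D3C352F0A39676B9E9F"),
                       ("with 33", "SSLCIPHERSPEC=9D9C3D3C352F0A3339676B9E9F")]:
        print(name, assess(spec))
```

Run against the spec from the 6 April post the summary shows PFS still available for clients that support the other DHE suites while Java 6/7 are no longer on DHE, so SSL_DH_KEYSIZE=1024 is not needed; add 33 back and the key size cap is needed again for everybody.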
-- Get a proper SHA-256 based Certificate --
In addition you have to ensure that you are using a proper SHA-256 based certificate.
That's a very short summary of recommendations from my presentation, depending on your needs.
You should be careful when you disable some of the default ciphers.
All of them are currently rated as secure. And if you disable a cipher you could end up having no cipher in common with one of your SSL clients.
I hope this short summary is helpful.