Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

Traveler 9.0.1 IF7

Daniel Nashed  7 November 2014 08:48:22
Finally Traveler 9.0.1 IF7 is available.

I don't see a fixlist yet, but I got a fixlist from a customer for the latest hotfix he got.


The IF should fix all attachment issues that came up with IF6, includes the latest Android client, and should also have an updated certificate for APNS.


So now you can install 9.0.1 IF7 in combination with Domino 9.0.1 FP2 IF1, which introduces TLS 1.0, in one go with just one downtime.

FixCentral Download Link:


http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Lotus&product=ibm/Lotus/Lotus+Notes+Traveler&release=9.0.1&platform=All&function=all


-- Daniel

    Some Additional TLS 1.0 Information

    Daniel Nashed  6 November 2014 16:28:26
    TLS 1.0 and the removal of SSL 3.0 from browsers, which triggered the whole discussion, is not just something that needs to be addressed on a Domino server.
    IBM has done a lot of work in quite a short time, and now that customers are implementing the fix it shows that other software is affected too.

    Introducing TLS 1.0 for Domino was the first step from IBM to ensure that clients that only support TLS 1.0 and higher can still connect to the Domino server.
    For now IBM still has SSL 3.0 enabled to allow communication with software that does not yet support TLS 1.0, and they are protecting clients from downgrade attacks as mentioned in the IBM technotes.

    Notes Client Software

    But Domino is not the only server in most customer environments. Many companies completely disable SSL 3.0 and cause issues for other client software.
    Notes Clients are also affected, for example when connecting to other HTTP servers or using secure IMAP, POP3, LDAP or SMTP.

    For example, here in Germany GMX, one of the larger, well-known email providers, disabled SSL 3.0.
    In that case you need a fix on the Notes Client side. IBM did not yet ship the full set of clients because they are waiting for some, I think unrelated, Java patches.

    But because there is also an enhancement for SHA256 in the cert request database, IBM already shipped the Win32 Standard Client.
    The download is a bit more difficult to find on Fix Central, but you should find it using the following link.

    http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ELotus&product=ibm/Lotus/Lotus+Notes&release=9.0.1.2&platform=Windows&function=fixId&fixids=Notes_901FP2IF2_W32_Standard&includeSupersedes=0&source=fc

    If you need a client connection for one of the internet protocols and the server only supports TLS 1.0, you will need to install this IF.

    Other Client Software -- Other Issues


    Notes/Domino is not the only application having issues with servers that don't support SSL 3.0 any more or servers that changed the way they negotiate SSL versions.
    Domino, for example, has SSL 2.0 including the SSL 2.0 handshake disabled as of 9.0.1 FP2 IF1. Other servers might have done the same or similar.

    This leads to interesting interoperability challenges. For example, older OpenSSL versions do not negotiate their SSL level nicely with Domino servers without explicitly specifying TLS 1.0, as Andrew Pollack found out.
    In the case of wget in combination with an older OpenSSL version, according to IBM the negotiation failed because that OpenSSL version used a V2 handshake, which failed and stopped the negotiation.

    And there might be other application issues where a server does not work nicely with your Java 1.6 application (which supports TLS 1.0 but maybe not the ciphers the server is expecting).
    Java 1.7 also supports TLS 1.1 and 1.2, but you cannot switch to the later Java version in all cases.

    I have tested Java 1.6 in Notes with an unpatched Notes client against a server that has SSL 3.0 completely disabled, and the Java agent worked unmodified.
    But there are other parts of Notes that use the native SSL stack. And from what I heard from IBM, some parts of Java also seem to use the native Notes/Domino stack instead of the Java stack.


    So when the browser vendors decided to stop supporting SSL 3.0, they did not just challenge the server vendors: because of the impact on client software, all applications using SSL connections might be affected.
    When introducing new versions of software that support TLS and might not support SSL 3.0 at all, or negotiate the session differently, you really have to test all your applications and see which SSL level and which types of ciphers they support.


    The SSL Labs test website (https://www.ssllabs.com/ssltest/) simulates what happens when you access your server with various client software; you should check whether your server supports a cipher for all of your client access types.

    As I said, this is not just a challenge for Domino but also for other applications, even if they are totally unrelated, because many vendors are working on their SSL stacks (or administrators are disabling SSL 3.0 and below).

    Sometimes you have to specify the right SSL level (currently TLS 1.0 for Domino) to establish a connection, and that can even be good from a security point of view.

    On the other side you might have to think about updating the software on the client machine itself. For example, older versions of OpenSSL should be updated to solve SSL handshake issues.

    There are many parts you should test. This post should just give you some more background and a heads-up about what could break now or in the near future when more and more servers are patched or reconfigured. In many cases the solution is to update your software.


    -- Daniel



    Domino TLS 1.0 SHA-2 Support to prevent POODLE has been shipped today

    Daniel Nashed  4 November 2014 01:14:16

    Update 5.11.2014: Before I get more questions about it: the IF has been removed from the download site and will be back soon.

    There was a missing fix that needed to be added that had nothing to do with the TLS changes.


    Update 6.11.2015: the fixes are back on the download site.

    As blogged before, IBM was already working on addressing the POODLE attack by finally implementing TLS 1.0 for all internet protocols.


    Today IBM shipped an Interim Fix to introduce TLS 1.0, which is very important because many browsers and other software vendors are about to drop SSL 3.0 support.

    So you need those fixes to continue to use secure protocols like HTTPS, secure SMTP, LDAP, IMAP, POP3 and DIIOP.


    There are a couple of changes which are described in the following Wiki documents, and a couple of additional Wiki documents provide further information.


    Basically this fix allows TLS 1.0 and also lets you use SHA-2 based certificates with a newly introduced command-line keyring tool called "kyrtool".

    The tool is a command-line application that can manage your keyring files with SHA-2 support, so you don't need the old ikeyman tool that many of us used before, with all its limitations.

    I have been testing the tool on Windows and Linux and it is working like a charm. The Wiki contains step-by-step instructions on how to use it in combination with openssl to generate a private key and signing requests and to import trusted roots and certificates.


    You find very detailed step by step documentation in the referenced links.


    And you can start downloading the fix and the kyrtool today!
    I already have it running on my production Traveler server on Linux 64.


    Here are the details including download links and detailed descriptions.


    For TLS 1.0 support you just need to install the hotfix and the defaults should just work. You need no additional settings.

    Note: IBM did not disable SSL 3.0 in this first step, for compatibility reasons. The first IF is intended to introduce TLS 1.0 to allow all applications to continue to work with Domino.


    With this fix, Domino prevents a downgrade attack if the client requested TLS 1.0. Some applications will still report that your server is vulnerable to POODLE because Domino still supports SSL 3.0, but this is not completely true: that's just a basic check for SSL 3.0.
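To make the two negotiation failures discussed on this page concrete (an old OpenSSL/wget sending an SSL 2.0-style handshake to a server that has the V2 handshake disabled, and a server refusing a protocol downgrade when the client could have used TLS 1.0), here is an added example of how a server-side check can classify an incoming ClientHello. This is illustration code written for this page, not IBM's or Domino's implementation. It assumes the standard downgrade signal from RFC 7507, the TLS_FALLBACK_SCSV pseudo cipher suite; the post does not say which mechanism IBM's fix uses, so that is an assumption. The sample messages are constructed in the script, not captured traffic.

```python
"""Classify a TLS/SSL ClientHello the way a server-side downgrade check would."""
import struct

TLS_FALLBACK_SCSV = 0x5600          # RFC 7507 signalling cipher suite value (assumed mechanism)
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def classify_hello(data: bytes) -> str:
    """'sslv2' for a V2-style ClientHello, 'record' for an SSL 3.0/TLS record, else 'unknown'."""
    if len(data) < 3:
        return "unknown"
    # SSL 2.0 ClientHello: 2-byte length with the high bit set, then message type 1.
    if data[0] & 0x80 and data[2] == 0x01:
        return "sslv2"
    # SSL 3.0 / TLS: record type 22 (handshake), major version byte 3.
    if data[0] == 0x16 and data[1] == 0x03:
        return "record"
    return "unknown"


def parse_client_hello(data: bytes) -> dict:
    """Extract client_version and the offered cipher suites from a ClientHello record."""
    if classify_hello(data) != "record":
        raise ValueError("not an SSL 3.0/TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:        # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    client_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                # skip the 32-byte client random
    sid_len = hello[pos]
    pos += 1 + sid_len                          # skip session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"version": client_version, "cipher_suites": suites}


def server_decision(data: bytes, server_max_version: int = 0x0301) -> str:
    """Decide like a server with the SSL 2.0 handshake disabled that honours TLS_FALLBACK_SCSV."""
    kind = classify_hello(data)
    if kind == "sslv2":
        return "reject: SSL 2.0 handshake disabled"
    if kind != "record":
        return "reject: unrecognised handshake"
    hello = parse_client_hello(data)
    if TLS_FALLBACK_SCSV in hello["cipher_suites"] and hello["version"] < server_max_version:
        # The client is retrying below the best version this server speaks,
        # so the earlier failure was not a genuine version mismatch: refuse.
        return "reject: inappropriate_fallback"
    negotiated = min(hello["version"], server_max_version)
    return "accept: " + VERSION_NAMES.get(negotiated, hex(negotiated))


def build_client_hello(version: int, suites: list) -> bytes:
    """Construct a minimal ClientHello record (sample input, not a captured packet)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"      # version, random, empty session id
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")      # cipher suites, null compression
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: a V2-style hello, a normal TLS 1.0 hello, and a TLS 1.0-capable
# client retrying at SSL 3.0 with the fallback signal after a failed attempt.
SSLV2_HELLO = b"\x80\x2e\x01\x00\x02" + bytes(0x2e - 3)
TLS10_HELLO = build_client_hello(0x0301, [0x002F, 0x0035])
FALLBACK_TO_SSL3 = build_client_hello(0x0300, [0x002F, TLS_FALLBACK_SCSV])

if __name__ == "__main__":
    for name, msg in [("sslv2", SSLV2_HELLO), ("tls1.0", TLS10_HELLO), ("fallback", FALLBACK_TO_SSL3)]:
        print(name, "->", server_decision(msg))
```

Note the last case: the same fallback hello is accepted at SSL 3.0 by a server whose best version is SSL 3.0, which is exactly why a scanner that only checks "does the server answer SSL 3.0" cannot tell a downgrade-protected server from an unprotected one.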


    IMHO introducing TLS 1.0 in combination with preventing protocol downgrade attacks is the right first move.

    The fixes are available for all supported platforms and releases (9.0.1 FP2, 9.0, 8.5.3 FP6, 8.5.2 FP4, 8.5.1 FP5).


    But you should be aware that SHA-2 is only available in Domino 9.0.x because 8.5.x releases "lack the cryptographic infrastructure for SHA-2".
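Since SHA-2 certificates only work on 9.0.x, it is worth checking which hash a certificate chain is actually signed with before planning a keyring migration (openssl x509 -text shows the same thing). The following is an added example for this page, not part of kyrtool or the IBM Wiki instructions: it reads just enough DER to pull the signatureAlgorithm OID out of an X.509 certificate using only the Python standard library, so it runs on a real PEM file as well as on the constructed, non-functional sample certificate the script builds for itself.

```python
"""Report whether a PEM certificate is signed with SHA-1 or a SHA-2 algorithm."""
import base64

# Signature algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) mapped to name and hash family.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
}


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    """Dotted-string form of a DER OBJECT IDENTIFIER payload."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:                 # base-128 arcs, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem: str) -> bytes:
    lines = [ln.strip() for ln in pem.splitlines() if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(lines))


def signature_algorithm(der: bytes) -> str:
    """OID of Certificate.signatureAlgorithm: the second element of the outer SEQUENCE."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)     # tbsCertificate, not needed here
    _, alg_id, _ = _read_tlv(cert, pos)   # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(oid)


def hash_family(pem: str) -> str:
    """'SHA-1', 'SHA-2' or 'unknown:<oid>' for a PEM certificate."""
    oid = signature_algorithm(pem_to_der(pem))
    return SIGNATURE_OIDS.get(oid, ("?", "unknown:" + oid))[1]


# --- constructed sample (not a real certificate: only the outer structure is valid) ---
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_certificate_pem(sig_oid: str) -> str:
    """Placeholder certificate whose only meaningful field is the signature algorithm."""
    tbs = _der(0x30, _der(0x02, b"\x01") + _der(0x04, bytes(200)))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + bytes(64))
    b64 = base64.b64encode(_der(0x30, tbs + alg + sig)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, "->", hash_family(fake_certificate_pem(oid)))
```

On a real file, pass the contents of the PEM to hash_family(); a chain file with several certificates needs to be split on the BEGIN/END markers first and each one checked, because a SHA-2 server certificate issued by a SHA-1 intermediate still carries SHA-1 in the chain.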



    Thanks to IBM and especially the security team, who did a great job in a very short time!

    They had already been working on TLS and SHA-2 support before but had to change their plans because of the short-term move to disable SSL 3.0 in browsers and other software.


    Here is the official, quite detailed IBM documentation for TLS, SHA-2, the new keyring tool "kyrtool" and information about how IBM addressed the "POODLE attack" with this fix.


    -- Daniel



    IBM Domino Interim Fixes to support TLS 1.0 which can be used to prevent the POODLE attack

    http://www.lotus.com/ldd/dominowiki.nsf/dx/IBM_Domino_TLS_1.0

    Generating a SHA-2 Keyring file

    http://www.lotus.com/ldd/dominowiki.nsf/dx/Domino_keyring

    IBM will add more articles in these categories around troubleshooting, tracing, and so on.


    http://www.lotus.com/ldd/dominowiki.nsf/xpViewTags.xsp?categoryFilter=SHA-2
    http://www.lotus.com/ldd/dominowiki.nsf/xpViewTags.xsp?categoryFilter=TLS

    TLS and SHA-2 Support and the POODLE Attack

    Daniel Nashed  21 October 2014 19:20:27

    IBM has officially responded to the POODLE attack and also officially responded to newer crypto standards.

    Very good news for Domino! IBM will introduce TLS 1.0 and SHA-2 support for all protocols soon!

    The current technotes mention a very short timeframe, and it looks like we are going to get fixes at least for the current Domino 9.0.1 code stream.

    Some fixes will also be in the 8.5.x code stream, but some of the improvements like SHA-2 support cannot be back-ported.


    So you should be prepared to deploy 9.0.1 with the current Fix Pack 2 on all your internet-facing servers!


    IBM will introduce support for the current standards soon which will also address the POODLE attack.

    IMHO the risk right now is not very high, and most of the HTTPS internet-facing servers of larger companies already use secure reverse proxies.
    But you might need to have a closer look at what crypto levels those servers currently support! You should disable SSL 3.0 on all servers as far as currently possible. This is not just true for Domino.


    IBM is working on improving the crypto "stack" in Domino in a short timeframe (part of the lower network layer, "NTI", which is the base for all Internet protocols; in consequence this also includes the keyring file used to store your internet certificates).


    Enclosed you find links to the two new technotes which provide details about what IBM is working on.


    We have been asking for years, especially for TLS 1.0 and higher support for SMTP. Now it looks like we are getting it for all other internet protocols as well!


    That's really great news!!


    -- Daniel



    How is IBM Domino impacted by the POODLE attack?


    http://www.ibm.com/support/docview.wss?uid=swg21687167


    Planned SHA-2 deliveries for IBM Domino 9.x


    http://www.ibm.com/support/docview.wss?uid=swg21418982

    Traveler Issues with Attachments containing special chars after updating to 9.0.1 IF6

    Daniel Nashed  27 September 2014 12:57:17

    Before leaving for holidays last week, the first customer contacted me about issues with attachments that have blanks, umlauts or other special characters in the attachment name.

    I could not reproduce it on iOS, but I could on Android, though without the error message in the log that he got.


    Meanwhile it is clear that this issue affects all device types, and there is a fix that should hopefully address this problem.


    IBM is working on a new IF to address the issue and possibly other related issues. Meanwhile, if you need to install IF6 for full iOS 8 support (issues with calendar, companion app) before the new IF is released, you should request a fix from IBM by opening a PMR.


    There is an APAR LO82085 describing the problem, but it only mentions the "+" sign. The problem is more general.


    Reference for this APAR:
    https://www.ibm.com/support/entdocview.wss?uid=swg1LO82085

    Here is a sample error message


    19.09.2014 07:14:09   Notes Traveler: WARNING Could not find the StreamedDataInfo: Key(86 bytes)=...Übersetzungen.doc@547EF898341C988FC1257D58001C6445_48980, RefId=... Übersetzungen.doc@547EF898341C988FC1257D58001C6445, DataSize=-1, Encoding=BASE64, StreamingCompleted=false, so the data was not streamed



    In addition to not being able to open those attachments on mobile devices, we noticed a higher CPU utilization which should be related to this problem and can be a lot higher.


    Hopefully we get a new IF soon. I will keep you posted...

    Update 28.9.2014: There are multiple hotfixes for different issues and not all problems are solved.
    If you don't use the companion or todo app you should stay on 9.0.1 IF5 and wait for IF7.

    The problem(s) seem to be more complicated to fix.


    -- Daniel



    My Top 3 Formula Commands for working in the Notes Client

    Daniel Nashed  19 September 2014 06:53:48
    None of those commands are new at all. They have all been around for a very long time. But they make my day easier.
    I am surprised that many still don't know at least the first two.
    The last one is more of a convenience when working with replicas.

    @Command([AdminRemoteConsole])

    Before Release 5 there wasn't an admin client; the admin/designer was integrated into the normal client.
    The old live console is still in the client, and you don't need an admin client, just the right permission.
    You can launch it from a SmartIcon and have a simple admin console without starting the admin client.

    @Command([Execute];"notepad"; @ConfigFile)

    Actually that is a combination of two things.
    @ConfigFile returns the location of your notes.ini. This can be very helpful if you are at another user's Notes Client and don't know where the notes.ini is located.
    You can create a new memo (Ctrl+M), write the formula in the subject and press Shift+F9 to evaluate it.
    By the way, Shift+F9 works in every field and you could also use it as a calculator.

    In combination with @Command([Execute]) this opens the notes.ini in Notepad for editing.

    @Command( [ReplicatorSendReceiveMail] )

    If you are using local replicas and got a new mail notification but the mail is not yet replicated, this command just sends and receives mail.

    All three commands are not really new but you might have forgotten about them...


    -- Daniel

      Important Update on Traveler iOS 8 Support -- You have to install an IF!

      Daniel Nashed  15 September 2014 22:23:53


      There are some last minute changes in iOS which are only in the final version.

      Apple changed the EAS Sync ID, which used to match the Device ID. There had been planning for that change for a while, but Apple should have introduced that change already in the beta releases.
      However, this change causes issues in device mapping for the companion/todo app.

      IBM released an IF for 9.0.1/9.0.0.1/8.5.3 UP2 today to address this issue and added some background logic to map the device ID.

      There is an APAR describing the issue: https://www.ibm.com/support/entdocview.wss?uid=swg1LO81842

      The problem mainly occurs when you register new devices and causes issues with the todo and companion app.
      Existing devices with existing profiles should keep their ActiveSync Device ID, but you will run into issues with newly registered users and the companion/todo app.

      The IF also addresses a couple of other issues. Some are also iOS 8 related.

      You should update your Traveler servers ASAP.

      Detlev put together a nice detailed description of what happens in the backend.
      See his blog for additional details: http://www.netzgoetter.net/internet/blogs/netzgoetter.nsf/dx/traveler-ios-8-why-you-should-update-your-servers.htm

      References for fixes for all supported versions are listed below.
      You should update even if you are not using the companion/todo app.

      IBM should have stuck with their own rule of not announcing support for something that has not yet shipped.
      But we as partners and customers wanted to know in advance which version would support iOS 8.

      Thanks for this very fast response from the Traveler team!
      There are always changes in new software releases, and I was surprised that we got a support statement before the release.

      -- Daniel


      9.0.1 IF6
      http://www.lotus.com/ldd/dominowiki.nsf/dx/Lotus_Notes_Traveler_APAR_listing#901IF6

      9.0.0.1 IF7
      http://www.lotus.com/ldd/dominowiki.nsf/dx/Lotus_Notes_Traveler_APAR_listing#9001IF7

      8.5.3 UP2 IF7
      http://www.lotus.com/ldd/dominowiki.nsf/dx/Lotus_Notes_Traveler_APAR_listing#853UP2IF7


      Traveler iOS 8 Support

      Daniel Nashed  10 September 2014 17:23:05
      Update: IBM released an IF to address some last-minute fixes required for iOS 8!!

      See this blog post for details
      http://blog.nashcom.de/nashcomblog.nsf/dx/important-update-on-traveler-ios-8-support-you-have-to-install-an-if.htm

      ---

      iOS 8 is released soon (hopefully 17.9 for existing devices) and I already got some customer questions about it.


      There is a technote describing the Traveler support for iOS 8.

      The good news: everything should work fine and new app versions for iOS are on their way.

      Traveler supports iOS 8 with 8.5.3 Upgrade Pack 2 and higher, but I would highly recommend that you update to the latest and greatest release 9.0.1 IF5 anyway.

      Only the latest IFs will recognize iOS 8 correctly because they have the built-in codes for the new OS release.


      See all details in the official support technote:


      -- Daniel


      http://www.ibm.com/support/docview.wss?uid=swg21683614&acss=danl_948_email

      Important Platform Support Additions in Notes/Domino 9.0.1 FP2

      Daniel Nashed  21 August 2014 17:59:38
      The new fixpack 9.0.1 FP2 adds support for the following platforms:

          Citrix XenApp 7.5 for Client
          Internet Explorer 11 for xPages
          RHEL7 for Server

      I got the question about RHEL7 already a couple of weeks ago, and I think it is great news to have RHEL7 support introduced with a fixpack! That does not always happen!

      The release notes have been updated today and tests are completed.

      http://www.lotus.com/ldd/fixlist.nsf/0/7ff6a78cb16153d085257d2b0062d7b8?OpenDocument


      A big thanks to IBM also for the other two important platform version updates!!

      -- Daniel

      Traveler 9.0.1 IF5 shipped

      Daniel Nashed  30 July 2014 08:06:19
      Traveler 9.0.1 IF5 shipped just in time for updating a customer yesterday, after we had planned the downtime for more than a month. Funny.
      I first updated my Linux box before updating the customer server on Windows.

      The silent install on Linux was a lot quicker than the one on Windows.

      There are a couple of important fixes for all device types and a new version of the Android client.

      http://www.lotus.com/ldd/dominowiki.nsf/dx/Lotus_Notes_Traveler_APAR_listing#901IF5


      IBM Notes Traveler 9.0.1 Interim Fix 5

      Release Date: July 28, 2014
      Component / Build Level: Server 20140723_0949; Android Client 20140717_1527
      Release Documentation: 9.0.1 IF5 Release Documentation


      APAR #   Component   Abstract
      LO78514  Server   Accepting meeting reschedule or update on iOS 7 device may not update the server copy.
      LO79236  Server   Exception thrown processing repeating event with empty date time stamp.
      LO79453  Server   Reschedule from BlackBerry device may not show correctly for attendees.
      LO79507  Server   Some calendar entries may be missing on device after issues Traveler reset.
      LO79517  Server   Extra reply notice may be generated for non-repeating event.
      LO79665  Server   Import of Notes Calendar may generate duplicate events.
      LO79714  Android  LED notification not working on some Android devices.
      LO79747  Android  Unable to reply to or forward e-mail to user name that contains an ampersand.
      LO79754  Android  Uncommon file extension may not launch when selected from Notes Traveler client on Android.
      LO79796  Android  Field used to edit Out of Office message doesn't scroll in Notes Traveler client for Android devices.
      LO79811  Server   ActiveSync provision loop may cause resync of all data.
      LO79824  Server   Traveler tracking field may grow too large in mail document.
      LO79933  Server   Device security view may not display all devices in Traveler HA Pool.
      LO79952  Server   BlackBerry device may send incorrect date for event instance.
      LO79960  Server   Third e-mail address for contact created on mobile device may get replaced by first e-mail address when edited by Notes Web.
      LO79975  Server   Plain text mail from Android should use UTF-8 encoding.
      LO79999  Server   Return receipt message not consistent with Notes Client.
      LO80087  Server   Create contact on Apple device and IM Address field may appear unexpectedly.
      LO80092  Server   Event summary data may be too large for document processing.
      LO80163  Android  German translation for ToDo not correct on Android client.
      LO80183  Server   Send mail from Apple device with no text and an image may lose the image.
      LO80296  Android  Tablet view instead of phone view displayed on Sony Xperia T2 Ultra Phone.
      LO80340  Server   Apple devices running iOS 7.1.x may periodically resync folders and other content.
      LO80343  Server   Out of Office formatting error being logged by Traveler Server.
      LO80373  Server   BB 10 device may get stuck in Calendar event sync loop.
      LO80415  Server   Double incompatible with String error message on Traveler server.
      LO80422  Server   Too many unsupported start date warning messages on Traveler server.
      LO80423  Server   Cleanup does not always cleanup all users.
      LO80425  Server   May see field too large to save document error due to presence of BlackBerry fields.
      LO80552  Android  Samsung Galaxy S5 fingerprint scanner is not recognized as valid option when password type is unrestricted.
      LO80595  Server   Deadlock on mail server table.
      LO80777  Server   Change read status for Calendar notices when processing from mobile device.
      LO80925  Server   Support confirmation notice on Apple devices when changes are included.
      LO81006  Android  Calendar alarm may not dismiss on some Android devices.
      LO81091  Server   Improve event fixup Traveler command.
      LO81158  Server   Handle NTS_BODY_THRESHOLD like normal truncation scenario