Key Rollover vs Certifier rollover

This is probably a topic many admins never really looked into and you might still run with your very old 630 key size.
Key size and certificate key size play an important role in your security and you should be aware of it.

Key Rollover

Rolling over keys is a quite normal operation.
It's a best practice to rotate keys at least when the recommended key strength changed.
Rolling over a key is client side initiated but requires an admin action.

When you rollover a key, the old key remains in your notes.id and you can still use it to decrypt existing data.
So it is important to use a key rollover and not just create a new ID!
The key is created by the user or for a server there are settings in the admin tab of the server document when to create a new key.
Once the key has been created, the key needs to be certified by the according Notes certifier.
The signed key is then added to the server document and is picked up by the Notes client or server and merged into the Notes.ID

For Notes clients the client takes care of updating the Notes.ID in ID Vault if configured.
This flow works well without having any physical ID Notes client or server ID in hand.
The certificate chain remains the same and you are just getting a new certificate issued.



Certifier Rollover

When rolling over certifiers you are creating a new key for your certifier and sign it with the right signing ID.
For your organization certifier this will be the organization certifier itself which signs itself.
Once that operation completes you have to re-sign all OU certifiers, server IDs and Notes.IDs step by step in this order.
You also have to take care of all cross certificates, Vault trust certificates.
The process is quite complex and needs planning:
https://help.hcl-software.com/domino/14.0.0/admin/conf_certificateauthoritykeyrollover_t.html


Don't perform Key rollover and certifier rollover at the same time

The most important part is that you should be aware of is that combining both operations are not a good idea.

You should either perform a key rollover or a certifier rollover at any given time.
Combining both could end up in an undesirable state.

Key rollovers are standard operations which are performed on a single client.id or server.id.
They are client driven and might be spread over weeks to avoid all operations starting at the same time.
The client side is triggered by the security policy. For the server side the trigger is the admin tab of the server document.

I just performed a key rollover last night for all my server keys. Which was a very straight forward process.
But it needed a reboot of the server.

Probably I would perform the key rollover first if you have very old server or client.ids.

Then look at your certifier and OU certifiers if you need to also roll them over.
But this needs planning and you should avoid client and server key rollover during that time.

You might also look into your existing trust like cross certificates.
I just cleaned up many old cross certificates last night as a preparation step.


Notes.ID encryption

Another component in security is also important but separate.
Notes.IDs with a password encrypt IDs locally with an encryption standard and a way to hash the password.

The encryption of a Notes.ID locally can be set when you change your password.
But you can also specify the Notes.ID file encryption and hash algorithm used in the security policy.

The most secure option you can select today in your security policy is:

Mandated encryption standard: 256 bit AES and SHA-512

Once set all your Notes.IDs should be changed step by step to this encryption standard.
This doesn't change the content of the Notes.ID, just the local encryption.

• Comments [0]

Notes intermittently hangs or opens mail or other database slowly after 30 minutes of inactivity

This might help you in some network situations and it came up today in the OpenNTF Discord chat.

TCP/IP keep alive is a functionality in the network stack to tell the server's TCP/IP stack and also the active components like firewalls, VPNs etc, that your session is still alive -- even the application is not sending any data.
The Windows default keep interval is 2 hours. This Windows sends a keep alive for a TCP/IP session only.

Linux and MacOS have a default keep alive interval of 75 seconds, which is a much more reasonable default.

On your Windows client you can change the value by adding a new registry value, specifying a shorter keep alive interval in milliseconds.
A good default value would be 75 seconds like on Linux and MacOS.

This is mainly important for clients, but might apply to servers as well for outbound connections.

Depending on your firewall, VPN and other active components on your way to your Domino server, this could cause those type of issues.

Value to set in registry

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
DWORD KeepAliveTime=75000


Technote describing the background and details.

https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0079436


IMHO this should be highlighted more and I would wish Microsoft would come up with a better default after all those years.
I personally did not run into it, because my client always replicates.

Also it is still a good idea to set the Domino server's session timeout as suggested to properly close sessions when idle for a long time.
This resources server and also firewall resources.
The default value is 240 minutes. The recommended value is 30-45 minutes. I would set it to 30 minutes.

notes.ini Server_Session_Timeout=30

Reference: https://help.hcl-software.com/domino/14.0.0/admin/conf_server_session_timeout_r.html

-- Daniel

Historic side note: the XPC mentioned in documentation is for modem not TCP/IP connections that some of you might recall from the early days.

• Comments [1]

Check the minimum client version for your Notes application

Notes provides new functionality in Lotus Script and there also Java classes added to the client.
Lotus Script Named documents have been introduced in Notes/Domino 12.0.1.
I have just written an application which needs a Java class which is introduced in Notes 12.0.2 as it turned out.

So I came up with a simple check I am going to add to all my applications which use more current functionality.
You can drop this code into the PostOpen script of any database and switch to the right constant





Function CheckRequiredVersion As Boolean
       
        Const  BuildVersion1201 = "12.0.1|470"
        Const  BuildVersion1202 = "12.0.2|475"
        Const  BuildVersion1400 = "14.0|485"
        Const  BuildVersion1450 = "14.5|495"
       
        Const RequiredVersion = BuildVersion1202
       
        Const TXT_TITLE = "Please upgrade your Notes Client"
       
        Dim  CR  As String
        CR = Chr(10)
       
        Dim session As New NotesSession
        Dim CurrentBuildVersion As Long
        Dim CurrentNotesReleaseStr As String
        Dim CurrentNotesBuildDateStr As String
       
        Dim RequiredBuildVersion As Long
        Dim RequiredNotesReleaseStr As String
       
        CheckRequiredVersion = False
       
        RequiredNotesReleaseStr = Strtoken (RequiredVersion, "|",1)
        RequiredBuildVersion = Clng(Strtoken (RequiredVersion, "|",2))
       
        CurrentBuildVersion = session.NotesBuildVersion
        CurrentNotesReleaseStr = Strtoken (session.NotesVersion, "|",1)
        CurrentNotesBuildDateStr = Strtoken (session.NotesVersion, "|",2)
       
        If (CurrentBuildVersion >= RequiredBuildVersion) Then
                CheckRequiredVersion = True
                Exit Function
        End If
       
        Messagebox " You are running:  " +  CurrentNotesReleaseStr  + CR + CR + " This application requires:  " +  "Release " + RequiredNotesReleaseStr, 48, TXT_TITLE
       
End Function

• Comments [1]

DAOS Tune 2.0 available for download on MHS

The DAOS Estimator was a separate download to analyze attachments to estimate the size and deduplication of attachments before you enable DAOS.
Starting with Domino 14.5 EA1 HCL provides a new completely rewritten tool which is now also available for Domino 12.0.1 and higher.

The documentation is available as a PDF on MHS download site as well.
You find the latest documentation in the EAP beta here ->https://help.hcl-software.com/domino/14.5.0/admin/admn_daostune_c.html.

The new DAOS Tune can be used to analyze servers before enabling DAOS and also to check if the DAOS settings could be optimized for an existing DAOS configuration.

The new tool provides more detailed information and recommendations.
You can also scan on one server and analyze the result file on another server.
But the most important point is that the new tool is dramatically faster.

If you have feedback or questions you should join the Domino Early Access program --> https://hclsw.co/domino-14-5-eap-forum

Note:
I also had to accept a new license agreement before I was able to download the software.
So if you use the download script, you have to visit the MHS site first.

-- Daniel




Here are the two new binaries for Windows and Linux


--------------------------------------------------------------------------------
WebKit   :  DAOSTune Estimation Tool 2.0 for Linux
Name     :  daostune
Version  :  2.0
Platform :  linux
Size     :  808640
SHA256   :  4b9e7af34f3cbba9a699b4288e0e10088659c5b271b0abb58907630736107793
ID       :  vwWWuh6yyudOuRjutaHnW
--------------------------------------------------------------------------------
WebKit   :  DAOSTune Estimation Tool 2.0 for Windows
Name     :  daostune.exe
Version  :  2.0
Platform :  windows
Size     :  121904
SHA256   :  fd701f71fe9db9e6750ce9d209e12d1f81775b4c87721877e3e8f7a0b605eb73
ID       :  0tKnEMt0jLK0LZhxuWve8
--------------------------------------------------------------------------------

• Comments [0]

Running Linux from USB stick on a machine with secure boot

Booting from USB isn't always easy. My Thinkpad has secure boot enabled.
Even Ubuntu on my USB stick was signed, the boot failed.
The root cause was that only Windows root certificates had been enabled.

Allowing 3rd party boot key signing CAs is tricky

The solution is to allow 3rd part signing certificates.
But you need to be very careful when disabling secure boot or enabling 3rd party signing certificates.

If you have Bitlocker enabled, you will need your recovery key to get Windows working again!

If you don't have your key, you are in real trouble. You should note your recovery key anyhow! Not just for this operation..
In my case it was a new Thinkpad and the setup had synced the recovery key to my Microsoft account already.
Not that I asked for it or allow they sync/backup, but in this case it was great to have it.

Once the secure boot has been updated, I could boot from my Ubuntu Desktop distribution.

Bootable USB sticks with persistent partition size

A bootable USB stick is good to have as a recovery option.
But you can also use it to setup a Linux with a ready to use configuration.

Rufus can add a persistent volume partition to setup a workstation or server which you could run on any kind of hardware without using the local disk.
Provided you get the secure boot working ..

• Comments [0]

Domino 14.0FP2IF1 for Windows has been re-published

A Domino Interimfix (IF) is actually a hotfix with one or multiple fixes built and published for all platforms. Only the IF number in the file really labels it as a IF.
Domino 14 AutoUpdate knows about hotfix and IF numbers per platform and maps them accordingly.

In case of this IF the hotfix build for Windows had Windows VS run-time environment dependencies.
because the hotfix installer is still 32bit this required the 32bit run-time VC libs to be installed.

HCL fixed the issue for future fixpacks. But now also re-published the IF1 for Windows.
The old file is removed and the new file has a new file name, new hash and fileID.

---

If you are using Domino 14.0 AutoUpdate and have not downloaded the file, the old IF will be removed from your autoupdate.nsf.
But if you downloaded it, the file stays in autoupdate.nsf and is marked as a legacy document.
That's because HCL would not want to delete any software you downloaded.

But the document is clearly marked as legacy and you can use the delete action to delete it.

The new IF has a new HF number as you see below. MHS is updated and also the software.jwt data which is the source for autoupdate.nsf has been updated.

WebKit   :  HCL Domino Server 14.0FP2IF1 for Windows 64bit
Name     :  140FP2HF18_W64.exe
Version  :  14.0fp2if1
Platform :  windows
Size     :  32460848
SHA256   :  729fe5e006c0c46701e9e6098c24a573ab4a22f5352eeb8963d21ef088cc6f87
ID       :  dKN8b0rafN5ib3BEEx2Et
Modified :  2024-10-17T00:00:00.000Z

• Comments [0]

DNUG local meet-up 17.10.24 (today) in Monheim - Focus Notes/Domino 14.5

DNUG has local meet-ups in different regions. Today is the next meeting around the corner for me.
It's like the next small town close to me.

https://dnug.de/events/stammtische/rhein-ruhr/

Focus of this meet-up is Notes/Domino 14.5 Early Access Code Drop 1.

The main topics will be the new AutoInstall functionality and the OIDC server.
But we can also discuss other new features available in EA1.

https://help.hcl-software.com/domino/14.5.0/admin/whats_new_in_domino.html

Bring feedback and questions with you ... And if you are not around the corner, you should join the EAP Forum --> https://hclsw.co/domino-14-5-eap-forum

By the way .. the meet-up is organized by DNUG, but is open to anyone!

• Comments [0]

Domino Container image custom add-on support enhancements

There is a custom add-on functionality Matijn and Roberto just blogged about this week.

https://blog.martdj.nl/2024/10/10/building-custom-add-ons-for-your-domino-container-image/
https://www.robertoboccadoro.com/2024/10/10/upgrading-ontime-in-a-container/

This was the missing tigger for me to look into it again.
It's a quite new functionality which wasn't fully documented yet.

Documentation

I have added a new documentation mark down page-->https://opensource.hcltechsw.com/domino-container/concept_custom_addons/

Custom data dir add-on updating
The functionality wasn't complete. There was a small gap.
Templates added via domino-data dir functionality was only added to the full domino data zip, which is only updated for new servers and when the release changes.
Domino add-ons already had a functionality to update those template files.
But this wasn't yet the case for the custom add-ons.
I have added the functionality to create a custom data tar file per custom add-on, which is applied on server update when the add-on version changes.

New image label DominoContainer.custom-addons

ontime=11.5.0,nashcom-software=1.2.3

There is now also a new label for custom add-ons, which is using the file name of the custom add-on file.
For example nashcom.taz or ontime.zip.

The version can be added after another # like this:

ontime.zip#38159360f0fc2098f85fe4af2626e366ebdd02558c9423c5665cf9f702ae7b10#11.5.0


Support for custom-addons in ZIP format

Some business partner applications use ZIP files instead of tar files for installation.
This is probably because tar isn't a popular format on Windows even Windows has tar installed out of the box.

Now  business partners could modify the structure of their ZIP file to automatically install their application.
I took the OnTime ZIP file and moved the templates and binary to the expected directory structure and tested it today.

It would be very cool if partners would use the same structure.

• Comments [0]

NGINX Authentication Based on Subrequest Result

NGINX comes in two different versions. The free open source version and the commerical NGINX Plus.

The free version basically supports:

• Basic authentication
• Client certificate authentication
• Allow access by IP address

NGINX also has a very flexible programming model in C or LUA.

But there is an interesting additional option:
https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/

You can authenticate against another HTTP server.
When the user is not authenticated NGINX uses a sub request to check for authentication.

If the requests re turns a HTTP 200 OK, the user authentication was successful.
The result can be cached by authorization token (also in combination with the IP).

In my case I am sending the request to a local UNIX Socket instead of a web server.
The socket request is processed by a C++ program.
Using this approach I can implement any type of authentication on NGINX.
In my case I am verifying a JWT via OpenSSL code.

But this opens the door for any type of authentication integration.
The following example shows how it works in general.

Example configuration

• Basic authentication
• IP based authentication
• Sub request integration
• Cache the authentication even in tmpfs
• Use a UNIX socket for the sub request

...
http {

  proxy_cache_path /dev/shm/nginx keys_zone=auth_cache:1m;

 server {
      listen            443 ssl;
      listen       [::]:443 ssl;
      server_name  _;
      root         /usr/share/nginx/html;

      ssl_protocols TLSv1.2 TLSv1.3;
      ssl_prefer_server_ciphers on;

      # Prefer the SSL ciphers for ECDSA:
      ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256';

      # Use multiple curves.
      ssl_ecdh_curve secp521r1:secp384r1;

      ssl_certificate     /etc/nginx/conf.d/cert.pem;
      ssl_certificate_key /etc/nginx/conf.d/key.pem;

      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

      http2 on;

      location = /auth {
          internal;
          proxy_pass              http://unix:/tmp/auth.sock;
          proxy_pass_request_body off;
          proxy_set_header        Content-Length "";
          proxy_set_header        X-Forwarded-Host $hostname;
          proxy_set_header        X-Forwarded-For  $remote_addr;
          proxy_set_header        X-Orig-URI       $request_uri;
          proxy_set_header        X-Orig-Protocol  $ssl_protocol;
          proxy_set_header        X-Orig-Cipher    $ssl_cipher;

          proxy_cache             auth_cache;
          proxy_cache_valid any   1m;
          # Use the authorization header and IP for cache lookup
          proxy_cache_key         "$http_authorization$remote_addr";
      }

      location / {
          satisfy any;
          allow 127.0.0.1;
          allow 1.2.3.4;
          deny all;

          auth_basic           "Software Download";
          auth_basic_user_file /etc/nginx/conf.d/htpasswd;

          auth_request     /auth;
          auth_request_set $auth_status $upstream_status;

          root   /usr/share/nginx/html;
          index  index.html;
      }
  }
...


Example request passed as a sub request

You can add all type of information to the sub request on top of the request itself.
IP address, hostname and TLS information can be helpful.
This opens the door for many different authentication options.

------
GET /auth HTTP/1.0
X-Forwarded-Host: volt.domino-lab.net
X-Forwarded-For: 91.14.169.18
X-Orig-URI: /software.txt
X-Orig-Protocol: TLSv1.3
X-Orig-Cipher: TLS_AES_256_GCM_SHA384
Host: localhost
Connection: close
user-agent: curl/7.81.0
accept: */*
authorization: Basic ZG9ja2VyOmV...

• Comments [0]

Troubleshooting CertMgr ACME HTTP-01 challenges

Let's Encrypt HTTP-01 challenges can be tricky sometimes.
The server needs inbound port 80 open.

There is a script to help troubleshooting https://letsdebug.net/

The Domino ACME HTTPS-01 challenge troubleshooting guide also references this project and provides additional information.
https://github.com/HCL-TECH-SOFTWARE/domino-cert-manager/blob/main/docs/troubleshooting_acme_challenges.md

I have updated the project to use the same troubleshooting challenge and updated the material.

But the Let's Debug project also provides a REST API for testing.
I looked at the project and came up with a Lotus Script Lib and added a form around it.

This is a true end to end test including a random challenge creation and a local pre-check via Curl.
The script is also a good tutorial for the HTTP Request class and JSON in Lotus Script.

The Script Lib and Class will be also the base for extending automatic setups.

• Comments [0]