Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed


    Higher Crypt-Standards with Notes/Domino and updated JVM 1.6

    Daniel Nashed  2 October 2015 18:46:52
    There is a brand new new TN describing how to enable higher security for the updated JVM 1.6 in Notes/Domino.

    The IBM 1.6 JVM does support TLS 1.2 and also some modern ciphers.

    Sadly by default they cannot be used because they use higher encryption levels (AES 256) which are disabled by default in the IBM and even in the current Oracle JVM 1.8.

    The TN describes a download for something that is called "Java Cryptography Extension" which is nothing new and is around with descriptions for other products and JVM versions.

    But now that Notes/Domino has updated crypto standards in the JVM in some of the last updates and also Domino supports (EC)DHE with higher encryption levels looking into those higher encryption levels in the JVM makes sense.

    When you download the install files you basically get two jars that replace your JVM security files (in notes\jvm\lib\security).

    The two jar files local_policy.jar and US_export_policy.jar contain two files

    - default_local.policy
    - default_US_export.policy

    I have done some testing with the feed reader which started to use DHE_RSA_WITH_AES_256_CBC_SHA with 2048 bit key and TLS 1.2  which is already great.
    That provides PFS via DHE cipher and also AES 256 with a CBC cipher. Sadly it still uses SHA and no GCM cipher.

    With the new Mac 64bit client using the Oracle 8 JVM you still need the same type of patches.

    My tests using the feed-reader and embedded browser on the new Mac Notes 9.0.1 64bit resulted in a ECDHE_RSA_WITH_AES_128_GCM_SHA256 connection!
    So now the Mac is using higher encryption levels for Java then the current Notes/Domino 9.0.1 release with current JVM patches (1.6.0 SR16 FP7).

    I would wish that IBM would update the JVM in Windows and Linux as well in the 9.0.1 code stream!!

    To give you some additional background about the changed settings.
    You can see that the old files contained restrictions (probably because some countries still don't allow higher crypto).
    The replaced files remove all the restrictions.

    Have a great weekend!!!

    -- Daniel

    -- Old Content --

    // Some countries have import limits on crypto strength. This policy file is worldwide importable.

    grant {

       permission javax.crypto.CryptoPermission "DES", 64;

       permission javax.crypto.CryptoPermission "DESede", *;

       permission javax.crypto.CryptoPermission "RC2", 128,
                                        "javax.crypto.spec.RC2ParameterSpec", 128;

       permission javax.crypto.CryptoPermission "RC4", 128;

       permission javax.crypto.CryptoPermission "RC5", 128,
             "javax.crypto.spec.RC5ParameterSpec", *, 12, *;

       permission javax.crypto.CryptoPermission "RSA", 2048;

       permission javax.crypto.CryptoPermission *, 128;


    -- New Content --

    // Manufacturing policy file.

    grant {

       // There is no restriction to any algorithms.

       permission javax.crypto.CryptoAllPermission;

    No Comments Found



      • [HCL Domino]
      • [Domino on Linux]
      • [Nash!Com]
      • [Daniel Nashed]