In this technote from IBM you can find the following answers:
Q1: Can I import the SHA-2 cert on a Domino 9.x server and then use that keyring on a Domino 8.5.x server? No. Domino 8.5.x lacks the cryptographic infrastructure for SHA-2. This means if you import the cert using 9.x and the Interim Fix and KYRTool described above, you can use that keyring on a Domino 9.0 or above server, but not on a Domino server pre-Domino 9.0.
Q2: Can I get a hotfix on 8.5.x or earlier to support SHA-2? No. This is not possible since releases prior to Domino 9.0 lack the cryptographic infrastructure for SHA-2.
Is an update to Domino 9.x the only way to handle this issue? If so, how long will it be before the relevant web browsers (i.e., Firefox and Chrome) drop support for SHA-1?
Yes, for the long term, upgrading to Domino 9 is the only solution. As a workaround you could use a reverse-proxy solution (e.g. using Apache Web Server, NGINX or HAProxy); see https://frostillic.us/blog/posts/6AF303DE836BA02D85257D570058B1CA as an example.
Regarding browser support of SHA-1:
Microsoft:
http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx
Google:
http://googleonlinesecurity.blogspot.co.uk/2014/09/gradually-sunsetting-sha-1.html
Mozilla:
https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
In order to be able to get SHA-2 certificates with Domino 8.5.3 you could install a reverse proxy in front of Domino and let that one handle encryption. But of course then you have two machines and two different software environments to maintain. And you still have "very old" software running.
According to this link, the first to abandon SHA-1 support will be Microsoft in January 2016. Chrome will show warnings long before that but still accept them.
Firefox will not accept SHA-1 after January 2017.
From that point Chrome will also treat them as "affirmatively insecure".
Best advice: update your servers to 9.0.1 as fast as possible. The effort is minimal and then you can natively handle TLS 1.2.
As the title says, I am trying to send files from a local directory to a SharePoint Online site with BizTalk. I have been unable to do so for days and days... I have read tons of topics about it but nothing is working, and I am a bit discouraged, to be honest, at the moment...
Here is how my send port is currently configured:
The account used has full access granted on the SharePoint site. I can log in with it using a browser without any issue, and I can upload files as well.
Here is the error I encounter when trying to send a file:
I am using BizTalk 2016 with SharePoint Online.
If someone has an idea on how I could resolve this, I would be very very grateful.
BizTalk, or rather the .NET layer, defaults to using older TLS protocols, namely TLS 1.0, and doesn't then negotiate up.
To address this you need to make sure you have CU5 for BizTalk Server 2016 or later (currently CU8) and then, as per the article "Support for TLS 1.2 protocol in BizTalk Server", follow the steps in the "Option 1: Switch to the TLS 1.2 protocol" section of the following article in the Microsoft Knowledge Base:
3155464 MS16-065: Description of the TLS/SSL protocol information disclosure vulnerability (CVE-2016-0149): May 10, 2016
or
Use the scripts from the following: "Setup Microsoft Windows or IIS for SSL Perfect Forward Secrecy and TLS 1.2"
Note: You will have to test to make sure no other system BizTalk connects to still uses TLS 1.0 or 1.1, and if so not to disable those, but to try to default to 1.2.
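An added example, not part of the original answer or of Microsoft's article: a PowerShell audit of the .NET Framework 4.x `SchUseStrongCrypto` registry value, which is the usual registry route for making .NET applications negotiate TLS 1.2. It assumes this is the setting the KB steps refer to; the function names `Get-StrongCryptoState` and `Enable-StrongCrypto` are hypothetical.

```powershell
# Added example. Assumption: the TLS 1.2 switch is applied through the
# .NET Framework 4.x SchUseStrongCrypto value; BizTalk hosts can be 32-bit
# or 64-bit, so both registry views are checked.
$NetFxKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Get-StrongCryptoState {
    # Report the current value per registry view; a missing value shows as empty.
    foreach ($key in $NetFxKeys) {
        $value = (Get-ItemProperty -Path $key -Name SchUseStrongCrypto `
                    -ErrorAction SilentlyContinue).SchUseStrongCrypto
        [pscustomobject]@{
            Key                = $key
            SchUseStrongCrypto = $value
            Enabled            = ($value -eq 1)
        }
    }
}

function Enable-StrongCrypto {
    # Supports -WhatIf so the change can be previewed before it is written.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($key in $NetFxKeys) {
        if (-not (Test-Path $key)) { continue }
        if ($PSCmdlet.ShouldProcess($key, 'Set SchUseStrongCrypto = 1')) {
            New-ItemProperty -Path $key -Name SchUseStrongCrypto -Value 1 `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

# Audit first; this only reads the registry.
Get-StrongCryptoState | Format-Table -AutoSize

# Protocols the current PowerShell process would offer for outbound calls.
[Net.ServicePointManager]::SecurityProtocol

# Preview, then apply from an elevated prompt:
# Enable-StrongCrypto -WhatIf
# Enable-StrongCrypto
```

The value is read when a process starts, so BizTalk host instances have to be restarted before a change takes effect.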
I am a new Domino XPages developer. Does anyone know of a Two Factor Authentication solution for XPages?
You don't authenticate with an application on Domino. (That's true whether it's built with XPages or not.) You authenticate with the server. IBM does not support two factor authentication for Domino, but a simple google of "lotus domino two factor authentication" will bring up results that include a few vendors of 3rd party solutions that work with Domino. You will, however, have to approach this as a systems admin issue, not a development problem, so if you have any follow-ups they will belong on ServerFault instead of StackOverflow.
Look at https://www.duosecurity.com/product/applications/api which you could use after user successfully authenticates against Domino server.
We have a single server inside the firewall used for all of our production apps. The server and clients are 8.5.3.
We have a single 'portal' server outside the firewall used by a small set of our customers for read-only access to a few apps via a browser. This server is currently at 8.5.3. Mail isn't implemented on this server; customers log in, see dbs, view docs, and leave. The only admin tasks I perform on this server are to add new users and push new replicas onto the external box (which I do from my Notes client, not the admin client).
Because of POODLE, we're going to be upgrading our portal server to 9.0.1. We have no plan to upgrade our internal server (or clients).
I'm the developer and admin for both servers.
I don't intend to install the 9.0.x designer client on my system.
Do I need to install the 9.0.x admin client or can I just keep using my 8.5.3 version?
Any risks with either scenario?
Thanks for any tips or suggestions.
Mixed versions of Domino servers and clients can be used and actually have been used for a long time. Certainly only the intersection set of features of these versions can be used.
I'm using Domino 9 servers (including a cluster); we are on TLS because of POODLE (see question). Most of our Client / Designer installs are 8.53. I recommend: do not install Client/Designer on the server (especially outside).
For months we had a "last server" to upgrade (8.5) and this also didn't cause a problem. But I suggest upgrading the internal server as well.
Is there a browser that supports all the Confluence features best?
I know that IE doesn't support Drag and Drop, but what about other features?
check https://confluence.atlassian.com/display/DOC/Supported+Platforms
scroll down to "web browsers - desktop"
As webwesen's answer says, all browsers listed on the supported platforms doc should be usable with Confluence.
My personal experience is that using Chrome is a good bet, since most of the Confluence development team uses Chrome day-to-day (or at least they did when I was in the Confluence team). However, Chrome doesn't have a built-in WebDAV client which means that Confluence's Edit-In-Office features do not work. If this is important to you, then I'd suggest Firefox with the Office Connector Add-on installed.
We have a Lotus Notes 4.5 database.
We want to upgrade it to IBM Notes 8.0 or 8.5.
Is it possible?
If yes, can you give a link or reference?
A 4.5 database should work without any changes on an 8.x server or client. Only in rare cases do you need to change something. If that is the case then post the issue here on Stack Overflow.
Make sure to change the ODS version of the database so it can use the improvements of the 8.x IBM Notes version.
You might want to use new design possibilities to improve the user experience but that is just the next step.
There is no "standalone" 4.5 database: you need a server or a client to access the data in the database.
If your question is whether you can update the Client / Server to 8.5 (better to use the current version 9), then the answer is already given by Knut: all 4.5 databases should (mostly) work on an 8.5 server or in an 8.5 client.
BUT: Updating a Client or Server from 4.5 to a current version directly is not possible. You either need to take a lot of steps in between or completely reinstall the new Client / Server using existing databases (names.nsf, etc.).
As the execution order of Notes Formula Language has significantly changed from 4 to 5 and the formula engine has been completely redone in Version 6, there might be some buttons that do not do in the new version what they were supposed to do in 4.5.
So: the short answer is "yes", the long answer is: find someone to help you with this...