Native SSL / TLS with Domino – Looking Good

Last year IBM got into a bit of a pickle when the POODLE attack hit: Domino at that point only spoke SSLv3 and had no TLS support, so the only safe option was to switch SSLv3 off entirely. At the time we moved to putting Apache proxy servers in front of all of our web-facing servers.
I needed to deploy a new XWorks server for a customer for our “Knowledge Directory” product and we wanted to do some LDAP integration. As the Apache proxy servers only handle HTTP traffic and not LDAP or SMTP, I thought that I would try the native Domino SSL / TLS functionality again.
My impressions were pretty good. I was able to take an existing Apache certificate and private key and convert them into a Domino KYR keyring without too much hassle. It did take time (about 2 hours) but the next time around it would only take 30 minutes.
kyrtool is a command-line tool, but after doing the same job for the Apache servers last year I found it no more difficult than that platform.
There is a very good Wiki article from IBM.

The gotchas were as follows:

=> when working on your PC you need the 32-bit kyrtool utility even if your PC is 64-bit (it runs against the Notes client, which is a 32-bit program). Otherwise you get an error.
=> when using OpenSSL you need the 64-bit Visual C++ 2008 Redistributable if you have a 64-bit machine and a 64-bit OpenSSL build (doh)
=> you need to run OpenSSL as administrator, otherwise you get the error “unable to write 'random state'” (OpenSSL is trying to write its .rnd seed file somewhere it has no permission; pointing the RANDFILE environment variable at a writable location also fixes it)
=> if you move the .kyr file you MUST also move the .sth file, as this contains the password for the keyring (only obfuscated, not encrypted, so protect it with the same file permissions as the keyring itself). Otherwise you get the error “Access to data denied”.
=> the private key has to be unencrypted before kyrtool will import it; if yours has a passphrase, strip it first with openssl rsa -in server.key -out unencrypted_server.key
=> you can disable SSLv3 using DISABLE_SSLV3=1 in the notes.ini settings (please set it via the configuration document 🙂)

My Command Lines

The wiki article is very good and you should refer to it, but my commands (I already had a certificate) were:
cd c:\ssl

rem Create an empty keyring; the password is written (obfuscated) to keyring.sth next to the .kyr
"C:\Program Files (x86)\IBM\Notes\kyrtool.exe" ="C:\Program Files (x86)\IBM\Notes\notes.ini" create -k "C:\SSL\keyring.kyr" -p somepassword

rem Concatenate, in this order: unencrypted private key, server certificate, intermediate CA, root CA
type unencrypted_star.focul.net.key focul_net_2015.crt gsalphasha2g2r1.cer Root-R1.crt > server3.txt

rem Check that the key matches the certificate and the chain is complete before importing
"C:\Program Files (x86)\IBM\Notes\kyrtool.exe" ="C:\Program Files (x86)\IBM\Notes\notes.ini" verify "C:\SSL\server3.txt"

rem Import the key and all certificates into the keyring
"C:\Program Files (x86)\IBM\Notes\kyrtool.exe" ="C:\Program Files (x86)\IBM\Notes\notes.ini" import all -k "C:\SSL\keyring.kyr" -i "C:\SSL\server3.txt"

rem List what is now in the keyring
"C:\Program Files (x86)\IBM\Notes\kyrtool.exe" ="C:\Program Files (x86)\IBM\Notes\notes.ini" show keys -k c:\SSL\keyring.kyr
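Most of the time I lost was on the concatenated text file, so here is a small pre-flight check for it. This is an added example, not code from the original post or from IBM; it only checks the structure of the bundle (block order, unencrypted key, chain present) with the standard library and does not verify signatures, which is still kyrtool verify's job. The ordering it enforces is the one used in the type command above (key, server certificate, intermediate, root); the requirement of at least two certificates is my assumption (server certificate plus at least one CA certificate), and the sample PEM bodies are constructed placeholders, not real keys or certificates.

```python
"""Pre-flight check for a kyrtool import bundle (server3.txt style).

kyrtool expects one PEM file holding, in order: the unencrypted private key,
the server certificate, the intermediate CA certificate(s) and the root CA.
check_bundle() reports ordering and encryption problems before you run
`kyrtool verify`; it does not validate signatures.
"""
import re
import sys

# One PEM block: BEGIN line, anything (including Proc-Type headers), matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}
ENCRYPTED_KEY_LABELS = {"ENCRYPTED PRIVATE KEY"}  # PKCS#8 encrypted form


def pem_blocks(text):
    """Return (label, body) for every PEM block, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def build_bundle(key_pem, server_cert_pem, *chain_pems):
    """Equivalent of `type key.key server.crt intermediate.cer root.crt > server3.txt`."""
    parts = [key_pem, server_cert_pem, *chain_pems]
    return "".join(p if p.endswith("\n") else p + "\n" for p in parts)


def check_bundle(text, min_certs=2):
    """Return a list of problems; an empty list means the bundle looks importable."""
    problems = []
    blocks = pem_blocks(text)
    if not blocks:
        return ["no PEM blocks found (DER/binary file instead of PEM?)"]

    first_label, first_body = blocks[0]
    if first_label in ENCRYPTED_KEY_LABELS or "Proc-Type: 4,ENCRYPTED" in first_body:
        problems.append("private key is encrypted; strip the passphrase first "
                        "(openssl rsa -in server.key -out unencrypted_server.key)")
    elif first_label not in KEY_LABELS:
        problems.append(f"first block is '{first_label}', expected the private key")

    # Everything after the key must be a certificate: server cert, then CA chain.
    rest = [label for label, _ in blocks[1:]]
    for position, label in enumerate(rest, start=2):
        if label != "CERTIFICATE":
            problems.append(f"block {position} is '{label}', expected CERTIFICATE")
    if rest.count("CERTIFICATE") < min_certs:
        problems.append(f"only {rest.count('CERTIFICATE')} certificate(s) found; "
                        f"expected server cert plus CA chain ({min_certs}+)")
    return problems


# Constructed placeholder bodies for demonstration only; not real key or cert material.
_FAKE_BODY = "MIIBc0NPTlNUUlVDVEVEIEVYQU1QTEU=\n"
KEY_PEM = f"-----BEGIN RSA PRIVATE KEY-----\n{_FAKE_BODY}-----END RSA PRIVATE KEY-----\n"
ENCRYPTED_KEY_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n"
                     "Proc-Type: 4,ENCRYPTED\n"
                     "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                     f"{_FAKE_BODY}-----END RSA PRIVATE KEY-----\n")
CERT_PEM = f"-----BEGIN CERTIFICATE-----\n{_FAKE_BODY}-----END CERTIFICATE-----\n"

GOOD_BUNDLE = build_bundle(KEY_PEM, CERT_PEM, CERT_PEM, CERT_PEM)       # key, server, intermediate, root
ENCRYPTED_BUNDLE = build_bundle(ENCRYPTED_KEY_PEM, CERT_PEM, CERT_PEM)  # gotcha: passphrase still on key
WRONG_ORDER_BUNDLE = build_bundle(CERT_PEM, KEY_PEM, CERT_PEM, CERT_PEM)  # cert before key


if __name__ == "__main__":
    # Usage: python check_bundle.py C:\SSL\server3.txt
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, encoding="utf-8", errors="replace").read() if path else GOOD_BUNDLE
    issues = check_bundle(data)
    print("OK: bundle looks importable" if not issues else "\n".join("PROBLEM: " + p for p in issues))
    sys.exit(1 if issues else 0)
```

Run it against server3.txt before kyrtool verify; the three most common failures (encrypted key, certificate before key, chain missing) come back as plain messages rather than a cryptic kyrtool error.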