If you are using an Apache Proxy for Domino please check HTTPEnableConnectorHeaders

Jesper Kiær has posted a very compelling video showing how the HTTPEnableConnectorHeaders = 1 notes.ini parameter can be used to gain access to Domino servers.

We no longer use the Apache proxy scheme as the SSL support in Domino has improved but I tested this on one of our development servers by setting HTTPEnableConnectorHeaders = 1 and using the “Modify Headers for Google Chrome” extension and was able to get access.

As Jesper notes, many of the write-ups about using Domino behind a proxy (including mine) specify using this setting. There are some useful comments on the first post in Jesper's series on this issue.
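The fix Jesper's video points at is to stop anything other than your own proxy from supplying connector headers to Domino. As an added example (not code from the original post, from Domino or from Apache), the following Python models the two defensive checks a practitioner would want: strip connector headers from requests that did not arrive from a trusted proxy, and scan access-log lines for connector headers supplied by untrusted peers. It assumes that Domino's connector headers share the "$WS" name prefix (the WebSphere plug-in convention, e.g. $WSRA for the original client address); the proxy network range and the log format are constructed for the example.

```python
"""Defensive handling of Domino connector headers at a reverse proxy.

Added example, not code from the original post, Domino or Apache.
Assumptions: connector headers start with "$WS" (WebSphere plug-in
convention); TRUSTED_PROXIES and the log line format are constructed.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

CONNECTOR_PREFIX = "$WS"

# Constructed: only requests arriving from these networks may carry
# connector headers, because only our own proxy is allowed to set them.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]


def is_trusted_proxy(peer_ip: str) -> bool:
    """True when the TCP peer is one of our own proxies."""
    addr = ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def filter_connector_headers(headers: Dict[str, str],
                             peer_ip: str) -> Tuple[Dict[str, str], List[str]]:
    """Drop every $WS* header unless the request came from a trusted proxy.

    Returns (headers_to_forward, names_that_were_dropped). Header names are
    compared case-insensitively, as HTTP header names are.
    """
    if is_trusted_proxy(peer_ip):
        return dict(headers), []
    kept: Dict[str, str] = {}
    dropped: List[str] = []
    for name, value in headers.items():
        if name.upper().startswith(CONNECTOR_PREFIX):
            dropped.append(name)
        else:
            kept[name] = value
    return kept, dropped


def find_spoofing_attempts(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Detection over constructed access-log lines of the form
    '<peer_ip> <method> <path> <comma-separated header names>'.

    Returns (peer_ip, header_name) for every connector header that was
    supplied by a peer which is not a trusted proxy.
    """
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        peer_ip, header_names = parts[0], parts[3].split(",")
        if is_trusted_proxy(peer_ip):
            continue
        for name in header_names:
            if name.upper().startswith(CONNECTOR_PREFIX):
                hits.append((peer_ip, name))
    return hits


# Constructed sample log: one request via the proxy, two direct from outside.
SAMPLE_LOG = [
    "10.0.0.5 GET /names.nsf Host,$WSRA,$WSIS",
    "203.0.113.7 GET /names.nsf Host,$WSRA,Accept",
    "203.0.113.7 GET /index.html Host,Accept",
]

if __name__ == "__main__":
    for peer, name in find_spoofing_attempts(SAMPLE_LOG):
        print(f"connector header {name} supplied by untrusted peer {peer}")
```

The same rule should be enforced at the network layer too: if Domino's HTTP port is reachable from anywhere other than the proxy, a header filter on the proxy alone does not help.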


Domino KYRTool and SSL / TLS under Notes 9.01 FP3 IF3 – Positive Impressions


Native SSL / TLS with Domino – Looking Good

Last year IBM got into a bit of a pickle when the POODLE exploit hit and there was no support for SSLV3 in Domino. At the time we moved to putting Apache proxy servers in front of all of our web-facing servers.

I needed to deploy a new XWorks server for a customer for our “Knowledge Directory” product, and we wanted to do some LDAP integration. As the Apache proxy servers only handle HTTP traffic and not LDAP or SMTP, I thought that I would try the native Domino SSL / TLS functionality again.

My impressions were pretty good. I was able to take an existing Apache SSL certificate and convert it into a Domino KYR format keyring without too much hassle. It did take time (about 2 hours), but the next time around it would only take 30 minutes.

The KYRTool is a command line tool, but following my experience of doing this for the Apache servers last year, it was no more difficult than on that platform.

There is a very good Wiki article from IBM.

The gotchas were as follows:

=> when working on your PC you need the 32-bit KYRTool utility even if your PC is 64-bit; otherwise you get an error

=> when using OpenSSL you need the 64-bit Visual C++ 2008 Redistributable if you have a 64-bit machine (doh)

=> you need to run openssl as administrator, otherwise you get the error “unable to write 'random state'”

=> if you move the .kyr file you MUST also move the .sth file, as this contains the password for the .kyr file; otherwise you get the error “Access to data denied”

=> you can disable SSLv3 using DISABLE_SSLV3=1 in the notes.ini settings (please use the configuration document 🙂)

My Command Lines

The wiki article is very good and you should refer to it, but my commands (I already had a certificate) were:

cd c:\ssl

"C:\Program Files (x86)\IBM\Notes\kyrtool.exe" ="C:\Program Files (x86)\IBM\Notes\notes.ini" create -k "C:\SSL\keyring.kyr" -p somepassword

type unencrypted_star.focul.net.key focul_net_2015.crt gsalphasha2g2r1.cer Root-R1.crt > server3.txt

"C:\Program Files (x86)\IBM\Notes\kyrtool.exe" ="C:\Program Files (x86)\IBM\Notes\notes.ini" verify "C:\SSL\server3.txt"

"C:\Program Files (x86)\IBM\Notes\kyrtool.exe" ="C:\Program Files (x86)\IBM\Notes\notes.ini" import all -k "C:\SSL\keyring.kyr" -i "C:\SSL\server3.txt"

"C:\Program Files (x86)\IBM\Notes\kyrtool.exe" ="C:\Program Files (x86)\IBM\Notes\notes.ini" show keys -k c:\SSL\keyring.kyr

Thank you to IBM just in the nick of time : SMTP TLS 1.0

Update: XPages has stopped working on the server that I applied this fix to. This may be a total red herring and specific to my server, but I thought I should mention it. The server was 853 FP3 and I went from FP3 to FP6 and then IF4. It is on CentOS and gets hacked about a bit as it is an internal dev server, so it may not be typical. I will look at it again tomorrow. For now I have reinstalled 853 and all seems well, apart from no TLS obviously.

Just deployed FP6 IF4 to a production grade system and all went well: < 10 mins downtime.

=============================================================

IBM has released fix packs that allow SMTP mail to be routed via TLS 1.0 rather than SSL V3 to eliminate the POODLE vulnerability. It is very straightforward to apply. The fix pack also covers HTTP traffic, so no more Apache reverse proxy servers unless you want them for other reasons.

This is the 853 FP6 IF4 release – http://www-01.ibm.com/support/docview.wss?uid=swg21663874

Interestingly today we had our first emails that were being rejected by recipients because of SSL V3 so this is very timely.

Many thanks IBM.

When using Apache in front of Domino you need the NE rewrite attribute

Over the last week or so I have been moving to using an Apache server in front of my Domino servers. This has been working really well until I hit a problem with Mark Leusink’s Auto Logins module.

The module calls a URL constructed as
/autoLogins_v113.nsf/rememberMe.xsp?to=/dev/preprodprojectlibrary.nsf

The Apache rewrite engine returns this as
/autoLogins_v113.nsf/rememberMe.xsp?to=%252Fdev%252Fpreprodprojectlibrary.nsf

whereas Domino would normally return
/autoLogins_v113.nsf/rememberMe.xsp?to=%2Fdev%2Fpreprodprojectlibrary.nsf

The solution (via Tytus Kurek) is to use the NE attribute in the rewrite rules as shown below. This attribute preserves special characters such as ? and & in the rewritten URL.

[screenshot: the rewrite rules with the NE attribute added]
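To make the double-encoding visible without an Apache server, here is an added example (not code from the original post, from Apache or from the Auto Logins module) that models what mod_rewrite does to the URL above with and without NE, and shows what the XPage ends up receiving in its to parameter in each case. rewrite_substitution() is a simplified model of the escaping step, not Apache's implementation; the URL is the one quoted in the post.

```python
"""Why the NE flag matters: a model of mod_rewrite output escaping.

Added example, not code from the original post, Apache or Auto Logins.
rewrite_substitution() is a simplified model of the escaping mod_rewrite
applies to a substituted URL unless NE is set, not Apache's own code.
"""
import re
from urllib.parse import parse_qs, quote, urlsplit

# The URL Domino emits: the "to" parameter is already percent-encoded once.
APP_URL = "/autoLogins_v113.nsf/rememberMe.xsp?to=%2Fdev%2Fpreprodprojectlibrary.nsf"


def rewrite_substitution(url: str, noescape: bool) -> str:
    """Model of mod_rewrite: the substituted URL is URL-escaped unless NE
    is set. The substitution itself is the identity here (the proxy forwards
    the same path), so the only visible effect is the escaping: '%' is not a
    safe character, so an existing %2F becomes %252F."""
    if noescape:
        return url
    return quote(url, safe="/:?=&")


def redirect_target(url: str) -> str:
    """What the XPage sees after Domino decodes the query string once."""
    query = parse_qs(urlsplit(url).query)
    return query["to"][0]


def looks_double_encoded(url: str) -> bool:
    """Heuristic: %25 followed by a hex pair means a percent sign was
    itself percent-encoded, i.e. the URL was escaped twice."""
    return re.search(r"%25[0-9A-Fa-f]{2}", url) is not None


if __name__ == "__main__":
    for flag in (False, True):
        out = rewrite_substitution(APP_URL, noescape=flag)
        print(f"NE={flag}: {out}")
        print(f"  to parameter seen by XPage: {redirect_target(out)}")
        print(f"  double encoded: {looks_double_encoded(out)}")
```

Without NE the XPage receives the literal string %2Fdev%2Fpreprodprojectlibrary.nsf rather than a path, which is why the redirect breaks; with NE the single-encoded value passes through unchanged. The looks_double_encoded() check is a cheap thing to run over proxy access logs when a rewrite rule is suspected of the same problem.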

Interestingly, in examining what was going on it does seem as though the URL is being called using HTTP rather than the HTTPS protocol; I need to look into that further. This does mean that the attribute needs to be added to both the httpd.conf and the /etc/httpd/conf.d/ssl.conf files. I have updated my posts from the weekend.

Hopefully this change will not affect any other functionality; I will post if it does.

Solving the SSL V3 / SHA-2 / TLS / MD5 / Poodle problem on Linux – Part 3 – Converting a Domino SSL certificate / Private Key to Apache

Part 1 – What is the problem
Part 2 – Installing a simple Linux Reverse Proxy on the same box (20 mins)
Part 3 – (This Post) Converting your Domino SSL Certificate to work with Apache (30 mins)

Thankfully this post is now obsolete: see this IBM article, which includes a modern tool to manage the keyrings.

Note that the easiest option to install a verified SSL certificate into the Apache server is to buy a new one. However, if you have a copy of Windows XP handy, you can convert your existing Domino SSL certificates to Apache certificates with the following scheme.

Many thanks to Darren Duke who helped get me started with this scheme via a post on his blog about a different but overlapping scenario.

Step 0 – Why do I need to do this

Essentially you need to get hold of your private key, because Apache needs it to verify the SSL certificate.

When you originally requested your verified SSL certificate from your SSL vendor you gave them a CSR which was created via the Domino Server Certificate Administration database.

This generated a private key and used that to create the CSR request.

The SSL provider took this and, using their own key, created the SSL certificate. This certificate will only work in the presence of your original private key, and Apache cannot use the Domino .kyr file format in which that key is buried.

Step 1 – Install IBM ikeyman version gsk5

You need this specific version. You can download it here.
It will only run on Windows XP.

a) extract the zip contents to the root of the c: drive

b) run the batch command gskregmod.bat from the command line to set some registry settings

c) run the batch command runikeyman to open the application

Step 2 – Extract the Private Key and Certificate information from the Domino keyring (KYR) file

a) open the .kyr file and export it as a P12 file


Step 3 – Convert the P12 format file to a text (PEM) file

There are two methods here.

The simple one is to use this resource, but I am never happy uploading private keys to the web.

The better method is to use the OpenSSL binary already installed on your server.

Use WinSCP to copy the .p12 file to the server and then run the following command in the Linux console

>openssl pkcs12 -in example.p12 -out example.pem

You will need to give the .p12 password and supply a new pass phrase for the exported key.


You can now open the .pem file as a text file and see that it has 4 components (this may vary)

1) Intermediate Certificate

this is the public certificate of the intermediate CA and could have been obtained from the SSL certificate issuer’s web site

2) Certification Authority Root Certificate

this is the root CA’s public certificate, which signed the intermediate, and could also have been obtained from the SSL certificate issuer’s web site

3) KeyPair

this is your SSL certificate and was probably emailed to you when you purchased your SSL certificate (but it is no good without the private key buried in the Domino .kyr file)

4) Encrypted private key

This is what you are after. I believe that you can use it in its encrypted form, but you will need to provide the pass phrase every time you start Apache. To avoid this you can store it on the server in its unencrypted form, but you need to make sure it is well secured, otherwise anyone who has access to it can compromise your SSL traffic.

Read section 6.6 of this document and apply the security settings recommended.

You can decrypt the key using the following command

>openssl rsa -in example.pem -out unencrypted_example.pem
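The four components above are plain PEM blocks, so it is easy to check what a converted bundle actually contains before copying it onto a server, and in particular whether the key in it is still encrypted. The following is an added example (not code from the original post or from OpenSSL) that inventories the blocks in a bundle of the kind openssl pkcs12 writes, recognises both the PKCS#8 "ENCRYPTED PRIVATE KEY" label and the older "RSA PRIVATE KEY" with a Proc-Type header, and checks that a decrypted key file is readable by its owner only. The sample bundle is constructed: its base64 bodies are dummy text, not real keys or certificates, and its block order mirrors the four components listed above.

```python
"""Inventory a PEM bundle from `openssl pkcs12` and check key storage.

Added example, not code from the original post or from OpenSSL. The
sample bundle is constructed with dummy base64 bodies; in use you would
read the real example.pem from disk.
"""
import os
import re
import stat
import tempfile
from typing import List, Tuple

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed sample: three certificates and one encrypted key, with the
# Bag Attributes lines that openssl pkcs12 writes between blocks.
SAMPLE_BUNDLE = """Bag Attributes
    friendlyName: intermediate
-----BEGIN CERTIFICATE-----
RFVNTVkgSU5URVJNRURJQVRF
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
RFVNTVkgUk9PVA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
RFVNTVkgU0VSVkVS
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
RFVNTVkgS0VZ
-----END ENCRYPTED PRIVATE KEY-----
"""


def pem_blocks(text: str) -> List[Tuple[str, str]]:
    """Return (label, body) for each PEM block in file order; text between
    blocks (Bag Attributes and the like) is ignored."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def classify(label: str, body: str) -> str:
    """Name the component. Older OpenSSL writes an encrypted key as
    'RSA PRIVATE KEY' with a 'Proc-Type: 4,ENCRYPTED' header rather than
    the PKCS#8 'ENCRYPTED PRIVATE KEY' label, so both are recognised."""
    if label == "CERTIFICATE":
        return "certificate"
    if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
        return "encrypted private key"
    if label.endswith("PRIVATE KEY"):
        return "unencrypted private key"
    return "other"


def inventory(text: str) -> List[str]:
    """Component names in the order they appear in the bundle."""
    return [classify(label, body) for label, body in pem_blocks(text)]


def private_key_file_ok(path: str) -> bool:
    """True when the file is readable by its owner only (0600 or stricter),
    the minimum for an unencrypted key that Apache reads at start-up."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def demo_permission_check() -> Tuple[bool, bool]:
    """Write a dummy key file with mode 0600, then 0644, and check each."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "site_private_key.pem")
        with open(path, "w") as fh:
            fh.write("-----BEGIN RSA PRIVATE KEY-----\nRFVNTVk=\n-----END RSA PRIVATE KEY-----\n")
        os.chmod(path, 0o600)
        strict = private_key_file_ok(path)
        os.chmod(path, 0o644)
        loose = private_key_file_ok(path)
    return strict, loose


if __name__ == "__main__":
    for i, name in enumerate(inventory(SAMPLE_BUNDLE), 1):
        print(f"{i}) {name}")
    print("0600 ok / 0644 ok:", demo_permission_check())
```

Running inventory() on the real bundle before and after the openssl rsa step shows the label changing from "encrypted private key" to "unencrypted private key", which is the moment the file-permission check starts to matter.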


Step 5 – Deploying the Private Key and certificates

There are lots of articles about how to deploy the files to Apache, but this is the scheme that I used. There is another method that chains the root and intermediate certificates into a single chain file.

a) save the intermediate certificate to the /etc/pki/tls/certs folder as a text file called intermediate.pem

You can extract the text from the file generated above or use the one sent to you when you purchased the SSL certificate.

b) save the root certificate to /etc/pki/tls/certs as a text file called root.pem

c) save your domain SSL certificate to /etc/pki/tls/certs as site_cert.crt or similar

d) save your unencrypted private key to /etc/pki/tls/private as site_private_key.pem or similar

e) modify the /etc/httpd/conf.d/ssl.conf file as follows ( allowing for any difference in file names )

SSLCertificateFile /etc/pki/tls/certs/site_cert.crt
SSLCertificateKeyFile /etc/pki/tls/private/site_private_key.pem
SSLCertificateChainFile /etc/pki/tls/certs/intermediate.pem
SSLCACertificateFile /etc/pki/tls/certs/root.pem

If you now issue the command >service httpd restart then the new certificates should be used.

If you are using the encrypted private key then you will be challenged for its pass phrase as shown below

[screenshot: Apache prompting for the private key pass phrase on restart]

That’s it. You have now converted your Domino SSL certificate for use with Apache. Collect $200 and pass Go.