APNs Certificate used for Traveler 9.0.1.21 Expires soon!

The APNs certificate implemented in IBM Notes Traveler 9.0.1.21 will expire on 30th March, and therefore Push Notifications for Apple iOS devices will not be possible with the “default” certificate.

The easiest way to make sure that Push Notifications function properly is to update your Traveler Server to 10.0.0.0 or a newer release. Index of all IBM Notes Traveler Releases:

http://www-01.ibm.com/support/docview.wss?uid=swg21700212#10011

In order to upgrade Traveler, there is no need to update Domino to Version 10, although I would strongly recommend it. Traveler 10.0.X System Requirements:

https://www-01.ibm.com/support/docview.wss?uid=ibm10729949

IBM Connections Docs – Issue with File Preview in Google Chrome

I recently deployed a new Connections Environment, together with the IBM Connections Docs Applications. After the installation I encountered an issue with File Preview: some files cannot be viewed in the Google Chrome Browser.

We could reproduce this issue only with “.doc” and “.docx” files and only in Google Chrome, version 72, whereas the Preview still works well with other office files like “.ppt” and “.xlsx”. In other Browsers like the newest version of Firefox (65.0.2) and IE, there are no such issues.

It turns out that the issue lies with Code in the current Version of Google Chrome, Version 72.0.x, so if you have the possibility, try to delay or stop the update in your environment until there is a solution for this issue. IBM is currently working on a Fix for this Bug, and it may be available as a Fix for IBM Connections Files rather than an IBM Docs Fix, so read the Release notices carefully.

As a workaround, you can open the problematic files in “Edit” mode if you have sufficient access rights; there the contents will be displayed without any issue.

I have deployed IBM Connections 6.0 CR4 and IBM Docs 2.0 CR3 iFix006, but some folks have the same issue with older Versions of IBM Connections and IBM Docs as well.

Upgrading Notes 9.0.1 client to Notes 10.0.1 on Mac

Yesterday, an Article was published by IBM Support about Upgrading Notes 9.0.1 to Notes 10.0.1 when a User has Sametime embedded add-on installed. Make sure to read it, in order to avoid problems.

https://www-01.ibm.com/support/docview.wss?uid=ibm10872660&myns=swglotus&mynp=OCSSKTXQ&mync=E&cm_sp=swglotus–OCSSKTXQ–E

From my understanding (I am not too familiar with Mac Clients), you need to uninstall Notes 9.0.1 prior to the 10.0.1 installation.

Domino Tech School

Domino Tech School is a series of webinars concentrated around Domino V10. It was announced on January 8th this year. Since then there have been two sessions, “Domino Query Language” and “Upgrading to Domino V10: Best Practices”. If you have missed one of these two Sessions, don't worry, you can still watch the recording, but you still have to register.

All of the Sessions were great so far. I like how fast the recording is available, minutes after the Webcast is finished. And it contains useful Information for everyone, Developers and Administrators. So make sure you check it out.

Make sure that the “Names.nsf” cannot be accessed via Internet!

Important Notice: If you are using your Domino Server as an LDAP Directory for Connections and/or Sametime do not continue with the steps described further down.


If your Domino Server is exposed to the Internet, make sure that the Domino Directory, the “Names.nsf” database, cannot be accessed via Web Browser, or at least that the fields which can be used to get the hash values of the Internet Passwords cannot be.

A while ago, we were contacted by a customer who found out that his Domino Servers are vulnerable to a certain exploit which allows an attacker to extract the hash values of the HTTP Passwords of every user in the Domino Directory. The mentioned vulnerability is documented as “CVE-2005-2428”; you can read all the details of the exploit in the article below:

https://www.exploit-db.com/exploits/39495

EDIT: In response to my post, Sven Hasselbach also wrote a post on his blog. It is very informative and detailed, and he added Information I missed, so I would strongly urge you to read it. Furthermore, I would also like to add the comment from Christoph Stöttner:

I haven’t checked the authentication, but you can’t use LDAP any more (Softerra will present: The user has insufficient access rights!)! So even when Connections or Sametime User can authenticate (please double check), TDI will not read or update any user account, even worse with default settings in Connections TDISOL all your profiles get deactivated!

The mentioned vulnerability is from 2016! So nothing new. To get the hashes the attacker already needs to have a valid login (or allowed anonymous access to your names)! Then he can grab the hashes. Afaik with “Use more secure internet passwords” and “Yes – Password verification compatible with Notes/Domino release 8.01 or greater” it’s not that easy to decrypt the hashes.

I think way more important is a proper ACL, a well-configured security tab in the server document and “Enforce server access settings: Yes” for all used protocols.

As described in the article, you could remedy this by hiding $dspHTTPPassword and HTTPPassword, or you could “block” the access to names.nsf via Web Browser completely. The only reliable way I could find, with the help of Roberto Boccadoro, to do this on Domino would be to set the following property:

I tested this in a few environments, with SPNEGO and Web Federated Login enabled, and I could find no issues.
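
To confirm that either remedy described above took effect, the check below classifies a response you have already fetched from a names.nsf URL on your own server. It is an added example, not part of the original post: the function name, result labels and sample HTML are constructed for illustration, and it assumes that any password-type input means a login prompt was served.

```python
from html.parser import HTMLParser

# Field names taken from the post; matching is case-insensitive.
SENSITIVE_FIELDS = {"httppassword", "$dsphttppassword"}

class _FieldFinder(HTMLParser):
    """Records sensitive form fields and whether a login prompt is present."""
    def __init__(self):
        super().__init__()
        self.hits = []            # (field name, True if a non-empty value was served)
        self.login_form = False   # assumption: a password-type input means a login page

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}   # HTMLParser lowercases attribute names
        name = a.get("name", "")
        if name.lower() in SENSITIVE_FIELDS:
            self.hits.append((name, bool(a.get("value", "").strip())))
        elif a.get("type", "").lower() == "password":
            self.login_form = True

def audit_response(status, body):
    """Classify one HTTP response (status code, HTML body) for a names.nsf URL."""
    if status in (401, 403, 404):
        return "blocked"
    if status != 200:
        return "review"            # redirects, 5xx: inspect manually
    finder = _FieldFinder()
    finder.feed(body)
    if any(has_value for _, has_value in finder.hits):
        return "hash-exposed"      # password field rendered with a value
    if finder.hits:
        return "field-present"     # field name visible, value empty
    if finder.login_form:
        return "login-required"    # anonymous access was refused with a login page
    return "reachable"             # directory content served, sensitive fields hidden

# Constructed sample bodies (not captured from a real server).
EXPOSED = ('<form><input name="FullName" value="Test User">'
           '<input type="hidden" name="HTTPPassword" value="(CONSTRUCTED-PLACEHOLDER)"></form>')
HIDDEN = '<form><input name="FullName" value="Test User"></form>'
LOGIN = '<form><input name="Username"><input type="password" name="Password"></form>'

if __name__ == "__main__":
    for label, status, body in [("exposed", 200, EXPOSED), ("hidden", 200, HIDDEN),
                                ("login", 200, LOGIN), ("denied", 403, "")]:
        print(label, "->", audit_response(status, body))
```

A result of "reachable" means the fields are hidden but names.nsf is still served over HTTP; "blocked" or "login-required" is what to expect once web access to the database is refused.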