EngageUG – Implementing Certificate Based Authentication for HCL Traveler Access

I am proud and honored that I was allowed to present this year at Engage in Arnhem. To be frank, I still can’t believe it. 🙂 I held a 25-minute session about implementing certificate-based authentication for HCL Notes Traveler. If anyone is interested, the slides are embedded below:

I also recorded a video of my presentation; I wanted to make sure I didn’t miss any errors I made, so that I can improve my overall presentation skills. Apart from the viewing angle, the video has not turned out too bad. 🙂

HCL Domino AppDev Pack – IAM System Requirements

As of now, the official documentation lists no separate system requirements for the IAM component of the Domino AppDev Pack.

I opened a support case regarding this and was told that the IAM component will run on any OS on which the Node.js version mentioned in the official documentation runs.

Live from Tokyo – In Vienna

My employer, Axians ICT Austria GmbH, is sponsoring the “HCL Tokyo Live Viewing Party”, and you are hereby invited.

In addition to the live stream from Tokyo, the agenda is stacked with sessions about HCL Digital Solutions software, held by Axians and the other event sponsors. We also have a special guest, Cornelius Granig, the author of “The Darknet”.

If you are still not convinced, check out the cool location we have reserved.

Make sure not to miss the live stream from Tokyo; we would be especially delighted if you watched it together with us in Vienna. To do so, make sure to register.

HCL Domino v11, Connections v6.5 and more – Live Keynote

It’s that beautiful time of the year again: we get to play with the new software. HCL has announced a live keynote, this time from Tokyo. The keynote will be streamed live, and we will get to see version 11 of Domino/Notes, Connections and Sametime. The event is rather short, set to last one and a half hours, during which we will hear the most important facts about the new software versions and how to start using them right away. Take a look at the agenda below:

9–9:15 a.m.: Live from Tokyo Keynote: A Major HCL Milestone.
Presenter: Richard Jefts, General Manager, HCL Digital Solutions

9:15–9:30 a.m.: Domino V11: Why Modernizing Beats Migrating.
Presenter: Andrew Manby, Vice President of Product Management, HCL Domino

9:30–9:45 a.m.: Domino V11 Demo: One Vendor, One Solution, One Stack. The Only Stack You Need.
Presenter: Andrew Manby, Vice President of Product Management, HCL Domino

9:45–10 a.m.: We Hear You: HCL Connections 6.5 = More Value from Your Investment.
Presenter: Danielle Baptiste, Vice President of Product Management, HCL Connections

10–10:15 a.m.: Boost Engagement with HCL Connections 6.5: We’ll Show You How.
Presenter: Danielle Baptiste, Vice President of Product Management, HCL Connections

10:15–10:30 a.m.: Get Started with Domino V11 and Connections 6.5 Today.
Presenter: François Nasser, Global Sales Leader, HCL Digital Solutions

You can register for the keynote via GoToWebinar.

So what’s my take on this? HCL has proven that they are all about getting work done. Maybe even more important, they focus on the work that matters most to customers, delivering long-awaited features. This shows in the agenda: it is short and fully “packed”. I like this; it is a most welcome change.

I have been working with Notes V11 Beta 1 for two months or so; although this is the first beta version, which is not publicly available, it is stable and looks very promising.

I can’t wait to see Connections 6.5: the UI should be cleaner, and along with the new features we will get a lot of complementary software free of charge, like HCL Connections Invite and the Connections Toolbar.

By the way, the new Digital Solutions Product Branding looks awesome!

Notes Shared Login/Notes Federated Login and Smart Card Support

One of our customers wants to implement single sign-on for Notes clients on Windows, and in the future they plan to introduce smart cards as the login mechanism on their Windows PCs.

Due to some misleading official articles, I was not sure whether smart cards are supported with NSL or NFL. After checking with IBM Support, it turns out that smart cards are supported with Notes Shared Login and Notes Federated Login, as long as you do not use the “Smart Card Protected ID” feature.

So, as long as the smart card is used solely for the OS access/login and not to protect the Notes ID itself, you are good to go to use NSL or NFL for Notes SSO.

Engage 2019 – Part Two – Notes 11, Future of Connections and more!

After the exciting first two days, we continued at the same pace; the first sessions started at 8 o’clock. So after grabbing a few cups of coffee and making some hard decisions on which sessions to visit, I headed toward the presentation rooms. Just like in the previous post, I will list the sessions I visited and add the information which, from my perspective, is most important.

IBM Engagement Center Quickstart: Get your first Intranet pages up and running in minutes – by Martti Garden

In this Session, Martti unleashed the full power of ICEC and showed some tips and tricks, like resizing YouTube videos automatically, in order to “rock” any Connections Environment.

Notes 11 – by Ram Krishnamurthy

This got pretty interesting; as you can imagine, the room was completely full. Ram presented the new Notes 11 client to us. The session consisted of three parts: first we got to see what HCL is striving to achieve with the new release, basically a glimpse of how it should look in the end.

After that, we got to see the current state of the pre-beta release.

After the design was presented, Ram explained some technical differences and improvements which are going to be available in the new Notes 11 client.


IBM Connections: The Future is Bright – by Danielle Baptiste and Martti Garden

In this session Danielle confirmed that HCL is going to continue to invest in the Connections platform, because of its strategic importance for HCL. Martti also showed us some new features which are going to come with the new CR releases, like integration with Slack! We also got to see what is coming with Connections 6.0 CR5, which is going to be released in the next two weeks. After CR5, we should get at least two more CR updates this year.

Domino on Docker Bootcamp – by Daniel Nashed and Thomas Hampel

Interested in running Domino (including Traveler) on Docker? If so, this was the session to be in. Daniel and Thomas explained everything you need to know to “kick-start” your Domino deployment on Docker.

Domino and SSO – New Ways for secure collaboration – Round Table by Daniele Vistalli

In this round table Daniele presented his own application for generating SSO tokens, meant for environments or use cases where you can’t use SAML. The application is great; it is based on Domino and shows just how versatile the platform is.

IBM Connections Customizer – Have it Your Way! – by Miki Banatwala

Miki showed us the true power and flexibility of IBM Connections Customizer. What I liked most was the possibility to show different content to different user groups.

Sadly, I could not visit all sessions; every track had at least two or three sessions which were interesting to me, so it was always a tough call which session to choose.
As always, the organization of the conference was brilliant, many thanks to Theo!

Domino SAML & NFL – Changing the ADFS Certificate

Recently we have been contacted by a growing number of customers regarding the change of the SSL certificate on the ADFS server used for Domino SAML and Notes NFL. Although the process is not overly complicated, there are some “gotchas” you need to keep in mind for it to go smoothly, which I will describe before going through the actual steps of changing the certificate.

Plan ahead

Keep in mind that, as soon as you change the certificate on the ADFS server, SAML/NFL on the Domino/Notes side will stop working. Domino verifies the signature on every SAML response against the certificate stored in the IdP Configuration document in the IdP Catalog; as there is no document yet that corresponds with the new certificate, Domino simply rejects responses signed with the new ADFS key. In this case you will see the following errors on the server console:

SECCheckAndParseSAMLResponse> Signature verification check failed : Could not verify cryptographic signature

SECCheckAndParseSAMLResponse> Exiting : Document has been modified or corrupted since signed! (signature)

Needless to say, this leads to the SSO process not working and to many angry users…

To remedy this, plan the certificate change so that the impact on the client machines is minimal.

For NFL to work, you need to roll out the new ADFS certificate (if you are using a public CA, you need to roll out the intermediate and the root CA certificates). You do this via a Notes client policy, in the Security Settings. This is not a big deal, but keep in mind that after setting the policy the users need to log in successfully once, for the Notes client to pick up the change and receive the new policy together with the new ADFS certificate. I have seen some environments where the Notes client needed multiple restarts to pick up the change.

Now, think about this: the certificate is expiring, and you have to change it in the middle of the Christmas holidays, when most of the users are on vacation, so you go ahead and do everything perfectly. But as soon as your users get back from vacation and try to log in, they get the beautiful error message stating that NFL is not possible at this time, and their Notes ID password is requested, resulting in helpdesk calls… Only after they enter the ID password and log in successfully does the client receive the new certificate, and from then on the login works again.

To get around this, I would recommend rolling out the new certificate as early as possible, well before actually changing it on ADFS, so that the clients already trust it by the time ADFS starts signing with it.

Check the Certificate Requirements

The worst scenario is using the wrong certificate, so make sure that the certificate you are using meets the requirements. If you are using a self-signed certificate, its Key Usage extension must contain “keyCertSign” (also known as “Certificate Signer”) and “cRLSign” (also known as “CRL Signer”). To check this, open the certificate and inspect the Key Usage field. If the certificate does not contain these bits, you will get the following error when you try to create a cross certificate from it in the Domino Directory:

“A cross certificate will not be made due to key usage restrictions in the input certificate.”

It also needs to be signed with a SHA-2 signature algorithm (SHA-256 or stronger). For the full list of certificate requirements and more, please read the following article:

https://www-01.ibm.com/support/docview.wss?uid=ibm10718435

If you are using a certificate from a public CA, the purchased end-entity certificate will not carry these key usage bits, but this is not a problem: you can import the root CA and all intermediate certificates into the Domino Directory and cross-certify those instead. After that you can roll out the cross certificates via the Notes policy document.

One customer is planning to use their own internal Windows Certificate Services (Windows PKI). I opened a support case regarding this and got confirmation that in this case you can also use the CA certificate of that authority. We have not tried that yet, and I didn’t have time to test it in my test environment, but as soon as I have done so, I will post the results.

If the root CA and intermediate certificates stay the same (only the end-entity certificate is renewed), you can skip importing and cross-certifying them, as the existing cross certificates for those CAs are still the right ones.

Steps needed to change the ADFS Certificate

  • Check that the new certificate meets the requirements.
  • Import the certificate (self-signed), or the root CA and intermediate certificates if you are using a certificate from a public CA.
  • Cross-certify the certificate(s).
  • Push the newly created cross certificates to the clients via Notes policy (Security Settings).
  • Change the ADFS certificate.
    • As mentioned, as soon as you do this, the SAML assertions will fail until you create a new IdP Configuration document and restart the participating Domino servers.
  • Export the new “FederationMetadata.xml” file from the ADFS server.
  • Deactivate the old Configuration documents in the IdP Catalog database.
  • Create new IdP Configuration documents using the new “FederationMetadata.xml” file.
    • After you import the XML file, it is deleted from the file system, so if you need it for another Configuration document, make a copy first.
  • Replicate the IdP Catalog database if needed.
  • Restart all Domino servers participating in SAML authentication.
  • Delete the deactivated IdP Configuration documents once you have made sure that the new configuration works.
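A small check for the metadata step above, and for the signature-verification failure described under “Plan ahead”. This is an added example, not code from the original post and not HCL or Microsoft code; it uses only the Python standard library. It parses a FederationMetadata.xml in the shape ADFS exports, pulls out every token-signing certificate (ADFS can publish more than one, for example during a certificate rollover), fingerprints them, and reports which ones the existing IdP Configuration document cannot verify. The entityID, endpoint and certificate values in the sample are constructed placeholders (the “certificates” are not real DER; only their fingerprints matter here). The fingerprint you pass in is assumed to be the SHA-256 fingerprint of the certificate your current IdP Configuration document was created from, e.g. as printed by `openssl x509 -noout -fingerprint -sha256` on a copy of that certificate.

```python
"""Check an exported ADFS FederationMetadata.xml before creating a new
IdP Configuration document in the Domino IdP Catalog.

Added example (not from the original post, HCL or Microsoft). Standard
library only. SAMPLE_METADATA is a constructed, trimmed sample; entityID,
endpoint and certificate values are placeholders, not a real ADFS farm.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder "certificate" bytes (constructed; not real DER certificates).
OLD_CERT = b"OLD-token-signing-cert"
NEW_CERT = b"NEW-token-signing-cert"
ENC_CERT = b"encryption-cert"


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed sample: two token-signing certificates are published (as ADFS
# does during a rollover) plus the encryption certificate, which Domino
# does not use for signature verification.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{_b64(NEW_CERT)}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          {_b64(OLD_CERT)}
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{_b64(ENC_CERT)}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def fingerprint(der):
    """SHA-256 fingerprint, colon-separated like `openssl x509 -fingerprint`."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def signing_certificates(metadata_xml):
    """DER bytes of every token-signing certificate, in document order."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # Per the SAML metadata spec, a KeyDescriptor without "use" serves
        # both signing and encryption, so only an explicit "encryption" is skipped.
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            # Some IdPs wrap the base64 across lines; ADFS does not.
            certs.append(base64.b64decode("".join(node.text.split())))
    return certs


def check_metadata(metadata_xml, configured_fingerprint):
    """Compare the published signing certificates with the configured one."""
    root = ET.fromstring(metadata_xml)
    published = [fingerprint(c) for c in signing_certificates(metadata_xml)]
    return {
        "entity_id": root.get("entityID"),
        "signing_fingerprints": published,
        # While the configured certificate is still published, the existing
        # IdP Configuration document keeps verifying responses signed with it.
        "configured_still_published": configured_fingerprint in published,
        # Any other published certificate will produce the
        # "Signature verification check failed" error until a new
        # IdP Configuration document is created from this metadata.
        "needs_new_document_for": [fp for fp in published if fp != configured_fingerprint],
    }


if __name__ == "__main__":
    # Assume the current IdP Configuration document was built from OLD_CERT.
    report = check_metadata(SAMPLE_METADATA, fingerprint(OLD_CERT))
    print("entityID:", report["entity_id"])
    for fp in report["signing_fingerprints"]:
        status = "NEW" if fp in report["needs_new_document_for"] else "configured"
        print(f"  {status:10s} {fp}")
```

Run it against the real export (`check_metadata(open("FederationMetadata.xml").read(), "<fingerprint>")`) right after the “Export the new FederationMetadata.xml” step: if the new certificate is missing from `signing_fingerprints`, you exported the metadata before the ADFS change took effect and the new IdP Configuration document would be created from the old certificate.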