Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration

Query results for : SSL

Import & Export Internet Certificates Programmatically- 18 June 2015 - (0) Comments

Thomas Hampel
 18 June 2015

We all know that admins are lazy. Being lazy can be a virtue when you have development skills, especially when it reduces the number of helpdesk calls by automating boring work.
So how do you import X.509 certificates into a Notes ID when the certificate itself is stored in the Windows certificate store?

S/MIME Import / Export Automation

If needed, users can export or import Internet certificates directly from the Notes client, but who wants to do that manually?
Even exporting the certificate from the Notes ID is too complicated for most users...
Image:Import & Export Internet Certificates Programatically

Looking for an automated way to export Internet certificates, I found that pubnames.ntf uses some undocumented @Formulas for working with X.509 certificates:
  • @X509Certificates([Subject];UserCertificate;"");
    Returns the list of subjects of the Internet certificates stored in the Person document field named "UserCertificate"
  • @Command([PKCS12ExportCertsFromNAB];UserCertificate;Certificate;Number;"0")
    Where "Number" is the position, in the list returned by @X509Certificates, of the certificate to export

In my opinion those @Functions still show too many dialog boxes, so let's try to make it simpler.
The C API documentation provides the functions required, namely PKCS12_ExportIDFileToFile and PKCS12_ImportFileToIDFile.

Wrapping both into a small script is easy...

' Notes C API entry points (nnotes.dll on Windows). Both return a Notes STATUS as Integer; 0 means NOERROR.
' The last parameter is a reserved pointer and is passed as NULL (ByVal 0&) at the call site.
Declare Function PKCS12_ExportIDFileToFile Lib "nnotes" Alias "PKCS12_ExportIDFileToFile" (_
           ByVal pIdFilename As String,_
           ByVal pIdFilepassword As String,_
           ByVal pPKCS12Filename As String,_
           ByVal pPKCS12Filepassword As String,_
           ByVal ExportFlags As Long,_
           ByVal ReservedFlags As Long,_
           Preserved As Any) As Integer

Declare Function PKCS12_ImportFileToIDFile Lib "nnotes" Alias "PKCS12_ImportFileToIDFile" (_
           ByVal pPKCS12Filename As String,_
           ByVal pPKCS12Filepassword As String,_
           ByVal pIdFilename As String,_
           ByVal pIdFilepassword As String,_
           ByVal ImportFlags As Long,_
           ByVal ReservedFlags As Long,_
           Preserved As Any) As Integer

' ExportFlags bit: write only the certificates, leave the private key(s) out of the PKCS#12 file
Const PKCS12_EXCLUDE_PRIVATEKEYS = &h00000001


Calling those APIs imports a certificate from a PKCS#12 file, but often the certificate has already been deployed to (for example) the Windows certificate store.
It would have been easy to use a Windows API call to export the certificate into a file and then import it into the Notes ID using the Notes API calls above.
Unfortunately Microsoft discontinued CAPICOM after Windows XP, so we have to fall back to old-school methods such as the Certutil command line tool.

Still, with the resulting functions you can import and export X.509 certificates from the Windows certificate store to the Notes ID and back:

ImportInternetCertificatesFromOSCredentialStore.lss

ExportnternetCertificatesToOSCredentialStore.lss

As usual, YMMV; feel free to further optimize the code to fit your needs.
Please use at your own risk and report back any suggestions or improvements!
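The two .lss files above are the author's. What follows is an added example, not code from this post, showing one way to wire the pieces together in LotusScript: certutil exports the chosen certificate from the current user's Windows "My" store into a temporary PKCS#12 file, PKCS12_ImportFileToIDFile merges it into the Notes ID, and the temporary file is deleted straight after; the reverse direction exports from the ID with PKCS12_ExportIDFileToFile and hands the file to certutil -importPFX, which deletes it when done. Assumptions: the code runs inside a Notes client on Windows (so nnotes.dll is loaded), the ID file path comes from the KeyFilename Notes.ini setting, the user types the ID password, and the certificate identifier "Thomas Hampel" in Initialize is a placeholder for the subject CN (certutil also accepts a serial number or SHA-1 thumbprint). Two caveats a practitioner should keep in mind: the PFX password is visible on the certutil command line while it runs, and InputBox echoes the typed ID password.

```lotusscript
Option Declare

' Notes C API entry points from the declarations in this post (nnotes.dll, Windows).
Declare Function PKCS12_ExportIDFileToFile Lib "nnotes" Alias "PKCS12_ExportIDFileToFile" (_
    ByVal pIdFilename As String, ByVal pIdFilepassword As String, _
    ByVal pPKCS12Filename As String, ByVal pPKCS12Filepassword As String, _
    ByVal ExportFlags As Long, ByVal ReservedFlags As Long, Preserved As Any) As Integer
Declare Function PKCS12_ImportFileToIDFile Lib "nnotes" Alias "PKCS12_ImportFileToIDFile" (_
    ByVal pPKCS12Filename As String, ByVal pPKCS12Filepassword As String, _
    ByVal pIdFilename As String, ByVal pIdFilepassword As String, _
    ByVal ImportFlags As Long, ByVal ReservedFlags As Long, Preserved As Any) As Integer

Const PKCS12_EXCLUDE_PRIVATEKEYS = &h00000001
Const WAIT_SECONDS = 30

' Shell returns as soon as cmd.exe starts, so poll for the file certutil is expected to write.
Function RunAndWaitFor(cmd As String, outFile As String) As Boolean
    Dim i As Integer, taskId As Integer
    taskId = Shell("cmd /c " & cmd, 6)        ' 6 = minimized, without focus
    For i = 1 To WAIT_SECONDS
        If Dir$(outFile) <> "" Then
            Sleep 1                           ' let certutil finish writing and close the file
            RunAndWaitFor = True
            Exit Function
        End If
        Sleep 1
    Next
    RunAndWaitFor = False
End Function

' Throw-away password for the intermediate PFX. Rnd is not a CSPRNG; it only keeps the
' short-lived temp file from being trivially readable before Kill removes it.
Function TempPassword() As String
    Dim i As Integer, s As String
    Randomize
    For i = 1 To 24
        s = s & Chr(65 + Int(Rnd * 26))
    Next
    TempPassword = s
End Function

Function TempPfxPath() As String
    TempPfxPath = Environ("TEMP") & "\notesx509_" & Format(Now, "yyyymmddhhnnss") & ".pfx"
End Function

' Windows store -> Notes ID. certId is certutil's CertId (subject CN, serial number or SHA-1 hash).
' Returns the Notes STATUS (0 = NOERROR) or -1 when certutil produced no file (wrong id, key not exportable).
Function ImportCertFromWindowsStore(certId As String, idFile As String, idPassword As String) As Integer
    Dim pfxFile As String, pfxPwd As String, cmd As String
    pfxFile = TempPfxPath() : pfxPwd = TempPassword()
    cmd = "certutil -user -p """ & pfxPwd & """ -exportPFX My """ & certId & """ """ & pfxFile & """"
    If Not RunAndWaitFor(cmd, pfxFile) Then
        ImportCertFromWindowsStore = -1
        Exit Function
    End If
    ImportCertFromWindowsStore = PKCS12_ImportFileToIDFile(pfxFile, pfxPwd, idFile, idPassword, 0, 0, ByVal 0&)
    Kill pfxFile                              ' never leave the exported private key lying around
End Function

' Notes ID -> Windows store. includePrivateKeys=False copies only the certificates.
' NoExport marks the imported key non-exportable in the Windows store; "& del" removes the PFX afterwards.
Function ExportCertToWindowsStore(idFile As String, idPassword As String, includePrivateKeys As Boolean) As Integer
    Dim pfxFile As String, pfxPwd As String, flags As Long, status As Integer, taskId As Integer
    pfxFile = TempPfxPath() : pfxPwd = TempPassword()
    If includePrivateKeys Then flags = 0 Else flags = PKCS12_EXCLUDE_PRIVATEKEYS
    status = PKCS12_ExportIDFileToFile(idFile, idPassword, pfxFile, pfxPwd, flags, 0, ByVal 0&)
    If status <> 0 Then
        ExportCertToWindowsStore = status
        Exit Function
    End If
    taskId = Shell("cmd /c certutil -user -p """ & pfxPwd & """ -importPFX My """ & pfxFile & _
        """ NoExport & del """ & pfxFile & """", 6)
    ExportCertToWindowsStore = 0
End Function

Sub Initialize
    Dim session As New NotesSession
    Dim idFile As String, pwd As String, rc As Integer
    idFile = session.GetEnvironmentString("KeyFilename", True)
    If InStr(idFile, "\") = 0 And InStr(idFile, ":") = 0 Then     ' KeyFilename may be relative to the data directory
        idFile = session.GetEnvironmentString("Directory", True) & "\" & idFile
    End If
    pwd = InputBox("Notes ID password", "Import Internet certificate")   ' echoes the password; use a masked dialog in production
    rc = ImportCertFromWindowsStore("Thomas Hampel", idFile, pwd)        ' placeholder subject CN (assumption)
    If rc = 0 Then
        MessageBox "Certificate merged into " & idFile
    Else
        MessageBox "Import failed, status " & rc
    End If
End Sub
```

A non-zero return is a Notes STATUS code that can be turned into text with the C API's OSLoadString if you want a readable error; -1 is this example's own marker for "certutil did not produce a PFX", which usually means a wrong CertId or a private key that was imported into Windows as non-exportable.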

Special Thanks to Marcus Floeser for providing the screenshot.

IBM HTTP Server - iKeyman with support for CMS is already part of your Notes Client- 22 September 2014 - (1) Comments

Thomas Hampel
 22 September 2014

Following up on David's post, here is a WIMP's guide to getting a GUI version of iKeyman that supports the CMS format used by the IBM HTTP Server.
iKeyman is actually part of your Notes client; it is available as "/jvm/bin/ikeyman.exe", but unfortunately this version does not provide support for CMS keystores.
Image:IBM HTTP Server - iKeyman with support for CMS is already part of your Notes Client
So what does it take to add support for the CMS format?
There is a (much) longer method to get the same result by downloading a specific version of iKeyman which includes CMS support... but I'll explain that at the end of this post.

Here is the short version:

What you need:
  • Notes Client (which you should already have installed)
  • Text editor of your choice

Actions:
  • Edit the file /jvm/lib/security/java.security
  • Find the list of security providers, e.g. by searching for "security.provider", which should look like this:
    security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.2=com.ibm.crypto.provider.IBMJCE
    security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.4=com.ibm.security.cert.IBMCertPath
    security.provider.5=com.ibm.security.sasl.IBMSASL
    security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
    security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
    security.provider.8=org.apache.harmony.security.provider.PolicyProvider
    security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
  • Append one new line at the end of this list, where [X] is the next integer value available
    security.provider.[X]=com.ibm.security.cmskeystore.CMSProvider
  • Save

So it should look like this:
{...}
#
# List of providers and their preference orders (see above):
#
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.8=org.apache.harmony.security.provider.PolicyProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
security.provider.10=com.ibm.security.cmskeystore.CMSProvider
{...}

Result:
Voila: CMS support is ready
Image:IBM HTTP Server - iKeyman with support for CMS is already part of your Notes Client

This blog post could end here but I'd like to share what someone would have to do without using the method above:

The (very) long route:
  1. Try downloading IBM HTTP Server from www.ibm.com/software/webservers/httpservers/download
  2. Recognize this website only offers version 7.0.0.0, dated 15 May 2009
  3. Try anyway and download and install v7.0.0
  4. Notice iKeyman in this version does not support Subject Alternative Names
    Image:IBM HTTP Server - iKeyman with support for CMS is already part of your Notes Client
  5. Read Technote 1444027
    Notice it clearly states "later versions of IBM HTTP Server (IHS), after v7.0, do not require these special steps to enable SAN functionality."
  6. Conclude that Technote 1444027 is wrong or needs an update
  7. Try downloading the IBM HTTP Server trial 8.0 or 8.5
  8. Notice the web site does not offer a download link and only shows a blank page (why?)
  9. Get IBM HTTP Server in the latest version (which is part of the WebSphere Application Server 8.5.5 Supplements disks, so it's just 3 GByte to download)
  10. Install IBM Installation Manager v1.8 and add the WAS Supplements folder location as a new repository
  11. Install IBM HTTP Server
  12. Launch iKeyman with CMS support and Subject Alternative Name support
    Image:IBM HTTP Server - iKeyman with support for CMS is already part of your Notes Client
  13. Notice that iKeyman is actually part of the Notes Client anyway and the same could have been done without all those steps: priceless

For reference:
Creating a certificate request including Subject Alternative Names can be done with the gskcapicmd command line tool (GSKit) that ships with IBM HTTP Server; "-pw passw0rd" is a placeholder for the key database password:
/opt/IBM/HTTPServer/bin/gskcapicmd -certreq -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -pw passw0rd -label foobar -dn "cn=www.foobar.ibm.com" -size 2048 -file /tmp/foobar.csr -san_dnsname "www.foobar.ibm.com" -san_emailaddr "admin@us.ibm.com" -san_ipaddr "192.168.1.221"

Making Internet Mail Secure with just a few clicks - S/MIME in Domino- 9 May 2014 - (0) Comments

Thomas Hampel
 9 May 2014

I'm wondering why Internet mail is still sent unencrypted, at least to a large extent. You should not make it too easy for your enemy to spy on you just by sniffing your Internet traffic. This blog post is a reminder for Domino admins who still send mail unencrypted over the Internet to take action now. No, I'm not talking about transport level security here; this post is about end-to-end encryption.

After having read the-dummies-guide-to-2048-bit-ssl-self-signed-certificates-in-domino.htm you are ready for securing your internet email with S/MIME.
So lets roll out S/MIME certificates to Notes users in a Domino domain:

Basic steps are:

1. Create a key ring file
that contains a self-signed (or trusted) certificate.
For more information on how to create a self-signed CA, read the-dummies-guide-to-2048-bit-ssl-self-signed-certificates-in-domino.htm

2. Set up the CA process in Domino

Nobody wants to deploy S/MIME certificates to users manually, so it is recommended to
set up the CA process in Domino;
otherwise an admin needs to enter the password of the key ring every time a new user is registered.

3. Migrate an (internet) Certifier into the CA

Just read and follow the
instructions for migrating an existing Certifier/KeyRing, or create a new one using the step by step instructions starting with slide #89.
Remark: You must refresh the CA process in order to see the newly migrated certifier; use the server commands "tell ca refresh" and "tell ca status".

4. Rolling out Internet Certificates to Users

Follow instructions for
Issuing Internet certificates in a Person document or use the  step by step instructions starting with slide #149
Here the CA process becomes very handy when the rollout is done in waves.

Done!

Once AdminP has completed, the Notes client will pick up the new keys the next time it authenticates with the Domino server, and the new S/MIME certificate is then merged into the user's ID file.
If an ID Vault is in use, the Notes client then uploads the updated ID file to the vault automatically.

What about Step-by-Step deployment instructions?

Those have already been provided by Tom Truitt in his Lotusphere 2011 presentation
SHOW104 - Crispy Certificates with Spicy SSL Salsa
One might also want to know
how to enable S/MIME in BlackBerry Enterprise Service 10, and should keep in mind that S/MIME in IBM Notes Traveler still seems to be an issue (Reference: Technote #7039769)

How to obtain the internet certificate's public key of a user?

When receiving Internet mail, users of the same Domino domain can pick up the public key of a user from the Domino Directory, but users receiving mail from the Internet need to ask the sender for a signed email and then add the sender's Internet certificate to their local address book manually. The option can be found in the "Add Sender to Contacts" dialog box...

Image:Making Internet Mail Secure with just a few clicks - S/MIME in Domino

at the very bottom there's a small check box...

Image:Making Internet Mail Secure with just a few clicks - S/MIME in Domino

Now you can send encrypted mail via the Internet; sniffing network traffic won't reveal the mail body in clear text anymore.
Of course enabling S/MIME for external communication is just a first small step, and you know it's not a perfect way to protect your privacy forever.

Overall, this is just some very basic knowledge every Domino administrator should have applied for years, but unfortunately...
Yes, there is more to say about S/MIME in Domino, a lot more - so there will be another blog post about this topic.



The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino- 7 May 2014 - (3) Comments

Thomas Hampel
 7 May 2014

Setting up SSL in Domino using self-signed certificates is easy; one can choose between using Domino as Certificate Authority, setting up SSL in Domino using the CA process, or even putting an IBM HTTP Server in front of Domino.
Since I'm still getting questions on how to quickly create a self-signed certificate for Domino, here is a guide for dummies....

When working with self-signed certificates in Domino, the product documentation won't tell you there's one small problem:
In the standard Domino Server Certificate Administration template (csrv50.ntf) there is no option to specify the key length for self-signed certificates, so by default any new keys are created with a length of just 512 bits. That is not enough for modern browsers, including Internet Explorer 9 (or above) once the update from Microsoft Security Advisory 2661254 is installed, which blocks RSA keys shorter than 1024 bits, see
http://technet.microsoft.com/en-us/security/advisory/2661254
Image:The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino

So let's get this fixed by applying some small modifications to the template so the key size can be adjusted when needed. At the same time we can also make the default validity period configurable.

HTTP/SSL in Domino 9.0 - more Notes.ini variables to be removed after upgrade- 12 March 2014 - (0) Comments

Thomas Hampel
 12 March 2014

After upgrading to Domino 9.0 some users (but not all) reported that they were unable to access a server via HTTP; specifically, iNotes access to one server failed while access to other servers was fine.

Quick check:
  • Domino HTTP task was running fine
  • TCP port 80 was responding
  • Redirect to SSL seemed not to work (Error "The connection was interrupted")
With the help of my colleagues we were looking at the console and found a number of errors showing up:

HTTP Server: SSL handshake failure, no website found for IP address [123.123.123.123]
[...]
New SSL session data length of 5132 bytes is larger than the current size of 5000 bytes.

Especially the second error message made me think... Yes! I remembered there was an issue with earlier releases of Domino, where Technote 1220425 suggested setting two Notes.ini variables to fix a crash related to SSL:
SSL_SESSION_SIZE
SSL_USE_ADDSESSION2

Of course these Notes.ini variables were still in place and still work; they are not obsolete as such (see the list of obsolete Notes.ini variables).
However, after upgrading to Domino 9.0 they are no longer required and, as we have seen, they even cause problems when SSL_SESSION_SIZE is smaller than the session data Domino 9.0 needs to store (5132 bytes against the configured 5000 in the console message above).

Resolution:
1.) Remove these two variables from Notes.ini (Reference: IBM Technote 1657588)
2.) Restart the HTTP task
...and iNotes with SSL is working again.
Thomas Hampel, All rights reserved.