Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration

Query results for : November 2015

Checklist for Smartcloud Notes Hybrid Configuration- 12 November 2015 - (0) Comments

Thomas Hampel
 12 November 2015

Your first step towards the cloud is to build a hybrid environment e.g. to support a proof of concept in your environment.
In most cases customers would like to move a few users to the cloud to experience the onboarding process, confirm seamless coexistence of on-premises and cloud environments, and explore new features of the cloud such as IBM Verse.

Although IBM provides a full training course for setting up a hybrid environment, I still would like to (with friendly support of Hagen Bauer) provide a checklist for customers to support this process and getting started as quickly as possible.

Warning:

This checklist may not be perfect, you should still read the documentation and talk to your certified IBM expert of choice.
It is supposed to be a checklist for customers, not for certified onboarding specialists that will move your IBM Notes mail to IBM Cloud.
Suggestions and ideas for further improvement are always welcome.

Overview

This is a graphical overview of a hybrid environment. On top are your (On-Premises) servers, at the bottom are cloud servers and in between (red) the internet.
Image:Checklist for Smartcloud Notes Hybrid Configuration

Steps
  • Check your inventory! Are current servers available? Are they accessible? Are they placed in the network zone they are expected to be?
    See graphic above and verify positioning of:
    #1 = Domino Administrator Client
    #2 = On-Premises Mail Server
    #3 = On-Premises Directory Mail Server
    #4 = Passthru Server in DMZ
  • Complete this table with data from your environment. Make its correct and complete.
  • Configure your Firewall for inbound and outbound traffic.
    Check twice, and verify Firewall settings once again before claiming to be done. A mistake at this point will cause headaches later on.
  • Make sure your passthru server is using the same root certificate as your HUB and MAIL server?
    Can the Admin client (see #1 in the graphic above) access the passthru server?
  • Create a new OrgUnit based on your current Domino certificate. This certificate will be used later on for all your Domino servers in the cloud.
    Example: "/SCN/Company" or "/Cloud/SRV/Company"
  • In your current environment, does your Global Domain Document meet those requirements?
  • Make sure you still have the SmartCloud activation email available. The one that contains the SmartCloud activation link.
    Oh, and make sure the link has not expired.
  • In the SmartCloud Notes account initial setup, did you choose "Hybrid Account" ?
    If not you need to request a full reset of your account by contacting support@collabserv.com
  • Define a name prefix for your cloud mail servers. Choose a short but remarkable prefix and dont pick something too fancy.
    Example: **Cloud-**/SCN/Company
  • Are you prepared to create new and modify existing DNS records for your company domain?
    Make sure you have control over your DNS records.

Conclusion

All of the above steps are part of the documentation, but not in a single place. I hope you can make use of this reference in your SmartCloud onboarding project.
Feedback is very welcome, so drop me a mail or send a tweet

References:

Domino Security - Disable HTTPEnableConnectorHeaders NOW- 9 November 2015 - (0) Comments

Thomas Hampel
 9 November 2015

There is a seucrity issue with Domino which allows anybody to gain access without authentication.
Jesper Kiaer wrote about this problem before in his blog post ( Part1 and Part2 ) and also created a video showing the problem.

If the Notes.ini variable HTTPEnableConnectorHeaders is set to 1, an attacker just needs to pass the user name he wants to be within a request header to get unauthorized access to Domino servers.
This notes.ini variable is referenced in the product documentation as well as in this technote for configuring Domino servers behind an IIS reverse proxy.

So there is a good chance that some people have enable this variable in production.
None of the Domino servers I have checked was affected, however I was able to reproduce the findings and can confirm it is working as described even with Domino 9.0.1 with latest fixes installed.

Steps to reproduce
  • Add the Notes.ini variable "HTTPEnableConnectorHeaders=1" to the Notes.ini of the Domino server
    Remark: This will make the server insecure.
  • Restart the HTTP task
  • Use Firefox and install this plugin => https://addons.mozilla.org/en-US/firefox/addon/modify-headers/
  • Restart Firefox for the plugin to be initialized
  • In Firefox, open the configuration of the new plugin
    Image:Domino Security - Disable HTTPEnableConnectorHeaders NOW
  • Add a new header called $WSRU with the desired username / shortname as available in the target environment
    Image:Domino Security - Disable HTTPEnableConnectorHeaders NOW
    Save + Enable the configuration
  • Start the Plugin
    Image:Domino Security - Disable HTTPEnableConnectorHeaders NOW
  • Navigate to an existing Domino server resource, e.g. https://your-domino-server.your-domain.com/mail/username.nsf
Surprise, surprise... you now have access rights of the user name you have specified in the request header, in my case thats PaulSmith.
Just imagine what can be done when using the name of an administrator...

How to fix it?

Well, as simple as removing the Notes.ini variable in question, using the following two commands at the Domino server console:
set config HTTPEnableConnectorHeaders=0
tell http restart

Of course you would use a configuration document in production to keep your Notes.ini under control.

References:

IBM Stammtisch in Dresden - Thema Business Tools - 6.Nov.2015- 5 November 2015 - (0) Comments

Thomas Hampel
 5 November 2015

Hallo IBM Community!

wir, d.h. Anett Hammerschmidt und ich, laden euch wieder herzlich zum IBM Stammtisch in Dresden ein.
Thema des Abends ist "Business Tools" insbes. im Bereich der IBM Messaging & Collaboration Produkte,
Natürlich steht auch diesmal das Kennenlernen und Pflegen neuer und alter Kontakte im Mittelpunkt. Jeder Teilnehmer ist herzlich willkommen!

Wann?

Datum: 06. November 2015
Zeit: 18 Uhr bis 24 Uhr
Einladung im iCAL format

Wo?

Augustiner an der Frauenkirche
An der Frauenkirche 16/17
01067 Dresden
Image:IBM Stammtisch in Dresden - Thema Business Tools - 6.Nov.2015
Webgeschreibung siehe Google Maps, parken ggf. bei QPark Frauenkirche / Neumarkt

Anmeldung:

Bitte tragt euch in diese Liste ein, so können wir die Plätze im Lokal besser planen und ggf. mehr Tische reservieren.

Ablauf:

18:00 Uhr - Welcome Reception
19:00 Uhr - Sessions
Session Sprecher
Virtualisierung mit Docker Veit Weber
DIM - Tool Kit Domino Administration Markus Petzold
Making the Command Line Your Best Friend,  SCM (Git),
alles wofür man eine Command Line braucht, Node.js, Bower etc.
Oliver Busse
Ytria Tool Kit Domino Administration and Development Overview) Kjeld Gosselke
Was ist Neu in Domino Navigator 1.9 Erik Schmalz
Professionale Grafiken schnell und effektiv Anett Hammerschmidt
Domino Administrations Tools
Troubleshooting, Standardization, Visualization and more
Thomas Hampel





Kurzentschlossene können auch ohne Anmeldung einfach vorbeikommen, bitte direkt bei Anett ( +49-176-10315855 ) anrufen

Wir freuen uns auf Euch!
Anett Hammerschmidt und Thomas Hampel
Go ElsewhereSubscribe to RSSAboutStay ConnectedAnd More
Thomas Hampel, All rights reserved.