Wednesday, 20 June 2018

Using the Domino Configuration Tuner to Evaluate Server Settings

In my recent role as Domino Administrator I picked up a number of tasks including monitoring our Domino Servers. Yesterday I watched episode 5 of the great #Perfect10 webcast by Gabriella Davis. In this webcast Gabriella mentioned the use of the Domino Configuration Tuner which is shipped with the Administrator Client. Until now we did not use this Configuration Tuner. The Domino Configuration Tuner (DCT) evaluates server settings according to a growing catalog of best practices. All servers in a single domain can be evaluated together. DCT generates reports that explain the issues DCT uncovers, suggests mitigations, and provides references to supporting publications.
DCT comes with easy-to-use, self-service configuration analysis so that installations are more robust and experience improved performance. A single Domino server includes thousands of configuration options. DCT provides best practice analysis as well as worst practice disclosure, and helps reduce total cost of ownership by assisting users in identifying configuration problems. DCT looks at settings in the Domino Server documents, the NOTES.INI file, and advanced database properties. Configuration settings are flagged when their values are known to cause problems based on prior customer experience. Out-of-range and unexpected values are reported so that undefined behavior can be prevented. Suggested adjustments help you achieve known server performance improvements.

I followed the steps below to enable / use the Domino Configuration Tuner on our Domino servers.
1. Open the Domino Administrator Client.
2. Open the Tab Server - Analysis
3. Select Domino Configuration Tuner

4. The opening screen of the Domino Configuration Tuner will appear.
5. After the update and the deployment of the updated files the local application will be created.

The final result is a set of generated reports that explain the issues DCT uncovers, suggest mitigations and provide references to supporting publications.

After selecting the option Domino Configuration Tuner the message below appeared continuously (even after the restart of the Notes Client).

During the first update 6 files were successfully deployed. In the Status Bar the error message 'Unable to deploy one updated file (probably locked and in use)' is shown.
The solution for this problem is to run the Notes Client in Administrator mode after selecting Domino Configuration Tuner in the Domino Administrator Client. The Notes Client can then deploy the dct.jar file into its destination folder: %notes%/jvm/lib/ext.

For more information: Domino Configuration Tuner (DCT)

Sunday, 17 June 2018

Excellent Course Integrate IBM Domino with Node.js

As already indicated, a large part of the Notes Domino XPages community already lives in the Domino 10 bubble. And that's a very good thing. One of the new features in Domino 10 is the introduction of Node.js in Domino. As indicated in my previous blog post, a webinar will be hosted by IBM on June 28, Node.js and Domino V10 Essentials - What You Need to Know.
Yesterday I came across this message from Mark Barton on Twitter.

In order to get a good idea of how to use Node.js in Domino, this is a more than excellent starting point. It is an excellent course that gave me a good insight regarding Node.js in Domino. You can find the course on this website.

For more information about Node.js and Node-Red, see the blog series of John Jardin, Node-RED Blog Series.

Thursday, 14 June 2018

Upcoming Webinar Node.js and Domino V10 Essentials – What You Need to Know

At the moment, a large part of the Domino community is already living in the V10 bubble. A few days ago, the IBM Domino V10 Beta Program was announced by Andrew Manby and Richard Jefts. For more information see my previous blog post IBM Domino V10 Beta Program - Domino Applications on iPad Beta Program. In addition, numerous blog posts have been written and webinars have been organized about this new era for IBM Domino. In line with all the latest developments a next webinar for IBM Domino 10 will be organized by IBM on 28 June, Node.js and Domino V10 Essentials – What You Need to Know.

Content Webinar
Spend this session with some of the Domino community's application development experts, Paul Withers and John Jardin, to learn how they are approaching the creation of new Domino applications using the latest frameworks and languages such as node.js and JavaScript. Also, how this approach works for application modernization too.

What you will learn is:
- An introduction to node.js, JavaScript, and
- The use cases, best practices and how best to get started.
- How Domino V10 and Node.js deliver unique value to developers.
- What this means for your existing Domino application investments.

Speakers are Andrew Manby, Director of Product Management IBM Collaboration Solutions, Paul Withers, IBM Collaboration Solutions Consultant Intec Systems Ltd and John Jardin, Integration & Cloud Architect Agilit-e.

Registration for the webinar is open on this website.
As indicated by IBM this is just the beginning! There will be more information on this exciting innovation in the coming months.

Tuesday, 12 June 2018

IBM Domino V10 Beta Program - Domino Applications on iPad Beta Program

It is testing season! Yesterday Andrew Manby and Richard Jefts announced the IBM Domino V10 Beta Program. The beta program will be rolled out in two phases.
- Beta 1 - We will form an initial group of beta participants, based on the submissions received and then qualify and approve for beta program enrollment. Beta 1 will begin on June 25th, 2018.
- Beta 2 - We will extend the initial group of Beta 1 participants as we get further along in the development cycle for Domino V10, by including additional participants at the Beta 2 stage. We expect the Beta 2 phase to begin the second half of July 2018. Submissions received up to July 15th, for those not included in the Beta 1 group, will be considered for inclusion in the Beta 2 phase.
To participate in the IBM Domino V10 Portfolio Beta simply fill-in and submit this signup sheet.
For more information about the Beta Program: Announcing the IBM Domino V10 portfolio beta program.

Next to the Domino Beta 10 program HCL is running a separate beta program for the Domino Apps on iPad offering called HCL Nomad. You can sign up for this program on the following page. The HCL Nomad beta program starts on June 13th and is being managed by HCL.

Fingers crossed and let's hope we will be selected for the Beta Programs for Domino V10 and Domino Application on iPad.

Tuesday, 22 May 2018

Using the Internet Password Lockout Feature on a Domino Web Server

In my recent role as Domino Administrator I picked up a number of tasks including the Internet Password Lockout feature on our Domino Web Server. Internet Password Lockout gives the Domino Administrators the opportunity to set a threshold value for Internet Password authentication failures for users of Lotus Domino applications including Lotus Domino Web Access. This lockout helps to prevent brute force and dictionary attacks on user Internet accounts by locking out any user who fails to log in within a preset number of attempts. Information about authentication failures and lockouts is maintained in the Internet Lockout application where the administrator can clear failures and unlock user accounts.
It should be noted that this feature is subject to Denial of Service (DoS) attacks. A DoS attack is one in which malicious users explicitly prevent legitimate users of a service from using that service. In the case of Internet password lockout, legitimate Internet users could be prevented from logging in to a Domino server by attackers who intentionally make failed login attempts. Internet password lockout has no effect on Domino Off-Line Services (DOLS).

Below is a brief description of the configuration and activation of the Internet Password Lockout feature on a Domino server.

Configuring Internet Password Lockout on a Domino Server
Internet Password Lockout is not enabled by default on a Lotus Domino server. To enable the Internet Password Lockout using the configuration settings document you can follow the steps below.

1. Open Lotus Domino Directory with the Lotus Notes client.
2. Click Configuration - Servers - Configuration.
3. Edit the default server configuration document or an individual server configuration document.
4. Click the Security tab.
5. Change the option Enforce Internet password lockout to yes.
6. Set the log settings. Log both lockouts and failures.
7. Set the default maximum tries. Specify the maximum number of bad password attempts allowed before users are locked out. The default value is 5. After a user is locked out, the user account must be unlocked before any new values for this setting are in effect for that user.
8. Set the default lockout expiration. Specify the period of time for which a lockout is enforced. After the specified time period expires, the user account is automatically unlocked when the user next tries to authenticate. In addition, all failure attempts are cleared.
   NOTE: If this value is 0, the lockout does not expire automatically. The account must be unlocked manually.
9. Set the default maximum tries interval. Specify the length of time failed password attempts are retained in the lockout database before they can be cleared by a successful authentication. The default value is 24 hours.
   NOTE: If this value is 0, every successful login, for a given user who is not locked out, clears all failed password attempts by that user.
10. Save and close.
11. Restart the Lotus Domino server.
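
How the three settings above interact, and what they mean for the DoS caveat, shown as a small Python model added here (it is not Domino's own code and not part of the original post). It assumes times in seconds, that the account locks when the failure count reaches the maximum tries, and that the tries interval is measured from the first recorded failure; LockoutPolicy, Account, attempt and dos_scenario are hypothetical names.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:              # hypothetical names; times are in seconds
    max_tries: int = 5            # default maximum tries from the post
    expiration: int = 0           # lockout expiration; 0 = manual unlock only
    tries_interval: int = 86400   # maximum tries interval; default 24 hours


@dataclass
class Account:
    failures: int = 0
    first_failure: float = 0.0
    locked_at: Optional[float] = None


def attempt(policy, acct, password_ok, now):
    """Apply one login attempt; return 'ok', 'failed' or 'locked'."""
    if acct.locked_at is not None:
        expired = policy.expiration > 0 and now - acct.locked_at >= policy.expiration
        if not expired:
            return "locked"       # a correct password is refused as well
        acct.locked_at, acct.failures = None, 0   # unlocked on the next attempt
    if password_ok:
        retained = policy.tries_interval > 0 and now - acct.first_failure < policy.tries_interval
        if not retained:
            acct.failures = 0     # a successful login clears the failed attempts
        return "ok"
    if acct.failures == 0:
        acct.first_failure = now
    acct.failures += 1
    if acct.failures >= policy.max_tries:   # assumption: lock when the count reaches the maximum
        acct.locked_at = now
        return "locked"
    return "failed"


def dos_scenario(expiration):
    """Someone else burns the tries, then the real user logs in at 10 and 60 minutes."""
    policy, acct = LockoutPolicy(expiration=expiration), Account()
    for t in range(policy.max_tries):
        attempt(policy, acct, False, t)
    return [attempt(policy, acct, True, 600), attempt(policy, acct, True, 3600)]


if __name__ == "__main__":
    print(dos_scenario(0), dos_scenario(1800))
```

With an expiration of 0 the legitimate user stays locked out until an administrator unlocks the account; with a 30-minute expiration the second login succeeds.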

After these settings are configured, an inetlockout.nsf database is created. This database records and tracks locked-out users and failed logins. Replicate this database between Web-enabled servers to ensure that locked-out users remain locked out for the entire infrastructure. The inetlockout.nsf database is created from the inetlockout.ntf database template. All users should be listed as having no access to the database. By default, the Internet Lockout database ACL allows manager access only to the Admin Group. Default and anonymous are denied access. However, the database ACL can be modified to provide users and groups access to view and unlock users. Only Internet password administrators should be able to access this database.
The inetlockout.nsf database also allows administrators to track which users have been locked out. Administrators have the option of unlocking the users as well. Figure 4 shows the information available in the Internet lockout database. This database can also record all user login failures. This fact can be useful when security administrators try to detect password hacking attempts.

For more information see Securing an IBM Lotus Domino Web server: Using the new Internet lockout feature.

Sunday, 13 May 2018

IBM Domino 9.0.1 Feature Pack 10 Interim Fix 2 Available for Download on IBM Fix Central

IBM released IBM Domino Feature Pack 10 Interim Fix 2 on IBM Fix Central. Below the Fix List for Domino 9.0.1 Feature Pack 10 Interim Fix 2.

Download Links for Domino 9.0.1 Feature Pack Interim Fixes.

See also my previous blog post IBM Notes Domino 9.0.1 Feature Pack 10 Interim Fix 3 Available for Download on IBM Fix Central.

Wednesday, 9 May 2018

Upgrade Notes Domino HTTP Passwords Domino Directory to Version 3 (V3)

During the past period, in addition to my developer tasks, I have also been assigned the administrator tasks for Notes Domino. For some of these tasks I use the Ytria EZ Suite Complete tools, like scanEZ. One of the tasks that I recently performed is the upgrade of the HTTP Passwords in the Domino Directory to version 3 (V3). I was made aware of this point by following the Ytria Webcast Your Guide to Modern Defense Tactics and Risk Mitigation for a Secure IBM Domino Environment. First I used Ytria scanEZ to make an inventory of the current HTTP Password versions in the Domino Directory. In my case the HTTP Passwords were all Version 2, introduced in Domino version 6. You can view a great demo by Ben Menesi in the Ytria Webcast. Currently there are 3 versions.

Version 1 (V1), (SEC_pwddigest_V1)
Used in Domino versions prior to version 6. The hash attributes for version 1 are as follows:
- Character set: 34 characters long, hexadecimal character set (A-F, 0-9), starts and ends in parentheses.
- Running the algorithm against the same plain text always results in the same cipher text.
- Can be invoked using the formula @Password("PlainTextValue") or, in LotusScript, Evaluate("Password(PlainTextValue)").
- Can be verified using the formula @VerifyPassword("PlainTextValue";"CipherTextValue") or, in LotusScript, @Password("PlainTextValue")="CipherTextValue".

Version 2 (V2), (SEC_pwddigest_V2)
Introduced in Domino version 6, this is significantly more secure than version 1, primarily because it produces a salted hash value. The hash attributes for version 2 are as follows:
- Character set: 22 characters long, extended character set (A-Z including upper and lower case, 0-9 plus special characters), starts with "(G" and ends in ")".
- Can be invoked using the formula @Hashpassword("PlainTextValue").
- $SecurePassword item with value of "1" present in documents with upgraded V2 hashes.
- Can only be verified using the formula @VerifyPassword("PlainTextValue";"CipherTextValue").

Version 3 (V3), (SEC_pwddigest_V3)
This is the current, and latest, hashing algorithm that was made available for use as of Domino 8.0. The hash attributes for version 3 are as follows:
- Character set: 51 characters long, same character set as version 2 (A-Z including upper and lowercase, 0-9 plus special characters), starts with "(H" and ends in ")".
- Can only be invoked using the SECHashPassword3() API call.
- $SecurePassword item with value of "2" present in documents with upgraded V3 hashes.
- Can only be verified using the formula @VerifyPassword("PlainTextValue";"CipherTextValue").
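
The format rules above are enough to inventory hash versions from an export of the Person documents. The Python below is an example added here (not from the original post or from Ytria): it classifies each HTTP password value by the lengths and prefixes listed above and cross-checks the $SecurePassword value. The row keys name, http_password and secure_password and all sample rows are constructed for illustration.

```python
import re

# Formats as described in the post; the stated lengths include the parentheses.
FORMATS = {
    "V1": re.compile(r"\([0-9A-F]{32}\)"),     # 34 chars, hexadecimal
    "V2": re.compile(r"\(G[^\s()]{19}\)"),     # 22 chars, starts with "(G"
    "V3": re.compile(r"\(H[^\s()]{48}\)"),     # 51 chars, starts with "(H"
}
# $SecurePassword value the post associates with each upgraded version.
EXPECTED_FLAG = {"V2": "1", "V3": "2"}

# Constructed sample rows (hypothetical export layout, not real hashes).
SAMPLE_ROWS = [
    {"name": "Alice Example", "http_password": "(" + "0123456789ABCDEF" * 2 + ")", "secure_password": ""},
    {"name": "Bob Example", "http_password": "(G" + "aB3+" * 4 + "xyz)", "secure_password": "1"},
    {"name": "Carol Example", "http_password": "(H" + "aB3/" * 12 + ")", "secure_password": "2"},
    {"name": "Dave Example", "http_password": "(H" + "aB3/" * 12 + ")", "secure_password": "1"},
    {"name": "Erin Example", "http_password": "not-a-hash", "secure_password": ""},
    {"name": "Frank Example", "http_password": "", "secure_password": ""},
]


def classify(value):
    """Return 'V1', 'V2', 'V3', 'empty' or 'unrecognised' for one HTTP password value."""
    value = (value or "").strip()
    if not value:
        return "empty"
    for version, pattern in FORMATS.items():
        if pattern.fullmatch(value):
            return version
    return "unrecognised"


def audit(rows):
    """Return (name, version, finding) for every row that needs attention."""
    findings = []
    for row in rows:
        version = classify(row["http_password"])
        flag = (row.get("secure_password") or "").strip()
        if version in ("V1", "V2"):
            findings.append((row["name"], version, "upgrade to V3"))
        elif version == "unrecognised":
            findings.append((row["name"], version, "not a known hash format, check manually"))
        if version in EXPECTED_FLAG and flag != EXPECTED_FLAG[version]:
            findings.append((row["name"], version, "$SecurePassword does not match hash version"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ROWS):
        print(finding)
```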

The following steps can be followed for updating the HTTP Passwords in the Domino Directory to Version 3. Note: the HTTP Passwords themselves are not changed by the upgrade.
- Open the Domino Directory (names.nsf) application
- Select Menu Actions - Edit Directory Profile

- Select the Field 'Use more secure Internet Passwords'.
- Next select the option 'Yes, Password verification release 8.01 or greater'

- Next select Save and Close to save the change.

To actually upgrade the HTTP Passwords to Version 3, select all Person documents in the People view in the Domino Directory.

- Select Menu Actions - Upgrade to More Secure Internet Password

- Select the Option Yes - Password verification release 7.01 or greater

The HTTP Passwords have now been upgraded to Version 3 (V3).

For more information see also the blog post Deep Dive into IBM Domino Security Part 1: Password Hashes by Ytria.