Wednesday, 21 September 2016

Securing Connections for IBM Traveler Mobile Applications - IBM Verse - IBM Notes Traveler

Yesterday I retweeted the message below, Securing connections for IBM Traveler mobile applications. Below is a summary of the IBM Flash Alert.


In the coming months, IBM will be enhancing the IBM Verse for iOS, IBM Verse for Android, IBM Notes Traveler Companion and IBM Notes Traveler To Do mobile apps to require that a secure connection is used between the mobile app and the endpoint used for connecting to the IBM Traveler server. This article provides the security requirements and step by step instructions for ensuring that your on-premises IBM Traveler environment has adequate connection security in place in order to support these updated apps. If your mobile users connect to IBM SmartCloud Notes for Traveler and the Verse Mobile service, these steps do not apply, since this environment is already prepared for these updates. If you have deployed an IBM Traveler server on your own premises, then please continue reading.
IMPORTANT: You must ensure that your IBM Verse Mobile and Traveler connections are secure and compliant with these requirements by January 1, 2017.

These requirements only apply to the server to which the Verse mobile apps are directly connecting. This may be the IBM Traveler server running on a Domino instance, or some other intermediate reverse proxy, such as an F5 or IBM Mobile Connect. When you enter the host name into your Verse mobile application to connect to your Traveler service, this host name represents the server with which the mobile app is directly connecting, and this is the connection that must be secured.

Requirements
Mobile apps must connect using HTTPS and not the unsecured HTTP protocol.
The server certificate cannot be expired or invalid.
The server certificate common name (CN), or a name from the certificate's Subject Alternative Name (SAN) list, must match the host name the app connects to. A wildcard certificate is allowed, but the wildcard's domain must be the server's domain.
The negotiated Transport Layer Security version must be TLS 1.2. Devices running Android versions prior to 4.1 do not support TLS 1.2, so they can no longer be supported.
The server certificate must chain to a trusted root CA: either one whose root certificate ships in the device operating system's trust store, or one that a user or a system administrator has installed on the device.
The negotiated TLS cipher suite must provide forward secrecy and be one of the following:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

The leaf server certificate must use one of the following key types (this also determines whether the ECDHE_RSA or the ECDHE_ECDSA suites above apply):
- Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits
- Elliptic-Curve Cryptography (ECC/ECDSA) key with a size of at least 256 bits
The leaf certificate's signature hash must be Secure Hash Algorithm 2 (SHA-2) with a digest length of at least 256 bits (SHA-256 or stronger).

Failure to meet all of these requirements may result in your Verse for iOS, Verse for Android, IBM Notes Traveler Companion and IBM Notes Traveler To Do apps being unable to connect to your Traveler servers.
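The quickest way to find out before January whether an endpoint will pass is to connect to it with exactly the constraints the apps will impose and see what breaks. The script below does that with Python's standard ssl module: it pins the handshake to TLS 1.2, offers only the eleven ECDHE suites listed above, verifies the chain against the OS trust store, and then reports each requirement the endpoint fails. It is an added example written for this post, not IBM's tooling; the host names and the sample certificate dictionary are constructed for illustration.

```python
"""Check a Traveler endpoint the way the updated Verse/Traveler apps will.

Added example, not IBM's tooling. The host names and SAMPLE_CERT below are
constructed for illustration.
"""
import socket
import ssl
import time

# The cipher suites from the Flash Alert, in IANA notation.
REQUIRED_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}


def openssl_name(iana_name: str) -> str:
    """Translate an IANA suite name into the OpenSSL name the ssl module reports.

    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA -> ECDHE-RSA-AES128-SHA
    """
    name = iana_name[4:] if iana_name.startswith("TLS_") else iana_name
    name = name.replace("_WITH_", "_").replace("_CBC", "").replace("AES_", "AES")
    return name.replace("_", "-")


ALLOWED_OPENSSL_NAMES = {openssl_name(s) for s in REQUIRED_SUITES}


def hostname_matches(hostname: str, cert: dict) -> bool:
    """Apply the CN/SAN rule: SAN DNS names are used; CN only when there are none.

    A wildcard covers exactly one label, so *.example.com matches
    traveler.example.com but neither example.com nor a.b.example.com.
    """
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ())
                 for kind, value in rdn if kind == "commonName"]
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower()
        if name.startswith("*."):
            if "." in host and host.split(".", 1)[1] == name[2:]:
                return True
        elif name == host:
            return True
    return False


def evaluate(hostname: str, version: str, cipher: str, cert: dict, now=None) -> list:
    """Return the requirements the connection fails; an empty list means compliant.

    `cert` is the dict form returned by ssl.SSLSocket.getpeercert().
    """
    now = time.time() if now is None else now
    problems = []
    if version != "TLSv1.2":
        problems.append(f"negotiated {version}; TLS 1.2 is required")
    if cipher not in ALLOWED_OPENSSL_NAMES:
        problems.append(f"cipher suite {cipher} is not in the allowed ECDHE list")
    if not hostname_matches(hostname, cert):
        problems.append(f"certificate does not match host name {hostname}")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("certificate has expired")
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append("certificate is not yet valid")
    return problems


def check_endpoint(hostname: str, port: int = 443) -> list:
    """Connect with the constraints the apps impose and report what fails.

    create_default_context() loads the OS trust store and verifies chain and
    host name, so an untrusted or mismatched certificate, a server that only
    speaks TLS 1.0/1.1, or one with no ECDHE suite shows up as a handshake error.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(sorted(ALLOWED_OPENSSL_NAMES)))
    try:
        with socket.create_connection((hostname, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return evaluate(hostname, tls.version(), tls.cipher()[0], tls.getpeercert())
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return [f"handshake with {hostname}:{port} failed: {exc}"]


# Constructed sample in getpeercert() dict form; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "traveler.example.com"),),),
    "subjectAltName": (("DNS", "traveler.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Sep 10 00:00:00 2016 GMT",
    "notAfter": "Sep 10 00:00:00 2018 GMT",
}

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "traveler.example.com"
    for line in check_endpoint(target) or ["compliant"]:
        print(line)
```

Run it against the host name you type into the Verse app (`python check_traveler.py traveler.example.com`), since that is the endpoint the requirements apply to, whether it is the Domino server itself or an F5 or IBM Mobile Connect proxy in front of it. Two requirements are not visible in the getpeercert() dictionary and still need a manual look: the leaf key type and size and the signature hash, which `openssl s_client -connect host:443 | openssl x509 -noout -text` prints as `Public-Key: (2048 bit)` and `Signature Algorithm: sha256WithRSAEncryption`.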

For detailed information: Securing Connections for IBM Traveler Mobile Applications
