Tuesday, 22 May 2018

Using the Internet Password Lockout Feature on a Domino Web Server

In my recent role as Domino Administrator I picked up a number of tasks including the Internet Password Lockout feature on our Domino Web Server. Internet Password Lockout gives the Domino Administrators the opportunity to set a threshold value for Internet Password authentication failures for users of Lotus Domino applications including Lotus Domino Web Access. This lockout helps to prevent brute force and dictionary attacks on user Internet accounts by locking out any user who fails to log in within a preset number of attempts. Information about authentication failures and lockouts is maintained in the Internet Lockout application where the administrator can clear failures and unlock user accounts.
It should be noted that this feature is subject to Denial of Service (DoS) attacks. A DoS attack is one in which malicious users explicitly prevent legitimate users of a service from using that service. In the case of Internet password lockout, legitimate Internet users could be prevented from logging in to a Domino server by attackers who intentionally make failed login attempts. Internet password lockout has no effect on Domino Off-Line Services (DOLS).

Below is a brief description of the configuration and activation of the Internet Password Lockout feature on a Domino server.

Configuring Internet Password Lockout on a Domino Server
Internet Password Lockout is not enabled by default on a Lotus Domino server. To enable the Internet Password Lockout using the configuration settings document you can follow the steps below.

1. Open the Lotus Domino Directory with the Lotus Notes client.
2. Click Configuration - Servers - Configuration.
3. Edit the default server configuration document or an individual server configuration document.
4. Click the Security tab.
5. Change the option Enforce Internet password lockout to Yes.
6. Set the log settings. Log both lockouts and failures.
7. Set the default maximum tries. Specify the maximum number of bad password attempts allowed before users are locked out. The default value is 5. After a user is locked out, the user account must be unlocked before any new values for this setting are in effect for that user.
8. Set the default lockout expiration. Specify the period of time for which a lockout is enforced. After the specified time period expires, the user account is automatically unlocked when the user next tries to authenticate. In addition, all failure attempts are cleared.
   NOTE: If this value is 0, the lockout does not expire automatically. The account must be unlocked manually.
9. Set the default maximum tries interval. Specify the length of time failed password attempts are retained in the lockout database before they can be cleared by a successful authentication. The default value is 24 hours.
   NOTE: If this value is 0, every successful login, for a given user who is not locked out, clears all failed password attempts by that user.
10. Save and close.
11. Restart the Lotus Domino server.
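
How the three settings above interact, including the 0 values and the DoS caveat, as an added example that is not part of the original post and not Domino's implementation: a small Python model of the settings as described, replayed over constructed event lists. It assumes an account locks when the failure count reaches the maximum; times are in hours and all names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class LockoutPolicy:
    max_tries: int = 5           # "default maximum tries" (page default: 5)
    expiration: float = 0        # "default lockout expiration", hours; 0 = manual unlock only
    tries_interval: float = 24   # "default maximum tries interval", hours (page default: 24)

@dataclass
class Account:
    failures: list = field(default_factory=list)  # times of retained bad attempts
    locked_at: Optional[float] = None

def authenticate(policy, acct, now, password_ok):
    """Return 'ok', 'failed' or 'locked' for one login attempt at time `now`."""
    if acct.locked_at is not None:
        expired = policy.expiration > 0 and now - acct.locked_at >= policy.expiration
        if not expired:
            return "locked"        # the correct password is refused as well
        acct.locked_at = None      # automatic unlock on the next attempt...
        acct.failures.clear()      # ...and all failure attempts are cleared
    if password_ok:
        if policy.tries_interval == 0:
            acct.failures.clear()  # a success wipes every earlier failure
        else:                      # failures inside the interval are retained
            acct.failures = [t for t in acct.failures
                             if now - t < policy.tries_interval]
        return "ok"
    acct.failures.append(now)
    if len(acct.failures) >= policy.max_tries:  # assumption: lock on reaching the maximum
        acct.locked_at = now
        return "locked"
    return "failed"

def replay(policy, events):
    """Run (time, password_ok) events against a fresh account."""
    acct = Account()
    return [authenticate(policy, acct, t, ok) for t, ok in events]

# Constructed events: five bad guesses by someone else, then the real user.
GUESSES_THEN_OWNER = [(0.00, False), (0.01, False), (0.02, False),
                      (0.03, False), (0.04, False), (0.5, True), (2.0, True)]
# Constructed events: four typos, one success, one more typo an hour later.
TYPOS_AROUND_SUCCESS = [(0.0, False), (0.1, False), (0.2, False),
                        (0.3, False), (1.0, True), (2.0, False)]

if __name__ == "__main__":
    print(replay(LockoutPolicy(expiration=0), GUESSES_THEN_OWNER))
    print(replay(LockoutPolicy(expiration=1), GUESSES_THEN_OWNER))
    print(replay(LockoutPolicy(tries_interval=24), TYPOS_AROUND_SUCCESS))
    print(replay(LockoutPolicy(tries_interval=0), TYPOS_AROUND_SUCCESS))
```

With an expiration of 0 the account owner stays locked out until an administrator unlocks the account in the Internet Lockout application; with a one-hour expiration the same events end in a successful login.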

After these settings are configured, an inetlockout.nsf database is created. This database records and tracks locked-out users and failed logins. Replicate this database between Web-enabled servers to ensure that locked-out users remain locked out for the entire infrastructure. The inetlockout.nsf database is created from the inetlockout.ntf database template. All users should be listed as having no access to the database. By default, the Internet Lockout database ACL allows manager access only to the Admin Group. Default and anonymous are denied access. However, the database ACL can be modified to provide users and groups access to view and unlock users. Only Internet password administrators should be able to access this database.
The inetlockout.nsf database also allows administrators to track which users have been locked out. Administrators have the option of unlocking the users as well. Figure 4 shows the information available in the Internet lockout database. This database can also record all user login failures. This fact can be useful when security administrators try to detect password hacking attempts.

For more information see Securing an IBM Lotus Domino Web server: Using the new Internet lockout feature.

Sunday, 13 May 2018

IBM Domino 9.0.1 Feature Pack 10 Interim Fix 2 Available for Download on IBM Fix Central

IBM released IBM Domino Feature Pack 10 Interim Fix 2 on IBM Fix Central. Below the Fix List for Domino 9.0.1 Feature Pack 10 Interim Fix 2.

Download Links for Domino 9.0.1 Feature Pack Interim Fixes.

See also my previous blog post IBM Notes Domino 9.0.1 Feature Pack 10 Interim Fix 3 Available for Download on IBM Fix Central.

Wednesday, 9 May 2018

Upgrade Notes Domino HTTP Passwords Domino Directory to Version 3 (V3)

During the past period, in addition to my developer tasks, I have also been assigned the administrator tasks for Notes Domino. For some of these tasks I use the Ytria EZ Suite Complete tools, like scanEZ. One of the tasks that I recently performed is the upgrade of the HTTP Passwords in the Domino Directory to version 3 (V3). I was made aware of this point by following the Ytria Webcast Your Guide to Modern Defense Tactics and Risk Mitigation for a Secure IBM Domino Environment. First I used Ytria scanEZ to make an inventory of the current HTTP Password versions in the Domino Directory. In my case the HTTP Passwords were all Version 2, introduced in Domino version 6. You can view a great demo by Ben Menesi in the Ytria Webcast. Currently there are 3 versions.

Version 1 (V1), (SEC_pwddigest_V1)
Used in Domino versions prior to version 6. The hash attributes for version 1 are as follows:
- Character set: 34 characters long, hexadecimal character set (A-F, 0-9), starts and ends in parentheses.
- Running the algorithm against the same plain text always results in the same cipher text.
- Can be invoked using the formula @Password("PlainTextValue") or, in LotusScript, Evaluate({@Password("PlainTextValue")}).
- Can be verified using the formula @VerifyPassword("PlainTextValue";"CipherTextValue") or, in LotusScript, @Password("PlainTextValue")="CipherTextValue".

Version 2 (V2), (SEC_pwddigest_V2)
Introduced in Domino version 6, this is significantly more secure than version 1, primarily because it produces a salted hash value. The hash attributes for version 2 are as follows:
- Character set: 22 characters long, extended character set (A-Z including upper and lower case, 0-9 plus special characters), starts with "(G" and ends in ")".
- Can be invoked using the formula @Hashpassword("PlainTextValue").
- $SecurePassword item with value of "1" present in documents with upgraded V2 hashes.
- Can only be verified using the formula @VerifyPassword("PlainTextValue";"CipherTextValue").

Version 3 (V3), (SEC_pwddigest_V3)
This is the current, and latest, hashing algorithm that was made available for use as of Domino 8.0. The hash attributes for version 3 are as follows:
- Character set: 51 characters long, same character set as version 2 (A-Z including upper and lower case, 0-9 plus special characters), starts with "(H" and ends in ")".
- Can only be invoked using the SECHashPassword3() API call.
- $SecurePassword item with value of "2" present in documents with upgraded V3 hashes.
- Can only be verified using the formula @VerifyPassword("PlainTextValue";"CipherTextValue").
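
The three formats above are enough to inventory hash versions from an export of the Domino Directory. The following is an added example, not part of the original post and not how scanEZ works: it classifies each value by shape and cross-checks the $SecurePassword value. The CSV layout and the column names FullName, HTTPPassword and SecurePassword are assumptions, and the sample rows are constructed with filler hash bodies.

```python
import csv
import io
import re
from collections import Counter

# Formats as listed on this page; the stated lengths include the parentheses.
V1_RE = re.compile(r"\([0-9A-F]{32}\)")            # 34 characters, hexadecimal
EXPECTED_SECUREPASSWORD = {"V2": "1", "V3": "2"}   # $SecurePassword per version

def hash_version(value):
    """Classify one HTTPPassword value by its shape alone."""
    v = value.strip()
    if not v:
        return "empty"
    if V1_RE.fullmatch(v):
        return "V1"
    if v.startswith("(G") and v.endswith(")") and len(v) == 22:
        return "V2"
    if v.startswith("(H") and v.endswith(")") and len(v) == 51:
        return "V3"
    return "unrecognised"

def audit(csv_text):
    """Return (count per version, entries not on V3, names with a flag mismatch)."""
    counts, not_v3, mismatched = Counter(), [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        version = hash_version(row["HTTPPassword"])
        counts[version] += 1
        if version in ("V1", "V2", "unrecognised"):
            not_v3.append((row["FullName"], version))
        flag = row["SecurePassword"].strip()
        expected = EXPECTED_SECUREPASSWORD.get(version)
        if expected and flag and flag != expected:
            mismatched.append(row["FullName"])
    return counts, not_v3, mismatched

# Constructed sample export (hypothetical names, filler hash bodies).
SAMPLE = "\n".join([
    "FullName,HTTPPassword,SecurePassword",
    "Alice Example/Acme,(" + "0123456789ABCDEF" * 2 + "),",
    "Bob Example/Acme,(G" + "b" * 19 + "),1",
    "Carol Example/Acme,(H" + "c" * 48 + "),2",
    "Dave Example/Acme,,",
    "Erin Example/Acme,(H" + "e" * 48 + "),1",
    "Frank Example/Acme,(Gtruncated),1",
])

if __name__ == "__main__":
    counts, not_v3, mismatched = audit(SAMPLE)
    print(dict(counts))
    for name, version in not_v3:
        print(f"review before/after upgrade: {name} ({version})")
    print("$SecurePassword does not match hash format:", mismatched)
```

Running the same check before and after the upgrade steps shows whether any Person documents were left on V1 or V2.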

The following steps can be followed for updating the HTTP Passwords in the Domino Directory to Version 3. Note: the HTTP Passwords themselves are not changed by the upgrade.
- Open the Domino Directory (names.nsf) application
- Select Menu Actions - Edit Directory Profile

- Select the Field 'Use more secure Internet Passwords'.
- Next select the option 'Yes, Password verification release 8.01 or greater'

- Next select Save and Close to save the change.

To actually upgrade the HTTP Passwords to Version 3, select all Person documents in the People view in the Domino Directory.

- Select Menu Actions - Upgrade to More Secure Internet Password

- Select the Option Yes - Password verification release 7.01 or greater

The HTTP Passwords have now been upgraded to Version 3 (V3).

For more information see also the blog post Deep Dive into IBM Domino Security Part 1: Password Hashes by Ytria.

Monday, 7 May 2018

Installing Domino Feature Packs Part II - Solution Error A Notes Domino Related Process is Still Running

In continuation of my blog post from last week, Installing Domino Feature Packs, I upgraded the Domino Server in the production environment today. During the upgrade process, unlike the test upgrade in the test environment, we encountered a problem when starting up the incremental installer. The following error message appeared: Error: "Lotus Notes/Domino or a Notes/Domino related process is still running. Please close it before pressing OK to continue." when installing hot fix or fix pack.

The corresponding IBM Technote indicates that this issue can occur in Microsoft Windows Server 2008 when User Account Control (UAC) blocks access to .dll files that the installation needs to read or modify.
Possible solution: Right-click on the hot fix or fix pack executable and select 'Run as Administrator'. Alternatively you can disable UAC while running the installation. This will allow the installer to apply the upgrade. We tried both possible solutions, however without success!

In response to my previous blog post I received the following response today from Jay Marme: I disable the Windows Management Instrumentation Service before patching Domino and re-enable it after patching has been completed since WMIS can cause issues.
We tried this possible solution and the installation of the Fix Pack started without any problem. Thanks very much Jay!
This solution is also described in Daniel Nashed's blogpost Solution for Notes/Domino related process is still running when applying a Fixpack or Hotfix.
Ultimately, the upgrade of the Domino Server was successful.

Friday, 4 May 2018

Quick Tip: Edit the NOTES.INI File Using a Configuration Settings Document

In the past period I have had to edit the NOTES.INI file a number of times. On the one hand in the context of Domino Security and on the other hand for using an UpdateSite application. There are different ways to adjust the NOTES.INI file: open the NOTES.INI file and edit it, create a Configuration Settings document and edit the settings, or use the Set Configuration server command. However, because editing the NOTES.INI file directly is unsafe, it's best to use a Configuration Settings document to modify server settings. Be aware that the NOTES.INI file contains many settings that IBM Domino and IBM Notes rely on to work properly. An accidental or incorrect change may cause Domino or Notes to run unpredictably. Below is a short description of my approach using a Configuration Settings document, based on the IBM documentation.
From the Domino Administrator, open the Domino Directory and click Configuration in the left-hand navigation pane.

To edit an existing Configuration Settings document, highlight it and then click Edit Configuration. To create a new configuration document, highlight the server for which the Configuration Settings document will apply, then click Add Configuration.

To modify NOTES.INI settings on the server, click the NOTES.INI Settings tab. This tab lists a number of current settings in the server's NOTES.INI file.
To add a setting, click Set/Modify Parameters to display all settings that you can set in the Configuration Settings document. Select the setting(s) you want to add from the list. Type the value for the variable in the Value field. If the value is not in the list you can add it yourself, for example the setting HTTPDisableServerHeader=1.

To modify or clear a setting, highlight a NOTES.INI variable in the list and click Clear. In the Clear Parameter or Value, choose Clear parameter or Clear value. If you are clearing a parameter, be sure to clear the value before clearing the parameter. If you choose to clear a value, you can type in a new value.

Finally the new value is added to the NOTES.INI settings. The last step is to Save and close the Configuration Settings document and restart the Domino Server.

Remark: The Current parameters field displays the NOTES.INI settings that have been configured for the server. You can also see historical information about the last NOTES.INI setting that was configured on the server, including the name of the setting, the value to which it was set, the name of the person who configured it, and the time and date on which it was configured.

Installing Domino Feature Packs

Recently I have been assigned a number of tasks as Domino Administrator. One of these tasks involves upgrading the Domino Server to a more recent Feature Pack (Fix Pack). In my specific case it was an upgrade to Fix Pack 7.
Given that it has not been a regular task for me for the last few years, I searched the Internet for a good step-by-step plan. Unfortunately, I did not find much information except an IBM document, Basics steps to upgrade the Domino server. For the upgrade I also asked some advice from lifetime IBM Champion Gabriella Davis (@gabturtle). Thanks very much for your time and help! With this advice and the information in the IBM document I carried out the upgrade in the test environment. Below are the steps that I have followed. If someone has additions and/or comments I would like to hear them, as I want to do the upgrade on Monday in our production environment.

A. Domino Fix Pack 7 Files
Initially, I downloaded the Domino Fix Pack 7 files from IBM Fix Central.
Next I placed the downloaded files on the Domino Server in the Temp Directory.

B. Maintenance System Databases
The next step I performed was the maintenance on the system databases names.nsf and admin.nsf.

1. Shut down the Domino Server
2. Navigate to the folder where the Domino server is installed
3. In the directory above perform the maintenance on the system databases
4. Fixup names.nsf and admin4.nsf
"C:\Program Files\IBM\Lotus\Domino\nfixup" names.nsf -F
"C:\Program Files\IBM\Lotus\Domino\nfixup" admin4.nsf -F

5. Compact names.nsf and admin4.nsf
"C:\Program Files\IBM\Lotus\Domino\ncompact" names.nsf -c
"C:\Program Files\IBM\Lotus\Domino\ncompact" admin4.nsf -c

6. Updall names.nsf and admin4.nsf
"C:\Program Files\IBM\Lotus\Domino\nupdall" names.nsf -R
"C:\Program Files\IBM\Lotus\Domino\nupdall" admin4.nsf -R

C. Run Fix Pack Executable
After the above maintenance steps, the executable of the Fix Pack can be executed: run the installer and follow the screens for the installation. Note: it will take the Domino program and data directory paths of the already installed server. The following screens appear consecutively.

The last screen that appears finally indicates that the upgrade has been successfully completed. For me it is not entirely clear what exactly happens in screens 2 and 3 but I assume this is correct and is part of the upgrade.


D. Windows services - Restart Server
Start the windows services with services.msc
For the "IBM Domino Server" Service, this service must be set as "Manual" at this stage. Later it can be reset to Automatic.
Restart the Windows server.

E. Start Domino Server
After the restart of the Windows Server, the Services 'IBM Domino Server' can be reset to Automatic in the Windows Services. Next the Domino Server can be started. Using sh stat server you can see with which version the Domino Server is running now. In my case this is Release 9.0.1 FP7 so the upgrade of the server has been successful.

Remark: If the upgraded server is the Administration server, then when the server starts up it will prompt with the message: "Do you want to upgrade the design of your address book? This replaces the standard forms and views with the ones from the template. (Yes/No)".
Type Yes or Y and press Enter, and it will upgrade the design of names.nsf with the latest template.
This completes the upgrade of the Domino server.

Tuesday, 1 May 2018

IBM Notes Domino 9.0.1 Feature Pack 10 Interim Fix 3 Available for Download on IBM Fix Central

Yesterday IBM released IBM Notes Domino Feature Pack 10 Interim Fix 3 on IBM Fix Central (About shows 9.0.1FP10 SHF81).
Download: IBM Notes 9.0.1 Feature Pack 10 Interim Fix 3

Notes Domino 9.0.1 Feature Pack 10 addresses defects in the Client, Server, and the Domino OpenSocial component. All Feature Packs are language independent and may be applied on any language version of Notes Domino 9.0.1. See Download Options for Notes Domino 9.0.1 Fix Packs and Feature Packs for all Notes and Domino Feature Pack 10 Download Links and Part Numbers. For more information see also IBM Notes Domino 9.0.1 Feature Pack 10 Release Notice.

The JVM was upgraded to Java 1.8 SR4 FP10 (with tzdata17c) (SPR #HYUEAQ2JUQ).
Notes/Domino - Java 1.8 SR4 FP10 (with tzdata17b).
For information on NBP (Notes Browser Plugin), Notes Client on Linux, or Domino Server on Linux32 and AIX32, please refer to the 9.0.1 FP8 release notice.
Templates – There are no template updates for FP10; use templates from FP9.
Pre-Req for Traveler Server: If you are upgrading the version of Domino to 9.0.1 FP10 on your Traveler server, for server compatibility use Traveler or higher.

New Features in IBM Notes Domino 9.0.1 Social Edition Feature Pack 10
1. The JVM in Designer is Upgraded to use 1.8 at compile time
2. Eclipse Platform Upgraded to 4.6.2
3. Embedded Sametime Upgraded To 901 By Default
4. The GSKit libraries are upgraded to Version for both client & server.
5. Japanese User Interface Update
6. Add-on Installer for Notes CCM (Connections Content Manager)