Friday, 30 December 2016

IBM Connections 5.5 CR2 - CCM upgrade does not complete: "The Deploy Application task has one or more blank passwords"

This week I wanted to install CR2 in my test environment.
The IBM Connections upgrade worked perfectly, but the CCM upgrade stopped after around 20 minutes.
Checking "fn-ce-update.log" showed the cause of the problem immediately:


"C:\IBM\Connections\FileNet\ContentEngine\tools\configure\configmgr_cl" execute -task deployapplication -profile CCM
The Deploy Application task has one or more blank passwords:
Application server administrator password

Do you want to specify these passwords now (passwords will not be saved to disk and will only be used to run the task) (yes/no)? [no]

Wait, what? I didn't provide this information...
 
Searching the web, Google directed me to the blog of Nico Meisenzahl. He provided an easy solution for this problem:

  • navigate to \FileNet\ContentEngine\tools\configure\profiles\CCM\
  • edit "applicationserver.xml"
    • look for <property name="ApplicationServerAdminPassword">
    • and set the right value for the property: <value>MYADMINPW</value>
 You will also have to do this for the CEClient script (\FNCS\configure\profiles\CCM\applicationserver.xml) if you are performing an update/rollback of this component.
 Keep in mind that this stores the application server administrator password in clear text in the profile file, which is exactly what the interactive prompt avoids ("passwords will not be saved to disk"). Blank the value again once the task has completed, and make sure the profiles directory is readable only by the installation account.
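The following script is an added example and not part of the original post or of IBM's Configuration Manager tooling. It finds the blank password properties that make configmgr_cl stop and prompt, fills the value in only for the duration of the task, and restores the original file afterwards so the password does not stay on disk. It assumes the profile uses the <property name="..."><value>...</value></property> layout quoted above; the sample document is constructed for the example, and the command line passed on stdin/argv is whatever you would otherwise run by hand.

```python
"""Find and temporarily fill blank password properties in a FileNet
Configuration Manager profile file (applicationserver.xml).

Added example, not from the original post or from IBM. Assumes the file
uses <property name="..."><value>...</value></property> elements as
quoted in the post; the sample document below is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample of the fragment the post shows (not a real profile export).
SAMPLE_PROFILE = """<configuration>
  <property name="ApplicationServerAdminUsername">
    <value>wasadmin</value>
  </property>
  <property name="ApplicationServerAdminPassword">
    <value></value>
  </property>
  <property name="ApplicationServerHost">
    <value>ccm.example.invalid</value>
  </property>
</configuration>
"""


def blank_password_properties(xml_text: str) -> list:
    """Return the names of *Password properties whose <value> is empty.

    This is the condition that makes configmgr_cl stop and ask
    "Do you want to specify these passwords now" instead of running
    unattended.
    """
    root = ET.fromstring(xml_text)
    blank = []
    for prop in root.iter("property"):
        name = prop.get("name", "")
        if not name.endswith("Password"):
            continue
        value = prop.find("value")
        if value is None or not (value.text or "").strip():
            blank.append(name)
    return blank


def set_property(xml_text: str, name: str, new_value: str) -> str:
    """Return the document with the named property's <value> replaced."""
    root = ET.fromstring(xml_text)
    for prop in root.iter("property"):
        if prop.get("name") == name:
            value = prop.find("value")
            if value is None:
                value = ET.SubElement(prop, "value")
            value.text = new_value
            return ET.tostring(root, encoding="unicode")
    raise KeyError(f"property {name!r} not found")


if __name__ == "__main__":
    # Usage (assumed paths/commands, adjust to your installation):
    #   python fill_ccm_password.py <path to applicationserver.xml> \
    #       configmgr_cl execute -task deployapplication -profile CCM
    import getpass
    import subprocess
    import sys

    path, command = sys.argv[1], sys.argv[2:]
    with open(path, encoding="utf-8") as f:
        original = f.read()
    print("blank password properties:", blank_password_properties(original))
    password = getpass.getpass("Application server administrator password: ")
    with open(path, "w", encoding="utf-8") as f:
        f.write(set_property(original, "ApplicationServerAdminPassword", password))
    try:
        subprocess.run(command, check=True)
    finally:
        # Put the blank value back so the password does not remain on disk.
        with open(path, "w", encoding="utf-8") as f:
            f.write(original)
```

The try/finally is the point of the script: the profile file is restored even if the deploy task fails, which is the case the manual edit tends to leave behind.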

During updates I always use "baretail" to follow the progress of the upgrade. This may save you a lot of time; otherwise you will wait more than an hour while nothing further happens.


Hope this will help you.


Happy New Year !

Jan

Friday, 19 August 2016

IBM Traveler 9.0.1.13 server released

IBM just released FP13 for IBM Traveler. You can get it here
It will be available on Passport Advantage by August 25th.
The following APAR fixes are included:

LO89772 - Multiple replies sent to meeting chair from invitee using Apple Native Calendar
LO82881 - Domino server may crash if $NTTrack field is corrupted.
LO89471 - Traveler invitee status may be incorrect if using mixed case Internet addresses.
LO89606 - Number of recipients limited to 100 when sending mail from a mobile device.
LO89745 - Traveler server enters constrained state when load balancing a large number of users.
LO89840 - IBM Verse mobile application fails to download entire mail for very large mail documents.
LO89952 - Deleted device still present in the Web Administration UI after the 30 day reap interval.
LO89954 - E-mail not in sent folder on mobile device when user sends and files an e-mail in Notes client



Source: ibm.com

Saturday, 13 August 2016

multiple vulnerabilities in IBM Connections

IBM just reported multiple XSS and other vulnerabilities in IBM Connections (all versions).
You will have to upgrade your Connections environment to the most recent version and apply the provided IFs (interim fixes) to get rid of them.


 CVEID: CVE-2016-0310
DESCRIPTION: IBM Connections 5.5 and earlier is vulnerable to possible host header injection attack that could cause navigation to the attacker's domain.
CVSS Base Score: 4.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111450 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)


CVEID: CVE-2016-0305
DESCRIPTION: IBM Connections is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111422 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2016-0307
DESCRIPTION: IBM Connections 5.5 and earlier allows remote attackers to obtain sensitive information by reading stack traces in returned responses.
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111447 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

CVEID: CVE-2016-0308
DESCRIPTION: IBM Connections 5.5 and earlier is vulnerable to possible link manipulation attack that could result in the display of inappropriate background images.
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111448 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)



 

IBM Domino and TLS - Part 4 - How To fix your trust & security issues






"The server does not support Forward Secrecy" (PFS)
Ciphers supporting PFS were introduced with Domino 9.0.1 FP3 IF2. The only thing you need to do is upgrade your Domino to the most recent version. You may also have a look at this article.
Please keep in mind that PFS may significantly raise the CPU usage of your servers in huge environments (8000+ users).


This was the last part of "How to fix your trust & security issues".
I hope I was able to help some of you, and I would appreciate any kind of feedback!

Regards,
Jan

Saturday, 16 July 2016

IBM Domino SMTP, LDAP, IMAP & POP3 over TLS - useful notes.ini values & best practices

Within the last few months I have experienced several issues and interesting behaviour in the TLS communication between Domino servers and other servers, especially with SMTP over TLS.
I just want to share some facts with you, and hopefully you will add some of your own experience.

SSL_ENABLE_INSECURE_SSLV2_HELLO=1
Some customers experienced communication issues with older SMTP clients and with applications using ancient OpenSSL versions after upgrading their Domino to FP2 IF1. This notes.ini parameter was introduced in FP3 IF1 to re-enable acceptance of the SSLv2-format ClientHello for compatibility reasons (it concerns the TLS handshake, not the SMTP HELO). Only set it if you actually still have such clients, since it widens the protocol surface of every TLS listener on the server.
If you want more details on this you should visit Daniel Nashed's blog.

RouterFallbackNonTLS=1
Imagine you have enabled only the DH ciphers on your Domino server, enabled STARTTLS, and send a mail to a server that also uses TLS but supports only non-DH TLS 1.2 ciphers.
What would happen? Right, the handshake fails and the sender gets an NDR. The console should show "SSL I/O" error messages like these:

HTTP Server: SSL handshake failure, IP address [x.x.x.x],
Keyring[keyfile.kyr],[SSL Error: Network IO error], code [4165]

With this .ini parameter enabled the Domino server will not send an NDR to the sender but instead falls back to unencrypted SMTP.
On the one hand this improves user experience, but on the other hand it also enables MITM attacks (an attacker on the path only needs to break the TLS handshake to force clear text), and you can no longer be sure that every communication between you and your partners is encrypted, which is why I advise you not to enable this parameter if you want your communication to be secured.


DISABLE_SSLV3=1 & SSL_DISABLE_TLS_10=1
Since SSLv3 and TLS 1.0 have had practical attacks for years (POODLE against SSLv3, BEAST against TLS 1.0 CBC ciphers), I would definitely advise you to deactivate these protocol versions if you communicate with servers outside your local network.

Friday, 27 May 2016

IBM Domino and TLS - Part 3 - How To fix your trust & security issues






"The server accepts the RC4 cipher, which is weak"
You can define the ciphers used/supported by a Domino server with the notes.ini parameter "SSLCipherSpec=" followed by the hex codes of the ciphers. Here you will find some examples.
Since 9.0.1.3 you don't have to define specific ciphers; all weak ciphers are deactivated by default. An explicit SSLCipherSpec overrides that default, so if you keep one, check that it lists no RC4 suites.

"There is no support for secure renegotiation"
Use the notes.ini parameter "SSL_DISABLE_RENEGOTIATE=1", which switches TLS renegotiation off altogether.
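A small audit of the notes.ini parameters from this post and from the SMTP/LDAP/IMAP/POP3 post above, as an added example that is not from the original posts or from IBM: it parses a notes.ini, flags the two parameters that weaken TLS when set to 1, the three that should be set to 1, and any RC4 entries in SSLCipherSpec. The sample notes.ini is constructed. SSLCipherSpec is assumed to hold concatenated 4-hex-digit IANA cipher-suite IDs, with 0004 and 0005 taken as the RSA/RC4 suites; verify those IDs against your own cipher list before relying on them.

```python
"""Audit the TLS-related notes.ini settings discussed in the posts above.

Added example, not from the original posts or from IBM. The rules encode
only what the posts state: SSL_ENABLE_INSECURE_SSLV2_HELLO and
RouterFallbackNonTLS weaken security when set to 1; DISABLE_SSLV3,
SSL_DISABLE_TLS_10 and SSL_DISABLE_RENEGOTIATE should be 1; SSLCipherSpec
should not list RC4 suites. SSLCipherSpec is assumed to be a concatenation
of 4-hex-digit IANA cipher-suite IDs (assumption), of which 0004 and 0005
are the RSA/RC4 suites. The sample notes.ini is constructed.
"""

# Constructed sample, not a real server's notes.ini.
SAMPLE_NOTES_INI = """\
[Notes]
Directory=C:\\IBM\\Domino\\data
ServerTasks=Update,Replica,Router,AMgr,Adminp,HTTP,LDAP
SSL_ENABLE_INSECURE_SSLV2_HELLO=1
RouterFallbackNonTLS=1
DISABLE_SSLV3=1
SSLCipherSpec=00040005002F0035C02FC030
"""

# IANA cipher-suite IDs whose bulk cipher is RC4 (assumption for this example).
RC4_SUITES = {"0004", "0005"}

# (parameter, finding text when it is not set to 1)
MUST_EQUAL_ONE = [
    ("DISABLE_SSLV3", "SSLv3 not explicitly disabled"),
    ("SSL_DISABLE_TLS_10", "TLS 1.0 not explicitly disabled"),
    ("SSL_DISABLE_RENEGOTIATE", "TLS renegotiation not disabled"),
]
# (parameter, finding text when it is set to 1)
MUST_NOT_BE_ONE = [
    ("SSL_ENABLE_INSECURE_SSLV2_HELLO", "SSLv2-format ClientHello accepted"),
    ("RouterFallbackNonTLS", "SMTP falls back to clear text when the TLS handshake fails"),
]


def parse_notes_ini(text: str) -> dict:
    """Return {PARAMETER_UPPER: value} for every key=value line.

    notes.ini keys are case-insensitive, so they are normalised to upper
    case; section headers, blank lines and lines without '=' are ignored.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().upper()] = value.strip()
    return settings


def rc4_suites(cipher_spec: str) -> list:
    """Return the RC4 suite IDs present in an SSLCipherSpec string."""
    spec = cipher_spec.strip().upper()
    usable = len(spec) - len(spec) % 4          # ignore a trailing partial ID
    suites = [spec[i:i + 4] for i in range(0, usable, 4)]
    return [s for s in suites if s in RC4_SUITES]


def audit(text: str) -> list:
    """Return one finding string per weak or missing setting."""
    s = parse_notes_ini(text)
    findings = []
    for key, msg in MUST_EQUAL_ONE:
        if s.get(key.upper()) != "1":
            findings.append(f"{key}={s.get(key.upper(), '<unset>')}: {msg}")
    for key, msg in MUST_NOT_BE_ONE:
        if s.get(key.upper()) == "1":
            findings.append(f"{key}=1: {msg}")
    weak = rc4_suites(s.get("SSLCIPHERSPEC", ""))
    if weak:
        findings.append(f"SSLCipherSpec lists RC4 suites {', '.join(weak)}")
    return findings


if __name__ == "__main__":
    # Usage: python audit_notes_ini.py <path to notes.ini> (assumed invocation)
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_NOTES_INI
    for finding in audit(text) or ["no findings"]:
        print(finding)
```

On the constructed sample the audit reports five findings: TLS 1.0 and renegotiation not disabled, the SSLv2 ClientHello and the non-TLS fallback enabled, and the two RC4 suites in the cipher list. An unset DISABLE_SSLV3 or SSL_DISABLE_TLS_10 is reported as "not explicitly disabled" on purpose; whether the release default already disables the protocol is something to confirm against the Domino version you run, not something the script assumes.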

Thursday, 18 February 2016

IBM Domino and TLS - Part 2 - How To fix your trust & security issues



"Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2"
You only have to request a SHA-2 signature the next time you order a certificate from your trusted certificate vendor. In most cases you should also be able to request a reissue of your existing certificates at no extra charge. Please keep in mind that you will have to use the KYR tool to merge the SHA-2-signed certificates into your keyring.
I recommend reading this article from netcraft.com for further information on SHA, including a cost calculation for cracking SHA-1 signatures.

"The server supports only older protocols, but not current best TLS 1.2"
That is a pretty easy one: you only have to update your Domino server to the most recent release. Domino supports TLS 1.2 starting with 9.0.1.3 IF2.

"The server private key is too small and insecure"
You will have to create a new key of at least 2048 bits and a new certificate/certificate request based on that key. You can use free tools like XCA or OpenSSL to create the key.
Whatever tool you use, the key is only as good as the random source of the machine it is generated on: XCA and OpenSSL both draw from the operating system's random number generator, so generate it on a properly seeded system rather than, for example, a freshly cloned virtual machine.

Monday, 15 February 2016

multiple vulnerabilities in Java SDK affecting Notes and Domino

A few days ago IBM reported multiple vulnerabilities in the Java SDK that affect all Notes and Domino versions, including 9.0.1.5.
You may find a summary of all (12!) vulnerabilities here (Notes) and here (Domino).
The vulnerabilities have CVSS scores from 4 up to 10 (the maximum) and should be fixed as soon as possible. IBM offers JVM patches for most Domino/Notes versions. If you cannot find what you need, you will have to open a PMR and request a custom fix.
Summary
There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 6 SR16FP15, which is used by the IBM Notes Standard Client. These issues were disclosed as part of the IBM Java SDK updates in January 2016 and include the vulnerability commonly referred to as "SLOTH".
Just two weeks ago I already had to update all our Domino servers because of this vulnerability.
Let us hope that it will be the last one this quarter.