Domino server rating from F to A+ in seconds


Requirements:
Server running 9.0.1 FP4 and up

Background:
Running the SSL Labs test at https://www.ssllabs.com/ssltest/index.html
gives you a low rating

Mission:
Increase rating

Step1:
Gather OCSP information
Go to the site and view the certificate.

Go to the intermediate certificate next to your own and view that certificate.

Go to Details and Authority Information and under Alternative name write down the URL.
In our case it is http://ocsp.starfield.com/

Step2:
Update notes.ini from the console with the following. Remember to replace the value of OCSP_RESPONDER with your value from Step1!

set config DISABLE_SSLV3=1
set config HTTP_HSTS_MAX_AGE=17280000
set config HTTP_HSTS_INCLUDE_SUBDOMAINS=1
set config SSL_ENABLE_OCSP_STAPLING=1
set config OCSP_RESPONDER=http://ocsp.starfield.com/
set config OCSP_CLOCKSKEW=10
set config OCSP_LOGLEVEL=31
set config SSLCipherSpec=C030009FC02F009EC028006BC0140039C0270067C013

In Release 10 the last notes.ini setting, SSLCipherSpec, is not respected; it must be set in Internet Sites\Security.

a. Is most secure

b. If You have with a. You can use this and get a good rating anyway

Step3:
Restart HTTP task with following command:
restart task http

Now you can test your server again and everything should be running fine.
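
What the SSLCipherSpec value in Step2 contains, as an added example that is not part of the original post: each group of four hex digits is a TLS cipher suite code point, and this shell script decodes them into their IANA names in preference order. The function names are made up for this example.

```shell
#!/bin/sh
# Added example: decode a Domino SSLCipherSpec value into IANA cipher suite names.
# Each suite is a 4-hex-digit TLS code point; names are those of the IANA registry.

suite_name() {
  case "$1" in
    C030) echo "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" ;;
    009F) echo "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384" ;;
    C02F) echo "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" ;;
    009E) echo "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" ;;
    C028) echo "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ;;
    006B) echo "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256" ;;
    C014) echo "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" ;;
    0039) echo "TLS_DHE_RSA_WITH_AES_256_CBC_SHA" ;;
    C027) echo "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" ;;
    0067) echo "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256" ;;
    C013) echo "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" ;;
    *)    echo "UNKNOWN" ;;
  esac
}

# decode_cipherspec HEXSTRING -> one "CODE NAME" line per suite, in preference order.
# Returns 1 if the string is empty, has non-hex characters, or is not a whole
# number of 4-digit codes.
decode_cipherspec() {
  spec=$(printf '%s' "$1" | tr 'a-f' 'A-F')
  case "$spec" in ''|*[!0-9A-F]*) return 1 ;; esac
  [ $(( ${#spec} % 4 )) -eq 0 ] || return 1
  while [ -n "$spec" ]; do
    rest=${spec#????}          # everything after the first four digits
    code=${spec%"$rest"}       # the first four digits
    echo "$code $(suite_name "$code")"
    spec=$rest
  done
}

# count_matching HEXSTRING PATTERN -> number of decoded suites whose line contains PATTERN
count_matching() {
  decode_cipherspec "$1" | grep -c "$2"
}

SPEC=C030009FC02F009EC028006BC0140039C0270067C013   # value from Step2
decode_cipherspec "$SPEC"
```

Every suite in the list uses ECDHE or DHE key exchange, with the four GCM suites ahead of the seven CBC ones.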


Welcome to GDPR Meetup – what can you actually get done in 72 hours?


Welcome to the GDPR breakfast Meetup!

The new Data Protection Regulation from the EU says that a data breach must be reported within 72 hours. So far, everything is clear. The challenge we now face is being ready with routines for what has to get done in those 72 hours.

– Where was the breach detected?
– Which parts of the business are affected and can be harmed?
– Can the breach spread to other parts?
– Do we have an action plan for closing the security hole?

Without a logging tool or a SIEM solution that collects information about security events in your environment, it is in principle impossible to form an overview of the breach and report it, let alone take measures to solve the problem.

During the meeting we will talk about and discuss how you can detect events in real time and prepare for a possible breach.

Spend your 72 hours on immediate remediation and fast reporting to those affected.

Michael Albek has worked in the SIEM field for more than ten years, and he will spice up the presentation with several real breaches he has worked on.

Infoware provides breakfast!

Speakers: Ulf Stider, Infoware, and Michael Albek, SecureDevice

Tuesday 8 May 2018
8:30 – 10:00

See more information here!


Did you know that we are experts in Security Solutions


Together with our partner SecureDevice, who is leading in IT security in the Nordic region, we offer services and tools to help you protect your business.

Today, it is unavoidable that business-critical infrastructure is exposed to attacks. You are most certainly attacked daily, probably without knowing it. The solution is to make the attacks visible so that you have a chance to protect yourself from intrusion and theft of business-critical information.

What does the new data protection regulation (GDPR) entail in May 2018?

GDPR will affect all industries, companies and organizations which handle personal data. In addition to a more stringent security responsibility in your daily work, GDPR entails that detailed data on all detected data violations should be reported within 72 hours. This means that your IT department needs to establish security solutions to prevent, monitor and handle potential data violations.

Contact us to find out more about how our solutions in Identity & Access Management and Security Information and Event Management (SIEM) can help you meet the new requirements.

 


Revisit: Wildcard SSL certificate from P12/PFX file into Domino


The objective of this article is to provide an example of how to do this, hopefully with no discussions and no questions left unanswered. Of course this example is based on a particular situation with a particular certificate provider, but it can hopefully be translated to any other situation with other certificate authorities.
I wrote an earlier article; this is an update.

Contents
1. Assumptions
2. What do I need
3. OpenSSL
4. Kyrtool
5. Syntax
6. Example
7. Implement the files on the server
8. Check out if it works
9. Important note
10. Conclusion

Assumptions:
Running Windows 64 bits (directory separator = \)
PFX file contains both certificate, intermediate and root certificates 
Domino server running 9.0.1 FP3

What do I need:
1. An exported P12/PFX file from in my case IIS, containing the wildcard certificate private key as well as the certification path to it.

2. OpenSSL:
Homepage: https://www.openssl.org/source/
Easy precompiled: https://slproweb.com/products/Win32OpenSSL.html
The one I used: http://slproweb.com/download/Win64OpenSSL-1_0_2g.exe

3. Kyrtool:
Fixcentral short: http://ibm.co/1SAYX5E
Fixcentral long: http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ELotus&product=ibm/Lotus/Lotus+Domino&release=9.0.1.2&platform=All&function=fixId&fixids=KYRTool_9x_ClientServer&includeSupersedes=0

Syntax:
<ossldir> = Where you installed OpenSSL eg. C:\OpenSSL-Win64
<pfxdir> = Where you have placed your pfxfile
<pfxfile> = Name of your pfxfile eg. wildcard_acme_com.pfx
<pfxpassword> = Password to your pfxfile
<pemdir> = Where you want to place your pemfile
<pemfile> = Name of your pemfile eg. wildcard_acme_com.pem
<notespgmdir> = Notes or Domino program directory, minimum 9.0.1 FP3
(assumes that notes program directory is in your path, if not execute from program directory)
<kyrdir> = Directory where you want to put your kyrfile
<kyrfile> = Name of your kyrfile eg. wildcard_acme_com.kyr
<kyrpassword> = Password to your kyrfile

Check your pfx file:
<ossldir>\bin\openssl pkcs12 -info -in <pfxdir>\<pfxfile>
use <pfxpassword> when asked (nothing on PEM)

In general:
1. <ossldir>\bin\openssl pkcs12 -in <pfxdir>\<pfxfile> -out <pemdir>\<pemfile> -nodes -chain
use <pfxpassword> when asked (nothing on PEM)
2. <notespgmdir>\kyrtool create -k <kyrdir>\<kyrfile> -p <kyrpassword>
3. <notespgmdir>\kyrtool import all -k <kyrdir>\<kyrfile> -i <pemdir>\<pemfile>
Check in general:
1. <notespgmdir>\kyrtool show certs -k <kyrdir>\<kyrfile> >kyrcerts.txt
2. <notespgmdir>\kyrtool show keys -k <kyrdir>\<kyrfile> >kyrkeys.txt
3. <notespgmdir>\kyrtool show roots -k <kyrdir>\<kyrfile> >kyrroots.txt

Example:
1. C:\OpenSSL-Win64\bin\openssl pkcs12 -in C:\mypfxfiles\wildcard_acme_com.pfx -out C:\mypemfiles\wildcard_acme_com.pem -nodes -chain
use <pfxpassword> when asked
2. C:\IBM\Lotus\Domino\kyrtool create -k C:\mykyrfiles\wildcard_acme_com.kyr -p password
3. C:\IBM\Lotus\Domino\kyrtool import all -k C:\mykyrfiles\wildcard_acme_com.kyr -i C:\mypemfiles\wildcard_acme_com.pem
Check sample:

1. C:\IBM\Lotus\Domino\kyrtool show certs -k C:\mykyrfiles\wildcard_acme_com.kyr >wildcard_acme_com_kyrcerts.txt
2. C:\IBM\Lotus\Domino\kyrtool show keys -k C:\mykyrfiles\wildcard_acme_com.kyr >wildcard_acme_com_kyrkeys.txt
3. C:\IBM\Lotus\Domino\kyrtool show roots -k C:\mykyrfiles\wildcard_acme_com.kyr >wildcard_acme_com_kyrroots.txt

Implement the files on the server
1. Copy kyr file and the associated sth file to the server
2. Add the kyrfile name to your internet sites document or server document depending how your server is configured
3. Modify the cipher part
4. Make sure the SSL port is enabled in the Internet Ports.. section
5. Restart your http task on the server, use sh ta onl and check that http listens to both 80 and 443

Check out if it works
1. Use your browser and connect to your server via https
2. Look at your certificate information
3. Congratulations

Important note:
Following these steps leaves the pem file in particular unprotected (the -nodes option writes the private key unencrypted), so keep it in a safe place while you work and consider deleting it afterwards. The same goes for the kyr files (you cannot delete them, but keep them as safe as you can), as they contain the private key.
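
A pre-import check for the PEM file written in step 1, which also shows why the note above matters; it is an added example, not part of the original article. It assumes a POSIX shell with sed and grep (for instance Git Bash on the Windows machine), and the function names and the sample file are constructed for the example.

```shell
#!/bin/sh
# Added example: sanity-check the PEM written by "openssl pkcs12 ... -nodes -chain"
# before handing it to "kyrtool import all".

# pem_blocks FILE -> one block type per line, in file order (e.g. "PRIVATE KEY").
# Carriage returns are stripped so files written on Windows parse the same way.
pem_blocks() {
  tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p'
}

# pem_check FILE -> prints a verdict; returns 0 only when the file holds exactly
# one private key, at least one certificate, and balanced BEGIN/END markers.
pem_check() {
  keys=$(pem_blocks "$1" | grep -c 'PRIVATE KEY$' || true)
  certs=$(pem_blocks "$1" | grep -c '^CERTIFICATE$' || true)
  begins=$(grep -c '^-----BEGIN ' "$1" || true)
  ends=$(grep -c '^-----END ' "$1" || true)
  if [ "$begins" != "$ends" ]; then echo "truncated: BEGIN/END mismatch"; return 1; fi
  if [ "$keys" != 1 ]; then echo "expected 1 private key, found $keys"; return 1; fi
  if [ "$certs" -lt 1 ]; then echo "no certificate found"; return 1; fi
  if pem_blocks "$1" | grep -q '^ENCRYPTED PRIVATE KEY$'; then
    echo "ok: 1 key (encrypted), $certs certificate(s)"
  else
    echo "ok: 1 key (UNENCRYPTED, protect or delete this file), $certs certificate(s)"
  fi
}

# Constructed sample in the layout openssl pkcs12 writes; the base64 bodies are
# placeholders, not real key material.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Bag Attributes
    friendlyName: wildcard_acme_com
-----BEGIN PRIVATE KEY-----
UExBQ0VIT0xERVI=
-----END PRIVATE KEY-----
Bag Attributes
subject=/CN=*.acme.com
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVI=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVI=
-----END CERTIFICATE-----
EOF
pem_check "$SAMPLE"
```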

Conclusion
Doing this task is not more complicated than any other task that involves certificates using any other platform.

Link to this document: http://www.infoware.eu/?p=7226

 


How to: Patch OS X / MAC against the Shellshock vulnerability


It may sound complicated when you read the online descriptions, but it's actually very easy!

The latest version, as of this writing, for OS X is 10.9.5 and that is susceptible to the Shellshock vulnerability.

To check your version of Bash, open a Terminal window and run: bash --version

This will probably return this: GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)

 

I just performed the following on my own machines and it works perfectly.

Make sure you copy everything below – easiest is to click the "view raw" link to the bottom right of this Gist-box.

$ # If you want to disable auto-imported functions, uncomment the following
$ # export ADD_IMPORT_FUNCTIONS_PATCH=YES
$ mkdir bash-fix
$ cd bash-fix
$ curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -
$ cd bash-92/bash-3.2
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052 | patch -p0    
$ curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053 | patch -p0  
$ # See note above about ADD_IMPORT_FUNCTIONS_PATCH
$ [ "$ADD_IMPORT_FUNCTIONS_PATCH" == "YES" ] && curl http://alblue.bandlem.com/import_functions.patch | patch -p0
$ [ "$ADD_IMPORT_FUNCTIONS_PATCH" == "YES" ] || curl https://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054 | patch -p0
$ cd ..
$ # Note: DO NOT ADD SUDO TO XCODEBUILD HERE
$ xcodebuild
$ build/Release/bash --version # GNU bash, version 3.2.54(1)-release
$ build/Release/sh --version   # GNU bash, version 3.2.54(1)-release
$ sudo cp /bin/bash /bin/bash.old
$ sudo cp /bin/sh /bin/sh.old
$ sudo cp build/Release/bash /bin
$ sudo cp build/Release/sh /bin

Open a terminal window and paste the following: pbpaste | cut -c 2- | sh

Now you should see it working through the instructions, and eventually you will need to input your password.

 

To verify that everything went according to plan you can verify your bash version again, like above.

This should now return: GNU bash, version 3.2.54(1)-release (x86_64-apple-darwin13)

 

Now your beloved Mac is all safe and sound again, but just to be on the safe side you should also prevent use of the previous bash version by issuing the following command in the terminal: sudo chmod a-x /bin/bash.old /bin/sh.old

Done!
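
A way to confirm the result for each shell binary, added here as an example and not taken from the post or the Gist it copies: the script sets an environment variable that looks like an exported function with a trailing command, and reports whether the shell runs that command on startup. The function names probe_shell and audit_shells are made up for this example.

```shell
#!/bin/sh
# Added example: check shell binaries for the Shellshock function-import behaviour.

# probe_shell PATH -> prints "vulnerable", "patched" or "not-executable"
probe_shell() {
  shell=$1
  if [ ! -x "$shell" ]; then
    echo "not-executable"      # e.g. the backups after "chmod a-x"
    return 0
  fi
  # A vulnerable bash runs the command that trails the function definition
  # while importing the environment variable; a patched one ignores it.
  out=$(env probe='() { :;}; echo IMPORTED' "$shell" -c 'echo done' 2>/dev/null)
  case "$out" in
    *IMPORTED*) echo "vulnerable" ;;
    *)          echo "patched" ;;
  esac
}

# audit_shells PATH... -> one "PATH STATE" line each; returns 1 if any is vulnerable
audit_shells() {
  rc=0
  for s in "$@"; do
    state=$(probe_shell "$s")
    echo "$s $state"
    if [ "$state" = "vulnerable" ]; then rc=1; fi
  done
  return $rc
}

# Paths from the post: the rebuilt binaries and the backups that were chmod a-x'ed.
audit_shells /bin/bash /bin/sh /bin/bash.old /bin/sh.old \
  || echo "at least one shell is still vulnerable"
```

After the steps above, the two rebuilt binaries should report patched and the two .old backups not-executable.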

 

For more details you can read the following post where I got the above instructions from.
