While no platform is immune to the possibility of hacking, the question I would pose is: has your Domino infrastructure ever been hacked? Didn’t think so. It’s probably boring to say that the most straightforward answer is that HCL Domino is rock solid on security. When set up correctly and optimised, HCL Domino is the most secure platform of its type. It’s true though. Reliable and secure is a good thing. A very good thing.

The HCL Domino v12 beta is out now. If you haven’t already tried it, it’s free for all existing licensed Domino customers. It’s waiting there in FlexNet for you to download and try out! It’s the first time a beta of this type has existed, and it has multiple iterations (we’re currently on beta 2; beta 3 is scheduled for the end of March). Register here to join us for the beta 3 webinar.

What I really love about it is the almost instantaneous feedback on the beta forum from those in charge of development. Domino v12 is scheduled for full release in Q2 of this year (a June 2021 timeframe is given at the moment).

Read an overview of what’s coming here.

Here is a list of all the NEW NATIVE security features coming in Domino v12, and there’s a whole host of them:

  • Automating certificate management 
  • Time-based one-time password (TOTP) authentication 
  • Enforce internet password lockout based on IP address 
  • TLS 1.0 is disabled by default 
  • Support for PEM-formatted TLS host keys and certificates 
  • Two new curves supported for TLS 1.2 ciphers that use ECDHE for forward secrecy
  • New template signing ID uses 2048-bit keys
  • NRPC port encryption supports forward secrecy using X25519
  • Import internet certificates that contain unsupported critical extensions
  • Suppress key rollover alerts during ID vault synchronization
  • New Query Vault command options
  • Support for SameSite cookie 

Also note that native support for DKIM is planned in the 12.0.x timeline. (Until then, you can achieve DKIM with third-party mail gateways.)

We could argue about which are the best and most important ones here, but I’m going to concentrate on the 4 new security features in Domino v12 that you’re going to want to implement straight away:

  1. Automating certificate management 
  2. Time-based one-time password (TOTP) authentication
  3. Two new curves supported for TLS 1.2 ciphers that use ECDHE for forward secrecy
  4. NRPC port encryption supports forward secrecy using X25519 

Note: these are all based on current plans at beta 2; some of them will be subject to change (for the better) come beta 3 and GA.

What is it?

Automating certificate management

What does it give you?

This topic could probably be four killer new features in one on its own, because it includes so much.

The short answer here is it takes something that was a headache to most admins and makes it completely seamless and automatic. It also includes support for ECDSA which is very progressive in terms of offering support for cutting edge security (some browsers don’t even support it yet).

In order to explain the context here, we probably need a short history lesson on cert management in Domino. Prior to SHA-2 being supported, Domino managed certs via a Domino database. It did exactly what it said on the tin and was never really updated from the time of release. But it worked. There were only four steps listed in the database. Some customers did find it fiddly.

Then SHA-2 support for Domino came out, and admins did not like how this was implemented. Again, it’s Domino, so it was secure and it worked, but the process was a headache. I have to admit that for 99 percent of our customers I just did it for them to save them the hassle, so I got used to it. But you did need the kyrtool, you’d need to install OpenSSL, you’d have to copy and paste various commands, and copy parent and intermediate certs into text files. It was messy to implement.

Well that’s gone.

What’s in its place is the most straightforward solution one could imagine.

Let’s Encrypt offers free third-party SSL certs.  They’re currently the most widely used Certificate Authority in the world and work with all major browsers (they’re sponsored by some of them).

You can now get Let’s Encrypt Certs in Domino, by filling in a couple of fields in a form.  In short saying, “I want a cert for my website.  Give me one now.”  And it will give you one straight away. In seconds, your web server will be running with that cert.  A new task called CertMgr manages it all.

“It can’t be that easy,” I hear you say.  Well, in most use cases, it is.

Wildcard certs are slightly different, but again it’s as easy as it can be.  Other third-party certs are still 100 per cent supported, and easier than ever to implement with the Certificate Store.

Another point you might have missed around this is that CertMgr supports the Elliptic Curve Digital Signature Algorithm (ECDSA) using the NIST P-256 and NIST P-384 curves. Not all browsers support this yet (most do), but in short it has the potential to give quicker and more secure TLS connections, and shows that HCL are ahead of the curve #badnerdpun.

How do you implement it?

There are a lot of options available here, but I cannot overemphasise how straightforward this is to implement.

CertMgr runs as a task. The first time you load it, it builds a back-end Domino database. The database has intuitive forms, but there’s documentation just in case. You create a free account with Let’s Encrypt with a couple of clicks within the database.

I don’t want to get too bogged down in the detail here, because you don’t actually need to know the background details, but there are a couple of ways Let’s Encrypt will verify you’re the owner of the domain: either by HTTP response (the most straightforward, I think, but it requires that the server can initiate outbound HTTPS requests to Let’s Encrypt, even if only temporarily) or by DNS response.

The HTTP response in particular is VERY easy to set up.
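To show what the two verification methods actually ask of you, here is an added Python walk-through of the Let’s Encrypt (ACME, RFC 8555) challenge maths; it is example code, not CertMgr’s or Let’s Encrypt’s own, and the account key and token in it are constructed placeholders. It also records the inbound requirement the HTTP method adds: Let’s Encrypt must be able to fetch the challenge URL from your server over plain HTTP on port 80.

```python
import base64
import hashlib
import json

# Constructed example values only: not a real Let's Encrypt account key or token.
# In Domino 12 the account key is the one CertMgr registers with Let's Encrypt.
EXAMPLE_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus"}
EXAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as used throughout ACME (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required JWK members only,
    keys in lexicographic order, no whitespace. Extra members are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Proof of control the CA expects: token '.' account-key thumbprint
    (RFC 8555 section 8.1). Only the account-key holder can produce it."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_challenge(domain: str, token: str, account_jwk: dict):
    """HTTP-01 ('HTTP response' in the post): the CA fetches this URL over
    plain HTTP on port 80 and expects the key authorization as the body."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, account_jwk)


def dns01_record(domain: str, token: str, account_jwk: dict):
    """DNS-01 ('DNS response' in the post): the CA looks up a TXT record
    holding base64url(SHA-256(key authorization)); the secret stays private."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode()).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def http01_response_is_valid(body: str, token: str, account_jwk: dict) -> bool:
    """CA-side comparison: exact match, ignoring trailing whitespace
    (RFC 8555 says the server SHOULD ignore whitespace after the body)."""
    return body.rstrip() == key_authorization(token, account_jwk)
```

Because the DNS record carries only a hash of the key authorization, the DNS method never publishes the proof itself, which is why it is the one that also works for wildcard certs.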

Third-party certs are managed via the database, so you won’t have to fiddle about with OpenSSL and the kyrtool.

ECDSA is a more complex subject, but the steps to implement it are relatively straightforward; the main complicating factor is managing browser support. There’ll be more on this in beta 3 (thanks to Daniel Nashed for answering some of my basic questions on this; follow Daniel’s blog for more expanded detail on these subjects).

What is it?

Time-based one-time password (TOTP) authentication

What does it give you?

Firstly, the obvious point here is that you’ve been able to do TOTP in Domino for a long time, but it required third-party software or appliances. Here we get TOTP natively within Domino.

What is TOTP? Well, it’s two-factor authentication based on a time-based password that changes. You put an app on your device that manages a six-figure PIN that changes every 60 seconds and is associated with a specific account.

You can deploy it here with any number of apps (I’ve used Google Authenticator and OpenATP with Domino 12 extensively for a couple of months, and both have worked perfectly).

How do you implement it?

It’s easy.

You set up a trust relationship with your ID Vault and TOTP.

You enable it on the configuration settings document and then either web site, server or virtual server document.

You have to do a one-off configuration of the login form (but there’s a template for you to use, so it’s two minutes’ work for a non-developer).

Restart Domino and you’re ready to go.

Each user does a self-enrolment process the first time they connect, which is intuitive and takes no more than a couple of minutes.

There’s more functionality coming on this with Directory Assistance and managing multiple domains, so watch this space.

What is it? 

Two new curves supported for TLS 1.2 ciphers that use ECDHE for forward secrecy

What does it give you?

Better performance on Perfect Forward Secrecy.

Perfect Forward Secrecy has been available since Domino 9.0.1 FP3 IF2. It gives assurance that session keys will not be compromised, even if the server’s long-term key later is.

These two new elliptic curves (once forward secrecy is set up) can offer better performance. The two new curves are X25519 and X448.

How do you implement it?

You do nothing. If you don’t want it, you need to actively turn it off with a notes.ini setting. Domino 12 will attempt to use supported curves in the following order:

  1. X25519 
  2. NIST P-256
  3. X448
  4. NIST P-384
  5. NIST P-521 

What is it?

NRPC port encryption supports forward secrecy using X25519

What does it give you?

This sounds very similar to the last one, but there’s a whole lot more to unpack here. These apply to Domino-to-Domino connections over port 1352 and Notes client-to-Domino connections over port 1352.

So if you have port encryption turned on (which nowadays we are recommending to everyone), with Domino 12 the level of encryption increases from:

  • 128 bit AES-GCM for network encryption and integrity protection and 128 bit AES tickets 

 To: 

  • 256 bit AES-GCM for network encryption and integrity protection, X25519 for forward secrecy, and 128 bit AES tickets.

Basically: stronger encryption, better protection for sessions with forward secrecy, and a curve that gives the best performance.

How do you implement it?

This is one of those points of difference between Domino and Notes clients and ANY other technology (i.e. as opposed to the Office 365 hacks, which are being put down to weaknesses in how Microsoft authenticates out of the box). Certs are baked in. Basically, if you have port encryption turned on, this will turn on by default. If you don’t have it turned on, you can just enable encryption on the ports (for all inter-server traffic), and via a policy for Notes clients.

In any other technology this would be so much more complex to do. You’d need multiple devices to manage the connections, you’d have to change the port numbers, probably have to allow that port in a firewall, plus you’d need to manage certs with third parties. With NRPC, you’re already using certs to connect in, so it’s just a matter of saying “encrypt the port”. The same port (1352) is in use whether encrypted or not, so no further changes are required on the network or firewalls etc.

Oh, and those are only the NEW and NATIVE features in Domino 12. I just have to mention one more briefly that is no-charge to all entitled CCB customers: HCL SafeLinx. It is already available and in the wild. It supports both HTTP and Notes port connections out of the box as a reverse proxy. If you already use HCL Nomad you’ll probably know about it. Later in 2021, HCL Nomad Web will be out and you’ll look into this more then. (It can also be used for Sametime, Traveler and Verse; there’s a webinar on this coming up.) It builds upon the layers of native Domino security and gives you the flexibility to add extra layers of security, particularly for external connections. The main advantage is that it’s got baked-in functionality for Domino, so you don’t have to reinvent the wheel to do a basic set-up.

I hope you enjoyed my first blog for HCL.

As always please provide feedback if you found anything interesting here.

Cormac McCarthy – Domino People Ltd
