Writings mostly about Lotus Notes/Domino...by me :
Jesper Kiaer,Espergærde, Denmark

The non-existing Fix Pack 7 for IBM Domino - Notes is to be released in September
Fix Pack 7 for IBM Notes/Domino is to be released in September 2016.


However, it seems to be non-existent..?

If you look at the actual fix list, it does not contain anything for FP7.



So is IBM transferring the fixes from 9.0.2. to FP7 ..or what is going on?

We will see in September....(but still strange).

Published by: Jesper B. Kiær at 01-08-2016 Full Post

From IBM Support a warning ...load compact -replica may cause loss of data
From IBM Support "LO83730: COMPACT -REPLICA CAUSE LOSS OF DATA IF USER MODIFY DURING COMPACT"


http://www-01.ibm.com/support/docview.wss?uid=swg1LO83730&myns=swglotus&mynp=OCSSKTMJ&mync=E&cm_sp=swglotus-_-OCSSKTMJ-_-E

Modifying documents while compacting with -replica may lead to data loss.

Quite serious, since the whole point of using the -replica option is that the database should stay accessible while compacting...well, it is accessible ....but you may lose your data if you modify it...

IBM Solution: Don't use Compact -Replica while the server is online ...(??)

Published by: Jesper B. Kiær at 31-07-2016 17:38:00 Full Post

Read and write to the MS Windows Registry from Java
Sometimes you need to read or write to the MS Windows Registry (be careful!).

This cannot normally be done from plain Java, but with JNA (Java Native Access) you can call the MS Windows API.
In JNA a lot of the MS Windows API has already been mapped, so it is ready for use.

This is a short, simple example of how to get the installed Flash version (the key and value names are the ones Flash Player writes under HKEY_LOCAL_MACHINE):

	import com.sun.jna.platform.win32.Advapi32Util;
	import com.sun.jna.platform.win32.WinReg;
	import com.sun.jna.platform.win32.WinReg.HKEY;

	HKEY root = WinReg.HKEY_LOCAL_MACHINE;
	String keyStr = "SOFTWARE\\Macromedia\\FlashPlayer";
	String valueStr = "CurrentVersion";

	// Check first: registryGetStringValue throws a Win32Exception if the key or value is missing
	if (Advapi32Util.registryKeyExists(root, keyStr)) {
		System.out.println(Advapi32Util.registryGetStringValue(root, keyStr, valueStr));
	} else {
		System.out.println("Could not find " + keyStr + "\\" + valueStr);
	}


This will print: 21,0,0,213

Take a look at the JNA Javadoc for the other registry methods (the Advapi32Util helpers used above sit on top of this Advapi32 mapping):

https://java-native-access.github.io/jna/4.2.1/com/sun/jna/platform/win32/Advapi32.html

Published by: Jesper B. Kiær at 15-04-2016 16:50:00 Full Post

Don't install the IBM Notes 9.0.1FP5 SHF106 - it will break your OpenNTF ExtLib installation
The other day I upgraded my IBM Notes client with 9.0.1FP5 SHF106 and all went well.


However, when I opened Domino Designer the OpenNTF ExtLib was gone..??

So I tried to install it again from my update site NSF, but all I got was this error



So I then tried to upgrade another PC with the fix pack.

Unfortunately with the same result; it too broke the OpenNTF ExtLib, with the exact same error when I tried to install it again.

I have no idea how to fix it.

Sometimes I really just hate the IBM Domino Designer...

Published by: Jesper B. Kiær at 26-12-2015 0:17:45 Full Post

Security hole leaves IBM Domino server wide open - Part Two
The Security Issue


In Part One I wrote that IBM recommends setting "HTTPEnableConnectorHeaders=1" in the notes.ini file when you have a reverse proxy, IBM HTTP Server etc. in front of an IBM Domino server.
This makes Domino accept and act on a set of predefined HTTP request header fields.
One of the predefined HTTP Header fields is:

$WSRU: "The remote user specified for the given request"

When IBM decided that the IBM WebSphere server and the IBM Domino server should work together (meaning access to "old" Domino data via the WebSphere server), they chose to do it in a "convenient" way, but from a security standpoint .. a horrible way.
You would most likely authenticate and log in at the WebSphere server, and if needed you could then access a Domino server, with the WebSphere server adding some predefined data to the HTTP headers when forwarding the request to the Domino server.
However, IBM thought that since you had already authenticated on the WebSphere server, you should not need to authenticate again on the Domino server.
Instead of making a properly secure solution, they decided that just by adding the user name to the $WSRU HTTP header field in the request to the Domino server, Domino should accept this as the user and give that user access to the server.

What does this mean?
It means that if "HTTPEnableConnectorHeaders=1" is set in the notes.ini file

ANYONE can impersonate whoever they want in the Domino Directory!! ...why not go for an administrator with full access? :-)

All you need is a user name, or maybe even just a short name ....NO password is needed !!
You just need to set the HTTP header field $WSRU in the HTTP request to the Domino server.
You can do that in one line in JavaScript, Java ...even in Formula language in Notes/Domino.

The simplest way to test this elevated access is to use a browser add-on that adds HTTP header fields to your requests to the IBM Domino server.
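The same test can be scripted, so it can be run against every server you own after a change. The probe below is an added example, not code from the original post: it requests a URL that anonymous users are not allowed to open, once without and once with "$WSRU: <user>", and reports whether the header turned a refusal into a success. The host name, path and user name under __main__ are placeholders; the status-code logic assumes the server refuses the bare request with 401/403 or a redirect to its login form (if your server answers the login form with a 200 instead, compare the response bodies rather than the status codes).

```python
"""Probe whether a Domino server honours the $WSRU connector header.

Added example, not code from the original post. Two GET requests go to a
URL that anonymous users cannot open: one plain, one with "$WSRU: <user>".
A server that refuses the first but serves the second is accepting $WSRU
as the authenticated user, with no password involved.
"""
from typing import Dict, Optional
import urllib.error
import urllib.request

CONNECTOR_USER_HEADER = "$WSRU"  # "the remote user specified for the given request"
REFUSED = {401, 403, 302, 303}   # 401/403, or a redirect to a login form (assumption)


def impersonation_headers(user: str, base: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Copy of `base` with $WSRU set to `user`; this one header is the whole trick."""
    headers = dict(base or {})
    headers[CONNECTOR_USER_HEADER] = user
    return headers


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a 3xx as-is instead of following it: a login redirect is a refusal."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status(url: str, headers: Dict[str, str], timeout: float = 10.0) -> int:
    """HTTP status code of a GET to `url` with the given headers."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # every non-2xx answer lands here
        return err.code


def header_is_honoured(status_plain: int, status_with_wsru: int) -> bool:
    """True when the bare request was refused but the $WSRU request got a 2xx."""
    return status_plain in REFUSED and 200 <= status_with_wsru < 300


def probe(url: str, user: str) -> bool:
    """Run both requests against `url` and decide."""
    plain = fetch_status(url, {})
    with_user = fetch_status(url, impersonation_headers(user))
    return header_is_honoured(plain, with_user)


if __name__ == "__main__":
    # Placeholders (assumptions): a test server of your own and a database
    # that anonymous users cannot open. Use a name that exists in its Domino Directory.
    TARGET = "http://domino.example.test/names.nsf"
    print("$WSRU honoured:", probe(TARGET, "Administrator"))
```

Run it only against servers you are authorised to test; a True result means the server is trusting whatever name the client puts in $WSRU, which is exactly the situation described above.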

This is not a bug
This is not a security bug or anything like it.
It is (in IBM lingo) "working as intended" .. just in this case a horrible design and implementation.
To show you that what I am claiming is in fact true ...I have made this short video showing the security issue in IBM Domino.


So you think you can lock down your Domino anyway?
Well, you could do something like

- setting a firewall to only accept HTTP from the reverse proxy
- binding the HTTP task to the localhost interface only
etc.

but it is not going to seal off your Domino server.

Anything on the server with HTTP capabilities still has full elevated access with no need for a password. This could be agents, XPages, server scripts..you name it.
One tiny error in your attempt to seal every HTTP hole and.....

Believe me, this is not the route you want to go.

Setting "HTTPEnableConnectorHeaders=0" in the Administrator
You should always use the Administrator client to set notes.ini variables, via Configuration documents.
In case someone changes values directly in the notes.ini file, they will be overridden and corrected again from the values in the Configuration documents when the server is restarted.

Go to the Configurations tab.
If there is no Configuration document for all servers (*), consider creating one. Otherwise you must edit the Configuration document for each server.

for all servers


Go to the NOTES.INI tab

Click the Set/Modify button

Either select the existing setting for HTTPEnableConnectorHeaders if you have one, or create a new one.


Set it to 0 and save.

Restart the servers when appropriate
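To confirm the change landed on every server (and to catch a value someone typed straight into the file), the following script is an added example, not code from the original post: it reads the text of a server's notes.ini and reports the effective HTTPEnableConnectorHeaders value. notes.ini is a plain list of KEY=VALUE lines with a leading "[Notes]" line; the parser treats key names case-insensitively. Two assumptions are built in: a setting that is absent is reported as disabled, and a key that appears more than once is reported as enabled if any copy is 1, so a stray override is never missed.

```python
"""Audit notes.ini text for HTTPEnableConnectorHeaders (added example).

Feed audit() the contents of a server's notes.ini, or of the NOTES.INI
settings copied out of a Configuration document.
"""
from typing import Dict, List

SETTING = "HTTPEnableConnectorHeaders"


def parse_notes_ini(text: str) -> Dict[str, List[str]]:
    """Map lower-cased key -> every value seen for it, in file order.

    Lines without '=' (the '[Notes]' section line, blanks) are skipped.
    """
    values: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values.setdefault(key.strip().lower(), []).append(value.strip())
    return values


def connector_headers_enabled(text: str) -> bool:
    """True if any occurrence of the setting is 1 (assumption: missing means disabled)."""
    seen = parse_notes_ini(text).get(SETTING.lower(), [])
    return any(value == "1" for value in seen)


def audit(text: str, server: str = "server") -> str:
    """One-line verdict for `server`, suitable for a loop over exported ini files."""
    seen = parse_notes_ini(text).get(SETTING.lower(), [])
    if not seen:
        return f"{server}: {SETTING} not set (treated as disabled)"
    shown = "/".join(seen)
    if connector_headers_enabled(text):
        return f"{server}: {SETTING}={shown} -> connector headers ENABLED, set it to 0"
    return f"{server}: {SETTING}={shown} -> disabled"


# Constructed sample, not a real server's file.
SAMPLE_INI = """\
[Notes]
Directory=C:\\IBM\\Domino\\data
ServerTasks=Update,Replica,Router,AMgr,Adminp,HTTP
httpenableconnectorheaders=1
"""

if __name__ == "__main__":
    print(audit(SAMPLE_INI, "domino1"))
    print(audit("ServerTasks=HTTP\nHTTPEnableConnectorHeaders=0\n", "domino2"))
```

Because the Configuration document re-applies its values at restart, audit the file after the restart, not before; a value that reappears as 1 then means the Configuration document itself still carries it.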

Published by: Jesper B. Kiær at 29-10-2015 0:21:00 Full Post

Security hole leaves IBM Domino server wide open - Part One
Background

IBM has lately been playing a "catch up" game with regard to security in IBM Domino. With POODLE, Heartbleed etc., IBM has been busy with fixes for IBM Domino, but it is a mess for administrators to fix the issues, and only version 9 of IBM Domino is being fully fixed.
This means that many have put a reverse proxy, like Nginx, HAProxy or the included IBM HTTP Server, in front of the IBM Domino server as a fix.
A proxy server connecting the Internet to an internal network.
There are lots of good guides on how to set up a reverse proxy in front of IBM Domino.
Jesse Gallagher has written several good guides, like this guide on how to use Nginx with IBM Domino.
IBM has several guides on how to install the IBM HTTP Server with Domino.
All the guides refer to the setting in notes.ini that you must set on the IBM Domino server:

HTTPEnableConnectorHeaders=1

The setting comes from "way back when" (R6), when IBM decided to ditch IBM Domino for IBM WebSphere.
IBM wanted customers to buy IBM WebSphere servers instead of Lotus Domino servers, but customers of course still had Domino servers around for years, so IBM decided that users should be able to connect to the Domino server via the WebSphere servers.
Sort of like a reverse proxy.
IBM then defined several special fields to be sent in the HTTP headers from the WebSphere server to the Domino server to make them work together.

$WSAT: The Auth Type that is being used to make this request.
$WSCC: The Client Certificate used for this request. If the value is not base64 encoded for us by the Web server, then the plug-in will base64 encode it before sending it across to the application server.
$WSCS: The cipher suite that the Web server negotiated with the client. This is not necessarily the cipher suite that the plug-in will use to send the request across to the application server.
$WSIS: This header will be set to either True or False depending on whether or not the request is secure (came in over SSL/TLS).
$WSSC: The scheme being used for the request. This header will normally be set to either http or https.
$WSPR: The HTTP protocol level being used for this request. The plug-in currently has support for up to HTTP/1.1 requests.
$WSRA: The remote IP address of the machine the client is running on.
$WSRH: The remote host name of the machine the client is running on. If the hostname can't be resolved, this header should be set to the IP address.
$WSRU: The remote user specified for the given request.
$WSSN: The server name used for this request. This should be the value that was specified in the HOST header of the incoming request.
$WSSP: The server port that the request was received on. This will be the port value that is used in route determination.
$WSSI: The SSL Session ID being used for this request. If the value is not base64 encoded for us by the Web server, the plug-in will base64 encode it before sending it across to the application server.

Two remarks from the same IBM documentation (Appendix C, "Domino 6 HTTP plug-in hints and tips") on these headers:
Restriction: If you enable this, it is assumed you know what you're doing, and how to protect direct access to the port at which the embedded http is listening.
Note: If you set the LogLevel to TRACE in the plugin XML config file, it is possible to see what headers are actually added for a given request.
If HTTPEnableConnectorHeaders=1 is set in notes.ini, the Domino server reads these headers on every HTTP request it receives.
In my next blog entry I will explain why this was a horrible idea and why it leaves Domino wide open.

I can tell you already that you should go and set HTTPEnableConnectorHeaders=0 on all your servers now.

Lastly ....I will in another blog entry show that you actually don't need this setting enabled in Domino to have a fully functional reverse proxy in front of an IBM Domino server.

Published by: Jesper B. Kiær at 28-10-2015 10:35:00 Full Post