02
Sat, Nov
2 New Articles

In the Wheelhouse: IBM, We Have an SSL Problem

Commentary
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

 

In the spirit of last week's article regarding IBM's on-premises intentions for IBM Mail Next, we need to simplify and fix Domino SSL. It's going to break.

 

 

A few months ago, I renewed my wildcard SSL certificates from GoDaddy.com and began the process of updating both types of HTTP servers in my shop: IBM HTTP Server and IBM Domino. I usually do Domino first and then IBM HTTP Server, the latter of which is a bit of a struggle. I'll get to that.

 

Updating Domino is always a journey as it involves importing a new certificate into the Domino keystore and then updating the existing proprietary *.kyr key file in my primary Domino server's data directory.

 

Then, I have to move the newly minted *.kyr file into the Domino data directories of the other nine Domino servers in my shop and give HTTP a restart or perhaps even a full Domino server reboot if I feel that a server or two needs it. Then all of my Domino HTTPS servers are doing SSL transactions using updated certificates. By now, I've got it down to a science, and it takes only about an hour to get all my servers done. This is usually a once-a-year thing for me. I could buy a certificate with multiple years, but to be bluntly honest, I don't want to let my "replace the Domino SSL certificate" procedure to go dull in my mind, because it's easy to screw it up if you get rusty.

 

Now for the fun part. I have to use the IBM Key Management utility (i.e., IKeyMan) to convert my *.kyr file into a *.p12 file so that IBM HTTP Server can use it. I suppose I could buy certificates for both servers, but I cut my teeth at a paper company for eight years and tend to save money where I can. The amount of web pages referencing "kyr to p12" scenarios gives you an idea of how popular this process is. Many people do it...or at least attempt to do it.

 

To get started, you have to use an antiquated version of IKeyMan because new versions won't do the conversion. How antiquated? Well, it has to run on Windows XP. That means I'm digging into the basement for the old faithful laptop with Windows XP that I boot up religiously every year for this single purpose. I put the new *.kyr file into the magical software and poof! It spits out a magical *.p12 file. Then I import it into IBM Digital Certificate Manager and let my IBM HTTP Servers use it. Getting IBM HTTP Server on IBM i to update a certificate instead of importing a new one and then having the IBM HTTP Servers use the brand new one instead is another issue altogether. I've been meaning to PMR that because I've never had much success with updating a certificate, but I digress.

 

To end the process, I usually gripe on Twitter about the convoluted method with the old version of IKeyMan a little, have people gripe back, and then don't think about it again until next year.

 

This time, the process was different.

 

SHA-2, Where Are You?

 

The certificate I downloaded was encoded by default with the SHA-2 hash function. SSL certificates encrypt communication between a server (HTTP, Telnet, FTP, etc.) and a client (web browser, Telnet client such as a 5250 emulater, FTP client, etc.). This prevents others from eavesdropping on your communications no matter if it's on a public or private network. This encryption is implemented with a hash function. The SHA-1 hash function has been around for about 20 years and is being phased out in favor of SHA-2. Computers are far more powerful now, and the ability to break encryption is more likely with a weaker target such as SHA-1.

 

My problem occurred because SHA-2 is now the standard, and it would not import into Domino because it's not fully supported on that platform within the Domino SSL stack. Only SHA-1, MD5, and DSA are supported. Luckily, when I contacted GoDaddy.com again, they were sympathetic to my needs and supplied me with a less secure but supported SHA-1 SSL certificate. Your mileage may vary with your provider if you've bought and paid for SHA-2 already.

 

According to GoDaddy.com, new certificates with expiration dates after January 1, 2017, can only use SHA-2. Code-signing certificates with expiration dates after December 31, 2015, must also use SHA-2. Microsoft is driving all public Certificate Authorities toward adoption of SHA-2 as their default hash function, so whoever you use for SSL certificates will be affected.

 

Oh, but good news!

 

There's a method to get SHA-2 to work for your Domino HTTP servers. It involves putting an IBM HTTP Server in front of Domino!

 

Ouch.

 

But, my dear friends in the Power Systems community, are you ready for the real rub? The HTTP Server module is available only on 32-bit Windows. Other platforms are "under investigation."

 

In June, there was an IBM Ask The Experts webinar about Domino administration. A bit of Q&A went on, and this SHA-2 question was pretty popular. Here are the bits that matter from the Q&A:

 

Q32. Can someone provide an update what the plans are to have SHA-2 certificate support on Domino for SSL (Microsoft will drop support of older certificates by 31-Dec-2015)? SPR # ABAI7SASE6 Enhancement Request: Support SHA-2 algorithm for SSL on Domino (High triage priority, but no answer).

 

For SHA2 certificate support, we recommend at this time using an HTTP proxy server to handle the inbound HTTPS requests, Domino 9.x provides IHS with the server that is configured to work with the Domino HTTP web server.

 

OK, but this is Windows only. It doesn't help me. Next.

 

Q33. Will Domino support SHA-2? IBM HTTP Server on the front is not ideal.

 

Natively there's limited support for SHA-2 - http://www-12.lotus.com/ldd/doc/domino_notes/9.0/help9_admin.nsf/855dc7fcfd5fec9a85256b870069c0ab/05c1271fa301b23485257b19005b4d18?OpenDocument&;Highlight=0,Encryption,standards

 

OK, but this doesn't help me either. It's irrelevant. I need Domino HTTPS with SHA-2. I can't serve secure web pages with SMIME. Next.

 

Q34. Domino support told me to get a SHA-1 certificate because SHA-2 wasn't supported.

 

SHA-2 is not supported for Domino SSL. SHA-2 pretty much is limited to SMIME message encryption.

 

OK. See my previous snarky comment about it not helping me. And question 34 actually answered itself.

 

The next question loops back to the beginning of my article about making exporting *.kyr files in a supported, easy fashion. It's actually pretty easy once you have the XP box and an old version of IKeyMan, but the point still stands to have something supported. I'll give you this question/answer (and solutions provided by Darren Duke of Simplified Technology Solutions) in case you wanted to know how to do it.

 

Q35. What are your plans to resolve wildcard cert setup and import with Domino and related products that run on Domino? It is far too complex a process for 2014, poorly documented, and really a put-off for new customers.

 

You can use wildcard SSL certs on Domino as long as you create the CSR using the Domino server certificate admin database. However, as of today we don't have a supported way to import or export the SSL private key out of a kyr so you wont be able to share the SSL wildcard cert with any non-Domino Web servers.

 

From Darren Duke (STS):

 

it's convoluted but you *can* convert Domino wild cards for other purposes.... http://blog.darrenduke.net/darren/ddbz.nsf/dx/exporting-domino-ssl-keyfiles-to-another-format-for-use-with-ihs-.htm

 

So IBM's answer was to ultimately use IBM HTTP Server on Windows. What you don't get from the published Q&A was the chat when people who are using Linux and IBM i started grumbling pretty hard.

 

Imagine someone with a bunch of Domino on System z being expected to put Windows servers in front of it! I know that Windows is out there in the world, but the world doesn't run on Windows. Support requirements might come out of operating system metrics on PMRs, but in reality, the metrics are screwy if you take Windows being Windows into consideration. Chances are, if it's Domino being wonky on Windows, it's because there's a good chance it's Windows making Domino go wonky. IBM i customers don't call you that much because IBM i doesn't bend, let alone break.

 

Ideally, native Domino SHA-2 support inside the SSL stack should be the solution. Manipulating kyr files in supported versions of IKeyMan should be the solution. Overall, I should be able to import a certificate into Domino easily and export it out of *.kyr format to another easily. It's a very modest goal: simplify the customer SSL experience.

 

Why am I telling you this?

 

A few reasons come to mind.

 

First, IBM has a cross-platform solution "under investigation." I figure if IBM has enough people knocking on their door asking for a proper solution, then they'll investigate harder and faster. It's the squeaky-wheel deal. Talk to your IBM rep about getting SHA-2 hashed certificates supported in the native Domino SSL stack and the ability to use an updated version of IKeyMan to manipulate them or the ability to export a key file right out of Domino into *.p12 or other formats.

 

Second, it's a ticking time bomb for anyone running Domino HTTP servers not on Windows. Of course, my readership will be mostly Power Systems plus System i, iSeries, and maybe some really old AS/400 iron. Eventually, SHA-1 certificates just won't be able to be acquired. Nor should they. We need a better road to being supported and protected. It affects you.

 

Third, and I'll be frank with this, putting an IBM HTTP Server in front of a Domino server is entirely unacceptable. It compromises the relative simplicity that Domino offers a customer. Sticking IBM HTTP Server in front of it isn't going to work for everyone. Even if it were cross-platform, if you've got 20 Domino servers, are you really going to consider putting 20 IBM HTTP Servers in front of them? I'd rather politely decline and ask IBM to do right by their customers.

Steve Pitcher
Steve Pitcher works with iTech Solutions, an IBM Premier Business Partner. He is a specialist in IBM i and IBM Power Systems solutions since 2001. Feel free to contact him directly This email address is being protected from spambots. You need JavaScript enabled to view it..
BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: