IBM Collaboration Solutions
Open Mic
Date: 12 January 2017
IBM Traveler and New Security Changes
Ask the Experts Team
Ranjit Rai - IBM ICS SWAT
Focusing on Notes/Domino as a whole
Narendra Nesarikar – IBM ICS Support Facilitator for Open Mics
Shrikant Ahire - IBM L2 Support
Manish Jha - IBM L2 Support
Agenda
Upcoming Security changes with IBM Traveler
Importance of these restrictions
Making your environment ready for these changes
Key changes and challenges
References
Q &A
Upcoming Security changes with IBM Traveler
Minimum HTTPS / TLS connection and certificate security requirements for the IBM Verse for iOS, IBM Verse for Android, IBM Traveler Companion and IBM Traveler To Do mobile apps.
Mobile devices configured over HTTP will no longer be able to sync email.
You must ensure that your IBM Verse Mobile and Traveler connections are secure and compliant with these requirements, tentatively by mid-March.
Devices running Android versions prior to 4.1 do not support TLS 1.2, so they can no longer be supported.
Importance of these restrictions
• Cyber attacks are increasing and constantly search for vulnerabilities that expose your private data
• Data transmitted and received over the Internet on unencrypted or weakly encrypted connections is extremely vulnerable to compromise
• IBM performs regular application scanning of our mobile apps, penetration testing of our Traveler server code and ethical hacking tests of our product
• Strongly encrypted connections using valid certificates are required to ensure the security of data traveling over the Internet
• Mobile OS vendors are removing support for vulnerable ciphers and protocols
• Apple is requiring ATS for all public App Store app submissions in 2017; Android removed the RC4 cipher when Android 7 was released
• IBM will be modifying our mobile apps in the future to require a secure connection that meets these minimum security requirements
What is the context of the ‘connection’ here?
• The communications link between the mobile app and the TLS session endpoint
• The TLS session endpoint may be the Traveler server itself if the app connects directly
• Very often it is an edge proxy (reverse proxy):
– IBM Mobile Connect
– F5
– Citrix NetScaler
– MobileIron Sentry
– Many others
Making your environment ready for these changes
• Mobile apps must connect over HTTPS, not unencrypted HTTP
• The server certificate cannot be expired or invalid
• The server certificate Common Name (CN) or Subject Alternative Name (SAN) list must contain the hostname the mobile app uses to connect
• The negotiated Transport Layer Security version must be TLS 1.2
• The Domino server hosting Traveler should be on version 9.0.1 FP5 or higher
• The server certificate must be trusted
• The TLS cipher suite must support forward secrecy (see the referenced article for the list)
• The server leaf certificate must be signed with an RSA 2048-bit or ECC 256-bit key (or higher)
• The server leaf certificate hashing algorithm must be SHA-256 (or higher)
Key changes and challenges
• Setting up a SHA-2 certificate on the server if one is not already deployed
• Reconfiguring the external URL to use HTTPS if it is not already set
• Migrating existing devices configured with an HTTP URL
• Android devices configured with HTTP using a hostname can be forced to use HTTPS without user intervention; refer to the document below
URL: http://www-01.ibm.com/support/docview.wss?uid=swg21993951&myns=swglotus&mynp=OCSSYRPW&mync=E&cm_sp=swglotus-_-OCSSYRPW-_-E
How do I check my environment?
• Most browsers provide a mechanism to examine your certificate
• Connect your browser to the Traveler URL and check the certificate section to verify your certificate
• You can use any SSL certificate checker, such as Qualys SSL Labs, to verify whether the certificate is valid for Apple ATS connections
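One way to check a Traveler endpoint against the requirements listed on the two slides above, as an added Python 3 example (standard library only) that is not part of IBM's deck or of Traveler itself: `probe`, `check_profile`, `name_matches`, the profile field names and the acceptance of TLS 1.3 (which postdates the deck) are my own assumptions, and because the `ssl` module exposes neither key size nor signature hash, those two fields must be supplied from a certificate dump.

```python
import socket, ssl
from datetime import datetime, timezone

FS_PREFIXES = ("ECDHE-", "DHE-", "TLS_")  # ephemeral key exchange; all TLS 1.3 suites are forward secret
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}
OK_HASHES = {"sha256", "sha384", "sha512"}

def name_matches(hostname, names):
    """True if hostname equals a CN/SAN entry; '*' may stand in for the leftmost label only."""
    host = hostname.lower().split(".")
    for name in names:
        parts = name.lower().split(".")
        if len(parts) == len(host) and all(
                a == b or (a == "*" and i == 0) for i, (a, b) in enumerate(zip(parts, host))):
            return True
    return False

def check_profile(p, hostname, now=None):
    """Return the slide requirements that connection profile p fails (empty list = compliant).
    p keys: scheme, tls_version, cipher, not_after (aware datetime), names (CN and SANs),
    key_type ('RSA'/'EC'), key_bits, sig_hash ('sha256', ...); None means 'not collected'."""
    fails = []
    if p["scheme"] != "https":
        fails.append("plain HTTP: mobile apps must connect over HTTPS")
    if p["tls_version"] not in ("TLSv1.2", "TLSv1.3"):
        fails.append(f"negotiated {p['tls_version']}: TLS 1.2 is the minimum")
    if not p["cipher"].startswith(FS_PREFIXES):
        fails.append(f"cipher {p['cipher']} does not provide forward secrecy")
    if p["not_after"] <= (now or datetime.now(timezone.utc)):
        fails.append("server certificate has expired")
    if not name_matches(hostname, p["names"]):
        fails.append(f"{hostname} is not in the certificate CN/SAN list")
    if p["key_type"] not in MIN_KEY_BITS or (p["key_bits"] or 0) < MIN_KEY_BITS[p["key_type"]]:
        fails.append(f"leaf key {p['key_type']} {p['key_bits']}: RSA 2048 or ECC 256 (or higher) required")
    if p["sig_hash"] not in OK_HASHES:
        fails.append(f"leaf certificate hash {p['sig_hash']}: SHA-256 or stronger required")
    return fails

def probe(hostname, port=443, timeout=5):
    """Profile a live handshake (stdlib only). The default context enforces trust and hostname;
    ssl exposes neither key size nor signature hash, so fill those from `openssl x509 -text`."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            names = {v for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
            names |= {v for rdn in cert["subject"] for k, v in rdn if k == "commonName"}
            exp = datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
            return {"scheme": "https", "tls_version": tls.version(), "cipher": tls.cipher()[0],
                    "not_after": exp, "names": names, "key_type": None, "key_bits": None, "sig_hash": None}
```

An untrusted or hostname-mismatched certificate makes `probe` raise `ssl.SSLError` before a profile is built, which is the same outcome the mobile apps will report.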
References
Securing connections for IBM Traveler mobile applications
https://www-01.ibm.com/support/docview.wss?uid=swg21989980
Download Options for Notes & Domino 9.0.1 Fix Packs
http://www-01.ibm.com/support/docview.wss?uid=swg24037141
How to set up SSL using a third-party Certificate Authority (CA)
http://www-01.ibm.com/support/docview.wss?uid=swg21268695
Generating a keyring file with a third party CA SHA-2 cert using OpenSSL and KYRTool on a Windows workstation
https://www-10.lotus.com/ldd/dominowiki.nsf/dx/3rd_Party_SHA-2_with_OpenSSL_and_kyrtool?open
Android devices configured with HTTP using hostname can be forced to use HTTPS without user intervention
http://www-01.ibm.com/support/docview.wss?uid=swg21993951&myns=swglotus&mynp=OCSSYRPW&mync=E&cm_sp=swglotus-_-OCSSYRPW-_-E
IBM Corporation ©2015
Questions?
Visit our Support Technical Exchange page or our Facebook page for details on future events.
To help shape the future of IBM software, take this quality survey and share your opinion of IBM software used within your organization: https://ibm.biz/BdxqB2
IBM Collaboration Solutions Support page
http://www.facebook.com/IBMLotusSupport
IBM Collaboration Solutions Support
http://twitter.com/IBM_ICSSupport
Thank You