Ask the Expert Session on IBM Traveler and New Security Changes

IBM Collaboration Solutions Open Mic. Date: 12 January 2017. IBM Traveler and New Security Changes

Upload: jayeshpar2006

Post on 13-Apr-2017


Ask the Experts Team

Ranjit Rai - IBM ICS SWAT

Focusing on entire Notes/Domino

Narendra Nesarikar - IBM ICS Support Facilitator for Open Mics

Shrikant Ahire - IBM L2 Support

Manish Jha - IBM L2 Support


Agenda

Upcoming Security changes with IBM Traveler

Importance of these restrictions

Making your environment ready for these changes

Key changes and challenges

References

Q&A


Upcoming Security changes with IBM Traveler

Minimum HTTPS / TLS connection and certificate security requirements for IBM Verse for iOS, IBM Verse for Android, IBM Traveler Companion and IBM Traveler To Do mobile apps.

Mobile devices configured to connect over HTTP will not be able to sync email.

You must ensure that your IBM Verse Mobile and Traveler connections are secure and compliant with these requirements by mid-March (tentative date).

Devices running Android versions prior to 4.1 do not support TLS 1.2, so they can no longer be supported.


Importance of these restrictions

• Cyber attacks are increasing, and attackers are always searching for vulnerabilities that expose your private data

• Data transmitted and received over the internet over unencrypted or weakly encrypted connections is extremely vulnerable to compromise

• IBM does regular application scanning of our mobile apps, penetration testing of our Traveler server code and ethical hacking testing of our product

• Strongly encrypted connections using valid certificates are required to ensure security for data traveling over the Internet

• Mobile OS vendors are removing support for vulnerable ciphers and protocols

• Apple is requiring App Transport Security (ATS) for all public App Store app submissions in 2017. Android recently removed the RC4 cipher when Android 7 was released

• IBM will be modifying our mobile apps in the future to require a secure connection that meets these minimum security requirements


What is the context of the ‘connection’ here?

• Communications link between the mobile app and the TLS session endpoint

• TLS session endpoint may be the Traveler server if connecting directly

• Very often it is an edge proxy (reverse proxy)

– IBM Mobile Connect

– F5

– Citrix NetScaler

– MobileIron Sentry

– Many others


Making your environment ready for these changes

• Mobile apps must connect over HTTPS and not unencrypted HTTP

• Server certificate cannot be expired or invalid

• Server certificate Common Name (CN) or Subject Alternative Name (SAN) list must contain the hostname that the mobile app uses to connect

• Negotiated Transport Layer Security version must be TLS 1.2

– Domino hosting Traveler should be on version 9.0.1 FP5 or higher

• Server certificate must be trusted

• TLS cipher suite must support forward secrecy (see article for list)

• Server leaf certificate must be signed with RSA 2048 bit or ECC 256 bit key (or higher)

• Server leaf certificate hashing algorithm must be SHA256 (or higher)


Key changes and challenges

• Setting up a SHA-2 certificate on the server if one is not already deployed

• External URL needs to be reconfigured to use HTTPS if not already set

• Migrating existing devices configured with an HTTP URL

• Android devices configured with HTTP using a hostname can be forced to use HTTPS without user intervention. Refer to the document below.

URL: http://www-01.ibm.com/support/docview.wss?uid=swg21993951&myns=swglotus&mynp=OCSSYRPW&mync=E&cm_sp=swglotus-_-OCSSYRPW-_-E


How do I check my environment?

• Most browsers provide a mechanism to examine your certificate

• Connect your browser to the Traveler URL and check the certificate section to verify your certificate

• You can use any SSL certificate checker, such as Qualys SSL Labs, to verify that the certificate is valid for Apple ATS connections
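The requirements listed under "Making your environment ready for these changes" can also be checked against text captured from `openssl s_client -connect <host>:443` and `openssl x509 -text -noout`. The script below is an added example, not part of the original slides or of IBM's tooling; the host names and sample output are constructed, and treating ECDHE/DHE cipher names as forward-secret is an assumption standing in for the cipher list in the IBM article.

```python
import re
from datetime import datetime

# Constructed sample in `openssl s_client` / `openssl x509 -text` output format.
SAMPLE = """\
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)
        Signature Algorithm: sha256WithRSAEncryption
            Not After : Mar 15 12:00:00 2018 GMT
        Subject: CN=traveler.example.com
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                DNS:traveler.example.com, DNS:mail.example.com
"""

def field(text, pattern):
    """First capture group of pattern in text, or '' when absent."""
    m = re.search(pattern, text)
    return m.group(1).strip() if m else ""

def check_endpoint(text, hostname, now):
    """Return the requirements from the slides that the captured output fails."""
    failures = []
    if field(text, r"Protocol\s*:\s*(\S+)") != "TLSv1.2":  # slides name TLS 1.2
        failures.append("TLS 1.2 not negotiated")
    # Assumption: an ECDHE/DHE key exchange stands in for the article's cipher list.
    if not re.match(r"(ECDHE|DHE)-", field(text, r"Cipher\s*:\s*(\S+)")):
        failures.append("cipher lacks forward secrecy")
    if field(text, r"Verify return code:\s*(\d+)") != "0":
        failures.append("certificate not trusted")
    not_after = field(text, r"Not After\s*:\s*(.+?) GMT")
    if not not_after or datetime.strptime(not_after, "%b %d %H:%M:%S %Y") <= now:
        failures.append("certificate expired or unreadable")
    names = re.findall(r"DNS:([^,\s]+)", text)
    names.append(field(text, r"Subject:.*?CN\s*=\s*([^,/\n]+)"))
    if hostname.lower() not in [n.lower() for n in names]:
        failures.append("hostname not in CN/SAN")
    sig = field(text, r"Signature Algorithm:\s*(\S+)").lower()
    if not re.search(r"sha(256|384|512)", sig):
        failures.append("signature hash weaker than SHA256")
    # Assumption: the size checked is the leaf's own public key, as openssl prints it.
    is_ecc = field(text, r"Public Key Algorithm:\s*(\S+)").lower() == "id-ecpublickey"
    bits = int(field(text, r"Public-Key:\s*\((\d+) bit\)") or 0)
    if bits < (256 if is_ecc else 2048):
        failures.append("key smaller than RSA 2048 / ECC 256")
    return failures
```

Run it against the TLS session endpoint the apps actually reach, which is often the edge proxy rather than the Traveler server itself.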


References

Securing connections for IBM Traveler mobile applications
https://www-01.ibm.com/support/docview.wss?uid=swg21989980

Download Options for Notes & Domino 9.0.1 Fix Packs
http://www-01.ibm.com/support/docview.wss?uid=swg24037141

How to set up SSL using a third-party Certificate Authority (CA)
http://www-01.ibm.com/support/docview.wss?uid=swg21268695

Generating a keyring file with a third party CA SHA-2 cert using OpenSSL and KYRTool on a Windows workstation
https://www-10.lotus.com/ldd/dominowiki.nsf/dx/3rd_Party_SHA-2_with_OpenSSL_and_kyrtool?open

Android devices configured with HTTP using hostname can be forced to use HTTPS without user intervention
http://www-01.ibm.com/support/docview.wss?uid=swg21993951&myns=swglotus&mynp=OCSSYRPW&mync=E&cm_sp=swglotus-_-OCSSYRPW-_-E


IBM Corporation ©2015

Questions?

Visit our Support Technical Exchange page or our Facebook page for details on future events.

To help shape the future of IBM software, take this quality survey and share your opinion of IBM software used within your organization: https://ibm.biz/BdxqB2

IBM Collaboration Solutions Support page

http://www.facebook.com/IBMLotusSupport

IBM Collaboration Solutions Support

http://twitter.com/IBM_ICSSupport


Thank You
