
Notes Domino Security Certificate call (my transcript live)




If you have no idea what this is about, go read my posting right here. This is big for users, people.

  • Starting on Tuesday the 19th 2009, web browser users who access various applets hitting a Domino/Sametime/Quickr server may receive a message that the certificate associated with the applet has expired
  • This doesn't affect functionality, just the warning error unless the user trusts IBM
  • The certificate was unable to be renewed until they got close to the expiration.  They were limited in time to renew earlier.  Then there was testing to do and prep for posting
  • -----> Open Q&A begins here by pressing *1 and recording your name<--------------
  • Shawn asks - due to time sensitivity there is not much testing time on the new fixes.  Answer: you can test it via Java/applet APIs to see how it is signed and when it will expire.  Since this is a browser that is impacted, you can actually try it on a test machine by setting your clock into the future.
  • Irv asks - on a test server he has overwritten the files.  In the Java section of the browser will that date be automatically updated on the next connect?  Will the people with the older expired certificate get the update automatically or will they have to delete and reinstall something?  Answer from Scott Vrusho: The technote will be updated to clarify this.  The user will be prompted to accept the new certificate in the browser just as they were 3 years ago
  • Ray asks - the remediation effort is just a file swap?  Answer - yes
  • Steve asks -  the new applets on Sametime will force the user to be accepted on a prompt if they previously trusted IBM?  Answer from Scott - yes even if the user trusted IBM previously they will be prompted
  • Rob asks - will this affect BES?  Answer from Scott - nope
  • Scott asks - I just shut down HTTP on the Domino server and it would not allow me to replace some jar files due to them being locked.  Answer from Scott - in testing they could just shut down HTTP but you might have to shut the Domino server down
  • Steve asks - they are using the Sametime Limited client, is there anything to do?  Answer - there shouldn't be since this is meetings and HTTP, not chat
  • Tim asks - they are using 7.0.3 with Sametime integrated but they use webmail.  Will they get the prompt to accept certificates?  Answer from Scott - DWA and iNotes shouldn't.  All other stock templates have applets
  • John asks - why the NCSO jar file? (sorry, missed some of it)  Answer - they will update the technote to see why that NCSO file is included
  • ?? asks - On a Sametime server there are both Domino and Sametime fixes to be applied? They did a test and moved the server to a later date to see behavior, and is that it? Are instant meeting users affected?  Answer - yes to all parts
  • Mark asks - on the technote for Sametime it states version 7 and above yet they run 6.5.1.  Is it the same or a different patch?  Answer - that version is EOL so there are no signed applets for that version.  So get to upgrading or you will get prompts
  • ?? asks - Domino and Sametime with EMS in front.  Do these jars impact/work with the FIPS encryption?  In preliminary testing they did not get into meetings with the new jars.  Are they compatible?  Could they grab the certs and move them into the jar files?  Answer - they are not sure and will research.  A FIPS version was not ready
  • Tino asks - specific question for version 7.5 of Sametime and they do not see a fix for that version.  Answer - they were suggested to move to 7.5.1 and the CF1 and CF2.  While it may not be possible, it would be encouraged.  Yet this didn't answer the question.
  • Mike asks - they have 6.5.6 servers with iNotes 6 template.  Is it affected? They loaded a test on a Domino 8.5 server with the patch.  They had no change for the trust question.   Answer from Scott - they are not affected.  DWA/iNotes is not impacted and no applets on any version
  • Wayne asks - Quickr on Domino, no Sametime.  They use ActiveX versus Java for drag and drop, is there any concern?  Answer from Jennifer - no concern in either case
  • Lisa asks - running Domino 7.0.3 server with mixed R6 clients and R7 clients on both versions of iNotes/DWA templates. Sametime Connect for browsers are in use, are they affected?  Answer from Scott - iNotes/DWA no impact. Sametime Connect is affected and is in the patches
  • Alan asks - are the expirations time zone related? What about chat functionality through DWA?  Answer from Scott - they aren't totally sure but there is an hour associated with the expiration that will adjust based on timezone.  Yes the chat for stlinks files used in DWA for awareness are affected and should be checked to see if they are unsigned or signed.
  • Ian asks - are there any updates for jar files in the client distribution?  Answer from Scott - this is a fairly niche case where you run and develop web apps to preview in a web browser.  The applets would then show with the prompt.  They are not advertising for the normal use case to update the client, yet it could affect those "rare" instances.  Fixes will be in the later normal release and fixes for clients.  The 8.0.2 FP2 and 8.5 FP1 will have these updates.  Later, when these expire in 2012, this won't cause the same issue due to timestamping in signing, so no future prompts; they are rolling this into future products
  • Lisa asks - Domino 7.0.3 in house and they had to bring the server down to replace the one program file directory file.  She got a prompt for an applet to choose to always run for it not to come up anymore.  Is that normal? Answer from Scott - he questioned which one to see if it was a normal prompt or about the date.  It was about accepting to run the software entirely.
  • Jeff asks - they have Quickplace 7, is there an order to apply with Quickr/Sametime/Domino. Answer - there is no order and no Quickplace patch unless you have Sametime integration with Quickplace.  They will update technotes more on how to verify dates.
  • Mark asks - on all the products they have applied the fix and the user gets prompted, will they also get prompted when they hit Sametime for a meeting the first time or will one acceptance work across? What about our Sametime 6.5.1 servers?  Answer from Scott - one acceptance will take care of all of it.  There is nothing to do for Sametime 6.5.1 servers since there is no patch for them.  Those users will get the security  warning.
  • Rich asks - for Quickplace 6.5.1 there was a patch listed but what about Domino? What about the downloadable gold code that is out there now, will these be updated or will I apply fixpacks? Answer from Scott - there is a Domino 6.5.x patch for all versions.  You have to download fixpacks, they will not upload fixed gold code.
  • ?? asks - they have a lot of products running on Domino with multiple patches.  Portal is the front end.  They exported the SSO key, and will this affect it?  Answer from Scott - any application relying on the Domino applets will be corrected when replacing the applets. These are just applet certificates, no application or SSO certificates.  No issue there.
  • Tim asks - Their Domino has legacy web apps (over 100) on a 5.0.11 server.  Any recourse?  Answer from Scott - no.
  • Bob asks - They tried pushing the clock forward but can't recreate the popup.  Answer - going into Java settings in the browser to remove the IBM trust will then show the popup again.
  • me - are the files the same for Domino 8.0 and Domino 8.5?  Sizes and everything else match.  Answer from Scott - they should be, as they built Domino 8.5 on the same codeset and no other changes were really made.
  • Andy asks - Domino 7.0.3 with DWA 6.5.3 template.  Answer - no problem

I had to drop off the call at this point, so I missed a handful.  The call went almost 30 minutes late.