fighting for truth, justice, and a kick-butt lotus notes experience.

 

Detlev Poettgen

 

Accessing Traveler or Domino HTTP from iOS 9 devices

 23 July 2015 15:31:15
Starting with iOS 9, Apple will introduce App Transport Security (ATS).

App Transport Security is a feature that requires secure connections between an app and web services. The default connection requirements conform to the best practices for secure connections. Apps can override the default behavior and turn off App Transport Security.
App Transport Security is available on iOS 9.0 or later, and on OS X 10.11 and later.

Default Behavior
All secure http (https) connections follow the App Transport Security default behavior in apps built for iOS 9.0 or later, and OS X 10.11 or later. Connections that do not follow the requirements will fail. The requirements are:

- TLS requires at least version 1.2.
- Connection ciphers are limited to those that provide forward secrecy (see below for the list of ciphers).
- The service requires a certificate using at least a SHA256 fingerprint with either a 2048-bit or greater RSA key, or a 256-bit or greater Elliptic-Curve (ECC) key.
- Invalid certificates result in a hard failure and no connection.

The accepted ciphers are:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA


https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/
 
As you can see, all supported default ciphers use ECDHE, which is not supported by Domino at the moment.

If you are an app developer, you can switch on additional ciphers that are supported by Domino. But this has to be done by the developer in the app's Info.plist; for a third-party app you have to hope that its developer will do that for you.
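
The ATS defaults quoted above can be turned into a server-side check. The following is an added example, not code from the original post or from Apple: the server profiles are constructed samples, and `NSExceptionMinimumTLSVersion` and `NSExceptionRequiresForwardSecrecy` are Apple's Info.plist ATS exception keys, which the post itself does not name.

```python
# Added example, not from the original post: evaluate a server's TLS profile
# against the ATS default requirements quoted above.

ATS_CIPHERS = {  # the accepted ciphers exactly as listed in the post
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}
OK_HASHES = {"sha256", "sha384", "sha512"}  # "at least SHA256"


def ats_findings(profile):
    """Map each failed ATS default to the Info.plist exception key an app
    developer would have to set for it (None where this example maps no key)."""
    failed = {}
    if "TLSv1.2" not in profile["protocols"]:
        failed["TLS 1.2"] = "NSExceptionMinimumTLSVersion"
    if not ATS_CIPHERS.intersection(profile["ciphers"]):
        failed["ATS default cipher"] = "NSExceptionRequiresForwardSecrecy"
    key_type, key_bits = profile["key"]
    if key_bits < MIN_KEY_BITS.get(key_type, float("inf")):
        failed["key size"] = None
    if profile["cert_hash"].lower() not in OK_HASHES:
        failed["certificate hash"] = None
    return failed


# Constructed sample profiles (illustrative, not measured from real servers).
NO_ECDHE_SERVER = {"protocols": ["TLSv1.0", "TLSv1.2"], "key": ("RSA", 2048),
                   "cert_hash": "sha256",
                   "ciphers": ["TLS_RSA_WITH_AES_128_CBC_SHA",
                               "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"]}
LEGACY_SERVER = {"protocols": ["SSLv3", "TLSv1.0"], "key": ("RSA", 1024),
                 "cert_hash": "sha1",
                 "ciphers": ["TLS_RSA_WITH_AES_128_CBC_SHA"]}
REVERSE_PROXY = {"protocols": ["TLSv1.2"], "key": ("RSA", 2048),
                 "cert_hash": "sha256",
                 "ciphers": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]}

if __name__ == "__main__":
    for name, p in [("no-ECDHE", NO_ECDHE_SERVER), ("legacy", LEGACY_SERVER),
                    ("proxy", REVERSE_PROXY)]:
        print(name, ats_findings(p) or "meets the ATS defaults")
```

An empty result means the endpoint meets the ATS defaults without any app-side exception; every entry is a default that either the server or each connecting app would have to change.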

As far as we can test it with iOS 9 Beta 3, Apple will do a fallback to these additional ciphers and even down to TLS 1.0 for Traveler using the integrated mail app and for Safari.

So Traveler and your XPages web applications are working. But you need TLS and SHA256, which are only supported together when you are running 9.0.1 with the latest fixpacks.

We don't know at the moment if Apple will change this fallback for integrated apps in the final release, but at the moment it works!

To be safe for the future IBM must support ECDHE ciphers!

The IBM Traveler, IBM Mobile Connect and IBM Domino Security teams have been informed by Daniel Nashed and by us.

We all should wait for their answers before we switch to panic mode.

But all admins out there who are still running Domino 8.5.3: you must update to 9.0.1 FP4 or add a reverse proxy in front of your Traveler server before iOS 9 arrives!

ACT NOW!

To get more details, check out:

https://developer.apple.com/library/prerelease/ios/technotes/App-Transport-Security-Technote/
https://blog.winkelmeyer.com/2015/07/update-your-ssl-on-servers-to-support-tls-1-2-before-ios-9-and-os-x-10-11/
http://blog.nashcom.de/nashcomblog.nsf/dx/apple-app-transport-security.htm?opendocument&comments#anc1

Update 23.07.2015:

I just received an answer from the IBM Mobile Connect Dev Team: IBM Mobile Connect in the latest version already supports TLS 1.2 and ECDHE ciphers. So IBM Mobile Connect is well prepared for iOS 9!

 

    Anyone else having problems with Traveler 9.0.1.6

     17 July 2015 16:15:35
    I would like to ask you:

    Are you having issues with the latest IBM Notes Traveler 9.0.1.6 version, too?

    Two of our customers already updated their Traveler HA systems to 9.0.1.6 and they are having trouble:

    1. Already enrolled devices are getting a new initial sync after the update

         As we can see in the Traveler log, some (not all) devices are starting a new initial sync.
         That behaviour starts after the update to 9.0.1.6

    2. Users with mail files on remote servers are no longer getting new mails.


    After upgrading Traveler from 9.0.1.0 IF7 to 9.0.1.6 at customer side, we are facing problems with mail sync that no longer works reliably and we are seeing a lot of 503 / Time+out+waiting+for+thread errors.

    "07/10 12:07:03.539" "10.128.87.206 10.128.143.3" Worker-0940 "CN=Frank Test /OU=ATHU/O=COMPANY/CÞ" "action=syncAS&cmd=Sync&CollectionId=4&SyncKey=34&Comment=(Timed+out+waiting+for+thread+DS-0a10%5B4%5D%5BA5661DA5C6F37131D7602CB660B2EA8D%5D%5B17778858%5D+to+complete.)" dp 503 20311 "Apple-iPhone5C2/1208.143" ApplC9LJMYU71234 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0


    After the update, end users are reporting that they are not receiving any new mails.

    We already checked the connection between the Traveler and Domino Mail server, where all looks fine and we think, that there is something going wrong in the new Traveler release.

    We are able to reproduce the behaviour.

    The customer is running three different Traveler environments:

    Test (Traveler 9.0.1.6 & Domino 9.0.1 FP4 )
    Production ( Traveler 9.0.1.6 & Domino 9.0.1 FP4)
    Production Pilot (Traveler 9.0.1.0 IF7 & Domino 9.0.1 FP2 HF384)

    We configured three different mail profiles for the same user on the same device. Every profile is using a different Traveler environment. The device is connected using internal WiFi.

    Test & Production  --> Issues with mail sync
    Production Pilot --> working


    We opened PMRs for both issues, but we are still waiting for an answer from IBM.


    So, if you are planning to upgrade to Traveler 9.0.1.6: at the moment I cannot recommend it!

      10th OpenUserGroup-Westfalen Stammtisch on 13.08.15 in Gütersloh

       7 July 2015 20:24:31
      Please save the date:


      The 10th OpenUserGroup | Westfalen Stammtisch will take place on Thursday, 13.08.15 in Gütersloh.

      Besides networking and discussing current topics in a relaxed atmosphere over good food and cold drinks, there will be two short keynote talks on the IBM Collaboration & Social product family.

      The following two talks are planned:
      1.        The IBM Notes Browser Plugin in practical use - Martin Garrels
      Experiences after 6 months in production use with, by now, more than 2,600 users

      2.        DNUG 2015 - current status - Jörg Rafflenbeul (DNUG board)
      What's next for DNUG, and open discussion

      Further details on the Stammtisch, the location and the agenda can be found here: OpenUserGroup | Westfalen

      In the next few days I will also send out the invitations by mail to the previous participants, as usual.

      New members are welcome. Just get in touch with me or fill in the contact form: OpenUserGroup | Westfalen - Contact

      PS: As always: the event itself is free of charge, but each participant pays for their own food and drinks.

      IBM Notes Traveler 9.0.1.6 available

       30 June 2015 22:05:01
      IBM released IBM Notes Traveler 9.0.1.6 today.

      IBM Traveler 9.0.1.6 is a maintenance release that includes APAR fixes for the IBM Traveler server and Android client.

      Some more fixes regarding MIME & attachment handling issues introduced with 9.0.1.3 and 9.0.1.4

      Here is the Fixlist:
      APAR #   Component  Abstract
      LO84879  Server     Calendar notice may be sent multiple times or be sent by the server ID.
      LO85144  Server     E-mail containing invalid zero character in WBXML encoding may not sync correctly to mobile device.
      LO85222  Server     Attachment with an unknown content type may not download to device.
      LO85237  Server     Proxy credentials may not be removed from notes.ini during startup.
      LO85260  Server     When Trash sync first enabled, sync only today and later trash items to improve performance.
      LO85283  Server     Mime format e-mail may sync to device without the body.
      LO85357  Server     Attachment with forward slash in file name may not sync to mobile device.
      LO85444  Server     Web Admin may not show data for a user and will receive "Could not generated devicetype" error message.
      LO85445  Server     Attachment with multiple dot characters in file name may not sync to mobile device.
      LO85477  Server     On standalone server auto cleanup could impact security records then requiring re-approval if approval is enabled.



      Downloads can be found here

        Who is using Splunk or a similar solution?

         17 June 2015 09:11:14
        This is an unusual post for me. This time I have a bunch of questions and would like to get your answers or experiences.

        I would like to know if you are already using solutions like Splunk, GrayLog or similar in your enterprise to get central access, view and analytics of your machine-generated data like system / application logs and platform statistics.

        The idea behind Splunk:

        Step 1: Collect from all of your systems your application / system logs and platform statistics.  
        Step 2: Throw them into Splunk and let them get indexed by Splunk.


        Step 3: Search and drill down across your indexed log files from a central point


        Step 4: Use Big Data analytics provided by Splunk to visualize your indexed data to build dashboards or generate alerts.


        My questions to you:

        Do you know Splunk?
        Do you use Splunk, GrayLog or a similar solution in your enterprise already?
        How and for what use case do you use Splunk?
        How do you forward Domino, WebSphere, DB2 or your application logs and statistics to Splunk?

        Please add a comment or send me an email.

        I am looking forward to your answers and already thank you very much for participating in the discussion.


        To answer your question before you google it: What the hell is Splunk?

        Splunk is an American multinational corporation based in San Francisco, California, which produces software for searching, monitoring, and analyzing machine-generated big data, via a web-style interface.
        Splunk (the product) captures, indexes and correlates real-time data in a searchable repository from which it can generate graphs, reports, alerts, dashboards and visualizations.
        Splunk has a mission of making machine data accessible across an organization by identifying data patterns, providing metrics, diagnosing problems and providing intelligence for business operations. Splunk is a horizontal technology used for application management, security and compliance, as well as business and web analytics. As of early 2015, Splunk has over 9,000 customers worldwide.
        Splunk is based in San Francisco, with regional operations across EMEA and Asia, and has over 1700 employees.

        Splunk offers products that perform real-time and historical search, as well as reports and statistical analysis. The product can index structured or unstructured textual machine-generated data.


        Source Wikipedia: https://en.wikipedia.org/wiki/Splunk

        If you don't know Splunk - visit the Splunk Website: http://www.splunk.com/en_us/products/splunk-enterprise.html
        If you don't know GrayLog - visit the GrayLog Website: https://www.graylog.com/product/

        Reuters: BlackBerry thinking of launching Android phone

         12 June 2015 11:29:41

        BlackBerry (NASDAQ:BBRY) is thinking of launching its first phone to run on Google's version of Android, 4 sources tell Reuters.
        The decision is reportedly tied to BlackBerry's efforts to "pivot to focus on software and device management."

        BlackBerry is coming off an FQ4 in which end-user phone sales fell to 1.6M from 1.9M in FQ3 and 3.4M a year earlier; IDC estimates the company's smartphone OS share was down to 0.3% in calendar Q1.

        Meanwhile, BlackBerry has estimated it needs to sell 10M phones/year to break even on its hardware ops.

        As it is, BlackBerry has partnered with Samsung to provide security software/services for Samsung's Android hardware, and has launched plenty of cross-platform security and MDM solutions.
        BB10 phones support Android apps via Amazon's Appstore for Android, but don't have access to Google apps/services that are baked into Google's version of Android or distributed via the Play Store.


        via Reuters: http://seekingalpha.com/news/2576885-reuters-blackberry-thinking-of-launching-android-phone

        My 50 cents: BlackBerry will not be able to survive as a hardware manufacturer with their own OS platform. Switching to Android will not solve their issues but will add new ones. In the near future BlackBerry will be "only" one more MDM & MAM vendor in the market.

        What's your opinion?

        IBM Verse for Android app available

         30 May 2015 12:18:11
        IBM Verse for Android available via Google Play Store.


        The Verse app is a replacement/upgrade of the Traveler app that will be dismissed! The new app will only be available via Play Store at the moment.

        IBM Verse Client for Android only supports Android 4.x and later OS levels. The IBM Traveler client for Android is still available for use for older OS levels. The IBM Traveler client for Android can be obtained from the Traveler Home Page.

        This app is compatible with IBM Traveler server version 8.5.3.3 and later fixpacks, as well as 8.5.3 Upgrade Pack 1, 8.5.3 Upgrade Pack 2, and 9.x.


        These are some of the features that IBM Verse provides on Android:

        - See mail from people important to you
        - Set people you interact with often as Important
        - Mark mail as Needs Action
        - Manage items that need follow up
        - Track who owes you a response and when
        - Work with your calendar seamlessly
        - Interact with all of your contacts

        https://play.google.com/store/apps/details?id=com.lotus.sync.traveler

        Update 02.06.2015:

        What's New?

        New download link on Traveler home page to download the IBM Verse client for Android from the Google Play store.

        Note the following:

        IBM Verse client for Android users do not need to connect to a 9.0.1.5 server. IBM Verse for Android client supports Traveler server versions 8.5.3.x and later. Some features will be available only if running the latest Traveler server.

        IBM Verse client for Android will be available only via the Google Play store and select MDM providers. The IBM Traveler client will remain available from the Traveler server to support Android devices running 2.x or 3.x OS.


        via http://www-01.ibm.com/support/docview.wss?uid=swg21957932


          IBM Notes Traveler 9.0.1.5 available

           29 May 2015 21:48:30
          IBM released IBM Notes Traveler 9.0.1.5 today.

          Hopefully this one will fix the MIME handling issues introduced with 9.0.1.3 and 9.0.1.4

          Here is the Fixlist:

          APAR #   Component  Abstract
          LO84144  Server     Update of appointment instance may not sync to Apple device.
          LO84586  Server     Warning message for NTS_PUSH_ENABLE_APNS setting at startup.
          LO84641  Server     Push not working for Android devices.
          LO84756  Server     Remove last attendee from event on Apple device may not be reflected in Notes client.
          LO84747  Server     Some wav files for Mime format document do not sync to mobile device.
          LO84790  Server     Parse exception on malformed Mime document may prevent sync of document.
          LO84792  Server     Verse client displays zero byte attachment.
          LO84825  Server     Chair field with canonical format may get replaced by internet format user name.
          LO84845  Server     Large e-mail bodies in Mime format may not display on mobile device.
          LO84846  Server     For performance, do not use index hint with enterprise database.
          LO84861  Server     Meeting notice deleted from device may not be deleted on server.
          LO84878  Server     Calendar description field may lose line feed characters.
          LO84939  Server     Immediately after enable Trash sync, device may receive error trying to delete a message.
          LO84941  Server     Setting Out of Office from IBM Companion app on iOS 8.x may fail.
          LO84943  Server     Out of Office time may display in server time zone instead of end user time zone.
          LO84947  Server     Defrag on stand-alone server may display errors.
          LO84957  Server     Event acceptance state may not be displayed after accepting a single meeting instance.
          LO84968  Android    Security update may not push to Android devices running 4.2 or later OS.
          LO85028  Server     Attachment sync error "Could not find file attachment"
          LO85031  Server     Traveler server may crash processing a malformed Mime document.
          LO85057  Server     Attachment sync error "Entry not found in index."
          LO85110  Server     Syncing Mime format documents may result in exception in logs.


          Downloads can be found here



          Coldplay’s Game of Thrones: The Musical

           26 May 2015 17:25:43
          Game of Thrones: The Musical.

          For Red Nose Day on NBC, Coldplay and the cast of Game of Thrones join forces for the band's most important project yet: a musical for HBO’s Game of Thrones





          Made my day :-)


          Updated Apple iOS Security Guide

           20 May 2015 09:10:10
          Want to know in more detail how Apple iOS security works?

          Check out the updated iOS Security Guide.


          55 pages worth reading:  Download Apple iOS Security Guide