fighting for truth, justice, and a kick-butt lotus notes experience.

 

Detlev Poettgen

 

IBM Mobile Connect - New Interim Fix available to get POODLE safe

 25 October 2014 11:44:26
Today IBM released a new IBM Mobile Connect fix. You should install it to get "POODLE safe".

With this fix, SSLv3 is disabled by default on the external-facing connections. The internal connections (from IMC to the back end) can still use SSL 3, so your internal Domino/Traveler servers can still be accessed using SSL 3. Once IBM has also released the "POODLE Fix" for Domino, you can and should switch off SSL 3 for the internal connections as well.

You will have to update your Connection Manager. Please also check whether your Gatekeeper is already running the latest Gatekeeper release (6.1.5.1 from March 2014).

Check out Technote SWG2188204 for more details: here

Get the downloads via Fix Central: here

    IBM Technote regarding POODLE and SHA-2 - We have a fix for it

     21 October 2014 18:17:36
    Today IBM published two Technotes announcing two new Interim Fixes.

    The first one will bring native SHA-2 support to Domino for HTTP, SMTP, IMAP, POP3 and LDAP.
    The other one will take care of the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack issue:


    IBM intends to release Domino server Interim Fixes over the next several weeks that implement TLS 1.0 with TLS_FALLBACK_SCSV for HTTP to mitigate against POODLE. Implementing TLS 1.0 will allow browsers to still connect to Domino after they have been changed to address the POODLE attack, and Domino will protect against browsers that have been compromised by POODLE.


    The POODLE Fix will be available in the next few days for 8.5.3 and 9.0.x. The SHA-2 fix will be available in the next few weeks for Domino 9.0.x only.

    Many thanks to Dave Kern for making this possible!

    Details here:

    Technote for TLS (POODLE): http://www-01.ibm.com/support/docview.wss?uid=swg21687167
    Technote for SHA-2: http://www.ibm.com/support/docview.wss?uid=swg21418982
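
The two server-side mitigations in the posts above (refusing SSLv3 on the external listener, and honouring TLS_FALLBACK_SCSV while SSL 3 stays enabled) both come down to one decision on the incoming ClientHello. The following is an added example, not IBM's or the author's code: the function names, the version ranges and the use of the protocol_version alert are assumptions, and the ClientHello bytes are constructed.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600          # signalling cipher suite value (RFC 7507)
ALERT_PROTOCOL_VERSION = 70         # TLS alert: offered version not accepted
ALERT_INAPPROPRIATE_FALLBACK = 86   # TLS alert defined by RFC 7507
SSL3, TLS10, TLS12 = (3, 0), (3, 1), (3, 3)


def build_client_hello(version, suites):
    """Build a minimal ClientHello record (constructed sample input, no extensions)."""
    body = bytes(version) + bytes(32) + b"\x00"      # version, zero random, empty session id
    body += struct.pack(">H", 2 * len(suites))
    body += b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                              # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, cipher_suites) from one ClientHello record."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9                                          # 5-byte record + 4-byte handshake header
    version = (record[pos], record[pos + 1])
    pos += 2 + 32                                    # skip client_version and random
    pos += 1 + record[pos]                           # skip session id
    try:
        (suites_len,) = struct.unpack_from(">H", record, pos)
    except struct.error:
        raise ValueError("truncated ClientHello") from None
    pos += 2
    if suites_len % 2 or pos + suites_len > len(record):
        raise ValueError("malformed cipher suite list")
    suites = [struct.unpack_from(">H", record, pos + i)[0]
              for i in range(0, suites_len, 2)]
    return version, suites


def server_decision(record, server_min, server_max):
    """Return ('alert', code) or ('negotiate', version) for a ClientHello."""
    version, suites = parse_client_hello(record)
    if version < server_min:                         # e.g. SSLv3 switched off on the listener
        return ("alert", ALERT_PROTOCOL_VERSION)
    if TLS_FALLBACK_SCSV in suites and version < server_max:
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)   # client fell back needlessly
    return ("negotiate", min(version, server_max))


if __name__ == "__main__":
    aes = 0x002F                                     # TLS_RSA_WITH_AES_128_CBC_SHA
    retry = build_client_hello(SSL3, [aes, TLS_FALLBACK_SCSV])   # browser fallback retry
    legacy = build_client_hello(SSL3, [aes])                     # SSLv3-only client
    print(server_decision(retry, SSL3, TLS10))    # SSL 3 + TLS 1.0 server with SCSV
    print(server_decision(legacy, SSL3, TLS10))   # same server, legacy client
    print(server_decision(legacy, TLS10, TLS10))  # listener with SSLv3 disabled
```

The second case shows why SCSV alone is only a partial mitigation: a client that genuinely offers nothing above SSL 3 is still negotiated down to it until SSL 3 is switched off.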

    Mac OS 10.10 - Yosemite running Notes 9.0.1

     17 October 2014 14:35:55
    Yesterday Apple released Mac OS 10.10 (Yosemite).

    Today IBM published a special version of the IBM Notes client (9.0.1 Slipstream), because the IBM installer of 9.0.1 does not recognize Yosemite correctly:


    "IBM Notes 9.0.1 Social Edition can't be installed on this computer. This can only be installed on Mac OS X 10.6 or above. Current OS Version is too low."


    The so-called Slipstream client makes a fresh installation of a Notes client possible under Yosemite.

    If a Notes client was already installed on the Mac before the update to Yosemite, no reinstallation is necessary. However, the Notes client should be updated to 9.0.1 FP2 either before or directly after the Yosemite update.

    In general, the Java runtime has to be reinstalled after the Yosemite update:

    Installation order:


    Step 1: Install the legacy Java SE 6 runtime from Apple: http://support.apple.com/kb/DL1572
    Step 2: Download and install the Mac IBM Notes 9.0.1 slipstream, which will be released by end of day on Thursday, October 16, 2014
    Step 3: Install Notes 9.0.1 Fix Pack 2 or higher


    Part numbers of the IBM Notes 9.0.1 Slipstream clients:
    IBM Notes 9.0.1 Mac English: CN15IEN
    IBM Notes 9.0.1 Mac Simplified Chinese and Traditional Chinese: CN150ML
    IBM Notes 9.0.1 Mac Japanese and Korean: CN151ML
    IBM Notes 9.0.1 Mac French, Brazilian Portuguese and Spanish: CN152ML
    IBM Notes 9.0.1 Mac Italian and German: CN153ML
    IBM Notes 9.0.1 Mac Danish and Dutch: CN154ML
    IBM Notes 9.0.1 Mac Finnish, Norwegian and Swedish: CN155ML
    IBM Notes 9.0.1 Mac Polish and Russian: CN156ML
    IBM Notes 9.0.1 Mac Portuguese and Turkish: CN157ML


    See also IBM Technote: 21682510


    IBM Mobile Connect - Fix for 6.1.5.1 available

     2 October 2014 20:13:36
    Today IBM released a new Interim Fix for IBM Mobile Connect 6.1.5.1.

    From the APAR list, which can be found here: List of APAR fixes for IBM Mobile Connect 6.1.5.1
    IV61919 Memory leak, http access services error path handler for badly formatted method requests.
    20140626
    IV62062 Gatekeeper shows empty mobile device container in the System - Users container.
    20140630
    IV62408 HTTP Access Services, add configuration option for maintaining session affinity to back end server after initial assignment.
    20140714
    IV63410 HTTP Access Services, SSL disabled. On redirects and rewrites, use the service URL as configured, don't change protocols or add the service port.
    20140812
    IV63934 HTTP Access Services, new function. Allow LTPA tokens generated by third parties to be accepted by IMC. Default behavior is to reject and force a new login.
    20140826
    IV64821 Upgrading to a new Windows Connection Manager build is unsuccessful even though the installer reported success. Symptoms seen are GK will not launch after an upgrade and/or the IMC build version did not change.
    20140916





    IBM Notes Traveler 9.0.1 IF6: Technote - Attachments containing PLUS sign in file name not synced

     26 September 2014 14:28:09
    After installing Notes Traveler 9.0.1 IF6, attachments with '+' in the name cannot be synced to the device. There is no workaround for the issue; you will need to apply this APAR.

    The fix for APAR LO82085, "Attachments with '+' in the name are not able to synch to device", is now available in hot fix 901_IF6_20140924_1713_Server.

    via IBM Technote: https://www-304.ibm.com/support/entdocview.wss?uid=swg1LO82085&myns=swglotus&mynp=OCSSYRPW&mync=R




    Issues regarding Attachment Handling for IBM Notes Traveler 9.0.1 IF6

     19 September 2014 11:46:21
    Yesterday and today customers contacted me about some issues with IBM Notes Traveler and iOS8/Android after upgrading to Traveler 9.0.1 IF6.

    It looks like attachments with special characters such as space, '+' or '&' in the file name cannot be loaded by the device,
    and the CPU load on the Traveler server is abnormally high.

    You will see these log entries:


    [0100:0017-08F0] 19.09.2014 10:20:37 Notes Traveler: SEVERE Frank Tester
    Action(0)=Stream, userCN=CN=Frank Tester/O=Company, deviceId=CN=Frank Tester/O=Company, database=mail/dev.nsf,
    server=CN=LNTEST01/O=Company, refid=mac mde.pdf@4022208FD320E3A3C1257D58002C42C7,
    hookId=null, file_sz=-1, file_name=null, contentType=null

    [0100:0017-08F0] 19.09.2014 10:20:38 Notes Traveler: SEVERE Frank Tester[3T94T2HKBL2PDDGT6JB2R8QIVC]
    Internal Error: Debug Data: Could not find file attachment w/ UNID=4022208FD320E3A3C1257D58002C42C7
    Error(404)=Entry not found in index

    The original file name is: mac+mde.pdf



    We opened PMRs and are waiting for a response from IBM.
    Will post an update here.

    Update 26.09.2014 I:


    Got feedback from IBM:

    "We have PMRs open and some APARs in the works for the attachments already.  People should continue to open PMRs   ...  It will be at least a few weeks, but probably mid-October ...."

    So: if you have issues, please open a PMR. You will get a hotfix.


    Update 26.09.2014 II:


    IBM published an official Technote. You can get a special hotfix via PMR by request!


    https://www-304.ibm.com/support/entdocview.wss?uid=swg1LO82085&myns=swglotus&mynp=OCSSYRPW&mync=R

    Traveler & iOS 8 - Why should you have to update your servers?

     15 September 2014 20:08:37
    As I posted this morning (Details  here), IBM released a new Interim Fix for Traveler. This Interim Fix for 9.0.1 / 9.0.0.1 / 8.5.3 UP2 will prepare Traveler for iOS8, and it is important that you update your servers as soon as possible. Apple will release iOS8 in two days, and there are some issues that will be fixed with this IF.

    The reason is simple:

    The native Apple Mail app integrated in iOS, which Traveler serves via ActiveSync, has until now submitted a unique Device ID to the ActiveSync server. Traveler uses this Device ID together with the user name to "define" and "find" the device record in Traveler. The IBM Companion and IBM ToDo apps use this Device ID to match the Traveler device with the app installed on the device.
    The user can view this Device ID on the device under Settings / General / Info / Device ID, and it is the ID that is printed on the back of any iPhone or iPad.

    A Device ID looks like this:
    F4KJQ456F19J
    Submitted via ActiveSync it looks like this: ApplF4KJQ456F19J


    The Device ID is device-specific and can be used to track a device. That is why Apple decided last year, with iOS7, to define a new so-called EASDeviceIdentifier, a randomly generated number that should be used in a future release instead of the Device ID. This EAS Identifier will only be used for ActiveSync and cannot be viewed by the user.


    Starting last week with the iOS8 Gold Master release, the iOS ActiveSync client sends the EAS Identifier and no longer the Device ID to the Traveler server.

    The EAS Identifier looks like this: KUSTI1BCOD06VCNOF10EQGNV2G


    IBM had to do some fixes on the server backend and the related Companion and ToDo App to handle this new EAS Identifier.

    So what will happen when you update your already configured iOS device from 7 to 8?

    From what I could already test: nothing, because Apple takes care that, when a Traveler profile already existed under iOS 7, the EAS Identifier is set equal to the Device ID. So all will be fine.

    But when you set up a new iOS 8 device without restoring a backup, Apple will create a new EAS Identifier and use it from then on. Without the update to the new Interim Fix, Companion and the ToDo app will no longer work, and you will find an additional device document in your Traveler inventory, which you may have to approve.

    If you are using an MDM solution like our midpoints mobile.profiler, you will be able to query, collect and view the EAS Identifier together with other device information.

    To sum up: to prevent any trouble, update to the Interim Fix before iOS 8 is in the wild in your environment.


    So far IBM has published this information:


    With Apple changing the iOS8 DeviceId to no longer start with "Appl", some Companion and To Do flows are not functioning properly as the device is no longer recognized as an iOS8 device in the Companion and To Do flows with the new DeviceId. This causes issues in handling prevent copy mails, attachments being limited to the max admin setting when they should not be, out of office not being recognized as supported, and possibly other issues.  This change will fix the recognition of iOS8 with the new DeviceId such that the existing functions work as they did before.




    https://www-304.ibm.com/support/entdocview.wss?uid=swg1LO81842



     

    IBM Notes Traveler 9.0.1 IF6 and 9.0.0.1 IF7 available

     15 September 2014 10:18:03
    Admins start your engines to be prepared for iOS8:

    Today IBM shipped a new Interim Fix for Traveler, 9.0.1 IF6, and for older versions too (9.0.0.1 IF7 / 8.5.3 UP2 IF7).

    If you are already on 9.0.1, feel free to update and, as always, keep your Traveler server up to date!

    APAR List for 9.0.1 IF6:
    APAR # Component Abstract
    LO81050 Server Too many instances of a calendar event may prevent Notes Client from displaying the event.
    LO81078 Server Reply to meeting notice may get delivery failure if lookup fails for canonical name.
    LO81115 Android Rotating device during corporate lookup may result in two progress bars.
    LO81121 Android Compose mail on Android may display as double spaced for the recipient.
    LO81174 Android Corporate lookup from Contacts app not showing all fields available.
    LO81208 Android Auto sync may be disabled after upgrade of Android client.
    LO81358 Android Wipe command for Android shows as pending even though it was executed on device.
    LO81446 Server Newly registered user may fail to sync all folders with Apple device.
    LO81493 Server Very large plain text e-mail could impact server performance.
    LO81514 Server Some attachments may not download to Mobile device.
    LO81546 Server Approval pending devices may not show up in the device security view of web administrator.
    LO81574 Server Drifting OS Clock could result in one or more Traveler HA servers being marked as offline.
    LO81611 Server Device may resync data if sync requests received out of order.
    LO81640 Android Sound notification on Android for new mail may play more than necessary.
    LO81602 Android Device approval for Android device may not be sent in the device language.
    LO81628 Server Defrag of derby database should rebuild constraint indexes.
    LO81659 Server Attachment may not download when name includes iso-2002-jp encoded special characters.
    LO81719 Server iOS8: Support Out of Office departure and returning dates for ActiveSync devices.
    LO81732 Server Cleanup orphan user and device entries from web administration views.
    LO81743 Server Attachment may not download when has Ampersand in the name.
    LO81748 Server Apple device may get stuck in a Calendar sync loop.
    LO81757 Server User listener registration may fail if Traveler database is not reachable.
    LO81815 Server Send mail from older Windows Phone device may have corrupt UTF-8 characters.
    LO81842 Server iOS8: Support registering new Traveler Companion and ToDo applications on Apple iOS 8.x devices.
    LO81898 Server Update the Apple Push Network (APNs) certificates.
    LO81908 Server Device may stop receiving updates if MIME parse error encountered.
    LO81909 Server iOS8: Accepting an unprocessed reschedule on Apple device may result in two copies of event on the device.
    LO81910 Server iOS8: Delete instance of a repeating event on Apple device may send recipients multiple update notices.
    LO81913 Server iOS8: Traveler Companion and ToDo applications may not be able to utilize full capabilities on Apple iOS 8.x devices.
    LO81914 Server Send mail cache could miss a duplicate mail send instance in an HA environment.
    LO81916 Server Call to getLocalHost could impact sync performance.
    LO81919 Server Send e-mail to self may not sync to Inbox on mobile device.




    Go to Fix Central to download the fixes: Fix Central

    IBM Notes Traveler and Apple iOS8

     9 September 2014 10:59:57
    Today IBM published a Technote stating whether IBM Notes Traveler will work with, and be supported on, iOS8.

    UPDATE 15.08.2014: You should update your Traveler Servers to 9.0.1 IF6 / 9.0.0.1 IF7 / 8.5.3 UP IF7 details here


    To sum it up: if you are running Traveler with the latest Traveler Interim Fix (9.0.1 IF5 or 9.0.0.1 IF6 or 8.5.3 UP2 IF6), you are safe. But it looks like there will be a new Interim Fix available in the near future, after the final release of iOS8.

    The good news for customers still running 8.5.3 UP2: you will get iOS8 support, too.

    There is one new iOS8 feature that you should be aware of and that may force IBM to provide a new Interim Fix for the Traveler server.

    iOS8 will support enabling and disabling the Out of Office service from within the ActiveSync account settings. As far as I have tested it, it works with Traveler 9.0.1 IF5 and iOS8 Beta. But Apple lets the user enable Out of Office without a set end date, so that OoO runs forever.
    It works, but in that case the generated Out of Office notification sent out to the sender will contain "I am out of office until NULL".

    IBM should handle this NULL value and will have to ship a new Interim Fix.

    From the Technote:


    Q1. Is support for Apple iOS 8.x devices planned for Notes Traveler?

    Yes. Notes Traveler 8.5.3 Upgrade Pack 2 and later versions will support iOS 8.x devices when they become available.

    ....

    Q3. Will Notes Traveler Companion & To Do applications support iOS 8.x?

    Yes, we are expecting to very soon push to iTunes new versions of Notes Traveler Companion and To Do applications that will support iOS 8.x devices. This Technote will be updated with specific version information once the new versions are posted.

    Q4. What Notes Traveler functionality will be supported on devices running iOS 8.x?
    Functionality and features comparable with those in previously supported releases. New features added in iOS 8.x will not immediately be supported with Notes Traveler; however, support for new features may be introduced over time. This technote will be updated to reflect any new feature limitations or statements of support.


    Q5. Should I upgrade my Notes Traveler server now in preparation for iOS 8.x devices?

    Notes Traveler server versions 9.0.1 Interim Fix 5 and 9.0.0.1 Interim Fix 6 include an update to correctly recognize and handle iOS 8.x devices (per APAR LO81825). Prior to this update, iOS 8.x devices may not have been able to connect to the Notes Traveler server if security settings prohibit unsecure devices or if restricting access by device type or user agent. For additional information on these releases, see the Index of Recommended Maintenance.


    Q6. Will there be any Notes Traveler server updates for iOS 8x?

    Yes, most likely. We are currently testing Notes Traveler with iOS 8 devices. And although most functions should work without issue from day one, closely after the release of iOS 8 it is very likely that we will release a Notes Traveler Interim Fix to address any issues that we find during testing. This technote will be updated to indicate any recommended Interim Fixes should and when they become available.


    Details can be found here: Q&A about IBM Notes Traveler support for Apple iOS 8.x

    If you want SHA-2 Support for Domino HTTP add yourself to Enhancement Request ABAI7SASE6

     22 August 2014 20:41:23
    "IBM Domino support has received several questions and PMRs recently regarding SHA-2 support within Domino. SHA-2 is currently supported with x.509 certificate for s/mime in the Domino environment.
    At this time, the Domino kyr file does not provide native support for SHA-2 certificates for protocols such as LDAPS, HTTPS, DIIOPS, etc.

    We are aware that Certificate Authorities are no longer offering SHA1 certs by default, and many browsers will soon depreciate their trust of SHA1.

    For HTTP requests (on the Windows server platform), we currently recommend using the IHS proxy server, available starting with Domino 9.0:

    *Link to presentation on Implementing TLS support with IBM Domino 9.x and IBM HTTP Server (IHS)
    *Link to IHS reference: http://publib.boulder.ibm.com/httpserv/ihsdiag/ssl_questions.html


    At this time, the request to provide full native support for SHA-2 is currently under investigation by the Domino Development team:

    Enhancement Request Number: ABAI7SASE6

    Technote reference: http://www-01.ibm.com/support/docview.wss?uid=swg21418982  
    APAR reference: http://www-01.ibm.com/support/docview.wss?uid=swg1LO48388  

    If you also desire this functionality in your environment, we encourage you to open a PMR and add your company to the enhancement request. This alerts our development team to the continued interest for this feature, which is not a guarantee of a solution or fix, just an inclusion to this existing enhancement request for this feature to be considered for a future release."

    Please add yourself to the Enhancement Request or participate in the discussion started by Amy Knox (IBM):

    http://www-10.lotus.com/ldd/ndseforum.nsf/xpTopicThread.xsp?documentId=0BBA1D75D92075FC85257D3B006FABB8

    Update 21.10.2014:

    Check out the latest Technote:
    http://www-01.ibm.com/support/docview.wss?uid=swg21418982