Monday, December 29, 2014

A little more on the Poodle (IBM Domino 9.0.1 and the Poodle Vulnerability)

In my last post, I discussed the steps required to get your Domino 9.0.1 server patched against the poodle bug which exists in both SSL 3.0 and TLS.  At the end of the post, I mentioned that I still had one server which was refusing to apply the patch.

This is how I got around the problem. 


The Server that Wouldn't
After taking the patches all the way back to Fix Pack 1 and slowly patching forward one-by-one with reboots in between, I realised that whatever was affecting my server had been installed for a long time.

There was no easy way to resolve the problem and obviously I couldn't roll back forever.  I just had to accept the fact that the server would not take the patch and take some more drastic measures.



Backup First
Of course, before taking any drastic measures, you should always backup first. Personally, I like to have a proper backup as well as a local copy of the main domino files.  That way I don't have to worry about streaming and tapes.

I manually took a copy of the D:\Lotus\Domino folder on the server (but not sub-folders) and saved it elsewhere.  Then, being careful to overwrite only obvious program and library files, EXE, DLL plus any other non-data files, I copied the files from a server which was otherwise at the same level (64 bit Domino 9.0.1) but had been successfully patched.

After the copy, I restarted the server and retested for the poodle problem. Luckily, the file-copy procedure had resolved it.

Yet again, I'm thankful for the low tech nature of domino and the fact that it doesn't go crazy with registry entries. 


What if I don't have a working Server?
So, if you don't have a working poodle-proof server and you're faced with a similar issue to mine, then one of the simplest options is to install a brand new Domino 9.0.1 server and patch it, then try copying the files across.  There's a pretty good chance that it will do the job.

Wednesday, December 24, 2014

Taming the Poodle in IBM Domino 9.0.1


There's been a lot of talk lately about the Poodle Vulnerability and IBM have provided a rather slow and confusing response full of similarly named files across multiple web pages. We've mostly gotten our systems sorted now but as it was a difficult process, I thought I'd share some of the things I've learned.  If nothing else, I'm sure that other people could benefit from the fix lists being in the one place.  Huge thanks to the guys in the IBM Notes groups on LinkedIn who provided most of the best insights here.

The poodle vulnerability isn't a new thing (it's 15 years old) but recently browser vendors, particularly Mozilla (and soon Google) have have issued upgrades which block access to vulnerable sites by default. I guess that means it's time to deal with it. 

This is what the Firefox error message looks like.

One more thing.... In case you've already dealt with poodle and you think that your system is safe because Mozilla Firefox is no longer complaining, here's a good test; 

https://www.ssllabs.com/ssltest/


Just enter your server domain in the box (and make sure that you tick the box about NOT showing up on the boards. If you're safe, you'll get an A or a B.  If you're still vulnerable to poodle, you'll get an F.


Being on the Latest IBM Domino server
So, the first port of call is to be on the latest IBM server if possible.  That's Release 9.0.1.

IBM has actually provided fixes for a few other versions of domino, so it's not the end of the world if you're not on the latest, provided that you're on one of these.

  • 9.0.1 Fix Pack 2
  • 9.0
  • 8.5.3 Fix Pack 6
  • 8.5.2 Fix Pack 4
  • 8.5.1 Fix Pack 5

However, I've heard that the 8.5 releases don't include the full fix (I could be wrong). So, a 9.x release is a better bet.

Working out what version/patch your Server is
There are a bunch of different ways to do this but my favourite is to simply fire up the Notes admin client and connect to the server.  You'll see the patch level  in the top left.


Release 9.0.1FP2HF590 is the first version of Domino (for 64 bit Windows) which is fully patched against Poodle.   If your server has a higher number (eg: 9.0.2 or 9.0.1FP3 or 9.0.1FP2HF700) then you should be fine. If it's a lower number, then you probably have work to do.


Patching
The patches are actually quite simple to install provided that you download all of them and install them in the right order.  It's best to make folders (and copy them all to an install folder on your server) before starting anything.

The patches you'll need for a basic unpatched Windows 64 bit Domino 9.0.1 installation are as follows (in this order);

Domino 9.0.1 Fix Pack 2
http://www-01.ibm.com/support/docview.wss?uid=swg24037141

You don't have to install Fix Pack 1 because fix packs are cumulative (they contain the earlier fixes too).

Interim Fixes 1, 2 and 3

Unlike the fix packs, interim fixes are not cumulative, you need to install them all and in the exact order.

  • Domino 9.0.1 Fix Pack 2 Interim Fix 1 (This was released twice, so make sure that you have the version from Nov 5, not Nov 3)
  • Domino 9.0.1 Fix Pack 2 Interim Fix 2 (released December 12, 2014)
  • Domino 9.0.1 Fix Pack 2 Interim Fix 3 (released December 19, 2014)

You should be able to find most of the patches here;
http://www-01.ibm.com/support/docview.wss?uid=swg21657963

Once you've got all your patches in the right place, you'll need to find an outage window to shut down your server. It's strongly recommended that you do a backup before proceeding.

To install the fixes, simply run the EXE files and follow the prompts, they should take only a few minutes each.  It's not always necessary for a server reboot between fixes but I've had variable results trying to cheat, so it's worth the extra time on important production servers.

Be careful because some of the fixes look like they're done (with graphs sitting at 100% and a thank you message and a close button).  It's not finished until the bar graphs disappear.

Before you do your final reboot, there's an INI File setting that you need to change.


The INI File Setting
Use Notepad to edit your system's Notes.ini file.
Add a line (pretty much anywhere in the file), which says;

DISABLE_SSLV3=1

I'm fairly certain that this overrides the unsupported command;

DEBUG_UNSUPPORTED_DISABLE_SSLV3=17

So if you see that setting you can probably remove it.
After this you can reboot your server, do your testing and redo the Qualys test.
https://www.ssllabs.com/ssltest/


Other Fears and Concerns.
I've tested this on servers running Traveler, Domino and iNotes.  It seems to work. I haven't tested on the current version of Sametime.

There's some discussion around suggesting that this affects mail,  I didn't see any impact on mail.

You don't need to get a new SSL certificate. The old ones should still work with TLS.


Other things to Consider
There seems to be a patch for Traveler too, so this is probably worth applying.
I haven't gotten around to testing that one yet.

https://www-304.ibm.com/support/docview.wss?uid=swg1LO82423


Problems.
The main problem I found was this message;

From what I can tell, it's indicating that you're installing fixes either in the wrong order (or that Interim  Fix 1 is the wrong dated version).

One time when I received this, I just had to go back to the beginning and install Fixpack 2 and then the hotfixes carefully.  On another server, I can't get past this message (and suspect that a certain amount of uninstalling or rollback will be required).


Like I said, backup before you do this and best of luck Taming your poodle.

Friday, November 28, 2014

IBM Notes: 25 Years and Counting...


Today marks 25 Years of IBM (Lotus) Notes. It's a pretty impressive lifespan for a product. Sure, Windows has been going 29 years and there are many older systems out there but few I suspect have retained the incredible levels of compatibility that Notes has. Can you still run Windows 1.0, 2.0, 3.0 or even 95 programs on the latest Windows? Sometimes, but not really. Not without emulation. Notes applications however still run fine on the newer notes platforms. 

What is Notes?
For so many years, people thought that Notes was email - in fact, they still do today.  I have no idea why they have that impression, after all, IBM/Lotus sold a separate product, CC:Mail for years before finally deciding that Notes handled mail well enough to not require it any more. 

Nevertheless, Notes always drew comparisons with outlook and lots of companies moved away from Notes mail because it was fashionable (and a safe bet) to use Microsoft and because they figured that the new versions of Outlook did mail better than their Notes (which usually hadn't been upgraded in years). Many of the companies which "moved away" still run conveniently forgotten back-room Notes installations for their applications. Mail is moved but the applications are still there. 

I mostly blame IBM for this, for failing to answer the simple question - what is notes? 

Notes is a rapid development and runtime environment with built-in collaboration, security and replication. 

That's what Notes is. 


Where to from here?
I picked the screen shot at the top of this post deliberately to show that the current version of Notes still has the workspace that the original has. I don't use the workspace, I haven't for about a decade. We have our own nice front end. 

The future of Notes is the web. 

Most of our in-house applications operate equally well in the Notes client and on the web. At the moment our users are still using the client and our customers use the web. The plan is for the development/admin team to continue using the client and for everyone else to use the web. 

IBM have a web offering for Notes/Domino apps but the beauty of having your own domino server is that you own your own cloud. Also, if our customer base want a new system,we can simply and easily develop, test and deploy it, without having to worry about extra runtime requirements. 


What I want from IBM
  • Clear Messages
    Stop muddying the waters with name changes, Connections, Sametime, WebSphere, Cognos and the web versions of these and all your other products. Make a clear statement of what the product does, why it is different to the other products, how it connects and how it adds real business value. Stop treating Notes like it's mail product.
  • Rapid Application Development
    Sort out the XPages mess. Yes, they're good but they take the R out of RAD.
  • Mobilize
    We want a compiler that will wrap up basic android, iOS and Windows functionality into APPs that work with a web-based domino server.
  • Be Proactive not Reactive
    The poodle attack vector was uncovered about 18 years ago. IBM was informed (apparently) 5 years ago. We (the customer base) had to fight way too hard to get a fix delivered -- and even then, I haven't installed it yet because I've heard too many horror stories about the installation.
  • Use OpenNTF Wisely
    OpenNTF is a great resource. All of the standard Notes templates should be developed there with the collaboration of the global notes resources. This would allow real users to provide instant feedback and suggestions for mail and calendar improvements. 


Here's to another 25 years of Notes/Domino - I want to retire before it does.  




Monday, August 11, 2014

Using your Operating System Login for IBM Notes can "Poison" your IDs (and how to fix it)

For years, we've had it easy with Notes. We've had our ID files stored safely on a secure drive and whenever a user moved to a new desktop, we could simply copy their original ID over to their new machine and do most of the setup without them.

All that changed somewhere between Windows 7, Notes 9 and getting Notes to use the Operating System login. It's a good change, don't get me wrong and it certainly protects the users privacy and makes things more secure. Unfortunately it also renders all of our ID's "Poisonous" and now we can't reuse them.

Instead when opening an ID file on a new client installation, just after agreeing to "copy the file to the Notes data directory", we get messages telling us that Notes cannot open the ID File.   Eventually I tried other ID files only to find the same problem.

Fixing the Problem
As it turns out, there's a surprisingly easy fix for this. Simply generate a password protected copy of the ID from the existing installation.

  1. On the working version of the Notes Client for your user that is moving, select File, Security, User Security.
  2. You'll be prompted to enter their Windows Password, get  them to do this and click Ok.
  3. On the User Security screen, click Copy ID...


  4. Choose a location to save your ID.
  5. You will be prompted to enter a password for this new ID



  6. Once your ID is saved, you'll be able to use it on new installations.


What happens when you don't have an existing installation to pick from?
So this procedure works very well if you're moving an existing user but what if their hard disk got corrupted and they're forced to move without their ID?

I haven't tried this method but I've read about it in several forums...

Apparently you can delete the user from the NAB (using the delete key not the Domino delete user function).
I've also heard it said that you can do this by updating rather than deleting the NAB Entry.

Next, create a new user with the same name, same short name and same internet address.
Make sure that you choose a different mailbox name though or things could get ugly when it gets overwritten.

Choose to store the ID on disk and complete the registration process.


Go into the NAB record and change the person's mail file back to the desired location.

You should now have a working ID.


One thing to remember though, creating a new ID will allow you to set up a user and access mail but it won't let you get to any encrypted mail. Those are linked more closely with the original ID.

Monday, June 23, 2014

Reusing Text in Word 2010 via Bookmarks - Part 2 Getting your formatting right


In my last post on reusing text via bookmarks in Word, I mentioned that there was a problem with the reused text retaining formatting. 

Sure, you can reformat the text to look how you want but when you update it, then new text takes on characteristics of the old.  You end up with text that looks like this....


There's an easy (but not obvious) way to fix this;


Getting into Reveal Codes Mode on Field
So, first we need to know exactly what makes our fields tick.  So, click on one of your fields and then press Alt+F9.  The field will change to show the code.

In my case, the code is;

{REF Title \h \* MERGEFORMAT }

This is more or less the default setting (the word title is the name of the bookmark I inserted).  Mergeformat means that the format of the original text is being merged.

To change this option, simply click on the code and overtype it.
In this case, we're going to change MERGEFORMAT to CHARFORMAT.

Once this is done, Press Alt+F9 to turn reveal codes off and then update your field.  (Remember that print preview is probably the fastest way to do this).

If you apply formatting to your field, it will now update with the rest of the field.


If you're still having trouble, it's worth remembering that Charformat applies the formatting of the first character (in this case, the R in REF), to the rest of the code.  You might want to reveal codes and then apply formatting directly to the word REF.

Thursday, June 19, 2014

How to Reuse Text via Bookmarks in Word 2010 (Update once and have it auto-update throughout the document)

I guess this is a bit of an oldie but I was surprised how many people didn't know about it. 

Why would you do this?
If you find yourself opening old documents and then doing a search and replace to change a name, a date or a version number, then this is the tip for you.  It allows you to write your key information down once and then have it auto-update.

If you do a lot of contracts or quotes - or basically any kind of document based on a template, then you'll find this very handy.

Getting Started (Bookmarking the Original Text).
Open a Word document and type in some useful repeating text;

eg:
Customer Name:  MyCompany Limited

1. Highlight that text

2. Select the Insert Tab on the Ribbon.

3. Click the Bookmark Button



A dialog box will appear.

4. Type a name for your bookmark.  
This can be any name but it should be something that you'll recognise when you see it.

5. Click Add.


Inserting the Bookmarked Text
So, now that you have bookmarked some text, it's time to reuse that text in other places in your document.

1. Go to a place in your document where you would like to insert the text.

2. Click on the Tab marked Insert

3. Click on the button marked Cross-reference.


4. In the dialog box, set the reference type to Bookmark.

5. In the big white section, choose the bookmark name that you typed earlier.

6. Click Insert.


Note that the dialog box will not close until you click Cancel.  This is actually quite useful behaviour because it means that if you want to reference the company throughout your document, you can just move the cursor to the next place and press Insert again.  When you've finished, click Cancel.

Updating Text
So, now you have your original text and the reused text.
Try changing your original text.
You can update individual samples of your text by clicking on them and pressing F9 but the best way to update everything in one go is to print preview.  Just Press Ctrl+P and then press ESC.  Your document will be updated.




Drawbacks
There are two drawbacks to this method.

1. Fields don't update automatically.
Strangely, this behaviour is by design.  If you find it annoying, you can add a macro to do it for you.  See this article for instructions.

2. Text inserted this way carries the original source formatting. In my experience this is the more annoying problem. In my next post, I'll show you how to change this.

For more on bookmarks, including how to add bookmarks from other documents, see this site.

Wednesday, February 05, 2014

How to do Bullets and Numbering in IBM Notes

I forgot the F8 shortcut key today and I looked it up via google. On the way I found a post about colouring text white to hide bullets in notes.  Crazy.  In any case, I wrote these instructions for my people and thought it was worth sharing on the blog;

How to Do Bullets and Numbering in IBM Notes

There are lots of cool things you can do with bullets in IBM Notes.

To turn them on and off, click the bullets or numbering icons on the toolbar


Getting Spacing in Bullets

  • If you're in the middle of a bulleted or numbered paragraph and you want a few lines to yourself.

    Press Shift+Enter
    This gives you a new line inside the bullet.
  • When you press ENTER again without holding down shift, then your bullets will start again.
BTW: That trick works in Notes and Word and blogger and nearly every other application I can think of.



Getting Indentation in Bullets
If you're wanting to do sub-bullets;

  • For example
    • Just below and indented from the main bullet
    • Like a sub-point.
      • Just press F8
      • If you want yet another level, press F8 again.
      • When you've finished,
      • Simply end the bullets or 
    • Press Shift+F8 to get back.

In word and blogger, the F8 is simply the tab and shift-tab keys.


Using Different kinds of Bullets

  • To change your style of bullet, press ALT+ENTER to bring up the properties box.
  • Click on the second tab (it has a paragraph icon on it).
  • The new bullet will take effect immediately. 
  • You don't need to close the box (in fact, it's quite useful when left open).
  • Choose a new bullet type from the list.
  • You can mix and match bullets as you please.


Re-ordering Bullets
  • To re-order items in a bulleted list,
  • Simply hold down the CTRL key and press the up arrow (to move things up)
  • and hold down the CTRL key and press the down arrow (to move things down)
  • That's it.