HCL Domino Ideas Portal

Status Needs Review
Workspace Domino
Categories Administration
Created by Guest
Created on Aug 22, 2023

When will Domino HTTP be able to handle a standard SSL cert in a standard format, and handle server cipher suites?

When will domino HTTP be able to handle a standard .pfx SSL Cert?

When will Domino abandon their own cipher suites and use the ciphers on the server (like IIS does)?

The whole .kyr file is incredibly difficult to deal with. Hard to explain to security and auditors? Cannot be handled by an Enterprise Certificate Management team (per Enterprise Policy).

Cipher vulnerabilities cannot be handled by Enterprise vulnerability teams. They handle all weak ciphers for all my other web sites (IIS, etc.). But I cannot get them to automatically handle any Domino weak ciphers.

Both of these are a real burden and make Domino seem to be a White Elephant at the Enterprise level.


  • Guest, Sep 23, 2023

    Domino 12.0 introduced CertMgr as linked already below.

    CertMgr comes with the certstore.nsf -- A domain wide database to securely manage all your server certificates and trusted roots.

    CertMgr, certstore.nsf and the new TLS cache are designed from ground up using standard key and certificate formats.

    The most common and easiest to use standard is PEM, which is used as the standard format for all keys and certificates in certstore.nsf. But the import functionality also supports PKCS12 (aka P12 -- which Microsoft calls PFX, by the way).


    Ciphers are currently configured in the server document or by internet site. Domino comes with its own security stack and is a cross-platform application, which cannot use the "platform configured ciphers".


    Domino updates the weak cipher list in every dot release. Weak ciphers are disabled by default if you keep your Domino servers updated.

    What should be improved is the management of ciphers for internet sites. There should be a more global way to configure ciphers server- or even domain-wide. Managing them per internet site isn't really transparent.

    Domino 12+ fully supports ECDSA in addition to RSA keys. Switching to ECDSA keys (which all modern applications support) overrides the cipher settings and uses the following two ciphers:


    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xC02B)

    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xC02C)

    https://help.hcltechsw.com/domino/12.0.2/admin/wn_ECDSA_cryptography.html

    ECDSA keys also perform better and would solve your cipher management problem: there is no cipher management needed once you switch to ECDSA.
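The two threads of this discussion, the original poster's complaint that a vulnerability team cannot review Domino's weak ciphers the way it reviews IIS, and the comment above about per-site cipher lists and the two suites that remain once the server key is ECDSA, can both be illustrated with a small, offline cipher-list audit. The following is an added example written for this page, not code from HCL, Domino or the commenter. It parses IANA-style cipher suite names (the format used in the list above) into key-exchange, bulk-cipher and MAC parts, applies a policy whose thresholds are my own assumption of a common modern baseline (not Domino's shipped weak-cipher list), and shows which configured suites are still negotiable once the server certificate is an ECDSA key, which is a property of TLS suite authentication in general and is what makes the two ECDHE_ECDSA GCM suites the only survivors. The server cipher list at the bottom is constructed, not taken from any real server document.

```python
"""Cipher suite policy check over a server's configured TLS cipher list.

Added example for this thread, not HCL's or Domino's own code. The policy
thresholds ("reject" vs "legacy" vs "modern") are assumptions of a common
modern baseline, not Domino's shipped weak-cipher list.
"""
import re
from dataclasses import dataclass, field

# The two suites named in the comment above, with their IANA code points.
ECDSA_GCM_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": 0xC02B,
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": 0xC02C,
}

# TLS 1.2-style names: TLS_<key exchange/auth>_WITH_<bulk cipher>_<MAC>
_TLS12_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<bulk>.+)_(?P<mac>SHA256|SHA384|SHA|MD5)$")
# TLS 1.3 names carry only the AEAD and hash; key exchange is always ephemeral.
_TLS13_RE = re.compile(
    r"^TLS_(?P<bulk>AES_128_GCM|AES_256_GCM|CHACHA20_POLY1305|AES_128_CCM(?:_8)?)"
    r"_(?P<hash>SHA256|SHA384)$"
)


@dataclass
class SuiteVerdict:
    name: str
    verdict: str                  # "modern", "legacy" or "reject"
    reasons: list = field(default_factory=list)


def classify(name: str) -> SuiteVerdict:
    """Parse an IANA suite name into its parts and apply the policy."""
    if _TLS13_RE.match(name):
        return SuiteVerdict(name, "modern", ["TLS 1.3 AEAD suite"])
    m = _TLS12_RE.match(name)
    if not m:
        return SuiteVerdict(name, "reject", ["unrecognised suite name"])
    kx, bulk, mac = m["kx"], m["bulk"], m["mac"]
    reject, legacy = [], []
    if any(t in kx for t in ("anon", "NULL", "EXPORT")):
        reject.append(f"key exchange {kx}: unauthenticated or export-grade")
    elif not kx.startswith(("ECDHE_", "DHE_")):
        legacy.append(f"key exchange {kx}: no forward secrecy")
    # "DES" also catches 3DES_EDE_CBC; "AES" does not contain "DES".
    if any(t in bulk for t in ("NULL", "RC4", "RC2", "DES", "EXPORT")):
        reject.append(f"bulk cipher {bulk}: broken or export-grade")
    elif not any(t in bulk for t in ("GCM", "CCM", "CHACHA20")):
        legacy.append(f"bulk cipher {bulk}: not AEAD (CBC mode)")
    if mac == "MD5":
        reject.append("MAC: HMAC-MD5")
    elif mac == "SHA":
        legacy.append("MAC: HMAC-SHA1")
    if reject:
        return SuiteVerdict(name, "reject", reject + legacy)
    if legacy:
        return SuiteVerdict(name, "legacy", legacy)
    return SuiteVerdict(name, "modern", ["ephemeral key exchange with AEAD cipher"])


def audit(enabled):
    """Group a configured cipher list by verdict, e.g. for a vulnerability-team report."""
    groups = {"modern": [], "legacy": [], "reject": []}
    for s in enabled:
        groups[classify(s).verdict].append(s)
    return groups


def ecdsa_key_suites(enabled):
    """Suites a server can still negotiate once its certificate key is ECDSA.

    A suite's authentication part must match the certificate key type, so with
    an ECDSA key only *_ECDSA suites (and TLS 1.3 suites) remain usable; the
    RSA suites in the list become dead configuration.
    """
    usable = []
    for s in enabled:
        if _TLS13_RE.match(s):
            usable.append(s)
            continue
        m = _TLS12_RE.match(s)
        if m and m["kx"].endswith("_ECDSA"):
            usable.append(s)
    return usable


# Constructed sample: a mixed list such as an older internet-site document might carry.
SAMPLE_SERVER_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

if __name__ == "__main__":
    for verdict, names in audit(SAMPLE_SERVER_SUITES).items():
        print(f"{verdict:7} {names}")
    for s in ecdsa_key_suites(SAMPLE_SERVER_SUITES):
        print(f"usable with ECDSA key: {s} (0x{ECDSA_GCM_SUITES.get(s, 0):04X})")
```

Run it as-is to see the constructed list split into modern, legacy and reject groups, with the reasons available on each `SuiteVerdict`; feed `audit()` the suite names from your own server or internet-site document to get the kind of report a vulnerability team expects. The `ecdsa_key_suites()` result on the sample is exactly the two ECDHE_ECDSA GCM suites, which is why the comment says there is nothing left to manage after the key switch.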



  • Guest, Aug 24, 2023

    I followed the link. I couldn't find information on

    1. Take the .pfx file you get from your certificate people.

    2. Put it on the server, right-click and install.

    3. Go to server doc (or other doc). Hit the drop down list to see all certificates in the Cert Store.

    4. Select it from the list.

    5. Restart HTTP.

    This is essentially what we do for IIS; why does it have to be so hard for Domino? This assumes of course that the ROOT cert is already in Windows' Cert Manager.