IdoNotes (and sleep)

Notes Domino Security Certificate call (my transcript live)

by Chris Miller at 10:07:15 AM on Wednesday, May 13th, 2009

If you have no idea what this is about go read my posting right here, this is big for users people

Starting on Tuesday the 19th 2009, web browser users who access various applets hitting a Domino/Sametime/Quickr server may receive a message that the certificate associated with the applet has expired
This doesn't affect functionality, just the warning error unless the user trusts IBM
The certificate was unable to be renewed until they got close to the expiration. They were limited in time to renew earlier. Then there was testing to do and prep for posting
-----> Open Q&A begins here by pressing *1 and recording your name<--------------
Shawn asks - due to time sensitivity there is not much testing time on the new fixes. Answer: you can test it via java/applet API's to see how it is signed and when it will expire. Since this is a browser that is impacted you can actually on a test machine try it but setting your clock into the future.
Irv asks - on a test server he has overwritten the files. In the java section of the browser will that date be automatically updated on the next connect? Will the people with the older expired certificate get the update automatically or will they have to delete and reinstall soemthing? Answer from Scott Vrusho: The technote will be updated to clarify the this. The user will be prompted to accept the new certificate in the browser just as they were 3 years ago
Ray asks - the remediation effort is just a file swap? Answer - yes
Steve asks - the new applets on Sametime will force the user to be accepted on a prompt if they previously trusted IBM? Answer from Scott - yes even if the user trusted IBM previously they will be prompted
Rob asks - will this affect BES? Answer from Scott - nope
Scott asks - I just shut down HTTP on the Domino server and it would not allow me to replace some jar files due to them being locked Answer from Scott - in testing they could just shut down HTTP but you might have to shut the Domino server down
Steve asks - they are using the Sametime Limited client, is there anything to do? Answer - there shouldn't be since this is meetings and HTTP , not chat
Tim asks - they are using 7.0.3 with Sametime integrated but they use webmail. Will they get the prompt to accept certificates? Answer from Scott - DWA and iNotes shouldn't. all other stock templates have applets
John asks - why the NCSO jar file (sorry missed some of it) Answer they will update the technote to see why that NCSO file is included
?? asks - On sametime server there is both Domino and Sametime fixes to be applied? they did a test and moved server to later date to see behavior and is that it? Are instant meeting users affected? Answer - yes to all parts
Mark asks - on the technote for Sametime it states version 7 and above yet they run 6.5.1. Is it the same of a different patch? Answer - that version is EOL so there is no signed applets for that version. So get to upgrading or you will get prompts
?? asks - Domino and Sametime with EMS in front. Do these jars impact/work with the FIPS encryption? In preliminary testing they did not get into meetings with the new jars. Are they compatible? Could they grab the certs and move them into the jar files Answer - they are not sure and will research. A FIPS version was not ready
Tino asks - specific question for version 7.5 of Sametime and they do not see a fix for that version. Answer - they were suggested to move to 7.5.1 and the CF1 and CF2. While it may not be possible, it would be encouraged. Yet this didnt answer the question.
Mike asks - they have 6.5.6 servers with iNotes 6 template. Is it affected? They loaded a test on a Domino 8,.5 server with the patch. They had no change for the trust question. Answer from Scott - they are not affected. DWA/iNotes is not impacted and no applets on any version
Wayne asks - Quickr on Domino, no Sametime. They use ActiveX verus java for drag and drop is there any concern? Answer from Jennifer - no concern in either case
Lisa asks - running Domino 7.0.3 server with mixed R6 clients and R7 clients on both versions of iNotes/DWA templates. Sametime Connect for browsers are in use, are they affected? Answer from Scott - iNotes/DWA no impact. Sametime Connect is affected and is in the patches
Alan asks - are the expirations time zone related? What about chat functionality through DWA? Answer from Scott - they aren't totally sure but there is an hour associated with the expiration that will adjust based on timezone. Yes the chat for stlinks files used in DWA for awareness are affected and should be checked to see if they are unsigned or signed.
Ian asks - are there any updates for jar files in the client distribution? Answer from Scott - this is fairly niche case where you run and develop web apps to preview in web browser. The applets would show then with the prompt. They are not advertising for normal use case to update the client yet it could affect those "rare" instances. Fixes will be in the later normal later release and fixes for clients. The 8.0.2 FP2 and 8.5 FP1 will have these updates. Later when these expire in 2012 this wont cause the same issue due to timestamping in signing so no future prompts they are rolling into future products
Lisa asks - Domino 7.0.3 in house and they had to bring the server down to replace the one program file directory file. She got a prompt for an applet to choose to always run for it not to come up anymore. Is that normal? Answer from Scott - he questioned which one to see if it was a normal prompt or about the date. It was about accepting to run the software entirely.
Jeff asks - they have Quickplace 7, is there an order to apply with Quickr/Sametime/Domino. Answer - there is no order and no Quickplace patch unless you have Sametime integration with Quickplace. They will update technotes more on how to verify dates.
Mark asks - on all the products they have applied the fix and the user gets prompted, will they also get prompted when they hit Sametime for a meeting the first time or will one acceptance work across? What about our Sametime 6.5.1 servers? Answer from Scott - one acceptance will take care of all of it. There is nothing to do for Sametime 6.5.1 servers since there is no patch for them. Those users will get the security warning.
Rich asks - for Quickplace 6.5.1 there was a patch listed but what about domino? What about the downloadable gold code that is out there now, will these be updated or will I apply fixpacks? Answer from Scott - there is a Domino 6.5.x patch for all versions. You have to download fixpacks, they will not upload fixed gold code.
?? asks - they have a lot of products running on Domino with multiple patches. Portal is the front end.. they exported the SSO key and will this affect it. Answer from Scott - any application relying on the Domino applets will be corrected when replacing the applets. These are just applet certificates, no application or SSO certificates. No issue there.
Tim asks - Their Domino has legacy web apps (over 100)on a 5.0.11 server. Any recourse? Answer from Scott - no.
Bob asks - They tried pushing the clock forward but cant recreate the popup. Answer - going into Java settings in the browser to remove the IBM trust will then show the popup again.
me - are the files the same for Domino 8.0 and Domino 8,5. Sizes and everything else matches Answer from Scott - they should be as they built the Domino 8.5 o n the same codset and no other changes were really made.
Andy asks - Domino 7.0.3 with DWA 6.5.3 template. Answer - no problem

I had to drop off the call at this point, so I missed a handful. The call went almost 30 minutes late.

Location: St. Louis, MO

Category: Domino 8 Sametime
Tags :Domino 8 Sametime View blog reactions

1) Notes Domino Security Certificate call (my notes live)
Created by JYR at 5/13/2009 11:00:17 AM email | website

I was there, great resume!! :-)

JYR

2) Notes Domino Security Certificate call (my transcript live)
Created by Keith Brooks at 5/13/2009 7:37:35 PM email | website

Funny they say there is no quickplace patch, then admit there is.

There is a patch for quickplace, quickr, sametime and domino, some as hot fixes, others as patches and still others as ftp files.

Not very good planning from IBM and I do not look forward to Tuesday.

3) Notes Domino Security Certificate call (my transcript live)
Created by Stuart McIntyre at 5/13/2009 11:33:45 PM email | website

Thanks for the transcript, Chris.

The MP3 recording of this session has now been posted at ftp://ftp.software.ibm.com/software/lotus/info/Domino/OpenMic-2009-05-13-am-ND-ST-QR-QP-Security-Certificate.mp3

blog comments powered by Disqus

Title	Duration	Size	Flash Player
IdoNotes Episode 80 - Lotusphere Abstract Creation with Paul and Gab	00:25:23	23.25 Mb
IdoNotes Episode 79 - Ed Brill on IBM at IamLUG	00:12:53	17.72 Mb
IdoNotes Episode 78 - Admin2010 with Bill Malchisky	00:13:45	18.89 Mb
IdoNotes Episode 77 - Nerd Girls Strike Back at Admin2010	00:31:32	43.32 Mb
IdoNotes Episode 76 - Lotus Protector Mail Encryption	00:17:50	16.33 Mb
IdoNotes Episode 75 - Exclusive with FewClix	00:25:04	22.96 Mb
IdoNotes Episode 74 - Doodle Around	00:24:33	22.64 Mb
IdoNotes Episode 73 - SnappFiles launch	00:19:51	27.46 Mb
IdoNotes Episode 72 - EXCLUSIVE Gist launch from Lotusphere #ls10	00:34:31	47.41 Mb
IdoNotes Episode 71 - EXCLUSIVE Tungle launch live from Lotusphere2010 #ls10	00:15:09	13.88 Mb
IdoNotes Episode 70 - FewClix and the Mac oops	00:03:04	6.60 Mb
IdoNotes Episode 69 - Lotus Protector 2.5 announcements	00:31:22	28.72 Mb
IdoNotes Episode 68 - Sametime Unyte widget screencast	00:03:51	8.97 Mb	Listen Up! IdoNotes Episode 68 - Sametime Unyte widget screencast
IdoNotes Episode 67 - LotusLive iNotes screencast	00:17:25	432.01 Mb
IdoNotes Episode 66 - Quickr on the iPhone launch with Jonathan	00:07:30	10.45 Mb

Entries by Month

Conference/Article Materials

My Files

Not My Files

Blog Hosting Agreement

Links by Category

Connectria Hosted Blogs

Notes Tip Sites

Notes Tips (of course)

Just for Fun

Possible Dead Blogs

Exchange Crap Blogs

Tools

Music Sites

FineTune

Also Known As: Chris Miller (when awake)

Boring Certifications: (only because someone asked twice)

Domino 7 Certified Security Administrator

PCLP ND8

PCLP ND7

PCLP ND6

PCLP R5

PCLP R4

Workplace Collaboration Services 2.5 - Team Collab and Messaging (retired)

CLP Collaboration (soon to be retired Aug 2006)

random former R4 exams

CLI for numerous admin areas including Domino, Sametime and Workplace

CLP Insane

Yes, I write some of those dreaded admin cert exams you take. I won't say which ones so you don't come looking for me, but I will say they are the real good recent ones that have been coming out.

Weapons/Equipment:

At work an IBM thing
At home a plethera of 6 machines with various Windows versions and Red Hat on a wired/wireless LAN
A Wii
An 8830 Blackberry
A Toshiba E740 with 802.11b (yes geek toy)
An Apple 40GB iPod that is filled to the brim
I cannot even list all of the items I carry I found
Compaq RioPort MP3 player (now in storage)
An EBook (REB1100) also for travel (Love that darn thing)
Verizon and they always seem to know how to find me, damn cell

Animals:

One dog, a Puggle. He eats anything that includes stuffing. Anything

Music:

Non-stop. At my desk, in my car, walking to work and back to my car downtown. In the house there is a crazy zoned set-up for you home automation geeks.

I am a self-proclaimed MP3 fiend, to which I have tried rehab 4 billion times to no avail. Next is the MP3 hard-drive for the car that I found. Now what kind of music you ask? I will never tell.

Languages:

Incredibly fast English
Very slow Spanish
Emoticon-ese
Learning Korean
HTML
Advanced Sarcasm

Geek class special abilities:

Notes/Domino overdrive
Workplace
Sametime
Active Directory (huh? kidding)
Quickplace
LMS, LVC and the other L's of elearning
Windoze junk
MS Exchange versions
LAN
TCPIP
Server Iron
Yeah, yeah it goes on some

Skills:

Get back to you here

Spells:

Hershey’s Stomach of Holding: Jess and I are fighting over who eats more chocolate.

Character Bio:

This will take far more time than I have today. I will start with I was born and still live in St. Louis, MO. Even though for a couple years I was never, ever here and always on the road, this is smack in the middle of the US. Everything is just a few hour flight. That part is nice. No beach/ocean/coast isn't the best. But with the travel I make up for it.