Revisit: Wildcard SSL certificate from P12/PFX file into Domino

Original document is here: http://www.infoware.eu/?p=7226
The objective of this article is to provide an example of how to do this, hopefully with no discussions and no questions left unanswered. Of course this example is based on a particular situation with a specific certificate provider, but it can hopefully be translated to any other situation with other certificate authorities.
I wrote an earlier article; this is an update.

Contents
1. Assumptions
2. What do I need
3. OpenSSL
4. Kyrtool
5. Syntax
6. Example
7. Implement the files on the server
8. Check out if it works
9. Important note
10. Conclusion

Assumptions:
Running 64-bit Windows (directory separator = \)
The PFX file contains the certificate as well as the intermediate and root certificates
Domino server running 9.0.1 FP3

What do I need:
1. An exported P12/PFX file (in my case from IIS) containing the wildcard certificate's private key as well as the certification path to it.

2. OpenSSL:
Homepage: https://www.openssl.org/source/
Easy precompiled: https://slproweb.com/products/Win32OpenSSL.html
The one I used: http://slproweb.com/download/Win64OpenSSL-1_0_2g.exe

3. Kyrtool:
Fixcentral short: http://ibm.co/1SAYX5E
Fixcentral long: http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ELotus&product=ibm/Lotus/Lotus+Domino&release=9.0.1.2&platform=All&function=fixId&fixids=KYRTool_9x_ClientServer&includeSupersedes=0

Syntax:
<ossldir> = Where you installed OpenSSL eg. C:\OpenSSL-Win64
<pfxdir> = Where you have placed your pfxfile
<pfxfile> = Name of your pfxfile eg. wildcard_acme_com.pfx
<pfxpassword> = Password to your pfxfile
<pemdir> = Where you want to place your pemfile
<pemfile> = Name of your pemfile eg. wildcard_acme_com.pem
<notespgmdir> = Notes or Domino program directory, minimum 9.0.1 FP3
(this assumes the Notes program directory is in your PATH; if not, run the commands from the program directory)
<kyrdir> = Directory where you want to put your kyrfile
<kyrfile> = Name of your kyrfile eg. wildcard_acme_com.kyr
<kyrpassword> = Password to your kyrfile

Check your pfx file:
<ossldir>\bin\openssl pkcs12 -info -in <pfxdir>\<pfxfile>
enter <pfxpassword> when asked for the import password (leave the PEM pass phrase empty)

In general:
1. <ossldir>\bin\openssl pkcs12 -in <pfxdir>\<pfxfile> -out <pemdir>\<pemfile> -nodes -chain
enter <pfxpassword> when asked for the import password (leave the PEM pass phrase empty)
2. <notespgmdir>\kyrtool create -k <kyrdir>\<kyrfile> -p <kyrpassword>
3. <notespgmdir>\kyrtool import all -k <kyrdir>\<kyrfile> -i <pemdir>\<pemfile>
Check in general:
1. <notespgmdir>\kyrtool show certs -k <kyrdir>\<kyrfile> >kyrcerts.txt
2. <notespgmdir>\kyrtool show keys -k <kyrdir>\<kyrfile> >kyrkeys.txt
3. <notespgmdir>\kyrtool show roots -k <kyrdir>\<kyrfile> >kyrroots.txt

Example:
1. C:\OpenSSL-Win64\bin\openssl pkcs12 -in C:\mypfxfiles\wildcard_acme_com.pfx -out C:\mypemfiles\wildcard_acme_com.pem -nodes -chain
enter <pfxpassword> when asked for the import password (leave the PEM pass phrase empty)
2. C:\IBM\Lotus\Domino\kyrtool create -k C:\mykyrfiles\wildcard_acme_com.kyr -p password
3. C:\IBM\Lotus\Domino\kyrtool import all -k C:\mykyrfiles\wildcard_acme_com.kyr -i C:\mypemfiles\wildcard_acme_com.pem
Check sample:
1. C:\IBM\Lotus\Domino\kyrtool show certs -k C:\mykyrfiles\wildcard_acme_com.kyr >wildcard_acme_com_kyrcerts.txt
2. C:\IBM\Lotus\Domino\kyrtool show keys -k C:\mykyrfiles\wildcard_acme_com.kyr >wildcard_acme_com_kyrkeys.txt
3. C:\IBM\Lotus\Domino\kyrtool show roots -k C:\mykyrfiles\wildcard_acme_com.kyr >wildcard_acme_com_kyrroots.txt
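Before handing the pem file from step 1 to kyrtool, it pays to check that the export actually produced what the import needs. The following is an added example, not code from the original post: a structural check on the PEM bundle (one private key, unencrypted because -nodes was used, and the leaf plus at least one issuer certificate). The sample bundle embedded in it is constructed with placeholder base64, not real key material.

```python
# Added example, not from the original post: a structural sanity check on the PEM file
# that step 1 (openssl pkcs12 ... -nodes) writes, run before "kyrtool import all".
import re

# A PEM block: BEGIN line, body, matching END line (\r?\n copes with Windows line endings).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, body) for every PEM block in file order; openssl's
    'Bag Attributes' lines between the blocks are ignored."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]

def check_pem_bundle(text):
    """Return a list of problems; an empty list means the bundle looks usable.
    Checks: exactly one private key, the key is unencrypted (-nodes was used),
    and the leaf certificate plus at least one issuer certificate is present."""
    problems = []
    labels = [label for label, _ in pem_blocks(text)]
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    certs = [l for l in labels if l == "CERTIFICATE"]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    if "ENCRYPTED PRIVATE KEY" in keys or "Proc-Type: 4,ENCRYPTED" in text:
        problems.append("private key is encrypted; rerun openssl pkcs12 with -nodes")
    if len(certs) < 2:
        problems.append(f"found {len(certs)} certificate(s); intermediate/root chain missing")
    return problems

def check_pem_file(path):
    """Convenience wrapper for a real file, e.g. C:\\mypemfiles\\wildcard_acme_com.pem."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return check_pem_bundle(fh.read())

# Constructed sample in the layout openssl pkcs12 writes (placeholder base64, not a real key).
GOOD = """Bag Attributes
    friendlyName: *.acme.com
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqPLACEHOLDER
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: *.acme.com
-----BEGIN CERTIFICATE-----
MIIFPLACEHOLDERLEAF
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEPLACEHOLDERINTERMEDIATE
-----END CERTIFICATE-----
"""
# The same bundle as it would look if -nodes had been forgotten: the key block is encrypted.
NO_NODES = GOOD.replace("PRIVATE KEY-----", "ENCRYPTED PRIVATE KEY-----")
```

Run check_pem_file on the real pem file; an empty result means the bundle has the shape kyrtool import all expects, anything else names what is missing.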

Implement the files on the server
1. Copy the kyr file and the associated sth file to the server
2. Add the kyrfile name to your Internet Sites document or Server document, depending on how your server is configured
3. Modify the cipher settings
4. Make sure the SSL port is enabled in the Internet Ports... section
5. Restart the HTTP task on the server, run sh ta onl and check that HTTP listens on both 80 and 443

Check out if it works
1. Use your browser and connect to your server via https
2. Look at your certificate information
3. Congratulations

Important note:
Following this procedure means that the pem file in particular is unprotected, so keep it in a safe place while you work and consider deleting it afterwards. The same goes for the kyr file (you cannot delete it, but keep it as safe as you can), as it also contains the private key.

Conclusion
Doing this task is no more complicated than any other task that involves certificates on any other platform.

Link to this document: http://www.infoware.eu/?p=7226

IBM Connections using Active Directory and Nested Groups

Original blogpost here: http://www.infoware.eu/?p=7180

Case:
The customer wants to use nested groups in access control for Communities; it should also be reflected in "I'm a Member" when a user looks for their communities, and so on. Connections was 4.5 CRx.

Links found via Google that I tried but that did not work for me (for reasons unknown):
http://www.lbenitez.com/2015/11/how-to-enable-nested-ldap-groups-in-ibm.html
http://www-01.ibm.com/support/docview.wss?uid=swg21321308
http://www-10.lotus.com/ldd/lcforum.nsf/869c7412fe5d56b7852569fa007826e3/4aa9a40d4818785f85257b3b004e3240?OpenDocument
http://www.communardo.de/home/techblog/2014/06/04/nested-groups-ibm-connections/

I found something that worked for me (it seems logical looking at the description):
http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
coming from this thread:
https://social.technet.microsoft.com/Forums/scriptcenter/en-US/f238d2b0-a1d7-48e8-8a60-542e7ccfa2e8/recursive-retrieval-of-all-ad-group-memberships-of-a-user?forum=ITCG

Description:
All groups the specified user belongs to, including through group nesting (Notes 10, 19)
eg. (member:1.2.840.113556.1.4.1941:=cn=Jim Smith,ou=West,dc=Domain,dc=com)
All members of the specified group, including through group nesting (Note 10)
eg. (memberOf:1.2.840.113556.1.4.1941:=cn=Test,ou=East,dc=Domain,dc=com)
Note 10.
The string 1.2.840.113556.1.4.1941 specifies LDAP_MATCHING_RULE_IN_CHAIN. This applies only to DN attributes. This is an extended match operator that walks the chain of ancestry in objects all the way to the root until it finds a match. This reveals group nesting. It is available only on domain controllers with Windows Server 2003 SP2 or Windows Server 2008 (or above).
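To make the difference between the two filters concrete, here is an added example (not from the original post, and not how WebSphere or AD implement it): a constructed in-memory directory with nested groups, a plain memberOf lookup beside the chain walk that LDAP_MATCHING_RULE_IN_CHAIN performs, and a nesting loop to show why the walk must remember what it has already visited.

```python
# Added example, not from the original post: what the LDAP_MATCHING_RULE_IN_CHAIN filter
# resolves compared with a plain memberOf lookup, over a constructed in-memory directory.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Constructed sample directory: group DN -> member DNs (users or groups). The last entry
# nests cn=Test back inside nestgroup2, a loop a naive recursive lookup would never leave.
DIRECTORY = {
    "cn=Test,ou=East,dc=Domain,dc=com": [
        "cn=nestgroup1,ou=East,dc=Domain,dc=com", "cn=Ann Lee,ou=East,dc=Domain,dc=com"],
    "cn=nestgroup1,ou=East,dc=Domain,dc=com": ["cn=nestgroup2,ou=East,dc=Domain,dc=com"],
    "cn=nestgroup2,ou=East,dc=Domain,dc=com": [
        "cn=Jim Smith,ou=West,dc=Domain,dc=com", "cn=Test,ou=East,dc=Domain,dc=com"],
}

def chain_filter(attribute, dn):
    """Build the extended-match filter from the post, e.g. (member:<rule>:=<dn>).
    (A real directory compares DNs case-insensitively; this toy compares exact strings.)"""
    return f"({attribute}:{LDAP_MATCHING_RULE_IN_CHAIN}:={dn})"

def direct_groups(user_dn):
    """Plain member/memberOf lookup: only groups that list the user directly."""
    return sorted(g for g, members in DIRECTORY.items() if user_dn in members)

def groups_in_chain(user_dn):
    """What (member:<rule>:=<user_dn>) returns: every group reached by walking the
    nesting upwards. The 'found' set stops the walk when a nesting loop comes round."""
    found, stack = set(), [user_dn]
    while stack:
        dn = stack.pop()
        for group, members in DIRECTORY.items():
            if dn in members and group not in found:
                found.add(group)
                stack.append(group)
    return sorted(found)

def members_in_chain(group_dn):
    """What (memberOf:<rule>:=<group_dn>) returns, restricted to user DNs here
    (AD would list the nested groups too): all users, however deeply nested."""
    users, seen, stack = set(), set(), [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        for member in DIRECTORY.get(dn, []):
            if member in DIRECTORY:   # a nested group: descend into it
                stack.append(member)
            else:                     # a user DN
                users.add(member)
    return sorted(users)
```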

NOTE:
All of this is of course done in the context of the Deployment Manager.
After making the changes, a full resynchronization needs to be done with all nodes in the cluster (sometimes you also need to take the node down and run syncNode from the node) and the node must be restarted.

The solution is to change my setting in WebSphere to reflect this:
nestgroup1
nestgroup2
nestgroup3

For performance reasons I also changed the following (optional).
Reason:
http://www.ibm.com/support/knowledgecenter/SSAW57_8.0.0/com.ibm.websphere.wim.doc/disablingnestedgroupsearches.html
The solution is to change it according to those instructions.

How does it look in the files before and after the change? Here are snippets:

wimconfig.xml before the change:
<config:groupConfiguration>
<config:memberAttributes name="member" objectClass="group" scope="nested"/>
<config:membershipAttribute name="memberof" scope="nested"/>
</config:groupConfiguration>

wimconfig.xml after the change:
<config:groupConfiguration>
<config:memberAttributes name="member:1.2.840.113556.1.4.1941:" objectClass="group" scope="nested"/>
<config:membershipAttribute name="memberOf:1.2.840.113556.1.4.1941:" scope="nested"/>
</config:groupConfiguration>

security.xml before the change (you cannot copy and paste any of these, because some parameters are unique to your environment):
<userRegistries xmi:type="security:WIMUserRegistry" xmi:id="WIMUserRegistry_1" serverId="" serverPassword="{xor}" realm="defaultWIMFileBasedRealm" ignoreCase="true" useRegistryServerId="false" primaryAdminId="wasadmin" registryClassName="com.ibm.ws.wim.registry.WIMUserRegistry"/>

security.xml after the change (you cannot copy and paste any of these, because some parameters are unique to your environment):
<userRegistries xmi:type="security:WIMUserRegistry" xmi:id="WIMUserRegistry_1" serverId="" serverPassword="{xor}" realm="defaultWIMFileBasedRealm" ignoreCase="true" useRegistryServerId="false" primaryAdminId="wasadmin" registryClassName="com.ibm.ws.wim.registry.WIMUserRegistry">
<properties xmi:id="VMMURProperty_1" name="com.ibm.ws.wim.registry.grouplevel" value="1"/>
</userRegistries>

Shortcut to this document: http://www.infoware.eu/?p=7180
That's all folks

AD108: The grand tour of IBM Lotus Notes and Domino 8.5.3 upgrade pack XPages capabilities.

Very informative session with lots of demos of the components available in Upgrade Pack 1. No information how skinnable the components are, but since they’re probably based on One UI v2.1 this shouldn’t be a problem. I would definitely look into this before implementing any components in an external site as they look… Well… Very much like Domino web based apps. Not brilliant, to be nice. ;-)

With UP1 (Upgrade Pack 1) we now have access to using REST services. There are three different kinds, depending on where you wish to utilize them.

  • Domino Data Service
    When you’re not using XPages to access Domino data.
  • XPages REST Services Control
    When you ARE using XPages. This is more flexible than the above, so it's preferred.
  • Custom Database Servlet
    When you need complete control! Requires Java skills.

There is a Kitchen Sink/Demo application that allows you to test all these new features and of course have a look at the source code. The application is automatically installed with the UP1.

The differences from the Extension Library are:

  • UP1 IS supported by IBM, where ExtLib is not.
  • UP1 shows the design element instead of just a computed text – enhanced Designer experience.
  • UP1 is fully accessibility compliant, where ExtLib may not be.
  • UP1 comes with an installer/uninstaller. ExtLib comes in a .ZIP-file.
However, UP1 is missing two things from ExtLib:
This may or may not be a deal breaker for you.

You can find the documentation for UP1 here

You can find the slides here

Infoware Kick Ass experience

Some fantastic days Infoware has been having in our booth. The response for DomainPatrol Social has been absolutely FANTASTIC.  Our crew – Maria and Fredrik did a splendid job in The Kick Ass Booth 206! Not only that – they invented our successful concept. The show is over for Lotusphere 2012!

CCS111 – Electrolux delivers a more social, engaging intranet

Ralf Larsson, Electrolux, and Ulf Stider, Infoware, presented Egate, the intranet at Electrolux. IBM Connections is integrated with Epi-server and Sharepoint, and the users could not care less: they get their job done! Ralf shared his experiences, starting slowly with their social intranet until now, when Egate rocks and has more active users than ever. Ulf shared Infoware's technical experiences implementing IBM Connections at Electrolux. Our job is to solve our clients' difficult technical issues. Already in that room, after the session, a new business opportunity appeared.

This session was very much appreciated; the room was full and an overflow room with about 30 people had to be added. We have received so many positive comments on this presentation. Congratulations Ralf and Ulf for an excellent performance.

AD110 – IBM Lotus Domino XPages Go Zoom!

This session talked briefly about suitable tools that you can use to debug and/or get a glimpse behind the scenes regarding front-end performance:

Firebug
Chrome Developer Tools
Speed Tracer
Page Speed
Yslow
IE Developer Toolbar
Opera Dragonfly
Weinre
Fiddler
XPages Toolbox

You should be fairly familiar with most of them; Firebug, at the very least. Personally I prefer Chrome Developer Tools, because I prefer Chrome and I find its dev tools less prone to crashing.

For IE Development the IE Developer Toolbar is a must.

Fiddler is great across everything that uses HTTP/S. It sits in the middle as a proxy and records a lot of useful information, and it can also simulate modem speeds.

XPages Toolbox is also a welcome addition, giving a backstage view of what takes up most of the time in your XPages application.

The session went on and talked, in great detail, about the differences between the execution modes. To summarize:

Full refresh – Is the most expensive. Recalculates and sends the entire page.
Partial refresh – Recalculates the entire page, but just sends the part of the page you specify.
Partial execution + Partial refresh – Just computes the requested area and returns that.

For best performance, use the last combination above wherever possible.

Other suggestions are:
Use GET requests instead of POST. This skips a lot of steps in the lifecycle and so reduces the load on the server and computes quicker.
Set all containers, that don’t require input, to read only. Again, saves computing power.
Use the dataCache-property on every Domino view source you can.
Use the viewScope/requestScope to cache objects and variables. Caching reduces CPU utilization, and using short-lived scoped variables reduces the memory footprint.

Can't remember if they mentioned this, but in reality modern web applications' main bottleneck isn't the server, it's the number of HTTP requests the page makes. Therefore you will get the biggest performance boost if you enable Application Preferences / XPages tab / "Use runtime optimized JavaScript and CSS resources" (Domino 8.5.3 only). This merges most (not all) external JavaScript and CSS references you might have into one request per type.

Combine all of the above and your XPage applications will be screaming!


BP103 – IBM Lotus Domino XPages Blast!

A good session for the not so seasoned XPages developer. If you've been doing this for a while then maybe there weren't so many new things revealed, or there shouldn't be anyway. ;-)

But some things are worth repeating, so here we go:

Thomas Gums has written a CGI script library that is worth checking out if you're working with CGI variables like REMOTE_ADDR and the like.

Use resource bundles instead of profile documents for better functionality and performance. Include the bundle on the XPage, then you can use SSJS like .getString("key") to retrieve information from it.
Another cool thing with using bundles for keywords and/or language files is that you can easily export them using LotusScript to DXL that anyone can read and edit without having Designer access.

XPages agents are much faster than any LotusScript or Java agent, so use them when possible.

Here’s a neat trick to export Notes data to a formatted Excel file: create the Excel file and format it the way you normally would, save it as XML and paste that into your XPages agent. That way you get all the formatting done for you and you can concentrate on injecting just the dynamic parts. (Just don’t forget to set the correct content-type in XPages).

There are a couple of SSJS functions available for working with JSON that may not be apparent at first:
isJson
fromJson
toJson

You also have the equivalent in CSJS in Dojo, except for the isJson method.


AD107 – IBM Lotus Domino XPages Meets Enterprise Data – Relational++

A good session with lots of examples combined with thorough walkthroughs.

Using the Extension Library (not available using Upgrade Pack 1).

You can get data from any database, just provide the JDBC driver.
Add JDBC query and rowset as a data source so you can use it as any other view data source with repeats and so on.

@jdbcDbColumn queries an RDBMS like @dbColumn() does an .NSF, but without the 32k limit.
You need a data source as a JDBC connection and a .jdbc file under Package Explorer WebContent/WEB-INF/jdbc. The file describes the connection: the driver, URL and login. This folder is NOT accessible from a URL, so the information is secure.

You can compute the SQL queries, making them very flexible.

They even support stored procedures and batch changes of the RDBMS.

New SSJS functions
jdbcDbColumn
jdbcInsert
jdbcUpdate
jdbcDelete
jdbcExecuteQuery
jdbcGetConnection
