Notes 9.0.1 FP7 / 9.0.1.7 AES Session Encryption Upgrade

Mindwatering Incorporated

Author: Tripp W Black

Created: 01/06/2017 at 05:06 PM

 

Category:
Domino Upgrades / Installations
Software Installation

Objective:
Increase session encryption between Notes clients and the Domino server by enabling the new AES session tickets and the stronger port cipher options.

Instructions:
Two notes.ini settings control the increased encryption support for Notes client sessions:
PORT_ENC_ADV (not set by default, so none of the new options are enabled)
and
TICKET_ALG_SHA (default is HMAC-SHA256)


PORT_ENC_ADV:
For PORT_ENC_ADV, enter the sum of the options to enable.
1 = Enable HMAC-SHA256 integrity protection against tampering only, for legacy RC4 clients.
2 = Enable AES-128 CBC instead of #1 above, and also enable HMAC-SHA256 integrity protection against tampering.
4 = Enable AES-128 GCM for integrity protection and add'l confidentiality.
8 = Enable AES-256 GCM for integrity protection and add'l confidentiality.
16 = Enable FFDHE-2048 key exchange (2048-bit finite-field Diffie-Hellman) for port forward secrecy.
64 = Use AES-128 session tickets instead of RC2-128 tickets.

Most backward compatibility and minimal performance cost:
64 + 1 = 65 - gives just AES session tickets plus HMAC-SHA256 tampering protection for the legacy RC4 sessions.

Best security along with backward compatibility:
1 + 2 + 4 + 8 + 16 + 64 = 95
Note that these six options add up to 95, not 127; 127 would additionally set bit 32, which is not one of the options listed here, so check the technote referenced below before using it.
Between FP7 clients and servers, the session uses options 8, 16 and 64. Older clients use options 1, 2, 4 and 64.


TICKET_ALG_SHA:
For TICKET_ALG_SHA, omit the parameter to keep the default of HMAC-SHA256. Otherwise, the options are:
1 = Enable HMAC-SHA1 (legacy)
256 = Enable HMAC-SHA256 (default)
384 = Enable HMAC-SHA384
512 = Enable HMAC-SHA512

For logging and testing, add the debugging parameters DEBUG_PORT_ENC_ADV=1 and LOG_AUTHENTICATION=1 to notes.ini.
See IBM technote SWG21990283 for more information on the new T, S, and FS flags.
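The following script is an added example for this note (it is not IBM/HCL code and does not talk to a Domino server). It composes a PORT_ENC_ADV value from the option bits listed above, decodes a configured value back into options while flagging any bit this note does not document, and audits a constructed notes.ini fragment for both PORT_ENC_ADV and TICKET_ALG_SHA, applying the HMAC-SHA256 default when the parameter is absent. The notes.ini text, the server name in it, and the finding messages are constructed for the example.

```python
"""Check and compose the PORT_ENC_ADV / TICKET_ALG_SHA notes.ini settings.

Example added to this note; it is not IBM/HCL code and does not talk to Domino.
The option bits and TICKET_ALG_SHA values are the ones listed in the note; the
notes.ini fragment at the bottom is constructed for the example.
"""
import re

# PORT_ENC_ADV option bits as listed in this note (bit 32 is not documented here).
PORT_ENC_ADV_BITS = {
    1: "HMAC-SHA256 integrity protection for legacy RC4 sessions",
    2: "AES-128 CBC with HMAC-SHA256 integrity protection",
    4: "AES-128 GCM (integrity and confidentiality)",
    8: "AES-256 GCM (integrity and confidentiality)",
    16: "FFDHE-2048 key exchange (forward secrecy)",
    64: "AES-128 session tickets instead of RC2-128",
}
KNOWN_MASK = sum(PORT_ENC_ADV_BITS)  # 95: every documented bit set

TICKET_ALG_SHA_VALUES = {1: "HMAC-SHA1", 256: "HMAC-SHA256",
                         384: "HMAC-SHA384", 512: "HMAC-SHA512"}
TICKET_ALG_SHA_DEFAULT = 256  # used when the parameter is absent


def compose_port_enc_adv(*options):
    """Sum the wanted options into a PORT_ENC_ADV value, rejecting unknown ones."""
    bad = [o for o in options if o not in PORT_ENC_ADV_BITS]
    if bad:
        raise ValueError(f"unknown PORT_ENC_ADV option(s): {bad}")
    return sum(set(options))  # set() so a repeated option is not double-counted


def decode_port_enc_adv(value):
    """Split a configured value into (sorted documented bits, undocumented remainder)."""
    if value < 0:
        raise ValueError("PORT_ENC_ADV must be non-negative")
    enabled = sorted(b for b in PORT_ENC_ADV_BITS if value & b)
    return enabled, value & ~KNOWN_MASK


def parse_notes_ini(text):
    """Minimal notes.ini reader: KEY=value lines, ';' comments, keys upper-cased."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1).upper()] = m.group(2).strip()
    return settings


def audit_session_encryption(ini_text):
    """Report the effective settings plus the findings a reviewer would want flagged."""
    s = parse_notes_ini(ini_text)
    findings = []

    port_enc = int(s.get("PORT_ENC_ADV") or 0)  # absent or empty means nothing enabled
    enabled, unknown = decode_port_enc_adv(port_enc)
    if unknown:
        findings.append(f"PORT_ENC_ADV sets undocumented bit(s) {unknown}; verify against the technote")
    if 64 not in enabled:
        findings.append("AES session tickets (64) not enabled; RC2-128 tickets still in use")
    if not ({4, 8} & set(enabled)):
        findings.append("no AES-GCM option (4 or 8) enabled")
    if 16 not in enabled:
        findings.append("FFDHE-2048 (16) not enabled; sessions lack forward secrecy")

    ticket_alg = int(s.get("TICKET_ALG_SHA") or TICKET_ALG_SHA_DEFAULT)
    if ticket_alg not in TICKET_ALG_SHA_VALUES:
        findings.append(f"TICKET_ALG_SHA={ticket_alg} is not a valid value (1, 256, 384, 512)")
    elif ticket_alg == 1:
        findings.append("TICKET_ALG_SHA=1 selects HMAC-SHA1; prefer 256 or higher")

    return {
        "port_enc_adv": port_enc,
        "enabled_bits": enabled,
        "enabled": [PORT_ENC_ADV_BITS[b] for b in enabled],
        "ticket_alg_sha": ticket_alg,
        "ticket_alg_name": TICKET_ALG_SHA_VALUES.get(ticket_alg, "invalid"),
        "findings": findings,
    }


# Constructed notes.ini fragment (not from a real server): the "minimal" profile
# from this note plus the debugging parameters.
SAMPLE_NOTES_INI = """\
; constructed example fragment
ServerName=CN=example-server/O=Example
PORT_ENC_ADV=65
DEBUG_PORT_ENC_ADV=1
LOG_AUTHENTICATION=1
"""

if __name__ == "__main__":
    print("minimal profile:", compose_port_enc_adv(64, 1))
    print("all documented options:", compose_port_enc_adv(1, 2, 4, 8, 16, 64))
    print("127 decodes to:", decode_port_enc_adv(127))
    for key, val in audit_session_encryption(SAMPLE_NOTES_INI).items():
        print(f"{key}: {val}")
```

Running it shows the point made above about the totals: the six documented options compose to 95, while decoding 127 returns the undocumented remainder 32, and the audit of the 65 profile reports that no AES-GCM option and no forward secrecy are enabled, with TICKET_ALG_SHA falling back to 256.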
