Domino 11.01 SNI Configuration Exploration / Tips

Mindwatering Incorporated

Author: Tripp W Black

Created: 03/09/2020 at 07:56 PM


Category:
Domino Upgrades / Installations
Software (Re)Configuration

Task:
Test the SNI (multiple TLS/SSL web sites on single IP) feature.

Image:
VM with CentOS 7, and Domino 11.0


Upgrade and Post Upgrade Configuration Steps:
1. Upgrade the Domino server from HCL Domino 11.0 to HCL Domino 11.0.1 (Beta or "gold").

2. Update the notes.ini by adding the following new parameter:
ENABLE_SNI=1

If you have SSL_DISABLE_RENEGOTIATE=1, for compliance audit reasons, it seems to break SNI. We removed it.


3. Check your Internet Site documents.
You need either a "default" Internet Site document that lists the primary IP of the server along with the "default" web site names, with the servers either listed individually in the server names field or given as an *,
< or >
an Internet Site doc with the default radio button selected and the server names specified (individually, or as an * in the server names field).

You need to configure your Internet Site documents with the appropriate keyring (kyr and sth) files for each domain set up in its Internet Site doc.
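A way to verify the result of these steps from outside the server, as an added example that is not part of the original post: the Python below handshakes against one server IP once per site name, sends that name in the SNI extension, and reports whether the presented certificate actually covers it (a mismatch is what the browser shows as a "connection not private" warning). The server IP and site names are placeholders to substitute with your own.

```python
import socket
import ssl

def san_dns_names(cert):
    """DNS names from a dict as returned by ssl.SSLSocket.getpeercert()."""
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # older single-name keyrings may carry only a subject CN
        names = [v.lower() for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return names

def name_matches(hostname, pattern):
    """Exact match, or a single leftmost wildcard label (*.example.com)."""
    hostname, pattern = hostname.lower(), pattern.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        h, p = hostname.split("."), pattern.split(".")
        return len(h) == len(p) and h[1:] == p[1:]
    return False

def cert_covers(cert, hostname):
    """True if the presented certificate is valid for the requested site name."""
    return any(name_matches(hostname, n) for n in san_dns_names(cert))

def fetch_cert(server_ip, sni_name, port=443, timeout=5):
    """Handshake with server_ip while sending sni_name in the SNI extension."""
    ctx = ssl.create_default_context()
    # Chain verification stays on (so getpeercert() returns the parsed cert);
    # only the hostname check is deferred to cert_covers, so a CA-signed cert
    # for the wrong site (e.g. the default keyring) is still returned for inspection.
    ctx.check_hostname = False
    with socket.create_connection((server_ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            return tls.getpeercert()

def check_sites(server_ip, site_names, port=443):
    """Map each site name to (names in the presented cert, covered?)."""
    out = {}
    for name in site_names:
        cert = fetch_cert(server_ip, name, port)
        out[name] = (san_dns_names(cert), cert_covers(cert, name))
    return out

if __name__ == "__main__":
    # Placeholder values: substitute the Domino server's IP and its Internet Site names.
    for site, (names, ok) in check_sites("203.0.113.10", ["www.example.com", "mail.example.org"]).items():
        print(f"{site}: {'OK' if ok else 'MISMATCH'} (cert names: {', '.join(names)})")
```

Run it once per Internet Site name: every site should report OK with its own keyring's names, and the default site's names showing up for another site name is exactly the wrong-keyring behaviour described below.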


Internet Site Notes:
- If we have an Internet Site (and a domain) tied to a secondary IP, Domino does NOT pick that secondary Internet Site doc; that Internet Site doc is tied to the secondary IP exclusively. Therefore, we receive the scary "connection not private" impersonation warning, because the Domino server used the default Internet Site doc with its keyring (kyr) rather than the correct Internet Site doc. If you take that secondary IP out of the Internet Site document and restart HTTP, Domino then does pick up the Internet Site doc, with its domain and kyr, properly.

- Wildcarding servers or specifying them individually both work as expected. The Internet Sites loaded with SNI whether the servers field contained "*" or the name of the server in a list.

- Old SSL/TLS Internet Site docs with an IP listed with the domains would continue to use the secondary IP address site.

- Old Internet Site docs without an IP address, with SNI enabled, will use the default IP of the Domino server (HTTP stack) and switch to whatever keyring (kyr) is specified for that Internet Site document.

- In our tests, we have both multi-domain SAN keyrings (kyrs) and individual domain (www and base domain) keyrings (kyrs).
- - We tested domains and Internet Sites that shared the same multi-domain (SAN) kyr file, successfully.
- - We tested domains and Internet Site docs which each had its own keyring (kyr) file. They also worked.

IMPORTANT:
- As mentioned above, SNI didn't work with the main IP or default site until we removed the secondary IP from the Internet Site doc.
. . . UNLESS . . .
- SNI does work on the main IP as well as the secondary IP if both Internet Site documents share the same keyring as the primary IP's domain name (e.g. a multi-domain SAN used inside the keyring kyr file).

- We tested CentOS 7. We tested the current versions of Firefox and Safari for these initial tests on macOS, and we tested Firefox on Win10 as well.


Other Testing Notes:
We also tried other images: CentOS 6.7 and Ubuntu 18.04.
CentOS 6.7 with HCL Domino 10.0.1 was also upgraded to HCL Domino 11 and then to HCL Domino 11.0.1 beta, and the SNI testing was performed on this configuration as well. We didn't test this configuration extensively, as all of our Domino servers are running CentOS 7 now. We did not try CentOS 8.

UBUNTU WORKS -- BUT CAUTION:
- For curiosity's sake, we also tested Ubuntu 18.04 with Domino 11.0.1 beta with SNI enabled, and it performed the same. CRITICAL: Ubuntu is not a supported OS. Use at your own RISK. In our case, we use it only within our own internal/non-public environments.
