Notes 9.0.1 FP7 / AES Session Encryption Upgrade

Mindwatering Incorporated

Author: Tripp W Black

Created: 01/06/2017 at 05:06 PM


Domino Upgrades / Installations
Software Installation

Increase session encryption between Notes clients and the Domino server using the new AES session tickets.

Two notes.ini settings on the server enable the increased encryption support for Notes clients:
PORT_ENC_ADV (default: not set, so nothing new is enabled)
TICKET_ALG_SHA (default: HMAC-SHA 256)

For PORT_ENC_ADV, enter the sum of the options you want to enable.
1 = Enable HMAC-SHA256 integrity protection (anti-tampering) only, for legacy RC4 clients.
2 = Enable AES-128 CBC instead of option 1 above, also with HMAC-SHA256 integrity protection.
4 = Enable AES-128 GCM for integrity protection and additional confidentiality.
8 = Enable AES-256 GCM for integrity protection and additional confidentiality.
16 = Enable FFDHE-2048 (2048-bit finite-field Diffie-Hellman) key exchange for forward secrecy.
64 = Switch session tickets from RC2-128 bit to AES-128 bit.

Most backward compatibility and minimal performance cost:
64 + 1 = 65 - gives just AES tickets and tamper protection.

Best security along with backward compatibility:
1 + 2 + 4 + 8 + 16 + 64 = 127
FP7 clients and servers will use options 8, 16, and 64. Older clients will use options 1, 2, 4, and 64.

For TICKET_ALG_SHA, omit the parameter to keep the default of HMAC-SHA 256. Otherwise, the options are:
1 = Enable HMAC-SHA 1
256 = Enable HMAC-SHA 256 (default)
384 = Enable HMAC-SHA 384
512 = Enable HMAC-SHA 512

For logging and testing, set the debugging parameters DEBUG_PORT_ENC_ADV=1 and LOG_AUTHENTICATION=1.
See IBM technote SWG21990283 for more information on the new T, S, and FS flags.
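The following is an added example, not part of the original note or of IBM's tooling: a small Python audit that reads the PORT_ENC_ADV and TICKET_ALG_SHA lines from a notes.ini fragment, decodes the PORT_ENC_ADV sum into the option bits listed above, and flags weak or undocumented values. The sample notes.ini content is constructed. Note that the six documented options sum to 95, so the recommended value 127 also sets bit 32, which this note does not describe; the audit reports such bits as undocumented.

```python
"""Audit the PORT_ENC_ADV / TICKET_ALG_SHA settings of a notes.ini (added example)."""
import re
# Bit values of PORT_ENC_ADV as listed above; bit 32 is not documented on this page.
PORT_ENC_ADV_OPTIONS = {
    1: "HMAC-SHA256 integrity protection for legacy RC4 clients",
    2: "AES-128 CBC plus HMAC-SHA256 integrity protection",
    4: "AES-128 GCM",
    8: "AES-256 GCM",
    16: "FFDHE-2048 key exchange (forward secrecy)",
    64: "AES-128 session tickets instead of RC2-128",
}
DOCUMENTED = sum(PORT_ENC_ADV_OPTIONS)  # = 95; the note's recommended 127 also sets bit 32
TICKET_ALG_SHA_OPTIONS = {1: "HMAC-SHA1", 256: "HMAC-SHA256", 384: "HMAC-SHA384", 512: "HMAC-SHA512"}

# Constructed notes.ini fragment for the demonstration (not from a real server).
SAMPLE_INI = "ServerName=CN=mail01/O=Example\nPORT_ENC_ADV=65\nTICKET_ALG_SHA=1\nDEBUG_PORT_ENC_ADV=1\n"

def parse_notes_ini(text):
    """Return {KEY: value} for the KEY=VALUE lines of a notes.ini; keys are upper-cased."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$", line)
        if m:
            settings[m.group(1).upper()] = m.group(2)
    return settings

def decode_port_enc_adv(value):
    """Split a PORT_ENC_ADV sum into (enabled bits, missing bits, undocumented bits)."""
    enabled = [b for b in PORT_ENC_ADV_OPTIONS if value & b]
    missing = [b for b in PORT_ENC_ADV_OPTIONS if not value & b]
    return enabled, missing, value & ~DOCUMENTED

def audit(text):
    """Report which session-encryption options the notes.ini enables and warn on weak settings."""
    s = parse_notes_ini(text)
    raw = s.get("PORT_ENC_ADV", "0")            # unset behaves like 0: nothing new enabled
    enabled, missing, unknown = decode_port_enc_adv(int(raw) if raw.isdigit() else 0)
    warnings = []
    if unknown:
        warnings.append(f"PORT_ENC_ADV has bits set that this note does not document: {unknown}")
    if missing:
        warnings.append(f"PORT_ENC_ADV lacks options {missing}; the note recommends 127")
    alg = s.get("TICKET_ALG_SHA", "256")        # omitted parameter means HMAC-SHA 256
    ticket_alg = TICKET_ALG_SHA_OPTIONS.get(int(alg)) if alg.isdigit() else None
    if ticket_alg is None:
        warnings.append(f"TICKET_ALG_SHA={alg} is not one of {sorted(TICKET_ALG_SHA_OPTIONS)}")
    elif alg == "1":
        warnings.append("TICKET_ALG_SHA=1 selects HMAC-SHA1; omit it to get the HMAC-SHA 256 default")
    return {"enabled": enabled, "missing": missing, "unknown": unknown, "ticket_alg": ticket_alg, "warnings": warnings}
```

Run `audit(open("notes.ini").read())` against a copy of the server's notes.ini to see which options are in effect before and after the upgrade.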

