Securing Connections for IBM Traveler Apps. Bill Wimer STSM for IBM Collaboration Solutions December 13, 2016

Similar documents
Updating the Client Access URL using IBM Traveler Server. OPEN MIC WEBCAST March 22, 2017 Alvin John Marron L2 Software Engineer IBM Traveler

GENOA Transformer Pre-Install Checklist

Best Practices of IBM Notes Traveler Deployment. Date: 27 Aug 2015

SECURING DOMINO LDAP. Open Mic June 10th 2015

AirWatch Mobile Device Management

Your Apps and Evolving Network Security Standards

How to Configure SSL Interception in the Firewall

SSL Report: ( )

SSL Report: printware.co.uk ( )

SSL Report: sharplesgroup.com ( )

But where'd that extra "s" come from, and what does it mean?

SSL Report: bourdiol.xyz ( )

SSL Report: cartridgeworld.co.uk ( )

Salesforce1 Mobile Security White Paper. Revised: April 2014

SSL Visibility and Troubleshooting

Security and Certificates

Scan Report Executive Summary. Part 2. Component Compliance Summary Component (IP Address, domain, etc.):ekk.worldtravelink.com

SSL247 SHA-2 MIGRATION

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

Comodo Certificate Manager

Administering Your ArcGIS Enterprise Portal Bill Major Craig Cleveland

How to Configure SSL Interception in the Firewall

Information Security CS 526

SSL247 SHA-2 MIGRATION

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

Studying TLS Usage in Android Apps

Best Practices for Security Certificates w/ Connect

Data Security and Privacy. Topic 14: Authentication and Key Establishment

The Cisco HCM-F Administrative Interface

Overview. SSL Cryptography Overview CHAPTER 1

Dashlane Security Whitepaper

Recommendations for Device Provisioning Security

Cisco Spark Tech Ops and Security Frequently Asked Questions (FAQs)

HW/Lab 3: SSL/TLS. CS 336/536: Computer Network Security DUE 11am on Nov 10 (Monday)

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

securing a host Matsuzaki maz Yoshinobu

BlackBerry Dynamics Security White Paper. Version 1.6

Secure Communication in Client-Server Android Apps

Barracuda Firewall Release Notes 6.5.x

SAML-Based SSO Configuration

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

Workspace ONE UEM Integration with RSA PKI. VMware Workspace ONE UEM 1810

SAML-Based SSO Configuration

Dashlane Security White Paper July 2018

ZENworks Mobile Workspace Installation Guide. September 2017

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Introduction. The Safe-T Solution

TLS 1.1 Security fixes and TLS extensions RFC4346

About DPI-SSL. About DPI-SSL. Functionality. Deployment Scenarios

WHITE PAPER. Authentication and Encryption Design

Managing SSL/TLS Traffic Flows

Configuring SSL. SSL Overview CHAPTER

Transport Level Security

SHA-1 to SHA-2. Migration Guide

VMware AirWatch Integration with RSA PKI Guide

Bugzilla ID: Bugzilla Summary:

Proving who you are. Passwords and TLS

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

General System Requirements mymcs Apps

Comodo Certificate Manager Software Version 5.6

SSL/TLS Server Test of

Comodo Certificate Manager Software Version 5.0

IBM Lotus Notes Traveler

AXIS Device Manager HTTPS certificate management

SSL/TLS Security Assessment of e-vo.ru

Configuration Example for Secure SIP Integration Between CUCM and CUC based on Next Generation Encryption (NGE)

Vendor: Citrix. Exam Code: 1Y Exam Name: Implementing Citrix NetScaler 10.5 for App and Desktop Solutions. Version: Demo

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE

Web Application Penetration Testing

Configuring SSL Security

SonicOS Enhanced Release Notes

Configuring SSL CHAPTER

Securing ArcGIS Services

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

manaba+r Report Examination Manual [For Students]

Man in the Middle Attacks and Secured Communications

Designing Network Encryption for the Future Emily McAdams Security Engagement Manager, Security & Trust Organization BRKSEC-2015

Scan Report Executive Summary

Table of Contents. Configure and Manage Logging in to the Management Portal Verify and Trust Certificates

Configuring SSL. SSL Overview CHAPTER

Contents. SSL-Based Services: HTTPS and FTPS 2. Generating A Certificate 2. Creating A Self-Signed Certificate 3. Obtaining A Signed Certificate 4

JUNIPER NETWORKS PRODUCT BULLETIN

Risk Intelligence. Quick Start Guide - Data Breach Risk

The State of TLS in httpd 2.4. William A. Rowe Jr.

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

Once all of the features of Intel Active Management Technology (Intel

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year


Configuration Guide. BlackBerry UEM. Version 12.7 Maintenance Release 2

SSL Accelerated Services. Feature Description

Installation and usage of SSL certificates: Your guide to getting it right

WHITE PAPER. ENSURING SECURITY WITH OPEN APIs. Scott Biesterveld, Lead Solution Architect Senthil Senthil, Development Manager IBS Open APIs

Exposing The Misuse of The Foundation of Online Security

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Introduction to the DANE Protocol

PULSE CONNECT SECURE APPCONNECT

BEST PRACTICES FOR PERSONAL Security

Apple 9L Mac OS X Security and Mobility Download Full Version :

LiveEngage Messaging Platform: Security Overview Document Version: 2.0 July 2017

Google on BeyondCorp: Empowering employees with security for the cloud era

Transcription:

Securing Connections for IBM Traveler Apps Bill Wimer (bwimer@us.ibm.com), STSM for IBM Collaboration Solutions December 13, 2016

IBM Technote Article #21989980 Securing Connections for IBM Traveler mobile applications https://www-01.ibm.com/support/docview.wss?uid=swg21989980 Provides a list of minimum transport layer connection security requirements for the following mobile apps IBM Verse for ios IBM Traveler Companion (ios) IBM Traveler ToDo (ios) IBM Verse for Android Focused on apps, but provides best security practices for any mobile connection Applies to customer running on premises IBM Traveler servers, or IBM SmartCloud customers that are using federated login using an Identity Provider 2

Why is this important? Cyber attacks are increasing, always searching for vulnerabilities to expose your private data Data transmitted and received over the internet over unencrypted or weakly encrypted connections is extremely vulnerable to compromise IBM does regular application scanning of our mobile apps, penetration testing of our Traveler server code and Ethical Hacking testing of our product Strongly encrypted connections using valid certificates is required to ensure security for data traveling over the Internet Mobile OS vendors are removing support for vulnerable ciphers and protocols Apple is requiring ATS for all public app store app submissions in 2017 Android recently removed the RC4 cipher when Android 7 was released IBM will be modifying our mobile apps in the future to require a secure connection that meets these minimum security requirements 3

What is the context of the connection here? Communications link between the mobile app and the TLS session endpoint TLS session endpoint may be the Traveler server if connecting directly Very often it is an edge proxy (reverse proxy) IBM Mobile Connect F5 Citrix Netscalar MobileIron Sentry Many others Traveler Server 4 Reverse proxy Traveler Server

Minimum transport layer security requirements 1. Mobile apps must connect over HTTPS and not unencrypted HTTP 2. Server certificate cannot be expired or invalid 3. Server certificate Common Name (CN) or Subject Alternate Names (SAN) list must contain hostname which the mobile app is using to connect 4. Negotiated Transport Layer Security version must be TLS 1.2 5. Server certificate must be trusted 6. TLS cipher suite must support forward secrecy (see article for list) 7. Server leaf certificate must be signed with RSA 2048 bit or ECC 256 bit key (or higher) 8. Server leaf certificate hashing algorithm must be SHA256 (or higher) 5

How do I check my environment? Most browsers provide a mechanism to examine your certificate Connect your browser to the Traveler URL in your environment https://www.example.org/traveler Technote provides step by step procedures using the FireFox browser Use an SSL Certificate checker, such as Qualsys SSL Labs Note if the certificate and site are valid for Apple ATS connections 6

When do we have to implement these changes? Originally IBM was saying January 1, 2017 to match a similar deadline from Apple IBM now extending this deadline to ensure that customers have enough time to review their environments and ensure that beta apps with enforcement enabled can be validated. IBM will work with Apple to get the ATS requirement extended Expect only a short term extension, likely end of 1Q 2017, so validate that your environment is secure! 7

I found problems, how do I fix them? Mobile Apps connecting to an edge proxy? Contact the edge proxy provider for assistance on mitigating the issue. Typically this means installing a new certificate or enabling TLS 1.2. Mobile Apps connecting directly to IBM Traveler server? Depending on the problem, see related technote articles on how to mitigate The Domino server which is hosting Traveler MUST be running Domino 9.0.1 Fix Pack 5 or later. This is the version which provides a secure TLS stack. See Download options for Notes & Domino 9.0.1 Fix Packs http://www-01.ibm.com/support/docview.wss?uid=swg24037141 8

Fixing Problems HTTPS is not enabled #1 Mobile apps must connect over HTTPS and not unencrypted HTTP Enable SSL (TLS) on your Domino web server See How to set up SSL using a third-party Certificate Authority (CA) and follow the section called Steps for Configuring SSL http://www-01.ibm.com/support/docview.wss?uid=swg21268695 You will need to create a Domino keyring file containing a valid certificate prior to turning on SSL Both HTTP and HTTPS can run on your Domino server at the same time 9

Fixing Problems Certificate is invalid or weak #2 Server certificate cannot be expired or invalid #3 Server certificate Common Name or Alternate Names list must contain hostname which the mobile app is using to connect #7 Server leaf certificate must be signed with RSA 2048 bit or ECC 256 bit key (or higher) #8 Server leaf certificate hashing algorithm must be SHA256 (or higher) Create and deploy a valid, strong certificate See Generating a keyring file with a third party CA SHA-2 cert using OpenSSL and kyrtool https://www-10.lotus.com/ldd/dominowiki.nsf/dx/3rd_party_sha- 2_with_OpenSSL_and_kyrtool?open Install the keyring on your Traveler server(s) How to set up SSL using a third-party Certificate Authority (CA) http://www-01.ibm.com/support/docview.wss?uid=swg21268695 10

Fixing Problems TLS 1.2 and ciphers #4 Negotiated Transport Layer Security version must be TLS 1.2 #6 TLS cipher suite must support forward secrecy Upgrade the Domino server which is hosting Traveler to run Domino 9.0.1 Fix Pack 5 or later See Download options for Notes & Domino 9.0.1 Fix Packs http://www-01.ibm.com/support/docview.wss?uid=swg24037141 This version automatically enables TLS and the required ciphers which support forwarding secrecy No additional configuration is required 11

Fixing Problems Certificate is not trusted #5 Server certificate must be trusted IBM recommends using a certificate from an external Certificate Authority Validate with the 3 rd party CA that their certificate is compatible and preinstalled on ios and Android devices These certificates are automatically trusted on the device Can I use a self signed certificate or one signed by my local certificate authority? Technically possible, but requires some additional steps Must distribute the certificate (or root and intermediate certificate) to the mobile devices MDMs can provision certificates to mobile devices End users can manually install by clicking the certificate in an email or website See Generating a keyring file with a self-signed SHA-2 cert using OpenSSL and kyrtool https://www-10.lotus.com/ldd/dominowiki.nsf/dx/self-signed_sha- 2_with_OpenSSL_and_kyrtool?open 12

Do I need to make any changes if I am using an AppTunnel with a MobileIron Sentry? The MobileIron Sentry has a feature called AppTunnel Allows app level VPN connections from Verse, ToDo, and Companion to an internal Traveler server It is same topology as a reverse proxy environment Connection between app and Sentry must be secured It is NOT mandatory that the connection between the Sentry and the internal Traveler server is secured 13

Beta testing try out any changes before they go live Best way to validate that your environment meets requirements Verse for Android Anyone can signup by logging into Google Play, find the Verse for Android app and click Become a Tester Verse for ios, ToDo and Companion Testing is done through the Apple TestFlight app Available via invitation only, so send an email to heyibm@us.ibm.com requesting access For each individual tester, provide IBM with: Company Name Tester Name Tester s email address associated with their Apple ID Application to test (Any or all of Verse for ios, ToDo and Companion) Look for announcements mid January 2017, expected to release beta updates with changes 14

Questions? Please contact us using email to heyibm@us.ibm.com if we cannot get your question answered today!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback