Implementing Certificate Based Authentication For HCL Traveler Access
Because Basic Is LAME!
1#engageug
About Me
• Milan Matejic
• First contact with Notes → 2012
• Thinks he knows something about
  • HCL Collaboration portfolio
  • DeskCenter
  • Mail migrations
About Us
• Axians ICT Austria GmbH
Table Of Contents
• Why is this interesting?
• How does it work?
• What do we need?
• Implementation
• Demo
Table Of Contents (Cont.)
• General thoughts for production use
• Some issues
• Sources
• Any questions?
• Bonus!
Why Is This Interesting?
• Lazy users
• Bad passwords
• Close to SSO
• Comfort
• Mutual authentication
• MDM & Windows CA
How Does It Actually Work?
• CA (Certificate authority)
• User certificate
• Device certificate
• Authentication confirms identity of both parties

1. User enters private-key password.
2. Client retrieves private key and creates digital signature.
3. Client sends certificate and digital signature.
(SSL connection)
4. Server uses the data received to authenticate the user.
5. Server authorizes the user to access the requested data.
What Do We Need?
• Traveler server (requires SSL)
• Basic knowledge about certificates
• OpenSSL or a CA
What Do We Need? (Cont.)
• KeyTool / KeyStore Explorer or similar
• KYRTool
• Access to Domino Directory
• Android device
Implementation
• Create CA & user certificates
• Import CA certificate
  • In the Domino Directory
  • In the Keyring File
  • In the Java "cacerts"
Implementation (Cont.)
• Import user certificate to the person document
• Push the user certificate to the mobile device
• Switch to certificate-based authentication
Create CA & User Certificates
• Windows CA
• OpenSSL
• "make_certs.cmd" from AppDev Pack
  • Still using OpenSSL
Import CA Certificate To The Domino Directory
• Via Notes/Administrator client: "Actions" ➔ "Import internet certificates"
Import User Certificate In The Person Document
• Via Notes/Administrator client: "Actions" ➔ "Import internet certificates"
• Or via Proton task: load proton --importcert c:\certs\user.crt
Import CA Certificate In The Keyring File
• Existing keyring file
• kyrtool import roots -i C:\root.crt -k "C:\HCL\notes\data\keyring.kyr"
• Very well documented!
• Do this on a client!
Import the CA To The Java CACerts
• Default PW "changeit"
• <Domino_program_directory>\jvm\lib\security
Import The CA To The Java CACerts (Cont.)
• Java Keytool
  • C:\IBM\Notes\jvm\bin
  • keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -alias Root -file Trustedcaroot.txt
• KeyStore Explorer
• Do this on a client!
Push the User Certificate To The Mobile Device
• P12 file
  • CA & personal certificate
  • Including private key
• MDM
  • Not part of Domino
  • Use e-mail for testing
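The certificate material from "Create CA & User Certificates" and "Push the User Certificate To The Mobile Device", sketched with OpenSSL as an added example (not from the original slides or from HCL's tooling). It goes one step further and checks the result the way steps 2 to 4 of "How Does It Actually Work?" describe; the subject names, file names and the P12_PASS variable are constructed for this example.

```shell
# Added example: lab CA, user certificate and PKCS#12 bundle with openssl.
# Subject names, file names and the P12_PASS variable are constructed.

make_ca() {  # $1 = work dir -> lab.cnf, ca.key, ca.crt
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' 'prompt=no' \
    '[dn]' 'O=Example' 'CN=Lab Traveler CA' '[v3_ca]' \
    'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' \
    > "$1/lab.cnf" &&
  openssl req -x509 -config "$1/lab.cnf" -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

make_user_cert() {  # $1 = work dir, $2 = user's internet address -> user.key, user.crt
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' 'keyUsage=critical,digitalSignature' \
    'extendedKeyUsage=clientAuth' "subjectAltName=email:$2" > "$1/user.ext" &&
  openssl req -new -config "$1/lab.cnf" -subj "/O=Example/CN=$2" -newkey rsa:2048 \
    -nodes -keyout "$1/user.key" -out "$1/user.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/user.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days 90 -extfile "$1/user.ext" -out "$1/user.crt" 2>/dev/null
}

make_p12() {  # $1 = work dir; the password is read from $P12_PASS, not from argv
  openssl pkcs12 -export -inkey "$1/user.key" -in "$1/user.crt" -certfile "$1/ca.crt" \
    -name traveler-user -passout env:P12_PASS -out "$1/user.p12"
}

p12_matches_cert() {  # $1 = work dir; the private key in the P12 belongs to user.crt
  openssl pkcs12 -in "$1/user.p12" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
    openssl pkey -pubout > "$1/p12.pub" 2>/dev/null &&
  openssl x509 -in "$1/user.crt" -noout -pubkey > "$1/crt.pub" &&
  cmp -s "$1/p12.pub" "$1/crt.pub"
}

server_accepts() {  # $1 = work dir, $2 = CA file the server trusts
  # Chain and purpose check, then a signature over a challenge: a simplified
  # stand-in for the proof of possession performed inside the SSL handshake.
  openssl verify -purpose sslclient -CAfile "$2" "$1/user.crt" >/dev/null 2>&1 &&
  openssl x509 -in "$1/user.crt" -noout -pubkey > "$1/crt.pub" &&
  printf 'constructed-challenge' > "$1/challenge" &&
  openssl dgst -sha256 -sign "$1/user.key" -out "$1/sig" "$1/challenge" &&
  openssl dgst -sha256 -verify "$1/crt.pub" -signature "$1/sig" "$1/challenge" >/dev/null
}

work=$(mktemp -d) && export P12_PASS='constructed-lab-password'
make_ca "$work" && make_user_cert "$work" jane.doe@example.com && make_p12 "$work" &&
  p12_matches_cert "$work" && server_accepts "$work" "$work/ca.crt" &&
  echo "bundle OK: $work/user.p12"
```

The keys are written unencrypted (`-nodes`) only so the lab run stays non-interactive; a CA key used beyond testing needs a passphrase or hardware protection.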
Switch To Certificate-Based Authentication
• Change the security settings
• Restart
• Test using browser
Demo
What Happens If We Enable…
• "Name & password" & "Client certificate"
• Multi-factor!?
• Additional authentication option
• Product ideas
• DOMINO-I-1172
General Thoughts For Production Use
• Automation
  • Create
  • Import
  • Rollout
  • Renew
Some Issues
• iOS app doesn't support certificate-based authentication
• Product ideas (VRSIOS-I-18)
• No automated way for importing user certificates in Domino
• Dependent on MDM
Sources
• HCL Domino official documentation
• HCL Domino AppDev Pack
• knowledge.digicert.com
• Pixabay, Unsplash
• keystore-explorer.org
• imgflip.com
Any Questions?
Remember Paul!?
• Protect your server IDs with a PW…
• Paul is still killing puppies…
• Don't let Paul kill puppies…

Implementing Certificate Based Authentication for HCL Traveler Access - EngageUG 2020
