Security

Most of the LDAP connections from IBM WebSphere Application Server are configured with TLS, so you need to have the root certificate in the WebSphere truststore to connect.

Some time back, I stumbled upon a flaw in HCL Connections 7 and 8 that allowed for user enumeration. This flaw could be exploited by anonymous users.

Elasticsearch in the HCL Connections Component Pack is secured with Search Guard and needs certificates to work properly. These certificates are generated by the bootstrap job during the initial container deployment with Helm.

These certificates are valid for 10 years (chain_ca.pem) or 2 years (elasticsearch*.pem) and are stored in the Kubernetes secrets elasticsearch-secret and elasticsearch-7-secret. So once your HCL Connections deployment has been running for 2 years, the certificates stop working.

In late 2021 I had an HCL Connections environment that started swapping, because the AppCluster used more than 30 GB of memory.

The system has

  • two nodes
  • the medium-sized deployment option
  • about 7500 users with a high adoption rate, because Connections is also used as the intranet

A long time ago, I wrote about the new implementation of allowlists in HCL Connections and that the documentation on customization and adding new rules was a complete mystery to me.

And the second linkdump with the content I read that week.

  • I don’t like the idea, sounds very 1984:

So up to IBM Connections 6.0 everything was allowed unless it was excluded in one of the blocklist files. These files are stored within the Deployment Manager profile under profile/config/cells/<cellname>/LotusConnections-config/extern. Now with Connections 6.0 CR1 everything is forbidden until it is enabled in the allowlist. This concept is rolled out for widgets (homepage and communities) and for active content, and active content includes HTML content too. So everything you or your users add to Connections (blog posts, wiki pages) gets filtered during the save procedure. This removes all HTML tags and attributes which are not explicitly allowed!

For years I have thought that the Internet password lockout feature of IBM Domino is not enough. The function is documented here: IBM Domino Administrator Help

Quote from that document:

There are some usage restrictions for Internet password lockout: You can only use Internet password lockout with Web access. Other Internet protocols and services, such as LDAP, POP, IMAP, DIIOP, IBM® Lotus® Quickr®, and IBM Sametime® are not currently supported. However, Internet password lockout can be used for Web access if the password that is used for authentication is stored on an LDAP server.

So the documentation tells us that only HTTP can be secured through inetlockout.nsf, and for years the documentation was right. So protocols like LDAP, SMTP or POP3 are prone to dictionary attacks.

I started a new project on OpenNTF for the collection of scripts we created to speed up and simplify WebSphere and Connections administration.

Link to this project: Administration Scripts for WebSphere

At the moment most of the documentation exists only as comments in these scripts. Descriptions can be found on GitHub and in Scripting101.

Highlights

  • J2EE Security Role Backup and Restore

  • Set initial Security Roles for Connections Applications (Author: Klaus Bild)

Documentation

When you want to start with this collection, copy the Jython scripts to your Deployment Manager bin folder ($WAS_HOME/profiles/Dmgr01/bin) and call them with wsadmin.sh -f scriptname

Preamble

Before I begin with my securing article, I want to say something about security on IBM Connections. Mainly, I don’t like the fact that IBM only supports very specific versions of software.

So we must use WebSphere 7.0.0.21, DB2 9.7.0.5, IHS 7.0.0.11 and so on. Each product has had updates in the last months, and I think we won’t get support when we use other versions.

So I have two choices. On the one hand I can update my software to limit vulnerabilities and perhaps get no support, or I will have vulnerable software with support.

Just my 2 cents, and I hope I will get an answer on whether I will get support with higher program versions.