Security features

Domino 14.0 EA1 provides the following features and enhancements related to security.

Updated default TLS ciphers

Domino 14 has updated the default TLS ciphers to include only ciphers with PFS, AEAD, and SHA-2 according to current security best practices. That leaves six default ciphers, which are now also the only ciphers that can be used without setting USE_WEAK_SSL_CIPHERS=1:

Updated security policies for ID file encryption

Notes/Domino 9 added the ability to upgrade the algorithm used to encrypt the ID File to AES-128 with SHA-256, or AES-256 with SHA-512, when changing the password. In 12.0.1, these two algorithms were added to the security policy template, but were not added to the back-end policy code. In 14.0 Early Access Drop 1, those policy settings now work correctly.

We are in the process of broadly updating default ID file encryption algorithms, but this work is still in progress as of 14.0 EAP1.

Global OpenID Connect (OIDC) enhancements

Domino 12.0.2's per-process JWK Cache and JWKCacheMgrThread have been combined into a global, cross-process OIDC provider cache. The notes.ini variables used to tune this cache have changed accordingly:
  • DEBUG_JWK_CACHE and DEBUG_JWK_CACHE_MGR were replaced with DEBUG_OIDC_CACHE=(1,2,3,4,5,6)
  • DEBUG_JWS, DEBUG_OIDC_CURL_APIS, and DEBUG_OIDC_JSON_PARSER notes.ini variables are unchanged from 12.0.2
  • OIDC_PROVIDER_CACHE_POLLING_INTERVAL was removed; the server task currently checks for updates every minute.
  • OIDC_PROVIDER_CACHE_ADVANCE_RENEWAL has a new default of 10 minutes (600 seconds).
  • OIDC_PROVIDER_CACHE_DEFAULT_EXPIRATION has a new default of 30 minutes (1800 seconds).
  • OIDC_JWK_CACHE_PURGE_INTERVAL and OIDC_JWK_CACHE_PURGE_EXPIRED_SEC are unchanged from 12.0.2, retaining their 12 and 24 hour defaults, respectively.

The OIDC Provider document in idpcat.nsf has been expanded to include additional per-provider configuration information that was configured globally with notes.ini variables in 12.0.2. The old notes.ini variables have been removed; for details, see the section that follows this one. Tracing for this functionality can be enabled with DEBUG_OIDC_CONFIG=(1,2,3)

The server stats for OIDC-related functionality have been consolidated:
  • Security.OIDC.Providers.Configured
  • Security.OIDC.Providers.Initialized
  • Security.OIDC.Providers.BearerCapable
  • Security.OIDC.Providers.LoginCapable
  • Security.OIDC.Providers.LastChecked
  • Security.OIDC.JWKs.Cached
  • Security.OIDC.JWKs.Cache.Hits
  • Security.OIDC.JWKs.Cache.Misses
  • Security.OIDC.JWKs.Cache.Expired
  • Security.OIDC.Bearer.Success
  • Security.OIDC.Bearer.Failures
  • Security.OIDC.Auth.Login.Success
  • Security.OIDC.Auth.Login.Failures
  • Security.OIDC.Auth.Logout.Success
  • Security.OIDC.Auth.Logout.Failures

Web user login with OIDC enhancements

OIDC back-channel logout is supported starting in 14.0 Early Access Drop 1. Back-channel logout requests are accepted on the Domino server's callback URL -- either /names.nsf?OIDCLogin or /auth/protocol/oidc. This functionality has only been tested to date with Keycloak.

In Domino 14, the client_id and client_secret are now configured by using fields in idpcat.nsf instead of the OIDC_LOGIN_CLIENT_ID and OIDC_LOGIN_CLIENT_SECRET notes.ini variables. Those notes.ini variables have been removed.

In Domino 14, the authentication technique used to connect to the OIDC provider's token endpoint can be configured by using a drop-down menu in idpcat.nsf. The default setting is client_secret_basic. Select "none" for public clients that lack a secret. client_secret_post is also supported in 14.0 EAP1. The template shows private_key_jwk authentication, but that functionality is not available in 14.0 EAP1.

The OIDC_LOGIN_CLOCK_SKEW_SEC, OIDC_LOGIN_COOKIE_DURATION_SEC, and DEBUG_OIDCLogin notes.ini variables still exist and work as they did in 12.0.2.

HTTP Bearer authentication enhancements

Select Enable Microsoft Workarounds in idpcat.nsf when configuring bearer authentication with Azure AD or ADFS 2019. These OIDC providers do not follow the standard as closely as most other providers, so special workarounds are needed in order to support them. This replaces the HTTP_BEARER_ENABLE_MS_WORKAROUNDS notes.ini from 12.0.2 FP1, which has been removed.

When using a provider that sends the user's email or name in a Claim that is not named "email," set the Custom Email Claim Name field to the name of that custom claim. This replaces the HTTP_CUSTOM_EMAIL_CLAIM_NAME notes.ini from 12.0.2, which has been removed.

By default, the Domino HTTP server expects to receive an "aud" (audience) Claim containing the base resource being accessed, such as If your provider, such as Azure AD, sends a nonstandard value in the audience claim, configure one or more alternative audience values in the Alternate Audiences field. This replaces the HTTP_BEARER_ALTERNATE_AUD_COUNT and HTTP_BEARER_ALTERNATE_AUD_X notes.ini variables, which have been removed.

Administrators who wish to restrict bearer authentication to specific applications by client_id sent in the "azp" Claim can configure one or more client_id values in the Allowed Client IDs field. This replaces the HTTP_BEARER_ALLOWED_ID_COUNT and HTTP_BEARER_ALLOWED_ID_X notes.ini variables from 12.0.2, which have been removed.
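
The checks that the Alternate Audiences, Allowed Client IDs and Custom Email Claim Name fields describe can be illustrated as follows. This is an added example, not Domino's code: the function name, its parameters, the resource URL and the sample claims are hypothetical, and it assumes that the token's signature, issuer and expiry were already verified and that an empty allow-list means no client restriction.

```python
def check_bearer_claims(claims, resource, alternate_audiences=(),
                        allowed_client_ids=(), email_claim="email"):
    """Return (identity, None) on success or (None, reason) on rejection."""
    aud = claims.get("aud")
    # RFC 7519 allows "aud" to be a single string or an array of strings.
    if isinstance(aud, str):
        audiences = {aud}
    elif isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        audiences = set(aud)
    else:
        return None, "missing or malformed aud"
    # The base resource is always accepted; alternates extend that set.
    if not audiences & {resource, *alternate_audiences}:
        return None, "aud does not match resource or an alternate audience"
    # Assumption: client restriction applies only when an allow-list is set.
    azp = claims.get("azp")
    if allowed_client_ids and (not isinstance(azp, str)
                               or azp not in allowed_client_ids):
        return None, "azp not in allowed client IDs"
    # The user's identity comes from "email" unless a custom claim is named.
    identity = claims.get(email_claim)
    if not isinstance(identity, str) or not identity:
        return None, f"claim {email_claim!r} missing"
    return identity, None

# Constructed sample values, not taken from a real provider or server.
RESOURCE = "https://domino.example.test"
SAMPLE_CLAIMS = {
    "aud": "api://constructed-app",
    "azp": "constructed-client",
    "preferred_username": "user@example.test",
}

if __name__ == "__main__":
    print(check_bearer_claims(SAMPLE_CLAIMS, RESOURCE))
    print(check_bearer_claims(SAMPLE_CLAIMS, RESOURCE,
                              alternate_audiences=["api://constructed-app"],
                              email_claim="preferred_username"))
```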

The DEBUG_HTTP_BEARER_AUTH notes.ini still exists and works as it did in 12.0.2.
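
Before upgrading, a server's notes.ini can be checked for the variables this page lists as removed or replaced, and for the weak-cipher override. The script below is an added example, not an HCL tool: the function name and sample file are hypothetical, names are compared case-insensitively as a defensive choice, and values are never echoed because OIDC_LOGIN_CLIENT_SECRET holds a secret.

```python
import re

# (name pattern, what this page says happened to it). The numbered "_X"
# variables carry a numeric suffix, so they are matched with \d+.
RULES = [
    (r"DEBUG_JWK_CACHE(_MGR)?", "replaced by DEBUG_OIDC_CACHE"),
    (r"OIDC_PROVIDER_CACHE_POLLING_INTERVAL", "removed; updates are checked every minute"),
    (r"OIDC_LOGIN_CLIENT_(ID|SECRET)", "removed; now configured in fields in idpcat.nsf"),
    (r"HTTP_BEARER_ENABLE_MS_WORKAROUNDS", "removed; use Enable Microsoft Workarounds in idpcat.nsf"),
    (r"HTTP_CUSTOM_EMAIL_CLAIM_NAME", "removed; use Custom Email Claim Name in idpcat.nsf"),
    (r"HTTP_BEARER_ALTERNATE_AUD_(COUNT|\d+)", "removed; use Alternate Audiences in idpcat.nsf"),
    (r"HTTP_BEARER_ALLOWED_ID_(COUNT|\d+)", "removed; use Allowed Client IDs in idpcat.nsf"),
]

def audit_notes_ini(text):
    """Return (line_no, name, note) findings; values are never included."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        name, sep, value = raw.partition("=")
        name, value = name.strip().upper(), value.strip()
        if not sep or not name:
            continue  # section header, blank line, or not NAME=value
        if name == "USE_WEAK_SSL_CIPHERS" and value == "1":
            findings.append((line_no, name, "allows ciphers outside the six defaults"))
            continue
        for pattern, note in RULES:
            if re.fullmatch(pattern, name):
                findings.append((line_no, name, note))
                break
    return findings

# Constructed sample input, not taken from a real server.
SAMPLE = """[Notes]
USE_WEAK_SSL_CIPHERS=1
DEBUG_JWK_CACHE_MGR=2
OIDC_LOGIN_CLIENT_SECRET=constructed-placeholder
OIDC_LOGIN_CLOCK_SKEW_SEC=30
HTTP_BEARER_ALTERNATE_AUD_COUNT=1
HTTP_BEARER_ALTERNATE_AUD_1=api://constructed
http_bearer_allowed_id_2=constructed-client
DEBUG_HTTP_BEARER_AUTH=1
"""

if __name__ == "__main__":
    for line_no, name, note in audit_notes_ini(SAMPLE):
        print(f"line {line_no}: {name}: {note}")
```

Variables the page describes as unchanged, such as OIDC_LOGIN_CLOCK_SKEW_SEC and DEBUG_HTTP_BEARER_AUTH, are not reported.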

Enhanced OpenID Connect 1.0 (OIDC) provider support

Domino 14 improves our support for Microsoft's less-than-standard OIDC providers, as detailed in the following whitepapers published on the HCL Support site.

Support SHA256 for Internet password in Domino directory

With Domino 14.0 Early Access Drop 1, users' password hashes will now be updated to SHA256 when they change their Internet passwords in the Person Document.

The option Yes - Password verification compatible with Notes/Domino release 8.0.1 or greater in the appropriate Person document must be selected for this feature to be enabled. For more information, see Using more secure password format.