This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


Feb 12, 2018, 10:33 AM
14 Posts

Vulnerability problem (SSL)

  • Category: Security
  • Platform: Windows
  • Release: 9.0.1
  • Role:
  • Tags:
  • Replies: 4

My vulnerability software (Nessus) is showing me two problems with the certificate for Domino Console on port 2050.

 

The problem is that I can't find how to fix this. There is no certificate in Windows Server Certificate repository and there is no keyfile.kyr file on the server (this server is now web server).

Where is this certificate located, or how do I fix this issue? Domino is 8.5.3 FP6 (I know that this forum is for v9). Thanks!

 

SSL Certificate Cannot Be Trusted and SSL Self-Signed Certificate

The following certificate was found at the top of the certificate
chain sent by the remote host, but is self-signed and was not
found in the list of known certificate authorities :

|-Subject : C=US/ST=Massachusetts/L=Westford/O=Lotus Development Corporation/OU=Iris/CN=DominoConsole
|-Issuer  : C=US/ST=Massachusetts/L=Westford/O=Lotus Development Corporation/OU=Iris/CN=DominoConsole
Port: 2050 / tcp
Host: hostname.domain.com

Feb 12, 2018, 10:51 AM
103 Posts

Port 2050 is the Domino console, and IBM uses a self-signed cert to secure remote connections, which you cannot change.

A quick fix would be to block connections on port 2050 from the Internet.

Or you could also segregate traffic for internal/external connections, configure two IPs on the Domino server, and bind the console to the internal IP.

http://www-01.ibm.com/support/docview.wss?uid=swg21200803

Or you can use a reverse proxy and expose just ports 80 & 443.

Feb 12, 2018, 11:54 AM
14 Posts
New reply to: Vulnerability problem (SSL)

Thank you DPorter, but it is strange that I have several servers (same setup, Windows 2012R2, Domino 8.5.3 FP6 IF18) and some of them don't have this security issue...

Feb 12, 2018, 12:20 PM
103 Posts
Telnet

Try a telnet on port 2050 from the internet to a server which does not have the issue and the one that does. It could be that the port is blocked on the servers which are not showing up with the issue.
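The comparison suggested in this reply can be scripted so that every server is checked the same way and the certificate Nessus complains about is shown next to the reachability result. This is an added example, not part of the original thread and not IBM/HCL code. The host names are placeholders, and it assumes the console port starts TLS immediately on connect (as the scanner finding implies) and that the script runs from the same network position as the scanner.

```powershell
# Added example: compare what a scanner sees on the Domino console port across servers.
# Host names are constructed placeholders, not values from the thread.
$servers = 'domino01.example.com', 'domino02.example.com'
$port    = 2050   # Domino console port named in the thread

function Get-ConsolePortStatus {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)

    $result = [pscustomobject]@{
        Server = $ComputerName; Port = $Port; Reachable = $false
        Subject = $null; Issuer = $null; SelfSigned = $null; Note = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Plain TCP connect with a timeout: the same question the telnet test answers.
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $result.Note = 'connect timed out (filtered or host down)'
            return $result
        }
        $client.EndConnect($async)
        $result.Reachable = $true

        # Accept any certificate here: the goal is to read it, not to trust it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = $ssl.RemoteCertificate
        $result.Subject    = $cert.Subject
        $result.Issuer     = $cert.Issuer
        # Subject equal to Issuer is the condition behind the self-signed finding.
        $result.SelfSigned = ($cert.Subject -eq $cert.Issuer)
        $ssl.Dispose()
    }
    catch {
        # Connection refused, or the handshake failed (e.g. protocol version mismatch).
        $result.Note = $_.Exception.Message
    }
    finally { $client.Close() }
    return $result
}

$servers | ForEach-Object { Get-ConsolePortStatus -ComputerName $_ -Port $port } |
    Format-Table Server, Reachable, SelfSigned, Subject, Note -AutoSize
```

A server with `Reachable` false from the scanner's network will not produce the finding even though its console uses the same certificate; a server with `Reachable` true and `SelfSigned` true is one where port 2050 still needs to be filtered or bound to an internal address.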

Feb 13, 2018, 12:48 PM
14 Posts
It's something else

I have disabled Telnet on all of my servers, it must be something else... The only thing that I've done is a Domino reinstall on those servers. After the Domino reinstall, the same FP, IF and JVM are installed.

But to be sure:

Connecting To xx.xx.xx.xx...Could not open connection to the host, on port [2050]: Connect failed
Connecting To xy.xy.xy.xy...Could not open connection to the host, on port [2050]: Connect failed

Thank you for your help!

