PORT_ENC_ADV
Controls the level of port encryption and enables the use of AES tickets. Requires IBM® Domino® 9.0.1 Fix Pack 7 or later.
Description: The advanced port encryption algorithms available for use when connecting to this Domino® server.
PORT_ENC_ADV=sum
where sum is the sum of the
values in the following table that represents the options to enable:Value | Option | Additional information |
---|---|---|
1 | Enable HMAC-SHA256 integrity protection for the legacy RC4 port encryption. | Only useful for resource constrained servers that cannot handle AES encryption. |
2 | Enable AES-128 CBC rather than RC4 for confidentiality and HMAC-SHA256 for integrity. | At this time, we recommend using AES-GCM rather than AES-CBC. |
4 | Enable AES-128 GCM for confidentiality and integrity. | Current industry best practices indicate that 128 bit symmetric keys are strong enough to guard against attacks based on the classical laws of physics. |
8 | Enable AES-256 GCM for confidentiality and integrity. | 256 bit keys are expected to provide 128-bit levelprotection against attacks based on quantum computing. If AES-256 GCM is enabled without Forward Secrecy, AES-128 GCM is used instead. |
16 | Enable Forward Secrecy for port encryption using 2048 bit ephemeral Diffie-Hellman (FFDHE-2048) | Wikipedia page: https://en.wikipedia.org/wiki/Forward_secrecy |
64 | Enable AES tickets | Upgrades tickets from RC2-128 to AES-128. Best practice is to enable. Performance impact is minimal. |
The client side of the network connection advertises which algorithms it supports, and the server selects the most secure combination that both client and server support based on the service-side notes.ini setting. The most secure set of options that are supported by client and server are used. For example, if you enable all options (PORT_ENC_ADV=127), then the options that correspond to 8, 16, and 64 are used and 1, 2, and 4 are not used. When an older client connects to an upgraded server, the older algorithms are used.
Term | Description |
---|---|
AES | The Advanced Encryption Standard (AES) is a symmetric encryption algorithm. |
Confidentiality | Provides protection against eavesdropping. |
GCM | Galois/Counter Mode (GCM) provides data authenticity (integrity) and confidentiality. |
Forward Secrecy | A property of communications protocols that prevents recorded encrypted communications from being decrypted in the future even if long-term keys (Notes® ID files) are later compromised. |
integrity | Provides protection against tampering. |
port encryption | The NRPC equivalent of SSL/TLS, port encryption provides integrity and confidentiality for NRPC data in motion. |
ticket | A cryptographically generated secret used to improve the performance of NRPC authentication. |
Applies to: Servers
Default: No new options enabled.
UI equivalent: None.
Goal | Enabled options | notes.ini value |
---|---|---|
Current security best practices |
|
PORT_ENC_ADV=84 Note: If this setting causes server performance problems,
disable Forward Secrecy by changing to the following value:
PORT_ENC_ADV=68 |
Maximum security |
|
PORT_ENC_ADV=88 |
Minimum performance impact |
|
PORT_ENC_ADV=65 |