Mandating level of port encryption
Starting in 14.0.1, NRPC port encryption is enabled when clients or servers are set up, for an increased security level.
Mandated port encryption works in the following ways:
- Enables and enforces NRPC port encryption on both the client and the server. If configured by an administrator, encryption is enforced even if the other side does not request it.
- Allows the administrator to manage the enablement state of NRPC port encryption.
- Enforces mandated NRPC port encryption level for all authenticated NRPC sessions.
Prerequisites
To enable and use this feature, the primary administration server must be running 14.0.1. Note that NRPC encryption is mandated only on 14.0.1 or later clients and servers.
Configuring server ports
- An administrator can update the following ini settings on the server:
Setting | Description |
---|---|
TCPIP=TCP,0,15,0,,45056 | Encryption |
TCPIP=TCP,0,15,0,,12320 | Compression |
TCPIP=TCP,0,15,0,,45088 | Encryption + compression |
TCPIP=TCP,0,15,0,,12288 | No encryption, no compression |
- The "Port_ENC_ADV" ini setting is used to configure the newer port encryption options. There is no user interface for this configuration. If the ini setting is not defined, the following defaults apply based on version:

```c
// Bit flags for the PORT_ENC_ADV notes.ini setting
#define fPortEnc_Integ_SHA2        0x0001 // Only used with old RC4 transport encryption.
#define fPortEnc_Trans_AESCBC_128  0x0002 // 128-bit AES-CBC mode for transport encryption; always uses SHA2 for integrity.
#define fPortEnc_Trans_AESGCM_128  0x0004 // 128-bit AES in GCM mode for transport encryption; GCM mode provides integrity.
#define fPortEnc_Trans_AESGCM_256  0x0008 // 256-bit AES in GCM mode for transport encryption; GCM mode provides integrity.
                                          // Downgrades to 128-bit AES-GCM without FS.
#define fPortEnc_FS_FFDHE_2048     0x0010 // Use 2048-bit FFDHE for forward secrecy.
#define fPortEnc_FS_ECDHE_X25519   0x0020 // Use X25519 ECDHE for forward secrecy.
#define fPortEnc_Ticket_AES        0x0040 // Use AES for tickets instead of RC2.

// Default when PORT_ENC_ADV is not set: 0x0008 | 0x0020 | 0x0040 = 0x0068 (104 decimal)
static DS SEC_ENVVAR_CTX_INT PortEncAdv = {"PORT_ENC_ADV",
    ( fPortEnc_Trans_AESGCM_256 | fPortEnc_FS_ECDHE_X25519 | fPortEnc_Ticket_AES ),
    SEC_envvar_scope_Always};
```

Refer to Table 1 in Configuring the level of port encryption and authentication.
- Client settings can be controlled via policy in
- A Notes client user can change port settings from .
Configuring ini settings
The following ini settings are available for the new mandated port encryption:
Setting | Description |
---|---|
DEBUG_MANDATED_ENCRYPTION=1 | Enables debug logging, which is useful for troubleshooting. |
ENABLE_MANDATED_ENCRYPTION=1 | Enables mandated port encryption checking for inbound NRPC connections. |
ENABLE_OUTBOUND_MANDATED_ENCRYPTION=1 | Enables mandated port encryption checking for outbound NRPC connections. |
MANDATEDENC_ACTIVE_REFRESH_TIME=<# of seconds> | Defines how often the mandated port encryption configuration is refreshed on the server. The default refresh is every 24 hours; the server polls every 60 minutes. |
DEBUG_PORT_ENC_ADV=1 | Enables port encryption debug, which is useful for troubleshooting. |
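The following is an added example, not HCL's code and not part of the original page: a small Python audit that applies the TCPIP port-flag table, the fPortEnc_* bit definitions for PORT_ENC_ADV, and the ENABLE_MANDATED_ENCRYPTION / ENABLE_OUTBOUND_MANDATED_ENCRYPTION settings above to a notes.ini. The port-flag bits 0x8000 (encryption) and 0x0020 (compression) are inferred from the four documented values (12288, 45056, 12320, 45088) rather than quoted from HCL; the two notes.ini samples are constructed for illustration.

```python
"""Audit a Domino notes.ini for its NRPC port-encryption posture.

Added example; not HCL code. Port-flag bits are inferred from the four
documented TCPIP values, PORT_ENC_ADV bits come from the #define table,
and the sample ini files below are constructed for illustration.
"""

# Port-flag bits inferred from the documented TCPIP values:
# 12288 (0x3000) = neither, 45056 (0xB000) = encryption,
# 12320 (0x3020) = compression, 45088 (0xB020) = both.
PORT_FLAG_ENCRYPT = 0x8000
PORT_FLAG_COMPRESS = 0x0020

# PORT_ENC_ADV bits, as listed in the fPortEnc_* #define table.
PORTENC_BITS = {
    "Integ_SHA2": 0x0001,        # only with old RC4 transport encryption
    "Trans_AESCBC_128": 0x0002,  # AES-CBC-128, SHA2 integrity
    "Trans_AESGCM_128": 0x0004,  # AES-GCM-128, integrity from GCM
    "Trans_AESGCM_256": 0x0008,  # AES-GCM-256, downgrades to 128 without FS
    "FS_FFDHE_2048": 0x0010,     # forward secrecy via 2048-bit FFDHE
    "FS_ECDHE_X25519": 0x0020,   # forward secrecy via X25519
    "Ticket_AES": 0x0040,        # AES tickets instead of RC2
}
# Documented default when PORT_ENC_ADV is absent: AESGCM_256 | X25519 | Ticket_AES.
PORT_ENC_ADV_DEFAULT = 0x0008 | 0x0020 | 0x0040  # 0x0068


def parse_notes_ini(text):
    """Return {KEY: value} for KEY=value lines; keys upper-cased (notes.ini keys are case-insensitive)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings


def parse_int(value):
    """Accept the decimal form used in notes.ini as well as 0x-prefixed hex."""
    v = value.strip().lower()
    return int(v, 16) if v.startswith("0x") else int(v)


def port_flags(port_value):
    """Decode 'TCP, 0, 15, 0,,45056,' into {"encrypt": bool, "compress": bool}.

    The flags live in the sixth comma-separated field. If that field is absent
    the port is reported as unencrypted, the conservative reading for an audit."""
    fields = [f.strip() for f in port_value.split(",")]
    if len(fields) < 6 or not fields[5]:
        return {"encrypt": False, "compress": False}
    flags = parse_int(fields[5])
    return {"encrypt": bool(flags & PORT_FLAG_ENCRYPT),
            "compress": bool(flags & PORT_FLAG_COMPRESS)}


def port_enc_adv_names(value):
    """Names of the fPortEnc_* bits set in a PORT_ENC_ADV value."""
    return [name for name, bit in PORTENC_BITS.items() if value & bit]


def audit(text):
    """Return a list of findings; an empty list means the ini matches the 14.0.1 defaults."""
    ini = parse_notes_ini(text)
    findings = []
    # 1. Every port listed in Ports= must carry the encryption flag.
    for name in [p.strip() for p in ini.get("PORTS", "").split(",") if p.strip()]:
        if name.upper() not in ini:
            findings.append(f"{name}: listed in Ports= but has no port definition line")
            continue
        if not port_flags(ini[name.upper()])["encrypt"]:
            findings.append(f"{name}: port flags do not enable NRPC encryption")
    # 2. PORT_ENC_ADV: an absent setting means the documented default applies.
    adv = parse_int(ini["PORT_ENC_ADV"]) if "PORT_ENC_ADV" in ini else PORT_ENC_ADV_DEFAULT
    modes = set(port_enc_adv_names(adv))
    if not modes & {"Trans_AESGCM_128", "Trans_AESGCM_256"}:
        findings.append("PORT_ENC_ADV: no AES-GCM transport mode selected")
    if not modes & {"FS_FFDHE_2048", "FS_ECDHE_X25519"}:
        findings.append("PORT_ENC_ADV: no forward-secrecy key exchange selected")
    if "Ticket_AES" not in modes:
        findings.append("PORT_ENC_ADV: tickets use RC2 instead of AES")
    # 3. Mandate checking must be switched on for both directions.
    for key in ("ENABLE_MANDATED_ENCRYPTION", "ENABLE_OUTBOUND_MANDATED_ENCRYPTION"):
        if ini.get(key) != "1":
            findings.append(f"{key} is not 1: mandated encryption checking is off for that direction")
    return findings


# Constructed sample inis (not captured from a real server).
WEAK_INI = """Ports=TCPIP
TCPIP=TCP, 0, 15, 0,,12288,
PORT_ENC_ADV=2
"""
HARDENED_INI = """Ports=TCPIP
TCPIP=TCP, 0, 15, 0,,45088,
ENABLE_MANDATED_ENCRYPTION=1
ENABLE_OUTBOUND_MANDATED_ENCRYPTION=1
"""

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        result = audit(ini)
        print(f"[{label}] {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

The weak sample trips every check: its port flags are 12288 (no encryption), PORT_ENC_ADV=2 selects AES-CBC with no forward secrecy and RC2 tickets, and neither mandate switch is set. The hardened sample has no PORT_ENC_ADV line at all and is still clean, because the audit applies the documented default (0x0068) in that case, which is the behaviour an administrator should expect on a 14.0.1 server.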
Configuring mandated NRPC port encryption settings
New Directory Profile option
The DirectoryProfile form in the server address book allows Domino administrators to manage mandated NRPC port encryption settings. The following image shows the default values.
Administrators can enable logging through the Mandated port encryption logging level setting, to check and fix any configuration issues before enforcing the port encryption mandate.
Modifications to any of these mandated encryption settings will set the configuration state to "Pending".
New scheduled agent
Administrators can refresh the configuration manually on all servers, if needed, by executing the server command mndenc refreshconfig on the primary admin server. Alternatively, wait until the next configuration refresh; the server poll thread refreshes the configuration every 24 hours.