Thursday, October 27, 2022

How to Enable, or Disable, TOTP for HCL Traveler and Verse

After a discussion with fellow HCL Ambassador David Hablewitz, I realized I did not fully explain the HCL Traveler/Verse (I will just refer to it as Verse) and TOTP issue in my blog post the other day.

I intended to explain the pros and cons of using TOTP and Verse, but I neglected to explain how to enable or disable TOTP and what you do if you have one server or separate servers.

The how-to is what this post is about.

It is pretty easy to do in a proper environment where Verse sits on its own server.

You probably see something similar to this in your Internet Sites for the Verse server (ignore the 404 error page I was testing):


If you double-click the top-level Web Site document, you will see where TOTP is turned on or off. I am presuming you have already set TOTP up. The option is there because of the names.ntf template changes in R12 and R12.0.1.


If you don't want TOTP, change the selected option to "Yes" instead of "Yes with TOTP."

Simple, right? 

What if you are a smaller organization that relies on one Domino server to do anything and everything? What if you don't want Verse to have TOTP, but access to applications, or mail, should have TOTP?

My suggestion, from a security perspective, is to create a separate URL for Verse. Under R12 it is easy to create a unique hostname in your domain and get a Let's Encrypt SSL certificate for it for free.

Sidenote: I understand that you could leave it set up as it is above and turn TOTP off for the default website. You may do this because you don't want to field tons of help desk calls from users who can't change a URL, but this route would leave your whole server in a less secure mode.

Decide on the new URL, e.g. traveler.company.com, and set it up in your internal and external DNS.

Create the new Internet Site document for the unique domain. It may look something like this:







Don't forget to edit your Traveler URL section of the server document to accommodate this change.

Now restart HTTP and Traveler. Once the external DNS change takes effect, you should be prompted for TOTP at your main domain but not in Verse. I suggest you set it up and wait until the external URL works, then cut over internally.

You will need to create all the docs, so it looks like this:


And users may have to reinstall Verse to change the URL.

Once it is set up, you can turn on TOTP for Verse down the road if you wish. This also lets you move the Verse server more easily in the future, because it is no longer tied to your main server's name, just to the URL.
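The post says to wait until the exterior works before cutting over internally. As an added example (not part of the original post), the script below checks the two things that "works" depends on for the new hostname: the public resolver returns an A record for it, and the certificate presented on port 443 actually covers the name (including a wildcard for the parent domain). traveler.company.com is the post's example name; dig, openssl 1.1.1 or later, and the use of 8.8.8.8 as a public resolver are assumptions of this example, not something the post specifies.

```shell
#!/bin/sh
# Added example, not from the original post: pre-cutover check for the new
# Verse hostname. Assumes dig and openssl (1.1.1+) are installed.

# san_covers_host HOST SAN_TEXT
# SAN_TEXT is the output of `openssl x509 -noout -ext subjectAltName`, e.g.
#   X509v3 Subject Alternative Name:
#       DNS:webmail.company.com, DNS:traveler.company.com
# Returns 0 when HOST is listed as a DNS entry, or is covered by a wildcard
# entry for its parent domain (DNS:*.company.com); returns 1 otherwise.
san_covers_host() {
    host=$1
    san_text=$2
    parent=${host#*.}
    # one SAN entry per line, surrounding whitespace stripped
    entries=$(printf '%s\n' "$san_text" | tr ',' '\n' \
              | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    printf '%s\n' "$entries" | grep -qxF "DNS:$host" && return 0
    printf '%s\n' "$entries" | grep -qxF "DNS:*.$parent" && return 0
    return 1
}

# resolves_to_ipv4 DIG_OUTPUT
# DIG_OUTPUT is the output of `dig +short A HOST`. A CNAME chain prints the
# target names before the address, so accept it if any line is an IPv4 address.
resolves_to_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
}

# check_host HOST: live check against a public resolver and the server itself.
# Returns 0 only when both the DNS answer and the certificate are in order.
check_host() {
    host=$1
    # 8.8.8.8 is a constructed choice: the point is to ask an external resolver,
    # not the internal DNS that may already have the new record.
    a_records=$(dig +short A "$host" @8.8.8.8)
    if ! resolves_to_ipv4 "$a_records"; then
        echo "$host: no A record from the public resolver yet" >&2
        return 1
    fi
    san=$(printf '' | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
          | openssl x509 -noout -ext subjectAltName 2>/dev/null)
    if ! san_covers_host "$host" "$san"; then
        echo "$host: certificate on port 443 does not cover this name" >&2
        return 1
    fi
    echo "$host: public DNS and certificate OK"
}

# Usage: sh check_verse_url.sh traveler.company.com
if [ $# -gt 0 ]; then
    check_host "$1"
fi
```

Run it from a machine outside the office network so the DNS answer reflects what remote Verse users will see; a clean result for the new name, alongside TOTP still prompting on the original webmail hostname, is the signal that the external side is ready for the internal cutover.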

Tuesday, October 25, 2022

Customizing the TOTP Login Form and MFA Pages

Continuing the extension of my TOTP session from Collabsphere, I wanted to expand upon modifying the Login Form and MFA page for those who need it and want to know how to do it.

The truth is I covered this in my 2021 Collabsphere presentation, but I have since learned a few things which I want to pass on to all of you.

In 2021, I created this flowchart explaining how to add your corporate logo to the background logo.

Editing TOTP Background with your logo
How to add your company logo to the TOTP Background graphic.

Of course, you could use any graphic (just work out the scaling), but I found it easier to add my logo to the existing MFASetup1.png file.

There is a style.css file (under Resources-Style Sheets). If you find the section that references the background image, you can change the graphic to whatever you want by changing the .png file name there and, of course, adding your graphic to the Resources-Images section:

Today I found it was not letting me add a company logo to the .png with the 12.0.1 template. I had previously done it with the 12.0 template. So YMMV.

So how do we let people know it is the company's MFA login page?

I edited the form called $$LoginUserFormMFA in the domcfg5.ntf. If you don't do it in the ntf, you will lose your updates when the design task runs.

I replaced the HCL Domino text with the company name and added MFA Login Page.

While editing the text, I added the details below, which is helpful since the default page tells the user nothing.

MFA Instructions / Help

To set up and start using MFA take the following steps:

Step 1: Enter your Username and Password and press the 'Login' button.

Step 2: Follow the prompts to set up Multi-Factor Authentication; our preferred authenticator app is Duo.

Step 3: Once you have set up MFA, return to the login page. Enter your username, password, and the MFA token from your authenticator.

Step 4: Click the Login button.


Naturally, you can add whatever text you wish and probably add a popup help window, among other things, but I am just a simple admin.

Don't forget to save your changes.

While still in this form, if you go to the list of objects below the window and look for the "Window Title" object, you can edit the text there, as I have, so it says "The CompanyName MFA Login Page." And don't forget to save your changes.

I like to minimize helpdesk calls, so I want people to realize it is a legitimate site. I know, hokey, but something is better than nothing.

The hard part, and I don't suggest you do this unless you really want to do it, is to edit the MFA Setup page.

You see, it is not a page, or a form, or a view. It is a small Java file.

You would have to unarchive/unzip it, or whatever one does with Java files, edit it, recompile it, and put it back on your server.

And if you do a server update, it will wipe it out.

And you would have to do it all over again. You might be able to copy the file, but if HCL makes any changes, you are screwed, so I have decided not to mess with it.

The .ntf would also get overwritten on an update, so why do it there?

To me, it is easier to replicate and maintain a local copy of the .ntf than to do it for the java part, but again, YMMV.

My personal server page looks like this now:


If you previously had a custom login form and now want to add TOTP, I strongly suggest you copy your custom form into the $$LoginUserFormMFA and sort it out from there.

There are too many parts to TOTP and the domcfg database that would make it hard to do it in reverse.

I am sure my developer friends may make fun of me, but this was the easier (less time involved) of the two ways we tried to bring it up and make it work. Again, YMMV.

I did not touch on the use of the Notes redirector, but that is how we are using it. If you need to edit the iNotes Redirector, I wrote a few posts about it many years ago; you can click on that section at the top of my blog or use this link: https://blog.vanessabrooks.com/p/inotes-redirector.html.




Friday, October 21, 2022

To TOTP, or NOT To TOTP, Traveler/Verse users, THAT is THE Question

 

Whether 'tis nobler in the mind (of users) to suffer The slings and arrows of outrageous fortune security guidelines, Or to take arms against a sea of (illogical) troubles, And, by opposing, end their tyranny upon us?

Shakespeare will have to live with my edits.

Enjoy the video because it is THE definitive way to say the quote :-)

Now that Collabsphere has finished (it was a great event, once again managed by Richard Moy with a supporting cast of dozens of people), I had a follow-up item from my session.

I will post the slides once I find a new home now that Slideshare has gone paywall.

The question continues to arise about using TOTP for Verse (Traveler) users.

If you attended my session, you heard me discuss the one pro (I am not sure there is anything beyond "my insurance/compliance or security people require it") and the many cons.

If anyone has more PRO reasons, let me know, but for now, this is the slide I used.


Remember that current phones usually require a code, swipe pattern, fingerprint, face, or eye scan just to let you into your phone.

Then the Verse app has a login and password for itself.

Do you still need an MFA after 2 levels? 

Also, if the whole purpose of the MFA is to secure the mail application, what purpose does it serve by being on your phone if your phone is lost or stolen? Let's say the thief has the initial code (stop using your birthday, your kid's birthday, or your anniversary). Then having the MFA there is totally useless.

So, why do you want to enforce this?

Right, because your insurance company told you.

Oddly enough, they did not tell you to disable SSO (Single Sign-On), which negates any aspect of MFA a computer might have to start with. Nor do they expect you to have an MDM solution, which is really what you need for this purpose.

Traveler/Verse has some aspects of MDM, like remote wipe, but does not verify your device has the appropriate number of digits in your passcode.

So, again, why do you need to do this?

Have you asked for the technical guidance document from your insurance company?

You should let me know if any of them ever produce one. And if they have one, does it make any sense?

TOTP is URL-based, not Server or Domain-based.

You can let Verse users use the usual traveler.company.com URL without TOTP while keeping TOTP enabled for webmail.company.com; see my slide below.



Yes, you can change the TOTP time-out setting (https://help.hcltechsw.com/traveler/12.0.0/auth_timeout_totp.html), which I did on my personal server, so I only log in with TOTP if my phone has been off for more than 18 hours. This happens every weekend: I shut it off an hour before sunset and turn it back on after sunset on Saturday.

The choice is yours, as the Admin, but you will have more help desk tickets every Monday morning and possibly every time a user flies, and they will think they are locked out.

So, in the immortal words of the Bard of Avon,

 "Out of this nettle - danger - we pluck this flower - safety."

'Henry IV, Part 1' (1597) act 2, sc. 3, l. [11]