Domino Consulting - HCL Domino Administrator 11.0.1 Help

CONFIGURING

PORT_ENC_ADV

Controls the level of port encryption and enables the use of AES tickets. Requires IBM® Domino® 9.0.1 Fix Pack 7 or later.

Description: The advanced port encryption algorithms available for use when connecting to this Domino server.

Syntax:PORT_ENC_ADV=sum where sum is the sum of the values in the following table that represents the options to enable:

Table 1. Advanced port encryption algorithm options

Value Option Additional information

1 Enable HMAC-SHA256 integrity protection for the legacy RC4 port encryption. Only useful for resource constrained servers that cannot handle AES encryption.

2 Enable AES-128 CBC rather than RC4 for confidentiality and HMAC-SHA256 for integrity. At this time, we recommend using AES-GCM rather than AES-CBC.

4 Enable AES-128 GCM for confidentiality and integrity. Current industry best practices indicate that 128 bit symmetric keys are strong enough to guard against attacks based on the classical laws of physics.

8 Enable AES-256 GCM for confidentiality and integrity. 256 bit keys are expected to provide "128-bit level" protection against attacks based on quantum computing. If AES-256 GCM is enabled without Forward Secrecy, AES-128 GCM is used instead.

16 Enable Forward Secrecy for port encryption using 2048 bit ephemeral Diffie-Hellman (FFDHE-2048) Wikipedia page: https://en.wikipedia.org/wiki/Forward_secrecy

64 Enable AES tickets Upgrades tickets from RC2-128 to AES-128. Best practice is to enable. Performance impact is minimal.

The client side of the network connection advertises which algorithms it supports, and the server selects the most secure combination that both client and server support based on the service-side notes.ini setting. The most secure set of options that are supported by client and server are used. For example, if you enable all options (PORT_ENC_ADV=127), then the options that correspond to 8, 16, and 64 are used and 1, 2, and 4 are not used. When an older client connects to an upgraded server, the older algorithms are used.

Table 2. Description of terms

Term Description

AES The Advanced Encryption Standard (AES) is a symmetric encryption algorithm.

Confidentiality Provides protection against eavesdropping.

GCM Galois/Counter Mode (GCM) provides data authenticity (integrity) and confidentiality.

Forward Secrecy A property of communications protocols that prevents recorded encrypted communications from being decrypted in the future even if long-term keys (Notes® ID files) are later compromised.

integrity Provides protection against tampering.

port encryption The NRPC equivalent of SSL/TLS, port encryption provides integrity and confidentiality for NRPC data in motion.

ticket A cryptographically generated secret used to improve the performance of NRPC authentication.

Applies to: Servers

Default: No new options enabled.

UI equivalent: None.

Examples

Table 3. Examples

Goal Enabled options notes.ini value

Current security best practices

(4) Enable AES-128 GCM for port encryption and transport integrity
(16) Forward Secrecy
(64) Enable AES tickets
PORT_ENC_ADV=84
Note: If this setting causes server performance problems, disable Forward Secrecy by changing to the following value:PORT_ENC_ADV=68

Maximum security

(8) AES-256 GCM for port encryption and transport integrity
(16) Forward Secrecy
(64) AES tickets
PORT_ENC_ADV=88

Minimum performance impact

(1) HMAC-SHA256 for transport integrity and continue to use 128-bit RC4 for network traffic.
(64) AES tickets
PORT_ENC_ADV=65

Parent topic: NOTES.INI Settings

Related reference
TICKET_ALG_SHA

Related information
Download Options for Notes & Domino 9.0.1 Fix Packs

Help on Help

All Help Contents

Help on Help

All Help Contents

Value	Option	Additional information
1	Enable HMAC-SHA256 integrity protection for the legacy RC4 port encryption.	Only useful for resource constrained servers that cannot handle AES encryption.
2	Enable AES-128 CBC rather than RC4 for confidentiality and HMAC-SHA256 for integrity.	At this time, we recommend using AES-GCM rather than AES-CBC.
4	Enable AES-128 GCM for confidentiality and integrity.	Current industry best practices indicate that 128 bit symmetric keys are strong enough to guard against attacks based on the classical laws of physics.
8	Enable AES-256 GCM for confidentiality and integrity.	256 bit keys are expected to provide "128-bit level" protection against attacks based on quantum computing. If AES-256 GCM is enabled without Forward Secrecy, AES-128 GCM is used instead.
16	Enable Forward Secrecy for port encryption using 2048 bit ephemeral Diffie-Hellman (FFDHE-2048)	Wikipedia page: https://en.wikipedia.org/wiki/Forward_secrecy
64	Enable AES tickets	Upgrades tickets from RC2-128 to AES-128. Best practice is to enable. Performance impact is minimal.

Term	Description
AES	The Advanced Encryption Standard (AES) is a symmetric encryption algorithm.
Confidentiality	Provides protection against eavesdropping.
GCM	Galois/Counter Mode (GCM) provides data authenticity (integrity) and confidentiality.
Forward Secrecy	A property of communications protocols that prevents recorded encrypted communications from being decrypted in the future even if long-term keys (Notes® ID files) are later compromised.
integrity	Provides protection against tampering.
port encryption	The NRPC equivalent of SSL/TLS, port encryption provides integrity and confidentiality for NRPC data in motion.
ticket	A cryptographically generated secret used to improve the performance of NRPC authentication.

Goal	Enabled options	`notes.ini` value
Current security best practices	(4) Enable AES-128 GCM for port encryption and transport integrity (16) Forward Secrecy (64) Enable AES tickets	`PORT_ENC_ADV=84` Note: If this setting causes server performance problems, disable Forward Secrecy by changing to the following value:`PORT_ENC_ADV=68`
Maximum security	(8) AES-256 GCM for port encryption and transport integrity (16) Forward Secrecy (64) AES tickets	`PORT_ENC_ADV=88`
Minimum performance impact	(1) HMAC-SHA256 for transport integrity and continue to use 128-bit RC4 for network traffic. (64) AES tickets	`PORT_ENC_ADV=65`