Dennis' Domino Blog

Security enhancements in iNotes 8.5.2 may require configuration changes in environments with reverse proxies

06/17/11 10:27 am, Categories: Administration, IBM, Lotus, security, Netscaler
I was playing with the application firewall in the Citrix NetScaler and noticed that a cookie I had never seen before was getting blocked.

Some quick Googling gave me Technote swg21453878. Please read it if you are using firewall/reverse proxy products in front of iNotes (or webadmin, for that matter).

Technote (troubleshooting)

Some security enhancements were introduced in iNotes 8.5.2 to prevent potential Cross Site Request Forgery (CSRF) attacks, and as part of these security enhancements, there are special considerations that should be made in environments that utilize reverse proxies. Upon sending POST requests to Domino, users may encounter 400 errors on the iNotes console, and administrators may see messages similar to the following on the console:

"iNotes XSS Security: Invalid Request, missing expected nonce value; with Referer: '%s'. Request not processed, throwing exception."

"iNotes XSS Security: Invalid Request, unexpected nonce value; with Referer: '%s'. Request not processed, throwing exception."

To mitigate these issues, the following two changes should be noted and accounted for:

1) When using basic authentication (session authentication disabled), we will now utilize the ShimmerS cookie. Previously, this cookie was only used when Domino was set up for session authentication; now it is used no matter what authentication scheme is in place.

2) There is a new extended header field that iNotes utilizes named "X-IBM-INOTES-NONCE". This header field must be allowed to pass freely between the client and server for iNotes to function properly.

In addition to these considerations, please note that some products (including Juniper VPNs) utilize mechanisms that cache or obfuscate cookies so that they are not held in their original form in the browser. Exceptions need to be made for the ShimmerS cookie for iNotes to function properly.

Resolving the problem

Take steps to allow the ShimmerS cookie and the "X-IBM-INOTES-NONCE" field to pass freely and untouched between the browser and Domino.
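The following is an added example, not code from the technote or from IBM, that models why the two console messages above appear when a proxy interferes. It assumes the server binds the X-IBM-INOTES-NONCE value to the ShimmerS cookie with a keyed hash (Domino's actual derivation is not described here), and it constructs all request headers and cookie values inline. A header-stripping proxy produces the "missing expected nonce value" path; a proxy that replaces the cookie with an opaque token produces the "unexpected nonce value" path; a proxy that lets both pass untouched is accepted.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

# Names taken from the technote quoted above.
NONCE_HEADER = "X-IBM-INOTES-NONCE"
SESSION_COOKIE = "ShimmerS"

# Assumption: the server ties the nonce to the session cookie with an HMAC
# under a server-side secret. The real Domino derivation is not on the page.
SERVER_SECRET = b"constructed-server-secret"

MSG_MISSING = ("iNotes XSS Security: Invalid Request, missing expected nonce value; "
               "with Referer: '%s'. Request not processed, throwing exception.")
MSG_UNEXPECTED = ("iNotes XSS Security: Invalid Request, unexpected nonce value; "
                  "with Referer: '%s'. Request not processed, throwing exception.")


def expected_nonce(shimmers: str) -> str:
    """Nonce the server expects for a given ShimmerS value (assumed HMAC binding)."""
    return hmac.new(SERVER_SECRET, shimmers.encode(), hashlib.sha256).hexdigest()[:32]


def _lower(headers: dict) -> dict:
    # HTTP header names are case-insensitive; normalise before lookup.
    return {k.lower(): v for k, v in headers.items()}


def check_post(headers: dict) -> tuple:
    """Server-side CSRF check modelled on the two console messages quoted above.

    Returns (HTTP status, console line); (200, "") when the POST is accepted.
    """
    hdrs = _lower(headers)
    referer = hdrs.get("referer", "")
    nonce = hdrs.get(NONCE_HEADER.lower())
    if nonce is None:
        # The proxy never forwarded the header at all.
        return 400, MSG_MISSING % referer
    jar = SimpleCookie()
    jar.load(hdrs.get("cookie", ""))
    shimmers = jar[SESSION_COOKIE].value if SESSION_COOKIE in jar else ""
    # Constant-time compare so the check itself does not leak the expected value.
    if not hmac.compare_digest(nonce, expected_nonce(shimmers)):
        # Header present but no longer matches the cookie the server sees.
        return 400, MSG_UNEXPECTED % referer
    return 200, ""


def through_proxy(headers: dict, drop=(), cookie_rewrite=None) -> dict:
    """Model a reverse proxy/WAF in front of Domino.

    `drop` lists header names the device refuses to forward; `cookie_rewrite`
    replaces the Cookie header with an opaque token, the obfuscation the
    technote attributes to some VPN products.
    """
    drop_l = {d.lower() for d in drop}
    out = {k: v for k, v in headers.items() if k.lower() not in drop_l}
    if cookie_rewrite is not None:
        out = {k: (cookie_rewrite if k.lower() == "cookie" else v) for k, v in out.items()}
    return out


def browser_request(shimmers: str) -> dict:
    """Constructed POST headers as a well-behaved iNotes client would send them."""
    return {
        "Referer": "https://mail.example.test/mail/user.nsf/iNotes/Proxy/",  # constructed
        "Cookie": f"{SESSION_COOKIE}={shimmers}",
        NONCE_HEADER: expected_nonce(shimmers),
    }


def run_scenarios() -> dict:
    """Direct path versus three proxy behaviours; returns {scenario: HTTP status}."""
    req = browser_request("constructed-session-value")
    return {
        "direct": check_post(req)[0],
        "proxy_drops_nonce_header": check_post(through_proxy(req, drop={NONCE_HEADER}))[0],
        "proxy_rewrites_cookie": check_post(
            through_proxy(req, cookie_rewrite=f"{SESSION_COOKIE}=opaque-proxy-token"))[0],
        "proxy_passes_both_untouched": check_post(through_proxy(req, drop={"X-Unrelated"}))[0],
    }


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name:30s} -> HTTP {status}")
```

When troubleshooting a real deployment, the same three cases are what to compare: capture the POST as the browser sends it and as Domino receives it, and confirm that both the X-IBM-INOTES-NONCE header and the ShimmerS cookie value are byte-for-byte identical on both sides.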

©2017 by Dennis van Remortel
