Moving Android devices from unsecure to secure communication with IBM Notes Traveler
IBM released a very smart way to switch Android devices to HTTPS communication with IBM Notes Traveler servers:
Your IBM Verse for Android applications connect to your on-premises IBM Traveler server using an unencrypted HTTP connection instead of an encrypted HTTPS connection. Since the IBM Traveler server can use unencrypted HTTP connections immediately without any additional setup, some installations may have skipped the HTTPS setup procedures prior to deploying Verse for Android to users. To ensure that all your communications are encrypted, first enable HTTPS either on your IBM Traveler server or on an edge proxy. Then ensure the IBM Verse for Android app begins using the encrypted connection without requiring any manual intervention from your users.
Resolving the problem
This feature requires the following components at the specified minimum version levels:
· IBM Traveler server, version 18.104.22.168 (or later)
· IBM Verse for Android app, version 22.214.171.124 (or later)
If all the IBM Verse for Android apps have not yet upgraded to the required minimum level prior to the completion of these steps, then it is recommended you keep HTTP port 80 enabled until you can ensure all apps have been upgraded. It is not required that all users upgrade at the same time.
1. Enable your IBM Traveler server to use HTTPS. Typically, this will be the Domino server that hosts your Traveler server, but it could also be an edge proxy. If this is a Domino server, Domino 9.0.1 fp5 or later is recommended. See the following for more information on this task:
Also reference the article Securing connections for IBM Traveler mobile applications for the latest updates on security requirements for IBM Traveler servers and mobile apps.
2. Update the "External Server URL" field on the Traveler server to change the current server URL to start with “https://” instead of "http://". This can be done either through the current configuration document, by updating notes.ini, or by using the domino console. For more information, see:
3. Before forcing all IBM Verse for Android apps to use the new URL, test the HTTPS connection to ensure that it works properly. The first test is to ensure that the HTTPS port is working properly and routing to the IBM Traveler server. You can use a web browser to easily validate this. Open a browser page, connect to your Traveler Server External URL, and login using an ID. For example, if your Traveler server External URL is https://traveler.example.com/traveler, use a web browser to connect to that page and validate that you do not see any errors.
4. Test the setup with a few devices that are connected to your IBM Traveler server using the HTTP connection. To do this, issue these commands at the domino console:
tell traveler policy setdevice tsExternalURLEnforced=1 <deviceId> <user>
tell traveler push flagsadd serviceability configGet <deviceId> <user>
Where <deviceId> and <user> are the device ID and user you are testing.You can obtain the <deviceId> of a user that has previously connected to the Traveler server using the command:
tell traveler show <userid>
5. Sync the test devices to ensure that the sync is working properly. From within the Verse for Android app, open Settings > Server and validate that the field called Use Secure Protocol is checked.
NOTE: Ensure that everything syncs normally and shows as secure. If you push an incorrect server URL to the mobile app, the only way to recover is to remove and reinstall the Verse app on the device.
6. After you have verified that the External Server URL is correct and your migrated device can sync, set the IBM Traveler server to enforce this property for all devices by entering the following command into the Domino server console:
set config NTS_EXTERNAL_URL_ENFORCED=true
This command migrates the rest of your IBM Verse for Android apps (that meet the minimum level) to use your secure server URL.
7. Restart the IBM Traveler server to have the settings take effect.
8. Once all your IBM Verse for Android apps have been updated, you can disable the HTTP port on your Domino server, assuming it is not required for other applications that are using the same server.