Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration

Query results for: Administration

Admin Client - custom icons for each domain? - 10 June 2023

Thomas Hampel

When you have to manage multiple Domains in your Admin client, finding the right domain
This example here is just showing two Domino Domains, but there are admins out there with 100+ domains to manage.
Maybe you want some custom icons then?


Image:Admin Client - custom icons for each domain?

The icons displayed on the left side are nothing other than an Outline stored in the bookmark.nsf application on your client.
Of course you could edit the design manually:

First you need to upload the preferred icon image as an image resource, then you can edit the Outline called "AdminBookmarkOrder"


Image:Admin Client - custom icons for each domain?

to select the image of your choice

Image:Admin Client - custom icons for each domain?

Even better if you can do this with a small script:




%REM
     Created Jun 10, 2023 by Thomas Hampel
     Description: Sets the bookmark icon of a domain entry in the Admin client
%END REM
Option Public
Option Declare

Sub Initialize
     Dim s As New NotesSession
     '# domain label as shown in the Admin client, and the name of the image resource in bookmark.nsf
     Call SetAdminBookmarkImage("INTERN", "HCL Domino_Color_Icon_32.png")
End Sub

%REM
     Function SetAdminBookmarkImage
     Description: Changes the image of the outline entry for the given domain in the
     "AdminBookmarkOrder" outline of the local bookmark.nsf
%END REM
Function SetAdminBookmarkImage(DomainName As String, ImageName As String) As Boolean
     Dim outline As NotesOutline
     Dim oe As NotesOutlineEntry
     SetAdminBookmarkImage = False

     '# open bookmark.nsf locally (empty server name = local client)
     Dim db As New NotesDatabase("", "bookmark.nsf")
     If Not db.IsOpen Then
          Print "Unable to open bookmark.nsf"
          Exit Function
     End If

     '# get Outline
     Set outline = db.GetOutline("AdminBookmarkOrder")
     If outline Is Nothing Then
          Print "Outline AdminBookmarkOrder not found"
          Exit Function
     End If
     Set oe = outline.GetFirst()

     '# first Outline entry (must) have label "($Admin)"
     If Not oe Is Nothing Then
          If oe.Label = "($Admin)" Then
               '# step one level down: the children are the domain entries
               Set oe = outline.GetChild(oe)

               '# loop all children
               While Not oe Is Nothing
                    If oe.Label = DomainName Then
                         '# set the image resource used for this entry
                         Print "Changing bookmark icon image of " & oe.Label & " to " & ImageName
                         oe.ImagesText = ImageName
                         Call outline.Save()
                    End If
                    Set oe = outline.GetNextSibling(oe)
               Wend
          End If
     End If

     SetAdminBookmarkImage = True
End Function


The Bad News:

Your customizations will disappear when you refresh the list of servers.

Good news:

1. In Domino V14 you'll have Admin Central, a new Domino application to manage your environment, where each Domain will be one database icon on your workspace.
2. After refreshing the list of servers you could just run the script again.


References:

AdminClientDomainBookmarkIcon.lss

We need your input - Domino Admin Survey - 18 April 2023

Thomas Hampel

Hey Domino Administrators out there,

HCL is looking for your input regarding how you are managing your environment.

Can you please help by answering this small survey?

It is completely anonymous and consists of a few questions to gather information on how Domino is used and how software updates are handled by Domino customers.

It should take less than 3min. to complete.


If you are managing more than one Domino environment please submit a survey for each one.

https://hclsw.co/domino-admin-survey

Image:We need your input - Domino Admin Survey

How to run HCL Domino on a QNAP NAS - 21 March 2023

Thomas Hampel

Image:How to run HCL Domino on a QNAP NAS

Some time ago I've done a demo running Domino on a QNAP network attached storage device.
Thanks to Docker and the Domino Container project which Daniel and I are maintaining, running a fully featured Domino environment incl. Verse, Nomad, Rest API, Traveler and Leap is not a problem even on entry level hardware.

Details and step-by-step instructions have been published here in the Domino container project documentation.
Enjoy reading!

Help! DAOS files have been removed - the impact of a misconfigured backup job - 22 February 2023

Thomas Hampel

Recently a customer approached me with a request for help. I'd like to briefly share the story here because it was an interesting case.

On a Friday, the Domino team noticed severe problems with loading attachments, users reported they are no longer able to open attachments.

It seems like no single DAOS object can be opened anymore by the server.

Domino servers are reporting: Error 0x80070780: The file cannot be accessed by the system.


Checking the DAOS repository on the Domino server's disk revealed that those files are displayed with a file size of XX MByte but actually have a size of ZERO BYTES (!!!)

Image:Help! DAOS files have been removed - the impact of a misconfigured backup job

Potential cause? Maybe a broken hard disc or filesystem? People even assumed Domino itself would be responsible for destroying DAOS objects on disk.

To mitigate the issue, a full restore of all DAOS objects was initiated, which took a couple of hours. Afterwards it seemed the situation was resolved.

However, just one day later the same problem appeared: all DAOS objects again had a size of 0 bytes, with millions of DAOS objects being affected.


Root cause:

It turned out the backup software ( Commvault ) was misconfigured - instead of taking a backup of DAOS objects it was configured for >archiving< them.

Archiving in this case means that files will be moved to the backup environment but a 0 byte place holder will remain.

One could argue that the user interface of the Commvault backup software makes it easy to click the wrong option, as both are listed next to each other.
There is no visible difference between the configuration screens later on, so unfortunately it was a human error to click the wrong option.

Image:Help! DAOS files have been removed - the impact of a misconfigured backup job

Solution:

Initiate a restore job for the files that were archived to the Commvault environment.

https://documentation.commvault.com/v11/essential/134649_restoring_archived_data.html

Lessons learned:

Don't blame the top level application for a failure just because it is the most impacted.
Open a support ticket at HCL and work together as a team to investigate and resolve the issue.

Domino on Docker Project Updates - 23 July 2019

Thomas Hampel

Daniel and I are working on the Domino on Docker project, which has been around for a while. We are constantly updating it with more functionality.
Besides the main functionality of providing an automated installation, we have a management script that can help to build custom Domino docker images, e.g. for including applications.
We are working on making the resulting image more flexible. The first version only allowed automatically setting up a first server in a new Domain, but customers already have an environment and either want to set up an additional server in an existing domain or at least have a cross certified environment.

What's new:
1. Additional server setup
You can now specify an existing server.id and an existing server to get the system databases from. You still need to register the second server.id manually in your Domino Directory, but the ID file no longer needs to be copied.
Just set the environment variable ServerIDfile to point to a location (local or http/https) from where the server.id file can be downloaded, and the container startup routine will take care of automatically setting up your second server.

2. Add your own data into a container at initial startup
The big challenge is how to bring in data into a new container automatically. Distributing server.id files, templates, or even full applications.
We looked at different approaches which included "Docker secrets", shared volumes and other options.
For improving flexibility we decided to use configurable http/https download links which can be used to download a server.id or an additional data-directory.zip which is automatically expanded at first server start.
This would be for example a way for business partners to deploy their software on top of the image. Or for a customer to deploy their applications or specific adoptions.
All you have to do is to specify an environment variable CustomNotesdataZip (attention, case sensitive!) pointing to a zip file that will be downloaded and extracted into the container at runtime.

3. Scriptable configuration
Now that you have provided your own templates - how do you turn them into an application, how do you change ACLs, or server settings at runtime?
We have added a method to automatically configure a server based on a config JSON file. This can be used to create databases, change groups, change server settings etc.
The configuration is applied before starting up the (new) Domino server for the first time and also allows to sign applications, change the ACL of databases.
...and there are even more configuration options to come.


4. More flexible deployment options
In previous versions there was image specific data in the /local directory.
So we moved that data to a separate directory to optionally allow /local to be mapped to a volume instead of having multiple volumes for /local/notesdata, /local/translog and /local/daos.
Mounting /local to a single volume will work fine, but if you want to build a high performance Domino server we are recommending to have separate volumes for those different parts. We even added directories for nif and ft to allow separate volumes for those parts as well.
The Docker volume mapping is comparable to creating mount points. It's about providing most flexibility with best practices in mind.

5. Preparation for new binary location
The project now includes a new start script version 3.3.0 which is already prepared for the change of the default program directory location ( /opt/ibm/domino ) with Domino 11.
The start script and all docker image script files have been prepared to support a different binary location in future. All places in the scripts use standard variables, and we will keep the LOTUS variable pointing to the binary location.

Feedback & Future planning
One of the next features will be to allow cross certification with existing IDs. The certifier.id currently stays on the first installed machine, so the idea is to cross certify a provided safe.id.
This is especially helpful for creating test environments. A small server task will take care of cross certifying a safe.id and adding it to the LocalDomainAdmin group.
Another idea is to integrate this functionality into the toolchain which sets up the server; we have not decided yet.
We are looking for your feedback, so leave a comment with your suggestions for improvement or create an issue in our domino-docker project.

Domino SingleSignOn - Level 5 - SAML Federated Authentication for Browser Clients using ADFS - 20 February 2017

Thomas Hampel

This is the fifth post out of a series of blog posts describing how to move from password based to seamless authentication.
In previous posts I've been discussing LDAP and SPNEGO configurations, which is okay for Windows environments but not sufficient for mixed or very distributed environments.
The next stage is to enter the 21st century by using SAML authentication for your on premises servers.

Level 5 - SAML Federated Authentication for Browser Clients

SAML authentication - Security Assertion Markup Language - allows Browser clients to authenticate against Domino without submitting credentials to the Domino server.
When a browser client is trying to access a Domino resource (=Web site) where SAML is enabled, Domino will refer the browser to the SAML Identity Provider configured for this web site.
The Identity Provider (e.g. IBM Federated Identity Manager or Microsoft Active Directory Federation Services server) will authenticate a user either by prompting for username & password, or by using seamless authentication such as Windows integrated authentication / Kerberos. In both cases the authentication authority remains with the Identity Provider, so that's where you define how a user is authenticated (WIA, 2FactorAuth, etc.).

The default scenario for an identity provider initiated logon is a web page provided by the ADFS server where users can select what resource they want to sign in to.
Image:Domino SingleSignOn - Level 5 - SAML Federated Authentication for Browser Clients using ADFS
It is also possible to initiate the authentication from the service provider. When Domino needs to authenticate a browser user, it redirects the user to the identity provider.
Using ADFS it is possible to add a URL parameter that redirects the authenticated user to another site:
https://your-adfs-server.company.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=https://domino.company.com/names.nsf

Pros and Cons

+ Seamless authentication for browser clients
+ Independent from operating system of server
- Doesn't work for Traveler
- This blog post only handles browser clients, but not the Notes client.

Idea and Concept

For a better understanding of the SingleSignOn SPNEGO and SAML please see Gabriella's presentation Simplifying The S's: Single Sign-On, SPNEGO and SAML

Prerequisites
  • You have completed Level 1 - LDAP Authentication
  • Domino Server must be running version 9.0.1 or above and -to be on the safe side- should have a current fix / feature pack applied
  • Microsoft ADFS 2.0 or 3.0 server (or any other supported SAML Identity Provider)
  • SSL is enabled on Domino and the ADFS server
  • Active Directory User Object must have an attribute (e.g. internet address) in common with the Domino Directory person document of the Notes user.
  • All servers involved in SAML authentication must use time synchronization because SAML depends on time stamps to be correct.

How to configure SAML for Domino

Andy Pedisich did a great job in pulling together all required information in his IBM Connect presentation SHOW100 - AD + SAML + Kerberos + IBM Notes and Domino = SSO!
Since the presentation already covers all the details, I'm only going to highlight the main actions
  • Set up and Configure a SAML Identity provider, e.g. Microsoft ADFS Server or a free alternative  
  • Create and configure the IDP Catalog (idpcat.nsf) - slide #32
  • Create a Relying Party Trust in ADFS
  • Update Internet Site Configuration to use SAML for session authentication instead of Multi Servers (SSO)
    Image:Domino SingleSignOn - Level 5 - SAML Federated Authentication for Browser Clients using ADFS
Although Andy's presentation includes more details on using SAML for the Notes client, I am keeping this blog post limited to browser clients as I will be publishing a blog post just for SAML authentication in the Notes client shortly.

Result:

Seamless authentication works fine as before but now using ADFS as identity provider.
Domino servers will never get the username/password of the users - your security folks will like that.
This is the foundation for establishing Multi-Factor Authentication based on ADFS / SAML by your ADFS admin.

References:

Domino SingleSignOn - Level 4 - Seamless Kerberos authentication via SPNEGO with fallback option - 16 February 2017

Thomas Hampel

This is the fourth post out of a series of blog posts describing how to move from password based to seamless authentication.
In Level 3 - SPNEGO I have explained how to configure SPNEGO authentication for providing seamless authentication. A drawback of this method was that users can only log in with the current OS user; switching to a different context was not possible. In this level I am providing a solution to switch the user without switching the OS user.

Level 4 - SPNEGO with fallback option

The SPNEGO configuration from Level 3 - SPNEGO alone will automatically log in the user with his OS credentials. There are cases where the machine is used by multiple users who, for whatever reason, share the same OS user, where the OS user is not a member of the Active Directory, or where the current OS user doesn't have the required Notes name listed in LDAP. Think of kiosk machines, where the OS user has little to no access rights in corporate applications. So we would like to provide them with an option to authenticate with credentials other than those of the OS user.

Pros and Cons

+ Seamless authentication for browser clients on Windows
+ Ability to switch user without logging off/on from OS
- It's Windows only
- Doesn't work for Traveler and Sametime

Prerequisites
  • You have successfully completed Level 3 - SPNEGO
  • You have (at least) two IP addresses on your Domino server or have at least two Domino servers in your environment

Idea and Concept

The main idea is to handle login and "not authenticated" errors and redirect user sessions to a fallback authentication page hosted on a Domino server that does not use SPNEGO.
This brief workflow diagram describes how it's done:
Image:Domino SingleSignOn - Level 4 - Seamless Kerberos authentication via SPNEGO with fallback option
The first part of the authentication flow is shown in the "Conceptual Overview" graphic in this article; the sequence is as follows:
1. The user is trying to access a protected resource (e.g. “serviceurl.company.com”) using a web browser. The browser establishes an SSL session on port 443 and sends an HTTP GET/POST request.
2. Domino returns HTTP 401 WWW-Authenticate: Negotiate
3. The client sends the HTTP GET/POST request via SSL with an Authorization header carrying the SPNEGO token.
4. Domino verifies that the token format received from the browser is SPNEGO.
5. Domino validates the ticket against the Kerberos Domain Controller to authenticate the user.
6. Once the Kerberos name is returned, Domino makes an outbound call in order to find the Domino distinguished name (e.g. attribute “mailNickname”) within Active Directory by looking up the Kerberos name. For successful authentication the result is a Notes user name which will be used for this session; continue with 7a. For unsuccessful authentication the result is HTTP Not Authorized; continue with 7b.
7a. Domino returns an LTPAToken to the client and proceeds to the requested resource by verifying access rights in the ACL. At this point the user is authenticated and the process ends here.
7b. Domino returns HTTP 403 Not Authorized. The user will be redirected to a custom logon page for non-SPNEGO users; continue with step #9 in the next chapter.



For a concept with a fallback option you'll need at least two internet sites or two Domino servers, with a different configuration for each.
Users trying to access a protected resource (e.g. an application) that they are not authorized to use will get a custom error page returned with JavaScript that redirects to a non-SPNEGO site.
This graphic shows two Domino servers where one is using internet sites and one is using an old style web configuration; both use a web SSO configuration document called "LtpaToken".
Image:Domino SingleSignOn - Level 4 - Seamless Kerberos authentication via SPNEGO with fallback option
8. The user was trying to access a protected resource (e.g. “authenticationURL.company.com”) using a web browser. The browser establishes an SSL session on port 443 and sends an HTTP GET/POST request. Internally Domino returns HTTP 403 Not Authorized, which causes Domino to check whether a custom error handler has been configured for the requested URL.
9. Domino returns the custom error page configured for this URL. If no custom error handler has been configured, only the browser's default error message for HTTP 403 Not Authorized is displayed.
10. The browser renders the custom error page, which contains JavaScript to redirect the client to a fallback authentication page.



Depending on the type of resource, a custom login page will be displayed, either the iNotes login page or a custom one.
Image:Domino SingleSignOn - Level 4 - Seamless Kerberos authentication via SPNEGO with fallback option

More details:
11. The user is trying to access a protected resource using a web browser. The browser establishes an SSL session on port 443 and sends an HTTP GET/POST request.
12. Domino returns the username/password dialog box configured for this URL. The layout of this form depends on the URL requested; see domcfg.nsf.
13. The user enters his Active Directory or Domino HTTP username/password. Credentials are sent via SSL to the server for verification.
14. Domino verifies the credentials against the directories configured in its directory assistance database. Multiple directories can be specified; Domino will process all of them. The connection to an Active Directory server is established via LDAP/SSL using the credentials configured in the directory assistance database.
15. For successfully authenticated users, the AD user object is returned to Domino. Domino reads the attribute “mailNickname” from the user object and uses it as the Notes user name for the session.
16. Domino returns an LTPAToken to the client and verifies access rights in the ACL of the requested resource, or redirects the user back to the URL he wanted to access in the beginning.
17. The browser receives the LTPAToken in the form of a cookie which is valid for the DNS domain defined in the Web SSO key. At this point the user is authenticated. The browser can now present this cookie to any server that is a member of this DNS domain to identify the user.



How to...

Assuming LDAP authentication + SPNEGO have been configured already + domcfg.nsf exists, here is what to do:

1. Create a Web SSO Configuration for SPNEGO Enabled

In this example I'm using "DominoSPNEGOEnabled" as the configuration name.
  • Organization: yourCompany
  • DNS Domain: .yourdomain.com
  • Map names in LTPA tokens: Enabled
  • Require SSL protected communication (HTTPS): Disabled
  • Restrict use of the SSO token to HTTP/HTTPS: Disabled
  • Configuration Name: DominoSPNEGOEnabled
  • Participating Server Names: list of all servers in the Domain
  • Windows single sign-on integration (if available): Enabled
  • Token Expiration: 180 minutes



2. Create a Web SSO Configuration for SPNEGO Disabled

Copy and paste the document for the SPNEGO enabled configuration, and change the following elements:
  • Configuration Name: DominoSPNEGODisabled
  • Windows single sign-on integration (if available): Disabled
Key is to have the same WebSSO key for both configurations, which is a value computed when creating a new document. So make sure to copy/paste the existing Web SSO Configuration document to obtain the same key. In case the key will be changed, make sure to update the document which you copied accordingly.

3. Create Internet Site Documents

Prerequisite for the configuration is to use internet site documents for Domino servers providing HTTP services.
Each of the Internet Sites should be configured to use the Web SSO configuration created before:
  • Web SSO Configuration: DominoSPNEGOEnabled
    This is the name of the Web SSO Key created in the previous step.
  • Force login on SSL: Yes
Then create another Internet Site document to be used as the authentication URL, which will use the DominoSPNEGODisabled configuration.

Note that you should use an SSL certificate for each domain. When both internet site documents are located on the same server, you'll need one IP address for each domain to properly handle the SSL certificate binding.
If you only have one IP address per server, you need two servers where one is using internet sites and one is using web configurations.
Hint: To use the same SSO Key for both types you need to copy/paste the WebSSO document and remove (or add) the company field in one of them.

4. Create a Custom Login Form Mapping

This provides a username/password dialog box that is displayed when SPNEGO can not be used, as an alternative for authenticating via username/password.
This form can be customized according to your needs; I'm using the iNotes login form here.
Target Database : Domcfg.nsf
Target Form : iNotesLoginForm

5. Create a Custom ‘Not Authorized’ Error Form

This form will be displayed to users who have successfully authenticated against Domino/Active Directory but are not allowed to access the application.
Open the file “domcfg.nsf” in your Domino Designer client, and create a new form called “NotAuthorized”
  • Set the Window Title to “Not Authorized”
  • Set the HTML Head Content to client/formula:
Image:Domino SingleSignOn - Level 4 - Seamless Kerberos authentication via SPNEGO with fallback option
  • Add one new field “database” of type text/computed for display
    Formula : @UrlQueryString( "database" )
  • Add some HTML code to the body of the form indicating that there is no access to this resource, and mark it as passthru-html using the menu “Text\Passthru-HTML”
    Image:Domino SingleSignOn - Level 4 - Seamless Kerberos authentication via SPNEGO with fallback option
  • Add the following HTML code to the body of the form; note it contains two computed text blocks
    Image:Domino SingleSignOn - Level 4 - Seamless Kerberos authentication via SPNEGO with fallback option

    where the formula for the first computed text (the user name) is: @Name([CN];@UserName)
    and the formula for the second (the database) is: @LowerCase(@RightBack( @LeftBack( @UpperCase(@UrlQueryString( "database" ));".NSF"); "/")) + ".nsf"
  • Enable the flag “Available to Public Access users” in the form properties
    Image:Domino SingleSignOn - Level 4 - Seamless Kerberos authentication via SPNEGO with fallback option

6. Create a Custom Redirect Form

This form is used for redirecting anonymous users to a different site than users who have authenticated already.
Open the file “domcfg.nsf” in your Domino Designer client, and create a new form called “AnonymousRedirect”
  • Set the Window Title to “Redirecting”
  • Add the following HTML code to the body of the form, and mark it as passthru-html using the menu “Text\Passthru-HTML”
    Where 'Authentication URL' is the defined DNS name of the Domino server which is hosting the nonSPNEGO Web SSO Configuration.
Image:Domino SingleSignOn - Level 4 - Seamless Kerberos authentication via SPNEGO with fallback option
  • Type the (non-passthru-html) text “Redirecting…” into the body of the form.
    This text will be displayed to users while the redirect is in progress.
  • Add one new field “RedirectTo” of type text/editable with a default value of “/” at the bottom of the form

Note: There are different options to redirect users, this method is based on a simple JavaScript which will redirect anonymous users to another place than users who have already authenticated but are not authorized to access the resource.
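The redirect decision described in the note above, written out as an added example (this is not the form code from the original post). It assumes the login URL shape `names.nsf?Login&RedirectTo=` on the authentication site and the NotAuthorized form being opened with the requested URL in its `database` parameter; the user name and requested path are what the form's computed text and RedirectTo field would supply.

```javascript
// Added example, not the form code from the original post: the redirect
// decision a custom error page can make. The login URL shape (?Login&RedirectTo)
// and the NotAuthorized form URL are assumptions for this illustration.
const ANONYMOUS_USER = "Anonymous"; // Domino's user name for unauthenticated web sessions

// Replicates the @formula on the NotAuthorized form: take the text before the
// last ".NSF" (case-insensitive), keep what follows the last "/", lower-case it
// and append ".nsf". "/mail/tham.nsf/($Inbox)?OpenView" becomes "tham.nsf".
function databaseFromUrl(url) {
  const idx = url.toUpperCase().lastIndexOf(".NSF");
  if (idx < 0) return "";
  const beforeNsf = url.slice(0, idx);
  return beforeNsf.slice(beforeNsf.lastIndexOf("/") + 1).toLowerCase() + ".nsf";
}

// Where to send the browser from the AnonymousRedirect form:
//  - anonymous users go to the login page on the non-SPNEGO authentication
//    site (authUrl), carrying the originally requested path in RedirectTo;
//  - users who are authenticated but not authorized stay on this server and
//    get the NotAuthorized form, which is handed the requested URL as "database".
// Only a server-relative path is ever forwarded, so the page cannot be used as
// an open redirect to a foreign host (a "//host" value falls back to "/").
function fallbackTarget(userName, requestedPath, authUrl) {
  const name = (userName || "").trim();
  const safeRelative =
    typeof requestedPath === "string" &&
    requestedPath.startsWith("/") &&
    !requestedPath.startsWith("//");
  const target = safeRelative ? requestedPath : "/";
  if (name === "" || name === ANONYMOUS_USER) {
    return authUrl.replace(/\/+$/, "") + "/names.nsf?Login&RedirectTo=" + encodeURIComponent(target);
  }
  return "/domcfg.nsf/NotAuthorized?OpenForm&database=" + encodeURIComponent(target);
}

// Browser glue: in the form, computed text supplies the user name (via
// @Name([CN];@UserName)) and the RedirectTo field the requested path.
// Returning the target keeps the decision testable outside a browser.
function redirectNow(userName, requestedPath, authUrl) {
  const target = fallbackTarget(userName, requestedPath, authUrl);
  if (typeof window !== "undefined" && window.location) window.location.replace(target);
  return target;
}
```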

7. Custom Error Handler

Within “domcfg.nsf”, a custom error handler for authorization failures will need to be created in order to redirect users who can not participate in SPNEGO.
Use the view “Error and Response Mapping” and click the "Add Mapping" button.
Applies To  : All Web Sites/Entire Server
For Authentication failures and for Authorization failures, use the same mapping:
Target Database : Domcfg.nsf
Target Form : AnonymousRedirect
Image:Domino SingleSignOn - Level 4 - Seamless Kerberos authentication via SPNEGO with fallback option

Result:

Seamless authentication works fine as before, but in addition you get proper error handling.
If users are not authenticated, or not allowed to access the resource, they will be redirected to a page that will allow them to log in as different user.

Troubleshooting
  • The following Notes.ini variables will help to analyze problems:
  • Technote 1394592 - Troubleshooting Windows single sign-on for Web clients (SPNEGO)
  • Make sure the LDAP attribute used for name mapping contains the Notes Name of the user in DN format.
    This is the fully canonical name but slash “/” replaced by a comma “,”
    e.g. for “Peter Mueller/Department/Org” this would be: “CN=Peter Mueller,OU=Department,O=Org”
  • Use the developer tools in your internet browser to display your cookies. You should have a LtpaToken Cookie set.
  • Last but not least: drop a mail or call the author of this blog post.
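The name-format check from the troubleshooting list above, as an added example that is not part of the original post: it converts a Notes hierarchical name (canonical or abbreviated) into the DN form the LDAP mapping attribute must hold, and compares an attribute value read from the directory against it. Names and attribute values in the code are constructed samples.

```javascript
// Added example, not part of the original post: Notes hierarchical name to
// LDAP DN, and a comparison helper for the mapping attribute.
const DN_SPECIAL = /[,+"\\<>;]/g;

// RFC 4514 escaping so a value containing "," or similar cannot split the DN.
function escapeDnValue(value) {
  let v = value.replace(DN_SPECIAL, (c) => "\\" + c);
  if (/^[ #]/.test(v)) v = "\\" + v;
  if (/ $/.test(v)) v = v.slice(0, -1) + "\\ ";
  return v;
}

// Accepts canonical ("CN=Peter Mueller/OU=Department/O=Org") or abbreviated
// ("Peter Mueller/Department/Org") input. For abbreviated names the first
// component is CN, the last is O and everything between is OU. A country code
// has to be given canonically (C=..), the example does not infer it.
function notesNameToLdapDn(notesName) {
  const parts = notesName.split("/").map((p) => p.trim()).filter((p) => p !== "");
  if (parts.length === 0) return "";
  return parts
    .map((part, i) => {
      let type;
      let value = part;
      const m = /^([A-Za-z]+)=(.*)$/.exec(part);
      if (m) {
        type = m[1].toUpperCase();
        value = m[2];
      } else if (i === 0) {
        type = "CN";
      } else if (i === parts.length - 1) {
        type = "O";
      } else {
        type = "OU";
      }
      return type + "=" + escapeDnValue(value);
    })
    .join(",");
}

// Compare an attribute value as read from Active Directory with the expected
// DN for a Notes user; case and whitespace around commas are ignored.
function normalizeDn(dn) {
  return dn.replace(/\s*,\s*/g, ",").trim().toLowerCase();
}

function mappingAttributeMatches(attributeValue, notesName) {
  return normalizeDn(attributeValue) === normalizeDn(notesNameToLdapDn(notesName));
}
```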

Domino SingleSignOn - Level 3 - Seamless Kerberos authentication via SPNEGO - 15 February 2017

Thomas Hampel

This is the third post out of a series of blog posts describing how to move from password based to seamless authentication.
In level one and two I explained how to configure Domino for LDAP / Active Directory authentication. Although there is no need to remember the Domino HTTP password anymore, users still have to provide username/password when they log into (e.g.) iNotes. The next level is to automatically authenticate users - this is what I am going to describe in this article.

Level 3 - SPNEGO

At first, some basic information:
SPNEGO is a standard specification defined in RFC 2478 - The Simple and Protected GSS-API Negotiation Mechanism, allowing authentication of browser clients.
It can be used for seamless browser authentication aka Windows Integrated Authentication (WIA). It can not be used for Notes clients, Traveler or Sametime.

Pros and Cons

+ Seamless authentication for browser clients on Windows
- It's Windows only
- Doesn't work for Traveler and Sametime
- You can not really log off or switch users anymore.

Warning:
  • SPNEGO will only work for clients and Domino servers that run on Windows and are members of a Windows Domain
  • Each URL must have exactly ONE Active Directory object matching the Service Principal Name.
  • If you plan to run multiple internet sites on the same Domino server, you MUST run the Domino server task using a Domain user account. Image:Domino SingleSignOn - Level 3 - Seamless Kerberos authentication via SPNEGO
  • For clustered internet sites, you MUST run the Domino server task using THE VERY SAME user account.
  • Running Domino with credentials other than the local system account will make your server fully dependent on this user account.
    If it is locked out, has expired, or is removed by accident, your Domino servers won't run. All of them... at once!

Prerequisites
How to...
Remarks:
  • Using SPNEGO you can not really log off anymore, nor switch to another user other than by logging off/on at OS level.
    However, there is a trick using a custom login form to get this done, which I will describe in the next level.
  • Although highly recommended, SSL is not required by SPNEGO; it works with plain HTTP as well, which might be useful for debugging purposes.

Frequently Asked Questions

What to do in a mixed environment?

You can use one machine on Windows as your authentication server and configure Domino Multi-Server-SSO.
Experienced admins will take a look at this OpenNTF project : SSO for Web for non Windows Servers

What to do in Non-Windows environment like Linux, AIX, or what if there is no Windows Domain?

Set up a Domino server on Windows (who wants that?) or skip this level and wait for my blog post describing SAML authentication.

References and further reading

Domino SingleSignOn - Level 2 - Self Service Password Reset Application - 14 February 2017

Thomas Hampel

Based on a recent discussion with a customer it seems there still is not enough information on how to simplify authentication for Notes/Domino users.
This is the second post out of a series of blog posts describing how to move from password based to seamless authentication.
Once you have established LDAP Authentication you can approach the next stage:

Level 2 - Self Service Password Reset Application

Combined with a Self Service Password Request HTTP application (or this fancy one) users can reset their Notes password without the help of an administrator, just by using a web browser.
Users must be authenticated in order to reset their own password, but due to the configuration done in level 1 they can use Active Directory credentials to log in.
Once authenticated, a user can just define a new password, which is applied immediately in the ID Vault. Just seconds later the password can be used to log into the Notes client.
Image:Domino SingleSignOn - Level 2 - Self Service Password Reset Application

Pros and Cons

+ Lost/forgotten passwords on a Monday morning are no longer your problem. Users can handle this problem alone.
+ You don't need to distribute Notes ID passwords for newly created users.
- There still is a Notes ID password to remember.
- There still is a password prompt every time you start the Notes client and/or every time you open an encrypted mail in iNotes.
- The Self Service Password Request HTTP application does not give any feedback on password quality or strength.

Prerequisites:
  • Notes ID Vault has been established and contains the Notes IDs of all users
  • Users must be authenticated, preferably using Active Directory authentication as described in the previous post (level 1)
  • Custom Password Reset application template.
    Please note that the template provided by IBM as part of the Domino server is not officially supported and is provided as an example only. See Technote 1330905

Configuration

Setup instructions have already been provided by IBM, so I'm not describing those steps again.
Once completed you should have a functioning password reset application. However, I would like to highlight a few important details:
  • The agent and the form need to be signed with an ID which has ID Vault password reset authority
  • The ACL of this database must have an Administration server defined; the Admin server specified there must be the one that hosts the ID Vault.

For improved usability I do recommend a little tuning:
  • Create a URL which users can remember, e.g. by creating a web redirect rule
    http://yourserver.domain.com/passwordreset ==> /pwreset.nsf
  • Modify the form “fmPasswordReset” to display your corporate password rules, e.g.
    “The new password must have a minimum of 8 characters. It must contain a mixture of lowercase alphabetic, uppercase alphabetic, numbers and special characters. Three of these four conditions must be met.”
  • Modify the source code to confirm that the password change request has been submitted and to verify that the password rules have been followed.
    Without this modification users will not get any feedback on whether the new password has been applied or not,
    so update the source code of the form “Password Change”, Sub “OnSubmit”, as follows:
// Classify every character of the new password into one of four classes:
// 0 = lowercase, 1 = uppercase, 2 = digit, 3 = anything else (special character)
var i = 0;
var k = 0;
var h = 0;
var have = [0, 0, 0, 0];
var characters = ["abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "0123456789"];
var minLen = 8;   // minimum password length
var minDif = 3;   // minimum number of different character classes ("three of four")
var pw1 = document.forms[0].pw1.value;
var pw2 = document.forms[0].pw2.value;
for (i = 0; i < pw1.length; i++)
{
    h = 3;
    for (k = 0; k < characters.length; k++)
    {
        if (characters[k].indexOf(pw1.substr(i, 1)) >= 0)
        {
            h = k;
        }
    }
    have[h] = 1;
}

// Note: these checks run in the browser and only give the user feedback;
// they do not replace the password policy enforced on the server.
if (pw1.length < minLen)
{
    alert("You must enter a password with at least " + minLen + " characters");
    return false;
}
else if (pw1 != pw2)
{
    alert("Entered passwords don't match");
    return false;
}
else if (have[0] + have[1] + have[2] + have[3] < minDif)
{
    alert("Password must be more complex, use numbers, lower-, upper- and special characters");
    return false;
}
else
{
    alert("Thank you, your request has been submitted. The new password can be used now.");
    return true;
}
  • In order to support clustered environments the source code of the agent “User Password Reset” needs to be updated as follows:
Dim Session As New NotesSession
Dim Doc As NotesDocument
Set Doc = Session.DocumentContext
' Reset the password on the ACL's administration server (the server hosting the ID Vault) instead of a hard-coded server name
Call Session.ResetUserPassword(Session.CurrentDatabase.ACL.AdministrationServer, "", Doc.GetItemValue("pw1")(0))


Conclusion

A Self Service Password Reset application combined with LDAP authentication will eliminate the need to distribute Notes ID passwords to end users.
Administrators can register new Notes IDs with completely random passwords that they do not need to remember nor need to distribute to end users.
Notes client setup instructions can be simplified so that end users have to define the password themselves before they can start Notes for the first time.

References:

Domino SingleSignOn - Level 1 - LDAP Authentication- 13 February 2017 - (1) Comments

Thomas Hampel
 13 February 2017

Based on a recent discussion with a customer it seems there still is not enough information on how to simplify authentication for Notes/Domino users.
This is the first post out of a series of blog posts describing how to move from password based to seamless authentication.

Level 1 – LDAP Authentication

The main goal of this level is to provide users with the ability to authenticate with Domino internet protocols such as HTTP using LDAP (e.g. Active Directory) credentials. The Notes client authentication remains unchanged.
When using a web browser to access a Domino server, users will be prompted for username and password.
This authentication dialog looks like one of the following examples:
Image:Domino SingleSignOn - Level 1 - LDAP AuthenticationImage:Domino SingleSignOn - Level 1 - LDAP Authentication
Credentials entered here will be forwarded to Active Directory for authentication.
Within this process username and password will be sent over the network, so it is highly important to secure the transmission using SSL/TLS.

Pros and Cons

+ Lost/forgotten passwords on a Monday morning are no longer your problem. The AD guys have to take care :)
+ No need to manage HTTP passwords and no need to sync HTTP and Notes passwords
- All authentication requests will be forwarded to LDAP/AD; entering wrong passwords multiple times (depending on your policy) will lock out your AD account.

Prerequisites:

In order for Active Directory authentication to work, the Notes user name must be stored within Active Directory (or the AD name must be stored in Domino). This is required to map the Active Directory user name to a Notes user name.
  • Within Active Directory, each user object must have a (custom) attribute storing the Notes user name in DN format. This format is described as the full canonical user name of the Notes user (e.g. “CN=Firstname Lastname,OU=Department,O=Company”) where any slash (“/”) is replaced by a comma (“,”)
  • The name of this (custom) attribute of the user object in Active Directory can be any name of your choice; I will be using “mailNickname”, but you can use any other attribute you like.
    It is recommended to include this attribute in the AD index for performance reasons. For details on how to do this, please refer to this article, which relates to an older version of AD but is still valid.
  • Synchronization from the Domino Directory to Active Directory is done on a regular basis, e.g. by using TDI (which is free for Domino customers) with some AssemblyLines for Domino
  • A non-expiring Active Directory user account is required that will be used by Domino for Single SignOn purposes.
How to... reconfigure Domino HTTP authentication to use Active Directory for authentication of browser sessions?
If not already done:
  • Import the trusted root certificate of the LDAP server into the key ring file of the Domino server.
    Please note that Domino will be the client for the LDAP session in this case, so the *.kyr file that is being used is the one in the server document!
  • Create a Directory Assistance (DA) database
  • Add the DA to your Domino server document
    Image:Domino SingleSignOn - Level 1 - LDAP Authentication

Okay, what's next:
  1. Within the Directory Assistance database, add a new document and configure it like shown below:
    Image:Domino SingleSignOn - Level 1 - LDAP Authentication
    Of course you are supposed to supply your correct Kerberos realm name. If in doubt, ask your AD admin.
  2. Set "Trusted for Credentials" to Yes
    Image:Domino SingleSignOn - Level 1 - LDAP Authentication
  3. Configure how to connect to the LDAP server.
    Image:Domino SingleSignOn - Level 1 - LDAP Authentication
  4. Save & close

Now restart the Domino server and check if LDAP is being shown in the list of directories.
Issue the command "Show xdir" at the server console for details.

Troubleshooting:

Apache LDAP Studio is your friend. Make sure your LDAP credentials are working correctly and that your Base DN is providing the expected results before setting up Directory Assistance towards AD.
Some more hints:
  • You can specify multiple LDAP servers; they will be used one after the other based on the search order you have supplied
  • The search order in the Directory Assistance document must be unique. You cannot use the same "Search order" twice.
  • Domino will be the client for the LDAP session in this case, so the *.kyr file that is being used is the one in the server document!
    If you are using Internet Sites, edit the server document, disable Internet Sites (without saving) and specify the *.kyr file there. When done, switch back to the Basics tab and re-enable Internet Sites.
    The file specified will still be used for all outbound connections; the kyr file specified in the Internet Site documents is used for inbound connections only!
    Image:Domino SingleSignOn - Level 1 - LDAP Authentication
  • These Notes.ini variables will increase the log level for further debugging:
    debug_directory_assistance=1
    debug_namelookup=1

Result:

When prompted for username/Password you can now use your Active Directory username and AD Password.
Transitioning from Domino HTTP passwords to AD passwords is seamless because users can still use the Domino HTTP password even if LDAP authentication has been configured.
Once the transition is completed you should clear the HTTP password field from the person document.

Out of Office - Send Full Copy to deputy- 9 August 2015 - (3) Comments

Thomas Hampel
 9 August 2015

Summer time, vacation time... You have enabled Out of Office notification, so why would you want to duplicate inbound mails?
Let's say you really are offline and you want your deputy / stand-in to take care of new mails; what options do you have?
In the best case we want a deputy to receive a copy of each mail while keeping the original mail in your inbox.

Delegating Access
A first option is delegating access to your mail. This will grant read access to all your data, and your deputy won't get notified on new mails.
Another option is to just forward all mails to your deputy by defining a forwarding address in the person document:
Image:Out of Office - Send Full Copy to deputy
This is not a good idea for people who want to see what happened while they were out, because mails will just be forwarded. You won't get any mail in your inbox this way.
It might not even be an option, as some organizations do not allow users to edit the person document.

Mail Rules
Another option is to use mail rules in your Notes client to send a copy of each inbound mail to somebody else. This can be done by creating a new rule which applies to all documents...
Image:Out of Office - Send Full Copy to deputy
and defining a recipient of your choice --- in this example it's "firstname.lastname@domain.com"
Image:Out of Office - Send Full Copy to deputy
Works like a charm, but what if your administrator has disabled user rules mail forwarding in the configuration document of your server?
Image:Out of Office - Send Full Copy to deputy
...or even took more drastic measures like modifying your mail template to not even show the option "Send Full Copy to..."?

Agents
You could look into writing an agent that runs on the server, but no Domino admin should allow users to run scheduled agents on the mail server.
So trying to create an agent in your mail file will most likely end up with "You are not authorized to use agents in this database"
Image:Out of Office - Send Full Copy to deputy

Duplicate Mails (with help of your Domino Administrator)
Since you have rewarded your administrator recently for keeping your computers running, you'll get friendly support for the following configuration:

What you need to do:
1.) Create a Mail-In Database document which points to the mail file of the user who is out of office.
Make sure the Mail-in name is unique and does not cause name lookup conflicts
Image:Out of Office - Send Full Copy to deputy

2.) Create a Group of type "Mail only".
Members of this group will be the Mail-in database created above as well as any person who shall receive a copy of the mail(s).
You can define one or multiple recipients using internet mail addresses or Notes user names.
Image:Out of Office - Send Full Copy to deputy

3.) Edit the person document and put the Group name created above to be the forwarding address
Image:Out of Office - Send Full Copy to deputy

4.) Testing
Wait for replication to finish within your domain and send a test mail to the user.
This mail will be delivered to the original user's mail file and also to the deputy(s) defined in the group.

Remarks:
Depending on how you have configured the Recent Contacts feature, your Notes client might show the name of the mail-in database in future name lookups.
If this is an issue, either purge your recent contacts or disable the feature completely.

References:

Monitoring IBM Domino Server on Linux via SNMPv3- 5 January 2015 - (0) Comments

Thomas Hampel
 5 January 2015

Monitoring Domino servers via SNMP should be a simple task, if it were documented properly.
There are quite a few blog posts out there on the internet, such as
this nice article by Detev Schuemann, which unfortunately is in German. So I'd like to provide an English translation with a few updates which in my opinion are valuable.

Background

Simple Network Management Protocol (SNMP) is a protocol for monitoring network devices such as routers, switches, servers, printers and much much more.
Device vendors provide a definition of the values which can be read or modified in the form of a MIB (Management Information Base). Those values are called OIDs (object identifiers) and are ordered in a hierarchical structure.

MIB definitions for Domino can be found online
http://www.oidview.com/mibs/334/NOTES-MIB.html
A MIB file for IBM Domino can be found in the Domino program directory and is called "domino.mib"

On a Linux server the file can be found here /opt/ibm/domino/notes/latest/linux/domino.mib


Step-by-step Instructions

For each Domino server which you want to monitor, you need to enable SNMP support. The following is a step by step description of what you need to do for a Domino server on Linux.
Instructions for Windows are available here
Examples below are based on CentOS, which is using yum as package manager. For other Linux distributions the commands are slightly different; also, path references shown in the examples below might not be the same for you.

Step 1 - SNMP Master Agent

Although Domino ships its own SNMP master agent, I recommend not to use it because the version supplied with Domino is the rather dated version 5.0.7.
Currently version 5.7.3 is the latest version available. Check the net-snmp change log to see what has changed between versions.
Obviously you should prefer using the operating system's SNMP master agent, which comes preinstalled for a number of Linux distributions.
If not already installed, you can install the package net-snmp with the following command.

# yum install net-snmp

The library net-snmp-utils provides some additional tools like snmpwalk, which we will need later on for testing functionality
# yum install net-snmp-utils

To check the version you are running...

$ snmpwalk --version

Image:Monitoring IBM Domino Server on Linux via SNMPv3
Note: Current releases of CentOS and Redhat provide net-snmp version 5.7.2 by default.


Option B - NET-SNMPD v5.0.7 provided by Domino

Domino provides net-snmpd in version 5.0.7  - again, I do not recommend using this version.

However, if you really want to use it, enter these commands to copy the required files to the /etc directory and make sure the service is started after a reboot.

# cp /opt/ibm/domino/notes/latest/linux/net-snmpd* /etc
# ln -f -s /etc/net-snmpd.sh /etc/init.d/net-snmpd

# chkconfig --add net-snmpd

# chkconfig net-snmpd on

Note that in this type of configuration your settings are stored in the file /etc/net-snmpd.conf

Step 2 - Update Configuration

Back up the original config file to a location of your choice

cp /etc/snmp/snmpd.conf /root

Edit the file /etc/snmp/snmpd.conf . Modifying this file is only required if you are using the master agent provided by your OS.

# nano /etc/snmp/snmpd.conf

1.) Search for sysLocation and update it according to your needs as shown here:
sysLocation    YourDataCenterLocation
sysContact     email@yourdomain.com


2.) define a username/password combination for SNMP v3 authentication
Of course the user name and password used in this example are to be changed to fit your needs

createUser SNMPv3UserName MD5 SNMPUserSecretPassword AES


3.) At the end of the same file, add this line:
smuxpeer 1.3.6.1.4.1.334.72 NotesPasswd

Don't forget to save the file.


Step 3 - SNMP Startup Script

Although you could add /usr/sbin/snmpd as a service directly, it's probably more useful to use a startup script.

Domino already provides such a script - you just need to modify the configuration so that it can be used.


# cp /data/ibm/domino/notes/latest/linux/net-snmpd.sh /etc/init.d/net-snmpd

# nano /etc/init.d/net-snmpd


Update the configuration (starting in line 31) as follows:

INSTDIR=/usr/sbin
PROGNAME=snmpd

PROGPATH=$INSTDIR/$PROGNAME

CONFNAME=snmpd.conf

CONFPATH=/etc/snmp/$CONFNAME

LOGPATH=/var/log/snmpd.log

PROGARGS="-C -c $CONFPATH -l $LOGPATH"

Make sure the startup script runs at next boot

# chkconfig --add net-snmpd
# chkconfig net-snmpd on


Step 4 - Update Firewall Rules

SNMP requires UDP port 161 to be accessible, so you need to open this port on the local firewall.
Do not forget to open this port on any other firewall on your network which is between the monitoring server and your Domino server.
# iptables -I INPUT -p udp --dport 161 -j ACCEPT


Step 3 - Testing basic functions

Test basic SNMP functionality
from the local host and also from a remote server.
# snmpwalk -v3 -u SNMPv3UserName -A SNMPUserSecretPassword -a MD5 -l authnoPriv dominoserver.domain.com .1.3.6.1.4.1.2021.100.2.0

As a result you should get the version number of the SNMP master agent.

Image:Monitoring IBM Domino Server on Linux via SNMPv3

Step 5 - Enable Domino SNMP Agent

Make sure LNSNMP will be started after a reboot. (Note: change the path to match your configuration!)
# ln -f -s /opt/ibm/domino/notes/latest/linux/lnsnmp.sh /etc/rc.d/init.d/lnsnmp
# chkconfig --add lnsnmp

# chkconfig lnsnmp on
# service lnsnmp start

In case you get the error "LOTUSDIR must be set in the environment or in this script." you need to update the script so that it can find the path to your Domino server, e.g. LOTUSDIR=/opt/ibm/domino


If everything has worked out, starting lnsnmp should produce the following output:

# service lnsnmp start
New sub-agent on server is registering a sub-tree with branch ID: 1.3.6.1.4.1.334.72.3
Sending SNMP "Server Up" trap for server .
New sub-agent on server is registering a sub-tree with branch ID: 1.3.6.1.4.1.334.72.1


Step 6 - Domino Tasks

Start the following tasks from the Domino server console

load quryset
load intrcpt
load collect

"quryset" is required to support SNMP queries

"intrcpt" is required to support SNMP traps for Domino events

"collect" is required to support statistic threshold traps

Create a program document or add the tasks to the Notes.ini variable "ServerTasks=" to ensure they are started automatically after a server restart.

Step 7 - Testing Domino SNMP agent response

Now it's time to test if we can access Domino objects via SNMP, e.g. by reading a single value.

$ snmpget -v3 -u SNMPv3UserName -A SNMPUserSecretPassword -a MD5 -l authnoPriv dominoserver.domain.com .1.3.6.1.4.1.334.72.1.1.6.2.1.0

Should return the fully qualified Domino Server name as a string

Image:Monitoring IBM Domino Server on Linux via SNMPv3

Ok, you're done... the Domino SNMP Agent is configured and can be used.

However, there still is some work to be done on your SNMP management console e.g.
Nagios ,FAN , Cacti (or whatever you are using) in order to monitor Domino via SNMP (for example, server down).

Next Actions:

If you like this post, please let me know via Twitter @ThomasHampel or by leaving a comment below. Please note that comments are moderated and won't show up before being approved.
Hint... configuring Nagios for Domino monitoring and configuring Cacti for trend analysis is the subject of another blog post which I'm already working on.


Troubleshooting
  • Check snmpd.log for errors
    # cat /var/log/snmpd.log
  • Error: refused smux peer: oid SNMPv2-SMI::enterprises.334.72, descr Lotus Notes Agent
    see IBM Technote 1313318
  • Error - Unknown User
    Either a typo in the user name or you forgot to add the user to the snmpd.conf file in step 1; search the config file for something like this:
    createUser SNMPv3UserName MD5 SNMPUserSecretPassword AES
  • Error in packet. Reason: authorizationError (access denied to that object)
    The user exists and the password worked, but does not have the required access rights. Check snmpd.conf to see if you have granted at least read-only rights; search the file for a string like this:
    rouser SNMPv3UserName

Tools:

Take a look at
Paessler SNMP Tester (Freeware / Windows)
Image:Monitoring IBM Domino Server on Linux via SNMPv3

Further reading:

RSS Feed Reader - Error: Unable to download a feed from host- 18 December 2014 - (1) Comments

Thomas Hampel
 18 December 2014

Some time ago a user started to claim his Notes sidebar would no longer display the latest RSS news feeds.
Asking for details, we checked functionality by subscribing to a new feed... which did not work either. The Notes client was throwing an error:

Image:RSS Feed Reader - Error: Unable to download a feed from host

Analysis:

At first one might think this is caused by the RSS feed itself, but since I'm a subscriber of the same feed I knew the root cause must be something different.

Within the corporate network Notes clients must be configured to use an HTTP proxy in order to access the internet. Testing revealed that outside of the customer's network it works fine when the HTTP proxy settings are disabled.

The feed reader components themselves are running on the latest version, so
Michael Urspringer's hint (= SPR # IFAY7CTHAR) seems not to apply
Image:RSS Feed Reader - Error: Unable to download a feed from host

Opening a PMR was followed by the usual request for logs and a Wireshark network trace.
After some investigation and discussions it turned out the network team had changed some settings on the HTTP proxy server to block all HTTP traffic from web browsers where the user agent string includes "Windows NT 5.1" (which is Windows XP), because Windows XP is out of support.

Wireshark showed the default setting for the feed reader in Notes 9.0.1 is user agent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"

...but how can you change this default??


A small hint can be found in the release notes of a previous Notes client (8.5.2FP1) fix list.
Take a closer look at SPR# MWER88NFWT, which outlines the settings required for modifying the user agent:


"Added an option to allow customers to override the "User Agent" value for Notes Client Feedreader. By default, Feed Reader authenticates itself as "MSIE 7.0" even on Linux and Mac.  
Customers can optionally add the following 2 lines to the /framework/rcp/plugin_customization.ini:

com.ibm.rcp.feedreader.providers/network.useragent.override=true

com.ibm.rcp.feedreader.providers/network.useragent=CUSTOMER SPECIFIED VALUE (<-replace CUSTOMER SPECIFIED VALUE with the value of your choosing)"



Solution:
  • Change the useragent string of the feed reader to anything else. (You can find a long list of user agents to choose from as part of a Firefox Plugin.)
    Modify the file /framework/rcp/plugin_customization.ini and add the following lines for testing
    com.ibm.rcp.feedreader.providers/network.useragent.override=true
    com.ibm.rcp.feedreader.providers/network.useragent=Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0
  • After successful testing, deploy this parameter to all users by using Desktop Policies / Managed Settings:
    Image:RSS Feed Reader - Error: Unable to download a feed from host

Conclusion:

The HTTP proxy was configured according to
RFC 3314 but mistakenly assuming WinXP in a useragent string is evil
....and of course...
whatever is wrong, it must have been the network guy!

Mail Rules Analyzer has been published- 29 September 2014 - (1) Comments

Thomas Hampel
 29 September 2014

Today OpenNTF published one of my contributions: Mail Rules Analyzer
It is a small tool for Domino administrators to scan mail files on one or many servers to find out if any mail rule has been set up for external forwarding of mails.

The main use case is to analyze an environment and notify users who have such mail rules configured before preventing users from forwarding mails to external recipients.
Results can be grouped/sorted/analyzed later on. At present the tool will only scan for rules that forward a mail to external recipients, but certainly there is room for further improvement...
Here are a few screenshots of the user interface:

Image:Mail Rules Analyzer has been published

Image:Mail Rules Analyzer has been published
Please post your comments and ideas in the feature requests section of the project
This is just the first publication out of a number of tools which our team has developed over time, we expect to publish them one by one in the near future.

Special thanks to Julian Robichaux for allowing the design reuse of the OpenLog template.

References:

Testing knowledge - IBM Certified Advanced System Administrator Notes and Domino 9.0 - 11 February 2014 - (1) Comments

Thomas Hampel
 11 February 2014

Two weeks ago at IBM Connect 2014 attendees were able to test their knowledge in the IBM Certification Lab.
Most of the IBM Certification tests were offered, so I decided to sign up and give it a try without any preparation.


For updating my existing Advanced System Administrator certificate to version 9.0 level, the following two tests were required

Both tests were simple; for Traveler you need to know how to configure Traveler in high availability mode, and for the upgrade exam most questions were about SAML & OpenSocial.

Having passed the upgrade exam and the IBM Traveler exam, this certificate was sent to me as an official statement that I have qualified as IBM Certified Advanced System Administrator for Notes & Domino 9.0


Image:Testing knowledge - IBM Certified Advanced System Administrator Notes and Domino 9.0

Next action: updating my Certified Advanced Development Certificate to version 9.0 and signing up for Connections & Sametime tests.

IDVault - ID file upload fails with Error 03:11- 16 August 2013 - (1) Comments

Thomas Hampel
 16 August 2013

Problem
A Notes ID is not uploaded to an IDVault although the configuration of the Client itself as well as the IDVault incl. its trust certificates seem to be correct.


Analysis

The administrator wanted to force the Notes client to upload his ID file to the server; since there already was an (old) ID file stored in the vault, it had been deleted manually.
However, the client still doesn't upload its local user ID.

Looking at the server's log file / Security Events....

Image:IDVault - ID file upload fails with Error 03:11
provided a few hints about the problem:


> Unable to find ID for 'dummy username/OU/O' in vault 'O=IDVault'.  Error: 03:11
> ID failed to authenticate in vault 'O=IDVault'.  'dummy username/OU/O' (IP address 10.10.10.10:57739) made request.  Error: 03:11


and further down other user names:

> Error: Entry not found in index

Indicating a view isn't updated...


Resolution

1.) Update the view index for the hidden view $IDFile in the IDVault database by using the following command
load updall -R IBM_ID_VAULT\IDvault.nsf

2.) Remove the pending name change as described in my previous blog post id-vault-error-0311.htm


Hint: Although this has fixed the problem in my case, there's more to know.

IDVault does not honor view updates made directly in the database, maybe for performance reasons.
There is a DEBUG parameter for the IDVault which can override this behaviour so that VIEWUPDATES are being reflected/enabled.

Create a replica without having direct server access- 5 July 2013 - (0) Comments

Thomas Hampel
 5 July 2013

Here the problem:
You want to create a new replica of an existing database on a server which you are responsible for, but you are not allowed to access the remote server.
Not having access means your user ID is e.g. in an access deny group, or in a simpler scenario a firewall is blocking direct access.

However, how would you pull a new replica from the remote server down to yours?
The answer is simple - you can set up a replica stub on your server without the need of accessing the remote server.

Step by step instructions

1. Switch to your workspace, make sure you have no database selected.
2. Use File\Replication\New Replica
3. Type the Servername + Filename >from< which you want to pull the replica.

Image:Create a replica without having direct server access
4. Click "Select"
Now your client will try to connect to the remote server, which of course won't work.

Image:Create a replica without having direct server access
5. A dialog box will display, showing an incomplete question

Image:Create a replica without having direct server access
Here you have to select "Yes" without knowing what the question actually means.
Note: Obviously that's a bug, but it seems that it has not been fixed yet.
6. Choose to which server you want to put the replica, also define a file name of your choice.
7. Disable "Create Immediately"

Image:Create a replica without having direct server access
8. Hit okay to create an uninitialized replica stub
9. Last and final step is to replicate this database on console level using the command:

    >pull remoteserver/ou/o localpath/filename.nsf

A note for beginners:
Your server also must be allowed to read from the remote server, and the target server needs to know how to reach the source server... so make sure you have proper name resolution or connection documents in place.

Domino Program documents and schedule- 6 September 2012 - (1) Comments

Thomas Hampel
 6 September 2012

Problem: A customer reported Domino would not be responding at a specific point in time, but the servers don't crash; they are unresponsive.

Analysis: Looking into the Domino server logs at about the time when the problem was reported showed that some scheduled tasks were running.
While scrolling down the logs it became clear that the compact task was blocking access to the server's system databases (in this case log.nsf), which caused the server to ignore incoming requests.

From the end user's point of view the server came to a halt, while from the server's point of view all was okay.


Action:
Getting Domino program documents scheduled perfectly can be a long journey. Here is my recommendation on how to do it right.
Program: convert
Command line: -l mailprimary.ind
Schedule: 18:50 each day, repeat interval 0 minutes, days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat
Comments: Generates a list of mail files by reading people's mail files from the Domino Directory and writes the list into an IND file.

Program: compact
Command line: -A mailprimary.ind
Schedule: 19:00 each day, repeat interval 0 minutes, days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat
Comments: Archive data but don't reduce the mail file size; compacting is done through another program document.

Program: compact
Command line: -B -S 20 -w
Schedule: 23:00 each day, repeat interval 0 minutes, days of week: Fri
Comments: Once per week, reduce the file size if there is at least 20% white space in the file. Exclude system DBs with option -w; for servers before 8.5.4 this requires the variable DEBUG_ENABLE_COMPACT_8_5=1.
Note: Reducing the file size of every file every day will just increase the level of fragmentation and reduce performance.

Program: compact
Command line: -b -w
Schedule: 23:00 each day, repeat interval 0 minutes, days of week: Sun, Sat
Comments: Make sure the white space is located at the end of the NSF file for better performance when creating new documents.
Note: Do not run on Friday, due to backup.

Program: compact
Command line: -b log.nsf
Schedule: 04:30 each day, repeat interval 0 minutes, days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat
Comments: Special schedule for log.nsf after 04:00, when the purge has been completed, to make sure the white space is located at the end of the NSF file for better performance when creating new documents.

Program: catalog
Schedule: 01:00 each day, repeat interval 0 minutes, days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat
Comments: Updates information in catalog.nsf

Program: updall
Schedule: 02:00 each day, repeat interval 0 minutes, days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat
Comments: Updates existing views

Program: statlog
Schedule: 05:00 each day, repeat interval 0 minutes, days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat
Comments: Records statistics

Program: daosmgr
Command line: resync
Schedule: 23:30 each day, repeat interval 0 minutes, days of week: Mon, Wed, Fri
Comments: Every second day, resync the DAOS repository

Program: collect
Schedule: At server startup only
Comments: Make sure the task is not loaded in the Notes.ini via "ServerTasks="

Program: http
Schedule: At server startup only
Comments: Make sure the task is not loaded in the Notes.ini via "ServerTasks="

Program: rnrmgr
Schedule: At server startup only
Comments: Make sure the task is not loaded in the Notes.ini via "ServerTasks="

Program: (n)server
Command line: -c "tell sched validate"
Schedule: 02:00 each day, repeat interval 0 minutes, days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat
Comments: Rebuilds the clubusy/busytime

Program: (n)server
Command line: -c "tell mtc purge 7"
Schedule: 00:00 each day, repeat interval 0 minutes, days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat
Comments: Purges data older than 7 days from the message tracking store


Optional Program Documents for Specific Server Types

Program: (n)server
Command line: -c "tell router compact"
Schedule: 18:00 each day, repeat interval 0 minutes, days of week: Sun
Comments: This will reduce the file size of the mail.box files, but will increase fragmentation on disk. Not recommended for servers with high mail volume.
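To keep a schedule like this consistent as it grows, here is an added example (my own code, not part of the original post) that turns the rules stated in the table into checks over the program documents: a bulk compact must carry -w so log.nsf and the other system databases are left alone, a compact that reads an .ind file must run after the convert that writes it on every day it is scheduled, and a program run "At server startup only" must not also be listed in ServerTasks=. The PROGRAM_DOCS list is transcribed from the table above; the ServerTasks= line is a constructed sample that deliberately loads HTTP a second time so the last check has something to report.

```python
"""Lint a Domino Program document schedule against the rules given in the table above.

Added example, not code from the original post. PROGRAM_DOCS is transcribed
from the table; NOTES_INI_SERVERTASKS is a constructed sample notes.ini line.
"""
from dataclasses import dataclass
import shlex

DAYS = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")
ALL_DAYS = frozenset(DAYS)
STARTUP = "startup"  # stands in for the schedule "At server startup only"


@dataclass(frozen=True)
class ProgramDoc:
    program: str
    command_line: str
    start: str                     # "HH:MM" or STARTUP
    days: frozenset = ALL_DAYS

    def args(self):
        return shlex.split(self.command_line)

    def minute_of_day(self):
        hours, minutes = self.start.split(":")
        return int(hours) * 60 + int(minutes)

    def file_targets(self):
        # Explicit database or index-file arguments; option values such as "-S 20" are ignored.
        return [a for a in self.args() if a.lower().endswith((".nsf", ".ind", ".box"))]

    def label(self):
        name = " ".join(p for p in (self.program, self.command_line) if p)
        return f"{name} @ {self.start}"


PROGRAM_DOCS = [
    ProgramDoc("convert", "-l mailprimary.ind", "18:50"),
    ProgramDoc("compact", "-A mailprimary.ind", "19:00"),
    ProgramDoc("compact", "-B -S 20 -w", "23:00", frozenset({"Fri"})),
    ProgramDoc("compact", "-b -w", "23:00", frozenset({"Sun", "Sat"})),
    ProgramDoc("compact", "-b log.nsf", "04:30"),
    ProgramDoc("catalog", "", "01:00"),
    ProgramDoc("updall", "", "02:00"),
    ProgramDoc("statlog", "", "05:00"),
    ProgramDoc("daosmgr", "resync", "23:30", frozenset({"Mon", "Wed", "Fri"})),
    ProgramDoc("collect", "", STARTUP),
    ProgramDoc("http", "", STARTUP),
    ProgramDoc("rnrmgr", "", STARTUP),
    ProgramDoc("server", '-c "tell sched validate"', "02:00"),
    ProgramDoc("server", '-c "tell mtc purge 7"', "00:00"),
]

# Constructed sample ServerTasks= line; HTTP is listed here although a program document starts it too.
NOTES_INI_SERVERTASKS = "ServerTasks=Update,Replica,Router,AMgr,AdminP,CalConn,Sched,HTTP"


def check_system_db_exclusion(docs):
    """A compact without an explicit target must exclude system databases with -w."""
    return [f"{d.label()}: bulk compact without -w also compacts system databases such as log.nsf"
            for d in docs
            if d.program == "compact" and not d.file_targets() and "-w" not in d.args()]


def check_ind_ordering(docs):
    """compact <x>.ind must run after convert -l <x>.ind on every day it is scheduled."""
    findings = []
    producers = {t: d for d in docs if d.program == "convert" and "-l" in d.args()
                 for t in d.file_targets() if t.endswith(".ind")}
    for d in docs:
        if d.program != "compact":
            continue
        for ind in (t for t in d.file_targets() if t.endswith(".ind")):
            producer = producers.get(ind)
            if producer is None:
                findings.append(f"{d.label()}: no convert -l program document writes {ind}")
                continue
            missing = d.days - producer.days
            if missing:
                findings.append(f"{d.label()}: {ind} is not refreshed on {sorted(missing)}")
            if producer.minute_of_day() >= d.minute_of_day():
                findings.append(f"{d.label()}: runs before convert -l {ind} ({producer.start})")
    return findings


def check_startup_duplicates(docs, servertasks_line):
    """A program run 'At server startup only' must not also be loaded via ServerTasks=."""
    _, _, value = servertasks_line.partition("=")
    loaded = {t.strip().lower() for t in value.split(",") if t.strip()}
    return [f"{d.label()}: also loaded via ServerTasks=, it would be started twice"
            for d in docs if d.start == STARTUP and d.program.lower() in loaded]


def lint(docs, servertasks_line):
    return (check_system_db_exclusion(docs)
            + check_ind_ordering(docs)
            + check_startup_duplicates(docs, servertasks_line))


if __name__ == "__main__":
    for finding in lint(PROGRAM_DOCS, NOTES_INI_SERVERTASKS) or ["schedule looks consistent"]:
        print(finding)
```

Run against the table as transcribed, only the constructed ServerTasks= duplicate is reported; drop the -w from the weekly compact -B and the first check fires, because that compact would then touch log.nsf and reproduce exactly the blocking described in the analysis above.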




Of course no one is perfect, so any comments and suggestions for improvements are very welcome!

Signing and deploying Eclipse Plugins into Notes Clients- 26 June 2012 - (2) Comments

Thomas Hampel
 26 June 2012

Installing Eclipse plugins in a Notes client is a simple task. I'm sure users would be even happier if admins signed them properly before rolling them out.
Otherwise, meaning when they are not signed, or are signed with an invalid signature, users will see messages like this:
Image:Signing and deploying Eclipse Plugins into Notes Clients

For a quick and dirty solution it would be possible to set some preferences in the plugin_customization.ini or in the Notes client so that it will not show these warnings at all.
Unfortunately this lowers the security of the entire environment and therefore is not recommended.

The better method is to sign the plugin properly with a self-signed certificate and then create a trust relationship with a Domino root certificate.
These are the actions that need to be performed:
1.) Extract the Eclipse update site you want to sign to a temporary location on your hard disk
2.) Detach this command file to the same folder location where the file "site.xml" is located
signupdatesite.cmd
3.) Edit the file and customize the settings according to your needs - see remarks within the file.
4.) Run the .cmd file
5.) Save a copy of the .keystore, .cer and sign_.cer files; they can be used to sign new plugin releases if required.
6.) Import the new certificate (.cer) into the Domino server
7.) Create a cross-certificate from the internet certificate
8.) Publish the certificate to clients through security policy settings
9.) Create a new NSF based Eclipse update site and import the local update site from the temporary location (see step 1)
10.) Create a widget catalog
11.) Create a new widget using the Toolbar icon "Getting started with Widgets" and choose "Features and Plugins"
Image:Signing and deploying Eclipse Plugins into Notes Clients

12.) Add the widget created to the widget catalog created in step 10, and don't forget to define a meaningful title and category (e.g. Autoinstall) if you want the widget to be applied automatically. See the next step for details.
13.) In the Domino Directory update the Desktop policy settings to include the newly created Widget catalog
Image:Signing and deploying Eclipse Plugins into Notes Clients
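The signing itself (steps 2 to 5) lives in the attached signupdatesite.cmd, which is not reproduced here. As an added example, and not the post's script, the following Python does the same job with the JDK's keytool and jarsigner (assumed to be on the PATH) and adds the check I would want before importing a site into the NSF in step 9: walk site.xml and each feature's feature.xml to find every JAR of the update site, and report any that is still unsigned. build_sample_site() creates a constructed, unsigned two-JAR site for demonstration only; the key alias, password and certificate subject are placeholders.

```python
"""Sign every JAR of an Eclipse update site and check that nothing unsigned slips through.

Added example, not the signupdatesite.cmd attached to the post. keytool and
jarsigner are assumed to be on the PATH; the sample site is constructed.
"""
import subprocess
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path


def update_site_jars(site_dir):
    """List the feature JARs referenced by site.xml and the plugin JARs each feature declares."""
    site_dir = Path(site_dir)
    jars = []
    for feature in ET.parse(site_dir / "site.xml").getroot().iter("feature"):
        feature_jar = site_dir / feature.get("url")
        jars.append(feature_jar)
        with zipfile.ZipFile(feature_jar) as zf:
            root = ET.fromstring(zf.read("feature.xml"))
        for plugin in root.iter("plugin"):
            jars.append(site_dir / "plugins" / f"{plugin.get('id')}_{plugin.get('version')}.jar")
    return jars


def is_signed(jar_path):
    """True when the JAR carries a signature file and a signature block in META-INF."""
    with zipfile.ZipFile(jar_path) as zf:
        names = [n.upper() for n in zf.namelist() if n.upper().startswith("META-INF/")]
    has_sf = any(n.endswith(".SF") for n in names)
    has_block = any(n.endswith((".RSA", ".DSA", ".EC")) for n in names)
    return has_sf and has_block


def unsigned_jars(site_dir):
    """JARs of the site that would still trigger the client's warning prompt."""
    return [j for j in update_site_jars(site_dir) if not is_signed(j)]


def create_keystore(keystore, alias, storepass, dname="CN=Plugin Signer, O=Example"):
    """Self-signed signing key; the exported .cer is what gets cross-certified on the Domino server."""
    subprocess.run(["keytool", "-genkeypair", "-keystore", str(keystore), "-alias", alias,
                    "-storepass", storepass, "-keypass", storepass, "-keyalg", "RSA",
                    "-keysize", "2048", "-validity", "3650", "-dname", dname], check=True)
    cer = Path(keystore).with_suffix(".cer")
    subprocess.run(["keytool", "-exportcert", "-keystore", str(keystore), "-alias", alias,
                    "-storepass", storepass, "-file", str(cer)], check=True)
    return cer


def sign_update_site(site_dir, keystore, alias, storepass):
    """Sign features and plugins in place; each JAR must pass jarsigner -verify -strict."""
    for jar in update_site_jars(site_dir):
        subprocess.run(["jarsigner", "-keystore", str(keystore), "-storepass", storepass,
                        str(jar), alias], check=True)
        subprocess.run(["jarsigner", "-verify", "-strict", str(jar)], check=True)
    return unsigned_jars(site_dir)  # empty list once everything is signed


def build_sample_site():
    """Constructed, unsigned two-JAR update site in a temp directory (demonstration only)."""
    site = Path(tempfile.mkdtemp(prefix="updatesite_"))
    (site / "features").mkdir()
    (site / "plugins").mkdir()
    (site / "site.xml").write_text(
        '<site><feature url="features/com.example.feature_1.0.0.jar" '
        'id="com.example.feature" version="1.0.0"/></site>')
    with zipfile.ZipFile(site / "features" / "com.example.feature_1.0.0.jar", "w") as zf:
        zf.writestr("feature.xml", '<feature id="com.example.feature" version="1.0.0">'
                    '<plugin id="com.example.plugin" version="1.0.0"/></feature>')
    with zipfile.ZipFile(site / "plugins" / "com.example.plugin_1.0.0.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return site


if __name__ == "__main__":
    site = build_sample_site()
    print("unsigned before signing:", [j.name for j in unsigned_jars(site)])
    cer = create_keystore(site / "plugin-signer.keystore", "pluginsigner", "changeit")
    print("still unsigned after signing:", sign_update_site(site, site / "plugin-signer.keystore",
                                                             "pluginsigner", "changeit"))
    print("import this into Domino and cross-certify it:", cer)
```

The point of unsigned_jars() is that feature.xml, not the directory listing, decides which plugins belong to the site: a plugin JAR that is present on disk but never signed is exactly what produces the warning shown above, so the site is only ready for step 9 once that list is empty.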

Altogether this allows plugins to be distributed automatically to the Notes client without error messages and without lowering overall security.
Well, one prompt remains....
Image:Signing and deploying Eclipse Plugins into Notes Clients
Thomas Hampel, All rights reserved.