Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration

Who am I?

Feeds

Query results for : Error

IBM Mail Onboarding Manager - Failed to get delegate list.- 11 September 2016 - (0) Comments

Thomas Hampel
 11 September 2016

Moving users from Exchange to Domino is called 'migration' , and moving from an on-premises Domino environment to the cloud is called "onboarding".
IBM provides the Mail Onboarding Manager (MOM) for moving users to the cloud.

While MOM worked fine for all other users, I've been running into a problem with one specific user.
An error was reported when I was trying to move this account to the cloud. The error message was "Delegate is not in service"

Image:IBM Mail Onboarding Manager - Failed to get delegate list.
In my specific case, MOM was looping between "Completed quality check" and "Replicating mail file".
Replication from the mail server to the MOM server worked fine, but then MOM did not succeed in uploading the mail file to Connections Cloud.

The MOM log file showed error "4005: Replication is disabled".

Root cause:

The mail server or its cluster partner contains a database with exactly the same replicaID as the mail file you are trying to move to the cloud.
Possibly it is a restore of the mail file where replication is disabled for this NSF file.

Solution:

Delete the other database or change the replicaID of the other NSF file using this code.
change-replicaid.htm

Root Cause for ’Type mismatch in method OP_UNARY’- 21 March 2016 - (0) Comments

Thomas Hampel
 21 March 2016

Quickly creating a mail with Buttons containing LotusScript can cause headaches.
It just takes a few lines of code for running into undocumented error messages here is a small example:
Image:Root Cause for ’Type mismatch in method OP_UNARY’
will result in:
Image:Root Cause for ’Type mismatch in method OP_UNARY’

Changing "if not ..." to "is ..." like shown here
Image:Root Cause for ’Type mismatch in method OP_UNARY’
will result in a slightly different error message "Type mismatch in method IfCoerceBool: Unknown found, Uknown expected"
Image:Root Cause for ’Type mismatch in method OP_UNARY’
Do you spot the problem???

What is the root cause?

The property "IsNewDoc" acutally is a property of NotesUIDocument but is not a valid property of the NotesDocument class.
For testing if a NotesDocument is a new document, use the property IsNewNote
When creating a new button within the body of a new mail, Option Declare is not enabled by default like it is in the Designer client, so the error was not detected when saving the source code.
with Option Declare enabled its easier to spot the problem...
Image:Root Cause for ’Type mismatch in method OP_UNARY’

Reminder:

Domino CA Process ’Error processing CCS Mod Request’- 3 June 2015 - (0) Comments

Thomas Hampel
 3 June 2015

The CA process in Domino is a server task to manage and process certificate requests. It is very helpful if you want support staff to register new users without knowing the password to your Domino Certificate.
As employees join or leave the support team you'll have to add / remove people from the list of Registration Authorities by using "Modify Certifier" from the Administrator Client tools menu.
Image:Domino CA Process ’Error processing CCS Mod Request’

Granting access for a new team member as usual...
Image:Domino CA Process ’Error processing CCS Mod Request’

and submitted the request
Image:Domino CA Process ’Error processing CCS Mod Request’

seemed to be successful
Image:Domino CA Process ’Error processing CCS Mod Request’

...but according to the log the Domino CA modification request failed with this error:
CA Process (OU=OU/O=Company): Error processing CCS Mod Request.: There is no certificate in the Address Book.


Root cause
One or more people listed in the first dialog do not have a person document in the Domino Directory or the person document does not have a public key specified.
Image:Domino CA Process ’Error processing CCS Mod Request’

Solution
First remove users which dont have a corresponding person document, and save + submit the request before adding new names.

Notes Widgets disappear from Catalog- 1 June 2015 - (0) Comments

Thomas Hampel
 1 June 2015

You are wondering why your beloved Notes widget all of a sudden is no longer available in the Widget catalog?
Of course the administrator of trust did not do anything - so what happened?

Here is a small hint:
Take a quick look into the widget catalog, there is a scheduled agent...
Image:Notes Widgets disappear from Catalog

and the brief description
%REM *********************** Agent Notes **************************
This agent checks all new/modified documents to make sure that the
user created the document properly. It checks to make sure the proper
items are in place, and it also verifies that the categories that are
set are allowed by the document creator.

*************************** INTERACTIONS ***************************
There are no interactions with this agent. It is a scheduled agent
that is set to work against new/modified documents.

Conclusion:
If anything, such as AdminP, modified the document then this agent will run. In our case it was an AdminP name change request which caused the document to be modified.

Users can create new mails despite being over quota- 29 May 2015 - (0) Comments

Thomas Hampel
 29 May 2015

You have deployed mail quotas in your environment and your Notes Clients are configured to use local replicas or managed replicas.
Still you experience mail files are growing over quota limits without user complaints. How is this possible?

It seems there is a bug in the IBM Domino mail template version 9.0.1 which allows to create and send new mails even when the mail file is over quota.

Reproducing the problem

When working on the server replica:
  • create a new mail and try to save it will correctly display this warning:
    Image:Users can create new mails despite being over quota
When working on the local replica:
  • Create a new mail will display this error message, but clicking OK allows to continue saving & sending the new mail.
    Image:Users can create new mails despite being over quota
    Notes.ini variables have been verified to be set correctly on the client
    Check_Quota_On_Mail_Create=1
    REPL_OBEYS_QUOTAS=1

The problem is known to IBM and is documented as LO83693 "Enforcing Quotas on new mail creation in local based mail files not reliably working in Notes 9.0.1"

How to fix it

As usual there are two options:
a) Wait for IBM to provide a new version of the mail template - maybe this will be done in the next major release.
or
b) fix it yourself by modifying the template with your Domino Designer client as described below:

Within the QueryOpen event of the form(s)  "Memo", "Reply" and "Reply with History" , "To Do", "_Calendar Entry", etc. search for the quota checking code and remove the "Executive" statement incl. its brackets.
Image:Users can create new mails despite being over quota

Interesting to note that special forms do not contain this code so they do not need to be patched
Image:Users can create new mails despite being over quota
Please note that design elements need to be signed properly in order to avoid ECL warnings on the client side.

References
  • LO83693: Enforcing Quotas on new mail creation in local based mail files not reliably working in Notes 9.0.1

Special thanks to Michal Wolczyk for this analysis and Marc for finding this bug.

PANIC Unexpected internal error returned to logger 0x20692010- 27 March 2015 - (0) Comments

Thomas Hampel
 27 March 2015

Tip of the day:
When running Domino server commands on the operating system of a server, make sure to run the command from a console with Admin access rights, otherwise you'll get this:

PANIC: Unexpected internal error returned to logger: 0x20692010

Image:PANIC Unexpected internal error returned to logger 0x20692010

Reference:

SPR # PALL8WA3Y8

Solution

Open a command prompt by right clicking and selecting "Run as Administrator", then run the command(s) again.

Root cause:

Problem in front of keyboard.

Sametime Missing single sign on token - again- 23 March 2015 - (3) Comments

Thomas Hampel
 23 March 2015

Once again a customer ran into an issue with Missing Single Sign On Token - I have blogged about it before

The Problem:

Initial authentication is working fine, but when disconnecting the network cable + reconnecting again, users see "Missing SingleSignOn Token", or authentication does not work at all without any error message.
The problem can be resolved by restarting the client. However, this is not an acceptable solution.

Analysis

As mentioned earlier, authentication via Domino SingleSignOn is working fine at the first Notes Client logon On the client, the configuration pretty much looks like that:
Image:Sametime Missing single sign on token - again

I've enable the following debug parameters as described here in the file rcpinstall.properties which is located in the folder workspace\.config\
com.ibm.rcp.accounts.level=FINEST
org.apache.commons.httpclient.level=FINE
com.ibm.workplace.internal.notes.security.auth.level=FINEST
com.lotus.sametime.community.level=FINEST
com.ibm.collaboration.realtime.community.level=FINEST
com.ibm.collaboration.realtime.im.community.level=FINEST
com.ibm.collaboration.realtime.login.level=FINEST
com.ibm.rcp.internal.security.auth.module.level=FINEST
com.ibm.rcp.internal.security.level=FINEST
com.ibm.rcp.security.level=FINEST


Restarted the Notes client and started testing to reproduce the problem. Looking at the error log
Within the error log file of the client which is located in \workspace\logs\error-log-0.xml ) this error caught my attention => CWPST0306W: An exception occurred while invoking the target method login.
Further down in the log there is even more information about this exception.


             javax.security.auth.login.LoginException: Server Unavailable.
	at com.ibm.workplace.internal.notes.security.auth.LtpaLoginModule.login(Unknown Source)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at com.ibm.rcp.security.auth.ExtLoginModuleProxy.invokeImpl(Unknown Source)
	at com.ibm.rcp.internal.security.AbstractProxy.invoke(Unknown Source)
	at com.sun.proxy.$Proxy0.login(Unknown Source)
	at com.ibm.rcp.security.auth.ExtLoginModuleProxy.login(Unknown Source)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
             
	at java.lang.reflect.Method.invoke(Unknown Source)
	at javax.security.auth.login.LoginContext.invoke(Unknown Source)
	at javax.security.auth.login.LoginContext.access$000(Unknown Source)
	at javax.security.auth.login.LoginContext$4.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Unknown Source)
	at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
	at javax.security.auth.login.LoginContext.login(Unknown Source)
	at com.ibm.rcp.security.auth.service.AbstractLoginService.login(Unknown Source)
	at com.ibm.rcp.accounts.internal.AccountsLoginContextServiceImpl.login(Unknown Source)
	at com.ibm.workplace.internal.notes.security.auth.DominoLtpaToken.destroy(Unknown Source)
	at com.ibm.rcp.accounts.internal.auth.module.Utils.destroyTokens(Unknown Source)
	at com.ibm.rcp.accounts.internal.AccountsManagerImpl.clearCredentials(Unknown Sour
             ce)
	at com.ibm.rcp.accounts.internal.AccountsManagerImpl.updateAccount(Unknown Source)
	at com.ibm.collaboration.realtime.im.community.accountstore.internal.CommunityAdapter.updateAccount(Unknown Source)
	at com.ibm.collaboration.realtime.im.community.accountstore.internal.CommunityAdapter.handleCommunityUpdate(Unknown Source)
	at com.ibm.collaboration.realtime.im.community.accountstore.internal.CommunityAdapter.handleCommunityLifecycleEvent(Unknown Source)
	at com.ibm.collaboration.realtime.community.internal.CommunityListenerProxy.delegateCommunityEvent(Unknown Source)
	at com.ibm.collaboration.realtime.community.internal.CommunityListenerProxy.handleCommunityEvent(Unknown Source)
	at com.ibm.collaboration.realtime.community.internal.CommunityListenerProxy.handleCommunityLifecycleEvent(Unknown Source)
	at com.ibm.collaboration.realtime.community.internal.CommunityMgr.notifyCommunityListeners(Unknown Sourc
             e)
	at com.ibm.collaboration.realtime.community.internal.CommunityMgr.updateCommunity(Unknown Source)
	at com.ibm.collaboration.realtime.login.LoginMgr.updateCommunity(Unknown Source)
	at com.ibm.collaboration.realtime.login.LoginMgr.handleLoginSuccess(Unknown Source)
	at com.ibm.collaboration.realtime.login.LoginMgr.access$0(Unknown Source)
	at com.ibm.collaboration.realtime.login.LoginMgr$LoginAdapter.handleLoginEvent(Unknown Source)
	at com.ibm.collaboration.realtime.login.internal.CommunityLoginService.notifyLoginListeners(Unknown Source)
	at com.ibm.collaboration.realtime.login.internal.CommunityLoginService.handleLoginSucceeded(Unknown Source)
	at com.ibm.collaboration.realtime.login.internal.CommunityLoginService.handleCommunityLoginEvent(Unknown Source)
	at com.ibm.collaboration.realtime.community.internal.CommunityImpl.notifyListener(Unknown Source)
	at com.ibm.collaboratio
             n.realtime.community.internal.CommunityImpl.notifyListeners(Unknown Source)
	at com.ibm.collaboration.realtime.community.internal.CommunityImpl$1.run(Unknown Source)
	at org.eclipse.core.internal.jobs.Worker.run(Unknown Source)

     



Solution

It seems like the LtpaToken requires an hierarchical name of a server in order to be validated correctly. This can be done either by specifying the hierarchical name in the field "Host server" of your connection preferences, but doing so willl show an alert that you should use a fully qualified DNS name in this field.

So better put the hierarchical name in the Authentication server field as shown here:
Image:Sametime Missing single sign on token - again
This can be any server which shares the same LtpaToken with the Sametime server, of course you can also specifiy the Domino name of the Sametime server here.

How to deploy this setting automatically?

Within the managed community settings the parameter "authServerUrl" is used for this setting.

You can use a Desktop Policy setting to push this configuration setting down to all your clients. In the Managed Settings section, just add the following:
Item : authServerUrl
Value : hierarchical name of your Domino server, e.g. DominoServer/OU/Org
Plug-in name : com.ibm.collaboration.realtime.community
Image:Sametime Missing single sign on token - again

And you're done :)

Remarks

AdminP Move User - Access Rights seem not to work in Domino 9.0.1FP1 and how to work around- 12 January 2015 - (0) Comments

Thomas Hampel
 12 January 2015

Moving mail files from server to server is a simple task, AdminP handles this job properly. It does even work across domains... and it worked perfectly in numerous projects in the past.
Until today when I ran into a problem where the same process 'all of a sudden' (**what else**) caused an error in AdminP - but only for a specific group of destination servers.

After creating the AdminP Move User request (using our internal tools), the AdminP request "Check Mail Server's Access" failed with this error:
Image:AdminP Move User - Access Rights seem not to work in Domino 9.0.1FP1 and how to work around
Errors:

Title: Domain's Directory Path: Domain's Directory; Name: Admin Lastname/OU/Org;
Error: Both the signer and the author of this request must have Editor access or Author access with the UserModifier role to the Domino Director

Analysis

We checked access rights on both sides... several times....but everything was set up correctly. Even restarting the server (to refresh the name lookup cache) did not change the situation.
Finally after a few chats with my colleagues they indicated it could be related to a problem they had seen before, referencing an old bug ( LO81200 ) and also pointing to a new SPR

SPR # JPAI9FEKCP, fixes a Notes Client issue where if a local NAMELookup cache has been created it is inappropriately being used as opposed to doing the NAMELookup on the remote server. This may result in Notes Client errors indicating insufficient access to perform any number of Notes Client operations such as Admin Client move user or simply signing of databases.

Although the SPR reads like it would apply to Notes Clients only, I can confirm it does apply to Domino Servers as well, at least for that specific AdminP request type "Move User"
We did a few tests and quickly found a workaround, so here is what you can do about it:

Temporary Solution:

Don't use groups to grant the specific access rights.
In our case putting the name of the person who signed the AdminP request >directly< into the ACL of the Names.nsf of the destination server fixed the issue.

This is what the AdminP Move User reuqest should look like before the user authenticates
Image:AdminP Move User - Access Rights seem not to work in Domino 9.0.1FP1 and how to work around

Permanent Solution

Apply Domino 9.0.1 FixPack2 now or wait for Domino 9.0.2 to be released.

Lessons learned:

1.        Always install the latest version of Domino
Note: The destination server in question is not maintained by our team.
2.        What an awsome team we have :)

References

Opening another mail file is causing Type mismatch in method CoerStrToNum: STRING found, DOUBLE expected- 7 January 2015 - (2) Comments

Thomas Hampel
 7 January 2015

Problem:
Opening the mail file of another person is causing the message "Type mismatch in method CoerStrToNum: STRING found, DOUBLE expected" to be displayed:
Image:Opening another mail file is causing Type mismatch in method CoerStrToNum: STRING found, DOUBLE expected
While IBM Technote 1303181 only provides a basic idea of what is wrong, it does not give any idea what can be done to fix it.
So I had to look into details and quickly found the problem.

Steps to reproduce

In order to reproduce the problem, this is what you have to do:
  • Make sure you have the Notes.ini variable CHECK_QUOTA_ON_MAIL_CREATE set to 1
  • Open another person's mail file, this will write the current date at the end of the Notes.ini variable DELEGATED_MAIL_FILEx
  • Close your Notes client
  • Change the date format of your operating system from DD.MM.YYYY to MM/DD/YYYY (or the other way around)
  • Open the same other persons mail file again.

Analysis

Trying to find the root cause with debugging enabled shows a different error "*CE39918+421: Type mismatch"
Image:Opening another mail file is causing Type mismatch in method CoerStrToNum: STRING found, DOUBLE expected
but at least it indiicates the problem is located in the Database Open script.
Image:Opening another mail file is causing Type mismatch in method CoerStrToNum: STRING found, DOUBLE expected

What is causing this problem?

Obviously it is a String to Date conversion issue. Storing a Date in a String to convert it back to a date is never a good idea. If you really need to do it you should not rely on the CDat function to work. Write your own function which does ignore the
Regional settings - in specific the date format - of this workstation have been changed.

Resolving the problem

Change the date format of your operating system back to what it should be.
If the date format of your computer is correct and the problem still persists, then manually update your Notes.ini and remove all lines starting with DELEGATED_MAIL_FILE or by updating the date format at the end of this line yourself.

Permanent solution

A perfect solution would require to update the mail template to be updated. in specific the script Library "CheckQuotas" contains a class called "CheckQuota" with the Sub "SetCalMgrINI"
This sub contains several references where a string is being converted to a date. This is where additional verification is required to ensure the string value is a date which can be converted using the current regional settings.
Image:Opening another mail file is causing Type mismatch in method CoerStrToNum: STRING found, DOUBLE expected

RSS Feed Reader - Error: Unable to download a feed from host- 18 December 2014 - (1) Comments

Thomas Hampel
 18 December 2014

Some time ago a user started to claim his Notes Sidebar would no longer display latest RSS news feeds.
Asking for details we checked functionality by subscribing to a new feed....which did not work either. The Notes client was throwing an error:

Image:RSS Feed Reader - Error: Unable to download a feed from host

Analysis:

At first one might think this is caused by the RSS feed itself, but since I'm a subscriber of the same feed I knew the root cause must be something different.

Within the corporate network Notes clients must be configured to use an HTTP proxy in order to access the internet, testing revealed outside of the customers network it is working fine when HTTP Proxy settings are disabled,

Feed reader components itself are running on the latest version, so
Michael Urspringer's hint (= SPR # IFAY7CTHAR ) seems not to apply
Image:RSS Feed Reader - Error: Unable to download a feed from host

Opening a PMR was followed with the usual request for logs and a
Wireshark network trace.
After some investigation and
discussions it turned out the network team changed some settings on the HTTP proxy server to block all HTTP traffic from web browsers where the user agent string includes "Windows NT 5.1" (which is Windows XP) because WinXP being out of support.

Wireshark showed the default setting for the feed reader in Notes 9.0.1 is user agent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"

...but how can you change this default??


A small hint can be found in the release notes of a previous
Notes client (8.5.2FP1) fix list
Take a closer look to SPR# MWER88NFWT which outlines the settings required for modifying the useragent.:


"Added an option to allow customers to override the "User Agent" value for Notes Client Feedreader. By default, Feed Reader authenticates itself as "MSIE 7.0" even on Linux and Mac.  
Customers can optionally add the following 2 lines to the /framework/rcp/plugin_customization.ini:

com.ibm.rcp.feedreader.providers/network.useragent.override=true

com.ibm.rcp.feedreader.providers/network.useragent=CUSTOMER SPECIFIED VALUE (<-replace CUSTOMER SPECIFIED VALUE with the value of your choosing)"



Solution:
  • Change the useragent string of the feed reader to anything else. (You can find a long list of user agents to choose from as part of a Firefox Plugin.)
    Modify the file /framework/rcp/plugin_customization.ini and add the following lines for testing
    com.ibm.rcp.feedreader.providers/network.useragent.override=true
    com.ibm.rcp.feedreader.providers/network.useragent=Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0
  • After successful testing, deploy this parameter to all users by using Desktop Policies / Managed Settings:
    Image:RSS Feed Reader - Error: Unable to download a feed from host

Conclusion:

The HTTP proxy was configured according to
RFC 3314 but mistakenly assuming WinXP in a useragent string is evil
....and of course...
whatever is wrong, it must have been the network guy!

IBM HTTP Server - SSL Handshake Failed and why it matters to keep a backup of the key ring file- 20 September 2014 - (0) Comments

Thomas Hampel
 20 September 2014

All of a sudden (as usual) clients started to receive SSL expiration warnings when accessing the customer's Connections environment.

A quick look into the log file  /opt/IBM/HTTPServer/logs/error.log confirmed the SSL certificate has expired.:
[Sat Sep 20 22:21:05 2014] [error] [client 10.175.198.62] [8222a80] [30015] SSL0221E: SSL Handshake Failed, Either the certificate has expired or the system clock is incorrect. [10.175.198.62:40028 -> 10.175.220.11:443] [22:31:05.000019743]


Opening the *.kdb file with the gsktool showed the default certificate had expired.
Image:IBM HTTP Server -  SSL Handshake Failed and why it matters to keep a backup of the key ring file
Ok, nothing easier than that... so lets create a new signing request and get this signed by the certificate authority.
Once that is completed we can import the new certificate incl. any trusted roots quickly.


However when you try to import/receive your signed certificate keep the following in mind:
  • You can only import a signed certificate into >exactly< the same *.kdb file which was used to create the certificate request.

Within the iKeyman utility, switch from "Personal certificates" to "Personal Certificate Requests" (sorry, only got screenshots in German available and hope the translation is correct)
Image:IBM HTTP Server -  SSL Handshake Failed and why it matters to keep a backup of the key ring file

normally it would look like this...
Image:IBM HTTP Server -  SSL Handshake Failed and why it matters to keep a backup of the key ring file

but if it looks like the following screenshot, then bad luck... you can not import your signed certificate anymore.
Image:IBM HTTP Server -  SSL Handshake Failed and why it matters to keep a backup of the key ring file

Instead you'll see "The certificate request created for the certificate is not in the key database"  / "Die für das Zertifikat erstellte Zertifikatsanforderung ist nicht in der Schlüsseldatenbank vorhanden."
Image:IBM HTTP Server -  SSL Handshake Failed and why it matters to keep a backup of the key ring file

Now your options to solve this are:
a) find the original key ring file (*.kdb) which was used to create the certificate request
b) create a new certificate request, but this time make sure to keep the *.kdb file
c) set up a self signed certificate - although this is an option, it should not be considered
d) update the SSL directives on your IBM HTTP Server and set SSLClientAuth to "noverify". This will not fix the problem but will at least allow the server to be up and running with an expired certificate until you have obtained a new one.
(...if there are other options, please let me know)

Lessons learned:
  • Keep the key ring file backed up
  • Track certificate expiration time
  • When expired, take action well in advance
  • Even when delegating simple work, supply detailled instructions on least 250 pages

Off topic:
Why do I need to troubleshoot such a very very basic problem myself on a Saturday night?


Further reading:

AMgr: Console command ’LOG.NSF’ is unknown- 13 May 2014 - (0) Comments

Thomas Hampel
 13 May 2014

After upgrading to Domino 9.0.1 the following messages show up at the console.
It seems the agent manager is trying to send file names as commands to the server's console...


AMgr: Console command 'ddm.nsf' is unknown
AMgr: Console command 'admin4.nsf' is unknown
AMgr: Console command 'LOG.NSF' is unknown
AMgr: Console command 'LOG.NSF' is unknown
AMgr: Console command 'ddm.nsf' is unknown
AMgr: Console command 'ddm.nsf' is unknown
AMgr: Console command 'admin4.nsf' is unknown
AMgr: Console command 'admin4.nsf' is unknown
AMgr: Console command 'LOG.NSF' is unknown
AMgr: Console command 'LOG.NSF' is unknown
....


It turned out that its a small bug that was introduced in Domino 9.0.1 - the problem is already known and has been documented in SPR# CSAO9FR9ZS
A local workaround is documented here => LO78790: AMGR: CONSOLE COMMAND 'XXX.NSF' IS UNKNOWN SHOWS REPEATEDLY

Sametime Missing single sign on token- 2 September 2013 - (1) Comments

Thomas Hampel
 2 September 2013

I've just fixed an authentication issue in a customer environment and wanted to pass along the findings.

The problem:
Sametime users can log on to via username/password, but SingleSign On isnt working as expected.
On the client, the configuration pretty much looks like that:
Image:Sametime Missing single sign on token

Authentication via Domino SingleSignOn is working fine at the first Notes Client logon. Once the client disconnects, e.g. network disconnect, computer went on standby, etc. etc. the Notes client can no longer authenitcate with the server. The error message "Missing single sign on token" is displayed.
Image:Sametime Missing single sign on token
For now, clients had to restart the Notes Client to log back into Sametime.

Root cause:
After successful authentication, the server is handing out a token (LtpaToken) to the client which seems to be bound to the DNS domain specified in this token.
The Sametime community configured at the client must be in the same DNS zone, otherwise users can only log in once but not re-logon without restarting the client.

Solution:
Check the following three places and make sure the DNS domain specified is the same.
  1. The LtpaToken used by the server
    see Domino Directory : Web Configurations\Web SSO Configuration\LtpaToken
    Image:Sametime Missing single sign on token
  2. The Server document
    - Basics \ Fully Qualified Internet Host name
    Image:Sametime Missing single sign on token

    - Internet Protocols \ HTTP \ Host Name
    Image:Sametime Missing single sign on token
  3. Notes Client Preferences \ Sametime Communities
    Image:Sametime Missing single sign on token<< obviously this screenshot shows a different Domain name than the one specified in the LtpaToken

Remarks
  • Without an authentication server specified, Notes will obtain the token directly from the Sametime server configured. If the token is obtained from an authentication server, the secret key within the token of course will have to match the token configured in your Sametime server.
  • A complete list of settings that can be predefined within the Sametime client by using Domino policies is available here

Launchpad - Unable to find supported browser- 30 December 2012 - (1) Comments

Thomas Hampel
 30 December 2012

When installing IBM products based on Launchpad, such as IBM Websphere Application Server, newer Linux distributions might cause "Unable to find supported browser"

The launchpad application cannot start. This error typically occurs when a supported browser cannot be found.

Looking into details, you'll find Firefox v10 or later has been installed in your Linux distribution so you will need to modify the launchpad application to support those.


Two files  need to be modified...
  • browser.sh
    can be found in the installation packet itself at /launchpad/browser.sh
  • fbrowsher.sh
    can be found after the product has been installed at /IBM/WebSphere/AppServer2/firststeps/fbrowser.sh

Modify each file so that it contains the following string in the supportedFirefoxVersion case statement:


*Firefox\ [1-9][0-9].*) return 0;;


The function should then look like this:


supportedFirefoxVersion()

{

case "$*" in

*Firefox\ [1-9].*) return 0;;

*Firefox/[1-9].*) return 0;;

*Firefox\ [1-9][0-9].*) return 0;;


For more details, see
Technote 159598

Just search the folder where you have your installation files using the command
find ./ -iname 'browser.sh'

and modify the each file shown
  • tdi/launchpad/browser.sh
  • WAS/launchpad/browser.sh
  • WASSupp1/launchpad/browser.sh
  • IBM_Connections_Install/launchpad/browser.sh

Thinkpad PC Doctor causing errors- 27 August 2012 - (0) Comments

Thomas Hampel
 27 August 2012

From time to time even desktop users should take a look into the operating system log files, doing so I found this error message in the Windows Application event log of my Thinkpad
Image:Thinkpad PC Doctor causing errors

The PC-Doctor is an application supplied toThinkpad users as part of the operating system toolset for managing the computer. The component which is causing this problem seems to be running regular checks against the storage media.


Since I wanted to get rid of this, the solution was to disable the scheduled task...

In the Windows Task scheduler, find and disable the task named "SystemToolsDailyTest"

Image:Thinkpad PC Doctor causing errors

ID Vault - Error 03:11- 8 June 2012 - (0) Comments

Thomas Hampel
 8 June 2012

When deploying the IDVault, administrators may see the following error in the Log.nsf of the server hosting the IDVault.

06/08/2012 04:54:18 PM  ID failed to upload to vault 'O=XYZ-IDVault'.  'Firstname Lastname/OU/O' (IP Address a.b.c.d:port) made request.  Error: 03:11
06/08/2012 04:59:16 PM  Unable to find ID for 'Firstname Lastname/OU/O' in vault 'O=XYZ-IDVault'.  Error: 03:11


Image:ID Vault - Error 03:11
Root cause for this is a pending name change reuqest which was not applied to the user. Take a look into the person document of this user, especially the tab "Administration",
the Client Information section will display if there are any pending name change requests outstanding.

Technically the name change request is stored in a field called "ChangeRequest", supported by "ChangeRequestDate" which is storing the date/time of when this request was initiated.
In my particular case, the name change request was almost 3 years old and it was not possible to find out what has caused this request to still appear in the system.

Image:ID Vault - Error 03:11
Workaround:

Remove both fields (or set them to an empty value) e..g. by using the
Change Any Field method

A really large Notes application which seems to exceed 100 TeraByte- 1 December 2011 - (0) Comments

Thomas Hampel
 1 December 2011

Another interesting observation in a Notes 8.5.3 client.

This Notes application, shows up in the Admin client with an incredible amount of disk space.

If I am calculating right 1,0*E^14 is 100 TeraByte in a single NSF file, which is located on my local computers disk.

Image:A really large Notes application which seems to exceed 100 TeraByte

Actually the physical disk size on operating system level shows a different value, of just 1.290.240 bytes

While the DB properties show 101 MByte...

Image:A really large Notes application which seems to exceed 100 TeraByte

I guess something is wrong here...

Cleanup Separators- 24 November 2011 - (0) Comments

Thomas Hampel
 24 November 2011

Does anyone know what "Cleanup Separators" are???
This menu appeard today in my Lotus Domino Administrator client version 8.5.3

alt="Image:Cleanup Separators" border="0" src="cleanup-separators.htm/content/M2?OpenElement">

error while loading shared libraries: libnotes.so- 3 May 2011 - (2) Comments

Thomas Hampel
 3 May 2011

Installing Lotus Notes on Linux is rather simple, the UI starts right away without any problems.
However if you happen to run command level operations such as compact or fixup you may run into problems because the following error message may appear:

"error while loading shared libraries: libnotes.so: cannot open shared object file: No such file or directory"

Notes is complaining it can’t find libnotes.so which normally resides in the /usr/lib folder on your machine.
All you have to do is to create some links so that the Notes/Domino code can find this file

To do so you will have to be root or have sudo rights and execute the following commands
sudo ln -s /opt/ibm/lotus/notes/libnotes.so /usr/lib/libnotes.so
sudo ln -s /opt/ibm/lotus/notes/libndgts.so /usr/lib/libndgts.so
sudo ln -s /opt/ibm/lotus/notes/libxmlproc.so /usr/lib/libxmlproc.so

or if you want a more propper solution, use those commands (thanks to Brian for reminding me)

# Create the conf file and put into place
echo “/opt/ibm/lotus/notes” >/tmp/lotus-notes.conf
sudo install -m 644 /tmp/lotus-notes.conf /etc/ld.so.conf.d/

# Tell the linker to use it
sudo ldconfig

Note: Of course all these commands refer the the standard Notes client installation directories, which you may need to adjust to fit your installation.

Error "Field is too large (32k)" importing local Update site- 7 November 2010 - (0) Comments

Thomas Hampel
 7 November 2010

When importing a local update site I still get this error from time to time... it seems to be caused by the number of features within an updatesite.
Image:Error "Field is too large (32k)" importing local Update site

lsclassimportsite: cimportsite::serialize (line 108)

lsclassimportui: cimportui::importsite (line 141)

dlgimportsite: queryclose (line 13)


Up to now I was not able to find the root cause, nor I was able to work around this problem.

When reviewing support forums it seems like I'm not the only one.


Update: Looks like this is caused by a large "feature.xml" file inside of a JAR package. It seems some vendors like to put a full law book inside this XML file which in the end exceeds the 32k limitation of a plain text field in Notes.
Thomas Hampel, All rights reserved.