Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration

Who am I?

Feeds

Query results for : May 2014

AMgr: Console command ’LOG.NSF’ is unknown- 13 May 2014 - (0) Comments

Thomas Hampel
 13 May 2014

After upgrading to Domino 9.0.1 the following messages show up at the console.
It seems the agent manager is trying to send file names as commands to the server's console...


AMgr: Console command 'ddm.nsf' is unknown
AMgr: Console command 'admin4.nsf' is unknown
AMgr: Console command 'LOG.NSF' is unknown
AMgr: Console command 'LOG.NSF' is unknown
AMgr: Console command 'ddm.nsf' is unknown
AMgr: Console command 'ddm.nsf' is unknown
AMgr: Console command 'admin4.nsf' is unknown
AMgr: Console command 'admin4.nsf' is unknown
AMgr: Console command 'LOG.NSF' is unknown
AMgr: Console command 'LOG.NSF' is unknown
....


It turned out that its a small bug that was introduced in Domino 9.0.1 - the problem is already known and has been documented in SPR# CSAO9FR9ZS
A local workaround is documented here => LO78790: AMGR: CONSOLE COMMAND 'XXX.NSF' IS UNKNOWN SHOWS REPEATEDLY

Making Internet Mail Secure with just a few clicks - S/MIME in Domino- 9 May 2014 - (0) Comments

Thomas Hampel
 9 May 2014

I'm wondering why internet mails are still sent unencrypted, at least for a large extend. You should not make it too easy for your enemy to spy on you just by sniffing your internet traffic. This blog post is a reminder for Domino admins who still force mails sent unencrypted over the internet to take action now. No, I'm not talking about transport level security for now, this post is to provide end to end encryption.

After having read the-dummies-guide-to-2048-bit-ssl-self-signed-certificates-in-domino.htm you are ready for securing your internet email with S/MIME.
So lets roll out S/MIME certificates to Notes users in a Domino domain:

Basic steps are:

1. Create a key ring file
that contains a self signed (or trusted ) certificate
For more information on how to create a self signed CA, read the-dummies-guide-to-2048-bit-ssl-self-signed-certificates-in-domino.htm

2. Set up the CA process in Domino

Nobody wants to deploy S/MIME certificates to users manually, so it is recommended to
set up the CA process in Domino,
otherwise an Admin needs to enter the password of the keystore every time a new user is being registered.

3. Migrate an (internet) Certifier into the CA

Just read and follow
instructions for migrating an existing Certifier/KeyRing , or create a new one using the use the step by step instructions starting with slide #89
Remark: You must refresh the CA process in order to see the newly migrated certifier, use the server command "tell ca refresh" and "tell ca status"

4. Rolling out Internet Certificates to Users

Follow instructions for
Issuing Internet certificates in a Person document or use the  step by step instructions starting with slide #149
Here the CA process becomes very handy when the rollout is done in waves.

Done!

Once AdminP completed, the Notes Client will pick up the new keys the next time it authenticates with the Domino server and the new S/MIME certificate will then be merged into the users ID file.
If an IDVault is in use, the Notes Client will then upload the ID file to the vault automatically.

What about Step-by-Step deployment instructions?

Those have already been provided byTom Truitt's in his Lotushpere 2011 presentation
SHOW104 - Crispy Certificates with Spicy SSL Salsa
One might also want to know
how to enable S/MIME in BlackBerry Enterprise Service 10 and should keep in mind S/MIME in IBM Notes Traveler still seems to be an issue (Reference Technote #7039769 )

How to obtain the internet certificate's public key of a user?

When receiving internet mail users of the same domain can pick up the public key of a user from the Domino Directory, but users receiving mail from the internet need to ask the sender for a signed email to add the senders internet certificate to local address book manually. The option can be found in the "Add Sender to Contacts" dialog box...

Image:Making Internet Mail Secure with just a few clicks - S/MIME in Domino

at the very bottom there's a small check box...

Image:Making Internet Mail Secure with just a few clicks - S/MIME in Domino

Now you can send & encrypted mail(s) via the internet - sniffing network traffic wont provide the mail body in clear text anymore.
Of course enabling S/MIME for external communication is just a first small step and you know its not a perfect way
to protect your privacy forever.

Overall, this is just some very basic knowledge every Domino administrator should have applied for years, but unfortunately...
Yes, there is more to say about S/MIME in Domino, a lot more - so there will be another blog post about this topic.


Further reading
:

The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino- 7 May 2014 - (3) Comments

Thomas Hampel
 7 May 2014

Setting up SSL in Domino using Self Signed Certificates is easy, one can choose between SSL using Domino as Certificate Authority or setting up SSL in Domino using the CA Process or even using an IBM HTTP Server in front of Domino
Since I'm still getting questions on how to quickly create a self signed certificate for Domino, here is a guide for dummies....

When working with self signed certificates in Domino, the product documentation wont tell you there's one small problem:
In the standard Domino Server Certificate Administration template (csrv50.ntf) there is no option to specify the key length for self signed certificates, so by default any new keys will be created with a key length of just 512byte, which is not enough for modern browsers nor for Internet Explorer 9 (or above), see
http://technet.microsoft.com/en-us/security/advisory/2661254
Image:The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino

So lets get this fixed by applying some small modifications to the template so the key size can be adjusted when needed. At the same time we can also change the default validation time to be configurable.
Continue Reading "The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino" »

Product codes for Notes 9.0.1 Multilingual User Interface (MUI) packs- 6 May 2014 - (0) Comments

Thomas Hampel
 6 May 2014

Customers were demanding for it and here they are - the Multilingual User Interface (MUI) kits for the Notes Client V9.0.1
Those kits allow switching between different languages without the need to reinstall a new client software each time.

For further reference, the table below provides the part numbers to download the packages from
Passport Advantage
Notes V9..0.1 Standard Basic Browser Plugin
IBM Notes 9.0.1 Client Windows English ( Announcement Letter ) CIQ7REN CIQ7QEN Full = CIQ90EN
Lite = CIQ96EN
IBM Notes XTAF Dictionaries V9.0 for Windows Multilingual
(Mac=CIF0DML , Linux=CIF6BML)
CIF0EML
Multilingual User Interface for ...
Group 1 - Catalan, Chinese Simplified, Chinese Traditional, French, German, Italian, Japanese, Korean, Portuguese, Brazilian, Spanish ( Announcement Letter ) CIV5HML CIT8TML  CIT9GML
Group 2A - Danish, Dutch, Finnish, Norwegian, Swedish  ( Announcement Letter ) CIUZ6ML CIUZ7ML CIUZ8ML
Group 2B - Arabic, Czech, Greek, Hebrew, Hungarian, Polish, Portuguese, Russian, Turkish CIVY2ML CIVY5ML CIVY6ML
Group 3 -  Kazakh, Slovakian, Slovenian, Thai CIVY3ML CIVY4ML CIVY7ML




Remarks:
Thomas Hampel, All rights reserved.