Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration

Notes Domino 9.0.1 Feature Pack 8- 9 March 2017 - (0) Comments

Thomas Hampel
 9 March 2017

Note to self:
In case anyone is asking for new features of the Notes/Domino 9.0.1 Feature Pack 8, refer them to this blog post

and remind them to read Oliver Busse's blog post

Domino SingleSignOn - Level 2 - Self Service Password Reset Application - 14 February 2017 - (0) Comments

Thomas Hampel
 14 February 2017

Based on a recent discussion with a customer it seems there still is not enough information on how to simplify authentication for Notes/Domino users.
This is the second post out of a series of blog posts describing how to move from password-based to seamless authentication.
Once you have established LDAP authentication you can approach the next stage:

Level 2 - Self Service Password Reset Application

Combined with a Self Service Password Request HTTP application (or this fancy one) users can reset their Notes password without the help of an administrator, just by using a web browser.
Users must be authenticated in order to reset their own password, but thanks to the configuration done in level 1 they can use their Active Directory credentials to log in.
Once authenticated, a user can simply define a new password, which is applied immediately in the ID Vault. Just seconds later the new password can be used to log into the Notes client.
Image:Domino SingleSignOn - Level 2 - Self Service Password Reset Application

Pros and Cons

+ Lost/forgotten passwords on a Monday morning are no longer your problem. Users can handle this problem on their own.
+ You don't need to distribute Notes ID passwords for newly created users.
- There still is a Notes ID password to remember.
- There still is a password prompt every time you start the Notes client and/or every time you open an encrypted mail in iNotes.
- The Self Service Password Request HTTP application does not give any feedback on password quality or strength.

Prerequisites:
  • Notes ID Vault has been established and contains the Notes IDs of all users
  • User must be authenticated, preferably using Active Directory authentication as described in the previous post (level 1)
  • Custom Password Reset application template.
    Please note that the template provided by IBM as part of the Domino server is not officially supported and is provided as an example only. See Technote 1330905

Configuration

Setup instructions have already been provided by IBM, so I'm not describing those steps again.
Once completed you should have a functioning password reset application. However, I would like to highlight a few important details:
  • The agent and the form need to be signed with an ID which has ID Vault password reset authority
  • The ACL of this database must have an Administration server defined, and the Admin server specified there must be the one that hosts the ID Vault.

For improved usability I do recommend a little tuning:
  • Create a URL which users can remember, e.g. by creating a web redirect rule
    http://yourserver.domain.com/passwordreset ==> /pwreset.nsf
  • Modify the form “fmPasswordReset” to display your corporate password rules, e.g.
    “The new password must have a minimum of 8 characters. It must contain a mixture of lowercase alphabetic, uppercase alphabetic, numbers and special characters. Three of these four conditions must be met.”
  • Modify the source code to confirm that the password change request has been submitted and to verify that the password rules have been followed.
    Without this modification users will not get any feedback on whether the new password has been applied or not.
    Note that this check runs in the user's browser: it improves usability, but it is not an enforcement point, because anyone can post the form without it. The password quality you actually require must also be enforced on the server side, in the reset agent.
    So update the source code of the form “Password Change”, Sub “OnSubmit” as follows:
var i = 0;
var k = 0;
var h = 0;
var have = [0, 0, 0, 0];            // character classes seen: lower, upper, digit, other
var characters = ["abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "0123456789"];
var minLen = 8;                      // minimum password length
var minDif = 3;                      // number of character classes required (out of 4)
var pw1 = document.forms[0].pw1.value;
var pw2 = document.forms[0].pw2.value;
// classify every character; anything outside the three lists counts as "special" (class 3)
for (i = 0; i < pw1.length; i++)
{
       h = 3;
       for (k = 0; k < characters.length; k++)
       {
               if (characters[k].indexOf(pw1.substr(i, 1)) >= 0)
               {
                       h = k;
               }
       }
       have[h] = 1;
}

if ( pw1.length < minLen )
{
       alert("You must enter a password with at least " + minLen + " characters");
       return false;
}
else if ( pw1 != pw2 )
{
       alert("Entered passwords don't match");
       return false;
}
else if ( have[0] + have[1] + have[2] + have[3] < minDif )
{
       alert("Password must be more complex, use numbers, lower-, upper- and special characters");
       return false;
}
else
{
       // returning true lets the form submit; the message is shown right before that happens
       alert("Thank you, your request has been submitted. The new password can be used now.");
       return true;
}
  • In order to support clustered environments the source code of the agent “User Password Reset” needs to be updated as follows, so that the reset is always directed at the Administration server defined in the ACL (the server hosting the ID Vault), no matter which cluster member the application is running on:
Set Doc = Session.DocumentContext
' the target server is read from the ACL instead of being hard-coded
Call Session.ResetUserPassword(Session.CurrentDatabase.ACL.AdministrationServer, "", Doc.GetItemValue("pw1")(0))
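The rule the form enforces above, as an added Python reference implementation that is not part of this post or of the IBM template. Because the OnSubmit JavaScript runs in the browser, the same rule has to be implemented a second time where the reset is actually performed; this module expresses it in a testable form (thresholds from the post, function names mine) and reports which character classes are missing instead of a generic message. Like the JavaScript, it treats any character outside the three lists, including whitespace, as "special".

```python
"""Server-side version of the password rule the form checks in the browser.

Added example, not from the original post or the IBM template. The
thresholds (8 characters, 3 of 4 classes) are the post's corporate rule;
the function names are mine.
"""
import string

MIN_LEN = 8          # minimum length from the post's corporate rule
MIN_CLASSES = 3      # classes required out of: lower, upper, digit, special
ALL_CLASSES = {"lower", "upper", "digit", "special"}

_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
}


def character_classes(password: str) -> set:
    """Return the set of class names present in the password.

    Anything outside the three explicit lists (whitespace, punctuation,
    non-ASCII) counts as 'special', exactly as the JavaScript's default
    h = 3 does.
    """
    present = set()
    for ch in password:
        for name, members in _CLASSES.items():
            if ch in members:
                present.add(name)
                break
        else:
            present.add("special")
    return present


def password_problems(pw1: str, pw2: str) -> list:
    """Return every rule violation; an empty list means the password is acceptable."""
    problems = []
    if len(pw1) < MIN_LEN:
        problems.append(f"at least {MIN_LEN} characters required")
    if pw1 != pw2:
        problems.append("passwords do not match")
    classes = character_classes(pw1)
    if len(classes) < MIN_CLASSES:
        missing = sorted(ALL_CLASSES - classes)
        problems.append(
            f"only {len(classes)} of {MIN_CLASSES} required character classes, "
            f"missing: {', '.join(missing)}"
        )
    return problems


if __name__ == "__main__":
    # constructed candidates: the second one has no upper-case or special character
    for candidate in ("Summer2017!", "summer17", "Summer 17", "short1A"):
        print(f"{candidate!r}: {password_problems(candidate, candidate) or 'OK'}")
```

The agent can call the equivalent of password_problems before Session.ResetUserPassword and return the list to the form, so the user gets the same feedback whether or not the browser check ran.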


Conclusion

A Self Service Password Reset application combined with LDAP authentication eliminates the need to distribute Notes ID passwords to end users.
Administrators can register new Notes IDs with completely random passwords that they neither need to remember nor distribute to end users.
Notes client setup instructions can be simplified so that end users define the password themselves before they start Notes for the first time.

Domino SingleSignOn - Level 1 - LDAP Authentication- 13 February 2017 - (0) Comments

Thomas Hampel
 13 February 2017

Based on a recent discussion with a customer it seems there still is not enough information on how to simplify authentication for Notes/Domino users.
This is the first post out of a series of blog posts describing how to move from password-based to seamless authentication.

Level 1 – LDAP Authentication

The main goal of this level is to give users the ability to authenticate to Domino internet protocols such as HTTP using LDAP (e.g. Active Directory) credentials. Notes client authentication remains unchanged.
When using a web browser to access a Domino server, users will be prompted for username and password.
This authentication dialog looks like one of the following examples:
Image:Domino SingleSignOn - Level 1 - LDAP AuthenticationImage:Domino SingleSignOn - Level 1 - LDAP Authentication
Credentials entered here are forwarded to Active Directory for authentication.
Within this process username and password are sent over the network twice, from the browser to Domino and from Domino to the LDAP server, so it is essential to secure both connections using SSL/TLS.

Pros and Cons

+ Lost/forgotten passwords on a Monday morning are no longer your problem. The AD guys have to take care :)
+ No need to manage HTTP passwords and no need to sync HTTP and Notes passwords
- All authentication requests are forwarded to LDAP/AD, so entering wrong passwords multiple times will (depending on your policy) lock out the AD account. Keep in mind that anyone who can reach the Domino login page can trigger such lockouts on purpose.

Prerequisites:

In order for Active Directory authentication to work, the Notes user name must be stored within Active Directory (or the AD name must be stored in Domino). This is required to map the Active Directory user name to a Notes user name.
  • Within Active Directory, each user object must have a (custom) attribute storing the Notes user name in DN format. This format is the full canonical user name of the Notes user (e.g. “CN=Firstname Lastname,OU=Department,O=Company”) where every slash (“/”) is replaced by a comma (“,”)
  • The name of this (custom) attribute of the user object in Active Directory can be any name of your choice; I will be using “mailNickname”, but you can use any other attribute you like.
    It is recommended to include this attribute in the AD index for performance reasons. For details on how to do this, please refer to this article, which relates to an older version of AD but is still valid.
  • Synchronization from the Domino Directory to Active Directory is done on a regular basis, e.g. by using TDI (which is free for Domino customers) with some AssemblyLines for Domino
  • A non-expiring Active Directory user account is required that will be used by Domino for Single Sign-On purposes.
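The name mapping the synchronization job has to produce, as an added Python example that is not part of this post: it derives the attribute value (the canonical Notes name with "/" replaced by ",") from either the canonical or the abbreviated Notes name, and converts an attribute value back into a Notes name without breaking on commas inside a CN. Assumptions that are mine, not the post's: names carry no C= (country) component, and in the abbreviated form the first part is the CN, the last part the O and everything in between an OU.

```python
"""Notes name <-> AD attribute value, as needed for Directory Assistance.

Added example, not part of the original post. Assumes names without a
C= (country) component; abbreviated names map first part -> CN,
last part -> O, everything in between -> OU.
"""
import re

# one Notes name component with its label
_LABEL = re.compile(r"^(CN|OU|O|C)=(.*)$", re.IGNORECASE)
# split a DN only on commas that start a new labelled component,
# so a comma inside a value ("CN=Smith, Paul") is left alone
_DN_SPLIT = re.compile(r",(?=(?:CN|OU|O|C)=)", re.IGNORECASE)


def notes_name_to_dn(notes_name: str) -> str:
    """Return the value to store in the AD attribute (mailNickname in the post)."""
    parts = [p.strip() for p in notes_name.strip().split("/")]
    if not parts or any(p == "" for p in parts):
        raise ValueError(f"malformed Notes name: {notes_name!r}")
    matches = [_LABEL.match(p) for p in parts]
    if all(matches):
        # canonical input: keep the components, normalise the labels to upper case
        components = [f"{m.group(1).upper()}={m.group(2)}" for m in matches]
    elif not any(matches):
        # abbreviated input: Firstname Lastname/Department/Company
        if len(parts) < 2:
            raise ValueError("abbreviated name needs at least a CN and an O part")
        components = ([f"CN={parts[0]}"]
                      + [f"OU={ou}" for ou in parts[1:-1]]
                      + [f"O={parts[-1]}"])
    else:
        raise ValueError(f"mixed canonical/abbreviated name: {notes_name!r}")
    return ",".join(components)


def dn_to_notes_name(dn: str) -> str:
    """Reverse mapping: the AD attribute value back to the canonical Notes name."""
    components = _DN_SPLIT.split(dn.strip())
    if not all(_LABEL.match(c) for c in components):
        raise ValueError(f"not a Notes-style DN: {dn!r}")
    return "/".join(components)


if __name__ == "__main__":
    # constructed sample names
    for name in ("Firstname Lastname/Department/Company",
                 "CN=Firstname Lastname/OU=Department/O=Company"):
        dn = notes_name_to_dn(name)
        print(f"{name:48} -> {dn} -> {dn_to_notes_name(dn)}")
```

Run the forward function over the Domino Directory export in your synchronization job and compare its output with what Apache Directory Studio shows in the attribute; a mismatch in a single component is enough for the Domino lookup to fail.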
How to...
reconfigure Domino HTTP authentication to use Active Directory for authentication of browser sessions?
If not already done:
  • Import the trusted root certificate of the LDAP server into the key ring file of the Domino server.
    Please note that Domino will be the client for the LDAP session in this case, so the *.kyr file that is being used is the one in the server document!
  • Create a Directory Assistance (DA) database
  • Add the DA to your Domino server document
    Image:Domino SingleSignOn - Level 1 - LDAP Authentication

Okay, what's next:
  1. Within the Directory Assistance database, add a new document and configure it like shown below:
    Image:Domino SingleSignOn - Level 1 - LDAP Authentication
    Of course you are supposed to supply your correct Kerberos realm name. If in doubt, ask your AD admin.
  2. Set "Trusted for Credentials" to Yes
    Image:Domino SingleSignOn - Level 1 - LDAP Authentication
  3. Configure how to connect to the LDAP server.
    Image:Domino SingleSignOn - Level 1 - LDAP Authentication
  4. Save & close

Now restart the Domino server and check if LDAP is being shown in the list of directories.
Issue the command "Show xdir" at the server console for details.

Troubleshooting:

Apache Directory Studio is your friend. Make sure your LDAP credentials are working correctly and that your Base DN returns the expected results before setting up Directory Assistance towards AD.
Some more hints:
  • You can specify multiple LDAP servers, they will be used one after the other based on the search order you have supplied
  • Search order in the Directory Assistance document must be unique. You can not use the same "Search order" twice.
  • Domino will be the client for the LDAP session in this case, so the *.kyr file that is being used is the one in the server document!
    If you are using Internet sites, then Edit the server document, disable internet sites (without saving) and specify the *.kyr file there. When done, switch back to the basics tab and re-enable Internet Sites.
    The file specified will still be used for all outbound connections, the kyr file specified in the internet sites is used for inbound connections only!
    Image:Domino SingleSignOn - Level 1 - LDAP Authentication
  • These Notes.ini variables will increase the log level for further debugging
    debug_directory_assistance=1
    debug_namelookup=1

Result:

When prompted for username/Password you can now use your Active Directory username and AD Password.
Transitioning from Domino HTTP passwords to AD passwords is seamless because users can still use the Domino HTTP password even after LDAP authentication has been configured.
Once the transition is completed you should clear the HTTP password field in the person documents; otherwise both passwords remain valid for the same account.

Domino Security - Disable HTTPEnableConnectorHeaders NOW- 9 November 2015 - (0) Comments

Thomas Hampel
 9 November 2015

There is a security issue with Domino which allows anyone to gain access as any user without authentication.
Jesper Kiaer wrote about this problem before in his blog post (Part 1 and Part 2) and also created a video showing the problem.

If the Notes.ini variable HTTPEnableConnectorHeaders is set to 1, an attacker just needs to pass the user name he wants to impersonate in a request header to get unauthorized access to Domino servers.
This Notes.ini variable is referenced in the product documentation as well as in this technote for configuring Domino servers behind an IIS reverse proxy.

So there is a good chance that some people have enabled this variable in production.
None of the Domino servers I have checked were affected; however, I was able to reproduce the findings and can confirm it works as described, even with Domino 9.0.1 with the latest fixes installed.

Steps to reproduce
  • Add the Notes.ini variable "HTTPEnableConnectorHeaders=1" to the Notes.ini of the Domino server
    Remark: This will make the server insecure.
  • Restart the HTTP task
  • Use Firefox and install this plugin => https://addons.mozilla.org/en-US/firefox/addon/modify-headers/
  • Restart Firefox for the plugin to be initialized
  • In Firefox, open the configuration of the new plugin
    Image:Domino Security - Disable HTTPEnableConnectorHeaders NOW
  • Add a new header called $WSRU with the desired username / shortname as available in the target environment
    Image:Domino Security - Disable HTTPEnableConnectorHeaders NOW
    Save + Enable the configuration
  • Start the Plugin
    Image:Domino Security - Disable HTTPEnableConnectorHeaders NOW
  • Navigate to an existing Domino server resource, e.g. https://your-domino-server.your-domain.com/mail/username.nsf
Surprise, surprise... you now have the access rights of the user name you specified in the request header, in my case that's PaulSmith.
Just imagine what can be done when using the name of an administrator...
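The manual test above (Firefox plus a header-modifying plugin) can be scripted. The following Python script is an added example and not part of this post: it sends the same request twice, with and without a $WSRU header, and reports whether the server's answer changes, which is exactly what happens when the header is trusted. The MockDomino class is a constructed stand-in that imitates a server with the variable enabled or disabled, so the script runs offline; host, port and path are assumptions, and against a real server you would point it at your Domino host and a protected resource such as a mail file.

```python
"""Probe a Domino HTTP server for honoured connector headers.

Added example, not from the original post. It automates the manual
Firefox test: request a protected resource with and without a $WSRU
header and compare the answers. The mock server below is a constructed
stand-in for a Domino server so the script can run offline.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# header Domino trusts as the authenticated user when HTTPEnableConnectorHeaders=1
CONNECTOR_HEADER = "$WSRU"


def fetch(host, port, path, headers=None, timeout=5):
    """Return (status, body) for one GET; http.client sends header names verbatim."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers=headers or {})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def header_is_honoured(host, port, path, user):
    """True if adding '$WSRU: user' changes the server's answer.

    A server with connector headers disabled must answer both requests
    identically; any difference means the header influenced authentication.
    """
    baseline = fetch(host, port, path)
    spoofed = fetch(host, port, path, {CONNECTOR_HEADER: user})
    return baseline != spoofed


class MockDomino(BaseHTTPRequestHandler):
    """Constructed stand-in: answers like a server that does or does not trust $WSRU."""
    trust_connector_headers = True  # False models the fixed server

    def do_GET(self):
        user = self.headers.get(CONNECTOR_HEADER) if self.trust_connector_headers else None
        body = f"Welcome {user}".encode() if user else b"Please log in"
        self.send_response(200 if user else 401)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_mock(trust_headers):
    """Start a mock server on a free loopback port and return it."""
    handler = type("Handler", (MockDomino,), {"trust_connector_headers": trust_headers})
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    for trust in (True, False):
        srv = start_mock(trust)
        host, port = srv.server_address
        verdict = header_is_honoured(host, port, "/mail/username.nsf", "PaulSmith")
        print(f"HTTPEnableConnectorHeaders={int(trust)}: header honoured = {verdict}")
        srv.shutdown()
```

Against a real server, compare more than the raw body if the page contains timestamps or session identifiers: the signal is a login page or 401 turning into a 200 that shows the impersonated name.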

How to fix it?

Well, as simple as disabling the Notes.ini variable in question (setting it to 0), using the following two commands at the Domino server console:
set config HTTPEnableConnectorHeaders=0
tell http restart

Of course you would use a configuration document in production to keep your Notes.ini under control.
And if a reverse proxy setup really requires connector headers, remember that Domino trusts them from any client: the Domino HTTP port must then be reachable from the proxy only, never directly from users or the internet.

Out of Office - Send Full Copy to deputy- 9 August 2015 - (0) Comments

Thomas Hampel
 9 August 2015

Summer time, vacation time... You have enabled the Out of Office notification, so why would you want to duplicate inbound mails?
Let's say you really are offline and want your deputy / stand-in to take care of new mails; what options do you have?
Ideally we want the deputy to receive a copy of each mail while the original mail stays in your inbox.

Delegating Access
A first option is delegating access to your mail - this grants read access to all your data, and your deputy won't get notified of new mails.
Another option is to just forward all mails to your deputy by defining a forwarding address in the person document:
Image:Out of Office - Send Full Copy to deputy
This is not a good idea for people who want to see what happened while they were out, because mails will just be forwarded and you won't get any mail in your inbox this way.
It might not even be an option, as some organizations do not allow users to edit their person document.

Mail Rules
Another option is to use mail rules in your Notes client to send a copy of each inbound mail to somebody else. This can be done by creating a new rule which applies to all documents...
Image:Out of Office - Send Full Copy to deputy
and defining a recipient of your choice --- in this example it's "firstname.lastname@domain.com"
Image:Out of Office - Send Full Copy to deputy
Works like a charm, but what if your administrator has disabled user rules mail forwarding in the configuration document of your server?
Image:Out of Office - Send Full Copy to deputy
...or even took more drastic measures, like modifying your mail template to not even show the option "Send Full Copy to..."?

Agents
You could look into writing an agent that runs on the server, but no Domino admin should allow users to run scheduled agents on the mail server.
So trying to create an agent in your mail file will most likely end with "You are not authorized to use agents in this database"
Image:Out of Office - Send Full Copy to deputy

Duplicate Mails (with help of your Domino Administrator)
Since you have rewarded your administrator recently for keeping your computers running, you'll get friendly support for the following configuration:

What you need to do:
1.) Create a Mail-In Database document which points to the mail file of the user who is out of office.
Make sure the Mail-in name is unique and does not cause name lookup conflicts
Image:Out of Office - Send Full Copy to deputy

2.) Create a Group of type "Mail only".
Members of this group will be the Mail-in database created above as well as any person who shall receive a copy of the mail(s).
You can define one or multiple recipients using internet mail addresses or Notes user names.
Image:Out of Office - Send Full Copy to deputy

3.) Edit the person document and set the group name created above as the forwarding address
Image:Out of Office - Send Full Copy to deputy

4.) Testing
Wait for replication to finish within your domain and send a test mail to the user.
This mail will be delivered to the original user's mail file and also to the deputy(s) defined in the group.

Remarks:
Depending on how you have configured the Recent Contacts feature, your Notes client might show the name of the mail-in database in future name lookups.
If this is an issue, either purge your recent contacts or disable the feature completely.

Mindoo FTP Server stopped running in Domino- 23 July 2015 - (0) Comments

Thomas Hampel
 23 July 2015

The Mindoo FTP Server project provides an FTP server wrapped into an XPages application. It is based on Apache FtpServer, which runs as an OSGi plugin on the server side.
One day a customer reported that the FTP server no longer worked. A quick check showed that port 21 no longer responded.

Restarting the HTTP task showed a JVM Exception
restart task http
...
17.07.2015 18:00:07   HTTP Server: Using Internet Site Configuration View
17.07.2015 18:00:12   JVM: Java Virtual Machine initialized.
17.07.2015 18:00:12   HTTP Server: Java Virtual Machine loaded
17.07.2015 18:00:16   XSP Command Manager initialized
17.07.2015 18:00:17   HTTP JVM: java.lang.reflect.InvocationTargetException


Checking the OSGi bundles showed that the required bundle is not even installed.
> tell http osgi diag com.mindoo.ftp
Cannot find bundle com.mindoo.ftp.


Analysis

Check the file [DominoData]\domino\workspace\logs\error-log-0.xml for any problems
The very first warning in this file showed that a plugin was not loaded because the signer does not have the required access rights:
CLFAD0331W: NSF Based plugin contribution denied because signer CN=SignerName/OU=Unit2/OU=Unit1/O=OrgEU does not have required access: CN=SignerName/OU=Unit2/OU=Unit1/O=OrgEU:System\UpdateSiteServer.nsf

and further down in the same file:
CLFAD0334W: Feature com.mindoo.ftp_feature_1.0.0.201306221322 skipped


At first the access rights seemed to be ok, but when looking a little closer I found that the user name no longer has access to the server because the organization was renamed from "OrgEU" to "Org".

Solution (Part1)

The signature being used here is not the signature of a design element; it is the content of the Eclipse update site, which still carried the old signature. So how are we going to fix this?
  • Open the Eclipse UpdateSite and use "Actions\Sign All Content"
    Remark: This will not sign any design elements - it signs only the documents in the application.
    Image:Mindoo FTP Server stopped running in Domino
  • Restart the HTTP task
    restart task http
  • Watching the server console
    Image:Mindoo FTP Server stopped running in Domino

Image:Mindoo FTP Server stopped running in Domino

Running into another problem

Although the FTP server was running again, there still seemed to be an issue with the XPages application.
A quick look into [DominoData]\domino\workspace\logs\error-log-0.xml showed a well-known problem.
Image:Mindoo FTP Server stopped running in Domino

Solution (Part2)

Obviously someone opened the application in Domino Designer without disabling the option to recompile XPages automatically.
So make sure this option is set to "Manually recompile XPages"
Image:Mindoo FTP Server stopped running in Domino

and then open the Mindoo FTP Domino application in Domino Designer and hit "Project\Build Project" in your Designer client.
Image:Mindoo FTP Server stopped running in Domino

Testing results
  • Opening the Mindoo FTP Application from a browser seems to work
    Image:Mindoo FTP Server stopped running in Domino
  • "tell http osgi mftp status" shows that our server is now running on port 21
    Image:Mindoo FTP Server stopped running in Domino
  • Opening an FTP connection from a remote client is working fine

Import & Export Internet Certificates Programatically- 18 June 2015 - (0) Comments

Thomas Hampel
 18 June 2015

We all know that admins are lazy. Being lazy can be helpful when you have development skills, especially to reduce the number of helpdesk calls by automating boring work.
How do you import X.509 certificates into a Notes ID when the certificate itself is stored in the Windows certificate store?

S/MIME Import / Export Automation

Users can export or import Internet certificates directly from the Notes client, but who wants to do that manually?
Even exporting the certificate from the Notes ID is too complicated for most users...
Image:Import & Export Internet Certificates Programatically

Looking for an automated way to export Internet certificates, pubnames.ntf reveals some undocumented @Functions for working with X.509 certificates:
  • @X509Certificates([Subject];UserCertificate;"");
    Returns the list of subjects of the Internet certificates stored in the person document field named "UserCertificate"
  • @Command([PKCS12ExportCertsFromNAB];UserCertificate;Certificate;Number;"0")
    where "Number" is the element in the list returned by @X509Certificates

In my opinion those @Functions still show too many dialog boxes, so let's try to make it simpler.
The C API documentation provides the required functions, namely PKCS12_ExportIDFileToFile and PKCS12_ImportFileToIDFile.

Wrapping both into a small script is easy...

' export the Internet certificates of a Notes ID file into a PKCS#12 file
Declare Function PKCS12_ExportIDFileToFile Lib "nnotes" Alias "PKCS12_ExportIDFileToFile" (_
           ByVal pIdFilename As String,_
           ByVal pIdFilepassword As String,_
           ByVal pPKCS12Filename As String,_
           ByVal pPKCS12Filepassword As String,_
           ByVal ExportFlags As Long,_
           ByVal ReservedFlags As Long,_
           Preserved As Any) As Integer

' import the certificates of a PKCS#12 file into a Notes ID file
Declare Function PKCS12_ImportFileToIDFile Lib "nnotes" Alias "PKCS12_ImportFileToIDFile" (_
           ByVal pPKCS12Filename As String,_
           ByVal pPKCS12Filepassword As String,_
           ByVal pIdFilename As String,_
           ByVal pIdFilepassword As String,_
           ByVal ImportFlags As Long,_
           ByVal ReservedFlags As Long,_
           Preserved As Any) As Integer

' ExportFlags value: leave the private keys out of the PKCS#12 file
Const PKCS12_EXCLUDE_PRIVATEKEYS = &H00000001


Calling those APIs would import a certificate from a file, but often the certificate has already been deployed to, e.g., the Windows certificate store.
It would have been easy to use a Windows API call to export the certificate into a file and then import it back into the Notes ID using the Notes API calls above.
Unfortunately Microsoft discontinued support for CAPICOM after Windows XP, so we have to fall back to old-school methods like the command line tool certutil.
Note that both API calls take the ID file password and the PKCS#12 password as plain strings, so prompt for them at runtime rather than storing them in the script, and delete the intermediate PKCS#12 file afterwards when it contains private keys.

Still, with the resulting functions you can import and export X.509 certificates from the Windows certificate store to the Notes ID and back.

ImportInternetCertificatesFromOSCredentialStore.lss

ExportnternetCertificatesToOSCredentialStore.lss

As usual, YMMV; feel free to further optimize the code to fit your needs.
Please use at your own risk and report back any suggestions or improvements!

Special Thanks to Marcus Floeser for providing the screenshot.

Domino CA Process ’Error processing CCS Mod Request’- 3 June 2015 - (0) Comments

Thomas Hampel
 3 June 2015

The CA process in Domino is a server task to manage and process certificate requests. It is very helpful if you want support staff to register new users without knowing the password of your Domino certifier.
As employees join or leave the support team you have to add / remove people from the list of Registration Authorities by using "Modify Certifier" from the Administrator client's Tools menu.
Image:Domino CA Process ’Error processing CCS Mod Request’

Granting access for a new team member as usual...
Image:Domino CA Process ’Error processing CCS Mod Request’

and submitted the request
Image:Domino CA Process ’Error processing CCS Mod Request’

seemed to be successful
Image:Domino CA Process ’Error processing CCS Mod Request’

...but according to the log the Domino CA modification request failed with this error:
CA Process (OU=OU/O=Company): Error processing CCS Mod Request.: There is no certificate in the Address Book.


Root cause
One or more people listed in the first dialog do not have a person document in the Domino Directory, or the person document does not have a public key specified.
Image:Domino CA Process ’Error processing CCS Mod Request’

Solution
First remove the users who don't have a corresponding person document, then save + submit the request before adding new names.

Notes Widgets disappear from Catalog- 1 June 2015 - (0) Comments

Thomas Hampel
 1 June 2015

You are wondering why your beloved Notes widget is all of a sudden no longer available in the Widget catalog?
Of course your trusted administrator did not do anything - so what happened?

Here is a small hint:
Take a quick look into the widget catalog; there is a scheduled agent...
Image:Notes Widgets disappear from Catalog

and the brief description
%REM *********************** Agent Notes **************************
This agent checks all new/modified documents to make sure that the
user created the document properly. It checks to make sure the proper
items are in place, and it also verifies that the categories that are
set are allowed by the document creator.

*************************** INTERACTIONS ***************************
There are no interactions with this agent. It is a scheduled agent
that is set to work against new/modified documents.

Conclusion:
If anything, such as AdminP, modifies the document then this agent will run. In our case it was an AdminP name change request which caused the document to be modified.

PANIC Unexpected internal error returned to logger 0x20692010- 27 March 2015 - (0) Comments

Thomas Hampel
 27 March 2015

Tip of the day:
When running Domino server commands on the operating system of a server, make sure to run the command from a console with admin access rights, otherwise you'll get this:

PANIC: Unexpected internal error returned to logger: 0x20692010

Image:PANIC Unexpected internal error returned to logger 0x20692010

Reference:

SPR # PALL8WA3Y8

Solution

Open a command prompt by right clicking and selecting "Run as Administrator", then run the command(s) again.

Root cause:

Problem in front of keyboard.

AdminP Move User - Access Rights seem not to work in Domino 9.0.1FP1 and how to work around- 12 January 2015 - (0) Comments

Thomas Hampel
 12 January 2015

Moving mail files from server to server is a simple task; AdminP handles this job properly. It even works across domains... and it worked perfectly in numerous projects in the past.
Until today, when I ran into a problem where the same process 'all of a sudden' (**what else**) caused an error in AdminP - but only for a specific group of destination servers.

After creating the AdminP Move User request (using our internal tools), the AdminP request "Check Mail Server's Access" failed with this error:
Image:AdminP Move User - Access Rights seem not to work in Domino 9.0.1FP1 and how to work around
Errors:

Title: Domain's Directory Path: Domain's Directory; Name: Admin Lastname/OU/Org;
Error: Both the signer and the author of this request must have Editor access or Author access with the UserModifier role to the Domino Director

Analysis

We checked access rights on both sides... several times....but everything was set up correctly. Even restarting the server (to refresh the name lookup cache) did not change the situation.
Finally after a few chats with my colleagues they indicated it could be related to a problem they had seen before, referencing an old bug ( LO81200 ) and also pointing to a new SPR

SPR # JPAI9FEKCP, fixes a Notes Client issue where if a local NAMELookup cache has been created it is inappropriately being used as opposed to doing the NAMELookup on the remote server. This may result in Notes Client errors indicating insufficient access to perform any number of Notes Client operations such as Admin Client move user or simply signing of databases.

Although the SPR reads like it would apply to Notes clients only, I can confirm it does apply to Domino servers as well, at least for the specific AdminP request type "Move User".
We did a few tests and quickly found a workaround, so here is what you can do about it:

Temporary Solution:

Don't use groups to grant the specific access rights.
In our case putting the name of the person who signed the AdminP request >directly< into the ACL of the names.nsf of the destination server fixed the issue.

This is what the AdminP Move User request should look like before the user authenticates
Image:AdminP Move User - Access Rights seem not to work in Domino 9.0.1FP1 and how to work around

Permanent Solution

Apply Domino 9.0.1 FixPack2 now or wait for Domino 9.0.2 to be released.

Lessons learned:

1.        Always install the latest version of Domino
Note: The destination server in question is not maintained by our team.
2.        What an awesome team we have :)

Monitoring IBM Domino Server on Linux via SNMPv3- 5 January 2015 - (0) Comments

Thomas Hampel
 5 January 2015

Monitoring Domino servers via SNMP should be a simple task, if only it were documented properly.
There are quite a few blog posts out there on the internet, such as
this nice article by Detev Schuemann, which unfortunately is in German. So I'd like to provide an English translation with a few updates which in my opinion are valuable.

Background

Simple Network Management Protocol (SNMP) is a protocol for monitoring network devices such as routers, switches, servers, printers and much more.
Vendors of a device provide a definition of the values which can be read or modified in the form of a
MIB (Management Information Base). Those values are called OIDs (object identifiers) and are ordered in a hierarchical structure.

MIB definitions for Domino can be found online
http://www.oidview.com/mibs/334/NOTES-MIB.html
A MIB file for IBM Domino can be found in the Domino program directory and is called "domino.mib"

On a Linux server the file can be found here /opt/ibm/domino/notes/latest/linux/domino.mib


Step-by-step Instructions

For each Domino server which you want to monitor you need to enable SNMP support; the following is a step-by-step description of what you need to do for a Domino server on Linux.
Instructions for Windows are available here
Examples below are based on
CentOS, which uses yum as package manager. For other Linux distributions the commands are slightly different, and the path references shown in the examples below might not be the same for you.

Step 1 - SNMP Master Agent

Although Domino ships its own SNMP master agent, I recommend not to use it because the version supplied with Domino is the rather dated version 5.0.7.
Currently version 5.7.3 is the latest version available. Check the
net-snmp change log to see what has changed between versions.
Obviously you should prefer the operating system's SNMP master agent, which comes preinstalled on a number of Linux distributions.
If not already installed, you can install the package net-snmp with the following command.

# yum install net-snmp

The package net-snmp-utils provides some additional tools like snmpwalk, which we will need later on for testing functionality
# yum install net-snmp-utils

To check the version you are running...

$ snmpwalk --version

Image:Monitoring IBM Domino Server on Linux via SNMPv3
Note: Current releases of CentOS and Redhat provide net-snmp version 5.7.2 by default.


Option B - NET-SNMPD v5.0.7 provided by Domino

Domino provides net-snmpd in version 5.0.7 - again, I do not recommend using this version.

However, if you really want to use it, enter these commands to copy the required files to the /etc directory and make sure the service is started after a reboot.

# cp /opt/ibm/domino/notes/latest/linux/net-snmpd* /etc
# ln -f -s /etc/net-snmpd.sh /etc/init.d/net-snmpd

# chkconfig --add net-snmpd

# chkconfig net-snmpd on

Note that in this type of configuration your settings are stored in the file /etc/net-snmpd.conf

Step 2 - Update Configuration

Back up the original config file to a location of your choice

cp /etc/snmp/snmpd.conf /root

Edit the file /etc/snmp/snmpd.conf . Modifying this file is only required if you are using the master agent provided by your OS.

# nano /etc/snmp/snmpd.conf

1.) Search for sysLocation and update it according to your needs as shown here:
sysLocation    YourDataCenterLocation
sysContact     email@yourdomain.com


2.) Define a user name/password combination for SNMPv3 authentication.
Of course the user name and password used in this example are to be changed to fit your needs.

createUser SNMPv3UserName MD5 SNMPUserSecretPassword AES


3.) At the end of the same file, add this line:
smuxpeer 1.3.6.1.4.1.334.72 NotesPasswd

Don't forget to save the file.
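The createUser line in step 2 uses MD5 for authentication, and the test commands later in this post query with the security level authNoPriv, which means the agent answers in cleartext and only the MD5 HMAC protects the request. The following is an added example, not part of the original post: a small POSIX shell audit that flags the SNMPv3 settings in an snmpd.conf which leave monitoring traffic readable or weakly authenticated, run against two constructed configs, one mirroring step 2 and one hardened variant (SHA authentication, a separate privacy passphrase, and "priv" on the rouser line so only authPriv requests are answered). All user names, passphrases and file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit an snmpd.conf for SNMPv3
# choices that leave monitoring traffic readable or weakly authenticated.
# User names, passphrases and file contents are constructed for illustration.

# Constructed copy of the post's step 2 settings: MD5 authentication and a
# rouser entry that does not require privacy, so authNoPriv queries (and
# cleartext responses) are accepted.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
sysLocation    YourDataCenterLocation
sysContact     email@yourdomain.com
createUser SNMPv3UserName MD5 SNMPUserSecretPassword AES
rouser SNMPv3UserName
smuxpeer 1.3.6.1.4.1.334.72 NotesPasswd
EOF

# Constructed hardened variant: SHA authentication, a separate privacy
# passphrase, "priv" on the rouser line, and read access limited to the
# Lotus/IBM enterprise subtree (1.3.6.1.4.1.334) instead of the whole tree.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
sysLocation    YourDataCenterLocation
sysContact     email@yourdomain.com
createUser SNMPv3UserName SHA SNMPAuthSecretPassword AES SNMPPrivSecretPassword
rouser SNMPv3UserName priv .1.3.6.1.4.1.334
smuxpeer 1.3.6.1.4.1.334.72 NotesPasswd
EOF

# count_weak_snmp_settings FILE
# Prints the number of findings on stdout and one line per finding on stderr.
count_weak_snmp_settings() {
  file=$1
  n=0
  # 1. createUser with MD5 as the authentication protocol
  if grep -Eq '^[[:space:]]*createUser[[:space:]]+[^[:space:]]+[[:space:]]+MD5([[:space:]]|$)' "$file"; then
    echo "weak: createUser uses MD5 authentication (use SHA)" >&2
    n=$((n + 1))
  fi
  # 2. createUser with no privacy protocol at all (only authNoPriv possible)
  if grep -Eq '^[[:space:]]*createUser([[:space:]]+[^[:space:]]+){3}[[:space:]]*$' "$file"; then
    echo "weak: createUser defines no privacy protocol (add AES)" >&2
    n=$((n + 1))
  fi
  # 3. rouser/rwuser lines that do not demand the "priv" security level;
  #    grep -c prints 0 and exits 1 when nothing matches, hence "|| true"
  nopriv=$(grep -E '^[[:space:]]*r[ow]user[[:space:]]' "$file" \
           | grep -Evc '[[:space:]]priv([[:space:]]|$)' || true)
  if [ "$nopriv" -gt 0 ]; then
    echo "weak: $nopriv rouser/rwuser line(s) accept authNoPriv (append priv)" >&2
    n=$((n + nopriv))
  fi
  # 4. SNMPv1/v2c community strings, which travel in cleartext
  if grep -Eq '^[[:space:]]*r[ow]community[[:space:]]' "$file"; then
    echo "weak: v1/v2c community string configured" >&2
    n=$((n + 1))
  fi
  echo "$n"
}

echo "findings in weak config:     $(count_weak_snmp_settings "$WEAK_CONF")"
echo "findings in hardened config: $(count_weak_snmp_settings "$GOOD_CONF")"
```

With the hardened config the matching test command becomes snmpwalk -v3 -l authPriv -a SHA -A SNMPAuthSecretPassword -x AES -X SNMPPrivSecretPassword ...; keep in mind that passphrases given with -A and -X are visible in the shell history and in the process list, so a per-user snmp.conf is the better place for them on a shared monitoring host.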


Step 3 - SNMP Startup Script

Although you could add /usr/sbin/snmpd as a service directly, it's probably more useful to use a startup script.

Domino already provides such a script; you just need to modify its configuration so that it can be used.


# cp /data/ibm/domino/notes/latest/linux/net-snmpd.sh /etc/init.d/net-snmpd

# nano /etc/init.d/net-snmpd


Update the configuration (starting in line 31) as follows:

INSTDIR=/usr/sbin
PROGNAME=snmpd

PROGPATH=$INSTDIR/$PROGNAME

CONFNAME=snmpd.conf

CONFPATH=/etc/snmp/$CONFNAME

LOGPATH=/var/log/snmpd.log

PROGARGS="-C -c $CONFPATH -l $LOGPATH"

Make sure the startup script runs at next boot

# chkconfig --add net-snmpd
# chkconfig net-snmpd on


Step 4 - Update Firewall Rules

SNMP requires UDP port 161 to be accessible, so you need to open this port on the local firewall.
Do not forget to open this port on any other firewall on your network which is between the monitoring server and your Domino server
# iptables -I INPUT -p udp --dport 161 -j ACCEPT


Step 3 - Testing basic functions

Test basic SNMP functionality from the local host and also from a remote server.
# snmpwalk -v3 -u SNMPv3UserName -A SNMPUserSecretPassword -a MD5 -l authnoPriv dominoserver.domain.com .1.3.6.1.4.1.2021.100.2.0

As a result you should get the version number of the SNMP master agent.

Image:Monitoring IBM Domino Server on Linux via SNMPv3

Step 5 - Enable Domino SNMP Agent

Make sure LNSNMP will be started after a reboot. (Note: change the path to match your configuration!)
# ln -f -s /opt/ibm/domino/notes/latest/linux/lnsnmp.sh /etc/rc.d/init.d/lnsnmp
# chkconfig --add lnsnmp

# chkconfig lnsnmp on
# service lnsnmp start

In case you get the error "LOTUSDIR must be set in the environment or in this script." you need to update the script so that it can find the path to your Domino server, e.g. LOTUSDIR=/opt/ibm/domino


If everything has worked out, starting lnsnmp should produce the following output:

# service lnsnmp start
New sub-agent on server is registering a sub-tree with branch ID:
1.3.6.1.4.1.334.72.3

Sending SNMP "Server Up" trap for server .

New sub-agent on server is registering a sub-tree with branch ID:
1.3.6.1.4.1.334.72.1


Step 6 - Domino Tasks

Start the following tasks from the Domino server console

load quryset
load intrcpt
load collect

"quryset" is required to support SNMP queries

"intrcpt" is required to support SNMP traps for Domino events

"collect" is required to support statistic threshold traps

Create a program document or add the tasks to the Notes.ini variable "ServerTasks=" to ensure they are started automatically after a server restart.

Step 7 - Testing Domino SNMP agent response

Now it's time to test whether we can access Domino objects via SNMP, e.g. by reading a single value.

$ snmpget -v3 -u SNMPv3UserName -A SNMPUserSecretPassword -a MD5 -l authnoPriv dominoserver.domain.com .1.3.6.1.4.1.334.72.1.1.6.2.1.0

This should return the fully qualified Domino server name as a string.

Image:Monitoring IBM Domino Server on Linux via SNMPv3

Ok, you're done... the Domino SNMP Agent is configured and can be used.

However, there still is some work to be done on your SNMP management console, e.g.
Nagios, FAN, Cacti (or whatever you are using), in order to monitor Domino via SNMP (for example, server down).

Next Actions:

If you like this post, please let me know via Twitter
@ThomasHampel or by leaving a comment below. Please note that comments are moderated and won't show up before being approved.
Hint... configuring Nagios for Domino monitoring and configuring Cacti for trend analysis is the subject of another blog post which I'm already working on.


Troubleshooting
  • Check snmpd.log for errors
    # cat /var/log/snmpd.log
  • Error : refused smux peer: oid SNMPv2-SMI::enterprises.334.72, descr Lotus Notes Agent
    see
    IBM Technote 1313318
  • Error - Unknown User
    Either a typo in the user name or you forgot to add the user to the snmpd.conf file in step 1, search the config file for something like this:
    createUser SNMPv3UserName MD5 SNMPUserSecretPassword AES
  • Error in packet. Reason: authorizationError (access denied to that object)
    The user exists and the password worked, but the user does not have the required access rights. Check snmpd.conf to see if you have granted at least read-only rights; search the file for a string like this:
    rouser SNMPv3UserName

Tools:

Take a look at Paessler SNMP Tester (Freeware / Windows)
Image:Monitoring IBM Domino Server on Linux via SNMPv3

Further reading:

Import Contacts from GDI Business Line / FirebirdSQL to Domino- 23 September 2014 - (1) Comments

Thomas Hampel
 23 September 2014

GDI Business Line is an ERP & CRM software for the small & medium business market. It is developed by the German vendor GDI, based in Landau in der Pfalz.
A customer wanted to use the address data from the GDI platform in the Notes/Domino environment. The main purpose was to simplify communication with known customers by synchronizing contact names, addresses, and phone numbers to Domino.

We all know integrating directory data with Domino is made easy with TDI, so let's see if we can use it here.
The backend database of GDI is based on FirebirdSQL, and they provide a JDBC driver, which is all we need to make it work.

Here are step-by-step instructions for connecting TDI with the GDI Address table

Part 1 - TDI Installation

Tivoli Directory Integrator V7.1.1 is provided free of charge as an additional entitlement for Notes/Domino customers.
All you need to download from Passport Advantage is IBM Tivoli Directory Integrator Identity Edition V7.1.1 with the part number that fits your needs:

Platform         Part Number   Size
Windows 32Bit    CZUF0ML       555mb
Windows 64Bit    CZUF7ML       567mb
Linux 32bit      CZUF2ML       547mb
Linux 64bit      CZUF3ML       554mb


We are intending to use a local Notes Client connector, so we will be using the 32bit version of TDI. In case you're planning to install TDI on a 64bit Domino Server you could also go for that version.
The installation process of version 7.1.1 is no different from V7.1, so you can just follow the instructions for installing Tivoli Directory Integrator on
IBM Infocenter or on Connections101 (Thanks gabturtle & Paul Mooney for this site).

Part 2 - Apply TDI Fix Pack

Download the latest fix pack for TDI v7.1.1 from Fix Central, which at the time of writing this blog post is Fix Pack 3, and this JRE upgrade.
Follow the installation instructions provided with the fix pack(s).
Hint: {TDI_install_dir}\bin\Applyupdates.bat  -update [path to FP zip file]

Part 3 - Notes Connector

TDI can establish different types of connections to Notes/Domino, but not all of them can be used everywhere (see
Supported session types by Connector),
e.g. if you don't want IIOP to be enabled on your Domino server, you'll have to use either the Local Client connector, which requires a Notes Client to be installed on the same machine, or the Local Server Connector, which requires a Domino Server installed on the same machine. My personal preference is the Notes client connector because it just requires a Notes ID and I can connect from my own client workstation to any server regardless of whether IIOP is enabled or not.
  • Copy the file {NotesProgramDir}\jvm\lib\ext\Notes.jar  to  {TDI_install_dir}/jars/3rdparty/IBM  
    (or to the folder defined in the variable "com.ibm.di.loader.userjars" parameter defined in the solution.properties file)
  • Append the Notes Directory to the PATH parameter in the following TWO files
    {TDI_install_dir}ibmditk.bat
    {TDI_install_dir}ibmdisrv.bat
    Example:
    set PATH=%TDI_HOME_DIR%;%TDI_JAVA_BIN_DIR%;%TDI_LIB_DIR%;C:\Program Files (x86)\IBM\Notes;%PATH%


Part 4 - Firebird JDBC Connector

As long as there is a JDBC connector, TDI should be able to connect to the database. FirebirdSQL is nothing special here, so this is what you have to do:
  • Pick the JDBC driver here (make sure to choose the one for Java 7)
  • Extract the ZIP file to a temporary folder of your choice
  • Copy the following three files to the folder {TDI_install_dir}\jars\3rdparty\other
    jaybird22.dll, jaybird-2.2.5.jar, jaybird-full-2.2.5.jar

    Image:Import Contacts from GDI Business Line / FirebirdSQL to Domino

Part 5 - Connect and Feed Data

Now launch TDI Configuration Editor ( {TDI_install_dir}ibmditk.bat ) and add a new JDBC connector

Image:Import Contacts from GDI Business Line / FirebirdSQL to Domino
We would like this connector to be used in Iterator mode because we want to loop through the data later on.
When you click on "Next >" you will be prompted to specify additional connection parameters.
The syntax for the JDBC URL is:

jdbc:firebirdsql://host[:port]/database


JDBC URL = jdbc:firebirdsql://sqlserver:23053/C:\Database\GDI.GDB?sql_dialect=1&charset=WIN1252
JDBC Driver = org.firebirdsql.jdbc.FBDriver

Image:Import Contacts from GDI Business Line / FirebirdSQL to Domino
And of course you must define your database credentials and the table you want to connect to. In our case the table is "CM_ADRESSEN".

Image:Import Contacts from GDI Business Line / FirebirdSQL to Domino
Click Finish to add the connector as your input feed.

Image:Import Contacts from GDI Business Line / FirebirdSQL to Domino

Part 6 - Data Map

Now let's use the connection and define the input map:
  • Within the connector, use the Connect button to establish a first connection for reading the database schema.
  • Select the fields which you want to make use of, either by dragging/dropping them from the schema or by using the "Add" button
    Image:Import Contacts from GDI Business Line / FirebirdSQL to Domino
Part 7 - Output to Notes/Domino
Let's write this data to Domino...
(Remark: this assumes the target database already exists and is using a standard pubnames template)
  • Add a Notes Connector in Update mode
    Image:Import Contacts from GDI Business Line / FirebirdSQL to Domino
    When you click on "Next >" you will be prompted to specify additional connection parameters.
    This example will connect to a remote database hosted on "DominoServer/Org/O", you can of course leave the server name empty to connect to a local database.

    Image:Import Contacts from GDI Business Line / FirebirdSQL to Domino
    Click Finish to add the connector as your Data Flow.
  • Click the output connector again to define which data to write to which field in Notes/Domino
    Here is an example, feel free to modify or extend:

    Image:Import Contacts from GDI Business Line / FirebirdSQL to Domino
  • In the connector, define the Link Criteria
    It seems the field SATZUUID is used as a unique key, so we are going to use it as well. Of course you need to make sure to write this field to the target database, otherwise the lookup will always fail and duplicate entries are the result.

    Image:Import Contacts from GDI Business Line / FirebirdSQL to Domino

Part 8 - Fine Tuning

This part is up to you. You should probably add some special handling for the different address types, e.g. if the record is using...

"Adresstyp=1" = Contact
"Adresstyp=4" = Company
"Adresstyp=16" = Person

...or update the full text index when the AssemblyLine has finished:


try {
  // Get the underlying Notes connector and its Domino session
  notes = NotesConnector.getConnector();
  dbname = notes.getParam("notesDatabase");
  srvname = notes.getParam("notesServer");
  sess = notes.getDominoSession();
  db = sess.getDatabase(srvname, dbname);

  if (db.isOpen()) {
    message = "Requesting to update FTIndex on " + srvname + "!!" + dbname;
    task.logmsg("INFO", message);
    // true = create the index if it does not exist yet
    db.updateFTIndex(true);
  } else {
    message = "Unable to open target notes database " + srvname + "!!" + dbname;
    task.logmsg("ERROR", message);
    java.lang.System.out.println(message);
  }
} catch (ex) {
  message = "Unable to update FTIndex in target Notes database: " + ex;
  task.logmsg("ERROR", message);
  java.lang.System.out.println(message);
}



Part 9 - Run it

Run the assemblyline and (optionally) have a beer while you will see new person documents showing up in Domino.


Summary

For those of you who are very lazy, here is the TDI AssemblyLine for further use.
GDIDataImportExample.xml


Please note that you must adjust it to fit your needs! Concluding with Notes Sensei's words: YMMV

AMgr: Console command ’LOG.NSF’ is unknown- 13 May 2014 - (0) Comments

Thomas Hampel
 13 May 2014

After upgrading to Domino 9.0.1 the following messages show up at the console.
It seems the agent manager is trying to send file names as commands to the server's console...


AMgr: Console command 'ddm.nsf' is unknown
AMgr: Console command 'admin4.nsf' is unknown
AMgr: Console command 'LOG.NSF' is unknown
AMgr: Console command 'LOG.NSF' is unknown
AMgr: Console command 'ddm.nsf' is unknown
AMgr: Console command 'ddm.nsf' is unknown
AMgr: Console command 'admin4.nsf' is unknown
AMgr: Console command 'admin4.nsf' is unknown
AMgr: Console command 'LOG.NSF' is unknown
AMgr: Console command 'LOG.NSF' is unknown
....


It turned out that it's a small bug that was introduced in Domino 9.0.1. The problem is already known and has been documented in SPR# CSAO9FR9ZS.
A local workaround is documented here => LO78790: AMGR: CONSOLE COMMAND 'XXX.NSF' IS UNKNOWN SHOWS REPEATEDLY

Making Internet Mail Secure with just a few clicks - S/MIME in Domino- 9 May 2014 - (0) Comments

Thomas Hampel
 9 May 2014

I'm wondering why internet mails are still sent unencrypted, at least to a large extent. You should not make it too easy for your enemy to spy on you just by sniffing your internet traffic. This blog post is a reminder for Domino admins who still let mails go unencrypted over the internet to take action now. No, I'm not talking about transport level security for now; this post is about providing end-to-end encryption.

After having read the-dummies-guide-to-2048-bit-ssl-self-signed-certificates-in-domino.htm you are ready to secure your internet email with S/MIME.
So let's roll out S/MIME certificates to Notes users in a Domino domain.

Basic steps are:

1. Create a key ring file that contains a self signed (or trusted) certificate
For more information on how to create a self signed CA, read the-dummies-guide-to-2048-bit-ssl-self-signed-certificates-in-domino.htm

2. Set up the CA process in Domino

Nobody wants to deploy S/MIME certificates to users manually, so it is recommended to set up the CA process in Domino; otherwise an admin needs to enter the password of the keystore every time a new user is registered.

3. Migrate an (internet) Certifier into the CA

Just read and follow the instructions for migrating an existing Certifier/KeyRing, or create a new one using the step by step instructions starting with slide #89.
Remark: You must refresh the CA process in order to see the newly migrated certifier; use the server commands "tell ca refresh" and "tell ca status".

4. Rolling out Internet Certificates to Users

Follow the instructions for Issuing Internet certificates in a Person document, or use the step by step instructions starting with slide #149.
Here the CA process becomes very handy when the rollout is done in waves.

Done!

Once AdminP has completed, the Notes Client will pick up the new keys the next time it authenticates with the Domino server, and the new S/MIME certificate will then be merged into the user's ID file.
If an IDVault is in use, the Notes Client will then upload the ID file to the vault automatically.

What about Step-by-Step deployment instructions?

Those have already been provided by Tom Truitt in his Lotusphere 2011 presentation
SHOW104 - Crispy Certificates with Spicy SSL Salsa
One might also want to know
how to enable S/MIME in BlackBerry Enterprise Service 10, and should keep in mind that S/MIME in IBM Notes Traveler still seems to be an issue (Reference Technote #7039769)

How to obtain the internet certificate's public key of a user?

When receiving internet mail, users of the same domain can pick up the public key of a user from the Domino Directory, but users receiving mail from the internet need to ask the sender for a signed email in order to add the sender's internet certificate to the local address book manually. The option can be found in the "Add Sender to Contacts" dialog box...

Image:Making Internet Mail Secure with just a few clicks - S/MIME in Domino

at the very bottom there's a small check box...

Image:Making Internet Mail Secure with just a few clicks - S/MIME in Domino

Now you can send encrypted mail(s) via the internet; sniffing network traffic won't provide the mail body in clear text anymore.
Of course enabling S/MIME for external communication is just a first small step, and you know it's not a perfect way to protect your privacy forever.

Overall, this is just some very basic knowledge every Domino administrator should have applied for years, but unfortunately...
Yes, there is more to say about S/MIME in Domino, a lot more - so there will be another blog post about this topic.


Further reading:

The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino- 7 May 2014 - (3) Comments

Thomas Hampel
 7 May 2014

Setting up SSL in Domino using self signed certificates is easy; one can choose between SSL using Domino as Certificate Authority, setting up SSL in Domino using the CA Process, or even using an IBM HTTP Server in front of Domino.
Since I'm still getting questions on how to quickly create a self signed certificate for Domino, here is a guide for dummies....

When working with self signed certificates in Domino, the product documentation won't tell you there's one small problem:
In the standard Domino Server Certificate Administration template (csrv50.ntf) there is no option to specify the key length for self signed certificates, so by default any new keys will be created with a key length of just 512 bit, which is not enough for modern browsers, nor for Internet Explorer 9 (or above), see
http://technet.microsoft.com/en-us/security/advisory/2661254
Image:The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino

So let's get this fixed by applying some small modifications to the template so the key size can be adjusted when needed. At the same time we can also make the default validity period configurable.

HTTP/SSL in Domino 9.0 - more Notes.ini variables to be removed after upgrade- 12 March 2014 - (0) Comments

Thomas Hampel
 12 March 2014

After upgrading to Domino 9.0 some users (but not all) claimed they were unable to access a server via HTTP; specifically it was iNotes access to one server, while access was okay on other servers.

Quick check:
  • Domino HTTP task was running fine
  • TCP port 80 was responding
  • Redirect to SSL seemed not to work (Error "The connection was interrupted")
With the help of my colleagues we looked at the console and found a number of errors showing up:

HTTP Server: SSL handshake failure, no website found for IP address [123.123.123.123]
[...]
New SSL session data length of 5132 bytes is larger than the current size of 5000 bytes.

Especially the second error message caused me to start thinking... Yes! I did remember there was an issue with earlier releases of Domino, where Technote 1220425 suggested setting two Notes.ini variables to fix a crash related to SSL:
SSL_SESSION_SIZE
SSL_USE_ADDSESSION2

Of course these Notes.ini variables were still in place and still work; they are not obsolete as such (see the list of obsolete Notes.ini variables).
However, after upgrading to Domino 9.0 they are no longer required and, as we have seen, even cause problems if set too small.

Resolution:
1.) Remove these two variables (Reference: IBM Technote 1657588)
2.) Restart the HTTP task
...and iNotes with SSL is working again.

Testing knowledge - IBM Certified Advanced System Administrator Notes and Domino 9.0 - 11 February 2014 - (1) Comments

Thomas Hampel
 11 February 2014

Two weeks ago at IBM Connect 2014 attendees were able to test their knowledge in the IBM Certification Lab.
Most of the IBM Certification tests were offered, so I decided to sign up and give it a try without any preparation.


For updating my existing Advanced System Administrator certificate to version 9.0 level, the following two tests were required

Both tests were simple; for Traveler you need to know how to configure Traveler in high availability mode, and for the upgrade exam most questions were about SAML & OpenSocial.

Having passed the upgrade exam and the IBM Traveler exam, this certificate was sent to me as an official statement that I have qualified as IBM Certified Advanced System Administrator for Notes & Domino 9.0


Image:Testing knowledge - IBM Certified Advanced System Administrator Notes and Domino 9.0

Next action: updating my Certified Advanced Development Certificate to version 9.0 and signing up for Connections & Sametime tests.

IDVault - ID file upload fails with Error 03:11- 16 August 2013 - (0) Comments

Thomas Hampel
 16 August 2013

Problem
A Notes ID is not uploaded to an IDVault although the configuration of the client itself as well as the IDVault, incl. its trust certificates, seems to be correct.


Analysis

The administrator wanted to force the Notes client to upload his ID file to the server; since there already was an (old) ID file stored in the vault, it had been deleted manually.
However, the client still doesn't upload its local user ID.

Looking at the server's log file / Security Events....

Image:IDVault - ID file upload fails with Error 03:11
provided a few hints about the problem:


> Unable to find ID for 'dummy username/OU/O' in vault 'O=IDVault'.  Error: 03:11
> ID failed to authenticate in vault 'O=IDVault'.  'dummy username/OU/O' (IP address 10.10.10.10:57739) made request.  Error: 03:11


and further down other user names:

> Error: Entry not found in index

...indicating a view isn't updated.


Resolution

1.) Update the view index for the hidden view $IDFile in the IDVault database by using the following command:
load updall -R IBM_ID_VAULT\IDvault.nsf

2.) Remove the pending name change as described in my previous blog post id-vault-error-0311.htm


Hint: Although this has fixed the problem in my case, there's more to know.

IDVault does not honor view updates made directly in the database, maybe for performance reasons.
There is a DEBUG parameter for the IDVault which can override this behaviour so that view updates are reflected/enabled.

Create a replica without having direct server access- 5 July 2013 - (0) Comments

Thomas Hampel
 5 July 2013

Here is the problem:
You want to create a new replica of an existing database on a server which you are responsible for, but you are not allowed to access the remote server.
Not having access means your user ID is, e.g., in an access deny group, or, in a simpler scenario, a firewall is blocking direct access.

However, how would you pull a new replica from the remote server down to yours?
The answer is simple: you can set up a replica stub on your server without needing to access the remote server.

Step by step instructions

1. Switch to your workspace, make sure you have no database selected.
2. Use File\Replication\New Replica
3. Type the Servername + Filename >from< which you want to pull the replica.

Image:Create a replica without having direct server access
4. Click "Select"
Now your client will try to connect to the remote server, which of course won't work.

Image:Create a replica without having direct server access
5. A dialog box will display, showing an incomplete question

Image:Create a replica without having direct server access
Here you have to select "Yes" without knowing what the question actually means.
Note: Obviously that's a bug, but it seems that it has not been fixed yet.
6. Choose to which server you want to put the replica, also define a file name of your choice.
7. Disable "Create Immediately"

Image:Create a replica without having direct server access
8. Hit OK to create an uninitialized replica stub
9. The last and final step is to replicate this database on console level using the command:

    >pull remoteserver/ou/o localpath/filename.nsf

A note for beginners:
Your server also must be allowed to read from the remote server, and the target server needs to know how to reach the source server... so make sure you have proper name resolution or connection documents in place.

Achieving (a working) high availability with IBM Lotus iNotes- 2 July 2013 - (0) Comments

Thomas Hampel
 2 July 2013

We all like well working products and love good documentation, even better when there is a step by step instruction on how to set up a specific configuration to work perfectly.
One of those often referenced instructions is the IBM developerWorks article "Achieving high availability with IBM Lotus iNotes", based on a product from BigIP F5, which explains a clever reverse proxy configuration for optimizing performance.

Unfortunately the configuration outlined there DOES NOT WORK, because it contains multiple errors/failures/mistakes.

Following the instructions step by step will make it impossible to get the expected solution in place. Let me explain the problem in more detail.


For a small environment with only two servers in one cluster, you won't notice any problem; everything seems to work perfectly.
What you don't know is that the iRule does not work, and traffic is always dispatched to both of your servers. As soon as you have multiple clusters involved the problem becomes visible.

From time to time users receive "Error 404 - HTTP Web Server: Lotus Notes Exception - File does not exist", which indicates that traffic was routed to a server that doesn't host the requested file.


The (not working) documentation has been published in at least two other places, a DominoWiki article and a whitepaper:

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Achieving_high_availability_with_IBM_Lotus_iNotes
http://www.f5.com/pdf/deployment-guides/f5-ibm-inotes-dg.pdf

Let's get back to the roots. According to the developerWorks article, this is what (in theory) should happen:

The BigIP F5 reverse proxy appliance will intercept inbound HTTP requests which end with ".nsf" and are not dedicated to "names.nsf".

Domino will figure out which servers are hosting the requested file and will return a list of server DNS names in the form of an HTTP header.


The problems are:
  • BigIP will send traffic to any server in the configured server pool, so your session can end up on any random cluster/server which may not host the database you are looking for.
  • Domino lookups are performed against the local "cldbdir.nsf", which holds information about databases in this cluster only. What if there are multiple clusters involved?
According to the documentation: "X-Domino-ReplicaServers is returned when the service finds the relevant path within its own cluster, whereas X-Domino-ClusterServers is returned only when the mail servers are part of a different cluster."
But the iRule itself only refers to "X-Domino-ClusterServers"; the other header, "X-Domino-ReplicaServers", is never used. #fail !


Let's look into the details:

In Domino, a customized ServersLookup form in "iwaredir.nsf" is used to look up the "cldbdir.nsf" to figure out which servers are hosting the file, and returns this information as part of an HTTP header.
Sniffing network traffic using Wireshark shows that the HTTP header is never returned; it also shows that the URL referenced in the iRule is never called.

The iRule documented in Appendix B calls the (modified) ServersLookup form to retrieve the list of servers as an HTTP header:

HTTP::uri /iwaredir.nsf/ServersLookup?OpenForm&nsfpath=$nsf



Unfortunately this branch of the iRule is never triggered, because it expects the request URL to >end< with ".nsf":

if { ([HTTP::uri] ends_with ".nsf") and not ([HTTP::uri] contains "names.nsf") } {



Ok, let's try to fix it!

Resolving the problem requires changes on both sides, multiple changes in Domino and a slight change to the F5 iRule. I'm trying to cover the modifications step by step:

Part 1 - Let's start with the iRule

Here you need to change the if-clause to check for "path" rather than "uri", and also exclude any lookups towards "iwaredir.nsf" (those two checks are the changes compared to the original rule):

if { ([HTTP::path] ends_with ".nsf") and not ([HTTP::path] contains "iwaredir.nsf") and not ([HTTP::path] contains "names.nsf") } {
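To see why the original clause never fires and what the two added checks change, here is an added example (not from the original post and not F5 code): a plain POSIX shell model of both if-clauses, run over a handful of constructed request URIs. path_of strips the query string the way [HTTP::path] does, while the original rule keeps it as [HTTP::uri] would. Going one step beyond the post: the table also shows that the lookup request the iRule issues itself would be intercepted by the original rule (its nsfpath parameter ends with ".nsf"), which is what the iwaredir.nsf exclusion prevents, and that even the corrected rule only fires for the database-root request, not for views or documents inside the .nsf.

```shell
#!/bin/sh
# Added example (not from the original post or from F5): a shell model of the
# two iRule if-clauses so the uri-vs-path difference can be checked against
# sample requests. All request lines below are constructed for illustration.

# path_of URI -> the request path without the query string; this is what
# [HTTP::path] yields, whereas [HTTP::uri] keeps the "?..." part.
path_of() {
  printf '%s\n' "${1%%[?]*}"
}

# original_rule URI -> exit 0 (true) when the developerWorks clause would fire:
#   ([HTTP::uri] ends_with ".nsf") and not ([HTTP::uri] contains "names.nsf")
original_rule() {
  case $1 in
    *names.nsf*) return 1 ;;
    *.nsf)       return 0 ;;
    *)           return 1 ;;
  esac
}

# corrected_rule URI -> exit 0 (true) when the corrected clause from Part 1 fires:
#   ([HTTP::path] ends_with ".nsf") and not (path contains "iwaredir.nsf")
#   and not (path contains "names.nsf")
corrected_rule() {
  p=$(path_of "$1")
  case $p in
    *iwaredir.nsf*|*names.nsf*) return 1 ;;
    *.nsf)                      return 0 ;;
    *)                          return 1 ;;
  esac
}

# yes_no RULE URI -> prints "yes" or "no" for the comparison table
yes_no() {
  if "$1" "$2"; then echo yes; else echo no; fi
}

# Constructed sample requests: the bare database root, the root as the browser
# actually requests it, the lookup request the iRule itself issues, the login
# page, and a view inside the mail file.
SAMPLE_REQUESTS='/mail/jdoe.nsf
/mail/jdoe.nsf?OpenDatabase
/iwaredir.nsf/ServersLookup?OpenForm&nsfpath=mail/jdoe.nsf
/names.nsf?Login
/mail/jdoe.nsf/($Inbox)?OpenView'

printf '%-62s %-9s %s\n' "request" "original" "corrected"
printf '%s\n' "$SAMPLE_REQUESTS" | while IFS= read -r uri; do
  printf '%-62s %-9s %s\n' "$uri" \
    "$(yes_no original_rule "$uri")" "$(yes_no corrected_rule "$uri")"
done
```

The first two rows are the whole bug: a browser opens a mail file with "?OpenDatabase" appended, so the URI never ends with ".nsf" and the original lookup branch is skipped for every real request.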



Part 2 - Database Catalog

In order to find the correct servers at the first attempt, my idea was to look up the (in our case always perfect) database catalog to find the servers hosting the requested file.

To do that we will need to create a new (hidden) view in the catalog.nsf with two columns:

View Formula:              SELECT @IsAvailable(ReplicaID) & @IsUnavailable(RepositoryType)
Column 1 Formula:          Pathname
Column 2 Formula:          ReplicaID2 := @If(@Text(ReplicaID; "*") = "00000000:00001601"; "Non-replicatable files"; ReplicaID);
                           @Text(ReplicaID2; "*")
Column 2 Programmatic Use: TextReplicaID





Part 3 - ServersLookup

Now let's make use of the view by updating the code in the "ServersLookup" form of the file iwaredir.nsf.

If no parameter is provided, it is assumed the user wants to access his mail server.
The code behind the $$HTMLHead field should look like this:



tmpDebug := "";

REM {Requested database path from the nsfpath query parameter; default to the user's mail file};
tmpNSFPath := @ReplaceSubstring(@URLDecode("Domino"; @UrlQueryString("nsfpath")); "/"; "\\");
@If(tmpNSFPath = ""; tmpNSFPath := @Name([Canonicalize]; @NameLookup([NoUpdate]; @UserName; "MailFile")); "");

REM {Lookup home mail server};
tmpHomeServer := @Name([Canonicalize]; @NameLookup([NoUpdate]; @UserName; "MailServer"));
tmpLookupKey := @ReplaceSubstring(tmpNSFPath; "\\"; "/");

REM {Get replicaID of this mail file};
tmpReplicaID := @DbLookup("":""; "":"catalog.nsf"; "($LookupServerFilename)"; tmpLookupKey; "TextReplicaID");

REM {Find all servers which are hosting this replicaID};
tmpServers := @DbLookup("":""; "":"catalog.nsf"; "($ReplicaID)"; tmpReplicaID; "Server");
tmpServers := @If(@IsError(tmpServers); ""; tmpServers);

REM {If the home mail server is in the list of servers, move it to the front of the list};
tmpServers := @If(@IsMember(tmpHomeServer; tmpServers); tmpHomeServer : @Transform(tmpServers; "x"; @If(x = tmpHomeServer; @Nothing; x)); tmpServers);

tmpDNSNames := "";

REM {Resolve host names for each server name in the list};
tmpLimit := @Elements(tmpServers) + 1;
@For(n := 1; n < tmpLimit; n := n + 1;
    tmpHTTPHostNameALT := @Subset(@DbLookup("":""; "":"names.nsf"; "($ServersLookup)"; tmpServers[n]; "HTTP_Hostname"); 1);
    tmpServerFQDN := @Subset(@DbLookup("":""; "":"names.nsf"; "($ServersLookup)"; tmpServers[n]; "SMTPFullHostDomain"); 1);
    tmpString := tmpString + @Text(n) + tmpHTTPHostNameALT + tmpServerFQDN;
    tmpDNSNames := @If(@Length(tmpDNSNames) > 0; tmpDNSNames + ","; "") + @LowerCase(@If(tmpHTTPHostNameALT != ""; tmpHTTPHostNameALT; tmpServerFQDN))
);

REM {Return results to F5};
@SetHTTPHeader("X-Domino-ClusterServers"; tmpDNSNames);
@SetHTTPHeader("Cache-control"; "no-store");

@If(tmpDebug = ""; ""; "")



Update:

Session persistence is causing some headaches when F5 needs to select an address from the pool. To work around this issue you can use this iRule

inotes-irule.txt


Result:

No more nasty HTTP 404s unless the database really cannot be found anywhere.
Of course even this solution depends on a few assumptions; one is that the catalog must be up to date and must be replicating within the environment.


Disclaimer: Use at your own risk, no warranty is provided. However, please let me know if you have further suggestions how to improve this solution.

Notes and Domino 9.0- 22 March 2013 - (0) Comments

Thomas Hampel
 22 March 2013

IBM just announced the availability of IBM Notes and Domino 9.0 Social Edition.
The software packages are available for download from Passport Advantage; specifically, the part numbers are:

System requirements for IBM Notes and Domino 9.0 Social Edition
If you want to know what has changed from previous versions, take a look at the fix list
http://www-10.lotus.com/ldd/fixlist.nsf/%28Progress%29/90

Recover your Domino SSL Keystore password- 27 February 2013 - (2) Comments

Thomas Hampel
 27 February 2013

In a situation where you need to verify the contents of a Domino SSL key ring file (*.kyr) it's very useful to know the password to that key ring.
Unfortunately that's not always the case, e.g. when inheriting a server for which no documentation exists, or in simple terms when you forgot the password.

In order to recover the password in clear text, just enable the debug parameter SSL_TRACE_KEYFILEREAD=1 in the Notes.ini.
To avoid any impact on production, you might want to do this in an isolated environment like a freshly installed Domino server or a test server you already have.

So this is what you have to do:
  1. Install a new isolated Domino server (or use a test server of your choice)
  2. Copy the *.kyr + *.sth file from the production server to the new server
  3. Configure the HTTP task to make use of this key ring file, by updating the server document/internet ports, or by updating the internet site / security configuration.
  4. Enable the Notes.ini parameter by typing this command at the server's console
    set config SSL_TRACE_KEYFILEREAD=1
  5. Restart the HTTP task
    tell http restart
  6. Watch the console to obtain the password in plain text:

ReadKeyfile> Recovering password from stash file
ReadKeyfile> Password is ABCDEFGH
ReadKeyfile> Reading keyfile /opt/IBM/notesdata/keyfile.kyr
ReadKeyfile> Looking for trusted roots
ReadKeyfile> Found trusted roots
ReadKeyfile> Exit status = 0
ReadKeyfile> Recovering password from stash file
ReadKeyfile> Password is ABCDEFGH
ReadKeyfile> Reading keyfile /opt/IBM/notesdata/keyfile.kyr
ReadKeyfile> Looking for cert chain
ReadKeyfile> Got cert chain
ReadKeyfile> Exit status = 0
ReadKeyfile> Recovering password from stash file
ReadKeyfile> Password is ABCDEFGH
ReadKeyfile> Reading keyfile /opt/IBM/notesdata/keyfile.kyr
ReadKeyfile> Looking for private key
ReadKeyfile> Decoding keys
ReadKeyfile> Keys decoded
ReadKeyfile> Exit status = 0
HTTP Server: Using Internet Site Configuration View

Now you can use the Domino Server Certificate Authority application to take a closer look at the *.kyr file.
Keep in mind that the password has now been written in clear text to the console, and thereby to the console log and log.nsf of that test server: disable the trace again afterwards (set config SSL_TRACE_KEYFILEREAD=0) and treat those logs as sensitive.

Change ReplicaID of existing DBs without creating a Notes Copy- 23 February 2013 - (0) Comments

Thomas Hampel
 23 February 2013

If you want to change the replicaID of a database without doing a Notes Copy, feel free to use this small script:
ChangeReplicaID.lss

Enable ’Show in-line MIME images as attachments’ via Policies- 11 February 2013 - (0) Comments

Thomas Hampel
 11 February 2013

Some Notes client preferences cannot be enabled via Domino Policies because the values are not exposed as a parameter in the Domino Directory template.
One of them is "Show in-line MIME images as attachments".
Image:Enable ’Show in-line MIME images as attachments’ via Policies

In order to enable/disable this setting, you'll have to set a Notes.ini variable via policies:
ShowIMIMEImagesAsAttachments=1

Instead of modifying the Domino Directory template, it's enough to add this variable in the custom settings section of the Desktop policy settings.
Image:Enable ’Show in-line MIME images as attachments’ via Policies

IBM Lotus Connector for SAP Solutions with IBM Lotus Enterprise Integrator for Domino 8.5.3 64-bit- 23 January 2013 - (2) Comments

Thomas Hampel
 23 January 2013

For running IBM Lotus Connector for SAP Solutions with the 64-bit version of IBM Lotus Enterprise Integrator for Domino 8.5.3, you will need the following packages:

Part nr.         Software name
CRG0LEN        IBM Lotus Enterprise Integrator for Domino V8.5.3 Multi O/S English 64-bit
CZN8CEN        IBM Lotus Connector for SAP Solutions 2.0.1 64-bit

Unfortunately this is not enough: according to the LEI documentation the following libraries are required, and one of them, "librfc32.dll", is missing from the package:
librfc32.dll                <- not present in the package, missing!
librfc32u.dll
Icudt*.dll
Icuin*.dll
Icuuc*.dll
libsapucum.dll

The file can be found in the 64-bit version of the SAP RFC SDK 6.40 kit, which is not part of the IBM packages.
This software is only available from SAP via the SAP Marketplace, so download and unpack the SAP RFC SDK to find the DLL you are looking for.

Copy the DLL files from the SDK into the same place as the other libraries above (e.g. C:\WINDOWS\SYSTEM32\) to make the SAP Connector work.

How to supply your admin with a precise copy of a mail for further analysis- 13 December 2012 - (0) Comments

Thomas Hampel
 13 December 2012

Have you ever been in the situation where a user had to supply an admin with an example of a message including its header information?
Forwarded copies or replies are unusable regardless of how they are saved.


In order to supply admins with what they need for further analysis, please follow these instructions...

Lotus Notes 6.x-8.x
  1. From the Lotus Notes mail database window, select the message you want to submit.
  2. Open the message full view (not preview mode).
  3. From the "View" menu, select "Show" then "Page Source".
  4. From the "File" menu, select "Export."
  5. In the "Export" pop-up window, enter a filename and choose a location to save the file.
    From the "Save as type" drop-down list select "ASCII Text." After entering the filename, press "Export."
  6. In the next dialog box, select "Default Character Set" and then click OK.

Lotus Notes 5.x and below
  1. From the Lotus Notes mail database window, select the message you want to submit.
  2. From the "File" menu, select "Export."
  3. In the "Export" pop-up window, enter a filename and choose a location to save the file.
    From the "Save as type" drop-down list select "Structured Text." After entering the filename, press "Export."
  4. Select "Selected documents" in "How Much to Export" of the "Structured Text Export" dialog box, and press OK.
    Now, save the text file in the location you designated in Step 3.

And in case anyone is still using less functional mail clients....

Note: Some versions of Outlook offer two options to save an .msg file - one is "Outlook Message Format", the other is "Outlook Message Format - Unicode". You should NOT select the Unicode format, this could cause problems when you save and submit the file.

Microsoft Office Outlook 2003/2010
  1. Open Microsoft Office Outlook 2003.
  2. Double click to open the email message that you want to save.
  3. From the "File" menu, select "Save As."
  4. The "Save As" pop-up window displays. Select "Outlook Message Format" from the "Save as type" drop-down list.
  5. Select the folder in which you want to save the message. Note, the "File name" is provided by default. You can change this if you want.
  6. Click "Save." The message is saved with an ".msg" file extension.

Microsoft Office Outlook XP
  1. Open Microsoft Office Outlook XP.
  2. Double click to open the email message that you want to save.
  3. From the "File" menu, select "Save As."
    The "Save As" window displays. Select "Message Format (*.msg)" in the "Save as type" drop-down list.
  4. Select the folder in which you want to save the message. Note, that the "File name" is provided by default. You may change this if you want.
  5. Click "Save." The message is saved with an ".msg" file extension.

Microsoft Outlook Express
  1. Open Microsoft Outlook Express.
  2. Double click to open the email message that you want to save.
  3. From the "File" menu, select "Save As."
  4. The "Save Message As" pop-up window displays. Select "Mail (*.eml)" from the "Save as type" drop-down list.
  5. Select the folder in which you want to save the message. Note, the "File name" is provided by default. You can change this if you want.
  6. Click "Save." The message is saved with an ".eml" file extension.

Apple (Mac) Mail
  1. Select the message you want to save.
  2. From the "File" menu, select "Save as ..."
  3. In the pop-up window, select the format "Raw Message Source"
  4. Save with a filename including a .txt or .eml extension

Other Mail User Agents
Save the email that you want to report as a text file. Make sure that the message is as close to its original form as possible. Your mail client might allow you to save rendered text as well as the original source -- it is the original "raw source" that is needed. Make sure the original email headers are intact and included in RFC-822 format. Typical file name extensions are .eml and .txt

Please attach .txt/.msg/.eml file to a new email which you can send to your administrator.
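All of the instructions above aim at the same thing: the administrator needs the untouched RFC 822 source, not a forward or a rendered copy. The following Python script is an added example (not part of the original post) that checks a saved .eml/.txt file for exactly that before it is attached and sent. The sample messages in it are constructed for this example, and the set of headers it insists on is an assumption about what an administrator needs at minimum.

```python
"""Check that a saved mail file is the raw message source an administrator can analyse.

Added example, not code from the blog post: it verifies that a file exported as
.eml/.txt still carries the original header block (From, To, Date, Message-ID and
the Received chain) instead of being a forwarded or rendered copy, which the post
describes as unusable. All sample messages below are constructed for this example.
"""
import email
from email import policy

# Assumed minimum set of headers an administrator needs to identify and trace a message.
REQUIRED_HEADERS = ("From", "To", "Date", "Message-ID")


def inspect_raw_message(raw: bytes) -> dict:
    """Parse the saved file as RFC 822 and report whether the header block is intact."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    missing = [h for h in REQUIRED_HEADERS if msg.get(h) is None]
    received = msg.get_all("Received") or []
    subject = str(msg.get("Subject") or "")
    # A forward created in the mail client has a rewritten subject and no Received chain.
    looks_forwarded = subject.lower().startswith(("fw:", "fwd:", "wg:"))
    return {
        "ok": not missing and bool(received) and not looks_forwarded,
        "missing_headers": missing,
        "received_hops": len(received),
        "looks_forwarded": looks_forwarded,
        "message_id": str(msg.get("Message-ID") or ""),
    }


# Constructed sample 1: raw source as saved via "Page Source" / "Raw Message Source".
RAW_OK = b"""Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mail.example.com with ESMTP id q1234 for <user@example.com>;
\tMon, 10 Dec 2012 09:15:03 +0100
Received: from sender-pc (unknown [198.51.100.7])
\tby relay.example.net with SMTP; Mon, 10 Dec 2012 09:15:01 +0100
From: Sender <sender@example.net>
To: User <user@example.com>
Date: Mon, 10 Dec 2012 09:15:00 +0100
Message-ID: <20121210091500.ABC123@relay.example.net>
Subject: Invoice attached

Please find the invoice attached.
"""

# Constructed sample 2: the same mail forwarded by the user; the original hops are gone.
RAW_FORWARDED = b"""From: User <user@example.com>
To: Admin <admin@example.com>
Date: Mon, 10 Dec 2012 10:02:00 +0100
Message-ID: <20121210100200.DEF456@mail.example.com>
Subject: Fw: Invoice attached

----- Forwarded by User/Org on 10.12.2012 10:02 -----
From: Sender <sender@example.net>
Please find the invoice attached.
"""

# Constructed sample 3: rendered text copied out of the mail window, not RFC 822 at all.
RAW_RENDERED = b"""Invoice attached
Sender <sender@example.net> to User <user@example.com>, 10.12.2012 09:15

Please find the invoice attached.
"""

if __name__ == "__main__":
    for name, sample in (("raw", RAW_OK), ("forwarded", RAW_FORWARDED), ("rendered", RAW_RENDERED)):
        print(name, inspect_raw_message(sample))
```

Only the first sample passes: it keeps both Received hops and every required header. The forwarded copy fails because the Received chain was stripped by the client, and the rendered copy fails because it has no header block at all, which is exactly what makes such files useless for analysis.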

TechLesson of the day - Language Pack installer does not find Domino server- 7 November 2012 - (2) Comments

Thomas Hampel
 7 November 2012

A small lesson learned today:

When applying a language pack to a Domino server, the following error message may appear:
Image:TechLesson of the day - Language Pack installer does not find Domino server
Could not find any indications of a Domino server in your selected paths, either path(s) are incorrect, or you do not have a Domino server at the location. please confirm selected path(s) are correct. [OK]

Root cause: The Domino data directory did not contain the file "pubnames.ntf"; some admin thought it would be a good idea to delete all *.ntf files from the server.
So of course a language pack could not be installed.

In case of further problems, check this technote for troubleshooting language pack installation issues.
http://www-01.ibm.com/support/docview.wss?uid=swg21229337

Exporting Notes Documents- 2 October 2012 - (0) Comments

Thomas Hampel
 2 October 2012

A customer wanted to have all attachments of some selected Notes documents exported to the file system and also wanted to keep an option for developers to access the metadata of the original Notes document.
Nothing easier than that, so I wrote this small script to get the job done.


First the entire document is exported into DXL, then all attachments are detached to the file system. Neither part is rocket science, but some people might want to reuse the code.
To avoid name conflicts while detaching files, a folder is created for each Notes document, so all attachments of this Notes document will be stored in this subfolder.


Option Public
Option Declare
%Include "lsconst.lss"    '# defines the RICHTEXT and EMBED_ATTACHMENT constants used below

Dim gCounter&

Sub Initialize
    Dim s As New NotesSession
    Dim coll As NotesDocumentCollection
    Dim BasePath$

    BasePath$ = InputBox("Export data to path...: ", "Export", "C:\")

    '# add backslash at the end
    If Right(BasePath$, 1) <> "\" Then BasePath$ = BasePath$ & "\"

    Print "Using BasePath : " & BasePath$

    Set coll = s.CurrentDatabase.UnprocessedDocuments
    If coll Is Nothing Then
        MessageBox "No documents selected"
    Else
        Print "Processing " & coll.Count & " documents..."
        Call ExportToDXL(coll, BasePath$)
        Call ExportToFile(coll, BasePath$)
        MessageBox "Export completed."
    End If
End Sub

Function ExportToDXL(coll As NotesDocumentCollection, BasePath As String)
    Dim session As New NotesSession
    Dim stream As NotesStream
    Dim DXLfilename$
    Dim doc As NotesDocument
    Dim tdoc As NotesDocument
    Dim exporter As NotesDXLExporter

    If coll Is Nothing Then Exit Function

    Set doc = coll.GetFirstDocument
    While Not doc Is Nothing
        Set tdoc = coll.GetNextDocument(doc)

        '# Open an xml file named after the UNID of the current document
        Set stream = session.CreateStream
        DXLfilename$ = BasePath & doc.UniversalID & ".dxl"
        If Not stream.Open(DXLfilename$) Then
            MessageBox "Cannot open " & DXLfilename$, , "Error"
            Exit Function
        End If

        '# kick off the exporter process
        Set exporter = session.CreateDXLExporter
        Call exporter.SetInput(doc)
        Call exporter.SetOutput(stream)
        Call exporter.Process
        Call stream.Close

        Set doc = tdoc
    Wend
End Function

Function ExportToFile(coll As NotesDocumentCollection, BasePath As String)
    On Error GoTo ErrH
    Dim doc As NotesDocument
    Dim tdoc As NotesDocument
    Dim rtitem As Variant
    Dim targetpath$, fname$
    Dim FieldList(0) As String

    '# define which fields to scan for attachments
    FieldList(0) = "Body"

    If coll Is Nothing Then Exit Function

    Set doc = coll.GetFirstDocument
    While Not doc Is Nothing
        Set tdoc = coll.GetNextDocument(doc)
        If doc.HasEmbedded Then
            '# one subfolder per document (named after its UNID) avoids name conflicts between documents
            targetpath$ = BasePath & doc.UniversalID & "\"
            If Dir$(BasePath & doc.UniversalID, 16) = "" Then MkDir targetpath$

            '# loop list of fields
            ForAll f In FieldList
                Set rtitem = doc.GetFirstItem(f)
                If Not rtitem Is Nothing Then
                    If (rtitem.Type = RICHTEXT) Then
                        '# make sure the field contains some objects and detach
                        If IsArray(rtitem.EmbeddedObjects) Then
                            ForAll o In rtitem.EmbeddedObjects
                                If (o.Type = EMBED_ATTACHMENT) Then
                                    fname$ = o.Name
                                    '# do not overwrite a file of the same name already in the target folder
                                    If Dir$(targetpath$ & fname$) <> "" Then fname$ = CStr(gCounter&) & fname$
                                    Call o.ExtractFile(targetpath$ & fname$)
                                    gCounter& = gCounter& + 1
                                End If
                            End ForAll
                        End If
                    End If
                End If
            End ForAll
        End If
        Set doc = tdoc
    Wend
continue:
    Exit Function

ErrH:
    Print "Error " & Err() & " in line " & Erl() & " - " & Error$
    Resume continue
End Function

EMC SourceOne- 27 September 2012 - (0) Comments

Thomas Hampel
 27 September 2012

When running EMC SourceOne with Domino, it might happen that users can only see a subset of the mails they have received, even if the mail itself is stored in the EMC system.
Here are the details...


Problem
When logging in with Active Directory credentials, users can only see emails which have been sent to the internet address of that user.
When logging in with the Notes/Domino user name and HTTPPassword, only the Lotus Notes mails can be found.

Analysis
By opening one email in each account and looking at the header, it became clear that EMC SourceOne cannot associate the AD user name with the Notes user name.
The Notes user name is stored in a custom attribute of the Active Directory user object, but there is no option to customize the EMC software to make use of this attribute.

For each mail, EMC seems to use the recipient's name as a string to search Active Directory. So if the mail has been sent to "firstname.lastname@company.com" it will find a corresponding user in AD and can associate the mail with the user.
When the mail is sent to "Firstname Lastname/OU/O", there is no corresponding user in AD, at least not among the list of objects which EMC is searching in.

Those of you who have already migrated from Exchange to Domino know that for perfect coexistence between both systems, the AD user needs to have a Notes proxyAddress defined.
Based on this knowledge it was easy to resolve the problem.


Solution
Adding the Notes user name to the list of email addresses ("proxyAddresses") in the AD user object resolved the issue.
Image:EMC SourceOne

The result is another proxy address "NOTES:CN=Firstname Lastname/OU=X/O=Y" in addition to the internet address itself.

Domino Program documents and schedule- 6 September 2012 - (1) Comments

Thomas Hampel
 6 September 2012

Problem: A customer reported that Domino would not be responding at a specific point in time, but the servers don't crash - they are unresponsive.

Analysis: Looking into the Domino server logs at about the time the problem was reported showed that some scheduled tasks were running.
While scrolling down the logs it became clear that the compact task was blocking access to the server's system databases - in this case log.nsf - which caused the server to ignore incoming requests.

From the end user's point of view the server came to a halt, while from the server's point of view all was okay.


Action:
Getting Domino program documents scheduled perfectly can be a long journey. Here is my recommendation on how to do it right.
Program: convert
Command line: -l mailprimary.ind
Schedule: 18:50 each day; repeat interval: 0 minutes; days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat
Comments: Generates a list of mail files by reading people's mail files from the Domino Directory and writes the list into an IND file.

Program: compact
Command line: -A mailprimary.ind
Schedule: 19:00 each day; repeat interval: 0 minutes; days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat
Comments: Archive data but don't reduce the mail file size, because compacting will be done through another program document.

Program: compact
Command line: -B -S 20 -w
Schedule: 23:00 each day; repeat interval: 0 minutes; days of week: Fri
Comments: Once per week, reduce the file size if there is at least 20% white space in the file.
Exclude system DBs with option -w; for servers before 8.5.4 this requires the variable DEBUG_ENABLE_COMPACT_8_5=1.
Note: Reducing the file size for every file every day will just increase the level of fragmentation and will reduce performance.

Program: compact
Command line: -b -w
Schedule: 23:00 each day; repeat interval: 0 minutes; days of week: Sun, Sat
Comments: Make sure the white space is located at the end of the NSF file for better performance when creating new documents.
Note: Do not run on Friday, due to backup.

Program: compact
Command line: -b log.nsf
Schedule: 04:30 each day; repeat interval: 0 minutes; days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat
Comments: Special schedule for log.nsf after 04:00, when the purge has been completed, to make sure the white space is located at the end of the NSF file for better performance when creating new documents.

Program: catalog
Schedule: 01:00 each day; repeat interval: 0 minutes; days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat
Comments: Updates information in catalog.nsf.

Program: updall
Schedule: 02:00 each day; repeat interval: 0 minutes; days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat
Comments: Updates existing views.

Program: statlog
Schedule: 05:00 each day; repeat interval: 0 minutes; days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat
Comments: Records statistics.

Program: daosmgr
Command line: resync
Schedule: 23:30 each day; repeat interval: 0 minutes; days of week: Mon, Wed, Fri
Comments: Every second day, resync the DAOS repository.

Program: collect
Schedule: At server startup only
Comments: Make sure the task is not loaded in the Notes.ini via "ServerTasks=".

Program: http
Schedule: At server startup only
Comments: Make sure the task is not loaded in the Notes.ini via "ServerTasks=".

Program: rnrmgr
Schedule: At server startup only
Comments: Make sure the task is not loaded in the Notes.ini via "ServerTasks=".

Program: (n)server
Command line: -c "tell sched validate"
Schedule: 02:00 each day; repeat interval: 0 minutes; days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat
Comments: Rebuilds the clubusy/busytime.

Program: (n)server
Command line: -c "tell mtc purge 7"
Schedule: 00:00 each day; repeat interval: 0 minutes; days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat
Comments: Purge data older than 7 days from the message tracking store.


Optional Program Documents for Specific Server Types

Program: (n)server
Command line: -c "tell router compact"
Schedule: 18:00 each day; repeat interval: 0 minutes; days of week: Sun
Comments: This will reduce the file size of the mail.boxes, but will increase fragmentation on disk. Not recommended for servers with high mail volume.

Of course no one is perfect, so any comments and suggestions for improvements are very welcome!

ID Vault - Error 03:11- 8 June 2012 - (0) Comments

Thomas Hampel
 8 June 2012

When deploying the ID Vault, administrators may see the following error in the log.nsf of the server hosting the ID Vault.

06/08/2012 04:54:18 PM  ID failed to upload to vault 'O=XYZ-IDVault'.  'Firstname Lastname/OU/O' (IP Address a.b.c.d:port) made request.  Error: 03:11
06/08/2012 04:59:16 PM  Unable to find ID for 'Firstname Lastname/OU/O' in vault 'O=XYZ-IDVault'.  Error: 03:11


Image:ID Vault - Error 03:11
The root cause for this is a pending name change request which was not applied to the user. Take a look into the person document of this user, especially the tab "Administration":
the Client Information section will display whether there are any pending name change requests outstanding.

Technically the name change request is stored in a field called "ChangeRequest", accompanied by "ChangeRequestDate", which stores the date/time when this request was initiated.
In my particular case, the name change request was almost 3 years old and it was not possible to find out what had caused this request to still appear in the system.

Image:ID Vault - Error 03:11
Workaround:

Remove both fields (or set them to an empty value), e.g. by using the Change Any Field method.

Can’t contact LDAP server- 1 June 2012 - (0) Comments

Thomas Hampel
 1 June 2012

Authenticating Domino users against a remote LDAP directory is nothing new. Some people have blogged about it or created a presentation already.
Furthermore there are some good articles out there explaining the implementation of AD authentication, directory integration and SPNEGO.

When you're done with the configuration, things may run smoothly at first, but after a few days authentication may not work any longer.
Restarting the server might help, but only for a short time frame. The reason for that is a bug in the Domino server referenced as SPR# AJMO8NVM8F, where Domino seems to no longer find the remote LDAP server.

Steps to reproduce:
  1. Enable the following debug parameters:
     Debug_DirectoryAssistence=1
     WebAuth_Verbose_Trace=1
     LDAPDEBUG=512
  2. After some time, Domino may become unable to contact the remote LDAP server. The error message displayed at the console is the following:
     LDAP> connect_to_host:  EndPoint connect failed:  The remote server is not a known TCP/IP host.
     LDAP> Unable to chase references (Can't contact LDAP server)

This issue has been documented in LO66491 http://www-304.ibm.com/support/docview.wss?uid=swg1LO66491
It seems the problem still exists in Domino 8.5.3 with Fix Pack 1, so if you run into this problem, open a PMR to get a hotfix.

A temporary workaround is to issue the command "show xdir reload" at the server console, which can also run as a scheduled program document every 30 minutes.
It won't fix the issue itself, but will reload the directory assistance tables, by which the error state is reset back to normal.

Winmail.dat- 29 December 2011 - (1) Comments

Thomas Hampel
 29 December 2011

Every couple of years the same story...

Lotus Notes/Domino users receive emails containing an attachment "winmail.dat" or "att00001.dat" which the Lotus Notes® client is unable to open.
Examination of the document properties reveals that the message was sent as Content-Type: application/ms-tnef; name="winmail.dat", which is a format only used by Microsoft® Exchange/Outlook.

The problem itself is described in IBM Technote 1093342
http://www-01.ibm.com/support/docview.wss?rs=475&uid=swg21093342

but let me point out that this clearly is not a problem caused by Lotus Domino; it is the sender's fault, who has configured their messaging system to send the email in the Microsoft-specific TNEF format rather than using a common standard.
The Microsoft TNEF format is not a public standard like those documented in RFCs. Even Microsoft pointed out that the TNEF format isn't RFC compliant (see Microsoft KBA #323483).

According to IBM Technote 1093342, Domino administrators can enable the Notes.ini variable TNEFEnableConversion=1 on the server to improve the situation, but this can only be a short-term workaround: every time Microsoft decides to change the format of its TNEF file type, Domino won't be able to convert the data stored within. Furthermore, this file may contain specific content which Domino will never be able to convert properly, such as voting buttons or custom forms.

A real solution is to fix the problem at the source, which is to remind the sender to turn off sending mails in TNEF format.
Microsoft published a knowledge base article http://support.microsoft.com/kb/241538 a few years ago which suggests turning off the TNEF format either globally or per recipient.
Once again, this can only be done by the sender, or rather the sender's administrator, not by the recipient.

Please note:
If the sender is using Microsoft Exchange 2007, the format of "winmail.dat" has changed compared to earlier versions, so conversion will NOT work in some cases!
Since Microsoft changes the format of the file winmail.dat whenever they want, the variable TNEFEnableConversion is not guaranteed to work all the time; Domino server crashes will be the result.
This is also true for any upcoming changes in the file format.

To avoid misunderstandings:
  • The TNEF format is not based on common standards.
  • Email clients other than MS Outlook cannot handle TNEF, because TNEF may contain elements such as forms or voting buttons.
  • TNEF is sent as raw binary, independent of what is advertised by the receiving SMTP server. As documented in Microsoft KBA #323483, this technique is not RFC compliant.
  • Most Exchange admins configure their servers correctly to NOT send TNEF-encoded mails to recipients on the internet.
  • S/MIME-signed emails will not be converted unless the Domino administrator forces the digital signature to be broken by using the Notes.ini variable TNEFBreakSMIME=1.

How to handle the problem:
  • Catch all mails with Content-Type: application/ms-tnef before they arrive at the Domino server.
    Return a message to the sender telling them that they should disable sending mails in TNEF format. Refer them to http://support.microsoft.com/KB/138053 for further instructions.
  • Enable TNEFEnableConversion=1
    Why take this risk? Simply because your users will be frustrated getting mails with "winmail.dat" attachments.
  • Do not use TNEFBreakSMIME=1
    Because security warnings which the client gets used to ignoring are even worse.
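As an added example of the first handling option (this is not code from the post, from IBM or from Microsoft), the following Python code detects TNEF parts in a raw message by Content-Type or by the winmail.dat file name and drafts the notice to be returned to the sender, pointing at the Microsoft KB article cited above. The messages are constructed inline; the attachment payload only starts with the four TNEF signature bytes and is not a real TNEF stream. Where this check runs (a gateway or mail filter in front of Domino) depends on the environment and is not specified here.

```python
"""Detect TNEF-encoded mail before it reaches Domino and draft the notice to the sender.

Added example, not code from the blog post or from IBM/Microsoft: it implements the
first handling option above (catch mails with Content-Type: application/ms-tnef and
tell the sender to disable TNEF, pointing at the Microsoft KB article the post cites).
The sample messages and the attachment payload are constructed for this example.
"""
import email
from email import policy
from email.message import EmailMessage

TNEF_CONTENT_TYPE = "application/ms-tnef"
TNEF_FILENAME = "winmail.dat"
SENDER_HOWTO_URL = "http://support.microsoft.com/KB/138053"  # URL as given in the post


def find_tnef_parts(raw: bytes) -> list:
    """Return (content type, file name) for every MIME part that is TNEF by type or by name."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        ctype = part.get_content_type()
        fname = (part.get_filename() or "").lower()
        if ctype == TNEF_CONTENT_TYPE or fname == TNEF_FILENAME:
            hits.append((ctype, fname))
    return hits


def sender_notice(raw: bytes):
    """Build the text returned to the sender, or None when the mail carries no TNEF part."""
    hits = find_tnef_parts(raw)
    if not hits:
        return None
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = ", ".join(f"{ctype}; name={fname or '-'}" for ctype, fname in hits)
    return (
        "Your message \"" + str(msg.get("Subject", "")) + "\" to " + str(msg.get("To", ""))
        + " was sent in Microsoft TNEF format (" + parts + "). Recipients outside "
        "Exchange/Outlook cannot read this format. Please disable TNEF for internet "
        "recipients as described at " + SENDER_HOWTO_URL + " and resend the message."
    )


def _build_tnef_sample() -> bytes:
    """Constructed mail carrying a winmail.dat part, as an Outlook/Exchange sender would produce."""
    msg = EmailMessage()
    msg["From"] = "Sender <sender@example.net>"
    msg["To"] = "User <user@example.com>"
    msg["Subject"] = "Meeting request"
    msg.set_content("See attached.")
    # Constructed payload: TNEF signature 0x223E9F78 (little endian) plus filler, not a real TNEF stream.
    msg.add_attachment(b"\x78\x9f\x3e\x22" + b"\x00" * 16,
                       maintype="application", subtype="ms-tnef", filename=TNEF_FILENAME)
    return msg.as_bytes()


def _build_clean_sample() -> bytes:
    """Constructed plain-text mail that must pass untouched."""
    msg = EmailMessage()
    msg["From"] = "Sender <sender@example.net>"
    msg["To"] = "User <user@example.com>"
    msg["Subject"] = "Plain text only"
    msg.set_content("No TNEF here.")
    return msg.as_bytes()


TNEF_SAMPLE = _build_tnef_sample()
CLEAN_SAMPLE = _build_clean_sample()

if __name__ == "__main__":
    print(find_tnef_parts(TNEF_SAMPLE))
    print(sender_notice(TNEF_SAMPLE))
    print(find_tnef_parts(CLEAN_SAMPLE), sender_notice(CLEAN_SAMPLE))
```

Matching on the file name as well as on the declared Content-Type catches senders whose gateway relabels the part as application/octet-stream but keeps the winmail.dat name; the clean sample shows that ordinary MIME mail is left alone.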

How many users a single Domino server can handle???- 5 December 2011 - (0) Comments

Thomas Hampel
 5 December 2011

In the past a lot of server.load tests have been done to "prove" that Domino can handle a certain number of users.
As you can imagine, such a simulation does not really reflect what a real user does, especially not the wide range of different actions.


So let's take a look into a production environment... this environment is based on Domino 8.5.2 64-bit running on AIX.

Image:How many users a single Domino server can handle???

It shows a peak of 10040 users within just one Domino partition. This statistic doesn't say whether users were happy with the response time of the server at peak workload times, which of course is something that can be figured out. However, the statistic shows that Domino can handle the workload when enough I/O capacity is available.

I'm not able to share more technical details, but what I can say is that CPU and memory utilization were high, but were not reaching limits.
Thomas Hampel, All rights reserved.