Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration


Query results for : Domino

Welcome Domino License Analysis Utility (DLAU) 1.2.4- 17 April 2024 - (0) Comments

Thomas Hampel
 17 April 2024

Hi Folks,

The new version 1.2.4 of the Domino License Analysis Utility (DLAU) has just been published.
The tool allows customers to analyze their current environment to identify the license needs.

The new version now supports MacOS clients to perform the scan and it resolves a number of issues which customers have reported.

What's New ?

- Report now includes Domino server versions
- Supports read-only user with the appropriate rights
- Support for MacOS
- Save the server versions as a reference for each scan
- Note when server access is set up to allow wildcarded usernames
- BugFix: Add new export category and create directory if it does not exist
- BugFix: New version available string is missing the new version title
- BugFix: Error when dividing by zero when creating the digital signature
- BugFix: User information from primary directory is lost when they also exist in another scanned directory
- BugFix: Attempt to fix situations where user receives ERROR: Object variable not set #: 91, line: 3
- BugFix: Correct the spelling of “signing” on “signing” page
- BugFix: Utility is duplicated on the Nomad page

For more details and to download the latest version see

https://opensource.hcltechsw.com/domino-license-analysis-utility-DLAU/

PS: As mentioned in our privacy statement, the tool performs all activity in your environment with no data being sent back to HCL without your explicit consent.

Available now: HCL Notes/Domino 14.0 Fix Pack 1- 17 April 2024 - (0) Comments

Thomas Hampel
 17 April 2024

HCL just released Fix Pack 1 for HCL Notes/Domino 14, providing 92 fixes and updates for client and server.
More details of what has been fixed are provided in the Release Notice, or if you prefer reading the classic Fix List Database style, see this => Notes/Domino Fix List

Before installing this update, please verify the system requirements:
- HCL Domino 14.0 and 14.0 Fix Pack 1 System Requirements (KB0108740); for IBMi see KB0108946
- HCL Notes 14.0 and 14.0 Fix Pack 1 System Requirements (KB0108739)
- HCL iNotes 14.0 and 14.0 Fix Pack 1 Browser Requirements (KB0108942)

These kits are available for download at our new MyHCLSoftware download portal at the following URLs:

https://my.hcltechsw.com/downloads/domino/notes/14.0fp1
https://my.hcltechsw.com/downloads/domino/domino/14.0fp1

Bonus:
If you already have the new AutoUpdate feature enabled, you'll see what's shown in the screenshot below.

For how to use this feature, see the Domino V14 Deep Dive webinar Auto Notify, Update & Install

Image:Available now: HCL Notes/Domino 14.0 Fix Pack 1

New HCL Domino Marketplace - Get your apps & tools listed now!- 3 April 2024 - (0) Comments

Thomas Hampel
 3 April 2024

Good News Folks!

"It took forever, but now it's live" wrote the engineer (Thank You Scott) when he told me that our redesigned HCL Domino Marketplace submission form finally went live.
Based on input from our developer and partner community the team improved the functionality and the look and feel of the site.

The submission process has been revamped into a multi-stage form with improved structure, enabling the option to save submissions as drafts.
Submitting your products, solutions, or Domino templates is free of charge and now is even easier than ever.

Try yourself:
Image:New HCL Domino Marketplace - Get your apps & tools listed now!

Simply follow these steps:


1. Start here: https://hclsofy.com/managecontent
2. Log in with your existing HCL ID / Partner credentials, or create a new account as needed.

3. Click on "Domino Submission"

Image:New HCL Domino Marketplace - Get your apps & tools listed now!
4. Fill in the required information about your application.

Please note, there are two types of applications:
- Products, which are commercial Domino applications, addons, templates, etc.
- Templates, which are non-commercial templates you want to make available for download at no charge.

5. Upload any necessary screenshots, provide the metadata required

6. Hit submit, and you're done!


References:
- HCL Domino Marketplace
- Here you can find a more detailed description of each field and how to fill in the form
- My Blog Submit your apps now.

Welcome Domino License Analysis Utility (DLAU) 1.2.3- 29 March 2024 - (0) Comments

Thomas Hampel
 29 March 2024

Hi Folks,

The new version 1.2.3 of the Domino License Analysis Utility (DLAU) has just been published.
The tool allows customers to analyze their current environment to identify the license needs.

The new version especially addresses a problem (DNEXT-26194) where 32Bit Notes clients may not be able to run an analysis.


What's New ?

- Include DLAU version in the emailed report

- Added additional logging output behind Notes.ini DLAU_VERBOSE_MODE=1
- Fix : DNEXT-26194 - Recompiled LotusScript with 32-bit compiler
- Fix : DNEXT-26190 - Global variable was being updated incorrectly causing incorrect error message
- Fix : DNEXT-25836, DNEXT-25837 - addressed typo and string updates

For more details and to download the latest version see

https://opensource.hcltechsw.com/domino-license-analysis-utility-DLAU/

PS: As mentioned in our privacy statement, the tool performs all activity in your environment with no data being sent back to HCL without your explicit consent.

Welcome Domino License Analysis Utility (DLAU) 1.2.2- 19 February 2024 - (0) Comments

Thomas Hampel
 19 February 2024

Hi Folks,

The new version 1.2.2 of the Domino License Analysis Utility (DLAU) has just been published.
The tool allows customers to analyze their current environment to identify the license needs.

The new version addresses a number of issues and improvement requests customers had reported; here's a short list:

What's New ?

- Ability to check for new version

- Include user names from entitlement tracking (if it exists) in user counting process
- Fix string in dialog that warns the user they don’t have appropriate rights to the names.nsf
- Fix string in dialog that warns the user they don’t have the appropriate role in the Domino Directory
- Fix Issue #50: Observation information is not accurate when non-Domino LDAP is used as authentication
- Admin server is changing when additional directories are identified
- Incorrect error message due to improper casing on file naming comparison
- Corrected misspelled word
- With DLAU_VERBOSE_MODE=1 set in the Notes.INI before beginning the scan, logging has been enhanced to capture the output in the scan log as well as to log additional information.

For more details and to download the latest version see

https://opensource.hcltechsw.com/domino-license-analysis-utility-DLAU/

PS: As mentioned in our privacy statement, the tool performs all activity in your environment with no data being sent back to HCL without your explicit consent.

Available now: HCL Notes/Domino 12.0.2 Fix Pack 3- 17 January 2024 - (0) Comments

Thomas Hampel
 17 January 2024

HCL just released Fix Pack 3 for HCL Notes/Domino 12.0.2.
More details of what has been fixed are provided in the Release Notes, or if you prefer reading the classic Fix List Database style, see this => Notes/Domino Fix List

Before installing this update, please verify the system requirements:
- HCL Notes 12.0.2, 12.0.2 Fix Pack 3 System Requirements
- HCL Domino 12.0.2 Fix Pack 3 System Requirements

These kits are available for download at our new MyHCLSoftware download portal at the following URLs:

https://my.hcltechsw.com/downloads/domino/notes/12.0.2fp3
https://my.hcltechsw.com/downloads/domino/domino/12.0.2fp3

Bonus:
If you are already running Domino V14 and have the new AutoUpdate feature enabled, you'll see what's shown in the screenshot below.
Learn more on how to use this feature by joining our Domino V14 Deep Dive webinar series on Jan. 31 on Domino v14 Auto Notify, Update & Install

Image:Available now: HCL Notes/Domino 12.0.2 Fix Pack 3

HCL Domino Marketplace - submit your apps, products, solutions, and templates NOW- 19 December 2023 - (0) Comments

Thomas Hampel
 19 December 2023

Dear HCL Domino Community, Developers and Partners,

Earlier this year at the Collabsphere conference, we announced that we are working on our brand-new HCL Domino application marketplace/appstore, and we want YOU to be a part of it!
We believe that your applications deserve a spotlight, and our new marketplace is the perfect platform for you to showcase your work to a wider audience.


Here are a few reasons why you should consider submitting your applications to our marketplace:


Increased Visibility:

The new Domino marketplace is designed to attract current and new customers, tech enthusiasts, and industry professionals.
By featuring your applications here, you'll get the exposure your work deserves.


Our courtesy to your HCL Domino investment

Having your application listed is free of charge.
All we need is some information about your app such as name, description, screenshots.


Improving adoption

Even if your application or tool is a non-commercial asset you have developed, submitting it to the Domino marketplace will grow your user base and reputation.

Receive valuable feedback from users and improve your applications based on real-world usage. This iterative process can lead to enhancements and optimizations you might not have considered.


Submitting your application is easy!

Simply follow these steps:


1. Start here: https://hclsofy.com/managecontent
2. Log in with your existing HCL ID / Partner credentials, or create a new account as needed.

3. Click on "Domino Submission"

Image:HCL Domino Marketplace - submit your apps, products, solutions, and templates NOW
4. Fill in the required information about your application.

Please note, there are two types of applications:
- Products, which are commercial Domino applications, addons, templates, etc.
- Templates, which are non-commercial templates you want to make available for download at no charge.


5. Upload any necessary screenshots, provide the metadata required

6. Hit submit, and you're done!


Here you can find a more detailed description of each field and how to fill in the form.

We can't wait to see the amazing applications you've developed and share them with the world.
If you have any questions or need assistance during the submission process, please let me know.


Thank you for being a driving force in the world of the Domino technology!

HCL Domino 14 is available now!- 7 December 2023 - (0) Comments

Thomas Hampel
 7 December 2023

Hi Folks

I'm very happy to announce that HCL Notes/Domino V14 has just been released and is available for download.


Among lots of other new features and cool stuff, my personal highlights in this release are:

- Passkey support
- Auto-Update / Update Notifications
- AdminCentral

and of course the fact that Verse, Nomad and Ontime are now integrated in the Domino installer.


Of course there is a lot more that I could write about here, but I've already written a comprehensive blog post that will be posted later today at our corporate blog

What do you need to do now?

1. Join our webcast on December 7 @ 10am ET - to attend, please Register now!
2. Read What's new in HCL Domino 14
3. Download the latest version from our new software download portal
4. Plan your upgrade


Image:HCL Domino 14 is available now!

Image:HCL Domino 14 is available now!

Welcome Domino License Analysis Utility (DLAU) 1.2.1- 1 December 2023 - (0) Comments

Thomas Hampel
 1 December 2023

Hi Folks,

The new version 1.2.1 of the Domino License Analysis Utility (DLAU) has just been published.
The tool allows customers to analyze their current environment to identify the license needs.

The new version addresses a number of issues and improvement requests customers had reported; here's a short list:


What's New ?
  • Added support for scanning Directory Assistance on all servers in the environment.
  • Idea Domino-I-2499 - The Customer Name, HCL Customer, etc. can now be stored in a configuration document
    • Added the ability to output logging to the status bar to give the scanner an improved experience to understand progress.
      Set DLAU_VERBOSE_MODE=1 in the Notes.INI before beginning the scan.
  • Version of DLAU is now included in the printable report as well as it is stored on the results of each scan to see how scans change over releases.
  • Addressing an issue when Domino is used as LDAP server
  • Fixed Issue #54 - Logging improvements have additional spaces around each functional area of scanning for visual improvements.
  • Fixed Issue #34 - Export CCB Users does not provide content
  • Fixed Issue #39 - Clicking on “Deny Access Users” opens the view “dagroups” instead of “UserInfo”
  • Fixed Issue #41 - Issues with Directory Catalog not in root directory
  • Fixed Issue #46 - Bug when DA is not trusted for credentials
  • Fixed Issue #47 - External (CCX) Users Who are not listed in Entitlement Tracking are being recognized as CCB Users
  • Fixed an issue when Clicking on the pop-up help does not work and is missing in certain situations.
  • Fixed an issue when the UI shifts when selecting an entry in the “Observations” field on the results page if there is a value that is too long

For more details and to download the latest version see

https://opensource.hcltechsw.com/domino-license-analysis-utility-DLAU/

PS: As mentioned in our privacy statement, the tool performs all activity in your environment with no data being sent back to HCL without your explicit consent.

    Is HCL Notes/Domino using Oracle Java?- 13 October 2023 - (0) Comments

    Thomas Hampel
     13 October 2023

    The short answer: No!

    Background:

    On January 23, 2023, Oracle announced (again) yet another new licensing model for Oracle Java that represents a dramatic price increase for large organizations.
    This can lead to interesting discussions since e.g., a 40,000-employee organization could be asked to spend USD $2.5M annually just on Oracle Java alone.

    What Java version is used by Notes and Domino?

    Notes and Domino provide the Java runtime as part of the product, so customers do NOT need to download or install the Java runtime environment separately.
    Since the JVM/JDK is part of the licensed product, it is covered under the product license of HCL or previously the product license of IBM.

    With the acquisition of the product by HCL, dependencies on IBM Java were removed and replaced with OpenJDK, effective with version 11.0.0 of HCL Notes/Domino.
    Java updates are provided by HCL (and previously by IBM) typically as part of regular fix packs.

    Here is a simplified overview of what Java version is used in the product:

    | Notes/Domino | Java Version | Java Vendor | JVM | Remarks |
    |---|---|---|---|---|
    | 14.0.x | 17 LTS | IBM Semeru | OpenJ9 | Open Edition |
    | 12.0.x | 8 | AdoptOpenJDK, later IBM Semeru | OpenJ9 | renamed to Adoptium |
    | 11.0.x | 8 | AdoptOpenJDK, later IBM Semeru | OpenJ9 | renamed to Adoptium |
    | 10.0.x | 8 | IBM | IBM J9 | see IBM FAQ |
    | 9.0.1 | 8 | IBM | IBM J9 | see IBM FAQ |
    | 9.0.0 | 6 | IBM | IBM J9 | |

    A more comprehensive overview of which Java flavour and patch level is included in which release of Domino is provided later on in this blog post.

    For details, please refer to

    Special cases and exceptions?
    • MacOS: old versions of the IBM Notes Client before(!) 9.0.1 IF17 did not include any Java runtime. Customers may have manually installed a JVM, e.g. the Oracle runtime.
      Starting with Notes Client 9.0.1 IF17 the product includes the IBM Java runtime. Customers are encouraged to upgrade to a more current version of the HCL Notes Client for MacOS.
    • IBMi (=iSeries): HCL Domino will use the version provided by the platform.
    • HCL Client for Application Access (HCAA), formerly known as IBM Client for Application Access (ICAA), does not provide a Java VM; it uses a JVM that you choose to install yourself.
      A JVM needs to be provided only for accessing Domino applications that run Java code >in< the HCAA client.

    What about Nomad, Verse, Enterprise Integrator, SAP Connector, etc?

    These products are addons to Domino and unless otherwise specified they leverage the JVM provided by Domino.


    IBM? OpenJDK? Semeru? Adoptium? Eclipse? - Are you confused as well?

    It's not easy to even get a basic understanding of the various project names, forks, branches and takeovers, but I'll try providing a short intro without covering the entire history of Java nor what Java itself is.
    In the context of Notes and Domino, this is what you need to know:
    • OpenJDK is a free and open-source implementation of the Java Platform, Standard Edition (Java SE); it is a Java Development Kit (JDK)
    • OpenJ9 is a Java virtual machine (JVM), contributed to the Eclipse project by IBM
    • AdoptOpenJDK was a project for producing vendor-neutral builds of OpenJDK
    • AdoptOpenJDK merged into Eclipse Adoptium to provide a prebuilt OpenJDK; that release is now named Temurin
      With this move, Adoptium is, according to them, not allowed to release OpenJ9-based or GraalVM-based runtimes
    • IBM comes to the rescue and provides OpenJ9 builds at no charge as the IBM Semeru runtime, which includes the OpenJ9 Java VM
    • IBM Semeru comes in two flavours:
      a) IBM Semeru Runtime Open Edition, which is open source (GPLv2) licensed and is not TCK (Technology Compatibility Kit) certified
      b) IBM Semeru Runtime Certified Edition, which is Java TCK-certified
    • Former "IBM Java" has been moved into IBM Semeru Runtime Certified Edition at Java version 11
    • HCL Notes and Domino are using IBM Semeru Open Edition.

    For better understanding of the above, here is a chart that explains:

    Image:Is HCL Notes/Domino using Oracle Java?
    As outlined above, HCL Notes and Domino is embedding IBM Semeru and does not use any Oracle Java.

    Table: Java versions used by Notes and Domino

    Source: KB0037886 - What is the impact to JVM support in Notes/Domino with Oracle's announcement to charge?

    | Notes/Domino | Version | Java Runtime Vendor | Java | Version |
    |---|---|---|---|---|
    | V12 | 12.0.2 Fix Pack 2 | IBM Semeru Runtime Open Edition | 8 | Semeru jdk8u372-b07 |
    | | 12.0.2 Fix Pack 1 | | | Semeru jdk8u362-b09 |
    | | 12.0.2 | AdoptOpenJDK | 8 | OpenJDK jdk8u345-b01 |
    | | 12.0.1 Fix Pack 1 | | | OpenJDK jdk8u312-b07 |
    | | 12.0.1 | | | OpenJDK jdk8u302-b08 |
    | | 12.0.0 | | | OpenJDK jdk8u282-b08 |
    | V11 | 11.0.1 Fix Pack 8 | | | OpenJDK jdk8u372-b07 |
    | | 11.0.1 Fix Pack 7 | | | OpenJDK jdk8u352-b08 |
    | | 11.0.1 Fix Pack 6 | | | OpenJDK jdk8u332-b09 |
    | | 11.0.1 Fix Pack 5 | | | OpenJDK jdk8u312-b07 |
    | | 11.0.1 Fix Pack 4 | | | OpenJDK jdk8u302-b08 |
    | | 11.0.1 Fix Pack 3 | | | OpenJDK jdk8u282-b08 |
    | | 11.0.1 Fix Pack 2 | | | OpenJDK jdk8u265-b01 |
    | | 11.0.1 Fix Pack 1 | | | OpenJDK jdk8u252-b09 tzdata 2020a |
    | | 11.0.1 | | | OpenJDK jdk8u242-b08 tzdata2019c |
    | | 11.0.0 | | | OpenJDK jdk8u222-b10 |
    | V10 | 10.0.1 FP8 | IBM Java | 8 | IBM Java 8.0 SR7FP6_tzdata2022a |
    | | 10.0.1 FP7 | | | IBM Java 8.0 SR6FP25_tzdata2021a |
    | | 10.0.1 FP6 | | | IBM Java 8.0 SR6FP10_tzdata2020a |
    | | 10.0.1 FP5 | | | IBM Java 8.0 SR6FP5_tzdata2019c |
    | | 10.0.1 FP4 | | | IBM Java 8.0 SR5FP40_tzdata2019c |
    | | 10.0.1 | | | IBM Java 8.0 SR5FP21 |
    | | 10.0.0 | | | IBM Java 8.0 SR5FP16ifix |
    | V9 | 9.0.1 Fix Pack 10 Interim Fix | | | IBM Java 8.0 SR6FP25 |
    | | 9.0.1 Fix Pack 10 | | | IBM Java 8.0 SR5FP21 tzdata2018e |
    | | 9.0.1 Fix Pack 9 | | | IBM Java 8.0 SR4FP5 |
    | | 9.0.1 Fix Pack 8 | | | IBM Java 8.0 SR3FP12 |
    | | 9.0.1 Fix Pack 7 | IBM Java | 6 | IBM Java 6.0 SF16FP30 |
    | | 9.0.1 Fix Pack 6 | | | IBM Java 6.0 SF16FP20 |
    | | 9.0.1 Fix Pack 5 | | | IBM Java 6.0 SF16FP15 |
    | | 9.0.1 Fix Pack 4 | | | IBM Java 6.0 SR16FP4 |
    | | 9.0.1 Fix Pack 3 | | | IBM Java 6.0 SR16FP2 |
    | | 9.0.1 Fix Pack 2 | | | IBM Java 6.0 SR16 |
    | | 9.0.1 Fix Pack 1 | | | IBM Java 6.0 SR15FP1 |
    | | 9.0.1 | | | IBM Java 6.0 SR14 + ifix |
    | | 9.0.0 | | | IBM Java 6.0 SR12+ ifix |





    Remarks:

    IBM SDK, Java Technology Edition, Version 6 has reached end of life, see
    https://www.ibm.com/support/pages/java-sdk-downloads-version-60

    How to check which Java version is used?

    From the program directory of the Notes client or Domino server:

    cd jvm/bin
    ./java -version


    Example:

    Checking the Java version used by the HCL Notes Client 14.0 (Early Access version) on Windows:

    Image:Is HCL Notes/Domino using Oracle Java?

    C:\Program Files\HCL\Notes>cd jvm/bin

    C:\Program Files\HCL\Notes\jvm\bin>java -version
    openjdk 17.0.4.1 2022-08-12
    IBM Semeru Runtime Open Edition 17.0.4.1 (build 17.0.4.1+1)
    Eclipse OpenJ9 VM 17.0.4.1 (build openj9-0.33.1, JRE 17 Windows 7 amd64-64-Bit
    Compressed References 20220812_237 (JIT enabled, AOT enabled)
    OpenJ9   - 1d9d16830
    OMR      - b58aa2708
    JCL      - 1f4d354e654 based on jdk-17.0.4.1+1)
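
The check above can be scripted for an inventory of several installations. The following Python script is an added example, not part of the original post and not an HCL tool: it runs jvm/bin/java -version from a given program directory and classifies the vendor from the banner. The Oracle and IBM Java 8 banners are constructed samples and the function names are hypothetical; IBM Java 8 also prints "Java(TM) SE Runtime Environment", so the VM line is checked before a runtime is reported as Oracle.

```python
import re
import subprocess
from pathlib import Path

# Banner quoted in the post above (Notes Client 14.0 Early Access, Windows).
SEMERU_BANNER = """\
openjdk 17.0.4.1 2022-08-12
IBM Semeru Runtime Open Edition 17.0.4.1 (build 17.0.4.1+1)
Eclipse OpenJ9 VM 17.0.4.1 (build openj9-0.33.1, JRE 17 Windows 7 amd64-64-Bit
Compressed References 20220812_237 (JIT enabled, AOT enabled)
"""

# Constructed samples (not taken from the post) in the format these runtimes print.
ORACLE_BANNER = """\
java version "1.8.0_361"
Java(TM) SE Runtime Environment (build 1.8.0_361-b09)
Java HotSpot(TM) 64-Bit Server VM (build 25.361-b09, mixed mode)
"""
IBM_JAVA8_BANNER = """\
java version "1.8.0_181"
Java(TM) SE Runtime Environment (build 8.0.5.21 - pwa6480sr5fp21-20180830_01(SR5 FP21))
IBM J9 VM (build 2.9, JRE 1.8.0 Windows 10 amd64-64-Bit Compressed References)
"""

# First banner line: 'openjdk 17.0.4.1 2022-08-12' or 'java version "1.8.0_361"'.
VERSION_RE = re.compile(r'^(?:openjdk|java)(?:\s+version)?\s+"?([^"\s]+)"?')


def classify_banner(banner):
    """Return version, vendor, VM family and an Oracle flag for a -version banner."""
    lines = [ln.strip() for ln in banner.splitlines() if ln.strip()]
    match = VERSION_RE.match(lines[0]) if lines else None
    version = match.group(1) if match else None
    text = "\n".join(lines)

    # Identify the VM first: the runtime line alone is ambiguous.
    if "OpenJ9" in text:
        vm = "OpenJ9"
    elif "IBM J9" in text:
        vm = "IBM J9"
    elif "HotSpot" in text or "Server VM" in text:
        vm = "HotSpot"
    else:
        vm = None

    if "IBM Semeru Runtime" in text:
        vendor = "IBM Semeru"
    elif vm == "IBM J9":
        vendor = "IBM"
    elif vm == "OpenJ9":
        vendor = "OpenJDK build with OpenJ9"
    elif "Java(TM) SE Runtime Environment" in text and "HotSpot(TM)" in text:
        vendor = "Oracle"
    elif "openjdk" in text.lower():
        vendor = "OpenJDK build"
    else:
        vendor = "unknown"
    return {"version": version, "vendor": vendor, "vm": vm,
            "oracle": vendor == "Oracle"}


def java_banner(program_dir):
    """Run jvm/bin/java -version below a Notes/Domino program directory."""
    java = Path(program_dir) / "jvm" / "bin" / "java"
    proc = subprocess.run([str(java), "-version"],
                          capture_output=True, text=True, check=False)
    # java -version writes its banner to stderr, not stdout.
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    for name, banner in [("page sample", SEMERU_BANNER),
                         ("constructed Oracle", ORACLE_BANNER),
                         ("constructed IBM Java 8", IBM_JAVA8_BANNER)]:
        print(name, classify_banner(banner))
```
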



    References:

    Finally:
    I hope this brief explanation will help to better understand the usage of Java in our product and provides you with enough of a justification to upgrade to the most current version of HCL Notes and Domino.

    So upgrade NOW!

    Good News for IBMi customers - Domino now supports Power 10 Hardware- 13 September 2023 - (0) Comments

    Thomas Hampel
     13 September 2023

    Good News for Domino customers running on IBMi hardware!


    As of today HCL Domino 12.0.2 is officially supported to run on IBMi 7.5 on Power 10 hardware.

    Compatibility testing took longer than expected but has now finished successfully, so you can now go ahead and plan your upgrade projects.
    Please note that customers are recommended to use FixPack 2 for Domino 12.0.2 as this Fix Pack addresses some IBMi specific updates.
    Image:Good News for IBMi customers - Domino now supports Power 10 Hardware

    References:
    https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0101447

    HCL and DNUG Community Meeting Berlin - 21.Sept 2023- 11 September 2023 - (0) Comments

    Thomas Hampel
     11 September 2023

    Image:HCL and DNUG Community Meeting Berlin - 21.Sept 2023

    Hello HCL & DNUG Community Berlin!

    By popular demand, we don't want to leave you sweating in these hot times, so we are inviting you to a real community meeting, on site in Berlin.
    There will be news about the HCL products, an outlook on Domino V14, and live demos that have never been shown before.

    With cold drinks, food and good spirits, we will spend the rest of the evening on conversations and questions about the HCL product family.

    Every participant is of course very welcome!


    We offer:
  • What's New in Domino V14 - a preview of cool features in the next version.

    When?
    Thursday, 21 Sept 2023
    Time: 18:00 until ...

    Where?

    Paulaner im Spreebogen

    Alt-Moabit 98

    10559 Berlin

    https://paulaner-im-spreebogen.de/

    Registration?

    https://dnug.de/events/stammtische/berlin/

    False Alarm: New Domino Backdoor- 20 April 2023 - (0) Comments

    Thomas Hampel
     20 April 2023

    IBM XForce is well known for the quality of their research - however this time I'm wondering about the publication.
    They discovered and analyzed a new type of malware (so far so good) and they named it ... "Domino"

    Don't Panic!

    HCL already published this technote to clarify that this is unrelated to the HCL Domino product and has requested IBM Security X-Force to correct this unfortunate use of HCLSoftware’s registered and licensed product name.

    Update!
    IBM updated their article and have renamed the malware - it is now called "Minodo"

    In short:

    1. There is no backdoor in HCL Domino

    2. The new malware which IBM has discovered has NOTHING to do with HCL Domino.

    3. This malware does NOT affect HCL Domino



    Reference:

    https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0104503
    https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor/

    We need your input - Domino Admin Survey- 18 April 2023 - (0) Comments

    Thomas Hampel
     18 April 2023

    Hey Domino Administrators out there,

    HCL is looking for your input regarding how you are managing your environment.

    Can you please help by answering this small survey?

    It is completely anonymous and consists of a few questions to gather information on how Domino is used and how software updates are handled by Domino customers.

    It should take less than 3min. to complete.


    If you are managing more than one Domino environment please submit a survey for each one.

    https://hclsw.co/domino-admin-survey

    Image:We need your input - Domino Admin Survey

    Available now: HCL Notes/Domino 12.0.2 Fix Pack 1- 17 April 2023 - (0) Comments

    Thomas Hampel
     17 April 2023

    HCL just released Fix Pack 1 for HCL Notes/Domino 12.0.2.
    More details of what has been fixed are provided in the Release Notes or if you prefer reading the classic Fix List Database style see this => Notes/Domino Fix List

    Before installing this update, please verify the system requirements:
    The following kits/packages are now available for download on Flexnet for entitled customers:

    Notes Client
    HCL Notes 12.0.2FP1 Basic Configuration for Windows English 32-bit
    HCL Notes 12.0.2FP1 for Windows 32-bit
    HCL Notes 12.0.2FP1 for Windows 64-bit
    HCL Notes 12.0.2FP1 for Mac 64 bit

    Domino Server
    HCL Domino Server 12.0.2FP1 for Windows 64bit
    HCL Domino Server 12.0.2FP1 for AIX
    HCL Domino Server 12.0.2FP1 for Linux
    HCL Domino Server 12.0.2FP1 IBMi
    HCL Domino 12.0.2FP1 Docker image

    How to run HCL Domino on a QNAP NAS- 21 March 2023 - (0) Comments

    Thomas Hampel
     21 March 2023

    Image:How to run HCL Domino on a QNAP NAS

    Some time ago I did a demo running Domino on a QNAP network attached storage device.
    Thanks to Docker and the Domino Container project which Daniel and I are maintaining, running a fully featured Domino environment incl. Verse, Nomad, Rest API, Traveler and Leap is not a problem even on entry level hardware.

    Details and step-by-step instructions have been published here in the Domino container project documentation.
    Enjoy reading!

    Help! DAOS files have been removed - the impact of a misconfigured backup job- 22 February 2023 - (0) Comments

    Thomas Hampel
     22 February 2023

    Recently a customer approached me with a request for help. I'd like to briefly share the story here because it was an interesting case.

    On a Friday, the Domino team noticed severe problems with loading attachments; users reported they were no longer able to open attachments.

    It seemed like not a single DAOS object could be opened anymore by the server.

    Domino servers were reporting: Error 0x80070780: The file cannot be accessed by the system.


    Checking the DAOS repository on the Domino server's disk revealed that those files were displayed with a file size of XX MByte but actually had a size of ZERO BYTES (!!!)

    Image:Help! DAOS files have been removed - the impact of a misconfigured backup job

    Potential cause? Maybe a broken hard disc or filesystem? People even assumed Domino itself would be responsible for destroying DAOS objects on disk.

    To mitigate the issue, a full restore of all DAOS objects was initiated, which took a couple of hours. Afterwards it seemed the situation was resolved.

    However, just one day later the same problem appeared. All DAOS objects again had a size of 0 bytes, with millions of DAOS objects being affected.


    Root cause:

    It turned out the backup software ( Commvault ) was misconfigured - instead of taking a backup of DAOS objects it was configured for >archiving< them.

    Archiving in this case means that files will be moved to the backup environment but a 0 byte place holder will remain.

    One could claim the user interface of Commvault backup easily allows for clicking the wrong option as both of them are listed next to each other.
    There is no visible difference between the configuration screens later on, so unfortunately it was a human error/mistake to click on the wrong option.

    Image:Help! DAOS files have been removed - the impact of a misconfigured backup job

    Solution:

    Initiate a restore job of files that were archived to the Commvault environment.

    https://documentation.commvault.com/v11/essential/134649_restoring_archived_data.html

    Lessons learned:

    Don't blame the top level application for a failure just because it is most impacted.
    Open a support ticket at HCL and work together as a team to investigate and resolve the issue.
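
A scheduled check along the following lines would surface this condition before users report it. It is an added example, not part of the original post and not an HCL or Commvault tool: it walks a DAOS repository, counts the .nlo object files and flags any that are zero length or, on Windows, carry the offline or reparse-point attribute. That archive placeholders carry one of those attributes is an assumption, and the function names and the constructed sample tree are hypothetical.

```python
import os
import stat
import tempfile
from pathlib import Path

# Windows file attribute bits (values from the Win32 API). Assumption: a
# placeholder left behind by an archiving job has at least one of them set.
FILE_ATTRIBUTE_REPARSE_POINT = 0x0400
FILE_ATTRIBUTE_OFFLINE = 0x1000


def placeholder_reason(path):
    """Return why a DAOS object looks like a placeholder, or None if it looks intact."""
    st = os.lstat(path)  # lstat: inspect the entry itself, do not follow it
    if stat.S_ISDIR(st.st_mode):
        return None
    attrs = getattr(st, "st_file_attributes", 0)  # only present on Windows
    if attrs & FILE_ATTRIBUTE_OFFLINE:
        return "offline attribute"
    if attrs & FILE_ATTRIBUTE_REPARSE_POINT:
        return "reparse point"
    if st.st_size == 0:
        return "zero length"
    return None


def scan_daos(base_dir):
    """Walk the DAOS base directory; return (object count, list of findings)."""
    base = Path(base_dir)
    total, findings = 0, []
    for path in sorted(base.rglob("*.nlo")):  # DAOS stores objects as .nlo files
        if path.is_dir():
            continue
        total += 1
        reason = placeholder_reason(path)
        if reason:
            findings.append((path.relative_to(base).as_posix(), reason))
    return total, findings


def build_sample_repo():
    """Constructed sample tree: one intact object, one empty one, one unrelated file."""
    base = Path(tempfile.mkdtemp(prefix="daos-sample-"))
    sub = base / "0001"
    sub.mkdir()
    (sub / "sample-ok.nlo").write_bytes(b"x" * 4096)
    (sub / "sample-empty.nlo").write_bytes(b"")
    (sub / "readme.txt").write_bytes(b"")
    return str(base)


if __name__ == "__main__":
    repo = build_sample_repo()
    count, bad = scan_daos(repo)
    print(f"{count} DAOS objects scanned, {len(bad)} suspected placeholders")
    for rel, why in bad:
        print(f"  {rel}: {why}")
```
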

    Developers: New C API Toolkit 12.0 is available now- 2 September 2021 - (0) Comments

    Thomas Hampel
     2 September 2021

    Again: good news for developers and partners out there who work on plugins and extensions for Domino.
    We just published the V12 version of the C API Toolkit for Domino and Notes:

    Image:Developers: New C API Toolkit 12.0 is available now
    Interesting side note: after 7 years without any new release, HCL published two major releases of the toolkit just in one year.

    This new version provides a number of new API calls and, as promised, provides the make files and MSVS project files developers were looking for.
    You can find the new V12 C API Toolkit in the Domino V12 server product category on Flexnet Downloads

    Image:Developers: New C API Toolkit 12.0 is available now

    Reference:

    Group 3 Languages for HCL Notes and Domino 11.0.1- 16 August 2021 - (0) Comments

    Thomas Hampel
     16 August 2021

    Good news: HCL Notes 11.0.1 is now available in even more languages!

    You asked for it (see DOMINO-I-831 and NTS-I-842), so in addition to the 16 languages the Notes client was already providing, HCL is delivering nine more language translations:
    • Danish
    • Finnish
    • Norwegian
    • Catalan
    • Hebrew
    • Hungarian
    • Slovenian
    • Thai
    • Turkish

    Install kits for the HCL Notes Standard and Basic Client V11.0.1 in those languages can be found at Flexnet under the Notes/Domino version 11.0.1.

    Image:Group 3 Languages for HCL Notes and Domino 11.0.1

    Multilingual User Interface (MUI) kits for those languages, as well as the Install Shield Tuner files to customize your installation are also provided:
    Image:Group 3 Languages for HCL Notes and Domino 11.0.1
    Image:Group 3 Languages for HCL Notes and Domino 11.0.1

    References:

    Developers: New C API Toolkit 11.0.1 now available- 8 February 2021 - (0) Comments

    Thomas Hampel
     8 February 2021

    Good news for developers and partners out there who work on plugins and extensions for Domino.
    We just published a new version of the C API Toolkit, actually the first new version in more than 7 years.

    This is the first HCL shipment of the C API and it signals an ongoing commitment to revamp the C API development story.
    It now supports building applications using the GUI environment for Visual Studio 2017.

    However, as Ulrich Krause already highlighted in his blog, it contains only very few new API calls so far, and make files were removed because they did not work anymore.
    HCL's development team is working on a V12 version of the C API Toolkit that will be providing make files and MSVS project files again. This version 12 will be provided after Domino V12 has shipped.


    You can find the current/updated C API Toolkit in the Domino server product category on Flexnet Downloads

    Image:Developers: New C API Toolkit 11.0.1 now available


    Reference:

    Partners : locating the Domino V12 Beta in Flexnet- 1 February 2021 - (0) Comments

    Thomas Hampel
     1 February 2021

    We recently announced the beta launch of HCL Domino V12, which is available to all current customers.
    While for a customer the download is easy to find, partners have to navigate along the entitlement tree to find it.


    So for reference here is how an HCL Partner can locate the download packages:


    1. Log in to Flexnet
    2. Click on "List all entitlements"

    3. In the top right corner of the list, search by Product contains 'collab' as shown in the screenshot below.

    4. Find the product bundle "HCL Bundle Mail & Social Collaboration", make sure the entitlement has not expired and click the "Download Now" button


    Image:Partners : locating the Domino V12 Beta in Flexnet


    5. In this bundle, click the package "Notes/Domino 12.0 Beta 1"

    Image:Partners : locating the Domino V12 Beta in Flexnet

    6. ...and find the downloads you are looking for, including the Notes Client in 16 local language versions, the Domino installer for AIX, Linux and Windows, as well as the V12 Domino Docker image.

    Image:Partners : locating the Domino V12 Beta in Flexnet

    It also needs to be noted that the Domino on Docker community project added support for V12 in the develop branch.

    Happy testing !



    HCL Domino V12 Early Access Program - New October release is available now- 13 October 2020 - (0) Comments

    Thomas Hampel
     13 October 2020

    Last month we introduced the HCL Domino V12 Early Access Program, in which we are providing customers the chance to test new product features early in the development cycle.
    Our engaged development team has provided a new code drop (named "October 2020") which is available now for download at Flexnet to all current customers.

    This code drop provides a number of very interesting features that our dev team wants to have YOUR feedback on:

    Image:HCL Domino V12 Early Access Program - New October release is available now

    What is being provided in this release


    Time-based one-time password (TOTP) authentication
    When users log on to a Domino Web server, you can now require that they provide time-based one-time passwords in addition to their user names and passwords.
    These one-time passwords are generated by authenticator apps like
    Authy, Google Authenticator or similar.

    DAOS Version 2
    DAOS Version 2 (DAOSV2) is a new version of DAOS that provides a more reliable way of tracking DAOS objects on a server.


    Certificate management improvements
    A number of enhancements and improvements related to certificate management are provided:
    • TLS 1.0 is now disabled by default
    • Support for PEM-file format, in addition to *.kyr file format
      (Note: This feature is intended as a test bed for future work supporting PEM-formatted keys and certificates )
    • Support for using CertMgr to import third-party CA keys and certificates - based on this idea (Thanks Martin!)
    • Support for replacing keys generated by the Let's Encrypt CA

    Domino directory enhancements
    A number of improvements around the Domino directory design (pubnames.ntf) to improve usability for administrators. Some of these were long-standing requests - if you like what you see, please vote for the idea(s) referenced below

    New LotusScript & Java Methods for developers - also based on your input from this idea (Thanks Michael!)
    ...to support transaction based operations in LS and Java.


    Furthermore I need to mention those features that were provided in the previous release (September 2020)

    We are looking for YOUR feedback on the features provided above, so please:

    1. Start testing the Early Access Code - details on how to get started can be found here
    2. Vote for the ideas referenced or leave a comment
    3. Join the discussion and provide feedback in our forum here.


    Available now: Notes/Domino 10.0.1 Fix Pack 6- 29 September 2020 - (0) Comments

    Thomas Hampel
     29 September 2020

    For those of you who have not yet upgraded to V11 but are running Notes/Domino V10.0.1 we have just released a new Fix Pack.
    Fix Pack 6 for 10.0.1 is the latest update and HCL strongly recommends that customers running Notes/Domino 10.0.1 apply this Fix Pack since it addresses a small percentage of defects that impact the broadest set of customers.

    More details of what has been fixed are provided here => Notes/Domino 10.0.1 Fix Pack 6 Release Notice and Fix List or if you prefer reading the classic Fix List Database style see this => Notes/Domino Fix List

    also please verify the system requirements:
    Finally the following kits/packages are now available for download on Flexnet for entitled customers:

    Notes Client
    HCL Notes v10.0.1 FP6 Basic Configuration for Windows English
    HCL Notes v10.0.1 FP6 Windows English
    HCL Notes v10.0.1 FP6 Mac 64 bit English

    Domino Server
    HCL Domino Server v10.0.1 FP6 64 bit for Windows English
    HCL Domino Server v10.0.1 FP6 64 bit for AIX English
    HCL Domino Server v10.0.1 FP6 64 bit for Linux English
    HCL Domino Server v10.0.1 FP6 for IBM i

    Client for Application Access
    IBM Client Application Access v2.0.5 Windows English
    IBM Client Application Access v2.0.5 Mac English

    Domino Portable Edition - Building the smallest Domino server - Hot Pants for Geeks- 3 August 2019 - (0) Comments

    Thomas Hampel
     3 August 2019

    Two weeks ago at the HCL Factory Tour #3 we showed the (possibly) smallest Domino server ever built.
    With just 47,88 ccm (6,3 x 9,5 x 0,8 cm) it is just a little bigger than a credit card and small enough to fit your pocket. Also, for those of you who remember, it's much smaller than the
    Lotus Foundations box which Mike Rhodin introduced at Lotusphere 2008.
    Thanks to
    Panagenda we also were able to show that you can run Domino off the grid.

    What kind of hardware is this based on?

    It is a Zotac Pi 225 pico, a mini PC fully equipped with CPU, memory and storage, all combined in a case that is passively cooled.
    The case itself looks like a thin 2,5" HDD - but thinner (for US folks : 3.76 x 2.48 x 0.31 inches )

    Image:Domino Portable Edition - Building the smallest Domino server - Hot Pants for Geeks

    Compared to the well known
    Raspberry Pi, this Zotac device is actually smaller (thinner) because it does not expose an ethernet port.
    Image:Domino Portable Edition - Building the smallest Domino server - Hot Pants for GeeksImage:Domino Portable Edition - Building the smallest Domino server - Hot Pants for Geeks

    It weighs less than 500g and its hardware specs looked promising: Intel N3350 dual-core CPU (x86 compatible!), 4GB RAM, 32GB internal storage (expandable via microSD card), Intel HD Graphics 500.
    Furthermore it provides two USB 3.0 Type-C ports for connecting keyboard, HDMI and an ethernet adapter. It also provides an internal 802.11ac Wi-Fi antenna, which I want to use for creating a WiFi hotspot later on.

    You can find it
    here on Amazon for approx. €150

    Stage 1 - Installing Linux

    Zotac comes preinstalled with Windows 10 - an operating system which beside being clunky is not supported for running Domino.

    Of course my idea was to install Domino on Linux. As you know, IBM/HCL supports running Domino on SuSE or Redhat Linux and has also fully supported CentOS since last year.
    After spending a few hours with CentOS I had to learn the hard way that it cannot simply be installed on this Zotac device because it is missing support for this specific Intel Atom CPU.
    The installation caused errors and booting it took several hours before it finally failed.

    Plan B:

    Switch to
    Ubuntu 18.04.2 LTS (alternative installer!) which installs without problems from a USB stick.

    Stage 2 - Linux tuning

    Although the installation itself completed in a few minutes there still are some errors when booting up.

    Most annoying this one:
    systemd-gpt-auto-generator: Failed to dissect: Input/output error. which is caused by the device using an internal MMC card as disk storage.

    To fix this error we have to modify the kernel boot parameters as follows:

    sudo nano /etc/default/grub

    add a parameter to the line "GRUB_CMDLINE_LINUX_DEFAULT"
    GRUB_CMDLINE_LINUX_DEFAULT="systemd.gpt_auto=0"

    After saving changes we need to tell grub to update the bootloader using
    sudo update-grub


    Stage 3 - Install Docker

    We could have installed Domino natively on Linux, but why waste time if we can also run Domino on Docker?

    Installation of Docker on Ubuntu Linux is straightforward:
    sudo apt-get install docker-ce


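    To avoid having to type 'sudo' every time you run the docker command, just add your username to the docker group. Keep in mind that members of the docker group can control the Docker daemon, which is equivalent to root access on the host.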

    sudo usermod -aG docker ${USER}

    For changes to take effect, log off and log on again.

    Image:Domino Portable Edition - Building the smallest Domino server - Hot Pants for Geeks

    Stage 4 - Create Domino Image for Docker

    In order to run Domino in Docker I'm using my (more powerful) MacBook and
    this Github repo to build a docker image.
    All that needs to be done is...
    - clone the repository (or
    download and extract the zip file) to a directory of your choice.
    - Add the Domino Linux installation package + FP2 package into the subfolder "software"

    - run "./build domino"

    A few minutes later you'll have a perfect Domino image to work with...

    Image:Domino Portable Edition - Building the smallest Domino server - Hot Pants for Geeks

    Now we need to export this image by turning it into a tar file using this command:

    docker image save -o domino1001fp2.tar ibmcom/domino:10.0.1FP2

    Copy the resulting file "domino1001fp2.tar" to a USB stick


    Stage 5 - Import Docker Image

    Attach the USB stick to the Zotac device and copy the file  "domino1001fp2.tar" to a directory of your choice, e.g. /tmp

    Then import the image using the command:

    docker image load -i domino1001fp2.tar

    Verify results using the command
    docker image ls - you should now have one image listed.

    In case any tags are missing, add them using the image ID shown by docker image ls (<IMAGE_ID> below):

    docker image tag <IMAGE_ID> ibmcom/domino:10.0.1FP2
    docker image tag <IMAGE_ID> ibmcom/domino:latest


    Stage 6 - Run Domino and Enjoy

    Finally running Domino in this configuration is a piece of cake:

    First create a persistent volume - this is required because we would like to preserve our data directory in case the container is restarted or recreated.

    docker volume create dominodata

    Then spin up a (new) Domino server with a name of your choice.

    docker run -it -d -e "ServerName=Zotac" -e "AdminPassword=passw0rd" -p 1352:1352 -p 80:80 -p 443:443 -v dominodata:/local/notesdata --cap-add=SYS_PTRACE --name domino ibmcom/domino:10.0.1FP2


    Without supplying a
    config file, this image will not start the HTTP task by default, so we need to open a shell into the container
    docker exec -it domino /bin/bash

    and from within the container then run "domino monitor" to access the server console to launch the http task using "load http"


    Browsing to http:// will now show up this well known homepage.

    Image:Domino Portable Edition - Building the smallest Domino server - Hot Pants for Geeks
    For more information on how to work with Domino in Docker please refer to
    this documentation ( Thanks Roberto ! )

    Final word of warning:

    Certainly this Zotac device produces some heat, so running a Domino server in your trousers will for sure turn them into
    hot pants for geeks - so please be careful !

    Further ideas & todo:

    - I have not done any stress testing, so please don't ask me how many users this device is going to support in production

    - Enabling the embedded WiFi antenna and turning it into a WiFi hotspot would make a cool demo
    - Zotac Pi 225 is not the smallest device that can run Domino -- I have some more ideas but getting hold of the hardware is more complicated, stay tuned for more :)


    References:

    - Zotac Pi 225 nano on Amazon
    - Domino on Docker
    - Domino on Docker Management Script
    - Mike Rhodin announcing Lotus Foundations

    Domino on Docker Project Updates- 23 July 2019 - (0) Comments

    Thomas Hampel
     23 July 2019

    Domino on Docker Project Updates
    Daniel and I are working on the Domino on Docker project which has been around for a while. We are constantly updating it with more functionality.
    Besides the main functionality of providing an automated installation, we have a management script that can help to build custom Domino docker images, e.g. for including applications.
    We are working on making the resulting image more flexible. The first version only allowed automatically setting up a first server in a new domain, but customers already have an environment and either want to set up an additional server in an existing domain or at least have a cross-certified environment.

    What's new:
    1. Additional server setup
    You can now specify an existing server.id and existing server to get the system databases from. You still need to register the second server.id manually in your Domino Directory, however the ID file does not need to be copied anymore.
    Just specify the environment variable ServerIDfile to point to a location (local or http/https) from where the server.id file can be downloaded and the container startup routine will take care of automatically setting up your second server.

    2. Add your own data into a container at initial startup
    The big challenge is how to bring data into a new container automatically: distributing server.id files, templates, or even full applications.
    We looked at different approaches which included "Docker secrets", shared volumes and other options.
    For improving flexibility we decided to use configurable http/https download links which can be used to download a server.id or an additional data-directory.zip which is automatically expanded at first server start.
    This would be, for example, a way for business partners to deploy their software on top of the image, or for a customer to deploy their applications or specific adaptations.
    All you have to do is to specify an environment variable CustomNotesdataZip (attention, case sensitive!) pointing to a zip file that will be downloaded and extracted into the container at runtime.

    3. Scriptable configuration
    Now that you have provided your own templates - how do you turn them into an application, how do you change ACLs, or server settings at runtime?
    We have added a method to automatically configure a server based on a config JSON file. This can be used to create databases, change groups, change server settings etc.
    The configuration is applied before starting up the (new) Domino server for the first time and also allows signing applications and changing the ACL of databases.
    ...there are even more configuration options to come.


    4. More flexible deployment options
    In previous versions there was image-specific data in the /local directory.
    So we moved that data to a separate directory to optionally allow /local to be mapped to a volume instead of having multiple volumes for /local/notesdata, /local/translog and /local/daos.
    Mounting /local to a single volume will work fine, but if you want to build a high performance Domino server we are recommending to have separate volumes for those different parts. We even added directories for nif and ft to allow separate volumes for those parts as well.
    The Docker volume mapping is comparable to creating mount points. It's about providing most flexibility with best practices in mind.

    5. Preparation for new binary location
    The project now includes a new start script version 3.3.0 which is already prepared for changing the program directory default location ( /opt/ibm/domino ) with Domino 11.
    The start script and all docker image script files have been prepared to support a different binary location in future. All places in the scripts use standard variables. And we will keep the LOTUS variable to point to the binary location.

    Feedback & Future planning
    One of the next features will be to allow cross certification with existing IDs. The certifier.id is currently staying on the first installed machine. So the idea is to cross certify a provided safe.id.
    This is especially helpful for creating test environments. A small servertask will take care of cross certifying a safe.id and adding it to the LocalDomainAdmin group.
    Another idea is to integrate this functionality into the toolchain which sets up the server, we have not decided yet.
    We are looking for your feedback so leave a comment with your suggestions for improvement or create an issue in our domino-docker project

    Improving the Mail Template 9.0.1FP9 - Manage Return Receipts according to RFC 2298- 19 September 2017 - (0) Comments

    Thomas Hampel
     19 September 2017

    According to RFC 2298 http://www.ietf.org/rfc/rfc2298.txt it is recommended to show a dialog box where the recipient of a mail can decide whether or not a return receipt shall be sent back to the originator of the mail. This behavior is not currently part of the Standard IBM Mail template.

    To add this feature you have to modify the following design elements:
    • Form “Memo”, Event "QueryOpenDocument", added the code shown below
    • Form “Reply”, Event "QueryOpenDocument", added the code shown below
    • Form “ReplyWithHistory”, Event "QueryOpenDocument", added the code shown below

    Insert this code at the end of the QueryOpenDocument event.

    Set doc = Source.Document
    If Source.IsNewDoc Then
            '# don't do anything, as this is a new document
    Else
            '# only ask for delivered mails that request a return receipt
            If doc.GetItemValue("ReturnReceipt")(0) = "1" And doc.HasItem("DeliveredDate") Then
                    '# 36 = Yes/No buttons (4) + question mark icon (32); 7 = user clicked "No"
                    If MessageBox("The sender of this message has asked to be notified when you read this message." & Chr(13) & "Do you wish to notify the sender?", 36, "Send Return Receipt?") = 7 Then
                            '# user declined: clear the flag so no receipt is generated
                            Call doc.ReplaceItemValue("ReturnReceipt", "0")
                            Call doc.Save(True, False, True)
                    End If
            End If
    End If


    Reference:
    http://www.ibm.com/developerworks/lotus/library/ls-BlockRetRec/index.html

    Notes Domino 9.0.1 Feature Pack 8- 9 March 2017 - (0) Comments

    Thomas Hampel
     9 March 2017

    Note to self:
    In case anyone is asking for new features of the Notes/Domino 9.0.1 Feature Pack 8, refer them to this blog post

    and remind them to read Oliver Busse's blog post

    Domino SingleSignOn - Level 2 - Self Service Password Reset Application - 14 February 2017 - (0) Comments

    Thomas Hampel
     14 February 2017

    Based on a recent discussion with a customer it seems there still is not enough information on how to simplify authentication for Notes/Domino users.
    This is the second post out of a series of blog posts describing how to move from password based to seamless authentication.
    Once you have established LDAP Authentication you can approach the next stage:

    Level 2 - Self Service Password Reset Application

    Combined with a Self Service Password Request HTTP application (or this fancy one ) users can reset their Notes password without the help of an administrator just by using a web browser.
    Users must be authenticated in order to reset their own password, but due to the configuration done in level 1 they can use Active Directory credentials to log in.
    Once authenticated, a user can just define a new password which is applied immediately in the IDVault. Just seconds later the password can be used to log into the Notes Client.
    Image:Domino SingleSignOn - Level 2 - Self Service Password Reset Application

    Pros and Cons

    + Lost/forgotten passwords on a Monday morning are no longer your problem. Users can handle this problem alone.
    + You don't need to distribute NotesID passwords for newly created users.
    - There still is a NotesID password to remember
    - There still is a password prompt every time you start the Notes client and/or every time you open an encrypted mail in iNotes
    - The Self Service Password Request HTTP application does not apply any feedback on password quality or strength.

    Prerequisites:
    • Notes ID Vault has been established and contains the NotesID’s of all users
    • User must be authenticated, preferably using Active Directory authentication as described in the previous post level 1
    • Custom Password Reset application template,
      Please note the template provided by IBM as part of the Domino server is not officially supported and is provided as example only. See Technote 1330905

    Configuration

    Setup instructions have already been provided by IBM, so I'm not describing those steps again.
    Once completed you should have a functioning PW reset application. However, I would like to highlight a few important details
    • The agent and the form need to be signed with an ID which has IDVault Password Reset authority
    • The ACL of this database must have an Administration server defined, the Admin server specified there must be the one that hosts the IDVault.

    For improved usability I do recommend a little tuning:
    • Create a URL which users can remember, e.g. by creating a web redirect rule
      http://yourserver.domain.com/passwordreset ==> /pwreset.nsf
    • Modify the form “fmPasswordReset” to display your corporate password rules, e.g.
      “The new password must have a minimum of 8 characters. It must contain a mixture of lowercase alphabetic, uppercase alphabetic, numbers and special characters. Three of these four conditions must be met.”
    • Modify the source code to confirm the password change request has been submitted and to verify if password rules have been followed.
      Without this modification users will not get any feedback if the new password has been applied or not.
      To do so, update the source code of the form “Password Change”, Sub “OnSubmit”, as follows:
    // Client-side check: it gives the user feedback in the browser,
    // it does not enforce the password rules on the server.
    var i = 0;
    var k = 0;
    var h = 0;
    // have[0..2] = lowercase, uppercase, digit seen; have[3] = special character seen
    var have = [0, 0, 0, 0];
    var characters = ["abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "0123456789"];
    var minLen = 8;   // minimum password length
    var minDif = 3;   // minimum number of different character classes
    var pw1 = document.forms[0].pw1.value;
    var pw2 = document.forms[0].pw2.value;
    for (i = 0; i < pw1.length; i++)
    {
           h = 3;  // assume a special character unless found in one of the classes
           for (k = 0; k < characters.length; k++)
           {
                   if (characters[k].indexOf(pw1.substr(i, 1)) >= 0)
                   {
                           h = k;
                   }
           }
           have[h] = 1;
    }

    if ( pw1.length < minLen )
    {
           alert("You must enter a password with at least " + minLen + " characters");
           return false;
    }
    else if ( pw1 != pw2 )
    {
           alert("Entered passwords don't match");
           return false;
    }
    else if ( have[0] + have[1] + have[2] + have[3] < minDif )
    {
           alert("Password must be more complex, use Numbers, Lower-, Upper-, Special-Characters");
           return false;
    }
    else
    {
           alert("Thank you, your request has been submitted. The new password can be used now.");
           return true;
    }
    • In order to support clustered environments the source code of the agent “User Password Reset” needs to be updated as follows:
    Set Doc = Session.DocumentContext
    Call Session.ResetUserPassword(Session.CurrentDatabase.ACL.AdministrationServer, "", Doc.GetItemValue("pw1")(0))


    Conclusion

    Self Service Password Reset application combined with LDAP authentication will eliminate the need to distribute Notes ID passwords to end users.
    Administrators can register new NotesID's with completely random passwords that they do not need to remember nor need to distribute to end users.
    Notes client setup instructions can be simplified so that end users have to define the password themselves before they can start Notes for the first time.


    Domino SingleSignOn - Level 1 - LDAP Authentication- 13 February 2017 - (1) Comments

    Thomas Hampel
     13 February 2017

    Based on a recent discussion with a customer it seems there still is not enough information on how to simplify authentication for Notes/Domino users.
    This is the first post out of a series of blog posts describing how to move from password based to seamless authentication.

    Level 1 – LDAP Authentication

    The main goal of this level is to provide users with the ability to authenticate with Domino internet protocols such as HTTP using LDAP (e.g. Active Directory) credentials. The Notes Client authentication remains unchanged.
    When using a web browser to access a Domino server, users will be prompted for username and password.
    This authentication dialog looks like one of the following examples:
    Image:Domino SingleSignOn - Level 1 - LDAP AuthenticationImage:Domino SingleSignOn - Level 1 - LDAP Authentication
    Credentials entered here will be forwarded to Active Directory for authentication.
    Within this process username and password will be sent over the network, so it is highly important to secure the transmission using SSL/TLS.

    Pros and Cons

    + Lost/forgotten passwords on a Monday morning are no longer your problem. The AD guys have to take care :)
    + No need to manage HTTP passwords and no need to sync HTTP and Notes passwords
    - All authentication requests will be forwarded to LDAP/AD, entering wrong passwords multiple times -depending on your policy- will lock out your AD account.

    Prerequisites:

    In order for Active Directory authentication to work, the Notes user name must be stored within Active Directory (or the AD name must be stored in Domino). This is required to map Active Directory user name to a Notes user name.
    • Within Active Directory, each user object must have a (custom) attribute storing the Notes User name in DN format. This format is described as the full canonical user name of the Notes user (e.g. “CN=Firstname Lastname,OU=Department,O=Company”) where any slash (“/”) is replaced by a comma (“,”)
    • The name of this (custom) attribute of the user object in Active Directory can be any name of your choice, I will be using “mailNickname”, but you can use any other attribute you like.
      This attribute is recommended to be included in the AD Index for performance reasons. For details how to do this, please refer to this article which relates to an older version of AD but is still valid.
    • Synchronization from Domino Directory to Active Directory is done on a regular basis, e.g. by using TDI (which is free for Domino customers) with some AssemblyLines for Domino
    • A non-expiring Active Directory User account is required that will be used by Domino for Single SignOn purposes.
    How to...
    reconfigure Domino HTTP authentication to use Active Directory for authentication of browser sessions?
    If not already done:
    • Import the trusted root certificate of the LDAP server into the key ring file of the Domino server.
      Please note that Domino will be the client for the LDAP session in this case, so the *.kyr file that is being used is the one in the server document!
    • Create a Directory Assistance (DA) database
    • Add the DA to your Domino server document
      Image:Domino SingleSignOn - Level 1 - LDAP Authentication

    Okay, what's next:
    1. Within the Directory Assistance database, add a new document and configure it like shown below:
      Image:Domino SingleSignOn - Level 1 - LDAP Authentication
      Of course you are supposed to supply your correct Kerberos realm name. If in doubt, ask your AD admin.
    2. Set "Trusted for Credentials" to Yes
      Image:Domino SingleSignOn - Level 1 - LDAP Authentication
    3. Configure how to connect to the LDAP server.
      Image:Domino SingleSignOn - Level 1 - LDAP Authentication
    4. Save & close

    Now restart the Domino server and check if LDAP is being shown in the list of directories.
    Issue the command "Show xdir" at the server console for details.

    Troubleshooting:

    Apache LDAP Studio is your friend. Make sure your LDAP credentials are correctly working and that your Base DN is providing the expected results before setting up Directory Assistance towards AD.
    Some more hints:
    • You can specify multiple LDAP servers, they will be used one after the other based on the search order you have supplied
    • Search order in the Directory Assistance document must be unique. You can not use the same "Search order" twice.
    • Domino will be the client for the LDAP session in this case, so the *.kyr file that is being used is the one in the server document!
      If you are using Internet sites, then Edit the server document, disable internet sites (without saving) and specify the *.kyr file there. When done, switch back to the basics tab and re-enable Internet Sites.
      The file specified will still be used for all outbound connections, the kyr file specified in the internet sites is used for inbound connections only!
      Image:Domino SingleSignOn - Level 1 - LDAP Authentication
    • These Notes.ini variables will increase the log level for further debugging
      debug_directory_assistance=1
      debug_namelookup=1

    Result:

    When prompted for username/Password you can now use your Active Directory username and AD Password.
    Transitioning from Domino HTTP passwords to AD passwords is seamless because users can still use the Domino HTTP password even if LDAP authentication has been configured.
    Once the transition is completed you should clear the HTTP password field from the person document.

    Domino Security - Disable HTTPEnableConnectorHeaders NOW- 9 November 2015 - (1) Comments

    Thomas Hampel
     9 November 2015

    There is a security issue with Domino which allows anybody to gain access without authentication.
    Jesper Kiaer wrote about this problem before in his blog post ( Part1 and Part2 ) and also created a video showing the problem.

    If the Notes.ini variable HTTPEnableConnectorHeaders is set to 1, an attacker only needs to pass the user name they want to impersonate in a request header to get unauthorized access to Domino servers.
    This notes.ini variable is referenced in the product documentation as well as in this technote for configuring Domino servers behind an IIS reverse proxy.

    So there is a good chance that some people have enabled this variable in production.
    None of the Domino servers I have checked was affected, however I was able to reproduce the findings and can confirm it is working as described even with Domino 9.0.1 with latest fixes installed.

    Steps to reproduce
    • Add the Notes.ini variable "HTTPEnableConnectorHeaders=1" to the Notes.ini of the Domino server
      Remark: This will make the server insecure.
    • Restart the HTTP task
    • Use Firefox and install this plugin => https://addons.mozilla.org/en-US/firefox/addon/modify-headers/
    • Restart Firefox for the plugin to be initialized
    • In Firefox, open the configuration of the new plugin
      Image:Domino Security - Disable HTTPEnableConnectorHeaders NOW
    • Add a new header called $WSRU with the desired username / shortname as available in the target environment
      Image:Domino Security - Disable HTTPEnableConnectorHeaders NOW
      Save + Enable the configuration
    • Start the Plugin
      Image:Domino Security - Disable HTTPEnableConnectorHeaders NOW
    • Navigate to an existing Domino server resource, e.g. https://your-domino-server.your-domain.com/mail/username.nsf
    Surprise, surprise... you now have the access rights of the user name you have specified in the request header, in my case that's PaulSmith.
    Just imagine what can be done when using the name of an administrator...

    How to fix it?

    Well, as simple as removing the Notes.ini variable in question, using the following two commands at the Domino server console:
    set config HTTPEnableConnectorHeaders=0
    tell http restart

    Of course you would use a configuration document in production to keep your Notes.ini under control.
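
    A defender-side check for the issue described above, added here as an example (it is not code from the original post or from the vendor): it looks for the setting in a notes.ini and flags client requests that carry connector headers such as $WSRU, which a front-end proxy should strip before they reach Domino. Treating every header that starts with "$WS" as a connector header is an assumption, and the sample notes.ini and requests are constructed.

```python
"""Audit helper for the HTTPEnableConnectorHeaders issue (added example)."""

SETTING = "httpenableconnectorheaders"
# Assumption: every header whose name starts with "$WS" is treated as a
# connector header; the post itself only names $WSRU.
CONNECTOR_PREFIX = "$ws"

# Constructed sample input, not taken from a real server.
SAMPLE_NOTES_INI = """[Notes]
Directory=/local/notesdata
HTTPEnableConnectorHeaders=1
ServerTasks=Replica,Router,Update,AMgr,AdminP,HTTP
"""

SAMPLE_REQUESTS = [
    {"client": "198.51.100.7", "path": "/mail/username.nsf",
     "headers": {"Host": "your-domino-server.your-domain.com", "$WSRU": "PaulSmith"}},
    {"client": "198.51.100.9", "path": "/names.nsf",
     "headers": {"Host": "your-domino-server.your-domain.com", "User-Agent": "Mozilla/5.0"}},
]


def connector_header_settings(notes_ini_text):
    """Return (line_number, value) for every HTTPEnableConnectorHeaders line."""
    hits = []
    for number, raw in enumerate(notes_ini_text.splitlines(), start=1):
        name, sep, value = raw.partition("=")
        if sep and name.strip().lower() == SETTING:
            hits.append((number, value.strip()))
    return hits


def server_trusts_connector_headers(notes_ini_text):
    """True if any occurrence of the setting is something other than 0.

    All occurrences are checked instead of guessing which duplicate line the
    server would honour.
    """
    return any(value not in ("", "0")
               for _, value in connector_header_settings(notes_ini_text))


def is_connector_header(name):
    """HTTP header names are case-insensitive, so compare in lower case."""
    return name.strip().lower().startswith(CONNECTOR_PREFIX)


def strip_connector_headers(headers):
    """What a front-end proxy should forward: the request minus client-supplied $WS* headers."""
    return {name: value for name, value in headers.items()
            if not is_connector_header(name)}


def triage(notes_ini_text, requests):
    """List requests that tried to assert an identity through connector headers."""
    exposed = server_trusts_connector_headers(notes_ini_text)
    findings = []
    for request in requests:
        claimed = {n: v for n, v in request["headers"].items()
                   if is_connector_header(n)}
        if claimed:
            findings.append({
                "client": request["client"],
                "path": request["path"],
                "claimed": claimed,
                # critical: the server would accept the claimed identity
                "severity": "critical" if exposed else "ignored-by-server",
            })
    return findings


if __name__ == "__main__":
    print("setting lines:", connector_header_settings(SAMPLE_NOTES_INI))
    for finding in triage(SAMPLE_NOTES_INI, SAMPLE_REQUESTS):
        print(finding)
```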


    Out of Office - Send Full Copy to deputy- 9 August 2015 - (3) Comments

    Thomas Hampel
     9 August 2015

    Summer time, vacation time... You have enabled Out of Office notification, so why would you want to duplicate inbound mails?
    Let's say you really are offline and you want your deputy / stand-in to take care of new mails, what options do you have?
    In the best case we want a deputy to receive a copy of each mail while keeping the original mail in your inbox.

    Delegating Access
    A first option is delegating access to your mail - this will grant read access to all your data and your deputy won't get notified about new mails.
    Another option is to just forward all mails to your deputy by defining a forwarding address in the person document:
    Image:Out of Office - Send Full Copy to deputy
    This is not a good idea for people who want to see what happened while they were out because mails will just be forwarded. You won't get any mail in your inbox this way.
    It might not even be an option as some organizations do not allow users to edit the person document.

    Mail Rules
    Another option is to use mail rules in your Notes client to send a copy of each inbound mail to somebody else. This can be done by creating a new rule which applies to all documents...
    Image:Out of Office - Send Full Copy to deputy
    and defining a recipient of your choice - in this example it's "firstname.lastname@domain.com"
    Image:Out of Office - Send Full Copy to deputy
    Works like a charm, but what if your Administrator has disabled user rules mail forwarding in the configuration document of your server?
    Image:Out of Office - Send Full Copy to deputy
    ...or even took more drastic measures like modifying your mail template to not even show the option "Send Full Copy to..."?

    Agents
    You could look into writing an agent that runs on the server, but no Domino Admin should allow users to run scheduled agents on the mail server.
    So trying to create an agent in your mail file will most likely end up with "You are not authorized to use agents in this database"
    Image:Out of Office - Send Full Copy to deputy

    Duplicate Mails (with help of your Domino Administrator)
    Since you have recently rewarded your administrator for keeping your computers running, you'll get friendly support for the following configuration:

    What you need to do:
    1.) Create a Mail-In Database document which points to the mail file of the user who is out of office.
    Make sure the Mail-In name is unique and does not cause name lookup conflicts.
    Image:Out of Office - Send Full Copy to deputy

    2.) Create a Group of type "Mail only".
    Members of this group will be the Mail-In database created above as well as any person who shall receive a copy of the mail(s).
    You can define one or multiple recipients using internet mail addresses or Notes user names.
    Image:Out of Office - Send Full Copy to deputy

    3.) Edit the person document and put the Group name created above to be the forwarding address
    Image:Out of Office - Send Full Copy to deputy

    4.) Testing
    Wait for replication to finish within your Domain and send a test mail to the user.
    This mail will be delivered to the original user's mail file and also to the deputy(s) defined in the group.

    Remarks:
    Depending on how you have configured the Recent Contacts feature your Notes client might show the name of the mail-in database in future name lookups.
    If this is an issue, either purge your recent contacts or disable the feature completely.


    Mindoo FTP Server stopped running in Domino- 23 July 2015 - (2) Comments

    Thomas Hampel
     23 July 2015

    The Mindoo FTP Server project provides an FTP server wrapped into an XPages application. It is based on the Apache FtpServer which runs as OSGi plugin on the server side.
    One day a customer reported the FTP server would no longer work. A quick check showed that port 21 does not respond any longer.

    Restarting the HTTP task showed a JVM Exception
    restart task http
    ...
    17.07.2015 18:00:07   HTTP Server: Using Internet Site Configuration View
    17.07.2015 18:00:12   JVM: Java Virtual Machine initialized.
    17.07.2015 18:00:12   HTTP Server: Java Virtual Machine loaded
    17.07.2015 18:00:16   XSP Command Manager initialized
    17.07.2015 18:00:17   HTTP JVM: java.lang.reflect.InvocationTargetException


    Checking the OSGI bundles showed the required bundle is not even installed.
    > tell http osgi diag com.mindoo.ftp
    Cannot find bundle com.mindoo.ftp.


    Analysis

    Check the file [DominoData]\domino\workspace\logs\error-log-0.xml for any problems.
    The very first warning in this file showed that a plugin was not loaded because the signer does not have the required access rights:
    CLFAD0331W: NSF Based plugin contribution denied because signer CN=SignerName/OU=Unit2/OU=Unit1/O=OrgEU does not have required access: CN=SignerName/OU=Unit2/OU=Unit1/O=OrgEU:System\UpdateSiteServer.nsf

    and further down in the same file:
    CLFAD0334W: Feature com.mindoo.ftp_feature_1.0.0.201306221322 skipped


    At first, access rights seemed to be OK, but when looking a little closer I found that the user name does not have access to the server any longer because the Organization was renamed from "OrgEU" to "Org".

    Solution (Part1)

    The signature which is being used here is not a signature of a design element, it is the content of the Eclipse Update site which still had the old signature referenced. So how are we going to fix this?
    • Open the Eclipse UpdateSite and use "Actions\Sign All Content"
      Remark: This will not sign any design elements - it will sign the documents in the application only.
      Image:Mindoo FTP Server stopped running in Domino
    • Restart the HTTP task
      restart task http
    • Watching the server console
      Image:Mindoo FTP Server stopped running in Domino

    Image:Mindoo FTP Server stopped running in Domino

    Running into another problem

    Although the FTP Server was running again, it seems like there still was an issue with the XPages application.
    Quickly looking into  [DominoData]\domino\workspace\logs\error-log-0.xml showed a well known problem.
    Image:Mindoo FTP Server stopped running in Domino

    Solution (Part2)

    Obviously someone opened the application in Domino Designer without disabling the option to recompile XPages automatically.
    So make sure this option is set to "Manually recompile Xpages"
    Image:Mindoo FTP Server stopped running in Domino

    and then open the Mindoo FTP Domino application in Domino Designer and hit "Project\Build Project" in your Designer client.
    Image:Mindoo FTP Server stopped running in Domino

    Testing results
    • Opening the Mindoo FTP Application from a browser seems to work
      Image:Mindoo FTP Server stopped running in Domino
    • "tell http osgi mftp status" shows that our server is now running on port 21
      Image:Mindoo FTP Server stopped running in Domino
    • Opening an FTP connection from a remote client is working fine

    Import & Export Internet Certificates Programatically- 18 June 2015 - (0) Comments

    Thomas Hampel
     18 June 2015

    We all know that Admins are lazy. Being lazy can be helpful when having development skills, especially to reduce the amount of helpdesk calls by automating boring work.
    How to import X509 certificates into a Notes ID when the certificate itself is stored in the Windows certificate store?

    S/MIME Import / Export Automation

    If needed, users can then export or import Internet Certificates directly from the Notes Client, but who wants to do that manually?
    Even exporting the certificate from the Notes ID is too complicated for most users...
    Image:Import & Export Internet Certificates Programatically

    Looking for an automated way to export Internet Certificates, pubnames.ntf turns out to contain some undocumented @Formulas for working with X509 certificates:
    • @X509Certificates([Subject];UserCertificate;"");
      Returns the list of subjects of the internet certificates stored in the person document field named "UserCertificate"
    • @Command([PKCS12ExportCertsFromNAB];UserCertificate;Certificate;Number;"0")
      Where "Number" is the element in the list returned by @X509Certificates

    In my opinion those @Functions still show too many dialog boxes, so let's try to make it simpler.
    The C-API documentation provides the functions required, namely PKCS12_ExportIDFileToFile and PKCS12_ImportFileToIDFile.

    Wrapping both into a small script is easy...

    ' Notes C API entry points exported by nnotes; both return a status code (0 = no error)
    Declare Function PKCS12_ExportIDFileToFile Lib "nnotes" Alias "PKCS12_ExportIDFileToFile" ( _
               ByVal pIdFilename As String, _
               ByVal pIdFilepassword As String, _
               ByVal pPKCS12Filename As String, _
               ByVal pPKCS12Filepassword As String, _
               ByVal ExportFlags As Long, _
               ByVal ReservedFlags As Long, _
               Preserved As Any) As Integer

    Declare Function PKCS12_ImportFileToIDFile Lib "nnotes" Alias "PKCS12_ImportFileToIDFile" ( _
               ByVal pPKCS12Filename As String, _
               ByVal pPKCS12Filepassword As String, _
               ByVal pIdFilename As String, _
               ByVal pIdFilepassword As String, _
               ByVal ImportFlags As Long, _
               ByVal ReservedFlags As Long, _
               Preserved As Any) As Integer

    ' Flag value: leave private keys out of the PKCS#12 file
    Const PKCS12_EXCLUDE_PRIVATEKEYS = &h00000001


    Calling those APIs would be able to import a certificate from a file, but often the certificate has already been deployed to (e.g.) the Windows certificate store.
    It would have been easy to use a Windows API call to export a certificate into a file and then import it again back into the Notes ID using the Notes API calls above.
    Unfortunately M$ discontinued support for CAPICOM after Windows XP... so we have to use old-school methods such as command line tools like Certutil.

    Still, with the resulting functions you can import and export X509 certificates from the Windows certificate store to the Notes ID and back.

    ImportInternetCertificatesFromOSCredentialStore.lss

    ExportnternetCertificatesToOSCredentialStore.lss

    As usual, YMMV, so feel free to further optimize the code to fit your needs.
    Please use at your own risk and report back any suggestions or improvements!

    Special Thanks to Marcus Floeser for providing the screenshot.

    Domino CA Process ’Error processing CCS Mod Request’- 3 June 2015 - (0) Comments

    Thomas Hampel
     3 June 2015

    The CA process in Domino is a server task to manage and process certificate requests. It is very helpful if you want support staff to register new users without knowing the password to your Domino Certificate.
    As employees join or leave the support team you'll have to add / remove people from the list of Registration Authorities by using "Modify Certifier" from the Administrator Client tools menu.
    Image:Domino CA Process ’Error processing CCS Mod Request’

    Granting access for a new team member as usual...
    Image:Domino CA Process ’Error processing CCS Mod Request’

    and submitted the request
    Image:Domino CA Process ’Error processing CCS Mod Request’

    seemed to be successful
    Image:Domino CA Process ’Error processing CCS Mod Request’

    ...but according to the log the Domino CA modification request failed with this error:
    CA Process (OU=OU/O=Company): Error processing CCS Mod Request.: There is no certificate in the Address Book.


    Root cause
    One or more people listed in the first dialog do not have a person document in the Domino Directory or the person document does not have a public key specified.
    Image:Domino CA Process ’Error processing CCS Mod Request’

    Solution
    First remove users who don't have a corresponding person document, and save + submit the request before adding new names.

    Notes Widgets disappear from Catalog- 1 June 2015 - (0) Comments

    Thomas Hampel
     1 June 2015

    You are wondering why your beloved Notes widget all of a sudden is no longer available in the Widget catalog?
    Of course the administrator of trust did not do anything - so what happened?

    Here is a small hint:
    Take a quick look into the widget catalog, there is a scheduled agent...
    Image:Notes Widgets disappear from Catalog

    and the brief description
    %REM *********************** Agent Notes **************************
    This agent checks all new/modified documents to make sure that the
    user created the document properly. It checks to make sure the proper
    items are in place, and it also verifies that the categories that are
    set are allowed by the document creator.

    *************************** INTERACTIONS ***************************
    There are no interactions with this agent. It is a scheduled agent
    that is set to work against new/modified documents.

    Conclusion:
    If anything, such as AdminP, modified the document then this agent will run. In our case it was an AdminP name change request which caused the document to be modified.

    PANIC Unexpected internal error returned to logger 0x20692010- 27 March 2015 - (0) Comments

    Thomas Hampel
     27 March 2015

    Tip of the day:
    When running Domino server commands on the operating system of a server, make sure to run the command from a console with Admin access rights, otherwise you'll get this:

    PANIC: Unexpected internal error returned to logger: 0x20692010

    Image:PANIC Unexpected internal error returned to logger 0x20692010

    Reference:

    SPR # PALL8WA3Y8

    Solution

    Open a command prompt by right clicking and selecting "Run as Administrator", then run the command(s) again.

    Root cause:

    Problem in front of keyboard.

    AdminP Move User - Access Rights seem not to work in Domino 9.0.1FP1 and how to work around- 12 January 2015 - (0) Comments

    Thomas Hampel
     12 January 2015

    Moving mail files from server to server is a simple task, AdminP handles this job properly. It does even work across domains... and it worked perfectly in numerous projects in the past.
    Until today when I ran into a problem where the same process 'all of a sudden' (**what else**) caused an error in AdminP - but only for a specific group of destination servers.

    After creating the AdminP Move User request (using our internal tools), the AdminP request "Check Mail Server's Access" failed with this error:
    Image:AdminP Move User - Access Rights seem not to work in Domino 9.0.1FP1 and how to work around
    Errors:

    Title: Domain's Directory Path: Domain's Directory; Name: Admin Lastname/OU/Org;
    Error: Both the signer and the author of this request must have Editor access or Author access with the UserModifier role to the Domino Director

    Analysis

    We checked access rights on both sides... several times....but everything was set up correctly. Even restarting the server (to refresh the name lookup cache) did not change the situation.
    Finally after a few chats with my colleagues they indicated it could be related to a problem they had seen before, referencing an old bug ( LO81200 ) and also pointing to a new SPR

    SPR # JPAI9FEKCP, fixes a Notes Client issue where if a local NAMELookup cache has been created it is inappropriately being used as opposed to doing the NAMELookup on the remote server. This may result in Notes Client errors indicating insufficient access to perform any number of Notes Client operations such as Admin Client move user or simply signing of databases.

    Although the SPR reads like it would apply to Notes Clients only, I can confirm it does apply to Domino Servers as well, at least for that specific AdminP request type "Move User"
    We did a few tests and quickly found a workaround, so here is what you can do about it:

    Temporary Solution:

    Don't use groups to grant the specific access rights.
    In our case putting the name of the person who signed the AdminP request >directly< into the ACL of the Names.nsf of the destination server fixed the issue.

    This is what the AdminP Move User request should look like before the user authenticates
    Image:AdminP Move User - Access Rights seem not to work in Domino 9.0.1FP1 and how to work around

    Permanent Solution

    Apply Domino 9.0.1 FixPack2 now or wait for Domino 9.0.2 to be released.

    Lessons learned:

    1. Always install the latest version of Domino
       Note: The destination server in question is not maintained by our team.
    2. What an awesome team we have :)


    Monitoring IBM Domino Server on Linux via SNMPv3- 5 January 2015 - (0) Comments

    Thomas Hampel
     5 January 2015

    Monitoring Domino servers via SNMP should be a simple task, if it were documented properly.
    There are quite a few blog posts out there on the internet, such as this nice article by Detev Schuemann, which unfortunately is in German. So I'd like to provide an English translation with a few updates which in my opinion are valuable.

    Background

    Simple Network Management Protocol (SNMP) is a protocol for monitoring network devices such as routers, switches, servers, printers and much much more.
    Vendors of a device provide a definition of the values which can be read or modified in the form of a MIB (Management Information Base). Those values are called OIDs (object identifiers) and are ordered in a hierarchical structure.

    MIB definitions for Domino can be found online
    http://www.oidview.com/mibs/334/NOTES-MIB.html
    A MIB file for IBM Domino can be found in the Domino program directory and is called "domino.mib"

    On a Linux server the file can be found here /opt/ibm/domino/notes/latest/linux/domino.mib


    Step-by-step Instructions

    For each Domino server which you want to monitor, you need to enable SNMP support, the following is a step by step description of what you need to do for a Domino server on Linux.
    Instructions for Windows are available here
    Examples below are based on CentOS, which uses yum as its package manager. For other Linux distributions the commands are slightly different, and the path references shown in the examples below might not be the same for you.

    Step 1 - SNMP Master Agent

    Although Domino provides its own SNMP master agent, I recommend not using it because the version supplied with Domino is the rather dated version 5.0.7.
    Currently version 5.7.3 is the latest version available. Check the net-snmp change log to see what has changed between versions.
    Obviously you should prefer using the operating system's SNMP master agent, which comes preinstalled with a number of Linux distributions.
    If not already installed, you can install the package net-snmp with the following command.

    # yum install net-snmp

    The package net-snmp-utils provides some additional tools like snmpwalk, which we will need later on for testing.
    # yum install net-snmp-utils

    To check the version you are running...

    $ snmpwalk --version

    Image:Monitoring IBM Domino Server on Linux via SNMPv3
    Note: Current releases of CentOS and Redhat provide net-snmp version 5.7.2 by default.


    Option B - NET-SNMPD v5.0.7 provided by Domino

    Domino provides net-snmpd in version 5.0.7  - again, I do not recommend using this version.

    However, if you really want to use it, enter these commands to copy the required files to the /etc directory and make sure the service is started after a reboot.

    # cp /opt/ibm/domino/notes/latest/linux/net-snmpd* /etc
    # ln -f -s /etc/net-snmpd.sh /etc/init.d/net-snmpd

    # chkconfig --add net-snmpd

    # chkconfig net-snmpd on

    Note that in this type of configuration your settings are stored in the file /etc/net-snmpd.conf

    Step 2 - Update Configuration

    Back up the original config file to a location of your choice

    cp /etc/snmp/snmpd.conf /root

    Edit the file /etc/snmp/snmpd.conf . Modifying this file is only required if you are using the master agent provided by your OS.

    # nano /etc/snmp/snmpd.conf

    1.) Search for sysLocation and update it according to your needs as shown here:
    sysLocation    YourDataCenterLocation
    sysContact     email@yourdomain.com


    2.) Define a username/password combination for SNMP v3 authentication.
    Of course the user name and password used in this example are to be changed to fit your needs.

    createUser SNMPv3UserName MD5 SNMPUserSecretPassword AES


    3.) At the end of the same file, add this line:
    smuxpeer 1.3.6.1.4.1.334.72 NotesPasswd

    Don't forget to save the file.


    Step 3 - SNMP Startup Script

    Although you could add /usr/sbin/snmpd as a service directly, it's probably more useful to use a startup script.

    Domino already provides such a script - you just need to modify the configuration so that it can be used.


    # cp /data/ibm/domino/notes/latest/linux/net-snmpd.sh /etc/init.d/net-snmpd

    # nano /etc/init.d/net-snmpd


    Update the configuration (starting in line 31) as follows:

    INSTDIR=/usr/sbin
    PROGNAME=snmpd

    PROGPATH=$INSTDIR/$PROGNAME

    CONFNAME=snmpd.conf

    CONFPATH=/etc/snmp/$CONFNAME

    LOGPATH=/var/log/snmpd.log

    PROGARGS="-C -c $CONFPATH -l $LOGPATH"

    Make sure the startup script runs at next boot

    # chkconfig --add net-snmpd
    # chkconfig net-snmpd on


    Step 4 - Update Firewall Rules

    SNMP requires UDP port 161 to be accessible, so you need to open this port on the local firewall.
    Do not forget to open this port on any other firewall on your network which is between the monitoring server and your Domino server
    # iptables -I INPUT -p udp --dport 161 -j ACCEPT


    Step 3 - Testing basic functions

    Test basic SNMP functionality from the local host and also from a remote server.
    # snmpwalk -v3 -u SNMPv3UserName -A SNMPUserSecretPassword -a MD5 -l authnoPriv dominoserver.domain.com .1.3.6.1.4.1.2021.100.2.0

    As a result you should get the version number of the SNMP master agent

    Image:Monitoring IBM Domino Server on Linux via SNMPv3

    Step 5 - Enable Domino SNMP Agent

    Make sure LNSNMP will be started after a reboot. (Note: change the path to match your configuration!)
    # ln -f -s /opt/ibm/domino/notes/latest/linux/lnsnmp.sh /etc/rc.d/init.d/lnsnmp
    # chkconfig --add lnsnmp

    # chkconfig lnsnmp on
    # service lnsnmp start

    In case you get the error "LOTUSDIR must be set in the environment or in this script." you need to update the script so that it can find the path to your Domino server, e.g. LOTUSDIR=/opt/ibm/domino


    If everything has worked out, starting lnsnmp should provide the following output

    New sub-agent on server is registering a sub-tree with branch ID:
    1.3.6.1.4.1.334.72.3

    Sending SNMP "Server Up" trap for server .

    service lnsnmp startNew sub-agent on server is registering a sub-tree with branch ID:

    1.3.6.1.4.1.334.72.1


    Step 6 - Domino Tasks

    Start the following tasks from the Domino server console

    load quryset
    load intrcpt
    load collect

    "quryset" is required to support SNMP queries

    "intrcpt" is required to support SNMP traps for Domino events

    "collect" is required to support statistic threshold traps

    Create a program document or add the tasks to the Notes.ini variable "ServerTasks=" to ensure they are started automatically after a server restart.

    Step 7 - Testing Domino SNMP agent response

    Now it's time to test if we can access Domino objects via SNMP, e.g. by reading a single value.

    $ snmpget -v3 -u SNMPv3UserName -A SNMPUserSecretPassword -a MD5 -l authnoPriv dominoserver.domain.com .1.3.6.1.4.1.334.72.1.1.6.2.1.0

    Should return the fully qualified Domino Server name as a string

    Image:Monitoring IBM Domino Server on Linux via SNMPv3

    Ok, you're done... the Domino SNMP Agent is configured and can be used.

    However, there still is some work to be done on your SNMP management console, e.g. Nagios, FAN, Cacti (or whatever you are using), in order to monitor Domino via SNMP (for example, server down).

    Next Actions:

    If you like this post, please let me know via Twitter @ThomasHampel or by leaving a comment below. Please note that comments are moderated and won't show up before being approved.
    Hint... configuring Nagios for Domino monitoring and configuring Cacti for trend analysis is the subject of another blog post which I'm already working on.


    Troubleshooting
    • Check snmpd.log for errors
      # cat /var/log/snmpd.log
    • Error : refused smux peer: oid SNMPv2-SMI::enterprises.334.72, descr Lotus Notes Agent
      See IBM Technote 1313318
    • Error - Unknown User
      Either there is a typo in the user name or you forgot to add the user to the snmpd.conf file in step 2. Search the config file for something like this:
      createUser SNMPv3UserName MD5 SNMPUserSecretPassword AES
    • Error in packet. Reason: authorizationError (access denied to that object)
      The user exists and the password worked, but the user does not have the required access rights. Check snmpd.conf to see if you have granted at least read-only rights; search the file for a string like this:
      rouser SNMPv3UserName
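
    The createUser line from Step 2 uses MD5, and the test commands run at authNoPriv, so the monitored values travel unencrypted. The following audit of an snmpd.conf is an added example (not part of the original post or of net-snmp): it flags those two points, users that have no rouser/rwuser line (the authorizationError case above) and v1/v2c community lines. Both sample configurations are constructed, the hardened one with placeholder passphrases.

```python
"""Audit an snmpd.conf for weak SNMPv3 settings (added example)."""

LEVELS = ("noauth", "auth", "priv")

# Constructed sample: the lines from Step 2 plus the rouser line from Troubleshooting.
PAGE_CONFIG = """\
# lines added to /etc/snmp/snmpd.conf
sysLocation    YourDataCenterLocation
sysContact     email@yourdomain.com
createUser SNMPv3UserName MD5 SNMPUserSecretPassword AES
rouser SNMPv3UserName
smuxpeer 1.3.6.1.4.1.334.72 NotesPasswd
"""

# Constructed sample: same user with SHA, a separate privacy passphrase and
# encryption required for every request.
HARDENED_CONFIG = """\
createUser SNMPv3UserName SHA ConstructedAuthPassphrase AES ConstructedPrivPassphrase
rouser SNMPv3UserName priv
smuxpeer 1.3.6.1.4.1.334.72 NotesPasswd
"""


def _directives(text):
    """Yield (line_number, directive, args) for each non-comment line."""
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        yield number, tokens[0].lower(), tokens[1:]


def _drop_option(args, flag):
    """Remove a leading '<flag> VALUE' pair such as '-e ENGINEID' or '-s usm'."""
    return args[2:] if len(args) >= 2 and args[0] == flag else args


def audit_snmpd_conf(text):
    """Return a list of (line_number, code, message) findings."""
    findings = []
    created, granted = {}, set()
    for number, directive, args in _directives(text):
        if directive == "createuser":
            args = _drop_option(args, "-e")
            if not args:
                continue
            user = args[0]
            auth = args[1].upper() if len(args) > 1 else None
            passphrase = args[2] if len(args) > 2 else ""
            priv = args[3].upper() if len(args) > 3 else None
            created[user] = number
            if auth is None:
                findings.append((number, "no-auth", f"{user} has no authentication protocol"))
            else:
                if auth == "MD5":
                    findings.append((number, "weak-auth", f"{user} authenticates with MD5; use SHA"))
                if len(passphrase) < 8:
                    findings.append((number, "short-passphrase", f"{user} passphrase is under 8 characters"))
            if priv is None:
                findings.append((number, "no-priv-protocol", f"{user} cannot encrypt requests"))
            elif priv == "DES":
                findings.append((number, "weak-priv", f"{user} encrypts with DES; use AES"))
        elif directive in ("rouser", "rwuser"):
            args = _drop_option(args, "-s")
            if not args:
                continue
            user = args[0]
            # net-snmp defaults to the "auth" level when none is given
            level = args[1].lower() if len(args) > 1 and args[1].lower() in LEVELS else "auth"
            granted.add(user)
            if level != "priv":
                findings.append((number, "priv-not-required",
                                 f"{user} is accepted at level '{level}', so unencrypted requests work"))
        elif directive in ("rocommunity", "rwcommunity", "com2sec"):
            findings.append((number, "community-string", "SNMP v1/v2c community access is enabled"))
    for user, number in created.items():
        if user not in granted:
            findings.append((number, "no-access-rule", f"{user} has no rouser/rwuser line"))
    return findings


if __name__ == "__main__":
    for label, config in (("page", PAGE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_snmpd_conf(config))
```

    With the hardened lines the test calls change to -a SHA -l authPriv -x AES -X followed by the privacy passphrase.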

    Tools:

    Take a look at Paessler SNMP Tester (Freeware / Windows)
    Image:Monitoring IBM Domino Server on Linux via SNMPv3


    Import Contacts from GDI Business Line / FirebirdSQL to Domino- 23 September 2014 - (1) Comments

    Thomas Hampel
     23 September 2014

    GDI Business Line is an ERP & CRM software for the small & medium businesses market. It is developed by the German vendor GDI based in Landau in der Pfalz.
    A customer wanted to use the address data from the GDI platform in the Notes/Domino environment. Main purpose was to simplify communication with known customers by synchronizing contact names, addresses, and phone numbers to Domino.

    We all know integrating Directory Data with Domino is made easy with TDI, so let's see if we can use it here.
    The backend database of GDI is based on FirebirdSQL, and they provide a JDBC driver which is all we need to make it work.

    Here are step-by-step instructions for connecting TDI with the GDI Address table

    Part 1 - TDI Installation

    Tivoli Directory Integrator V7.1.1 is provided free of charge as an additional entitlement for Notes/Domino customers.
    All you need to download from Passport Advantage is IBM Tivoli Directory Integrator Identity Edition V7.1.1 with the part number that fits your needs:

    Platform         Part Number   Size
    Windows 32-bit   CZUF0ML       555 MB
    Windows 64-bit   CZUF7ML       567 MB
    Linux 32-bit     CZUF2ML       547 MB
    Linux 64-bit     CZUF3ML       554 MB


    We are intending to use a local Notes Client connector so we will be using the 32bit version of TDI. In case you're planning to install TDI on a  64bit Domino Server you could also go for that version.
    The installation process of version 7.1.1 is no different from V7.1, so you can just follow the instructions for installing Tivoli Directory Integrator on IBM Infocenter or on Connections101 (Thanks gabturtle & Paul Mooney for this site).

    Part 2 - Apply TDI Fix Pack

    Download the latest fix pack for TDI v7.1.1 from Fix Central, which at the time of writing this blog post is Fix Pack 3, and this JRE upgrade.
    Follow the installation instructions provided with the fix pack(s).
    Hint: {TDI_install_dir}\bin\Applyupdates.bat  -update [path to FP zip file]

    Part 3 - Notes Connector

    TDI can establish different types of connections to Notes/Domino, but not all of them can be used everywhere (see Supported session types by Connector).
    For example, if you don't want IIOP to be enabled on your Domino server, you'll have to use either the Local Client connector, which requires a Notes Client to be installed on the same machine, or the Local Server Connector, which requires a Domino Server installed on the same machine. My personal preference is the Notes client connector because it just requires a Notes ID and I can connect from my own client workstation to any server regardless of whether IIOP is enabled or not.
    • Copy the file {NotesProgramDir}\jvm\lib\ext\Notes.jar  to  {TDI_install_dir}/jars/3rdparty/IBM  
      (or to the folder defined in the variable "com.ibm.di.loader.userjars" parameter defined in the solution.properties file)
    • Append the Notes Directory to the PATH parameter in the following TWO files
      {TDI_install_dir}ibmditk.bat
      {TDI_install_dir}ibmdisrv.bat
      Example:
      set PATH=%TDI_HOME_DIR%;%TDI_JAVA_BIN_DIR%;%TDI_LIB_DIR%;C:\Program Files (x86)\IBM\Notes;%PATH%


    Part 4 - Firebird JDBC Connector

    As long as there is a JDBC connector, TDI should be able to connect to the database. FirebirdSQL is nothing special here, so this is what you have to do:
    • Pick the JDBC driver here (make sure to choose the one for Java 7)
    • Extract the ZIP file to a temporary folder of your choice
    • Copy the following three files to the folder {TDI_install_dir}\jars\3rdparty\other
      jaybird22.dll, jaybird-2.2.5.jar, jaybird-full-2.2.5.jar

      Image:Import Contacts from GDI Business Line / FirebirdSQL to Domino

    Part 5 - Connect and Feed Data

    Now launch TDI Configuration Editor ( {TDI_install_dir}ibmditk.bat ) and add a new JDBC connector

    Image:Import Contacts from GDI Business Line / FirebirdSQL to Domino
    We would like this connector to be used in Iterator mode because we want to loop through the data later on.
    When you click on "Next >" you will be prompted to specify additional connection parameters.
    The syntax for the JDBC URL is

    jdbc:firebirdsql://host[:port]/database


    JDBC URL = jdbc:firebirdsql://sqlserver:23053/C:\Database\GDI.GDB?sql_dialect=1&charset=WIN1252
    JDBC Driver = org.firebirdsql.jdbc.FBDriver

    Image:Import Contacts from GDI Business Line / FirebirdSQL to Domino
    and of course you must define your database credentials and the table you want to connect to. In our case the table is "CM_ADRESSEN"

    Image:Import Contacts from GDI Business Line / FirebirdSQL to Domino
    Click Finish to add the connector as your input feed.

    Image:Import Contacts from GDI Business Line / FirebirdSQL to Domino

    Part 6 - Data Map

    Now let's use the connection and define the input map:
    • Within the connector, use the Connect button to establish a first connection for reading the database schema.
    • Select the fields which you want to make use of by either dragging/dropping them from the schema or by using the button "Add"
      Image:Import Contacts from GDI Business Line / FirebirdSQL to Domino

    Part 7 - Output to Notes/Domino

    Let's write this data to Domino...
    (Remark: assuming the target database already exists and is using a standard pubnames template)
    • Add a Notes Connector in Update mode
      Image:Import Contacts from GDI Business Line / FirebirdSQL to Domino
      When you click on "Next >" you will be prompted to specify additional connection parameters.
      This example will connect to a remote database hosted on "DominoServer/Org/O", you can of course leave the server name empty to connect to a local database.

      Image:Import Contacts from GDI Business Line / FirebirdSQL to Domino
      Click Finish to add the connector as your Data Flow.
    • Click the output connector again to define which data to write to which field in Notes/Domino
      Here is an example, feel free to modify or extend:

      Image:Import Contacts from GDI Business Line / FirebirdSQL to Domino
    • In the connector define the Link Criteria
      It seems the field SATZUUID is used as a unique key, so we are going to use it as well. Of course you need to make sure to write this field to the target database, otherwise the lookup will always fail and duplicate entries are the result.

      Image:Import Contacts from GDI Business Line / FirebirdSQL to Domino

    Part 8 - Fine Tuning

    This part is to be done by yourself. You should probably add some special handling to handle different address types such as if the record is using...

    "Adresstyp=1" = Contact
    "Adresstyp=4" = Company

    "Adresstyp=16" = Person


    or updating the full text index when the assemblyline has finished...


    try {
      // Reuse the connection settings of the Notes connector in this AssemblyLine
      notes = NotesConnector.getConnector();
      dbname = notes.getParam("notesDatabase");
      srvname = notes.getParam("notesServer");
      sess = notes.getDominoSession();
      db = sess.getDatabase(srvname, dbname);

      if (db.isOpen()) {
        message = "Requesting to update FTIndex on " + srvname + "!!" + dbname;
        task.logmsg("INFO", message);
        // true = create the full text index if it does not exist yet
        db.updateFTIndex(true);
      } else {
        message = "Unable to open target notes database." + srvname + "!!" + dbname;
        task.logmsg("ERROR", message);
        java.lang.System.out.println(message);
      }
    } catch (ex) {
      message = "Unable to update FTIndex in target Notes database. , " + ex;
      task.logmsg("ERROR", message);
      java.lang.System.out.println(message);
    }



    Part 9 - Run it

    Run the assemblyline and (optionally) have a beer while you will see new person documents showing up in Domino.


    Summary

    For those of you who are very lazy, here is the TDI AssemblyLine for further use.
    GDIDataImportExample.xml


    Please note that you must adjust it to fit your needs!  Concluding with
    Notes Sensei's words : YMMV

    AMgr: Console command ’LOG.NSF’ is unknown- 13 May 2014 - (0) Comments

    Thomas Hampel
     13 May 2014

    After upgrading to Domino 9.0.1 the following messages show up at the console.
    It seems the agent manager is trying to send file names as commands to the server's console...


    AMgr: Console command 'ddm.nsf' is unknown
    AMgr: Console command 'admin4.nsf' is unknown
    AMgr: Console command 'LOG.NSF' is unknown
    AMgr: Console command 'LOG.NSF' is unknown
    AMgr: Console command 'ddm.nsf' is unknown
    AMgr: Console command 'ddm.nsf' is unknown
    AMgr: Console command 'admin4.nsf' is unknown
    AMgr: Console command 'admin4.nsf' is unknown
    AMgr: Console command 'LOG.NSF' is unknown
    AMgr: Console command 'LOG.NSF' is unknown
    ....


    It turned out that it's a small bug that was introduced in Domino 9.0.1. The problem is already known and has been documented in SPR# CSAO9FR9ZS
    A local workaround is documented here => LO78790: AMGR: CONSOLE COMMAND 'XXX.NSF' IS UNKNOWN SHOWS REPEATEDLY

    Making Internet Mail Secure with just a few clicks - S/MIME in Domino- 9 May 2014 - (0) Comments

    Thomas Hampel
     9 May 2014

    I'm wondering why internet mails are still sent unencrypted, at least to a large extent. You should not make it too easy for your enemy to spy on you just by sniffing your internet traffic. This blog post is a reminder for Domino admins who still force mails to be sent unencrypted over the internet to take action now. No, I'm not talking about transport level security for now, this post is about providing end to end encryption.

    After having read the-dummies-guide-to-2048-bit-ssl-self-signed-certificates-in-domino.htm you are ready for securing your internet email with S/MIME.
    So let's roll out S/MIME certificates to Notes users in a Domino domain:

    Basic steps are:

    1. Create a key ring file that contains a self signed (or trusted) certificate
    For more information on how to create a self signed CA, read the-dummies-guide-to-2048-bit-ssl-self-signed-certificates-in-domino.htm

    2. Set up the CA process in Domino

    Nobody wants to deploy S/MIME certificates to users manually, so it is recommended to
    set up the CA process in Domino,
    otherwise an Admin needs to enter the password of the keystore every time a new user is being registered.

    3. Migrate an (internet) Certifier into the CA

    Just read and follow
    instructions for migrating an existing Certifier/KeyRing, or create a new one using the step by step instructions starting with slide #89
    Remark: You must refresh the CA process in order to see the newly migrated certifier, use the server commands "tell ca refresh" and "tell ca status"

    4. Rolling out Internet Certificates to Users

    Follow instructions for
    Issuing Internet certificates in a Person document or use the  step by step instructions starting with slide #149
    Here the CA process becomes very handy when the rollout is done in waves.

    Done!

    Once AdminP has completed, the Notes Client will pick up the new keys the next time it authenticates with the Domino server and the new S/MIME certificate will then be merged into the user's ID file.
    If an IDVault is in use, the Notes Client will then upload the ID file to the vault automatically.

    What about Step-by-Step deployment instructions?

    Those have already been provided by Tom Truitt in his Lotusphere 2011 presentation
    SHOW104 - Crispy Certificates with Spicy SSL Salsa
    One might also want to know
    how to enable S/MIME in BlackBerry Enterprise Service 10 and should keep in mind S/MIME in IBM Notes Traveler still seems to be an issue (Reference Technote #7039769 )

    How to obtain the internet certificate's public key of a user?

    When receiving internet mail, users of the same domain can pick up the public key of a user from the Domino Directory, but users receiving mail from the internet need to ask the sender for a signed email to add the sender's internet certificate to the local address book manually. The option can be found in the "Add Sender to Contacts" dialog box...

    Image:Making Internet Mail Secure with just a few clicks - S/MIME in Domino

    at the very bottom there's a small check box...

    Image:Making Internet Mail Secure with just a few clicks - S/MIME in Domino

    Now you can send encrypted mail(s) via the internet - sniffing network traffic won't provide the mail body in clear text anymore.
    Of course enabling S/MIME for external communication is just a first small step and you know it's not a perfect way to protect your privacy forever.

    Overall, this is just some very basic knowledge every Domino administrator should have applied for years, but unfortunately...
    Yes, there is more to say about S/MIME in Domino, a lot more - so there will be another blog post about this topic.



    The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino- 7 May 2014 - (3) Comments

    Thomas Hampel
     7 May 2014

    Setting up SSL in Domino using Self Signed Certificates is easy, one can choose between SSL using Domino as Certificate Authority or setting up SSL in Domino using the CA Process or even using an IBM HTTP Server in front of Domino
    Since I'm still getting questions on how to quickly create a self signed certificate for Domino, here is a guide for dummies....

    When working with self signed certificates in Domino, the product documentation won't tell you there's one small problem:
    In the standard Domino Server Certificate Administration template (csrv50.ntf) there is no option to specify the key length for self signed certificates, so by default any new keys will be created with a key length of just 512byte, which is not enough for modern browsers nor for Internet Explorer 9 (or above), see
    http://technet.microsoft.com/en-us/security/advisory/2661254
    Image:The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino

    So let's get this fixed by applying some small modifications to the template so the key size can be adjusted when needed. At the same time we can also make the default validity period configurable.

    HTTP/SSL in Domino 9.0 - more Notes.ini variables to be removed after upgrade- 12 March 2014 - (0) Comments

    Thomas Hampel
     12 March 2014

    After upgrading to Domino 9.0 some users (but not all) claimed they were unable to access a server via HTTP; specifically, iNotes access to one server failed while access was okay on other servers.

    Quick check:
    • Domino HTTP task was running fine
    • TCP port 80 was responding
    • Redirect to SSL seemed not to work (Error "The connection was interrupted")
    With the help of my colleagues we were looking at the console and found a number of errors showing up:

    HTTP Server: SSL handshake failure, no website found for IP address [123.123.123.123]
    [...]
    New SSL session data length of 5132 bytes is larger than the current size of 5000 bytes.

    Especially the second error message caused me to start thinking... Yes! I did remember there was an issue with earlier releases of Domino, where Technote 1220425 suggested setting two Notes.ini variables to fix a crash related to SSL
    SSL_SESSION_SIZE
    SSL_USE_ADDSESSION2

    Of course these Notes.ini variables were still in place and still work -- they are not obsolete as such (see list of obsolete Notes.ini variables)
    However, after upgrading to Domino 9.0 they are no longer required and as we have seen even cause problems if set too small.

    Resolution:
    1.) Remove these two variables as  (Reference : IBM Technote 1657588)
    2.) Restart the HTTP task
    ...and iNotes with SSL is working again.

    Testing knowledge - IBM Certified Advanced System Administrator Notes and Domino 9.0 - 11 February 2014 - (1) Comments

    Thomas Hampel
     11 February 2014

    Two weeks ago at IBM Connect 2014 attendees were able to test their knowledge in the IBM Certification Lab.
    Most of the IBM Certification tests were offered, so I decided to sign up and give it a try without any preparation.


    For updating my existing Advanced System Administrator certificate to version 9.0 level, the following two tests were required

    Both tests were simple, for Traveler you need to know how to configure Traveler in high availability mode and for the Upgrade exam most questions were about SAML & OpenSocial.

    Having passed the upgrade exam and the IBM Traveler exam, this certificate was sent to me as an official statement that I have qualified as IBM Certified Advanced System Administrator for Notes & Domino 9.0


    Image:Testing knowledge - IBM Certified Advanced System Administrator Notes and Domino 9.0

    Next action: updating my Certified Advanced Development Certificate to version 9.0 and signing up for Connections & Sametime tests.

    IDVault - ID file upload fails with Error 03:11- 16 August 2013 - (1) Comments

    Thomas Hampel
     16 August 2013

    Problem
    A Notes ID is not uploaded to an IDVault although the configuration of the Client itself as well as the IDVault incl. its trust certificates seem to be correct.


    Analysis

    The administrator wanted to force the Notes client to upload his ID file to the server. Since there already was an (old) ID file stored in the vault, it had been deleted manually.
    However, the client still doesn't upload its local user ID.

    Looking at the servers log file / Security Events....

    Image:IDVault - ID file upload fails with Error 03:11
    provided a few hints about the problem:


    > Unable to find ID for 'dummy username/OU/O' in vault 'O=IDVault'.  Error: 03:11
    > ID failed to authenticate in vault 'O=IDVault'.  'dummy username/OU/O' (IP address 10.10.10.10:57739) made request.  Error: 03:11


    and further down other user names:

    > Error: Entry not found in index

    Indicating a view isn't updated...


    Resolution

    1.) Update the view index for the hidden view $IDFile in the IDVault database by using the following command
    load updall -R IBM_ID_VAULT\IDvault.nsf

    2.) Remove the pending name change as described in my previous blog post id-vault-error-0311.htm


    Hint: Although this has fixed the problem in my case, there's more to know.

    IDVault does not honor view updates made directly in the database, maybe for performance reasons.
    There is a DEBUG parameter for the IDVault which can override this behaviour so that VIEWUPDATES are being reflected/enabled.

    Create a replica without having direct server access- 5 July 2013 - (0) Comments

    Thomas Hampel
     5 July 2013

    Here the problem:
    You want to create a new replica of an existing database on a server which you are responsible for, but you are not allowed to access the remote server.
    Not having access means your user ID is e.g. in an access deny group, or in a more simple scenario a firewall is blocking direct access.

    However, how would you pull a new replica from the remote server down to yours?
    The answer is simple - you can set up a replica stub on your server without the need of accessing the remote server.

    Step by step instructions

    1. Switch to your workspace, make sure you have no database selected.
    2. Use File\Replication\New Replica
    3. Type the Servername + Filename >from< which you want to pull the replica.

    Image:Create a replica without having direct server access
    4. Click "Select"
    Now your client will try to connect to the remote server, which of course won't work.

    Image:Create a replica without having direct server access
    5. A dialog box will display, showing an incomplete question

    Image:Create a replica without having direct server access
    Here you have to select "Yes" without knowing what the question actually means.
    Note: Obviously that's a bug, but it seems that it has not been fixed yet.
    6. Choose to which server you want to put the replica, also define a file name of your choice.
    7. Disable "Create Immediately"

    Image:Create a replica without having direct server access
    8. Hit okay to create an uninitialized replica stub
    9. Last and final step is to replicate this database on console level using the command:

        >pull remoteserver/ou/o localpath/filename.nsf

    A note for beginners:
    Your server also must be allowed to read from the remote server and the target server needs to know how to reach the source server...so make sure you have proper name resolution or connection documents in place.

    Achieving (a working) high availability with IBM Lotus iNotes- 2 July 2013 - (1) Comments

    Thomas Hampel
     2 July 2013

    Update: For configuring High Availability for HCL Verse please refer to this technote: Configuring a Proxy for HCL Verse High Availability

    We all like well working products and love good documentation, even better when there is a step by step instruction on how to set up a specific configuration to work perfectly.
    One of those often referenced instructions is an IBM developerWorks article "Achieving high availability with IBM Lotus iNotes" based on a product from BigIP F5 which explains a clever reverse proxy configuration for optimizing performance.

    Unfortunately the configuration outlined there DOES NOT WORK because it contains multiple errors/failures/mistakes.

    Following instructions step by step will make it impossible to get the expected solution in place. Let me explain the problem in more details.


    For a small environment with only two servers in one cluster, you won't notice any problem, everything seems to work perfectly.
    What you don't know is that the iRule does not work, and traffic is always dispatched to both of your servers. As soon as you have multiple clusters involved the problem becomes visible.


    From time to time users receive "Error 404 - HTTP Web Server: Lotus Notes Exception - File does not exist" which indicates that traffic was routed to a server that doesn't host the file requested.


    The (not working) documentation has been published in at least two other places, a DominoWiki Article and a WhitePaper

    http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Achieving_high_availability_with_IBM_Lotus_iNotes
    http://www.f5.com/pdf/deployment-guides/f5-ibm-inotes-dg.pdf

    Let's get back to the roots - according to the developerWorks article this is what (in theory) should happen:

    BigIP F5 reverse proxy appliance will intercept inbound HTTP requests which end with ".nsf" and are not dedicated to "names.nsf"

    Domino will figure out which servers are hosting the requested file and will return a list of server DNS names in form of an HTTP header.


    The problems are:
    • BigIP will send traffic to any server in the server pool which is configured - so your session can end up on any random cluster/server which may not host the database you are looking for.
    • Domino lookups are performed towards the local "cldbdir.nsf" which holds information from databases in this cluster only. What if there are multiple clusters involved?
    According to the documentation: "X-Domino-ReplicaServers is returned when the service finds the relevant path within its own cluster, whereas X-Domino-ClusterServers is returned only when the mail servers are part of a different cluster."
    but the iRule itself is only referring to "X-Domino-ClusterServers", the other header "X-Domino-ReplicaServers" is never used. #fail !


    Let's look into details:

    In Domino, a customized ServersLookup form in "iwaredir.nsf" is used to look up the "cldbdir.nsf" to figure out what servers are hosting the file and will return this information as part of an HTTP header.
    Sniffing network traffic using Wireshark shows that the HTTP header is never returned, it also shows that the URL referenced in the iRule is never called.

    The iRule documented in Appendix B calls the (modified) ServersLookup form to retrieve the list of servers as an HTTP header,

    HTTP::uri /iwaredir.nsf/ServersLookup?OpenForm&nsfpath=$nsf



    unfortunately this iRule is never called, because it is expecting the request URL to >end< with ".nsf"


    if { ([HTTP::uri] ends_with ".nsf") and not ([HTTP::uri] contains "names.nsf")}{



    Ok, let's try to fix it!

    Resolving the problem requires changes on both sides, multiple changes in Domino and a slight change to the F5 iRule. I'm trying to cover the modifications step by step:

    Part 1 - Let's start with the iRule,

    here you need to change the if-clause to check for "path" rather than "uri", and also exclude any lookups towards "iwaredir.nsf", changes are highlighted in bold.


    if { ([HTTP::path] ends_with ".nsf") and not ([HTTP::path] contains "iwaredir.nsf") and not ([HTTP::path] contains "names.nsf")}{



    Part 2 - Database Catalog

    In order to find the correct servers at the first attempt, my idea was to look up the (in our case always perfect) database catalog to find the servers hosting the requested file.

    To do that we will need to create a new (hidden) view in the catalog.nsf with two columns
    View Formula: SELECT @IsAvailable(ReplicaID) & @IsUnavailable(RepositoryType)
    Column1 Formula: Pathname
    Column2 Formula: ReplicaID2 := @If((@Text(ReplicaID; "*") = "00000000:00001601"); "Non-replicatable files"; ReplicaID);
    @Text(ReplicaID2; "*")
    Column2 Programmatic Use: TextReplicaID







    Part 3 - ServersLookup

    Now let's make use of the view by updating the code in the "ServersLookup" form of the file iwaredir.nsf.

    If no parameter is provided, it's assumed the user wants to access his mail server.
    The code behind the $$HTMLHead field should look like this:



    tmpDebug := "";
    tmpNSFPath := @ReplaceSubstring(@URLDecode("Domino"; @UrlQueryString("nsfpath")); "/"; "\\");
    @If(tmpNSFPath = ""; tmpNSFPath := @Name([Canonicalize]; @NameLookup([NoUpdate]; @UserName; "MailFile")); "");

    REM {Lookup home mail server};
    tmpHomeServer := @Name([Canonicalize]; @NameLookup([NoUpdate]; @UserName; "MailServer"));
    tmpLookupKey := @ReplaceSubstring(tmpNSFPath; "\\"; "/");

    REM {Get replicaID of this mail file};
    tmpReplicaID := @DbLookup("":""; "":"catalog.nsf"; "($LookupServerFilename)"; tmpLookupKey; "TextReplicaID");

    REM {Find all servers who are hosting this replicaID};
    tmpServers := @DbLookup("":""; "":"catalog.nsf"; "($ReplicaID)"; tmpReplicaID; "Server");
    tmpServers := @If(@IsError(tmpServers); ""; tmpServers);

    REM {Is Home Mail server in list of servers, then move this up to the front of the list};
    tmpServers := @If(@IsMember(tmpHomeServer; tmpServers); tmpHomeServer : @Transform(tmpServers; "x"; @If(x = tmpHomeServer; @Nothing; x)); tmpServers);
    tmpDNSNames := "";

    REM {Resolve host names for each server name in list};
    tmpLimit := @Elements(tmpServers) + 1;
    @For(n := 1; n < tmpLimit; n := n + 1;
      tmpHTTPHostNameALT := @Subset(@DbLookup("":""; "":"names.nsf"; "($ServersLookup)"; tmpServers[n]; "HTTP_Hostname"); 1);
      tmpServerFQDN := @Subset(@DbLookup("":""; "":"names.nsf"; "($ServersLookup)"; tmpServers[n]; "SMTPFullHostDomain"); 1);
      tmpString := tmpString + @Text(n) + tmpHTTPHostNameALT + tmpServerFQDN;
      tmpDNSNames := @If(@Length(tmpDNSNames) > 0; tmpDNSNames + ","; "") + @LowerCase(@If(tmpHTTPHostNameALT != ""; tmpHTTPHostNameALT; tmpServerFQDN))
    );

    REM {Return results to F5};
    @SetHTTPHeader("X-Domino-ClusterServers"; tmpDNSNames);
    @SetHTTPHeader("Cache-control"; "no-store");
    @If(tmpDebug = ""; ""; "")
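The two if-clauses and the ServersLookup logic above, modelled in Python as an added example (this is not the article's iRule or Formula code). The sample URIs, server names, replica IDs and host names are constructed, and the catalog and directory are reduced to plain lists and dicts.

```python
from urllib.parse import urlsplit


def original_condition(uri):
    """Published iRule: tests HTTP::uri, i.e. path plus query string."""
    return uri.endswith(".nsf") and "names.nsf" not in uri


def fixed_condition(uri):
    """Corrected iRule: tests HTTP::path and also skips iwaredir.nsf."""
    path = urlsplit(uri).path
    return (path.endswith(".nsf")
            and "iwaredir.nsf" not in path
            and "names.nsf" not in path)


def cluster_servers_header(nsf_path, home_server, catalog, directory):
    """Model of the ServersLookup formula: value for X-Domino-ClusterServers.

    catalog   -- rows of (server, pathname, replica_id), as in catalog.nsf
    directory -- server -> (HTTP_Hostname, SMTPFullHostDomain), as in names.nsf
    """
    key = nsf_path.replace("\\", "/").lower()
    replica_ids = [rid for _, path, rid in catalog
                   if path.replace("\\", "/").lower() == key]
    if not replica_ids:
        return ""  # file not in the catalog: empty header
    servers = []
    for server, _, rid in catalog:
        if rid == replica_ids[0] and server not in servers:
            servers.append(server)
    # The home mail server moves to the front when it hosts a replica.
    if home_server in servers:
        servers.remove(home_server)
        servers.insert(0, home_server)
    names = []
    for server in servers:
        http_host, smtp_fqdn = directory.get(server, ("", ""))
        names.append((http_host or smtp_fqdn).lower())
    # Skipping servers without any host name is a choice of this model.
    return ",".join(name for name in names if name)


# Constructed sample data
SAMPLE_URIS = [
    "/mail/jdoe.nsf",
    "/mail/jdoe.nsf?OpenDatabase",
    "/names.nsf?Login",
    "/iwaredir.nsf/ServersLookup?OpenForm&nsfpath=mail/jdoe.nsf",
]
CATALOG = [
    ("CN=Mail1/O=Example", "mail\\jdoe.nsf", "C1257B9A:0034F2D1"),
    ("CN=Mail2/O=Example", "mail\\jdoe.nsf", "C1257B9A:0034F2D1"),
    ("CN=Mail3/O=Example", "mail\\asmith.nsf", "C1257B9A:0041AA07"),
]
DIRECTORY = {
    "CN=Mail1/O=Example": ("", "mail1.example.com"),
    "CN=Mail2/O=Example": ("WebMail2.Example.com", "mail2.example.com"),
    "CN=Mail3/O=Example": ("", "mail3.example.com"),
}

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{uri:60} original={original_condition(uri)} "
              f"fixed={fixed_condition(uri)}")
    print(cluster_servers_header("mail/jdoe.nsf", "CN=Mail2/O=Example",
                                 CATALOG, DIRECTORY))
```

The original condition misses a database URL as soon as it carries a query string, and it matches the lookup URL itself because the nsfpath parameter ends in ".nsf"; the path-based condition does neither.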



    Update:

    Session persistence is causing some headaches when F5 needs to select an address from the pool. To work around this issue you can use this iRule

    inotes-irule.txt


    Result:

    No more nasty HTTP404 unless the database really can not be found anywhere.
    Of course even this solution depends on a few assumptions, one is that the catalog must be up to date and must be replicating within the environment.


    Disclaimer: Use at your own risk, no warranty is provided. However, please let me know if you have further suggestions how to improve this solution.

    Notes and Domino 9.0- 22 March 2013 - (0) Comments

    Thomas Hampel
     22 March 2013

    IBM just announced the availability of IBM Notes and Domino 9.0 Social Edition.
    The software packages are available to download from Passport Advantage, in specific the part numbers are:

    System requirements for IBM Notes and Domino 9.0 Social Edition
    If you are interested to know what has been changed from previous versions, take a look at the fix list
    http://www-10.lotus.com/ldd/fixlist.nsf/%28Progress%29/90

    Recover your Domino SSL Keystore password- 27 February 2013 - (2) Comments

    Thomas Hampel
     27 February 2013

    In a situation where you need to verify the contents of a Domino SSL key ring file (*.kyr) it's very useful to know the password to that key ring.
    Unfortunately that's not always the case, e.g. when inheriting a server for which no documentation exists, or in simple terms when you forgot the password.

    In order to recover the password in clear text, just enable the debug parameter SSL_TRACE_KEYFILEREAD=1 in the Notes.ini
    To avoid any impact to production, you might want to do this in an isolated environment like a fresh installed Domino server or a test server you already have.

    So this is what you have to do:
    1. Install a new isolated Domino server (or use a test server of your choice)
    2. Copy the *.kyr + *.sth file from the production server to the new server
    3. Configure the HTTP task to make use of this key ring file, by updating the server document/internet ports, or by updating the internet site / security configuration.
    4. Enable the Notes.ini parameter by typing this command at the server's console
      set config SSL_TRACE_KEYFILEREAD=1
    5. Restart the HTTP task
      tell http restart
    6. Watch the console to obtain the password in plain text:

    ReadKeyfile> Recovering password from stash file
    ReadKeyfile> Password is ABCDEFGH
    ReadKeyfile> Reading keyfile /opt/IBM/notesdata/keyfile.kyr
    ReadKeyfile> Looking for trusted roots
    ReadKeyfile> Found trusted roots
    ReadKeyfile> Exit status = 0
    ReadKeyfile> Recovering password from stash file
    ReadKeyfile> Password is ABCDEFGH
    ReadKeyfile> Reading keyfile /opt/IBM/notesdata/keyfile.kyr
    ReadKeyfile> Looking for cert chain
    ReadKeyfile> Got cert chain
    ReadKeyfile> Exit status = 0
    ReadKeyfile> Recovering password from stash file
    ReadKeyfile> Password is ABCDEFGH
    ReadKeyfile> Reading keyfile /opt/IBM/notesdata/keyfile.kyr
    ReadKeyfile> Looking for private key
    ReadKeyfile> Decoding keys
    ReadKeyfile> Keys decoded
    ReadKeyfile> Exit status = 0
    HTTP Server: Using Internet Site Configuration View

    Now you can use the Domino Server Certificate Authority application to take a closer look into the *.kyr file.
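Because this trace writes the key ring password to the console, the following added example (not part of the original posts) flags the Notes.ini variables named on this page, the SSL trace flag from this post and the two session variables from the Domino 9.0 upgrade post, and masks `ReadKeyfile> Password is` lines in captured console output. The sample notes.ini and log text are constructed; comparing variable names case-insensitively is an assumption.

```python
import re

# Notes.ini variables named on this page and why a leftover entry matters.
FLAGGED = {
    "SSL_TRACE_KEYFILEREAD":
        "debug trace writes the key ring password to the console",
    "SSL_SESSION_SIZE":
        "no longer required after upgrading to Domino 9.0; "
        "causes problems if set too small",
    "SSL_USE_ADDSESSION2":
        "no longer required after upgrading to Domino 9.0",
}

# Matches anywhere in the line so a console timestamp prefix does not matter.
PASSWORD_LINE = re.compile(r"(ReadKeyfile> Password is ).*")


def audit_notes_ini(text):
    """Return (line_number, variable, value, reason) for each flagged entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        name, sep, value = raw.partition("=")
        key = name.strip().upper()  # assumption: names are case-insensitive
        value = value.strip()
        if not sep or key not in FLAGGED:
            continue
        if key == "SSL_TRACE_KEYFILEREAD" and value in ("", "0"):
            continue  # trace is switched off
        findings.append((lineno, key, value, FLAGGED[key]))
    return findings


def redact_console_log(text):
    """Mask passwords printed by the trace; return (clean_text, hits)."""
    hits = 0
    cleaned = []
    for line in text.splitlines():
        new_line, count = PASSWORD_LINE.subn(r"\1[REDACTED]", line)
        hits += count
        cleaned.append(new_line)
    return "\n".join(cleaned), hits


# Constructed sample input
SAMPLE_INI = """[Notes]
Directory=/local/notesdata
SSL_SESSION_SIZE=5000
SSL_USE_ADDSESSION2=1
ssl_trace_keyfileread=1
ServerTasks=Replica,Router,Update,AMgr,HTTP
"""

SAMPLE_LOG = """ReadKeyfile> Recovering password from stash file
ReadKeyfile> Password is ABCDEFGH
ReadKeyfile> Reading keyfile /opt/IBM/notesdata/keyfile.kyr
ReadKeyfile> Exit status = 0
ReadKeyfile> Recovering password from stash file
ReadKeyfile> Password is ABCDEFGH
HTTP Server: Using Internet Site Configuration View
"""

if __name__ == "__main__":
    for lineno, key, value, reason in audit_notes_ini(SAMPLE_INI):
        print(f"notes.ini line {lineno}: {key}={value} ({reason})")
    clean, hits = redact_console_log(SAMPLE_LOG)
    print(f"{hits} password line(s) masked")
    print(clean)
```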

    Change ReplicaID of existing DBs without creating a Notes Copy- 23 February 2013 - (0) Comments

    Thomas Hampel
     23 February 2013

    If you want to change the replicaID of a database without doing a Notes Copy, feel free to use this small script:
    ChangeReplicaID.lss

    Enable ’Show in-line MIME images as attachments’ via Policies- 11 February 2013 - (0) Comments

    Thomas Hampel
     11 February 2013

    Some Notes client preferences can not be enabled via Domino Policies because the values are not exposed as a parameter in the Domino Directory template.
    One of them is "Show in-line MIME images as attachments"
    Image:Enable ’Show in-line MIME images as attachments’ via Policies

    In order to enable/disable this setting, you'll have to set a Notes.ini variable via policies
    ShowIMIMEImagesAsAttachments=1

    Instead of modifying the Domino Directory template it's enough to add this variable in the custom settings section of the Desktop policy settings.
    Image:Enable ’Show in-line MIME images as attachments’ via Policies
    Image:Enable ’Show in-line MIME images as attachments’ via Policies

    IBM Lotus Connector for SAP Solutions with IBM Lotus Enterprise Integrator for Domino 8.5.3 64-bit- 23 January 2013 - (2) Comments

    Thomas Hampel
     23 January 2013

    For running IBM Lotus Connector for SAP Solutions with the 64bit version of IBM Lotus Enterprise Integrator for Domino 8.5.3, you will need the following packages:

    Part nr.         Software name
    CRG0LEN        IBM Lotus Enterprise Integrator for Domino V8.5.3 Multi O/S English 64-bit
    CZN8CEN        IBM Lotus Connector for SAP Solutions 2.0.1 64-bit

    Unfortunately this is not enough - according to the LEI documentation there should be one more file "librfc32.dll" which is missing
    librfc32.dll                <- not present in the package, missing !
    librfc32u.dll
    Icudt*.dll
    Icuin*.dll
    Icuuc*.dll
    libsapucum.dll

    The file can be found in the 64-bit version of SAP RFC SDK 6.40 kit which is not part of the IBM packages.
    This software is only available from SAP via the SAP Marketplace, so download and unpack the SAP RFC SDK to find the DLL you are looking for.

    Copy the DLL files from the SDK into the same place as the other libraries above (e.g. C:\WINDOWS\SYSTEM32\ ) to make the SAP Connector work.

    How to supply your admin with a precise copy of a mail for further analysis- 13 December 2012 - (0) Comments

    Thomas Hampel
     13 December 2012

    Have you ever been in the situation when a user had to supply an admin with an example of the message incl. header information?
    Forwarding copies or replied mails are unusable regardless of how they are saved.


    In order to supply admins with what they need for further analysis, please follow these instructions...

    Lotus Notes 6.x-8.x
    1. From the Lotus Notes mail database window, select the message you want to submit.
    2. Open the message full view (not preview mode).
    3. From the "View" menu, select "Show" then "Page Source".
    4. From the "File" menu, select "Export."
    5. In the "Export" pop-up window, enter a filename and choose a location to save the file.
      From the "Save as type" drop-down list select "ASCII Text." After entering the filename, press "Export."
    6. In the next dialog box, select "Default Character Set" and then click OK.

    Lotus Notes 5.x and below
    1. From the Lotus Notes mail database window, select the message you want to submit.
    2. From the "File" menu, select "Export."
    3. In the "Export" pop-up window, enter a filename and choose a location to save the file.
      From the "Save as type" drop-down list select "Structured Text." After entering the filename, press "Export."
    4. Select "Selected documents" in "How Much to Export" of the "Structured Text Export" dialog box, and press OK.
      Now, save the text file in the location you designated in Step 3.

    And in case anyone is still using less functional mail clients....

    Note: Some versions of Outlook offer two options to save an .msg file - one is "Outlook Message Format", the other is "Outlook Message Format - Unicode". You should NOT select the Unicode format, this could cause problems when you save and submit the file.

    Microsoft Office Outlook 2003/2010
    1. Open Microsoft Office Outlook 2003.
    2. Double click to open the email message that you want to save.
    3. From the "File" menu, select "Save As."
    4. The "Save As" pop-up window displays. Select "Outlook Message Format" from the "Save as type" drop-down list.
    5. Select the folder in which you want to save the message. Note, the "File name" is provided by default. You can change this if you want.
    6. Click "Save." The message is saved with an ".msg" file extension.

    Microsoft Office Outlook XP
    1. Open Microsoft Office Outlook XP.
    2. Double click to open the email message that you want to save.
    3. From the "File" menu, select "Save As."
      The "Save As" window displays. Select "Message Format (*.msg)" in the "Save as type" drop-down list.
    4. Select the folder in which you want to save the message. Note, that the "File name" is provided by default. You may change this if you want.
    5. Click "Save." The message is saved with an ".msg" file extension.

    Microsoft Outlook Express
    1. Open Microsoft Outlook Express.
    2. Double click to open the email message that you want to save.
    3. From the "File" menu, select "Save As."
    4. The "Save Message As" pop-up window displays. Select "Mail (*.eml)" from the "Save as type" drop-down list.
    5. Select the folder that in which you want to save the message. Note, the "File name" is provided by default. You can change this if you want.
    6. Click "Save." The message is saved with an ".eml" file extension.

    Apple (Mac) Mail
    1. Select the message you want to save.
    2. From the "File" menu, select "Save as ..."
    3. In the pop-up window, select the format "Raw Message Source"
    4. Save with a filename including a .txt or .eml extension

    Other Mail User Agents
    Save the email that you want to report as a text file. Make sure that the message is as close to its original form as possible. Your mail client might allow you to save rendered text as well as the original source -- it is the original "raw source" that is needed. Make sure the original email headers are intact and included in RFC-822 format. Typical file name extensions are .eml and .txt

    Please attach .txt/.msg/.eml file to a new email which you can send to your administrator.

    TechLesson of the day - Language Pack installer does not find Domino server- 7 November 2012 - (2) Comments

    Thomas Hampel
     7 November 2012

    A small lesson learned today:

    When applying a language pack to a Domino server, the following error message will appear
    Could not find any indications of a Domino server in your selected paths, either path(s) are incorrect, or you do not have a Domino server at the location. please confirm selected path(s) are correct. [OK]

    Root cause: The Domino data directory did not contain the file "pubnames.ntf"; some admin thought it would be a good idea to delete all *.ntf files from the server.
    So of course a Language Pack could not be installed.

    In case of further problems, check this technote for troubleshooting language pack installation issues.
    http://www-01.ibm.com/support/docview.wss?uid=swg21229337

    Exporting Notes Documents- 2 October 2012 - (1) Comments

    Thomas Hampel
     2 October 2012

    A customer wanted to have all attachments of some selected Notes documents exported to the file system and also wanted to keep an option for developers to access the metadata of the original Notes documents.
    Nothing easier than that, so I wrote this small script to get the job done.


    First the entire document is exported into DXL, then all attachments are detached to the file system. Both parts are not rocket science, but some people might want to reuse the code.
    To avoid name conflicts while detaching files a folder is created for each Notes document so all attachments of this Notes document will be stored in this subfolder.


    Option Public
    Option Declare

    '# running counter used to make duplicate attachment names unique
    Dim gCounter&

    Sub Initialize
        Dim s As New NotesSession
        Dim coll As NotesDocumentCollection
        Dim BasePath$

        BasePath$ = InputBox ("Export data to path...: ", "Export", "C:\")
        '# InputBox returns an empty string when the dialog is cancelled
        If BasePath$ = "" Then Exit Sub

        '# add backslash at the end
        If Right (BasePath$,1) <> "\" Then BasePath$ = BasePath$ & "\"

        Print "Using BasePath : " & BasePath$

        Set coll = s.currentdatabase.Unprocesseddocuments
        If coll Is Nothing Then
            MessageBox "No documents selected"
        Else
            Print "Processing " & coll.count & " documents..."
            Call ExportToDXL (coll, BasePath$)
            Call ExportToFile (coll, BasePath$)
            MessageBox "Export completed."
        End If
    End Sub

    Function ExportToDXL (Coll As NotesDocumentCollection, BasePath As String)
        Dim session As New NotesSession
        Dim stream As NotesStream
        Dim DXLfilename$
        Dim doc As NotesDocument
        Dim tdoc As NotesDocument
        Dim exporter As NotesDXLExporter

        If coll Is Nothing Then Exit Function

        Set doc = coll.getfirstdocument
        While Not doc Is Nothing
            Set tdoc = coll.getNextDocument (doc)

            '# open a DXL file named after the UNID of the current document
            Set stream = session.CreateStream
            DXLfilename$ = BasePath$ & doc.universalid & ".dxl"
            If Not stream.Open(DXLfilename$) Then
                MessageBox "Cannot open " & DXLfilename$,, "Error"
                Exit Function
            End If
            '# discard the content of a file left over from an earlier export
            Call stream.Truncate

            '# kick off the exporter process
            Set exporter = session.CreateDXLExporter
            Call exporter.SetInput(doc)
            Call exporter.SetOutput(stream)
            Call exporter.Process

            '# release the file handle before moving on to the next document
            Call stream.Close

            Set doc = tdoc
        Wend
    End Function

    Function ExportToFile (coll As NotesDocumentCollection, BasePath As String)
        On Error GoTo ErrH
        Dim doc As NotesDocument
        Dim tdoc As NotesDocument
        Dim rtitem As Variant
        Dim targetpath$, fname$
        Dim FieldList(0) As String

        '# define which fields to scan for attachments
        FieldList (0) = "Body"

        If coll Is Nothing Then Exit Function

        Set doc = coll.getfirstdocument
        While Not doc Is Nothing
            Set tdoc = coll.getNextDocument (doc)
            If doc.Hasembedded Then
                '# one subfolder per document, named after its UNID
                targetpath$ = BasePath$ & doc.universalid & "\"
                If Dir$ (BasePath$ & doc.universalid, 16) = "" Then MkDir targetpath$

                '# loop list of fields
                ForAll f In FieldList
                    Set rtitem = doc.GetFirstItem(f)
                    If Not rtitem Is Nothing Then
                        If (rtitem.Type = RICHTEXT ) Then
                            '# make sure the field contains some objects and detach
                            If IsArray(rtitem.embeddedObjects) Then
                                ForAll o In rtitem.EmbeddedObjects
                                    If ( o.Type = EMBED_ATTACHMENT ) Then
                                        fname$ = o.Name
                                        '# prefix the counter when a file of that name already exists in the target folder
                                        If Dir$ (targetpath$ & fname$) <> "" Then fname$ = CStr(gCounter&) & fname$
                                        Call o.ExtractFile(targetpath$ & fname$)
                                        gCounter& = gCounter& + 1
                                    End If
                                End ForAll
                            End If
                        End If
                    End If
                End ForAll
            End If
            Set doc = tdoc
        Wend
    continue:
        Exit Function

    errH:
        '# breakpoint when running under the LotusScript debugger
        Stop
        Print "Error " & Err() & " in line " & Erl() & " - " & Error
        Resume continue
    End Function

    EMC SourceOne- 27 September 2012 - (0) Comments

    Thomas Hampel
     27 September 2012

    When running EMC SourceOne with Domino, it might happen that users can only see a subset of the mails they have received, even if the mail itself is stored in the EMC system.
    Here are the details...


    Problem
    When logging in with Active Directory credentials, users can only see emails which have been sent to the internet address of that user.
    Logging in with Notes/Domino user name and HTTPPassword, only the Lotus Notes mails can be found.

    Analysis
    By opening one email in each account and looking at the header, it became clear that EMC SourceOne can not associate the AD user name with the Notes user name.
    The Notes user name is stored in a custom attribute of the Active Directory user object, but there is no option to customize the EMC software to make use of this attribute.

    For each mail, EMC seems to use the recipients name as a string to search ActiveDirectory. So if the mail has been sent to "firstname.lastname@company.com" it will find a corresponding user in AD and can associate it with the user.
    When the mail is sent to "Firstname Lastname/OU/O", there is no corresponding user in AD, at least not among the list of objects which EMC is searching in.

    Those of you who have already migrated from Exchange to Domino already know that for perfect CoExistence between both systems, the AD user needs to have a Notes proxyAddress defined.
    Based on this knowledge it was easy to resolve the problem.


    Solution
    Adding the Notes user name to the list of email addresses ("proxyAddresses") in the AD user object resolved the issue.

    The result is another proxy address "NOTES:CN=Firstname Lastname/OU=X/O=Y" in addition to the internet address itself.

    Domino Program documents and schedule- 6 September 2012 - (1) Comments

    Thomas Hampel
     6 September 2012

    Problem: A customer reported that Domino would not respond at a specific point in time, but the servers don't crash - they are unresponsive.

    Analysis: Looking into the Domino server logs at about the time when the problem was reported showed that some scheduled tasks were running.
    While scrolling down the logs it became clear that the compact task was blocking access to the server's system databases - in this case log.nsf - which caused the server to ignore incoming requests.

    From the end user's point of view the server came to a halt, while from the server's point of view all was okay.


    Action:
    Getting Domino program documents scheduled perfectly can be a long journey. Here is my recommendation on how to do it right.
    Program: convert
    Command Line: -l mailprimary.ind
    Schedule: 18:50 each day
      Repeat interval of: 0 minutes
      Days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat
    Comments: Generates a list of mail files by reading people's mail files from the Domino Directory and writes the list into an IND file.

    Program: compact
    Command Line: -A mailprimary.ind
    Schedule: 19:00 each day
      Repeat interval of: 0 minutes
      Days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat
    Comments: Archive data but don't reduce the mail file size, because compacting will be done through another program document.

    Program: compact
    Command Line: -B -S 20 -w
    Schedule: 23:00 each day
      Repeat interval of: 0 minutes
      Days of week: Fri
    Comments: Once per week, reduce the file size if there is at least 20% whitespace in the file.
      Exclude system DBs with option -w; for servers before 8.5.4 this requires the variable DEBUG_ENABLE_COMPACT_8_5=1
      Note: Reducing the file size for every file every day will just increase the level of fragmentation and will reduce performance.

    Program: compact
    Command Line: -b -w
    Schedule: 23:00 each day
      Repeat interval of: 0 minutes
      Days of week: Sun, Sat
    Comments: Make sure the white space is located at the end of the NSF file for better performance when creating new documents.
      Note: Do not run on Friday, due to backup.

    Program: compact
    Command Line: -b log.nsf
    Schedule: 04:30 each day
      Repeat interval of: 0 minutes
      Days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat
    Comments: Special schedule for log.nsf after 04:00 when purge has been completed.
      To make sure the white space is located at the end of the NSF file for better performance when creating new documents.

    Program: catalog
    Schedule: 01:00 each day
      Repeat interval of: 0 minutes
      Days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat
    Comments: Updates information in catalog.nsf

    Program: updall
    Schedule: 02:00 each day
      Repeat interval of: 0 minutes
      Days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat
    Comments: Updates existing views

    Program: statlog
    Schedule: 05:00 each day
      Repeat interval of: 0 minutes
      Days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat
    Comments: Record statistics

    Program: daosmgr
    Command Line: resync
    Schedule: 23:30 each day
      Repeat interval of: 0 minutes
      Days of week: Mon, Wed, Fri
    Comments: Every second day resync the DAOS repository

    Program: collect
    Schedule: At server startup only
    Comments: Remark: Make sure the task is not loaded in the Notes.ini via “ServerTasks=”

    Program: http
    Schedule: At server startup only
    Comments: Remark: Make sure the task is not loaded in the Notes.ini via “ServerTasks=”

    Program: rnrmgr
    Schedule: At server startup only
    Comments: Remark: Make sure the task is not loaded in the Notes.ini via “ServerTasks=”

    Program: (n)server
    Command Line: -c "tell sched validate"
    Schedule: 02:00 each day
      Repeat interval of: 0 minutes
      Days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat
    Comments: Rebuilds the clubusy/busytime

    Program: (n)server
    Command Line: -c "tell mtc purge 7"
    Schedule: 00:00 each day
      Repeat interval of: 0 minutes
      Days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat
    Comments: Purge data older than 7 days from the message tracking store





    Optional Program Documents for Specific Server Types
    Program: (n)server
    Command Line: -c "tell router compact"
    Schedule: 18:00 each day
      Repeat interval of: 0 minutes
      Days of week: Sun
    Comments: This will reduce the file size of the mail.box'es, but will increase fragmentation on disk. Not recommended for servers with high mail volume.




    Of course no one is perfect, so any comments and suggestions for improvements are very welcome!

    ID Vault - Error 03:11- 8 June 2012 - (0) Comments

    Thomas Hampel
     8 June 2012

    When deploying the IDVault, administrators may see the following error in the Log.nsf of the server hosting the IDVault.

    06/08/2012 04:54:18 PM  ID failed to upload to vault 'O=XYZ-IDVault'.  'Firstname Lastname/OU/O' (IP Address a.b.c.d:port) made request.  Error: 03:11
    06/08/2012 04:59:16 PM  Unable to find ID for 'Firstname Lastname/OU/O' in vault 'O=XYZ-IDVault'.  Error: 03:11


    The root cause for this is a pending name change request which was not applied to the user. Take a look into the person document of this user, especially the tab "Administration";
    the Client Information section will display whether there are any pending name change requests outstanding.

    Technically the name change request is stored in a field called "ChangeRequest", supported by "ChangeRequestDate" which is storing the date/time of when this request was initiated.
    In my particular case, the name change request was almost 3 years old and it was not possible to find out what has caused this request to still appear in the system.

    Workaround:

    Remove both fields (or set them to an empty value), e.g. by using the Change Any Field method.
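To find every user whose person document should be checked for a stale "ChangeRequest" field, the two log.nsf messages quoted above can be collected per user. The following Python sketch is an added example, not part of the original post; the first two sample lines are the ones from the post, the others (including the apostrophe name and the error code 01:02) are constructed.

```python
import re
from datetime import datetime

STAMP = r"(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d [AP]M)\s+"
TAIL = r"\s+Error: (?P<code>\d\d:\d\d)\s*$"
PATTERNS = {
    # Lazy .+? followed by a fixed suffix keeps names with an apostrophe intact.
    "upload": re.compile(
        STAMP + r"ID failed to upload to vault '(?P<vault>.+?)'\.\s+"
        r"'(?P<user>.+?)' \(IP Address .*?\) made request\." + TAIL),
    "lookup": re.compile(
        STAMP + r"Unable to find ID for '(?P<user>.+?)' in vault "
        r"'(?P<vault>.+?)'\." + TAIL),
}


def name_change_suspects(lines, code="03:11"):
    """Group ID Vault failures with the given error code by (user, vault)."""
    seen = {}
    for line in lines:
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m or m["code"] != code:
                continue
            # The post's log uses MM/DD/YYYY with a 12-hour clock.
            when = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
            rec = seen.setdefault((m["user"], m["vault"]), {
                "user": m["user"], "vault": m["vault"],
                "upload": 0, "lookup": 0, "first": when, "last": when})
            rec[kind] += 1
            rec["first"] = min(rec["first"], when)
            rec["last"] = max(rec["last"], when)
    return sorted(seen.values(), key=lambda r: (r["user"], r["vault"]))


SAMPLE_LOG = [
    "06/08/2012 04:54:18 PM  ID failed to upload to vault 'O=XYZ-IDVault'.  "
    "'Firstname Lastname/OU/O' (IP Address a.b.c.d:port) made request.  Error: 03:11",
    "06/08/2012 04:59:16 PM  Unable to find ID for 'Firstname Lastname/OU/O' "
    "in vault 'O=XYZ-IDVault'.  Error: 03:11",
    # Constructed lines below: apostrophe in the name, another code, unrelated text.
    "06/08/2012 05:02:40 PM  Unable to find ID for 'Pat O'Brien/OU/O' "
    "in vault 'O=XYZ-IDVault'.  Error: 03:11",
    "06/08/2012 05:03:00 PM  Unable to find ID for 'Other User/OU/O' "
    "in vault 'O=XYZ-IDVault'.  Error: 01:02",
    "06/08/2012 05:04:00 PM  (constructed unrelated console line)",
]

if __name__ == "__main__":
    for rec in name_change_suspects(SAMPLE_LOG):
        print(rec["user"], rec["vault"], rec["upload"], rec["lookup"], rec["last"])
```

Each returned user is only a candidate: the person document still has to be opened to confirm that "ChangeRequest" and "ChangeRequestDate" are set.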

    Can’t contact LDAP server- 1 June 2012 - (0) Comments

    Thomas Hampel
     1 June 2012

    Authenticating Domino users against a remote LDAP is nothing new. Some people have blogged about it or created a presentation already.
    Furthermore there are some good articles out there explaining the implementation of AD Authentication, Directory Integration and SPNEGO.

    When you're done with the configuration, things may run smoothly at first, but after a few days authentication may not work any longer.
    Restarting the server might help, but only for a short time frame - the reason for that is a bug in the Domino server referenced as SPR# AJMO8NVM8F where Domino seems not to find the remote LDAP server any longer.

    Steps to reproduce:
    1. Enable the following debug parameters:
       Debug_DirectoryAssistence=1
       WebAuth_Verbose_Trace=1
       LDAPDEBUG=512
    2. After some time, Domino may become unable to contact the remote LDAP server.
       The error message displayed at the console is the following:
       LDAP> connect_to_host:  EndPoint connect failed:  The remote server is not a known TCP/IP host.
       LDAP> Unable to chase references (Can't contact LDAP server)

    This issue has been documented in LO66491 http://www-304.ibm.com/support/docview.wss?uid=swg1LO66491
    It seems the problem still exists in Domino 8.5.3 with FixPack1, so if you run into this problem, open a PMR to get a hotfix.

    A temporary workaround is to issue the command "show xdir reload" at the server, which can also run as a scheduled program document every 30 minutes.
    It won't fix the issue itself, but it will reload the directory assistance tables, which resets the error state back to normal.

    Winmail.dat- 29 December 2011 - (1) Comments

    Thomas Hampel
     29 December 2011

    Every couple of years the same story...

    Lotus Notes/Domino users receive emails containing an attachment "winmail.dat" or "att00001.dat" which the Lotus Notes® client is unable to open.
    Examination of the document properties reveals that the message was sent as Content-Type: application/ms-tnef; name="winmail.dat", which actually is a format only used by Microsoft® Exchange/Outlook.

    The problem itself is described in IBM Technote 1093342
    http://www-01.ibm.com/support/docview.wss?rs=475&uid=swg21093342

    but let me point out that this clearly is not a problem caused by Lotus Domino; it is the fault of the sender, who has configured their messaging system to send the email in a Microsoft-specific TNEF format rather than using a common standard.
    The Microsoft TNEF format is not at all a public standard like those documented within RFCs. Even Microsoft pointed out that the TNEF format isn't RFC compliant (see Microsoft KBA #323483).

    According to IBM Technote 1093342, Domino administrators can enable a Notes.ini variable TNEFEnableConversion=1 on the server to improve the situation, but this can only be a short-term workaround because every time Microsoft decides to change the format of its TNEF file type, Domino won't be able to convert the data stored within. Furthermore, this file may contain specific content which Domino will never be able to convert properly, such as voting buttons or custom forms.

    A real solution is to fix the problem at the source, which is to remind the sender to turn off the sending of mails in TNEF format.
    Microsoft published a knowledge base article http://support.microsoft.com/kb/241538 a few years ago which suggests turning off the TNEF format either globally or per recipient.
    Once again, this can only be done by the sender, or actually the sender's administrator, not by the recipient.

    Please note:
    If the sender is using Microsoft Exchange 2007, the format of "winmail.dat" has changed compared to earlier versions, so conversion will NOT work in some cases!!!
    Since Microsoft is changing the format of the file winmail.dat whenever they want, the variable TNEFEnableConversion is not guaranteed to work all the time - Domino server crashes will be the result.
    This also is true for any upcoming changes in the file format.

    To avoid misunderstandings :
    • TNEF Format is not based on common standards
    • Email clients other than MS Outlook can not handle TNEF, because TNEF may contain elements such as forms or voting buttons.
    • TNEF is sent as encoded raw binary, independent of what is advertised by the receiving SMTP server. As documented in Microsoft KBA #323483, this technique is not RFC compliant.
    • Most Exchange Admins configure their servers correctly to NOT send TNEF encoded mails to recipients on the internet.
    • S/MIME signed emails will not be converted unless the Domino administrator forces the digital signature to be broken by using the Notes.ini variable TNEFBreakSMIME=1

    How to handle the problem:
    • Catch all mails with Content-Type: application/ms-tnef before they arrive at the Domino server
      Return a message to the sender telling them that they should disable sending mails in TNEF format. Refer them to http://support.microsoft.com/KB/138053 for further instructions
    • Enable TNEFEnableConversion=1
      Why take this risk?? Simply because your users will be frustrated getting mails with "winmail.dat" attachments.
    • Do not use TNEFBreakSMIME=1
      Because security warnings that users get used to ignoring are even worse
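The first bullet, catching TNEF mail before it reaches Domino, comes down to inspecting the MIME structure of each inbound message. The following Python sketch is an added example, not code from the post or from any gateway product: it flags TNEF parts by content type or by the TNEF stream signature (so an "att00001.dat" sent as application/octet-stream is caught too) and notes whether the part sits inside a clear-signed S/MIME message. The sample messages, the verdict names and the ACTIONS wording are constructed for this example.

```python
from email import message_from_bytes, policy

# Content type quoted in the post, plus the IANA-registered name (added here).
TNEF_TYPES = {"application/ms-tnef", "application/vnd.ms-tnef"}
# A TNEF stream starts with the signature 0x223E9F78, stored little-endian.
TNEF_MAGIC = bytes.fromhex("789f3e22")

# Handling per verdict, following the post's list (wording is this example's).
ACTIONS = {
    "clean": "deliver",
    "tnef": "notify sender; TNEFEnableConversion=1 may convert it",
    "tnef-in-signed": "notify sender; converting needs TNEFBreakSMIME=1",
}


def _scan(part, in_signed, hits):
    """Depth-first walk that remembers whether we are under multipart/signed."""
    ctype = part.get_content_type()
    in_signed = in_signed or ctype == "multipart/signed"
    if part.is_multipart():
        for sub in part.get_payload():
            _scan(sub, in_signed, hits)
        return
    body = part.get_payload(decode=True) or b""
    if ctype in TNEF_TYPES or body.startswith(TNEF_MAGIC):
        hits.append({"name": part.get_filename() or "", "type": ctype,
                     "signed": in_signed})


def classify(raw):
    """Return verdict, suggested action and TNEF parts for a raw message.

    Opaque S/MIME (application/pkcs7-mime) is not unpacked here.
    """
    hits = []
    _scan(message_from_bytes(raw, policy=policy.default), False, hits)
    if not hits:
        verdict = "clean"
    elif any(h["signed"] for h in hits):
        verdict = "tnef-in-signed"
    else:
        verdict = "tnef"
    return {"verdict": verdict, "action": ACTIONS[verdict], "parts": hits}


# Constructed sample messages (not real mail).
SAMPLE_TNEF = b"""\
From: sender@example.com
Content-Type: multipart/mixed; boundary="m1"

--m1
Content-Type: text/plain

hello
--m1
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: base64

eJ8+IgAAAAA=
--m1--
"""
SAMPLE_SIGNED = (
    b'Content-Type: multipart/signed; boundary="s1";\n'
    b' protocol="application/pkcs7-signature"\n\n--s1\n'
    + SAMPLE_TNEF.replace(b"application/ms-tnef", b"application/octet-stream")
                 .replace(b"winmail.dat", b"att00001.dat")
    + b"--s1\nContent-Type: application/pkcs7-signature\n\nAAAA\n--s1--\n")
SAMPLE_CLEAN = b"From: sender@example.com\nContent-Type: text/plain\n\nhello\n"
```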

    How many users a single Domino server can handle???- 5 December 2011 - (0) Comments

    Thomas Hampel
     5 December 2011

    In the past a lot of server.load tests have been done to "prove" that Domino can handle a certain number of users.
    As you can imagine, a simulation does not really reflect what a real user can do, especially not the wide range of different actions.


    So let's take a look at a production environment... this environment is based on Domino 8.5.2 - 64Bit running on AIX.


    It shows a peak of 10040 users within just one Domino partition. This statistic doesn't say whether users were happy with the response time of the server at peak workload times, which of course is something that can be figured out. However, the statistic shows that Domino can handle the workload when enough I/O capacity is available.

    I'm not able to share more technical details, but what I can say is that CPU and memory utilization were high but were not reaching limits.
    Thomas Hampel, All rights reserved.