Thomas Hampel

 1 December 2023
Hi Folks,

the new version 1.2.1 of the Domino License Analysis Utility (DLAU) has just been published.
The tool allows customers to analyze their current environment to identify the license needs.

The new version addresses a number of issues ad improvement requests customers had reported, here's a short list:

What's New ?

• Added support for scanning Directory Assistance on all servers in the environment.

Idea Domino-I-2499 - The Customer Name, HCL Customer, etc. can now be stored in a configuration document

Added the ability to output logging to the status bar to give the scanner an improved experience to understand progress.
Set DLAU_VERBOSE_MODE=1 in the Notes.INI before beginning the scan.

Version of DLAU is now included in the printable report as well as it is stored on the results of each scan to see how scans change over releases.

Addressing an issue when Domino is used as LDAP server

Fixed Issue #54 - Logging improvements have additional spaces around each functional area of scanning for visual improvements.

Fixed Issue #34 - Export CCB Users does not provide content

Fixed Issue #39 - Clicking on “Deny Access Users” opens the view “dagroups” instead of “UserInfo”

Fixed Issue #41 - Issues with Directory Catalog not in root directory

Fixed Issue #46 - Bug when DA is not trusted for credentials

Fixed Issue #47 - External (CCX) Users Who are not listed in Entitlement Tracking are being recognized as CCB Users

Fixed an issue when Clicking on the pop-up help does not work and is missing in certain situations.

Fixed an issue when the UI shifts when selecting an entry in the “Observations” field on the results page if there is a value that is too long
For more details and to download the latest version see
https://opensource.hcltechsw.com/domino-license-analysis-utility-DLAU/

PS: As mentioned in our privacy statement, the tool performs all activity in your environment with no data being sent back to HCL without your explicit consent.

Thomas Hampel

 13 October 2023
The short answer: No!

Background:
On January 23, 2023, Oracle announced (again) yet another new licensing model for Oracle Java that represents a dramatic price increase for large organizations.
This can lead to interesting discussions since e.g., a 40,000-employee organization could be asked spending USD $2.5M annually just on Oracle Java alone.

What Java version is used by Notes and Domino?
Notes and Domino are providing the Java runtime as part of the product, so customers do NOT need to download or install the Java runtime environment separately.
Since the JVM/JDK is part of the licensed product, it is covered under the product license of HCL or previously the product license of IBM.

With the acquisition of the product by HCL, dependencies to IBM Java were removed and got replaced with OpenJDK effectively in version 11.0.0 of HCL Notes/Domino.
Java updates are provided by HCL (and previously by IBM) typically as part of regular fix packs.

Here is a simplified overview of what Java version is used in the product:

Notes/Domino	Java Version	Java Vendor	JVM	Remarks
14.0.x	17 LTS	IBM Semeru	OpenJ9	Open Edition
12.0.x	8	AdoptOpenJDK, later IBM Semeru	OpenJ9	renamed to Adoptium
11.0.x	8	AdoptOpenJDK, later IBM Semeru	OpenJ9	renamed to Adoptium
10.0.x	8	IBM	IBM J9	see IBM FAQ
9.0.1	8	IBM	IBM J9	see IBM FAQ
9.0.0	6	IBM	IBM J9

a more comprehensive overview of which Java flavour and patchlevel is included in which release of Domino is provided later on in this blog post.

For details, please refer to

• For HCL Notes/Domino version 11 and later: KB0037886 - What is the impact to JVM support in Notes/Domino with Oracle's announcement to charge?
• For IBM Notes/Domino version 9 and 10: IBM FAQ to Oracle’s Java Products Commercial Licensing
• AdoptOpenJDK statement on Oracle's support announcement

Special cases and exceptions?

• MacOS : old versions of the IBM Notes Client before(!) 9.0.1 IF17 did not include any Java runtime. Customers may have manually installed a JVM, e.g. the Oracle runtime.
  Starting with Notes Client 9.0.1 IF17 the product includes the IBM Java runtime. Customers are encouraged to upgrade to a more current version of the HCL Notes Client for MacOS.
• IBMi (=iSeries) : HCL Domino will use the version provided by the platform.
• HCL Client for Application Access (HCAA), formerly known as IBM Client for Application Access (ICAA), does not provide a Java VM, it uses a JVM that you choose to install yourself.
  Only for acessing Domino applications that are running Java code >in< the HCAA client, a JVM needs to be provided.

What about Nomad, Verse, Enterprise Integrator, SAP Connector, etc?
These products are addons to Domino and unless otherwise specified they leverage the JVM provided by Domino.

IBM? OpenJDK? Semeru? Adoptium? Eclipse? - Are you confused as well?
It's not easy to even get a basic understanding of the various project names, forks, branches and takeovers, but I'll try providing a short intro without covering the entire history of Java nor what Java itself is.
In the context of Notes and Domino, this is what you need to know:

• OpenJDK is a free and open-source implementation of the Java Platform, Standard Edition (Java SE), it is a Java Development Kit (JDK)
• OpenJ9 is a java virtual machine (JVM), contributed to the Eclipse project by IBM
• AdoptOpenJDK was a project for producing vendor neutral builds of OpenJDK
• AdoptOpenJDK merged into Eclipse Adoptium, to provide a prebuilt OpenJDK, that release is now named Temurin
  With this move, Adoptium is, according to them, is not allowed to release OpenJ9-based or GraalVM-based runtimes
• IBM comes to the rescue and provides OpenJ9 builds at no charge as the IBM Semeru runtime which includes the OpenJ9 Java VM
• IBM Semeru comes in two flavours:
  a) IBM Semeru Runtime Open Edition, which is open source (GPLv2) licensed and is not TCK (Technology Compatibility Kit) certified
  b) IBM Semeru Runtime Certified Edition, which is Java TCK-certified
• Former "IBM Java" has been moved into IBM Semeru Runtime Certified Edition at Java version 11
• HCL Notes and Domino are using IBM Semeru Open Edition.

For better understanding of the above, here is a chart that explains:

As outlined above, HCL Notes and Domino is embedding IBM Semeru and does not use any Oracle Java.

Table: Java versions is used by Notes and Domino
Source: KB0037886 - What is the impact to JVM support in Notes/Domino with Oracle's announcement to charge?

Notes/Domino Version		Java Runtime Vendor	Java Version
V12	12.0.2 Fix Pack 2	IBM Semeru Runtime Open Edition 8	Semeru jdk8u372-b07
	12.0.2 Fix Pack 1		Semeru jdk8u362-b09
	12.0.2	AdoptOpenJDK 8	OpenJDK jdk8u345-b01
	12.0.1 Fix Pack 1		OpenJDK jdk8u312-b07
	12.0.1		OpenJDK jdk8u302-b08
	12.0.0		OpenJDK jdk8u282-b08
V11	11.0.1 Fix Pack 8		OpenJDK jdk8u372-b07
	11.0.1 Fix Pack 7		OpenJDK jdk8u352-b08
	11.0.1 Fix Pack 6		OpenJDK jdk8u332-b09
	11.0.1 Fix Pack 5		OpenJDK jdk8u312-b07
	11.0.1 Fix Pack 4		OpenJDK jdk8u302-b08
	11.0.1 Fix Pack 3		OpenJDK jdk8u282-b08
	11.0.1 Fix Pack 2		OpenJDK jdk8u265-b01
	11.0.1 Fix Pack 1		OpenJDK jdk8u252-b09 tzdata 2020a
	11.0.1		OpenJDK jdk8u242-b08 tzdata2019c
	11.0.0		OpenJDK jdk8u222-b10
V10	10.0.1 FP8	IBM Java 8	IBM Java 8.0 SR7FP6_tzdata2022a
	10.0.1 FP7		IBM Java 8.0 SR6FP25_tzdata2021a
	10.0.1 FP6		IBM Java 8.0 SR6FP10_tzdata2020a
	10.0.1 FP5		IBM Java 8.0 SR6FP5_tzdata2019c
	10.0.1 FP4		IBM Java 8.0 SR5FP40_tzdata2019c
	10.0.1		IBM Java 8.0 SR5FP21
	10.0.0		IBM Java 8.0 SR5FP16ifix
V9	9.0.1 Fix Pack 10 Interim Fix		IBM Java 8.0 SR6FP25
	9.0.1 Fix Pack 10		IBM Java 8.0 SR5FP21 tzdata2018e
	9.0.1 Fix Pack 9		IBM Java 8.0 SR4FP5
	9.0.1 Fix Pack 8		IBM Java 8.0 SR3FP12
	9.0.1 Fix Pack 7	IBM Java 6	IBM Java 6.0 SF16FP30
	9.0.1 Fix Pack 6		IBM Java 6.0 SF16FP20
	9.0.1 Fix Pack 5		IBM Java 6.0 SF16FP15
	9.0.1 Fix Pack 4		IBM Java 6.0 SR16FP4
	9.0.1 Fix Pack 3		IBM Java 6.0 SR16FP2
	9.0.1 Fix Pack 2		IBM Java 6.0 SR16
	9.0.1 Fix Pack 1		IBM Java 6.0 SR15FP1
	9.0.1		IBM Java 6.0 SR14 + ifix
	9.0.0		IBM Java 6.0 SR12+ ifix

Remarks:
IBM SDK, Java Technology Edition, Version 6 has reached end of life, see https://www.ibm.com/support/pages/java-sdk-downloads-version-60

How to check which Java version is used?
From the program directory of the Notes client or Domino server:

cd jvm/bin
./java -version

Example:
Checking the Java version used by the HCL Notes Client 14.0 (Early Access version) on Windows:

C:\Program Files\HCL\Notes>cd jvm/bin

C:\Program Files\HCL\Notes\jvm\bin>java -version
openjdk 17.0.4.1 2022-08-12
IBM Semeru Runtime Open Edition 17.0.4.1 (build 17.0.4.1+1)
Eclipse OpenJ9 VM 17.0.4.1 (build openj9-0.33.1, JRE 17 Windows 7 amd64-64-Bit
Compressed References 20220812_237 (JIT enabled, AOT enabled)
OpenJ9   - 1d9d16830
OMR      - b58aa2708
JCL      - 1f4d354e654 based on jdk-17.0.4.1+1)

References:

• AdoptOpenJDK statement on Oracle's support announcement
• KB0037886 - What is the impact to JVM support in Notes/Domino with Oracle's announcement to charge?
• IBM FAQ to Oracle’s Java Products Commercial Licensing
• KB0073999 - Interim Fixes & JVM patches for 9.0.1.x versions of IBM Notes/Domino & add-ons
• IBM Semeru Runtime vulnerabilities

Finally:
I hope this brief explanation will help to better understand the usage of Java in our product and provides you with enough of a justification to upgrade to the most current version of HCL Notes and Domino.
so upgrade NOW !

Thomas Hampel

 13 September 2023
Good News for Domino customers running on IBMi hardware!


as of today HCL Domino 12.0.2 is offiically supported to run on IBMi 7.5 on Power 10 hardware.

Compatibility testing took longer than expected but has now finished successfully, so you can now go ahead and plan your ugprade projects.
Please note that customers are recommended to use FixPack 2 for Domino 12.0.2 as this Fix Pack is addressing some IBMi specific updates


References:
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0101447

Thomas Hampel

 11 September 2023


Hallo HCL & DNUG Community Berlin!

auf vielfachen Wunsch möchten wir euch in heissen Zeiten nicht schwitzen lassen und laden euch zu einem echten Community-Meeting, vor Ort in Berlin ein.
Es gibt Neuigkeiten rund um die HCL Produkte, einen Ausblick auf Domino V14 und live Demo's die noch niemals vorher gezeigt wurden.
Mit kühlen Getränken, Essen und Guter Laune verbringen wir den weiteren Abend mit Gesprächen und Fragen rund um die HCL Produktfamilie.

Jeder Teilnehmer ist natürlich Herzlich Willkommen!


Wir bieten:

• HCL Software News (Thomas Hampel)

What's New in Domino V14 - eine Vorschauf auf Coole Features in der nächsten Version.

Wann?
Donnerstag, 21. Sept 2023
Zeit : 18:00 bis ...

Wo?
Paulaner im Spreebogen
Alt-Moabit 98
10559 Berlin
https://paulaner-im-spreebogen.de/

Anmeldung?
https://dnug.de/events/stammtische/berlin/

Thomas Hampel

 20 April 2023
IBM XForce is well known for the quality of their research - however this time I'm wondering about the publication.
They discovered and analyzed a new type of malware (so far so good) and they named it ... "Domino"

Don't Panic!
HCL already published this technote to clarify that this is unrelated to the HCL Domino product and has requested IBM Security X-Force to correct this unfortunate use of HCLSoftware’s registered and licensed product name.

Update!
IBM updated their article and have renamed the malware - it is now called "Minodo"

In short:
1. There is no backdoor in HCL Domino
2. The new malware which IBM has discovered has NOTHING to do with HCL Domino.
3. This malware does NOT affect HCL Domino


Reference:
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0104503
https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor/

Thomas Hampel

 18 April 2023
Hey Domino Administrators out there,

HCL is looking for your input regarding how you are managing your environment.
Can you please help by answering this small survey?

It is completely anonymous and consists of a few questions to gather information on how Domino is used and how software updates are handled by Domino customers.
It should take less than 3min. to complete.

If you are managing more than one Domino environment please submit a survey for each one.

https://hclsw.co/domino-admin-survey

Thomas Hampel

 17 April 2023
HCL just released Fix Pack 1 for HCL Notes/Domino 12.0.2
More details of what has been fixed are provided in the Release Notes or if you prefer reading the classic Fix List Database style see this => Notes/Domino Fix List

Before installing this update, please verify the system requirements:

• HCL Notes 12.0.2 and 12.0.2 Fix Pack 1 System Requirements
• HCL Domino 12.0.2 and 12.0.2 Fix Pack 1 System Requirements

The following kits/packages are now available for download on Flexnet for entitled customers:

Notes Client
HCL Notes 12.0.2FP1 Basic Configuration for Windows English 32-bit
HCL Notes 12.0.2FP1 for Windows 32-bit
HCL Notes 12.0.2FP1 for Windows 64-bit
HCL Notes 12.0.2FP1 for Mac 64 bit

Domino Server
HCL Domino Server 12.0.2FP1 for Windows 64bit
HCL Domino Server 12.0.2FP1 for AIX
HCL Domino Server 12.0.2FP1 for Linux
HCL Domino Server 12.0.2FP1 IBMi
HCL Domino 12.0.2FP1 Docker image

Thomas Hampel

 21 March 2023


Some time ago I've done a demo running Domino on a QNAP network attached storage device.
Thanks to Docker and the Domino Container project which Daniel and I are maintaining, running a fully a featured Domino environment incl. Verse, Nomad, Rest API, Traveler and Leap is not a problem even on entry level hardware.

Datails and step-by-step instructions have been published here in the Domino container project documentation.
Enjoy reading!

Thomas Hampel

 22 February 2023
Recently a customer approached me with a request for help. I'd like to briefly share the story here because it was an interesting case.

On a Friday, the Domino team noticed severe problems with loading attachments, users reported they are no longer able to open attachments.
It seems like no single DAOS object can be opened anymore by the server.
Domino servers are reporting: Error 0x80070780: The file cannot be acessed by the system.

Checking the DAOS repository on the Domino server's disk revealed those files are displaying with a file size of XX MByte but actually have a size of ZERO BYTES (!!!)


Potential cause? Maybe a broken hard disc or filesystem? People even assumed Domino itself would be responsible for destroying DAOS objects on disk.

To mitigate the issue, a full restore of all DAOS objects was initaited which took a couple of hours. Afterwards it seemed the situation was resolved.
However just one day later the same problem appeared. All DAOS objects again had a size of 0 byte again with millions of DAOS objects being affected.

Root cause:
It turned out the backup software ( Commvault ) was misconfigured - instead of taking a backup of DAOS objects it was configured for >archiving< them.
Archiving in this case means that files will be moved to the backup environment but a 0 byte place holder will remain.
One could claim the user interface of Commvault backup easily allows for clicking the wrong option as both of them are listed next to each other.
There is no visible difference between the configuration screens later on, so unfortunately it was a human error/mistake to click on the wrong option.


Solution:
Initiate a restore job of files that were archived to the commvault envioronment.
https://documentation.commvault.com/v11/essential/134649_restoring_archived_data.html

Lessons learned:
Dont blame the top level application for a failure just because it is most impacted.
Open a support ticket at HCL and work together as a team to investigate and resolve the issue.

Thomas Hampel

 2 September 2021
Again: good news for developers and partners out there who work on plugins and extensions for Domino.
We just published the V12 version of the C API Toolkit for Domino and Notes:

Interesting side note: after 7 years without any new release, HCL published two major releases of the toolkit just in one year.

This new version provides a number of new API calls and -as promosed- provides the make files and MSVS project files developers were looking for.
You can find the new V12 C API Toolkit in the Domino V12 server product category on Flexnet Downloads



Reference:

• Flexnet Downloads
• Ulrlich Krause - CAPI SDK 11.0.1 for HCL Notes / Domino released

Thomas Hampel

 16 August 2021
Good news: HCL Notes 11.0.1 is now available in even more languages!

You asked for it (see DOMINO-I-831 and NTS-I-842), so in addition to the 16 languages the Notes client was already providing, HCL is delivering nine more language translations:

• Danish
• Finnish
• Norwegian
• Catalan
• Hebrew
• Hungarian
• Slovenian
• Thai
• Turkish

Install kits for the HCL Notes Standard and Basic Client V11.0.1 in those languages can be found at Flexnet under the Notes/Domino version 11.0.1.



Multilingual User Interface (MUI) kits for those languages, as well as the Install Shield Tuner files to customize your installation are also provided:



References:

• HCL software download / Flexnet
  https://hclsoftware.flexnetoperations.com/flexnet/operationsportal/startPage.do

Thomas Hampel

 8 February 2021
Good news for developers and partners out there who work on plugins and extensions for Domino.
We just published a new version of the C API Toolkit, actually the first new version since more than 7 years.

This is the first HCL shipment of the C API and it signals an ongoing commitment to revamp the C API delopment story,
it now supports building applications using the GUI environment for Visual Studio 2017.

However, as Ulrich Krause already highlighted in his blog it does contain just a very few new API calls yet, also make files were removed because they did not work anymore.
HCL's development team is working on a V12 version of the C API Toolkit that will be providing make files and MSVS project files again. This version 12 will be provided after Domino V12 has shipped.

You can find the current/updated C API Toolkit in the Domino server product category on Flexnet Downloads




Reference:

• Flexnet Downloads
• Ulrlich Krause - CAPI SDK 11.0.1 for HCL Notes / Domino released

Thomas Hampel

 1 February 2021
Recently we have announced the beta launch of HCL Domino V12 which is available to all current customers.
While for a customer the download is easy to find, partners have to navigate along the entitlement tree to find it.

So for reference here is how an HCL Partner can locate the download packages:

1. Login to Flexnet
2. Click on "List all entitlements"
3. In the top right corner of the list, search by Product contains 'collab' as shown in the screenshot below.
4. Find the product bundle "HCL Bundle Mail & Social Collaboration", make sure the entitlement has not expired and click the "Download Now" button




5. In this bundle, click the package"Notes/Domino 12.0 Beta 1"


6. ...and find the downloads you are looking for, including the Notes Client in 16 local language versions, the Domino installer for AIX, Linux and Windows, as well as the V12 Domino Docker image.


It also needs to be noted that the Domino on Docker community project added support for V12 in the develop branch

Happy testing !

References:

• Post your feedback to the Domino V12 Beta Forum
• Ideas for new features should be posted to https://domino-ideas.hcltechsw.com/
• HCL Domino V12 Beta Launch blog post

Thomas Hampel

 13 October 2020
Last month we have introduced the HCL Domino V12 Early Access Program, in which we are providing customers the chance to test new product features early in the development cycle.
Our engaged development team has provided a new code drop (named "October 2020") which is available now for download at Flexnet to all current customers.
This code drop provides a number of very interesting features that our dev team wants to have YOUR feedback on:


What is being provided in this release

Time-based one-time password (TOTP) authentication
When users log on to a Domino Web server, you can now require that they provide time-based one-time passwords in addition to their user names and passwords.
These one-time passwords are generated by authenticator apps like Authy, Google Authenticator or similar.

DAOS Version 2
DAOS Version 2 (DAOSV2) is a new version of DAOS that provides a more reliable way of tracking DAOS objects on a server.

Certificate management improvements
A number of enhancements and improvements related to certificate management are provided:

• Disable TLS 1.0 by default now
• Support for PEM-file format, in additon to *.kyr file format
  (Note: This feature is intended as a test bed for future work supporting PEM-formatted keys and certificates )
• Support for using CertMgr to import third-party CA keys and certificates - based on this idea (Thanks Martin!)
• Support for replacing keys generated by the Let's Encrypt CA

Domino directory enhancements
The number of improvements around the Domino directory design (pubnames.ntf) to improve usability for administrators. Some of which were long standing requests - if you like what you see, please vote for the idea(s)s referenced below

• Mail-In Databases and Resources view - based on your input from this idea (Thanks Michael!)
  The Mail-In Databases and Resources view now displays the internet addresses of mail-in databases that have them and also includes a Go to Database button to open mail-in databases from the view.
• Custom criteria to populate groups - based on your input in this idea (Thanks Vladislav!)
  When you create a group in the Domino directory, you can now populate the members of the group based on an LDAP search query.
• HEX codes displayed for TLS ciphers - based on this idea (Thanks Torsten!)
  As a convenience to administrators, HEX codes are shown next to the symbolic names for the TLS ciphers that can be selected in various fields in the Domino directory.
• Applets no longer used - based on your input from this idea (Thanks Bill !)
  Applets are not longer used to display the navigational outline of the Domino Directory or action buttons such as Add Person.
• Button to see all Configuration Settings documents associated with a server
  From an open Server document you can click the Find Server Config button to see all of the Configuration Settings documents associated with the server.
• Button to find all groups a users belongs to  - based on your input from this idea (Thanks Christian!)
  From an open Person document you can click the Find Groups button to see all of the groups that a user belongs to, including groups they are members of through other groups.
• Lists of notes.ini settings sorted alphabetically - based on your input from this idea (Thanks Jesper!)
  Lists of notes.ini settings are shown in alphabetical order wherever they occcur in the Domino directory.
• Explicitly select the methods to use in Web Site documents
  For improved security, administrators now explicitly select the HTTP methods to enable in Web Site documents.
• Older security options are no longer selectable
  630-bit and 512-bit public key options are no longer available to apply to Notes IDs. The "4.6 or greater" password verification option is no longer available to apply for internet password strength.

New LotusScript & Java Methods for developers - also based on your input from this idea (Thanks Michael!)
...to support transaction based operations in LS and Java.

Furthermore I need to mention those features that were provided in the previous release (September 2020)

• Database Quota Settings are now replicating - which is implementing this idea (Thanks Roland!)
• New certificate management features
• AES-128 encryption used for DAOS objects
• Formula Language in DQL search terms
• New template signing ID uses 2048-bit keys

We are looking for YOUR feedback on the features provided above, so please:
1. Start testing the Early Access Code - details on how to get started can be found here
2. Vote for the ideas referenced or leave a comment
3. Join the discussion and provide feedback in our forum here.  

References:

• Blog post : Introducing HCL Domino Early Access Program  
• Documentation : Early Access Program  
• DNUG47online Presentation : Fast Forward

Thomas Hampel

 29 September 2020
For those of you who have not yet upgraded to V11 but are running Notes/Domino V10.0.1 we have just released a new Fix Pack.
Fix Pack 6 for 10.0.1 is the latest update and HCL strongly recommends that customers running Notes/Domino 10.0.1 to apply this Fix Pack since it addresses a small percentage of defects that impact the broadest set of customers.

More details of what has been fixed are provided here => Notes/Domino 10.0.1 Fix Pack 6 Release Notice and Fix List or if you prefer reading the classic Fix List Database style see this => Notes/Domino Fix List

also please verify the system requirements:

• Notes 10.0.1 Fix Pack 6 System Requirements
• Domino 10.0.1 Fix Pack 6 System Requirements

Finally the following kits/packages are now available for download on Flexnet for entitled customers:

Notes Client
HCL Notes v10.0.1 FP6 Basic Configuration for Windows English
HCL Notes v10.0.1 FP6 Windows English
HCL Notes v10.0.1 FP6 Mac 64 bit English

Domino Server
HCL Domino Server v10.0.1 FP6 64 bit for Windows English
HCL Domino Server v10.0.1 FP6 64 bit for AIX English
HCL Domino Server v10.0.1 FP6 64 bit for Linux English
HCL Domino Server v10.0.1 FP6 for IBM i

Client for Application Access
IBM Client Application Access v2.0.5 Windows English
IBM Client Application Access v2.0.5 Mac English

Thomas Hampel

 3 August 2019
Two weeks ago at the the HCL Factory Tour #3 we've shown the (possibly) smallest Domino server ever built.
With just 47,88 ccm (6,3 x 9,5 x 0,8 cm) it is just a little bigger than a credit card and small enough to fit your pocket. Also, for those of you who remember, it's much smaller than the Lotus Foundations box which Mike Rhodin introduced at Lotusphere 2008.
Thanks to Panagenda we also were able to show that you can run Domino off the grid.

What kind of hardware is this based on?
It is Zotac Pi 225 pico, a mini PC fully equiped with CPU, memory and storage, all combined in a case that is passively cooled.
The case itself looks like a thin 2,5" HDD - but thinner (for US folks : 3.76 x 2.48 x 0.31 inches )


Compared to the well known Raspberry Pi, this Zotac device is actually smaller (thinner) because it does not expose an ethernet port.


It weights less than 500g and is hardware specs looked promissing: Intel N3350 dual-core CPU (x86 compatible!), 4GB RAM, 32GB internal storage (expandable via microSD card), Intel HD Graphics 500,
Furthermore it provides two USB 3.0 Type-C Ports for connecting keyboard, HDMI an ethernet adapter. It also provides an internal 802.11ac Wi-Fi antenna, which I want use for creating a WiFi Hotspot later on.
You can find it here on Amazon for approx. €150

Stage 1 - Installing Linux
Zotac comes preinstalled with Windows 10 - an operating system which beside being clunky is not supported for running Domino.
Of course my idea was to install Domino on Linux. As you know IBM/HCL is supporting to run Domino on SuSE or Redhat Linux and also fully supporting CentOS since last year.
After spending a few hours with CentOS I had to learn by hard that it can not simply be installed on this Zotac device because it is missing support for this specific Intel Atom CPU.
The installation caused errors and booting it took several hours before it finally failed.

Plan B:
Switch to Ubuntu 18.04.2 LTS (alternative installer!) which installs without problems from a USB stick.

Stage 2 - Linux tuning
Although the installation itself completed in a few minutes there still are some errors when booting up.
Most annoying this one: systemd-gpt-auto-generator: Failed to dissect: Input/output error. which is caused by the device using an internal MMC card as disk storage.

To fix this error we have to modify the kernel boot parameters as follows:

sudo nano /etc/default/grub

add a parameter to the line "GRUB_CMDLINE_LINUX_DEFAULT"

GRUB_CMDLINE_LINUX_DEFAULT="systemd.gpt_auto=0"

After saving changes we need to tell grub to update the bootloader using

sudo update-grub

Stage 3 - Install Docker
We could have installed Domino natively on Linux but why wasting time if we can also run Domino on Docker.
Installation of Docker on Ubuntu Linux is staight forward

sudo apt-get install docker-ce

To avoid having to type 'sudo' every time you run the docker command, just add your username to the docker group.

sudo usermod -aG docker ${USER}

For changes to take effect, log off and log on again.


Stage 4 - Create Domino Image for Docker
In order to run Domino in Docker I'm using my (more powerful) MacBook and this Github repo to build a docker image.
All that needs to be done is...
- clone the repository (or download and extract the zip file) to a directory of your choice.
- Add the Domino Linux installation package + FP2 package into the subfolder "software"
- run "./build domino"
A few minutes later you'll have a perfect Domino image to work with...


Now we need to export this image by turning it into a tar file using this command:

docker image save -o domino1001fp2.tar ibmcom/domino:10.0.1FP2

Copy the resulting file "domino1001fp2.tar" to a USB stick

Stage 5 - Import Docker Image
Attach the USB stick to the Zotac device and copy the file  "domino1001fp2.tar" to a directory of your choice, e.g. /tmp
Then import the image using the command:

docker image load -i domino1001fp2.tar

Verify results using the command docker image ls - you should now have one image listed.

in case any TAGs are missing, add them using

docker image tag ibmcom/domino:10.0.1FP2
docker image tag ibmcom/domino:latest

Stage 6 - Run Domino and Enjoy
Finally running Domino in this configuration is a piece of cake:
At first create a persistent volume - this is required because we would like to preserve our data directory in case the container is being restarted or recreated.

docker volume create dominodata

then spin up a (new) Domino server with a name of your choice.

docker run -it -d -e "ServerName=Zotac" -e "AdminPassword=passw0rd" -p 1352:1352 -p 80:80 -p 443:443 -v dominodata:/local/notesdata --cap-add=SYS_PTRACE --name domino ibmcom/domino:10.0.1FP2

Without supplying a config file, this image will not start the HTTP task by default, so we need to open a shell into the container

docker exec -it domino /bin/bash

and from within the container then run "domino monitor" to access the server console to launch the http task using "load http"

Browsing to http:// will now show up this well known homepage.

For more information on how to work with Domino in Docker please refer to this documentation ( Thanks Roberto ! )

Finall word of warning:
Certainly this Zotac device produces some heat, so running a Domino server in your trousers will for sure turn them into hot pants for geeks - so please be careful !

Further ideas & todo:
- I have not done any stress testing, so please dont ask me how many users this device is going to support in production
- Enabling the embedded WiFi antenna and turning it into a WiFi hotspot would make a cool demo
- Zotac Pi 225 is not the smallest device that can run Domino -- I have some more ideas but getting hold of the hardware is more complicated, stay tuned for more :)

References:
- Zotac Pi 225 nano on Amazon
- Domino on Docker
- Domino on Docker Management Script
- Mike Rhodin announcing Lotus Foundations

Thomas Hampel

 23 July 2019
Domino on Docker Project Updates
Daniel and me are working on the Domino on Docker project which has been around for a while. We are constantly updating it with more functionality.
Beside the main functionality of providing an automated installation we have a management script that can help to build custom Domino docker images for (e.g.) including applications.
We are working on making the resulting image more flexible. The first version allowed only to automatically setup a first server in a new Domain, but customers already have an environment and either want to setup an additional server in an existing domain or at least have a cross certified environment.

Whats new:
1. Additional server setup
You can now specify an existing server.id and existing server to get the system databases from. You still need to register the second server.id manually in your Domino Directory, however the ID file does not need to be copied anymore.
Just specify the environment variable ServerIDfile to point to a location (local or http/https) from where the server.id file can be downloaded and the container startup routine will take care of automatically setting up your second server.

2. Add your own data into a container at initial startup
The big challenge is how to bring in data into a new container automatically. Distributing server.id files, templates, or even full applications.
We looked at different approaches which included "Docker secrets", shared volumes and other options.
For improving flexibility we decided to use configurable http/https download links which can be used to download a server.id or an additional data-directory.zip which is automatically expanded at first server start.
This would be for example a way for business partners to deploy their software on top of the image. Or for a customer to deploy their applications or specific adoptions.
All you have to do is to specify an environment variable CustomNotesdataZip (attention, case sensitive!) pointing to a zip file that will be downloaded and extracted into the container at runtime.

3. Scriptable configuration
Now that you have provided your own templates - how do you turn them into an application, how do you change ACLs, or server settings at runtime?
We have added a method to automatically configure a server based on a config JSON file. This can be used to create databases, change groups, change server settings etc.
The configuration is applied before starting up the (new) Domino server for the first time and also allows to sign applications, change the ACL of databases.
...there is even more configuration options to come.

4. More flexible deployment options
In previews versions there was image specific data in the /local directory.
So we moved that data to a separate directory to optionally allow /local to be mapped to a volume instead of having multiple volumes for /local/notesdata, /local/translog and /local/daos.
Mounting /local to a single volume will work fine, but if you want to build a high performance Domino server we are recommending to have separate volumes for those different parts. We even added directories for nif and ft to allow separate volumes for those parts as well.
The Docker volume mapping is comparable to creating mount points. It's about providing most flexibility with best practices in mind.

5. Preparation for new binary location
The project now now includes a new start script version 3.3.0 which is already prepared for changing the program directory default location ( /opt/ibm/domino ) with Domino 11.
The start script and all docker image script files have been prepared to support a different binary location in future. All places in the scripts use standard variables. And we will keep the LOTUS variable to point to the binary location.

Feedback & Future planning
One of the next features will be to allow cross certification with existing IDs. The certifier.id is currently staying on the first installed machine. So the idea is to cross certify a provided safe.id.
This is specially helpful to create test environments. A small servertask will take care of creating cross certifying a safe.id and adding it to the LocalDomainAdmin group.
Another idea is to integrate this functionality into the toolchain which sets up the server, we have not decided yet.
We are looking for your feedback so leave a comment with your suggestions for improvement or create an issue in our domino-docker project

Thomas Hampel

 19 September 2017
According to RFC 2298 http://www.ietf.org/rfc/rfc2298.txt it is recommended to show a dialog box where the recipient of a mail can decide weather or not a return receipt shall be sent back to the originator of the mail. This behavior is not currently part of the Standard IBM Mail template.

To add this feature you have to modify the following design elements:

• Form “Memo”, Event "QueryOpenDocument", added the code shown below
• Form “Reply”, Event "QueryOpenDocument", added the code shown below
• Form “ReplyWithHistory”, Event "QueryOpenDocument", added the code shown below

Insert this code at the end of the QueryOpenDocument event.

Set doc = Source.document
If Source.isNewDoc Then
        '# don' t do anything, as this is a new document
Else
        If doc.GetItemValue("ReturnReceipt")(0) = "1"  And doc.HasItem ("DeliveredDate") Then
                If MessageBox ("The sender of this message has asked to be notified when you read this message." & Chr(13) & "Do you wish to notify the sender?", 36, "Send Return Receipt?") = 7 Then
                        Call doc.ReplaceItemValue ("ReturnReceipt", "0")
                        Call doc.Save(True, False, true)
                End if
        End If
End If

Reference:
http://www.ibm.com/developerworks/lotus/library/ls-BlockRetRec/index.html

Thomas Hampel

 9 March 2017
Note to self:
In case anyone is asking for new features of the Notes/Domino 9.0.1 Feature Pack 8, refer them to this blog post

• What's new in IBM Notes Feature Pack 8
• What's new in IBM Domino 9.0.1 Feature Pack 8
• What's new in IBM Domino Designer Feature Pack 8

and remind them to read Oliver Busse's blog post

Thomas Hampel

 14 February 2017
Based on a recent discussion with a customer it seems there still is not enough information on how to simplify authentication for Notes/Domino users.
This is the second post our of a series of blog posts describing how to move from password based to seamless authentication.
Once you have established LDAP Authentication you can approach the next stage:

Level 2 - Self Service Password Reset Application
Combined with a Self Service Password Request HTTP application (or this fancy one ) users can reset Notes password without the help of an administrator just by using a web browser.
Users must be authenticated in order to reset their own password, but due to the configuration done in level 1 they can use Active Directory credentials to log in.
Once authenitcated a user can just define a new password which is applied immediately in the IDVault. And just seconds later the password can be used to log into the Notes Client.


Pros and Cons
+ Lost/forgotten passwords on a monday morning are no longer your problem. Users can handle this problem alone.
+ You don't need to distribute NotesID passwords for newly created users.
- There still is a NotesID password to remember
- There still is a password prompt every time you start the Notes client and/or every time you open an encrypted mail in iNotes
- The Self Service Password Request HTTP application does not apply any feedback on password quality or strength.

Prerequisites:

• Notes ID Vault has been established and contains the NotesID’s of all users
• User must be authenticated, preferably using Active Directory authentication as described in the previous post level 1
• Custom Password Reset application template,
  Please note the template provided by IBM as part of the Domino server is not officially supported and is provided as example only. See Technote 1330905

Configuration
Setup instructions have already been provided by IBM, so I'm not describing those steps again.
Once completed you should have a functioning PW reset application. However, I would like to highlight a few important details

• The agent and the form needs to be signed with an ID which has IDVault Password Reset authority
• The ACL of this database must have an Administration server defined, the Admin server specified there must be the one that hosts the IDVault.

For improved usability I do recommend a little tuning:

• Create a URL which users can remember, e.g. by creating a web redirect rule
  http://yourserver.domain.com/passwordreset ==> /pwreset.nsf
• Modify the form “fmPasswordReset” to display your corporate password rules, e.g.
  “The new password must have a minimum of 8 characters. It must contain a mixture of lowercase alphabetic, uppercase alphabetic, numbers and special characters. Three of these four conditions must be met.”
• Modify the source code to confirm the password change request has been submitted and to verify if password rules have been followed.
  Without this modification users will not get any feedback if the new password has been applied or not.
  so update the source code of the Form “Password Change” , Sub “OnSubmit” as follows:

• In order to support clustered environments the source code of the agent “User Password Reset” needs to be updated as follows:

Conclusion
Self Service Password Reset application combined with LDAP authentication will eliminate the need to distribute Notes ID passwords to end users.
Administrators can register new NotesID's with completely random passwords that they do not need to remember nor need to distribute to end users.
Notes client setup instructions can be simplified so that end users have to define the password themselfes before they can start Notes for the first time.

References:

• Karl-Henry Martinsson - Free Software – Password Reset for Notes/Domino
• Domino 9.0 - Setting up the sample self-service application to allow ID vault users to reset their Notes passwords
• Domino 8.5 - Setting up the sample self-service application to allow ID vault users to reset their Notes passwords
• Technote 1330905 - Is the sample password reset application supported in a production environment?

Thomas Hampel

 13 February 2017
Based on a recent discussion with a customer it seems there still is not enough information on how to simplify authentication for Notes/Domino users.
This is the first post our of a series of blog posts describing how to move from password based to seamless authentication.

Level 1 – LDAP Authentication
Main goal of this level is to provide users with the ability to authenticate with Domino internet protocols such as HTTP using LDAP (e.g.Active Directory) credentials. The Notes Client authentication remains unchanged.
When using a web browser to access a Domino server, users will be prompted for username and password.
This authentication dialog looks like one of the following examples:

Credentials entered here will be forwarded to Active Directory for authentication.
Within this process username and password will be sent over the network, so it is highly important to secure the transmission using SSL/TLS.

Pros and Cons
+ Lost/forgotten passwords on a monday morning are no longer your problem. The AD guys have to take care :)
+ No need to manage HTTP passwords and no need to sync HTTP and Notes passwords
- All authentication requests will be forwarded to LDAP/AD, entering wrong passwords multiple times -depending on your policy- will lock out your AD account.

Prerequisites:
In order for Active Directory authentication to work, the Notes user name must be stored within Active Directory (or the AD name must be stored in Domino). This is required to map Active Directory user name to a Notes user name.

• Within Active Directory, each user object must have a (custom) attribute storing the Notes User name in DN format. This format is described as the full canonical user name of the Notes user (e.g. “CN=Firstname Lastname,OU=Department,O=Company”) where any slash (“/”) is replaced by a comma (“,”)
• The name of this (custom) attribute of the user object in Active Directory can be any name of your choice, I will be using “mailNickname”, but you can use any other attribute you like.
  This attribute is recommended to be included in the AD Index for performance reasons. For details how to do this, please refer to this article which relates to an older version of AD but is still valid.
• Synchronization from Domino Directory to Active Directory is done on a regular basis, e.g. by using TDI (which is free for Domino customers) with some AssemblyLines for Domino
• A non-expiring Active Directory User account is required that will be used by Domino for Single SignOn purposes.

How to...
reconfigure Domino HTTP authentication to use Active Directory for authentication of browser sessions?
If not already done:

• Import the trusted root certificate of the LDAP server into the key ring file of the Domino server.
  Please note that Domino will be the client for the LDAP session in this case, so the *.kyr file that is being used is the one in the server document!
• Create a Directory Assistence (DA) database
• Add the DA to your Domino server document
  

okay, whats next:

1. Within the Directory Assistance database, add a new document and configure it like shown below:
   
   Of course you are supposed to supply your correct Kerberos realm name. If in doubt, ask your AD admin.
2. Set "Trusted for Credentials" to Yes
   
3. Configure how to connect to the LDAP (­) server.
   
4. Save & close

Now restart the Domino server and check if LDAP is being shown in the list of directories.
Issue the command "Show xdir" at the server console for details.

Troubleshooting:
Apache LDAP Studio is your friend. Make sure your LDAP credentials are correctly working and that your Base DN is providing the expected results before setting up Directory Assistence towards AD.
Some more hints:

• You can specify multiple LDAP servers, they will be used one after the other based on the search order you have supplied
• Search order in the Directory Assistance document must be unique. You can not use the same "Search order" twice.
• Domino will be the client for the LDAP session in this case, so the *.kyr file that is being used is the one in the server document!
  If you are using Internet sites, then Edit the server document, disable internet sites (without saving) and specify the *.kyr file there. When done, switch back to the basics tab and re-enable Internet Sites.
  The file specified will still be used for all outbound connections, the kyr file specified in the internet sites is used for inbound connections only!
  
• Thes Notes.ini variables will increase the log level for further debugging
  debug_directory_assistance=1
  debug_namelookup=1

Result:
When prompted for username/Password you can now use your Active Directory username and AD Password.
Transitioning from Domino HTTP passwords to AD passwords is seamless because users can still use the Domino HTTP password even if LDAP authentication has been configured.
Once the transition is completed you should clear the HTTP password field from the person document.

Thomas Hampel

 9 November 2015
There is a seucrity issue with Domino which allows anybody to gain access without authentication.
Jesper Kiaer wrote about this problem before in his blog post ( Part1 and Part2 ) and also created a video showing the problem.

If the Notes.ini variable HTTPEnableConnectorHeaders is set to 1, an attacker just needs to pass the user name he wants to be within a request header to get unauthorized access to Domino servers.
This notes.ini variable is referenced in the product documentation as well as in this technote for configuring Domino servers behind an IIS reverse proxy.

So there is a good chance that some people have enable this variable in production.
None of the Domino servers I have checked was affected, however I was able to reproduce the findings and can confirm it is working as described even with Domino 9.0.1 with latest fixes installed.

Steps to reproduce

• Add the Notes.ini variable "HTTPEnableConnectorHeaders=1" to the Notes.ini of the Domino server
  Remark: This will make the server insecure.
• Restart the HTTP task
• Use Firefox and install this plugin => https://addons.mozilla.org/en-US/firefox/addon/modify-headers/
• Restart Firefox for the plugin to be initialized
• In Firefox, open the configuration of the new plugin
  
• Add a new header called $WSRU with the desired username / shortname as available in the target environment
  
  Save + Enable the configuration
• Start the Plugin
  
• Navigate to an existing Domino server resource, e.g. https://your-domino-server.your-domain.com/mail/username.nsf

Surprise, surprise... you now have access rights of the user name you have specified in the request header, in my case thats PaulSmith.
Just imagine what can be done when using the name of an administrator...

How to fix it?
Well, as simple as removing the Notes.ini variable in question, using the following two commands at the Domino server console:

Of course you would use a configuration document in production to keep your Notes.ini under control.

References:

• Nevermind.dk - http://nevermind.dk/
• Sean Cull - Apache Proxy for Domino and HTTPEnableConnectorHeaders
• Darren Duke  - If you get page errors after disabling HTTPEnableConnectorHeaders in Domino, try this
• Jesse Gallagher - Domino's Server-Side User Security

Thomas Hampel

 9 August 2015
Summer time, vacation time... You have enabled Out of Office notification, so why would you want to duplicate inbound mails?
Lets say you really are offline and you want your deputy / stand-in to take care of new mails, what options do you have?
In best case we want a deputy to receive a copy of each mail while keeping the original mail in your inbox.

Delegating Access
A first option is delegating access to your mail - this will grant read access to all your data and your deputy wont get notified on new mails.
Another option is to just forward all mails to your deputy by defining a forwarding address in the person document:

This is not a good idea for people who want to see what happened while they were out because mails will just be forwarded. You wont get any mail in your inbox this way.
It might not even be an option as some organizations do not allow users to edit the person document.

Mail Rules
Another option is to use mail rules in your Notes client to send a copy of each inbound mail to somebody else. This can be done by creating a new rule which applies to all documents...

and defining a recipient of your choice --- in this example its "firstname.lastname@domain.com"

Works like a charm, but what if your Administrator has disabled user rules mail forwarding in the configuration document of your server?

...or even took more drastic measures like modifying your mail template to not even show the option "Send Fully Copy to..:" ?

Agents
You could look into writing an agent that runs on the server, but no Domino Admin should allow users to run scheduled agents on the mail server.
So trying to create an agent in your mail file will most likely end up with "You are not authorized to use agents in this database"


Duplicate Mails (with help of your Domino Administrator)
Since you have rewarded your administrator recently for keeping your computers running you'll get friendly support for the following configuratoin:

What you need to do:
1.) Create a Mail-In Database document which points to the mail file of the user who is out of office.
Make sure the Mail-in name is unique and does not resolve name lookup conflicts


2.) Create a Group of type "Mail only",
members of this group will be Mail-in database which has been created above as well as any person who shall receive a copy of the mail(s).
You can define one or multiple recipients using internet mail addresses or Notes user names.


3.) Edit the person document and put the Group name created above to be the forwarding address


4.) Testing
Wait for replication to finish within your Domain and send a test mail to the user.
This mail will be delivered to the original users mail file and also to the deputy(s) defined in the group.

Remarks:
Depending on how you have configured the Recent Contacts feature your Notes client might show the name of the mail-in database in future name lookups.
If this is an issue either purge your recent contacts or disable it completely

References:

• IBM Lotus Notes 8 Recent Contacts and Type-ahead features: FAQs

Thomas Hampel

 23 July 2015
The Mindoo FTP Server project provides an FTP server wrapped into an XPages application. It is based on the Apache FtpServer which runs as OSGi plugin on the server side.
One day a customer reported the FTP server would no longer work. A quick check showed that port 21 does not respond any longer.

Restarting the HTTP task showed a JVM Exception


Checking the OSGI bundles showed the required bundle is not even installed.
> tell http osgi diag com.mindoo.ftp


Analysis
Check the file [DominoData]\domino\workspace\logs\error-log-0.xml for any problems
the very first warning in this file showed that a plugin was not loaded because the signer does not have the required access rights

and further down in the same file:


At the first access rights seemed to be ok, but when looking a little closer I have found the user name does not have access to the server any longer because the Organization was renamed from "OrgEU" to "Org"

Solution (Part1)
The signature which is being used here is not a signature of a design element, it is the content of the Eclipse Update site which still had the old signature referenced. So how are we going to fix this?

• Open the Eclipse UpdateSite and use "Actions\Sign All Content"
  Remark: This will not sign any design elements - it will sign the documents in the application only.
  
• Restart the HTTP task
  
  restart task http
• Watching the server console
  

Running into another problem
Although the FTP Server was running again, it seems like there still was an issue with the XPages application.
Quickly looking into  [DominoData]\domino\workspace\logs\error-log-0.xml showed a well known problem.


Solution (Part2)
Obviously someone did open the Application in Domino Designer without disabling the option to recompile xPages automatically.
So make sure this option is set to "Manually recompile Xpages"


and then open the Mindoo FTP Domino application in Domino Designer and hit "Project\Build Project" in your Designer client.


Testing results

• Opening the Mindoo FTP Application from a browser seems to work
  
• "tell http osgi mftp status" shows that our server is now running on port 21
  
• Opening an FTP connection from a remote client is working fine

Thomas Hampel

 18 June 2015
We all know that Admins are lazy. Being lazy can be helpful when having development skills, especially to reduce the amount of helpdesk calls by automating boring work.
How to import X509 certificates into a Notes ID when the certificate itself is stored in the Windows certificate store?

S/MIME Import / Export Automation
If needed, users can then export or import Internet Certificates directly from the Notes Client, but who wants to do that manually?
Even exporting the certificate from the Notes ID is too complicated for most users...


Looking for an automated way to export Internet Certificates, the pubnames.ntf provides there are some undocumented @Formulas that can be found for working with X509 certificates

• @X509Certificates([Subject];UserCertificate;"");
  Returns the list of subjects of the internet certificates stored in the person document field named "UserCertificate"
• @Command([PKCS12ExportCertsFromNAB];UserCertificate;Certificate;Number;"0")
  Where "Number" is the element in the list returned by @X509Certificates

In my opinion those @Functions still show too many dialog boxes, so lets try to make it more simple.
The C-API documentation provides the functions required namely PKCS12_ExportIDFileToFile and PKCS12_ImportFileToIDFile.

Wrapping both into a small script is easy...

Declare Function PKCS12_ExportIDFileToFile Lib "nnotes" Alias "PKCS12_ExportIDFileToFile" (_
           ByVal pIdFilename As String,_
           ByVal pIdFilepassword As String,_
           ByVal pPKCS12Filename As String,_
           ByVal pPKCS12Filepassword As String,_
           ByVal ExportFlags As Long,_
           ByVal ReservedFlags As Long,_                
           Preserved As Any) As Integer

Declare Function PKCS12_ImportFileToIDFile Lib "nnotes" Alias "PKCS12_ImportFileToIDFile" (_
           ByVal pPKCS12Filename As String,_
           ByVal pPKCS12Filepassword As String,_
           ByVal pIdFilename As String,_
           ByVal pIdFilepassword As String,_
           ByVal ImportFlags As Long,_
           ByVal ReservedFlags As Long,_                
           Preserved As Any) As Integer

Const PKCS12_EXCLUDE_PRIVATEKEYS=&h00000001

Calling those API's would be able to import a certificate from a file, but often the certificate has already been deployed to (e.g.) the Windows certificate store.
It would have been easy to use a Windows API call to export a certificate into a file and then import it again back into the Notes ID using the Notes API calls above.
Unfortunately M$ discontinued support for CAPICOM after Windows XP... so we have to use old school methods like using command line tools like Certutil

still with the resulting functions you can Import and Export X509 certificates from the Windows certificate store to the NotesID and back.

ImportInternetCertificatesFromOSCredentialStore.lss

ExportnternetCertificatesToOSCredentialStore.lss

As usual mind YMMV and feel free to further optimize the code to fit your needs-
Please use at your own risk and report back any suggestions or improvements!

Special Thanks to Marcus Floeser for providing the screenshot.

Thomas Hampel

 3 June 2015
The CA process in Domino is a server task to manage and process certificate requests. It is very helpful if you want support staff to register new users without knowing the password to your Domino Certificate.
As employees join or leave the support team you'll have to add / remove people from the list of Registration Authorities by using "Modify Certifier" from the Administrator Client tools menu.


Granting access for a new team member as usual...


and submitted the request


seemed to be successful


...but according to the log the Domino CA modification request failed with this error:


Root cause
One or more people listed in the first dialog do not have a person document in the Domino Directory or the person document does not have a public key specified.


Solution
First remove users which dont have a corresponding person document, and save + submit the request before adding new names.

Thomas Hampel

 1 June 2015
You are wondering why your beloved Notes widget all of a sudden is no longer available in the Widget catalog?
Of course the administrator of trust did not do anything - so what happened?

Here is a small hint:
Take a quick look into the widget catalog, there is a scheduled agent...


and the brief description
%REM *********************** Agent Notes **************************
This agent checks all new/modified documents to make sure that the
user created the document properly. It checks to make sure the proper
items are in place, and it also verifies that the categories that are
set are allowed by the document creator.

*************************** INTERACTIONS ***************************
There are no interactions with this agent. It is a scheduled agent
that is set to work against new/modified documents.

Conclusion:
If anything, such as AdminP, modified the document then this agent will run. In our case it was an AdminP name change request which caused the document to be modified.

Thomas Hampel

 27 March 2015
Tip of the day:
When running Domino server commands on the operating system of a server, make sure to run the command from a console with Admin access rights, otherwise you'll get this:

PANIC: Unexpected internal error returned to logger: 0x20692010



Reference:
SPR # PALL8WA3Y8

Solution
Open a command prompt by right clicking and selecting "Run as Administrator", then run the command(s) again.

Root cause:
Problem in front of keyboard.

Thomas Hampel

 12 January 2015
Moving mail files from server to server is a simple task, AdminP handles this job properly. It does even work across domains... and it worked perfectly in numerous projects in the past.
Until today when I ran into a problem where the same process 'all of a sudden' (**what else**) caused an error in AdminP - but only for a specific group of destination servers.

After creating the AdminP Move User request (using our internal tools), the AdminP request "Check Mail Server's Access" failed with this error:

Errors:
Title: Domain's Directory Path: Domain's Directory; Name: Admin Lastname/OU/Org;
Error: Both the signer and the author of this request must have Editor access or Author access with the UserModifier role to the Domino Director

Analysis
We checked access rights on both sides... several times....but everything was set up correctly. Even restarting the server (to refresh the name lookup cache) did not change the situation.
Finally after a few chats with my colleagues they indicated it could be related to a problem they had seen before, referencing an old bug ( LO81200 ) and also pointing to a new SPR

SPR # JPAI9FEKCP, fixes a Notes Client issue where if a local NAMELookup cache has been created it is inappropriately being used as opposed to doing the NAMELookup on the remote server. This may result in Notes Client errors indicating insufficient access to perform any number of Notes Client operations such as Admin Client move user or simply signing of databases.

Although the SPR reads like it would apply to Notes Clients only, I can confirm it does apply to Domino Servers as well, at least for that specific AdminP request type "Move User"
We did a few tests and quickly found a workaround, so here is what you can do about it:

Temporary Solution:
Don't use groups to grant the specific access rights.
In our case putting the name of the person who signed the AdminP request >directly< into the ACL of the Names.nsf of the destination server fixed the issue.

This is what the AdminP Move User reuqest should look like before the user authenticates


Permanent Solution
Apply Domino 9.0.1 FixPack2 now or wait for Domino 9.0.2 to be released.

Lessons learned:
1.        Always install the latest version of Domino
Note: The destination server in question is not maintained by our team.
2.        What an awsome team we have :)

References

• SPR # JPAI9FEKCP
• IBM Technote # 1091068 - Steps taken by the Administration Process to move a mail file to a new server
• Download Options for Notes & Domino 9.0.1 Fix Packs

Thomas Hampel

 5 January 2015
Monitoring Domino servers via SNMP should be a simple task, if it would be documented properly.
There are quite a few blog posts out there on the internet such as this nice article by Detev Schuemann which unfortunately is in German.. So I'd like to provide an english translation with a few updates which in my opinion are valuable.

Background
Simple Network Management Protocol (SNMP) is a protocol for monitoring network devices such as routers, switches, servers, printers and much much more.
Vendors of a device are providing a definition of values which can be read or modified in form of a MIB (Management Information Base). Those values are called OIDs (object identifiers) and are ordered in a hierarchical structure.

MIB definitions for Domino can be found online http://www.oidview.com/mibs/334/NOTES-MIB.html
A MIB file for IBM Domino can be found in the Domino program directory and is called "domino.mib"
On a Linux server the file can be found here /opt/ibm/domino/notes/latest/linux/domino.mib

Step-by-step Instructions
For each Domino server which you want to monitor, you need to enable SNMP support, the following is a step by step description of what you need to do for a Domino server on Linux. Instructions for Windows are available here
Examples below are based on CentOS which is using yum as package manager. For other Linux distributions commands are slightly different, also path references shown in the example below might not be the same for you.

Step 1 - SNMP Master Agent
Although Domino its own snmp master agent, I recommend not to use it because the version supplied with Domino is the rather dated version 5.0.7.
Currently version 5.7.3 is the latest version available. Check the net-snmp change log to see what has changed between versions.
Obviously you should prefer using the operating system snmp master agent which comes preinstalled for a number of Linux distributions.
If not already installed, you can install the package net-snmp with the following command.

# yum install net-snmp

The library net-snmp-utils provides some additional tools like snmpwalk, which we will need later on for testing functionality

# yum install net-snmp-utils

To check the version you are running...

$ snmpwalk --version

Note: Current releases of CentOS and Redhat provide net-snmp version 5.7.2 by default.

Option B - NET-SNMPD v5.0.7 provided by Domino
Domino provides net-snmpd in version 5.0.7  - again, I do not recommend using this version.
However, if really want to use it enter these commands to copy the required files to the /etc directory and make sure the service is started after a reboot.

Note that in this type of configuration your settings are stoed in the file  /etc/net-snmpd.conf

Step 2 - Update Configuration
Back up the original config file to a location of your choice

cp /etc/snmp/snmpd.conf /root

Edit the file /etc/snmp/snmpd.conf . Modifying this file is only required if you are using the master agent provided by your OS.

# nano /etc/snmp/snmpd.conf

1.) Search for sysLocation and update it according to your needs as shown here:


2.) define a username/password combination for SNMP v3 authentication
Of course the user name and password used in this example are to be changed to fit your needs

createUser SNMPv3UserName MD5 SNMPUserSecretPassword AES

3.) At the end of the same file, add this line:

smuxpeer 1.3.6.1.4.1.334.72 NotesPasswd

Dont forget to save the file

Step 3 - SNMP Startup Script
Although you could add /usr/sbin/snmpd as a service directly, its probably more useful to use a startup script.
Domino already provides such a script - you just need to modify the configuration so that it can be used.


Update the configuration (starting in line 31) as follows:

Make sure the startup script runs at next boot


Step 4 - Update Firewall Rules
SNMP requires UDP port 161 to be accessible, so you need to open this port on the local firewall.
Do not forget to open this port on any other firewall on your network which is between the monitoring server and your Domino server


Step 3 - Testing basic functions
Test basic SNMP functionality from the local host and also from a remote server.

# snmpwalk -v3 -u SNMPv3UserName -A SNMPUserSecretPassword -a MD5 -l authnoPriv dominoserver.domain.com .1.3.6.1.4.1.2021.100.2.0

As a result you should get the version number of the SMTP master agent


Step 5 - Enable Domino SNMP Agent
Make sure LNSNMP will be started after a reboot. (Note: change the path to match your configuration!)

In case you get the error  "LOTUSDIR must be set in the environment or in this script." you need to update script so that it can find the path to your Domino server, e.g. LOTUSDIR=/opt/ibm/domino

if everything has worked out, starting the lnsnmp should provide the following output


Step 6 - Domino Tasks
Start the following tasks from the Domino server console

"quryset" is required to support SNMP queries
"intrcpt" is required to support SNMP traps for Domino events
"Collect" is required to support statistic threasold traps
Create a program document or add the tasks to the Notes.ini variable "ServerTasks=" so ensure they are started automatically after a server restart.

Step 7 - Testing Domino SNMP agent response
Now its time to test if we can access Domino objects via SNMP, e.g. by reading a single value.

$ snmpget -v3 -u SNMPv3UserName -A SNMPUserSecretPassword -a MD5 -l authnoPriv dominoserver.domain.com .1.3.6.1.4.1.334.72.1.1.6.2.1.0

Should return the fully qualified Domino Server name as a string


Ok, you're done... the Domino SNMP Agent is configured and can be used.
However, there still is some work to be done on your SNMP management console e.g. Nagios ,FAN , Cacti (or whatever you are using) in order to monitor Domino via SNMP (for example, server down).

Next Actions:
If you like this post, please let me know via Twitter @ThomasHampel or by leaving a comment below. Please note that comments are moderated and wont show up before being approved.
Hint... configuring Nagios for Domino monitoring and configuring Cacti for trend analysis is subject of another blog post which I'm already working on.

Troublshooting

• Check snmpd.log for errors
  # cat /var/log/snmpd.log
• Error : refused smux peer: oid SNMPv2-SMI::enterprises.334.72, descr Lotus Notes Agent
  see IBM Technote 1313318
• Error - Unknown User
  Either a typo in the user name or you forgot to add the user to the snmpd.conf file in step 1, search the config file for something like this:
  createUser SNMPv3UserName MD5 SNMPUserSecretPassword AES
• Error in packet. Reason: authorizationError (access denied to that object)
  The user exists and the password worked, but does not have access rights required. Check snmpd.conf to see if you have granted at least read only rights, search the file for a string like this:
  rouser SNMPv3UserName

Tools:
Take a look at Paessler SMTP Tester (Freeware / Windows)


Further reading:

• How to set up Domino and SNMP in Windows
• IBM Domino MIB - Notes-MIB (v1) Tree

Thomas Hampel

 23 September 2014
GDI Business Line is an ERP & CRM software for the small & medium businesses market. It is developed by the German vendor GDI based in Landau in der Pfalz.
A customer wanted to use the address data from the GDI platform in the Notes/Domino environment. Main purpose was to simplify communication with known customers by synchronizing contact names, addresses, and phone numbers to Domino.

We all know integrating Directory Data with Domino is made easy with TDI, so lets see if we can use it here.
The backend database of GDI is based on FirebirdSQL , and they provide a JDBC driver which is all we need to make it work.

Here are step-by-step instructions for connecting TDI with the GDI Address table

Part 1 - TDI Installation
Tivoli Directory Integrator V7.1.1 is provided free of charge as an additional entitlement for Notes/Domino customers.
All you need to download from Passport Advantage is IBM Tivoli Directory Integrator Identity Edition V7.1.1 with the part number that fits you needs

Platform	Part Number	Size
Windows 32Bit	CZUF0ML	555mb
Windows 64Bit	CZUF7ML	567mb
Linux 32bit	CZUF2ML	547mb
Linux 64bit	CZUF3ML	554mb

We are intending to use a local Notes Client connector so we will be using the 32bit version of TDI. In case you're planning to install TDI on a  64bit Domino Server you could also go for that version.
The installation process of version 7.1.1 is not any different than V7.1, so you can just follow instructions for installing Tivoli Directory Integrator on IBM Infocenter or on Connections101 (Thanks gabturtle & Paul Mooney for this site).

Part 2 - Apply TDI Fix Pack
Download the latest fix pack for TDI v7.1.1 from Fix Central which at the time of writing this blog post is Fix Pack 3 and this JRE upgrade
Follow installation instructions provided with the fix pack(s)
Hint : {TDI_install_dir}\bin\Applyupdates.bat  -update [path to FP zip file]

Part 3 - Notes Connector
TDI can establish different types of connections to Notes/Domino, not all of them can be used everywhere (see Supported session types by Connector )
e.g. if you dont want IIOP to be enabled on your Domino server, you'll have to use either the Local Client connector, which requries a Notes Client to be installed on the same machine, or the Local Server Connector, which requires a Domino Server installed on the same machine. My personal preference is the Notes client connector because it just requires a Notes ID and I can connect from my own client workstation to any server regardless if IIOP is enabled or not.

• Copy the file {NotesProgramDir}\jvm\lib\ext\Notes.jar  to  {TDI_install_dir}/jars/3rdparty/IBM  
  (or to the folder defined in the variable "com.ibm.di.loader.userjars" parameter defined in the solution.properties file)
• Append the Notes Directory to the PATH parameter in the following TWO files
  {TDI_install_dir}ibmditk.bat
  {TDI_install_dir}ibmdisrv.bat
  Example:
  set PATH=%TDI_HOME_DIR%;%TDI_JAVA_BIN_DIR%;%TDI_LIB_DIR%;C:\Program Files (x86)\IBM\Notes;%PATH%

Part 4 - Firebird JDBC Connector
As long as there is a JDBC connector, TDI should be able to connect to the database. FirebirdSQL is nothing special here, so this is what you have to do:

• Pick the JDBC driver here (make sure to choose the one for Java 7)
• Extract the ZIP file to a temporary folder of your choice
• Copy the following three files to the folder {TDI_install_dir}\jars\3rdparty\other
  jaybird22.dll, jaybird-2.2.5.jar, jaybird-full-2.2.5.jar
  

Part 5 - Connect and Feed Data
Now launch TDI Configuration Editor ( {TDI_install_dir}ibmditk.bat ) and add a new JDBC connector

We would like this connector to be used in Iterator mode because we want to loop thru the data later on.
When you click on "Next >" you will be prompted to specify additional connection parameters.
The syntax for the JDBC URL is

jdbc:firebirdsql://host[:port]/database

JDBC URL = jdbc:firebirdsql://sqlserver:23053/C:\Database\GDI.GDB?sql_dialect=1&charset=WIN1252
JDBC Driver = org.firebirdsql.jdbc.FBDriver

and of course you must define your database credentials and the table you want to connect to. In our case the table is "CM_ADRESSEN"

Click Finish to add the connector as your input feed.


Part 6 - Data Map
Now lets use the connection and define the input map:

• Within the connector, use to connect button to establish a first connection for reading the database schema.
• Select the fields which you want to make use of by either dragging/dropping them from the schema or by using the button "Add"
  

Part 7 - Output to Notes/Domino
Lets write this data to Domino...
(Remark: assuming the target database already exists and is using a standard pubnames template)

• Add a Notes Connector in Update mode
  
  When you click on "Next >" you will be prompted to specify additional connection parameters.
  This example will connect to a remote database hosted on "DominoServer/Org/O", you can of course leave the server name empty to connect to a local database.
  
  Click Finish to add the connector as your Data Flow.
• Click the output connector again to define which data to write to which field in Notes/Domino
  Here is an example, feel free to modify or extend:
  
• In the connector define the Link Criteria
  It seems the field SATZUUID is used as a unique key, so we are going to use it as well. Of course you need to make sure to write this field to the target database, otherwise the lookup will always fail and duplicate entries are the result.
  

Part 8 - Fine Tuning
This part is to be done by yourself. You should probably add some special handling to handle different address types such as if the record is using...
"Adresstyp=1" = Contact
"Adresstyp=4" = Company
"Adresstyp=16" = Person

or updating the full text index when the assemblyline has finished...

try{
  notes=NotesConnector.getConnector
  dbname=notes.getParam("notesDatabase")
  srvname=notes.getParam("notesServer")
  sess=notes.getDominoSession()
  db=sess.getDatabase(srvname,dbname)
  if (db.isOpen())         {
          message="Requesting to update FTIndex on " + srvname + "!!" + dbname ;
          task.logmsg ("INFO",message) ;
          db.updateFTIndex(true);
  } else {
          message="Unable to open target notes database." + srvname + "!!" + dbname
          task.logmsg ("ERROR",message) ;
          java.lang.System.out.println (message);
}
 
} catch (ex) {
  message="Unable to update FTIndex in target Notes database. , "  + ex
  task.logmsg ("ERROR",message)
  java.lang.System.out.println (message)
}

Part 9 - Run it
Run the assemblyline and (optionally) have a beer while you will see new person documents showing up in Domino.

Summary
For those of you who are very lazy, here is the TDI AssemblyLine for further use.
GDIDataImportExample.xml

Please note that you must adjust it to fit your needs!  Concluding with Notes Sensei's words : YMMV

Thomas Hampel

 13 May 2014
After upgrading to Domino 9.0.1 the following messages show up at the console.
It seems the agent manager is trying to send file names as commands to the server's console...

AMgr: Console command 'ddm.nsf' is unknown
AMgr: Console command 'admin4.nsf' is unknown
AMgr: Console command 'LOG.NSF' is unknown
AMgr: Console command 'LOG.NSF' is unknown
AMgr: Console command 'ddm.nsf' is unknown
AMgr: Console command 'ddm.nsf' is unknown
AMgr: Console command 'admin4.nsf' is unknown
AMgr: Console command 'admin4.nsf' is unknown
AMgr: Console command 'LOG.NSF' is unknown
AMgr: Console command 'LOG.NSF' is unknown
....

It turned out that its a small bug that was introduced in Domino 9.0.1 - the problem is already known and has been documented in SPR# CSAO9FR9ZS
A local workaround is documented here => LO78790: AMGR: CONSOLE COMMAND 'XXX.NSF' IS UNKNOWN SHOWS REPEATEDLY

Thomas Hampel

 9 May 2014
I'm wondering why internet mails are still sent unencrypted, at least for a large extend. You should not make it too easy for your enemy to spy on you just by sniffing your internet traffic. This blog post is a reminder for Domino admins who still force mails sent unencrypted over the internet to take action now. No, I'm not talking about transport level security for now, this post is to provide end to end encryption.

After having read the-dummies-guide-to-2048-bit-ssl-self-signed-certificates-in-domino.htm you are ready for securing your internet email with S/MIME.
So lets roll out S/MIME certificates to Notes users in a Domino domain:

Basic steps are:
1. Create a key ring file that contains a self signed (or trusted ) certificate
For more information on how to create a self signed CA, read the-dummies-guide-to-2048-bit-ssl-self-signed-certificates-in-domino.htm

2. Set up the CA process in Domino
Nobody wants to deploy S/MIME certificates to users manually, so it is recommended to set up the CA process in Domino,
otherwise an Admin needs to enter the password of the keystore every time a new user is being registered.

3. Migrate an (internet) Certifier into the CA
Just read and follow instructions for migrating an existing Certifier/KeyRing , or create a new one using the use the step by step instructions starting with slide #89
Remark: You must refresh the CA process in order to see the newly migrated certifier, use the server command "tell ca refresh" and "tell ca status"

4. Rolling out Internet Certificates to Users
Follow instructions for Issuing Internet certificates in a Person document or use the  step by step instructions starting with slide #149
Here the CA process becomes very handy when the rollout is done in waves.

Done!
Once AdminP completed, the Notes Client will pick up the new keys the next time it authenticates with the Domino server and the new S/MIME certificate will then be merged into the users ID file.
If an IDVault is in use, the Notes Client will then upload the ID file to the vault automatically.

What about Step-by-Step deployment instructions?
Those have already been provided byTom Truitt's in his Lotushpere 2011 presentation SHOW104 - Crispy Certificates with Spicy SSL Salsa
One might also want to know how to enable S/MIME in BlackBerry Enterprise Service 10 and should keep in mind S/MIME in IBM Notes Traveler still seems to be an issue (Reference Technote #7039769 )

How to obtain the internet certificate's public key of a user?
When receiving internet mail users of the same domain can pick up the public key of a user from the Domino Directory, but users receiving mail from the internet need to ask the sender for a signed email to add the senders internet certificate to local address book manually. The option can be found in the "Add Sender to Contacts" dialog box...


at the very bottom there's a small check box...


Now you can send & encrypted mail(s) via the internet - sniffing network traffic wont provide the mail body in clear text anymore.
Of course enabling S/MIME for external communication is just a first small step and you know its not a perfect way to protect your privacy forever.

Overall, this is just some very basic knowledge every Domino administrator should have applied for years, but unfortunately...
Yes, there is more to say about S/MIME in Domino, a lot more - so there will be another blog post about this topic.

Further reading:

• Quick guide to securing a Domino server with SSL using the CA process
• IBM Developerworks article "Enhancing e-mail security with S/MIME" by Chuck Connell
  http://chc-3.com/pub/Notes-Internet-Encrypted-Email.pdf
• Lotus Domino Certification Authority Tutorial
• Lotus Security Handbook,
• Technote #1308138 Export the private key from a Domino keyfile by using IKEYMAN
• Import & Export an Internet certificate from a Person document

Thomas Hampel

 7 May 2014
Setting up SSL in Domino using Self Signed Certificates is easy, one can choose between SSL using Domino as Certificate Authority or setting up SSL in Domino using the CA Process or even using an IBM HTTP Server in front of Domino
Since I'm still getting questions on how to quickly create a self signed certificate for Domino, here is a guide for dummies....

When working with self signed certificates in Domino, the product documentation wont tell you there's one small problem:
In the standard Domino Server Certificate Administration template (csrv50.ntf) there is no option to specify the key length for self signed certificates, so by default any new keys will be created with a key length of just 512byte, which is not enough for modern browsers nor for Internet Explorer 9 (or above), see http://technet.microsoft.com/en-us/security/advisory/2661254


So lets get this fixed by applying some small modifications to the template so the key size can be adjusted when needed. At the same time we can also change the default validation time to be configurable.
Continue Reading "The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino" »