Query results for : Domino
Welcome Domino License Analysis Utility (DLAU) 1.2.6
Thomas Hampel
20 November 2024
Hi Folks,
the new version 1.2.6 of the Domino License Analysis Utility (DLAU) has just been published.
The tool allows customers to analyze their current environment to identify the license needs.
What has changed in this release?
- Issue #79 - “External Org” users getting improperly categorized as Known Guests
- Issue #78 - External users by organization name is case sensitive
- Issue #72 - Directory Assistance processed differently based on sequence of loading server docs
- UI/UX Issues in Scan Wizard: “Environment Scan Results” is not displaying the list of additional Domino Directories found
- UI/UX Issues in Scan Wizard: “User Report Tool” Scan tab should no longer allow the user to change the location of the User Report Tool.
- User Report Tool Selection Change
Here is a direct link to the download page for DLAU V1.2.6
For more details and to download the latest version see
https://opensource.hcltechsw.com/domino-license-analysis-utility-DLAU/
PS: As mentioned in our privacy statement, the tool performs all activity in your environment with no data being sent back to HCL without your explicit consent.
What is a Large Domino Application and why DAOS rocks
Thomas Hampel
4 October 2024
What is a large Domino application?
To answer this question you might think of limits of the NSF datastore, such as 64 GByte in v9 and 256 GByte with Domino v10 and up.
Well, that is just what the NSF itself can store.
Thanks to DAOS you can put a lot more data into an application or mail file using attachments as they are stored outside of the NSF in a transparent way.
Recently a customer brought up an interesting example of an application they are running in production.
Database properties look like this:
I had to look twice to realize that it is cutting off "MByte" at the end, so this SINGLE instance in fact has a size of
13 TeraByte
I've seen this in test environments or playgrounds but never in the wild before.
To double check we looked at the files panel of the Admin client, which confirmed the size:
The application is working fine and is heavily used (as you can see), just backup and some maintenance tasks were a bit slow (one might guess why).
It's an app for records management and most of its size is caused by DAOS objects. In fact there are 1,9 million DAOS objects just used by this application.
Impressive and clearly a last and final reminder to customers out there who have not enabled DAOS yet.
It is not only going to save lots of storage cost, it also benefits the performance and scalability of your databases.
If you already use DAOS, take a look at the new DAOS Tuner which can optimize your environment
Large Domino Server?
Speaking of large, let me post a screenshot from a Domino server which marks the largest single Domino server (not partitioned, in production use) I came across so far.
What is a Large Mail?
I'm sure admins out there have all seen something like this:
...a single mail with a size of 1,6 GByte, obviously containing a maultaschen recipe, which was routed perfectly fine.
While this is certainly not the world record for the largest mail, it's one that I've seen myself and was able to take a screenshot of.
Reading about email size limits of 100 MB or even 20 MB per message as enforced at most cloud vendors sounds silly compared to what Domino was routing just fine for decades.
What about you?
Have you seen similar cases ? Do you even have examples of large Domino applications, servers, mail, etc. beyond those above?
If so, please send me a mail - preferably with (anonymized) screenshots.
References:
- The Domino® Attachment and Object Service (DAOS)
- New DAOS Tuner in Domino 14.5
PS: Thanks D. for the screenshots
Improving the Mail Template in 12.0.x and 14.0 - Manage Return Receipts according to RFC 2298
Thomas Hampel
24 September 2024
Just a short revisit of a previous blog post which I wrote 7 years ago based on a friendly request from a customer.
mail-template-9.0.1-feature-pack-9-manage-return-receipts-according-to-rfc-2298.htm
The code below is almost the same. It now avoids introducing a new variable named 'doc', and it is placed at the beginning of the event so that it also covers situations where the document is opened in preview mode.
According to RFC 2298 (http://www.ietf.org/rfc/rfc2298.txt), it is recommended to show a dialog box where the recipient of a mail can decide whether or not a return receipt shall be sent back to the originator of the mail.
This behavior is not currently part of the Standard HCL Mail template.
To add this feature you have to modify the following design elements:
- Form “Memo”, Event "QueryOpenDocument", added the code shown below
- Form “Reply”, Event "QueryOpenDocument", added the code shown below
- Form “Reply With History”, Event "QueryOpenDocument", added the code shown below
Insert this code at the BEGINNING of the QueryOpenDocument event.
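If Source.isNewDoc Then
    ' Don't do anything, as this is a new document
Else
    ' Ask only for delivered mail whose sender requested a return receipt
    If Source.document.GetItemValue("ReturnReceipt")(0) = "1" And Source.document.HasItem("DeliveredDate") Then
        ' 36 = Yes/No buttons (4) + question mark icon (32); return value 7 = "No" was clicked
        If Messagebox("The sender of this message has asked to be notified when you read this message." & Chr(13) & "Do you wish to notify the sender?", 36, "Send Return Receipt?") = 7 Then
            ' Recipient declined: clear the request flag and save the document
            Call Source.document.ReplaceItemValue("ReturnReceipt", "0")
            ' Save(force, createResponse, markRead)
            Call Source.document.Save(True, False, True)
        End If
    End If
End If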
For clarity, this is what the QueryOpen event looks like BEFORE the modification:
and AFTER the modification it looks like this:
Available now: HCL Notes/Domino 11.0.1 Fix Pack 9
Thomas Hampel
17 July 2024
HCL just released Fix Pack 9 for HCL Notes/Domino 11.0.1
More details of what has been fixed are provided in the Release Notes or if you prefer reading the classic Fix List Database style see this => Notes/Domino Fix List
Before installing this update, please verify the system requirements:
- HCL Notes 11.0.1 Fix Pack 7, Fix Pack 8, and Fix Pack 9 System Requirements
- HCL Domino 11.0.1 Fix Pack 7, Fix Pack 8, and Fix Pack 9 System Requirements
These kits are also available on MHS at the following URLs:
- Domino 11.0.1 FP9 : https://my.hcltechsw.com/downloads/domino/domino/11.0.1fp9
- Notes : https://my.hcltechsw.com/downloads/domino/domino/11.0.1fp9
- Client for Application Access : https://my.hcltechsw.com/downloads/domino/caa/3.0.10
WARNING
HCL Notes/Domino 11.0.x will be End of Support by 26. June 2025 (=next year) !!
It's time to plan your upgrade, which as you know is quite an easy and straightforward upgrade.
Available now: HCL Notes/Domino 12.0.2 Fix Pack 4
Thomas Hampel
16 May 2024
HCL just released Fix Pack 4 for HCL Notes/Domino 12.0.2
More details of what has been fixed are provided in the Release Notes or if you prefer reading the classic Fix List Database style see this => Notes/Domino Fix List
Before installing this update, please verify the system requirements:
- HCL Notes 12.0.2, 12.0.2 Fix Pack 4 System Requirements
- HCL Domino 12.0.2 Fix Pack 4 System Requirements
These kits are available for download at our new MyHCLSoftware download portal at the following URLs:
https://my.hcltechsw.com/downloads/domino/notes/12.0.2fp4
https://my.hcltechsw.com/downloads/domino/domino/12.0.2fp4
Bonus:
If you are already running Domino V14 and have the new AutoUpdate feature enabled, you'll see what's shown in the screenshot below:
Learn more on how to use this feature, by joining our Domino V14 Deep Dive webinar series on Jan. 31 on Domino v14 Auto Notify, Update & Install
Welcome Domino License Analysis Utility (DLAU) 1.2.4
Thomas Hampel
17 April 2024
Hi Folks,
the new version 1.2.4 of the Domino License Analysis Utility (DLAU) has just been published.
The tool allows customers to analyze their current environment to identify the license needs.
The new version now supports MacOS clients to perform the scan and it resolves a number of issues which customers have reported.
What's New ?
- Report now includes Domino server versions
- Supports Readonly user with the appropriate rights
- Support for MacOS
- Save the server versions as a reference for each scan
- Note when server access is setup to allow wildcarded usernames
- BugFix: Add new export category and create directory if it does not exist
- BugFix: New version available string is missing the new version title
- BugFix: Error when dividing by zero when creating the digital signature
- BugFix: User information from primary directory is lost when they also exist in another scanned directory
- BugFix: Attempt to fix situations where user receives ERROR: Object variable not set #: 91, line: 3
- BugFix: Correct the spelling of “signing” on “signing” page
- BugFix: utility is duplicated on the Nomad page
For more details and to download the latest version see
https://opensource.hcltechsw.com/domino-license-analysis-utility-DLAU/
PS: As mentioned in our privacy statement, the tool performs all activity in your environment with no data being sent back to HCL without your explicit consent.
Available now: HCL Notes/Domino 14.0 Fix Pack 1
Thomas Hampel
17 April 2024
HCL just released Fix Pack 1 for HCL Notes/Domino 14, providing 92 fixes and updates for client and server.
More details of what has been fixed are provided in the Release Notice or if you prefer reading the classic Fix List Database style see this => Notes/Domino Fix List
Before installing this update, please verify the system requirements:
- HCL Domino 14.0 and 14.0 Fix Pack 1 System Requirements (KB0108740); for IBMi see KB0108946
- HCL Notes 14.0 and 14.0 Fix Pack 1 System Requirements (KB0108739)
- HCL iNotes 14.0 and 14.0 Fix Pack 1 Browser Requirements (KB0108942)
These kits are available for download at our new MyHCLSoftware download portal at the following URLs:
https://my.hcltechsw.com/downloads/domino/notes/14.0fp1
https://my.hcltechsw.com/downloads/domino/domino/14.0fp1
Bonus:
If you already have the new AutoUpdate feature enabled, you'll see what's shown in the screenshot below:
For how to use this feature, see Domino V14 Deep Dive webinar Auto Notify, Update & Install
New HCL Domino Marketplace - Get your apps & tools listed now!
Thomas Hampel
3 April 2024
Good News Folks!
"It took forever, but now it's live" wrote the engineer (Thank You Scott) when he told me that our redesigned HCL Domino Marketplace submission form finally went live.
Based on input from our developer and partner community the team improved the functionality and the look and feel of the site.
The submission process has been revamped into a multi-stage form with improved structure, enabling the option to save submissions as drafts.
Submitting your products, solutions, or Domino templates is free of charge and now is even easier than ever.
Try yourself:
Simply follow these steps:
1. Start here: https://hclsofy.com/managecontent
2. Log in with your existing HCL ID / Partner credentials, or create a new account as needed.
3. Click on "Domino Submission"
4. Fill in the required information about your application.
Please note, there are two types of applications:
- Products, which are commercial Domino applications, addons, templates, etc.
- Templates, which are non-commercial templates you want to make available for download at no charge.
5. Upload any necessary screenshots, provide the metadata required
6. Hit submit, and you're done!
References:
- HCL Domino Marketplace
- Here you can find a more detailed description of each field and how to fill the form
- My Blog Submit your apps now.
Welcome Domino License Analysis Utility (DLAU) 1.2.3
Thomas Hampel
29 March 2024
Hi Folks,
the new version 1.2.3 of the Domino License Analysis Utility (DLAU) has just been published.
The tool allows customers to analyze their current environment to identify the license needs.
The new version especially addresses a problem (DNEXT-26194) where 32Bit Notes clients may not be able to run an analysis.
What's New ?
- Include DLAU version in the emailed report
- Added additional logging output behind Notes.ini DLAU_VERBOSE_MODE=1
- Fix : DNEXT-26194 - Recompiled LotusScript with 32-bit compiler
- Fix : DNEXT-26190 - Global variable was being updated incorrectly causing incorrect error message
- Fix : DNEXT-25836, DNEXT-25837 - addressed typo and string updates
For more details and to download the latest version see
https://opensource.hcltechsw.com/domino-license-analysis-utility-DLAU/
PS: As mentioned in our privacy statement, the tool performs all activity in your environment with no data being sent back to HCL without your explicit consent.
Welcome Domino License Analysis Utility (DLAU) 1.2.2
Thomas Hampel
19 February 2024
Hi Folks,
the new version 1.2.2 of the Domino License Analysis Utility (DLAU) has just been published.
The tool allows customers to analyze their current environment to identify the license needs.
The new version addresses a number of issues and improvement requests customers had reported, here's a short list:
What's New ?
- Ability to check for new version
- Include user names from entitlement tracking (if it exists) in user counting process
- Fix string in dialog that warns the user they don’t have appropriate rights to the names.nsf
- Fix string in dialog that warns the user they don’t have the appropriate role in the Domino Directory
- Fix Issue #50 Observation information is not accurate when non-Domino LDAP is used as authentication
- Admin server is changing when additional directories are identified
- Incorrect error message due to improper casing on file naming comparison
- Corrected misspelled word
- Ability to add DLAU_VERBOSE_MODE=1 with the Notes.INI set before beginning the scan, the logging has been enhanced to capture the output in the scan log as well as logging additional information.
For more details and to download the latest version see
https://opensource.hcltechsw.com/domino-license-analysis-utility-DLAU/
PS: As mentioned in our privacy statement, the tool performs all activity in your environment with no data being sent back to HCL without your explicit consent.
Available now: HCL Notes/Domino 12.0.2 Fix Pack 3
Thomas Hampel
17 January 2024
HCL just released Fix Pack 3 for HCL Notes/Domino 12.0.2
More details of what has been fixed are provided in the Release Notes or if you prefer reading the classic Fix List Database style see this => Notes/Domino Fix List
Before installing this update, please verify the system requirements:
- HCL Notes 12.0.2, 12.0.2 Fix Pack 3 System Requirements
- HCL Domino 12.0.2 Fix Pack 3 System Requirements
These kits are available for download at our new MyHCLSoftware download portal at the following URLs:
https://my.hcltechsw.com/downloads/domino/notes/12.0.2fp3
https://my.hcltechsw.com/downloads/domino/domino/12.0.2fp3
Bonus:
If you are already running Domino V14 and have the new AutoUpdate feature enabled, you'll see what's shown in the screenshot below:
Learn more on how to use this feature, by joining our Domino V14 Deep Dive webinar series on Jan. 31 on Domino v14 Auto Notify, Update & Install
HCL Domino Marketplace - submit your apps, products, solutions, and templates NOW
Thomas Hampel
19 December 2023
Dear HCL Domino Community, Developers and Partners,
Earlier this year at the Collabsphere conference, we announced that we are working on our brand-new HCL Domino application marketplace/appstore, and we want YOU to be a part of it!
We believe that your applications deserve a spotlight, and our new marketplace is the perfect platform for you to showcase your work to a wider audience.
Here are a few reasons why you should consider submitting your applications to our marketplace:
Increased Visibility:
The new Domino marketplace is designed to attract current and new customers, tech enthusiasts, and industry professionals.
By featuring your applications here, you'll get the exposure your work deserves.
Our courtesy to your HCL Domino investment
Having your application listed is free of charge.
All we need is some information about your app such as name, description, screenshots.
Improving adoption
Even if your application or tool is a non-commercial asset you have developed, submitting it to the Domino marketplace will grow your user base and reputation.
Receive valuable feedback from users and improve your applications based on real-world usage. This iterative process can lead to enhancements and optimizations you might not have considered.
Submitting your application is easy!
Simply follow these steps:
1. Start here: https://hclsofy.com/managecontent
2. Log in with your existing HCL ID / Partner credentials, or create a new account as needed.
3. Click on "Domino Submission"
4. Fill in the required information about your application.
Please note, there are two types of applications:
- Products, which are commercial Domino applications, addons, templates, etc.
- Templates, which are non-commercial templates you want to make available for download at no charge.
5. Upload any necessary screenshots, provide the metadata required
6. Hit submit, and you're done!
Here you can find a more detailed description of each field and how to fill the form.
We can't wait to see the amazing applications you've developed and share them with the world.
If you have any questions or need assistance during the submission process, please let me know
Thank you for being a driving force in the world of the Domino technology!
HCL Domino 14 is available now!
Thomas Hampel
7 December 2023
Hi Folks
I'm very happy to announce that HCL Notes/Domino V14 has just been released and is available for download.
Among lots of other new features and cool stuff, my personal highlights in this release are:
- Passkey support
- Auto-Update / Update Notifications
- AdminCentral
and of course the matter of fact that Verse, Nomad and Ontime are now integrated in the Domino installer.
Of course there is a lot more that I could write about here, but I've already written a comprehensive blog post that will be posted later today at our corporate blog
What do you need to do now?
1. Join our webcast on December 7 @ 10am ET - to attend, please Register now!
2. Read What's new in HCL Domino 14
3. Download the latest version from our new software download portal
4. Plan your upgrade
Welcome Domino License Analysis Utility (DLAU) 1.2.1
Thomas Hampel
1 December 2023
Hi Folks,
the new version 1.2.1 of the Domino License Analysis Utility (DLAU) has just been published.
The tool allows customers to analyze their current environment to identify the license needs.
The new version addresses a number of issues and improvement requests customers had reported, here's a short list:
What's New ?
- Added support for scanning Directory Assistance on all servers in the environment.
Set DLAU_VERBOSE_MODE=1 in the Notes.INI before beginning the scan.
For more details and to download the latest version see
https://opensource.hcltechsw.com/domino-license-analysis-utility-DLAU/
PS: As mentioned in our privacy statement, the tool performs all activity in your environment with no data being sent back to HCL without your explicit consent.
Is HCL Notes/Domino using Oracle Java?
Thomas Hampel
13 October 2023
The short answer: No!
Background:
On January 23, 2023, Oracle announced (again) yet another new licensing model for Oracle Java that represents a dramatic price increase for large organizations.
This can lead to interesting discussions since, e.g., a 40,000-employee organization could be asked to spend USD $2.5M annually on Oracle Java alone.
What Java version is used by Notes and Domino?
Notes and Domino are providing the Java runtime as part of the product, so customers do NOT need to download or install the Java runtime environment separately.
Since the JVM/JDK is part of the licensed product, it is covered under the product license of HCL or previously the product license of IBM.
With the acquisition of the product by HCL, dependencies to IBM Java were removed and got replaced with OpenJDK effectively in version 11.0.0 of HCL Notes/Domino.
Java updates are provided by HCL (and previously by IBM) typically as part of regular fix packs.
Here is a simplified overview of what Java version is used in the product:
Notes/Domino | Java Version | Java Vendor | JVM | Remarks |
14.0.x | 17 LTS | IBM Semeru | OpenJ9 | Open Edition |
12.0.x | 8 | AdoptOpenJDK, later IBM Semeru | OpenJ9 | renamed to Adoptium |
11.0.x | 8 | AdoptOpenJDK, later IBM Semeru | OpenJ9 | renamed to Adoptium |
10.0.x | 8 | IBM | IBM J9 | see IBM FAQ |
9.0.1 | 8 | IBM | IBM J9 | see IBM FAQ |
9.0.0 | 6 | IBM | IBM J9 |
A more comprehensive overview of which Java flavour and patch level is included in which release of Domino is provided later in this blog post.
For details, please refer to
- For HCL Notes/Domino version 11 and later: KB0037886 - What is the impact to JVM support in Notes/Domino with Oracle's announcement to charge?
- For IBM Notes/Domino version 9 and 10: IBM FAQ to Oracle’s Java Products Commercial Licensing
- AdoptOpenJDK statement on Oracle's support announcement
Special cases and exceptions?
- MacOS: old versions of the IBM Notes Client before(!) 9.0.1 IF17 did not include any Java runtime. Customers may have manually installed a JVM, e.g. the Oracle runtime.
Starting with Notes Client 9.0.1 IF17 the product includes the IBM Java runtime. Customers are encouraged to upgrade to a more current version of the HCL Notes Client for MacOS.
- IBMi (=iSeries): HCL Domino will use the version provided by the platform.
- HCL Client for Application Access (HCAA), formerly known as IBM Client for Application Access (ICAA), does not provide a Java VM; it uses a JVM that you choose to install yourself.
A JVM needs to be provided only for accessing Domino applications that run Java code >in< the HCAA client.
What about Nomad, Verse, Enterprise Integrator, SAP Connector, etc?
These products are addons to Domino and unless otherwise specified they leverage the JVM provided by Domino.
IBM? OpenJDK? Semeru? Adoptium? Eclipse? - Are you confused as well?
It's not easy to even get a basic understanding of the various project names, forks, branches and takeovers, but I'll try providing a short intro without covering the entire history of Java nor what Java itself is.
In the context of Notes and Domino, this is what you need to know:
- OpenJDK is a free and open-source implementation of the Java Platform, Standard Edition (Java SE), it is a Java Development Kit (JDK)
- OpenJ9 is a Java virtual machine (JVM), contributed to the Eclipse project by IBM
- AdoptOpenJDK was a project for producing vendor neutral builds of OpenJDK
- AdoptOpenJDK merged into Eclipse Adoptium, to provide a prebuilt OpenJDK; that release is now named Temurin.
With this move, Adoptium is, according to them, not allowed to release OpenJ9-based or GraalVM-based runtimes.
- IBM comes to the rescue and provides OpenJ9 builds at no charge as the IBM Semeru runtime, which includes the OpenJ9 Java VM
- IBM Semeru comes in two flavours:
a) IBM Semeru Runtime Open Edition, which is open source (GPLv2) licensed and is not TCK (Technology Compatibility Kit) certified
b) IBM Semeru Runtime Certified Edition, which is Java TCK-certified
- Former "IBM Java" has been moved into IBM Semeru Runtime Certified Edition at Java version 11
- HCL Notes and Domino are using IBM Semeru Open Edition.
For better understanding of the above, here is a chart that explains:
As outlined above, HCL Notes and Domino is embedding IBM Semeru and does not use any Oracle Java.
Table: Java versions used by Notes and Domino
Source: KB0037886 - What is the impact to JVM support in Notes/Domino with Oracle's announcement to charge?
Notes/Domino Version | Release | Java Runtime Vendor | Java Version |
V12 | 12.0.2 Fix Pack 2 | IBM Semeru Runtime Open Edition 8 | Semeru jdk8u372-b07 |
V12 | 12.0.2 Fix Pack 1 | IBM Semeru Runtime Open Edition 8 | Semeru jdk8u362-b09 |
V12 | 12.0.2 | AdoptOpenJDK 8 | OpenJDK jdk8u345-b01 |
V12 | 12.0.1 Fix Pack 1 | AdoptOpenJDK 8 | OpenJDK jdk8u312-b07 |
V12 | 12.0.1 | AdoptOpenJDK 8 | OpenJDK jdk8u302-b08 |
V12 | 12.0.0 | AdoptOpenJDK 8 | OpenJDK jdk8u282-b08 |
V11 | 11.0.1 Fix Pack 8 | AdoptOpenJDK 8 | OpenJDK jdk8u372-b07 |
V11 | 11.0.1 Fix Pack 7 | AdoptOpenJDK 8 | OpenJDK jdk8u352-b08 |
V11 | 11.0.1 Fix Pack 6 | AdoptOpenJDK 8 | OpenJDK jdk8u332-b09 |
V11 | 11.0.1 Fix Pack 5 | AdoptOpenJDK 8 | OpenJDK jdk8u312-b07 |
V11 | 11.0.1 Fix Pack 4 | AdoptOpenJDK 8 | OpenJDK jdk8u302-b08 |
V11 | 11.0.1 Fix Pack 3 | AdoptOpenJDK 8 | OpenJDK jdk8u282-b08 |
V11 | 11.0.1 Fix Pack 2 | AdoptOpenJDK 8 | OpenJDK jdk8u265-b01 |
V11 | 11.0.1 Fix Pack 1 | AdoptOpenJDK 8 | OpenJDK jdk8u252-b09 tzdata 2020a |
V11 | 11.0.1 | AdoptOpenJDK 8 | OpenJDK jdk8u242-b08 tzdata2019c |
V11 | 11.0.0 | AdoptOpenJDK 8 | OpenJDK jdk8u222-b10 |
V10 | 10.0.1 FP8 | IBM Java 8 | IBM Java 8.0 SR7FP6_tzdata2022a |
V10 | 10.0.1 FP7 | IBM Java 8 | IBM Java 8.0 SR6FP25_tzdata2021a |
V10 | 10.0.1 FP6 | IBM Java 8 | IBM Java 8.0 SR6FP10_tzdata2020a |
V10 | 10.0.1 FP5 | IBM Java 8 | IBM Java 8.0 SR6FP5_tzdata2019c |
V10 | 10.0.1 FP4 | IBM Java 8 | IBM Java 8.0 SR5FP40_tzdata2019c |
V10 | 10.0.1 | IBM Java 8 | IBM Java 8.0 SR5FP21 |
V10 | 10.0.0 | IBM Java 8 | IBM Java 8.0 SR5FP16ifix |
V9 | 9.0.1 Fix Pack 10 Interim Fix | IBM Java 8 | IBM Java 8.0 SR6FP25 |
V9 | 9.0.1 Fix Pack 10 | IBM Java 8 | IBM Java 8.0 SR5FP21 tzdata2018e |
V9 | 9.0.1 Fix Pack 9 | IBM Java 8 | IBM Java 8.0 SR4FP5 |
V9 | 9.0.1 Fix Pack 8 | IBM Java 8 | IBM Java 8.0 SR3FP12 |
V9 | 9.0.1 Fix Pack 7 | IBM Java 6 | IBM Java 6.0 SF16FP30 |
V9 | 9.0.1 Fix Pack 6 | IBM Java 6 | IBM Java 6.0 SF16FP20 |
V9 | 9.0.1 Fix Pack 5 | IBM Java 6 | IBM Java 6.0 SF16FP15 |
V9 | 9.0.1 Fix Pack 4 | IBM Java 6 | IBM Java 6.0 SR16FP4 |
V9 | 9.0.1 Fix Pack 3 | IBM Java 6 | IBM Java 6.0 SR16FP2 |
V9 | 9.0.1 Fix Pack 2 | IBM Java 6 | IBM Java 6.0 SR16 |
V9 | 9.0.1 Fix Pack 1 | IBM Java 6 | IBM Java 6.0 SR15FP1 |
V9 | 9.0.1 | IBM Java 6 | IBM Java 6.0 SR14 + ifix |
V9 | 9.0.0 | IBM Java 6 | IBM Java 6.0 SR12+ ifix |
Remarks:
IBM SDK, Java Technology Edition, Version 6 has reached end of life, see https://www.ibm.com/support/pages/java-sdk-downloads-version-60
How to check which Java version is used?
From the program directory of the Notes client or Domino server:
cd jvm/bin
./java -version
Example:
Checking the Java version used by the HCL Notes Client 14.0 (Early Access version) on Windows:
C:\Program Files\HCL\Notes>cd jvm/bin
C:\Program Files\HCL\Notes\jvm\bin>java -version
openjdk 17.0.4.1 2022-08-12
IBM Semeru Runtime Open Edition 17.0.4.1 (build 17.0.4.1+1)
Eclipse OpenJ9 VM 17.0.4.1 (build openj9-0.33.1, JRE 17 Windows 7 amd64-64-Bit
Compressed References 20220812_237 (JIT enabled, AOT enabled)
OpenJ9 - 1d9d16830
OMR - b58aa2708
JCL - 1f4d354e654 based on jdk-17.0.4.1+1)
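For an audit across many clients and servers, the banner printed by `java -version` can be classified automatically. The following is an added example, not code from the original post or from HCL: it parses the banner shown above and decides from the VM line, rather than from the runtime line, whether an Oracle JVM is in use. The function names and the two non-Semeru sample banners are constructed for illustration.

```python
import os
import re
import subprocess
from pathlib import Path

# Banner printed by the Notes 14.0 client in the example above.
PAGE_SAMPLE = """\
openjdk 17.0.4.1 2022-08-12
IBM Semeru Runtime Open Edition 17.0.4.1 (build 17.0.4.1+1)
Eclipse OpenJ9 VM 17.0.4.1 (build openj9-0.33.1, JRE 17 Windows 7 amd64-64-Bit
Compressed References 20220812_237 (JIT enabled, AOT enabled)
OpenJ9 - 1d9d16830
OMR - b58aa2708
JCL - 1f4d354e654 based on jdk-17.0.4.1+1)
"""

# Constructed banners in the shape Oracle Java 8 and IBM Java 8 print.
# The build strings are illustrative, not taken from a real installation.
ORACLE_SAMPLE = """\
java version "1.8.0_201"
Java(TM) SE Runtime Environment (build 1.8.0_201-b09)
Java HotSpot(TM) 64-Bit Server VM (build 25.201-b09, mixed mode)
"""
IBM_J9_SAMPLE = """\
java version "1.8.0_211"
Java(TM) SE Runtime Environment (build 8.0.5.35 - pwa6480sr5fp35)
IBM J9 VM (build 2.9, JRE 1.8.0 Windows 10 amd64-64-Bit Compressed References)
"""

# First banner line: 'openjdk 17.0.4.1 ...' or 'java version "1.8.0_201"'.
VERSION_RE = re.compile(r'^(?:openjdk|java)(?: version)? "?([0-9][^"\s]*)"?')

# Checked in order against the line that names the VM.
VM_RULES = [
    ("Java HotSpot(TM)", "Oracle HotSpot"),
    ("OpenJ9", "Eclipse OpenJ9"),
    ("IBM J9", "IBM J9"),
    ("OpenJDK", "OpenJDK HotSpot"),
]
# Distribution names that appear verbatim somewhere in the banner.
DIST_RULES = [
    ("IBM Semeru", "IBM Semeru"),
    ("Temurin", "Eclipse Temurin"),
    ("AdoptOpenJDK", "AdoptOpenJDK"),
]


def classify_java_banner(text):
    """Return version, distribution, VM and an Oracle flag for one banner."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    match = VERSION_RE.match(lines[0]) if lines else None
    version = match.group(1) if match else None
    # IBM Java 8 also prints "Java(TM) SE Runtime Environment", so the
    # runtime line cannot tell Oracle from IBM; the VM line can.
    vm_line = next((ln for ln in lines if " VM " in ln), "")
    vm = next((label for needle, label in VM_RULES if needle in vm_line),
              "unknown")
    dist = next((label for needle, label in DIST_RULES
                 if any(needle in ln for ln in lines)), None)
    if dist is None:
        dist = {"Oracle HotSpot": "Oracle Java SE",
                "IBM J9": "IBM Java"}.get(vm, "OpenJDK build, vendor not stated")
    return {"version": version, "distribution": dist, "vm": vm,
            "oracle": vm == "Oracle HotSpot"}


def probe(program_dir):
    """Run jvm/bin/java -version below a Notes/Domino program directory."""
    exe = Path(program_dir) / "jvm" / "bin" / ("java.exe" if os.name == "nt" else "java")
    done = subprocess.run([str(exe), "-version"], capture_output=True,
                          text=True, timeout=30)
    # java -version writes its banner to stderr.
    return classify_java_banner(done.stderr or done.stdout)


if __name__ == "__main__":
    for name, banner in (("page sample", PAGE_SAMPLE),
                         ("constructed Oracle", ORACLE_SAMPLE),
                         ("constructed IBM J9", IBM_J9_SAMPLE)):
        print(name, classify_java_banner(banner))
```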
References:
- AdoptOpenJDK statement on Oracle's support announcement
- KB0037886 - What is the impact to JVM support in Notes/Domino with Oracle's announcement to charge?
- IBM FAQ to Oracle’s Java Products Commercial Licensing
- KB0073999 - Interim Fixes & JVM patches for 9.0.1.x versions of IBM Notes/Domino & add-ons
- IBM Semeru Runtime vulnerabilities
Finally:
I hope this brief explanation will help to better understand the usage of Java in our product and provides you with enough of a justification to upgrade to the most current version of HCL Notes and Domino.
so upgrade NOW !
Good News for IBMi customers - Domino now supports Power 10 Hardware
Thomas Hampel
13 September 2023
Good News for Domino customers running on IBMi hardware!
As of today, HCL Domino 12.0.2 is officially supported to run on IBMi 7.5 on Power 10 hardware.
Compatibility testing took longer than expected but has now finished successfully, so you can now go ahead and plan your upgrade projects.
Please note that customers are recommended to use FixPack 2 for Domino 12.0.2 as this Fix Pack is addressing some IBMi specific updates.
References:
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0101447
HCL and DNUG Community Meeting Berlin - 21.Sept 2023
Thomas Hampel
11 September 2023
Hello HCL & DNUG Community Berlin!
By popular request, we do not want to leave you sweating in these hot times, and we invite you to a real community meeting, on site in Berlin.
There will be news about the HCL products, an outlook on Domino V14, and live demos that have never been shown before.
With cold drinks, food and good spirits we will spend the rest of the evening with conversations and questions around the HCL product family.
Every participant is of course very welcome!
We offer:
- HCL Software News (Thomas Hampel)
When?
Thursday, 21 Sept 2023
Time: 18:00 until ...
Where?
Paulaner im Spreebogen
Alt-Moabit 98
10559 Berlin
https://paulaner-im-spreebogen.de/
Registration?
https://dnug.de/events/stammtische/berlin/
False Alarm: New Domino Backdoor
Thomas Hampel
20 April 2023
IBM XForce is well known for the quality of their research - however this time I'm wondering about the publication.
They discovered and analyzed a new type of malware (so far so good) and they named it ... "Domino"
Don't Panic!
HCL already published this technote to clarify that this is unrelated to the HCL Domino product and has requested IBM Security X-Force to correct this unfortunate use of HCLSoftware’s registered and licensed product name.
Update!
IBM updated their article and have renamed the malware - it is now called "Minodo"
In short:
1. There is no backdoor in HCL Domino
2. The new malware which IBM has discovered has NOTHING to do with HCL Domino.
3. This malware does NOT affect HCL Domino
Reference:
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0104503
https://securityintelligence.com/posts/ex-conti-fin7-actors-collaborate-new-domino-backdoor/
- 18 April 2023 - (0) Comments
Thomas Hampel
18 April 2023
Hey Domino Administrators out there,
HCL is looking for your input regarding how you are managing your environment.
Can you please help by answering this small survey?
It is completely anonymous and consists of a few questions to gather information on how Domino is used and how software updates are handled by Domino customers.
It should take less than 3min. to complete.
If you are managing more than one Domino environment please submit a survey for each one.
https://hclsw.co/domino-admin-survey
Available now: HCL Notes/Domino 12.0.2 Fix Pack 1
Thomas Hampel
17 April 2023
HCL just released Fix Pack 1 for HCL Notes/Domino 12.0.2
More details of what has been fixed are provided in the Release Notes or if you prefer reading the classic Fix List Database style see this => Notes/Domino Fix List
Before installing this update, please verify the system requirements:
- HCL Notes 12.0.2 and 12.0.2 Fix Pack 1 System Requirements
- HCL Domino 12.0.2 and 12.0.2 Fix Pack 1 System Requirements
The following kits/packages are now available for download on Flexnet for entitled customers:
Notes Client
HCL Notes 12.0.2FP1 Basic Configuration for Windows English 32-bit
HCL Notes 12.0.2FP1 for Windows 32-bit
HCL Notes 12.0.2FP1 for Windows 64-bit
HCL Notes 12.0.2FP1 for Mac 64 bit
Domino Server
HCL Domino Server 12.0.2FP1 for Windows 64bit
HCL Domino Server 12.0.2FP1 for AIX
HCL Domino Server 12.0.2FP1 for Linux
HCL Domino Server 12.0.2FP1 IBMi
HCL Domino 12.0.2FP1 Docker image
How to run HCL Domino on a QNAP NAS
Thomas Hampel
21 March 2023
Some time ago I've done a demo running Domino on a QNAP network attached storage device.
Thanks to Docker and the Domino Container project which Daniel and I are maintaining, running a fully featured Domino environment incl. Verse, Nomad, Rest API, Traveler and Leap is not a problem even on entry level hardware.
Details and step-by-step instructions have been published here in the Domino container project documentation.
Enjoy reading!
Help! DAOS files have been removed - the impact of a misconfigured backup job- 22 February 2023 - (0) Comments
Thomas Hampel
22 February 2023
Recently a customer approached me with a request for help. I'd like to briefly share the story here because it was an interesting case.
On a Friday, the Domino team noticed severe problems with loading attachments: users reported they were no longer able to open attachments.
It seemed that not a single DAOS object could be opened by the server anymore.
Domino servers were reporting: Error 0x80070780: The file cannot be accessed by the system.
Checking the DAOS repository on the Domino server's disk revealed that those files were displayed with a file size of XX MByte but actually had a size of ZERO BYTES (!!!)
Potential cause? Maybe a broken hard disc or filesystem? People even assumed Domino itself would be responsible for destroying DAOS objects on disk.
To mitigate the issue, a full restore of all DAOS objects was initiated, which took a couple of hours. Afterwards it seemed the situation was resolved.
However, just one day later the same problem appeared. All DAOS objects again had a size of 0 bytes, with millions of DAOS objects being affected.
Root cause:
It turned out the backup software (Commvault) was misconfigured - instead of taking a backup of DAOS objects it was configured for >archiving< them.
Archiving in this case means that files will be moved to the backup environment but a 0 byte place holder will remain.
One could claim the user interface of Commvault backup easily allows for clicking the wrong option as both of them are listed next to each other.
There is no visible difference between the configuration screens later on, so unfortunately it was a human error/mistake to click on the wrong option.
Solution:
Initiate a restore job of files that were archived to the Commvault environment.
https://documentation.commvault.com/v11/essential/134649_restoring_archived_data.html
Lessons learned:
Don't blame the top level application for a failure just because it is most impacted.
Open a support ticket at HCL and work together as a team to investigate and resolve the issue.
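A scheduled check for this failure mode, as an added example that is not part of the original post or of any HCL or Commvault tooling: it walks a DAOS repository and reports object files that look like archive stubs instead of real data. The `.nlo` suffix is Domino's DAOS object file extension; the 64 KiB threshold and the script name are assumptions made for this example.

```python
"""Added example: find DAOS object files that look like archive stubs."""
import os
import sys

# Windows attribute bits as reported in os.stat().st_file_attributes.
FILE_ATTRIBUTE_REPARSE_POINT = 0x0400
FILE_ATTRIBUTE_OFFLINE = 0x1000

# Assumption: only files at least this large are judged by allocated blocks,
# because some filesystems keep very small files inline with zero blocks.
MIN_SIZE_FOR_BLOCK_CHECK = 64 * 1024


def classify(size, allocated, attrs):
    """Return a reason string if the file looks like a stub, else None.

    size      -- logical length in bytes
    allocated -- bytes allocated on disk, or None when the OS does not report it
    attrs     -- Windows attribute bits, or 0 when not available
    """
    if size == 0:
        return "zero-length"
    if attrs & FILE_ATTRIBUTE_OFFLINE:
        return "offline-attribute"
    if attrs & FILE_ATTRIBUTE_REPARSE_POINT:
        return "reparse-point"
    if allocated == 0 and size >= MIN_SIZE_FOR_BLOCK_CHECK:
        return "no-blocks-allocated"
    return None


def scan(daos_root, suffix=".nlo"):
    """Walk daos_root and return a list of (path, reason) for suspect objects."""
    findings = []
    for dirpath, dirs, files in os.walk(daos_root):
        dirs.sort()  # deterministic order for reports
        for name in sorted(files):
            if not name.lower().endswith(suffix):
                continue
            path = os.path.join(dirpath, name)
            try:
                # lstat reads metadata only; it does not open the file content.
                st = os.lstat(path)
            except OSError as exc:
                findings.append((path, "stat-failed: %s" % exc.strerror))
                continue
            attrs = getattr(st, "st_file_attributes", 0)   # Windows only
            blocks = getattr(st, "st_blocks", None)        # POSIX only
            allocated = None if blocks is None else blocks * 512
            reason = classify(st.st_size, allocated, attrs)
            if reason:
                findings.append((path, reason))
    return findings


def main(argv):
    if len(argv) != 2:
        print("usage: daos_stub_check.py <DAOS base path>", file=sys.stderr)
        return 2
    findings = scan(argv[1])
    for path, reason in findings:
        print("%s\t%s" % (reason, path))
    # Non-zero exit code lets a scheduler or monitoring agent raise an alert.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run after every backup window, a non-empty result points at the backup or archiving job before users notice missing attachments.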
Developers: New C API Toolkit 12.0 is available now- 2 September 2021 - (0) Comments
Thomas Hampel
2 September 2021
Again: good news for developers and partners out there who work on plugins and extensions for Domino.
We just published the V12 version of the C API Toolkit for Domino and Notes:
Interesting side note: after 7 years without any new release, HCL published two major releases of the toolkit just in one year.
This new version provides a number of new API calls and, as promised, provides the make files and MSVS project files developers were looking for.
You can find the new V12 C API Toolkit in the Domino V12 server product category on Flexnet Downloads
Reference:
Group 3 Languages for HCL Notes and Domino 11.0.1- 16 August 2021 - (0) Comments
Thomas Hampel
16 August 2021
Good news: HCL Notes 11.0.1 is now available in even more languages!
You asked for it (see DOMINO-I-831 and NTS-I-842), so in addition to the 16 languages the Notes client was already providing, HCL is delivering nine more language translations:
- Danish
- Finnish
- Norwegian
- Catalan
- Hebrew
- Hungarian
- Slovenian
- Thai
- Turkish
Install kits for the HCL Notes Standard and Basic Client V11.0.1 in those languages can be found at Flexnet under the Notes/Domino version 11.0.1.
Multilingual User Interface (MUI) kits for those languages, as well as the Install Shield Tuner files to customize your installation are also provided:
References:
- HCL software download / Flexnet
https://hclsoftware.flexnetoperations.com/flexnet/operationsportal/startPage.do
Developers: New C API Toolkit 11.0.1 now available- 8 February 2021 - (0) Comments
Thomas Hampel
8 February 2021
Good news for developers and partners out there who work on plugins and extensions for Domino.
We just published a new version of the C API Toolkit, actually the first new version in more than 7 years.
This is the first HCL shipment of the C API and it signals an ongoing commitment to revamp the C API development story. It now supports building applications using the GUI environment for Visual Studio 2017.
However, as Ulrich Krause already highlighted in his blog, it contains only very few new API calls so far, and the make files were removed because they did not work anymore.
HCL's development team is working on a V12 version of the C API Toolkit that will provide make files and MSVS project files again. This version 12 will be provided after Domino V12 has shipped.
You can find the current/updated C API Toolkit in the Domino server product category on Flexnet Downloads
Reference:
Partners : locating the Domino V12 Beta in Flexnet- 1 February 2021 - (0) Comments
Thomas Hampel
1 February 2021
Recently we announced the beta launch of HCL Domino V12 which is available to all current customers.
While for a customer the download is easy to find, partners have to navigate along the entitlement tree to find it.
So for reference here is how an HCL Partner can locate the download packages:
1. Login to Flexnet
2. Click on "List all entitlements"
3. In the top right corner of the list, search by Product contains 'collab' as shown in the screenshot below.
4. Find the product bundle "HCL Bundle Mail & Social Collaboration", make sure the entitlement has not expired and click the "Download Now" button
5. In this bundle, click the package "Notes/Domino 12.0 Beta 1"
6. ...and find the downloads you are looking for, including the Notes Client in 16 local language versions, the Domino installer for AIX, Linux and Windows, as well as the V12 Domino Docker image.
It also needs to be noted that the Domino on Docker community project added support for V12 in the develop branch
Happy testing !
References:
- Post your feedback to the Domino V12 Beta Forum
- Ideas for new features should be posted to https://domino-ideas.hcltechsw.com/
- HCL Domino V12 Beta Launch blog post
HCL Domino V12 Early Access Program - New October release is available now- 13 October 2020 - (0) Comments
Thomas Hampel
13 October 2020
Last month we introduced the HCL Domino V12 Early Access Program, in which we are providing customers the chance to test new product features early in the development cycle.
Our engaged development team has provided a new code drop (named "October 2020") which is available now for download at Flexnet to all current customers.
This code drop provides a number of very interesting features that our dev team wants to have YOUR feedback on:
What is being provided in this release
Time-based one-time password (TOTP) authentication
When users log on to a Domino Web server, you can now require that they provide time-based one-time passwords in addition to their user names and passwords.
These one-time passwords are generated by authenticator apps like Authy, Google Authenticator or similar.
DAOS Version 2
DAOS Version 2 (DAOSV2) is a new version of DAOS that provides a more reliable way of tracking DAOS objects on a server.
Certificate management improvements
A number of enhancements and improvements related to certificate management are provided:
- TLS 1.0 is now disabled by default
- Support for PEM file format, in addition to *.kyr file format
(Note: This feature is intended as a test bed for future work supporting PEM-formatted keys and certificates)
- Support for using CertMgr to import third-party CA keys and certificates - based on this idea (Thanks Martin!)
- Support for replacing keys generated by the Let's Encrypt CA
Domino directory enhancements
A number of improvements to the Domino directory design (pubnames.ntf) improve usability for administrators. Some of them were long-standing requests - if you like what you see, please vote for the idea(s) referenced below.
- Mail-In Databases and Resources view - based on your input from this idea (Thanks Michael!)
The Mail-In Databases and Resources view now displays the internet addresses of mail-in databases that have them and also includes a Go to Database button to open mail-in databases from the view.
- Custom criteria to populate groups - based on your input in this idea (Thanks Vladislav!)
When you create a group in the Domino directory, you can now populate the members of the group based on an LDAP search query.
- HEX codes displayed for TLS ciphers - based on this idea (Thanks Torsten!)
As a convenience to administrators, HEX codes are shown next to the symbolic names for the TLS ciphers that can be selected in various fields in the Domino directory.
- Applets no longer used - based on your input from this idea (Thanks Bill!)
Applets are no longer used to display the navigational outline of the Domino Directory or action buttons such as Add Person.
- Button to see all Configuration Settings documents associated with a server
From an open Server document you can click the Find Server Config button to see all of the Configuration Settings documents associated with the server.
- Button to find all groups a user belongs to - based on your input from this idea (Thanks Christian!)
From an open Person document you can click the Find Groups button to see all of the groups that a user belongs to, including groups they are members of through other groups.
- Lists of notes.ini settings sorted alphabetically - based on your input from this idea (Thanks Jesper!)
Lists of notes.ini settings are shown in alphabetical order wherever they occur in the Domino directory.
- Explicitly select the methods to use in Web Site documents
For improved security, administrators now explicitly select the HTTP methods to enable in Web Site documents.
- Older security options are no longer selectable
630-bit and 512-bit public key options are no longer available to apply to Notes IDs. The "4.6 or greater" password verification option is no longer available to apply for internet password strength.
New LotusScript & Java Methods for developers - also based on your input from this idea (Thanks Michael!)
...to support transaction based operations in LS and Java.
Furthermore I need to mention those features that were provided in the previous release (September 2020)
- Database Quota Settings are now replicating - which is implementing this idea (Thanks Roland!)
- New certificate management features
- AES-128 encryption used for DAOS objects
- Formula Language in DQL search terms
- New template signing ID uses 2048-bit keys
We are looking for YOUR feedback on the features provided above, so please:
1. Start testing the Early Access Code - details on how to get started can be found here
2. Vote for the ideas referenced or leave a comment
3. Join the discussion and provide feedback in our forum here.
References:
- Blog post : Introducing HCL Domino Early Access Program
- Documentation : Early Access Program
- DNUG47online Presentation : Fast Forward
Available now: Notes/Domino 10.0.1 Fix Pack 6- 29 September 2020 - (0) Comments
Thomas Hampel
29 September 2020
For those of you who have not yet upgraded to V11 but are running Notes/Domino V10.0.1 we have just released a new Fix Pack.
Fix Pack 6 for 10.0.1 is the latest update and HCL strongly recommends that customers running Notes/Domino 10.0.1 apply this Fix Pack since it addresses a small percentage of defects that impact the broadest set of customers.
More details of what has been fixed are provided here => Notes/Domino 10.0.1 Fix Pack 6 Release Notice and Fix List or if you prefer reading the classic Fix List Database style see this => Notes/Domino Fix List
Also, please verify the system requirements:
Finally the following kits/packages are now available for download on Flexnet for entitled customers:
Notes Client
HCL Notes v10.0.1 FP6 Basic Configuration for Windows English
HCL Notes v10.0.1 FP6 Windows English
HCL Notes v10.0.1 FP6 Mac 64 bit English
Domino Server
HCL Domino Server v10.0.1 FP6 64 bit for Windows English
HCL Domino Server v10.0.1 FP6 64 bit for AIX English
HCL Domino Server v10.0.1 FP6 64 bit for Linux English
HCL Domino Server v10.0.1 FP6 for IBM i
Client for Application Access
IBM Client Application Access v2.0.5 Windows English
IBM Client Application Access v2.0.5 Mac English
Domino Portable Edition - Building the smallest Domino server - Hot Pants for Geeks- 3 August 2019 - (0) Comments
Thomas Hampel
3 August 2019
Two weeks ago at the HCL Factory Tour #3 we showed the (possibly) smallest Domino server ever built.
With just 47,88 ccm (6,3 x 9,5 x 0,8 cm) it is just a little bigger than a credit card and small enough to fit your pocket. Also, for those of you who remember, it's much smaller than the Lotus Foundations box which Mike Rhodin introduced at Lotusphere 2008.
Thanks to Panagenda we also were able to show that you can run Domino off the grid.
What kind of hardware is this based on?
It is a Zotac Pi 225 pico, a mini PC fully equipped with CPU, memory and storage, all combined in a case that is passively cooled.
The case itself looks like a thin 2,5" HDD - but thinner (for US folks: 3.76 x 2.48 x 0.31 inches)
Compared to the well known Raspberry Pi, this Zotac device is actually smaller (thinner) because it does not expose an ethernet port.
It weighs less than 500g and its hardware specs looked promising: Intel N3350 dual-core CPU (x86 compatible!), 4GB RAM, 32GB internal storage (expandable via microSD card), Intel HD Graphics 500.
Furthermore it provides two USB 3.0 Type-C ports for connecting keyboard, HDMI and an ethernet adapter. It also provides an internal 802.11ac Wi-Fi antenna, which I want to use for creating a WiFi hotspot later on.
You can find it here on Amazon for approx. €150
Stage 1 - Installing Linux
Zotac comes preinstalled with Windows 10 - an operating system which, besides being clunky, is not supported for running Domino.
Of course my idea was to install Domino on Linux. As you know IBM/HCL supports running Domino on SuSE or Redhat Linux and has also fully supported CentOS since last year.
After spending a few hours with CentOS I had to learn the hard way that it cannot simply be installed on this Zotac device because it is missing support for this specific Intel Atom CPU.
The installation caused errors and booting it took several hours before it finally failed.
Plan B:
Switch to Ubuntu 18.04.2 LTS (alternative installer!) which installs without problems from a USB stick.
Stage 2 - Linux tuning
Although the installation itself completed in a few minutes there still are some errors when booting up.
The most annoying one is: systemd-gpt-auto-generator: Failed to dissect: Input/output error. It is caused by the device using an internal MMC card as disk storage.
To fix this error we have to modify the kernel boot parameters as follows:
sudo nano /etc/default/grub
add a parameter to the line "GRUB_CMDLINE_LINUX_DEFAULT"
GRUB_CMDLINE_LINUX_DEFAULT="systemd.gpt_auto=0"
After saving changes we need to tell grub to update the bootloader using
sudo update-grub
Stage 3 - Install Docker
We could have installed Domino natively on Linux, but why waste time if we can also run Domino on Docker?
Installation of Docker on Ubuntu Linux is straightforward:
sudo apt-get install docker-ce
To avoid having to type 'sudo' every time you run the docker command, just add your username to the docker group.
sudo usermod -aG docker ${USER}
For changes to take effect, log off and log on again.
Stage 4 - Create Domino Image for Docker
In order to run Domino in Docker I'm using my (more powerful) MacBook and this Github repo to build a docker image.
All that needs to be done is...
- clone the repository (or download and extract the zip file) to a directory of your choice.
- Add the Domino Linux installation package + FP2 package into the subfolder "software"
- run "./build domino"
A few minutes later you'll have a perfect Domino image to work with...
Now we need to export this image by turning it into a tar file using this command:
docker image save -o domino1001fp2.tar ibmcom/domino:10.0.1FP2
Copy the resulting file "domino1001fp2.tar" to a USB stick
Stage 5 - Import Docker Image
Attach the USB stick to the Zotac device and copy the file "domino1001fp2.tar" to a directory of your choice, e.g. /tmp
Then import the image using the command:
docker image load -i domino1001fp2.tar
Verify results using the command docker image ls - you should now have one image listed.
In case any tags are missing, add them using the image ID shown by docker image ls in place of <image-id>:
docker image tag <image-id> ibmcom/domino:10.0.1FP2
docker image tag <image-id> ibmcom/domino:latest
docker image tag
Stage 6 - Run Domino and Enjoy
Finally running Domino in this configuration is a piece of cake:
At first create a persistent volume - this is required because we would like to preserve our data directory in case the container is being restarted or recreated.
docker volume create dominodata
then spin up a (new) Domino server with a name of your choice.
docker run -it -d -e "ServerName=Zotac" -e "AdminPassword=passw0rd" -p 1352:1352 -p 80:80 -p 443:443 -v dominodata:/local/notesdata --cap-add=SYS_PTRACE --name domino ibmcom/domino:10.0.1FP2
Without supplying a config file, this image will not start the HTTP task by default, so we need to open a shell into the container
docker exec -it domino /bin/bash
and from within the container then run "domino monitor" to access the server console to launch the http task using "load http"
Browsing to http://
For more information on how to work with Domino in Docker please refer to this documentation ( Thanks Roberto ! )
Final word of warning:
Certainly this Zotac device produces some heat, so running a Domino server in your trousers will for sure turn them into hot pants for geeks - so please be careful !
Further ideas & todo:
- I have not done any stress testing, so please don't ask me how many users this device is going to support in production
- Enabling the embedded WiFi antenna and turning it into a WiFi hotspot would make a cool demo
- Zotac Pi 225 is not the smallest device that can run Domino -- I have some more ideas but getting hold of the hardware is more complicated, stay tuned for more :)
References:
- Zotac Pi 225 nano on Amazon
- Domino on Docker
- Domino on Docker Management Script
- Mike Rhodin announcing Lotus Foundations
Domino on Docker Project Updates- 23 July 2019 - (0) Comments
Thomas Hampel
23 July 2019
Daniel and I are working on the Domino on Docker project which has been around for a while. We are constantly updating it with more functionality.
Besides the main functionality of providing an automated installation we have a management script that can help to build custom Domino docker images for (e.g.) including applications.
We are working on making the resulting image more flexible. The first version only allowed automatically setting up a first server in a new domain, but customers already have an environment and either want to set up an additional server in an existing domain or at least have a cross certified environment.
What's new:
1. Additional server setup
You can now specify an existing server.id and existing server to get the system databases from. You still need to register the second server.id manually in your Domino Directory, however the ID file does not need to be copied anymore.
Just specify the environment variable ServerIDfile to point to a location (local or http/https) from where the server.id file can be downloaded and the container startup routine will take care of automatically setting up your second server.
2. Add your own data into a container at initial startup
The big challenge is how to bring in data into a new container automatically. Distributing server.id files, templates, or even full applications.
We looked at different approaches which included "Docker secrets", shared volumes and other options.
For improving flexibility we decided to use configurable http/https download links which can be used to download a server.id or an additional data-directory.zip which is automatically expanded at first server start.
This would be, for example, a way for business partners to deploy their software on top of the image, or for a customer to deploy their applications or specific adaptations.
All you have to do is to specify an environment variable CustomNotesdataZip (attention, case sensitive!) pointing to a zip file that will be downloaded and extracted into the container at runtime.
3. Scriptable configuration
Now that you have provided your own templates - how do you turn them into an application, how do you change ACLs, or server settings at runtime?
We have added a method to automatically configure a server based on a config JSON file. This can be used to create databases, change groups, change server settings etc.
The configuration is applied before starting up the (new) Domino server for the first time and also allows signing applications and changing the ACL of databases.
...there are even more configuration options to come.
4. More flexible deployment options
In previous versions there was image-specific data in the /local directory.
So we moved that data to a separate directory to optionally allow /local to be mapped to a volume instead of having multiple volumes for /local/notesdata, /local/translog and /local/daos.
Mounting /local to a single volume will work fine, but if you want to build a high performance Domino server we are recommending to have separate volumes for those different parts. We even added directories for nif and ft to allow separate volumes for those parts as well.
The Docker volume mapping is comparable to creating mount points. It's about providing most flexibility with best practices in mind.
5. Preparation for new binary location
The project now includes a new start script version 3.3.0 which is already prepared for changing the program directory default location ( /opt/ibm/domino ) with Domino 11.
The start script and all docker image script files have been prepared to support a different binary location in future. All places in the scripts use standard variables. And we will keep the LOTUS variable to point to the binary location.
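The download settings from items 1 and 2 move a server.id (which holds the server's private key) and a data zip into the container, so they are worth checking before a container is started. The following is an added example, not code from the Domino on Docker project: it audits the two environment variables named above and verifies a zip against a known SHA-256 before it is published. The host names, sample values and the idea of a pinned hash are assumptions made for this example.

```python
"""Added example: pre-flight checks for the container's download settings."""
import hashlib
import io
import posixpath
import zipfile
from urllib.parse import urlsplit

# Variable names as given in the post; they are case sensitive.
DOWNLOAD_VARS = ("ServerIDfile", "CustomNotesdataZip")


def audit_download_vars(env):
    """Return (variable, problem) pairs for risky or misspelled settings."""
    problems = []
    for var in DOWNLOAD_VARS:
        parts = urlsplit(env.get(var, ""))
        if parts.scheme.lower() == "http":
            problems.append((var, "plain http"))
        if parts.username or parts.password:
            problems.append((var, "credentials in URL"))
    known = {v.lower(): v for v in DOWNLOAD_VARS}
    for name in env:
        expected = known.get(name.lower())
        if expected and name != expected:
            problems.append((name, "wrong case, expected " + expected))
    return problems


def unsafe_members(zip_bytes):
    """Return archive entry names that would land outside the target directory."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            name = info.filename.replace("\\", "/")
            normalized = posixpath.normpath(name)
            absolute = name.startswith("/") or name[1:2] == ":"
            escapes = normalized == ".." or normalized.startswith("../")
            if absolute or escapes:
                bad.append(info.filename)
    return bad


def verify_zip(zip_bytes, expected_sha256):
    """Check the pinned hash and the entry paths; return the entry names."""
    digest = hashlib.sha256(zip_bytes).hexdigest()
    if digest != expected_sha256.lower():
        raise ValueError("SHA-256 mismatch: got " + digest)
    bad = unsafe_members(zip_bytes)
    if bad:
        raise ValueError("entries escape the target directory: %r" % bad)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        return archive.namelist()


if __name__ == "__main__":
    # Constructed sample settings, not taken from a real deployment.
    sample_env = {
        "ServerIDfile": "http://files.example.test/ids/server.id",
        "customnotesdatazip": "https://files.example.test/data-directory.zip",
    }
    for variable, problem in audit_download_vars(sample_env):
        print("%s: %s" % (variable, problem))
```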
Feedback & Future planning
One of the next features will be to allow cross certification with existing IDs. The certifier.id is currently staying on the first installed machine. So the idea is to cross certify a provided safe.id.
This is especially helpful for creating test environments. A small servertask will take care of cross certifying a safe.id and adding it to the LocalDomainAdmin group.
Another idea is to integrate this functionality into the toolchain which sets up the server, we have not decided yet.
We are looking for your feedback so leave a comment with your suggestions for improvement or create an issue in our domino-docker project
Improving the Mail Template 9.0.1FP9 - Manage Return Receipts according to RFC 2298- 19 September 2017 - (0) Comments
Thomas Hampel
19 September 2017
According to RFC 2298 http://www.ietf.org/rfc/rfc2298.txt it is recommended to show a dialog box where the recipient of a mail can decide whether or not a return receipt shall be sent back to the originator of the mail. This behavior is not currently part of the Standard IBM Mail template.
To add this feature you have to modify the following design elements:
- Form “Memo”, Event "QueryOpenDocument", added the code shown below
- Form “Reply”, Event "QueryOpenDocument", added the code shown below
- Form “ReplyWithHistory”, Event "QueryOpenDocument", added the code shown below
Insert this code at the end of the QueryOpenDocument event.
Set doc = Source.Document
If Source.IsNewDoc Then
    '# don't do anything, as this is a new document
Else
    If doc.GetItemValue("ReturnReceipt")(0) = "1" And doc.HasItem("DeliveredDate") Then
        '# 36 = Yes/No buttons (4) + question mark icon (32); return value 7 = "No" was clicked
        If MessageBox("The sender of this message has asked to be notified when you read this message." & Chr(13) & "Do you wish to notify the sender?", 36, "Send Return Receipt?") = 7 Then
            '# the recipient declined: clear the flag and save, so no receipt is sent
            Call doc.ReplaceItemValue("ReturnReceipt", "0")
            Call doc.Save(True, False, True)
        End If
    End If
End If
Reference:
http://www.ibm.com/developerworks/lotus/library/ls-BlockRetRec/index.html
Notes Domino 9.0.1 Feature Pack 8- 9 March 2017 - (0) Comments
Thomas Hampel
9 March 2017
Note to self:
In case anyone is asking for new features of the Notes/Domino 9.0.1 Feature Pack 8, refer them to this blog post
- What's new in IBM Notes Feature Pack 8
- What's new in IBM Domino 9.0.1 Feature Pack 8
- What's new in IBM Domino Designer Feature Pack 8
and remind them to read Oliver Busse's blog post
Domino SingleSignOn - Level 2 - Self Service Password Reset Application - 14 February 2017 - (0) Comments
Thomas Hampel
14 February 2017
Based on a recent discussion with a customer it seems there still is not enough information on how to simplify authentication for Notes/Domino users.
This is the second post out of a series of blog posts describing how to move from password based to seamless authentication.
Once you have established LDAP Authentication you can approach the next stage:
Level 2 - Self Service Password Reset Application
Combined with a Self Service Password Request HTTP application (or this fancy one ) users can reset their Notes password without the help of an administrator just by using a web browser.
Users must be authenticated in order to reset their own password, but due to the configuration done in level 1 they can use Active Directory credentials to log in.
Once authenticated, a user can just define a new password which is applied immediately in the IDVault. Just seconds later the password can be used to log into the Notes Client.
Pros and Cons
+ Lost/forgotten passwords on a Monday morning are no longer your problem. Users can handle this problem alone.
+ You don't need to distribute NotesID passwords for newly created users.
- There still is a NotesID password to remember
- There still is a password prompt every time you start the Notes client and/or every time you open an encrypted mail in iNotes
- The Self Service Password Request HTTP application does not apply any feedback on password quality or strength.
Prerequisites:
- Notes ID Vault has been established and contains the NotesID’s of all users
- User must be authenticated, preferably using Active Directory authentication as described in the previous post level 1
- Custom Password Reset application template,
Please note the template provided by IBM as part of the Domino server is not officially supported and is provided as example only. See Technote 1330905
Configuration
Setup instructions have already been provided by IBM, so I'm not describing those steps again.
Once completed you should have a functioning PW reset application. However, I would like to highlight a few important details
- The agent and the form need to be signed with an ID which has IDVault Password Reset authority
- The ACL of this database must have an Administration server defined, the Admin server specified there must be the one that hosts the IDVault.
For improved usability I do recommend a little tuning:
- Create a URL which users can remember, e.g. by creating a web redirect rule
http://yourserver.domain.com/passwordreset ==> /pwreset.nsf
- Modify the form “fmPasswordReset” to display your corporate password rules, e.g.
“The new password must have a minimum of 8 characters. It must contain a mixture of lowercase alphabetic, uppercase alphabetic, numbers and special characters. Three of these four conditions must be met.”
- Modify the source code to confirm the password change request has been submitted and to verify if password rules have been followed.
Without this modification users will not get any feedback if the new password has been applied or not.
So update the source code of the Form “Password Change”, Sub “OnSubmit” as follows:
var i = 0;
var k = 0;
var h = 0;
// have[0..2] = lowercase / uppercase / digit seen, have[3] = special character seen
var have = [0, 0, 0, 0];
var characters = ["abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "0123456789"];
var minLen = 8;   // minimum password length
var minDif = 3;   // minimum number of different character classes
var pw1 = document.forms[0].pw1.value;
var pw2 = document.forms[0].pw2.value;
// Classify every character of the new password
for (i = 0; i < pw1.length; i++)
{
    h = 3;   // assume "special character" until found in one of the classes
    for (k = 0; k < characters.length; k++)
    {
        if (characters[k].indexOf(pw1.substr(i, 1)) >= 0)
        {
            h = k;
        }
    }
    have[h] = 1;
}
if (pw1.length < minLen)
{
    alert("You must enter a password with at least " + minLen + " characters");
    return false;
}
else if (pw1 != pw2)
{
    alert("Entered passwords don't match");
    return false;
}
else if (have[0] + have[1] + have[2] + have[3] < minDif)
{
    alert("Password must be more complex, use Numbers, Lower-, Upper-, Special-Characters");
    return false;
}
else
{
    alert("Thank you, your request has been submitted. The new password can be used now.");
    return true;
}
- In order to support clustered environments the source code of the agent “User Password Reset” needs to be updated as follows:
Set Doc = Session.DocumentContext
Call Session.ResetUserPassword(Session.CurrentDatabase.ACL.AdministrationServer, "", Doc.GetItemValue("pw1")(0))
Conclusion
Self Service Password Reset application combined with LDAP authentication will eliminate the need to distribute Notes ID passwords to end users.
Administrators can register new NotesID's with completely random passwords that they do not need to remember nor need to distribute to end users.
Notes client setup instructions can be simplified so that end users have to define the password themselves before they can start Notes for the first time.
References:
- Karl-Henry Martinsson - Free Software – Password Reset for Notes/Domino
- Domino 9.0 - Setting up the sample self-service application to allow ID vault users to reset their Notes passwords
- Domino 8.5 - Setting up the sample self-service application to allow ID vault users to reset their Notes passwords
- Technote 1330905 - Is the sample password reset application supported in a production environment?
Domino SingleSignOn - Level 1 - LDAP Authentication- 13 February 2017 - (1) Comments
Thomas Hampel
13 February 2017
Based on a recent discussion with a customer it seems there still is not enough information on how to simplify authentication for Notes/Domino users.
This is the first post out of a series of blog posts describing how to move from password based to seamless authentication.
Level 1 – LDAP Authentication
The main goal of this level is to provide users with the ability to authenticate with Domino internet protocols such as HTTP using LDAP (e.g. Active Directory) credentials. The Notes Client authentication remains unchanged.
When using a web browser to access a Domino server, users will be prompted for username and password.
This authentication dialog looks like one of the following examples:
Credentials entered here will be forwarded to Active Directory for authentication.
Within this process username and password will be sent over the network, so it is highly important to secure the transmission using SSL/TLS.
Pros and Cons
+ Lost/forgotten passwords on a Monday morning are no longer your problem. The AD guys have to take care :)
+ No need to manage HTTP passwords and no need to sync HTTP and Notes passwords
- All authentication requests will be forwarded to LDAP/AD, entering wrong passwords multiple times -depending on your policy- will lock out your AD account.
Prerequisites:
In order for Active Directory authentication to work, the Notes user name must be stored within Active Directory (or the AD name must be stored in Domino). This is required to map Active Directory user name to a Notes user name.
- Within Active Directory, each user object must have a (custom) attribute storing the Notes User name in DN format. This format is described as the full canonical user name of the Notes user (e.g. “CN=Firstname Lastname,OU=Department,O=Company”) where any slash (“/”) is replaced by a comma (“,”)
- The name of this (custom) attribute of the user object in Active Directory can be any name of your choice, I will be using “mailNickname”, but you can use any other attribute you like.
This attribute is recommended to be included in the AD Index for performance reasons. For details how to do this, please refer to this article which relates to an older version of AD but is still valid.
- Synchronization from Domino Directory to Active Directory is done on a regular basis, e.g. by using TDI (which is free for Domino customers) with some AssemblyLines for Domino
- A non-expiring Active Directory User account is required that will be used by Domino for Single SignOn purposes.
reconfigure Domino HTTP authentication to use Active Directory for authentication of browser sessions?
If not already done:
- Import the trusted root certificate of the LDAP server into the key ring file of the Domino server.
Please note that Domino will be the client for the LDAP session in this case, so the *.kyr file that is being used is the one in the server document!
- Create a Directory Assistance (DA) database
- Add the DA to your Domino server document
Okay, what's next:
- Within the Directory Assistance database, add a new document and configure it like shown below:
Of course you are supposed to supply your correct Kerberos realm name. If in doubt, ask your AD admin.
- Set "Trusted for Credentials" to Yes
- Configure how to connect to the LDAP () server.
- Save & close
Now restart the Domino server and check if LDAP is being shown in the list of directories.
Issue the command "Show xdir" at the server console for details.
Troubleshooting:
Apache LDAP Studio is your friend. Make sure your LDAP credentials are correctly working and that your Base DN is providing the expected results before setting up Directory Assistance towards AD.
Some more hints:
- You can specify multiple LDAP servers, they will be used one after the other based on the search order you have supplied
- Search order in the Directory Assistance document must be unique. You can not use the same "Search order" twice.
- Domino will be the client for the LDAP session in this case, so the *.kyr file that is being used is the one in the server document!
If you are using Internet sites, then Edit the server document, disable internet sites (without saving) and specify the *.kyr file there. When done, switch back to the basics tab and re-enable Internet Sites.
The file specified will still be used for all outbound connections, the kyr file specified in the internet sites is used for inbound connections only!
- These Notes.ini variables will increase the log level for further debugging
debug_directory_assistance=1
debug_namelookup=1
Result:
When prompted for username/Password you can now use your Active Directory username and AD Password.
Transitioning from Domino HTTP passwords to AD passwords is seamless because users can still use the Domino HTTP password even if LDAP authentication has been configured.
Once the transition is completed you should clear the HTTP password field from the person document.
Domino Security - Disable HTTPEnableConnectorHeaders NOW- 9 November 2015 - (1) Comments
Thomas Hampel
9 November 2015
There is a security issue with Domino which allows anybody to gain access without authentication.
Jesper Kiaer wrote about this problem before in his blog post ( Part1 and Part2 ) and also created a video showing the problem.
If the Notes.ini variable HTTPEnableConnectorHeaders is set to 1, an attacker just needs to pass the user name he wants to be within a request header to get unauthorized access to Domino servers.
This notes.ini variable is referenced in the product documentation as well as in this technote for configuring Domino servers behind an IIS reverse proxy.
So there is a good chance that some people have enabled this variable in production.
None of the Domino servers I have checked was affected, however I was able to reproduce the findings and can confirm it is working as described even with Domino 9.0.1 with latest fixes installed.
Steps to reproduce
- Add the Notes.ini variable "HTTPEnableConnectorHeaders=1" to the Notes.ini of the Domino server
Remark: This will make the server insecure.
- Restart the HTTP task
- Use Firefox and install this plugin => https://addons.mozilla.org/en-US/firefox/addon/modify-headers/
- Restart Firefox for the plugin to be initialized
- In Firefox, open the configuration of the new plugin
- Add a new header called $WSRU with the desired username / shortname as available in the target environment
Save + Enable the configuration
- Start the Plugin
- Navigate to an existing Domino server resource, e.g. https://your-domino-server.your-domain.com/mail/username.nsf
Just imagine what can be done when using the name of an administrator...
How to fix it?
Well, as simple as removing the Notes.ini variable in question, using the following two commands at the Domino server console:
set config HTTPEnableConnectorHeaders=0
tell http restart
Of course you would use a configuration document in production to keep your Notes.ini under control.
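A check for the setting discussed above, added here as an example and not part of the original post: it scans a notes.ini for HTTPEnableConnectorHeaders and, in the same pass, for the two debug variables from the LDAP post, to spot debug logging that was left switched on. The function names, the output format and the sample file are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Domino notes.ini.
# Key names are compared case-insensitively and CRLF line endings are accepted.

# audit_notes_ini [FILE] - reads standard input when FILE is omitted.
# Prints one finding per line: "<SEVERITY> <setting>=<value> (line <n>)".
audit_notes_ini() {
    awk '
        { sub(/\r$/, "") }                       # accept Windows line endings
        {
            eq = index($0, "=")
            if (eq == 0) next                    # e.g. the "[Notes]" header line
            key = tolower(substr($0, 1, eq - 1))
            val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            # Assumption: every value other than empty or 0 is reported, so a
            # setting that is switched on in an unexpected way is not missed.
            if (val == "" || val == "0") next
            if (key == "httpenableconnectorheaders") {
                print "CRITICAL HTTPEnableConnectorHeaders=" val " (line " NR ")"
            } else if (key == "debug_directory_assistance" || key == "debug_namelookup") {
                print "INFO " key "=" val " (line " NR ")"
            }
        }
    ' "${1:--}"
}

# connector_headers_off [FILE] - exit status 0 when no CRITICAL finding exists,
# 1 otherwise, so the check can be used from cron or a monitoring probe.
connector_headers_off() {
    if audit_notes_ini "$@" | grep -q '^CRITICAL'; then
        return 1
    fi
    return 0
}

# Constructed sample file, not taken from a real server.
sample_notes_ini() {
    cat <<'EOF'
[Notes]
KitType=2
ServerTasks=Update,Replica,Router,AMgr,AdminP,HTTP
httpenableconnectorheaders = 1
debug_directory_assistance=1
debug_namelookup=0
EOF
}

echo "Findings for the constructed sample:"
sample_notes_ini | audit_notes_ini
```

On a server, pass the path of the real file instead, for example `connector_headers_off /local/notesdata/notes.ini` (the path is an assumption; use your own data directory).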
References:
- Nevermind.dk - http://nevermind.dk/
- Sean Cull - Apache Proxy for Domino and HTTPEnableConnectorHeaders
- Darren Duke - If you get page errors after disabling HTTPEnableConnectorHeaders in Domino, try this
- Jesse Gallagher - Domino's Server-Side User Security
Out of Office - Send Full Copy to deputy- 9 August 2015 - (3) Comments
Thomas Hampel
9 August 2015
Summer time, vacation time... You have enabled Out of Office notification, so why would you want to duplicate inbound mails?
Let's say you really are offline and you want your deputy / stand-in to take care of new mails, what options do you have?
In best case we want a deputy to receive a copy of each mail while keeping the original mail in your inbox.
Delegating Access
A first option is delegating access to your mail - this will grant read access to all your data and your deputy won't get notified about new mails.
Another option is to just forward all mails to your deputy by defining a forwarding address in the person document:
This is not a good idea for people who want to see what happened while they were out because mails will just be forwarded. You won't get any mail in your inbox this way.
It might not even be an option as some organizations do not allow users to edit the person document.
Mail Rules
Another option is to use mail rules in your Notes client to send a copy of each inbound mail to somebody else. This can be done by creating a new rule which applies to all documents...
and defining a recipient of your choice --- in this example it's "firstname.lastname@domain.com"
Works like a charm, but what if your Administrator has disabled user rules mail forwarding in the configuration document of your server?
...or even took more drastic measures like modifying your mail template to not even show the option "Send Full Copy to..:" ?
Agents
You could look into writing an agent that runs on the server, but no Domino Admin should allow users to run scheduled agents on the mail server.
So trying to create an agent in your mail file will most likely end up with "You are not authorized to use agents in this database"
Duplicate Mails (with help of your Domino Administrator)
Since you have rewarded your administrator recently for keeping your computers running you'll get friendly support for the following configuration:
What you need to do:
1.) Create a Mail-In Database document which points to the mail file of the user who is out of office.
Make sure the Mail-in name is unique and does not cause name lookup conflicts
2.) Create a Group of type "Mail only",
members of this group will be Mail-in database which has been created above as well as any person who shall receive a copy of the mail(s).
You can define one or multiple recipients using internet mail addresses or Notes user names.
3.) Edit the person document and put the Group name created above to be the forwarding address
4.) Testing
Wait for replication to finish within your Domain and send a test mail to the user.
This mail will be delivered to the original user's mail file and also to the deputy(s) defined in the group.
Remarks:
Depending on how you have configured the Recent Contacts feature your Notes client might show the name of the mail-in database in future name lookups.
If this is an issue either purge your recent contacts or disable it completely
Mindoo FTP Server stopped running in Domino- 23 July 2015 - (2) Comments
Thomas Hampel
23 July 2015
The Mindoo FTP Server project provides an FTP server wrapped into an XPages application. It is based on the Apache FtpServer which runs as OSGi plugin on the server side.
One day a customer reported the FTP server would no longer work. A quick check showed that port 21 does not respond any longer.
Restarting the HTTP task showed a JVM Exception
restart task http
...
17.07.2015 18:00:07 HTTP Server: Using Internet Site Configuration View
17.07.2015 18:00:12 JVM: Java Virtual Machine initialized.
17.07.2015 18:00:12 HTTP Server: Java Virtual Machine loaded
17.07.2015 18:00:16 XSP Command Manager initialized
17.07.2015 18:00:17 HTTP JVM: java.lang.reflect.InvocationTargetException
Checking the OSGI bundles showed the required bundle is not even installed.
> tell http osgi diag com.mindoo.ftp
Cannot find bundle com.mindoo.ftp.
Analysis
Check the file [DominoData]\domino\workspace\logs\error-log-0.xml for any problems
The very first warning in this file showed that a plugin was not loaded because the signer does not have the required access rights
CLFAD0331W: NSF Based plugin contribution denied because signer CN=SignerName/OU=Unit2/OU=Unit1/O=OrgEU does not have required access: CN=SignerName/OU=Unit2/OU=Unit1/O=OrgEU:System\UpdateSiteServer.nsf
and further down in the same file:
CLFAD0334W: Feature com.mindoo.ftp_feature_1.0.0.201306221322 skipped
At first the access rights seemed to be OK, but when looking a little closer I found that the user name no longer has access to the server because the Organization was renamed from "OrgEU" to "Org"
Solution (Part1)
The signature which is being used here is not a signature of a design element, it is the content of the Eclipse Update site which still had the old signature referenced. So how are we going to fix this?
- Open the Eclipse UpdateSite and use "Actions\Sign All Content"
Remark: This will not sign any design elements - it will sign the documents in the application only.
- Restart the HTTP task
restart task http
- Watching the server console
Running into another problem
Although the FTP Server was running again, it seems like there still was an issue with the XPages application.
Quickly looking into [DominoData]\domino\workspace\logs\error-log-0.xml showed a well known problem.
Solution (Part2)
Obviously someone opened the application in Domino Designer without disabling the option to recompile XPages automatically.
So make sure this option is set to "Manually recompile Xpages"
and then open the Mindoo FTP Domino application in Domino Designer and hit "Project\Build Project" in your Designer client.
Testing results
- Opening the Mindoo FTP Application from a browser seems to work
- "tell http osgi mftp status" shows that our server is now running on port 21
- Opening an FTP connection from a remote client is working fine
Import & Export Internet Certificates Programatically- 18 June 2015 - (0) Comments
Thomas Hampel
18 June 2015
We all know that Admins are lazy. Being lazy can be helpful when having development skills, especially to reduce the amount of helpdesk calls by automating boring work.
How to import X509 certificates into a Notes ID when the certificate itself is stored in the Windows certificate store?
S/MIME Import / Export Automation
If needed, users can then export or import Internet Certificates directly from the Notes Client, but who wants to do that manually?
Even exporting the certificate from the Notes ID is too complicated for most users...
Looking for an automated way to export Internet Certificates, some undocumented @Formulas for working with X509 certificates can be found in the pubnames.ntf:
- @X509Certificates([Subject];UserCertificate;"");
Returns the list of subjects of the internet certificates stored in the person document field named "UserCertificate"
- @Command([PKCS12ExportCertsFromNAB];UserCertificate;Certificate;Number;"0")
Where "Number" is the element in the list returned by @X509Certificates
In my opinion those @Functions still show too many dialog boxes, so let's try to make it simpler.
The C-API documentation provides the functions required namely PKCS12_ExportIDFileToFile and PKCS12_ImportFileToIDFile.
Wrapping both into a small script is easy...
Declare Function PKCS12_ExportIDFileToFile Lib "nnotes" Alias "PKCS12_ExportIDFileToFile" (_
ByVal pIdFilename As String,_
ByVal pIdFilepassword As String,_
ByVal pPKCS12Filename As String,_
ByVal pPKCS12Filepassword As String,_
ByVal ExportFlags As Long,_
ByVal ReservedFlags As Long,_
Preserved As Any) As Integer
Declare Function PKCS12_ImportFileToIDFile Lib "nnotes" Alias "PKCS12_ImportFileToIDFile" (_
ByVal pPKCS12Filename As String,_
ByVal pPKCS12Filepassword As String,_
ByVal pIdFilename As String,_
ByVal pIdFilepassword As String,_
ByVal ImportFlags As Long,_
ByVal ReservedFlags As Long,_
Preserved As Any) As Integer
Const PKCS12_EXCLUDE_PRIVATEKEYS=&h00000001
Calling those API's would be able to import a certificate from a file, but often the certificate has already been deployed to (e.g.) the Windows certificate store.
It would have been easy to use a Windows API call to export a certificate into a file and then import it again back into the Notes ID using the Notes API calls above.
Unfortunately M$ discontinued support for CAPICOM after Windows XP... so we have to use old school methods like using command line tools like Certutil
Still, with the resulting functions you can import and export X509 certificates from the Windows certificate store to the Notes ID and back.
ImportInternetCertificatesFromOSCredentialStore.lss
ExportnternetCertificatesToOSCredentialStore.lss
As usual mind YMMV and feel free to further optimize the code to fit your needs.
Please use at your own risk and report back any suggestions or improvements!
Special Thanks to Marcus Floeser for providing the screenshot.
Domino CA Process ’Error processing CCS Mod Request’- 3 June 2015 - (0) Comments
Thomas Hampel
3 June 2015
The CA process in Domino is a server task to manage and process certificate requests. It is very helpful if you want support staff to register new users without knowing the password to your Domino Certificate.
As employees join or leave the support team you'll have to add / remove people from the list of Registration Authorities by using "Modify Certifier" from the Administrator Client tools menu.
Granting access for a new team member as usual...
and submitted the request
seemed to be successful
...but according to the log the Domino CA modification request failed with this error:
CA Process (OU=OU/O=Company): Error processing CCS Mod Request.: There is no certificate in the Address Book.
Root cause
One or more people listed in the first dialog do not have a person document in the Domino Directory or the person document does not have a public key specified.
Solution
First remove users which don't have a corresponding person document, and save + submit the request before adding new names.
Notes Widgets disappear from Catalog- 1 June 2015 - (0) Comments
Thomas Hampel
1 June 2015
You are wondering why your beloved Notes widget all of a sudden is no longer available in the Widget catalog?
Of course the administrator of trust did not do anything - so what happened?
Here is a small hint:
Take a quick look into the widget catalog, there is a scheduled agent...
and the brief description
%REM *********************** Agent Notes **************************
This agent checks all new/modified documents to make sure that the
user created the document properly. It checks to make sure the proper
items are in place, and it also verifies that the categories that are
set are allowed by the document creator.
*************************** INTERACTIONS ***************************
There are no interactions with this agent. It is a scheduled agent
that is set to work against new/modified documents.
Conclusion:
If anything, such as AdminP, modified the document then this agent will run. In our case it was an AdminP name change request which caused the document to be modified.
PANIC Unexpected internal error returned to logger 0x20692010- 27 March 2015 - (0) Comments
Thomas Hampel
27 March 2015
Tip of the day:
When running Domino server commands on the operating system of a server, make sure to run the command from a console with Admin access rights, otherwise you'll get this:
PANIC: Unexpected internal error returned to logger: 0x20692010
Reference:
SPR # PALL8WA3Y8
Solution
Open a command prompt by right clicking and selecting "Run as Administrator", then run the command(s) again.
Root cause:
Problem in front of keyboard.
AdminP Move User - Access Rights seem not to work in Domino 9.0.1FP1 and how to work around- 12 January 2015 - (0) Comments
Thomas Hampel
12 January 2015
Moving mail files from server to server is a simple task, AdminP handles this job properly. It does even work across domains... and it worked perfectly in numerous projects in the past.
Until today when I ran into a problem where the same process 'all of a sudden' (**what else**) caused an error in AdminP - but only for a specific group of destination servers.
After creating the AdminP Move User request (using our internal tools), the AdminP request "Check Mail Server's Access" failed with this error:
Errors:
Title: Domain's Directory Path: Domain's Directory; Name: Admin Lastname/OU/Org;
Error: Both the signer and the author of this request must have Editor access or Author access with the UserModifier role to the Domino Director
Analysis
We checked access rights on both sides... several times....but everything was set up correctly. Even restarting the server (to refresh the name lookup cache) did not change the situation.
Finally after a few chats with my colleagues they indicated it could be related to a problem they had seen before, referencing an old bug ( LO81200 ) and also pointing to a new SPR
SPR # JPAI9FEKCP, fixes a Notes Client issue where if a local NAMELookup cache has been created it is inappropriately being used as opposed to doing the NAMELookup on the remote server. This may result in Notes Client errors indicating insufficient access to perform any number of Notes Client operations such as Admin Client move user or simply signing of databases.
Although the SPR reads like it would apply to Notes Clients only, I can confirm it does apply to Domino Servers as well, at least for that specific AdminP request type "Move User"
We did a few tests and quickly found a workaround, so here is what you can do about it:
Temporary Solution:
Don't use groups to grant the specific access rights.
In our case putting the name of the person who signed the AdminP request >directly< into the ACL of the Names.nsf of the destination server fixed the issue.
This is what the AdminP Move User request should look like before the user authenticates
Permanent Solution
Apply Domino 9.0.1 FixPack2 now or wait for Domino 9.0.2 to be released.
Lessons learned:
1. Always install the latest version of Domino
Note: The destination server in question is not maintained by our team.
2. What an awesome team we have :)
References
- SPR # JPAI9FEKCP
- IBM Technote # 1091068 - Steps taken by the Administration Process to move a mail file to a new server
- Download Options for Notes & Domino 9.0.1 Fix Packs
Monitoring IBM Domino Server on Linux via SNMPv3- 5 January 2015 - (0) Comments
Thomas Hampel
5 January 2015
Monitoring Domino servers via SNMP should be a simple task, if it were documented properly.
There are quite a few blog posts out there on the internet such as this nice article by Detev Schuemann which unfortunately is in German. So I'd like to provide an English translation with a few updates which in my opinion are valuable.
Background
Simple Network Management Protocol (SNMP) is a protocol for monitoring network devices such as routers, switches, servers, printers and much much more.
Vendors of a device are providing a definition of values which can be read or modified in form of a MIB (Management Information Base). Those values are called OIDs (object identifiers) and are ordered in a hierarchical structure.
MIB definitions for Domino can be found online http://www.oidview.com/mibs/334/NOTES-MIB.html
A MIB file for IBM Domino can be found in the Domino program directory and is called "domino.mib"
On a Linux server the file can be found here /opt/ibm/domino/notes/latest/linux/domino.mib
Step-by-step Instructions
For each Domino server which you want to monitor, you need to enable SNMP support, the following is a step by step description of what you need to do for a Domino server on Linux. Instructions for Windows are available here
Examples below are based on CentOS which is using yum as package manager. For other Linux distributions commands are slightly different, also path references shown in the example below might not be the same for you.
Step 1 - SNMP Master Agent
Although Domino provides its own SNMP master agent, I recommend not using it because the version supplied with Domino is the rather dated version 5.0.7.
Currently version 5.7.3 is the latest version available. Check the net-snmp change log to see what has changed between versions.
Obviously you should prefer using the operating system snmp master agent which comes preinstalled for a number of Linux distributions.
If not already installed, you can install the package net-snmp with the following command.
# yum install net-snmp
The library net-snmp-utils provides some additional tools like snmpwalk, which we will need later on for testing functionality
# yum install net-snmp-utils
To check the version you are running...
$ snmpwalk --version
Note: Current releases of CentOS and Redhat provide net-snmp version 5.7.2 by default.
Option B - NET-SNMPD v5.0.7 provided by Domino
Domino provides net-snmpd in version 5.0.7 - again, I do not recommend using this version.
However, if you really want to use it, enter these commands to copy the required files to the /etc directory and make sure the service is started after a reboot.
# cp /opt/ibm/domino/notes/latest/linux/net-snmpd* /etc
# ln -f -s /etc/net-snmpd.sh /etc/init.d/net-snmpd
# chkconfig --add net-snmpd
# chkconfig net-snmpd on
Note that in this type of configuration your settings are stored in the file /etc/net-snmpd.conf
Step 2 - Update Configuration
Back up the original config file to a location of your choice
cp /etc/snmp/snmpd.conf /root
Edit the file /etc/snmp/snmpd.conf . Modifying this file is only required if you are using the master agent provided by your OS.
# nano /etc/snmp/snmpd.conf
1.) Search for sysLocation and update it according to your needs as shown here:
sysLocation YourDataCenterLocation
sysContact email@yourdomain.com
2.) define a username/password combination for SNMP v3 authentication
Of course the user name and password used in this example are to be changed to fit your needs
createUser SNMPv3UserName MD5 SNMPUserSecretPassword AES
3.) At the end of the same file, add this line:
smuxpeer 1.3.6.1.4.1.334.72 NotesPasswd
Don't forget to save the file.
Step 3 - SNMP Startup Script
Although you could add /usr/sbin/snmpd as a service directly, it's probably more useful to use a startup script.
Domino already provides such a script - you just need to modify the configuration so that it can be used.
# cp /data/ibm/domino/notes/latest/linux/net-snmpd.sh /etc/init.d/net-snmpd
# nano /etc/init.d/net-snmpd
Update the configuration (starting in line 31) as follows:
INSTDIR=/usr/sbin
PROGNAME=snmpd
PROGPATH=$INSTDIR/$PROGNAME
CONFNAME=snmpd.conf
CONFPATH=/etc/snmp/$CONFNAME
LOGPATH=/var/log/snmpd.log
PROGARGS="-C -c $CONFPATH -l $LOGPATH"
Make sure the startup script runs at next boot
# chkconfig --add net-snmpd
# chkconfig net-snmpd on
Step 4 - Update Firewall Rules
SNMP requires UDP port 161 to be accessible, so you need to open this port on the local firewall.
Do not forget to open this port on any other firewall on your network which is between the monitoring server and your Domino server
# iptables -I INPUT -p udp --dport 161 -j ACCEPT
Step 3 - Testing basic functions
Test basic SNMP functionality from the local host and also from a remote server.
# snmpwalk -v3 -u SNMPv3UserName -A SNMPUserSecretPassword -a MD5 -l authnoPriv dominoserver.domain.com .1.3.6.1.4.1.2021.100.2.0
As a result you should get the version number of the SNMP master agent
Step 5 - Enable Domino SNMP Agent
Make sure LNSNMP will be started after a reboot. (Note: change the path to match your configuration!)
# ln -f -s /opt/ibm/domino/notes/latest/linux/lnsnmp.sh /etc/rc.d/init.d/lnsnmp
# chkconfig --add lnsnmp
# chkconfig lnsnmp on
# service lnsnmp start
In case you get the error "LOTUSDIR must be set in the environment or in this script." you need to update the script so that it can find the path to your Domino server, e.g. LOTUSDIR=/opt/ibm/domino
If everything has worked out, starting lnsnmp should provide the following output
service lnsnmp start
New sub-agent on server is registering a sub-tree with branch ID:
1.3.6.1.4.1.334.72.1
1.3.6.1.4.1.334.72.3
Sending SNMP "Server Up" trap for server.
Step 6 - Domino Tasks
Start the following tasks from the Domino server console
load quryset
load intrcpt
load collect
"quryset" is required to support SNMP queries
"intrcpt" is required to support SNMP traps for Domino events
"collect" is required to support statistic threshold traps
Create a program document or add the tasks to the Notes.ini variable "ServerTasks=" to ensure they are started automatically after a server restart.
Step 7 - Testing Domino SNMP agent response
Now it's time to test if we can access Domino objects via SNMP, e.g. by reading a single value.
$ snmpget -v3 -u SNMPv3UserName -A SNMPUserSecretPassword -a MD5 -l authnoPriv dominoserver.domain.com .1.3.6.1.4.1.334.72.1.1.6.2.1.0
Should return the fully qualified Domino Server name as a string
Ok, you're done... the Domino SNMP Agent is configured and can be used.
However, there still is some work to be done on your SNMP management console e.g. Nagios ,FAN , Cacti (or whatever you are using) in order to monitor Domino via SNMP (for example, server down).
Next Actions:
If you like this post, please let me know via Twitter @ThomasHampel or by leaving a comment below. Please note that comments are moderated and won't show up before being approved.
Hint... configuring Nagios for Domino monitoring and configuring Cacti for trend analysis is subject of another blog post which I'm already working on.
Troubleshooting
- Check snmpd.log for errors
# cat /var/log/snmpd.log
- Error : refused smux peer: oid SNMPv2-SMI::enterprises.334.72, descr Lotus Notes Agent
see IBM Technote 1313318
- Error - Unknown User
Either a typo in the user name or you forgot to add the user to the snmpd.conf file in step 1, search the config file for something like this:
createUser SNMPv3UserName MD5 SNMPUserSecretPassword AES
- Error in packet. Reason: authorizationError (access denied to that object)
The user exists and the password worked, but does not have access rights required. Check snmpd.conf to see if you have granted at least read only rights, search the file for a string like this:
rouser SNMPv3UserName
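A configuration check for the snmpd.conf built in Step 2, added here as an example and not part of the original post. It reports a createUser entry with no matching rouser/rwuser line (the authorizationError case above), MD5 authentication, access rules that do not require the priv level (so authNoPriv requests like the test commands above are accepted without encryption), and the sample passwords from this post left unchanged. The function names, finding labels and the hardened sample values are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): review an snmpd.conf for the
# SNMPv3 settings this walkthrough touches. Passphrases that contain spaces
# (quoted in the file) are not handled by this simple field split.

# audit_snmpd_conf [FILE] - reads standard input when FILE is omitted.
# Prints "<FINDING> <user or OID>" lines, sorted; no output means no findings.
audit_snmpd_conf() {
    awk '
        { sub(/\r$/, "") }
        /^[ \t]*#/ || NF == 0 { next }           # comments and blank lines
        $1 == "createUser" {
            i = 2
            if ($i == "-e") i += 2               # optional "-e ENGINEID"
            user = $i
            auth = toupper($(i + 1))
            pass = $(i + 2)
            priv = $(i + 3)
            created[user] = 1
            if (auth == "MD5") print "WEAK_AUTH " user
            if (priv == "") print "NO_PRIV_PROTOCOL " user
            if (pass == "SNMPUserSecretPassword") print "SAMPLE_PASSWORD " user
        }
        $1 == "rouser" || $1 == "rwuser" {
            i = 2
            if ($i == "-s") i += 2               # optional "-s SECMODEL"
            granted[$i] = 1
            # The level defaults to "auth", which accepts authNoPriv requests.
            if ($(i + 1) != "priv") print "ENCRYPTION_NOT_REQUIRED " $i
        }
        $1 == "smuxpeer" && $3 == "NotesPasswd" { print "SAMPLE_SMUX_PASSWORD " $2 }
        END {
            for (u in created) if (!(u in granted)) print "NO_ACCESS_RULE " u
        }
    ' "${1:--}" | LC_ALL=C sort
}

# The lines Step 2 of the post adds to snmpd.conf, unchanged.
sample_conf_from_post() {
    cat <<'EOF'
sysLocation YourDataCenterLocation
sysContact email@yourdomain.com
createUser SNMPv3UserName MD5 SNMPUserSecretPassword AES
smuxpeer 1.3.6.1.4.1.334.72 NotesPasswd
EOF
}

# Constructed variant: SHA authentication, a separate privacy passphrase,
# an access rule that insists on encryption, and a changed SMUX password.
sample_conf_hardened() {
    cat <<'EOF'
# Constructed values; replace every passphrase with your own.
createUser dominoMonitor SHA constructed-auth-passphrase AES constructed-priv-passphrase
rouser dominoMonitor priv
smuxpeer 1.3.6.1.4.1.334.72 constructed-smux-secret
EOF
}

echo "Settings as written in the post:"
sample_conf_from_post | audit_snmpd_conf
echo "Hardened variant (no findings expected):"
sample_conf_hardened | audit_snmpd_conf
```

With `rouser dominoMonitor priv` in place, the snmpget and snmpwalk tests need `-l authPriv` together with `-x AES -X <privacy passphrase>`.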
Tools:
Take a look at Paessler SNMP Tester (Freeware / Windows)
Further reading:
- How to set up Domino and SNMP in Windows
- IBM Domino MIB - Notes-MIB (v1) Tree
Import Contacts from GDI Business Line / FirebirdSQL to Domino- 23 September 2014 - (1) Comments
Thomas Hampel
23 September 2014
GDI Business Line is an ERP & CRM software for the small & medium businesses market. It is developed by the German vendor GDI based in Landau in der Pfalz.
A customer wanted to use the address data from the GDI platform in the Notes/Domino environment. Main purpose was to simplify communication with known customers by synchronizing contact names, addresses, and phone numbers to Domino.
We all know integrating Directory Data with Domino is made easy with TDI, so let's see if we can use it here.
The backend database of GDI is based on FirebirdSQL , and they provide a JDBC driver which is all we need to make it work.
Here are step-by-step instructions for connecting TDI with the GDI Address table
Part 1 - TDI Installation
Tivoli Directory Integrator V7.1.1 is provided free of charge as an additional entitlement for Notes/Domino customers.
All you need to download from Passport Advantage is IBM Tivoli Directory Integrator Identity Edition V7.1.1 with the part number that fits your needs
Platform | Part Number | Size |
Windows 32Bit | CZUF0ML | 555mb |
Windows 64Bit | CZUF7ML | 567mb |
Linux 32bit | CZUF2ML | 547mb |
Linux 64bit | CZUF3ML | 554mb |
We are intending to use a local Notes Client connector so we will be using the 32bit version of TDI. In case you're planning to install TDI on a 64bit Domino Server you could also go for that version.
The installation process of version 7.1.1 is not any different than V7.1, so you can just follow instructions for installing Tivoli Directory Integrator on IBM Infocenter or on Connections101 (Thanks gabturtle & Paul Mooney for this site).
Part 2 - Apply TDI Fix Pack
Download the latest fix pack for TDI v7.1.1 from Fix Central which at the time of writing this blog post is Fix Pack 3 and this JRE upgrade
Follow installation instructions provided with the fix pack(s)
Hint : {TDI_install_dir}\bin\Applyupdates.bat -update [path to FP zip file]
Part 3 - Notes Connector
TDI can establish different types of connections to Notes/Domino, not all of them can be used everywhere (see Supported session types by Connector )
e.g. if you don't want IIOP to be enabled on your Domino server, you'll have to use either the Local Client connector, which requires a Notes Client to be installed on the same machine, or the Local Server Connector, which requires a Domino Server installed on the same machine. My personal preference is the Notes client connector because it just requires a Notes ID and I can connect from my own client workstation to any server regardless if IIOP is enabled or not.
- Copy the file {NotesProgramDir}\jvm\lib\ext\Notes.jar to {TDI_install_dir}/jars/3rdparty/IBM
(or to the folder defined in the variable "com.ibm.di.loader.userjars" parameter defined in the solution.properties file) - Append the Notes Directory to the PATH parameter in the following TWO files
{TDI_install_dir}ibmditk.bat
{TDI_install_dir}ibmdisrv.bat
Example:
set PATH=%TDI_HOME_DIR%;%TDI_JAVA_BIN_DIR%;%TDI_LIB_DIR%;C:\Program Files (x86)\IBM\Notes;%PATH%
Part 4 - Firebird JDBC Connector
As long as there is a JDBC connector, TDI should be able to connect to the database. FirebirdSQL is nothing special here, so this is what you have to do:
- Pick the JDBC driver here (make sure to choose the one for Java 7)
- Extract the ZIP file to a temporary folder of your choice
- Copy the following three files to the folder {TDI_install_dir}\jars\3rdparty\other
jaybird22.dll, jaybird-2.2.5.jar, jaybird-full-2.2.5.jar
Part 5 - Connect and Feed Data
Now launch TDI Configuration Editor ( {TDI_install_dir}ibmditk.bat ) and add a new JDBC connector
We would like this connector to be used in Iterator mode because we want to loop thru the data later on.
When you click on "Next >" you will be prompted to specify additional connection parameters.
The syntax for the JDBC URL is
jdbc:firebirdsql://host[:port]/database
JDBC URL = jdbc:firebirdsql://sqlserver:23053/C:\Database\GDI.GDB?sql_dialect=1&charset=WIN1252
JDBC Driver = org.firebirdsql.jdbc.FBDriver
and of course you must define your database credentials and the table you want to connect to. In our case the table is "CM_ADRESSEN"
Click Finish to add the connector as your input feed.
Part 6 - Data Map
Now let's use the connection and define the input map:
- Within the connector, use the connect button to establish a first connection for reading the database schema.
- Select the fields which you want to make use of by either dragging/dropping them from the schema or by using the button "Add"
Let's write this data to Domino...
(Remark: assuming the target database already exists and is using a standard pubnames template)
- Add a Notes Connector in Update mode
When you click on "Next >" you will be prompted to specify additional connection parameters.
This example will connect to a remote database hosted on "DominoServer/Org/O", you can of course leave the server name empty to connect to a local database.
Click Finish to add the connector as your Data Flow.
- Click the output connector again to define which data to write to which field in Notes/Domino
Here is an example, feel free to modify or extend:
- In the connector define the Link Criteria
It seems the field SATZUUID is used as a unique key, so we are going to use it as well. Of course you need to make sure to write this field to the target database, otherwise the lookup will always fail and duplicate entries are the result.
Part 8 - Fine Tuning
This part is to be done by yourself. You should probably add some special handling to handle different address types such as if the record is using...
"Adresstyp=1" = Contact
"Adresstyp=4" = Company
"Adresstyp=16" = Person
or updating the full text index when the assemblyline has finished...
try {
    // Get the underlying Notes connector and read its connection parameters
    notes = NotesConnector.getConnector();
    dbname = notes.getParam("notesDatabase");
    srvname = notes.getParam("notesServer");
    // Reuse the connector's Domino session to open the target database
    sess = notes.getDominoSession();
    db = sess.getDatabase(srvname, dbname);
    if (db.isOpen()) {
        message = "Requesting to update FTIndex on " + srvname + "!!" + dbname;
        task.logmsg("INFO", message);
        // true = create the full text index if it does not exist yet
        db.updateFTIndex(true);
    } else {
        message = "Unable to open target notes database." + srvname + "!!" + dbname;
        task.logmsg("ERROR", message);
        java.lang.System.out.println(message);
    }
} catch (ex) {
    message = "Unable to update FTIndex in target Notes database. , " + ex;
    task.logmsg("ERROR", message);
    java.lang.System.out.println(message);
}
Part 9 - Run it
Run the assemblyline and (optionally) have a beer while you will see new person documents showing up in Domino.
Summary
For those of you who are very lazy, here is the TDI AssemblyLine for further use.
GDIDataImportExample.xml
Please note that you must adjust it to fit your needs! Concluding with Notes Sensei's words : YMMV
AMgr: Console command ’LOG.NSF’ is unknown- 13 May 2014 - (0) Comments
Thomas Hampel
13 May 2014
After upgrading to Domino 9.0.1, the following messages show up at the console.
It seems the agent manager is trying to send file names as commands to the server's console...
AMgr: Console command 'ddm.nsf' is unknown
AMgr: Console command 'admin4.nsf' is unknown
AMgr: Console command 'LOG.NSF' is unknown
AMgr: Console command 'LOG.NSF' is unknown
AMgr: Console command 'ddm.nsf' is unknown
AMgr: Console command 'ddm.nsf' is unknown
AMgr: Console command 'admin4.nsf' is unknown
AMgr: Console command 'admin4.nsf' is unknown
AMgr: Console command 'LOG.NSF' is unknown
AMgr: Console command 'LOG.NSF' is unknown
....
It turned out that it's a small bug that was introduced in Domino 9.0.1. The problem is already known and has been documented in SPR# CSAO9FR9ZS
A local workaround is documented here => LO78790: AMGR: CONSOLE COMMAND 'XXX.NSF' IS UNKNOWN SHOWS REPEATEDLY
Making Internet Mail Secure with just a few clicks - S/MIME in Domino- 9 May 2014 - (0) Comments
Thomas Hampel
9 May 2014
I'm wondering why internet mails are still sent unencrypted, at least to a large extent. You should not make it too easy for your enemy to spy on you just by sniffing your internet traffic. This blog post is a reminder for Domino admins who still force mails to be sent unencrypted over the internet to take action now. No, I'm not talking about transport level security for now; this post is about providing end-to-end encryption.
After having read the-dummies-guide-to-2048-bit-ssl-self-signed-certificates-in-domino.htm you are ready for securing your internet email with S/MIME.
So let's roll out S/MIME certificates to Notes users in a Domino domain:
Basic steps are:
1. Create a key ring file that contains a self signed (or trusted) certificate
For more information on how to create a self signed CA, read the-dummies-guide-to-2048-bit-ssl-self-signed-certificates-in-domino.htm
2. Set up the CA process in Domino
Nobody wants to deploy S/MIME certificates to users manually, so it is recommended to set up the CA process in Domino,
otherwise an Admin needs to enter the password of the keystore every time a new user is being registered.
3. Migrate an (internet) Certifier into the CA
Just read and follow instructions for migrating an existing Certifier/KeyRing, or create a new one using the step by step instructions starting with slide #89
Remark: You must refresh the CA process in order to see the newly migrated certifier, use the server command "tell ca refresh" and "tell ca status"
4. Rolling out Internet Certificates to Users
Follow instructions for Issuing Internet certificates in a Person document or use the step by step instructions starting with slide #149
Here the CA process becomes very handy when the rollout is done in waves.
Done!
Once AdminP has completed, the Notes Client will pick up the new keys the next time it authenticates with the Domino server, and the new S/MIME certificate will then be merged into the user's ID file.
If an IDVault is in use, the Notes Client will then upload the ID file to the vault automatically.
What about Step-by-Step deployment instructions?
Those have already been provided by Tom Truitt in his Lotusphere 2011 presentation SHOW104 - Crispy Certificates with Spicy SSL Salsa
One might also want to know how to enable S/MIME in BlackBerry Enterprise Service 10 and should keep in mind S/MIME in IBM Notes Traveler still seems to be an issue (Reference Technote #7039769 )
How to obtain the internet certificate's public key of a user?
When receiving internet mail, users of the same domain can pick up the public key of a user from the Domino Directory, but users receiving mail from the internet need to ask the sender for a signed email and then add the sender's internet certificate to the local address book manually. The option can be found in the "Add Sender to Contacts" dialog box...
at the very bottom there's a small check box...
Now you can send & encrypted mail(s) via the internet - sniffing network traffic won't provide the mail body in clear text anymore.
Of course enabling S/MIME for external communication is just a first small step, and you know it's not a perfect way to protect your privacy forever.
Overall, this is just some very basic knowledge every Domino administrator should have applied for years, but unfortunately...
Yes, there is more to say about S/MIME in Domino, a lot more - so there will be another blog post about this topic.
Further reading:
- Quick guide to securing a Domino server with SSL using the CA process
- IBM Developerworks article "Enhancing e-mail security with S/MIME" by Chuck Connell
http://chc-3.com/pub/Notes-Internet-Encrypted-Email.pdf
- Lotus Domino Certification Authority Tutorial
- Lotus Security Handbook
- Technote #1308138 Export the private key from a Domino keyfile by using IKEYMAN
- Import & Export an Internet certificate from a Person document
The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino- 7 May 2014 - (3) Comments
Thomas Hampel
7 May 2014
Setting up SSL in Domino using Self Signed Certificates is easy: one can choose between SSL using Domino as Certificate Authority, setting up SSL in Domino using the CA Process, or even using an IBM HTTP Server in front of Domino
Since I'm still getting questions on how to quickly create a self signed certificate for Domino, here is a guide for dummies....
When working with self signed certificates in Domino, the product documentation won't tell you there's one small problem:
In the standard Domino Server Certificate Administration template (csrv50.ntf) there is no option to specify the key length for self signed certificates, so by default any new keys will be created with a key length of just 512byte, which is not enough for modern browsers nor for Internet Explorer 9 (or above), see http://technet.microsoft.com/en-us/security/advisory/2661254
So let's get this fixed by applying some small modifications to the template so the key size can be adjusted when needed. At the same time we can also make the default validation time configurable.
HTTP/SSL in Domino 9.0 - more Notes.ini variables to be removed after upgrade- 12 March 2014 - (0) Comments
Thomas Hampel
12 March 2014
After upgrading to Domino 9.0, some users (but not all) claimed they were unable to access a server via HTTP. Specifically, it was iNotes access to one server, while access was okay on other servers.
Quick check:
- Domino HTTP task was running fine
- TCP port 80 was responding
- Redirect to SSL seemed not to work (Error "The connection was interrupted")
HTTP Server: SSL handshake failure, no website found for IP address [123.123.123.123]
[...]
New SSL session data length of 5132 bytes is larger than the current size of 5000 bytes.
Especially the second error message caused me to start thinking... Yes! I did remember there was an issue with earlier releases of Domino, where Technote 1220425 suggested setting two Notes.ini variables to fix a crash related to SSL
SSL_SESSION_SIZE
SSL_USE_ADDSESSION2
Of course these Notes.ini variables were still in place and still work -- they are not obsolete as such (see list of obsolete Notes.ini variables)
However, after upgrading to Domino 9.0 they are no longer required and as we have seen even cause problems if set too small.
Resolution:
1.) Remove these two variables (Reference: IBM Technote 1657588)
2.) Restart the HTTP task
...and iNotes with SSL is working again.
Testing knowledge - IBM Certified Advanced System Administrator Notes and Domino 9.0 - 11 February 2014 - (1) Comments
Thomas Hampel
11 February 2014
Two weeks ago at IBM Connect 2014 attendees were able to test their knowledge in the IBM Certification Lab.
Most of the IBM Certification tests were offered, so I decided to sign up and give it a try without any preparation.
For updating my existing Advanced System Administrator certificate to version 9.0 level, the following two tests were required
- LOT-405 IBM Notes and Domino 9.0 Social Edition System Administration Update
- C2040-412: IBM Notes Traveler Administration
Both tests were simple: for Traveler you need to know how to configure Traveler in high availability mode, and for the upgrade exam most questions were about SAML & OpenSocial.
Having passed the upgrade exam and the IBM Traveler exam, this certificate was sent to me as an official statement that I have qualified as IBM Certified Advanced System Administrator for Notes & Domino 9.0
Next action: updating my Certified Advanced Development Certificate to version 9.0 and signing up for Connections & Sametime tests.
IDVault - ID file upload fails with Error 03:11- 16 August 2013 - (1) Comments
Thomas Hampel
16 August 2013
Problem
A Notes ID is not uploaded to an IDVault although the configuration of the Client itself as well as the IDVault incl. its trust certificates seem to be correct.
Analysis
The administrator wanted to force the Notes client to upload his ID file to the server. Since there already was an (old) ID file stored in the vault, it had been deleted manually.
However, the client still doesn't upload its local user ID.
Looking at the servers log file / Security Events....
provided a few hints about the problem:
> Unable to find ID for 'dummy username/OU/O' in vault 'O=IDVault'. Error: 03:11
> ID failed to authenticate in vault 'O=IDVault'. 'dummy username/OU/O' (IP address 10.10.10.10:57739) made request. Error: 03:11
and further down other user names:
> Error: Entry not found in index
This indicates a view isn't updated...
Resolution
1.) Update the view index for the hidden view $IDFile in the IDVault database by using the following command
load updall -R IBM_ID_VAULT\IDvault.nsf
2.) Remove the pending name change as described in my previous blog post id-vault-error-0311.htm
Hint: Although this has fixed the problem in my case, there's more to know.
IDVault does not honor view updates made directly in the database, maybe for performance reasons.
There is a DEBUG parameter for the IDVault which can override this behaviour so that VIEWUPDATES are being reflected/enabled.
Create a replica without having direct server access- 5 July 2013 - (0) Comments
Thomas Hampel
5 July 2013
Here is the problem:
You want to create a new replica of an existing database on a server which you are responsible for, but you are not allowed to access the remote server.
Not having access means your user ID is e.g. in an access deny group, or in a more simple scenario a firewall is blocking direct access.
However, how would you pull a new replica from the remote server down to yours?
The answer is simple - you can set up a replica stub on your server without the need of accessing the remote server.
Step by step instructions
1. Switch to your workspace, make sure you have no database selected.
2. Use File\Replication\New Replica
3. Type the Servername + Filename >from< which you want to pull the replica.
4. Click "Select"
Now your client will try to connect to the remote server, which of course won't work.
5. A dialog box will display, showing an incomplete question
Here you have to select "Yes" without knowing what the question actually means.
Note: Obviously that's a bug, but it seems that it has not been fixed yet.
6. Choose to which server you want to put the replica, also define a file name of your choice.
7. Disable "Create Immediately"
8. Hit okay to create an uninitialized replica stub
9. Last and final step is to replicate this database on console level using the command:
>pull remoteserver/ou/o localpath/filename.nsf
A note for beginners:
Your server also must be allowed to read from the remote server and the target server needs to know how to reach the source server... so make sure you have proper name resolution or connection documents in place.
Achieving (a working) high availability with IBM Lotus iNotes- 2 July 2013 - (1) Comments
Thomas Hampel
2 July 2013
Update: For configuring High Availability for HCL Verse please refer to this technote: Configuring a Proxy for HCL Verse High Availability
We all like well working products and love good documentation, even better when there is a step by step instruction on how to set up a specific configuration to work perfectly.
One of those often referenced instructions is an IBM developerWorks article "Achieving high availability with IBM Lotus iNotes" based on a product from BigIP F5 which explains a clever reverse proxy configuration for optimizing performance.
Unfortunately the configuration outlined there DOES NOT WORK because it contains multiple errors/failures/mistakes.
Following instructions step by step will make it impossible to get the expected solution in place. Let me explain the problem in more details.
For a small environment with only two servers in one cluster, you won't notice any problem; everything seems to work perfectly.
What you don't know is that the iRule does not work, and traffic is always dispatched to both of your servers. As soon as you have multiple clusters involved, the problem becomes visible.
From time to time users receive "Error 404 - HTTP Web Server: Lotus Notes Exception - File does not exist", which indicates that traffic was routed to a server that doesn't host the file requested.
The (not working) documentation has been published in at least two other places, a DominoWiki Article and a WhitePaper
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Achieving_high_availability_with_IBM_Lotus_iNotes
http://www.f5.com/pdf/deployment-guides/f5-ibm-inotes-dg.pdf
Lets get back to the roots - according to the developerworks article this is what (in theory) should happen:
BigIP F5 reverse proxy appliance will intercept inbound HTTP requests which end with ".nsf" and are not dedicated to "names.nsf"
Domino will figure out which servers are hosting the requested file and will return a list of server DNS names in form of an HTTP header.
The problems are:
- BigIP will send traffic to any server in the server pool which is configured - so your session can end up on any random cluster/server which may not host the database you are looking for.
- Domino lookups are performed towards the local "cldbdir.nsf" which holds information from databases in this cluster only. What if there are multiple clusters involved?
but the iRule itself is only referring to "X-Domino-ClusterServers", the other header "X-Domino-ReplicaServers" is never used. #fail !
Lets look into details:
In Domino, a customized ServersLookup form in "iwaredir.nsf" is used to lookup the "cldbdir.nsf" to figure out what servers are hosting the file and will return this information as part of an HTTP header.
Sniffing network traffic using Wireshark shows that the HTTP header is never returned, it also shows that the URL referenced in the iRule is never called.
The iRule documented in Appendix B is supposed to call the (modified) ServersLookup form to retrieve the list of servers as an HTTP header,
HTTP::uri /iwaredir.nsf/ServersLookup?OpenForm&nsfpath=$nsf
Unfortunately this iRule is never called, because it is expecting the request URL to >end< with ".nsf"
if { ([HTTP::uri] ends_with ".nsf") and not ([HTTP::uri] contains "names.nsf") } {
OK, let's try to fix it!
Resolving the problem requires changes on both sides: multiple changes in Domino and a slight change to the F5 iRule. I'm trying to cover the modifications step by step:
Part 1 - Let's start with the iRule,
here you need to change the if-clause to check for "path" rather than "uri", and also exclude any lookups towards "iwaredir.nsf".
if { ([HTTP::path] ends_with ".nsf") and not ([HTTP::path] contains "iwaredir.nsf") and not ([HTTP::path] contains "names.nsf") } {
Part 2 - Database Catalog
In order to find the correct servers at the first attempt, my idea was to look up the (in our case always perfect) database catalog to find the servers hosting the requested file.
To do that we will need to create a new (hidden) view in the catalog.nsf with two columns
View Formula |
@Text(ReplicaID2; "*")
Part 3 - ServersLookup
Now let's make use of the view by updating the code in the "ServersLookup" form of the file iwaredir.nsf.
If no parameter is provided, it's assumed the user wants to access his mail server
The code behind the $$HTMLHead field should look like this:
tmpDebug := "";
tmpNSFPath := @ReplaceSubstring(@URLDecode( "Domino"; @UrlQueryString("nsfpath") );"/";"\\");
@If (tmpNSFPath = ""; tmpNSFPath:=@Name([Canonicalize];@NameLookup( [NoUpdate];@UserName; "MailFile" ));"");
REM {Lookup home mail server };
tmpHomeServer:=@Name([Canonicalize];@NameLookup( [NoUpdate];@UserName; "MailServer" ));
tmpLookupKey := @ReplaceSubstring (tmpNSFPath;"\\";"/") ;
REM {Get replicaID of this mail file};
tmpReplicaID := @DbLookup( "":"" ; "":"catalog.nsf" ; "($LookupServerFilename)" ;tmpLookupKey; "TextReplicaID");
REM {Find all servers who are hosting this replicaID };
tmpServers := @DbLookup( "":"" ; "":"catalog.nsf" ; "($ReplicaID)" ;tmpReplicaID; "Server");
tmpServers:=@If(@IsError(tmpServers);"";tmpServers);
REM {Is Home Mail server in list of servers, then move this up to the front of the list};
tmpServers := @If(@IsMember(tmpHomeServer;tmpServers);tmpHomeServer : @Transform(tmpServers;"x";@If(x=tmpHomeServer;@Nothing;x));tmpServers);
tmpDNSNames := "";
REM {Resolve host names for each server name in list};
tmpLimit:=@Elements(tmpServers)+1;
@For(n:=1; n<tmpLimit; n:=n+1;
tmpHTTPHostNameALT:=@Subset(@DbLookup( "":"" ; "":"names.nsf" ;"($ServersLookup)" ; tmpServers[n] ; "HTTP_Hostname");1);
tmpServerFQDN:=@Subset(@DbLookup( "":"" ; "":"names.nsf" ; "($ServersLookup)" ; tmpServers[n] ; "SMTPFullHostDomain");1);
tmpString:=tmpString+@Text(n)+tmpHTTPHostNameAlt+tmpServerFQDN;
tmpDNSNames := @If(@Length(tmpDNSNames)>0;tmpDNSNames+",";"") + @LowerCase(@If (tmpHTTPHostNameALT!="";tmpHTTPHostNameALT;tmpServerFQDN))
);
REM {Return results to F5};
@SetHTTPHeader("X-Domino-ClusterServers";tmpDNSNames);
@SetHTTPHeader("Cache-control";"no-store");
@If(tmpDebug="";"";"")
Update:
Session persistence is causing some headaches when F5 needs to select an address from the pool. To work around this issue you can use this iRule
inotes-irule.txt
Result:
No more nasty HTTP404 unless the database really can not be found anywhere.
Of course even this solution depends on a few assumptions; one is that the catalog must be up to date and must be replicating within the environment.
Disclaimer: Use at your own risk, no warranty is provided. However, please let me know if you have further suggestions how to improve this solution.
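The following Python model is an added example, not the author's iRule or formula code: it compares the original and the corrected if-clause and then mimics the catalog-based ServersLookup logic (replica ID lookup, home server first, HTTP host name preferred over the FQDN). The request URLs, server names, replica IDs and host names are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed sample data standing in for catalog.nsf: (server, file path, replica ID)
CATALOG = [
    ("CN=MailA1/O=Org", "mail/jdoe.nsf", "C1257B9D003A1F22"),
    ("CN=MailA2/O=Org", "mail/jdoe.nsf", "C1257B9D003A1F22"),
    ("CN=MailB1/O=Org", "mail/asmith.nsf", "C1257B9D004410AB"),
    ("CN=MailB2/O=Org", "mail/asmith.nsf", "C1257B9D004410AB"),
]
# Constructed stand-in for the Server documents: server -> (HTTP_Hostname, SMTPFullHostDomain)
HOSTNAMES = {
    "CN=MailA1/O=Org": ("webmail-a1.example.com", "maila1.example.com"),
    "CN=MailA2/O=Org": ("", "maila2.example.com"),
    "CN=MailB1/O=Org": ("", "MailB1.example.com"),
    "CN=MailB2/O=Org": ("webmail-b2.example.com", "mailb2.example.com"),
}


def original_rule_matches(uri):
    """Original if-clause: tested against the URI, which includes the query string."""
    return uri.endswith(".nsf") and "names.nsf" not in uri


def fixed_rule_matches(uri):
    """Corrected if-clause: tested against the path only, excluding iwaredir.nsf and names.nsf."""
    path = urlsplit(uri).path
    return (path.endswith(".nsf")
            and "iwaredir.nsf" not in path
            and "names.nsf" not in path)


def cluster_servers_header(nsf_path, home_server):
    """Build the X-Domino-ClusterServers value the way the ServersLookup formula does."""
    key = nsf_path.replace("\\", "/").lower()  # view lookups are not case sensitive
    replica_ids = [rid for _, path, rid in CATALOG if path.lower() == key]
    if not replica_ids:
        return ""  # unknown file: empty header
    servers = [srv for srv, _, rid in CATALOG if rid == replica_ids[0]]
    # Move the home mail server to the front of the list
    if home_server in servers:
        servers = [home_server] + [s for s in servers if s != home_server]
    names = []
    for srv in servers:
        http_name, fqdn = HOSTNAMES.get(srv, ("", ""))
        name = (http_name or fqdn).lower()
        if name:  # this model skips servers without any host name
            names.append(name)
    return ",".join(names)


def route(uri, home_server):
    """Return the header value for an intercepted request, or None if the rule does not fire."""
    if not fixed_rule_matches(uri):
        return None
    return cluster_servers_header(urlsplit(uri).path.lstrip("/"), home_server)


if __name__ == "__main__":
    for uri in ("/mail/asmith.nsf", "/mail/asmith.nsf?OpenDatabase",
                "/iwaredir.nsf", "/names.nsf?Login"):
        print(uri, original_rule_matches(uri), fixed_rule_matches(uri))
    print(route("/mail/asmith.nsf?OpenDatabase", "CN=MailB2/O=Org"))
```
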
Notes and Domino 9.0- 22 March 2013 - (0) Comments
Thomas Hampel
22 March 2013
IBM just announced the availability of IBM Notes and Domino 9.0 Social Edition.
The software packages are available to download from Passport Advantage, in specific the part numbers are:
- Domino from Passport Advantage
- Notes from Passport Advantage
- Domino Designer 9 from developerWorks
System requirements for IBM Notes and Domino 9.0 Social Edition
If you are interested to know what has been changed from previous versions, take a look at the fix list
http://www-10.lotus.com/ldd/fixlist.nsf/%28Progress%29/90
Recover your Domino SSL Keystore password- 27 February 2013 - (2) Comments
Thomas Hampel
27 February 2013
In a situation where you need to verify the contents of a Domino SSL key ring file (*.kyr), it's very useful to know the password to that key ring.
Unfortunately that's not always the case, e.g. when inheriting a server for which no documentation exists, or in simple terms when you forgot the password.
In order to recover the password in clear text, just enable the debug parameter SSL_TRACE_KEYFILEREAD=1 in the Notes.ini
To avoid any impact to production, you might want to do this in an isolated environment like a fresh installed Domino server or a test server you already have.
So this is what you have to do:
- Install a new isolated Domino server (or use a test server of your choice)
- Copy the *.kyr + *.sth file from the production server to the new server
- Configure the HTTP task to make use of this key ring file, by updating the server document/internet ports, or by updating the internet site / security configuration.
- Enable the Notes.ini parameter by typing this command at the server's console
set config SSL_TRACE_KEYFILEREAD=1
- Restart the HTTP task
tell http restart
- Watch the console to obtain the password in plain text:
ReadKeyfile> Recovering password from stash file
ReadKeyfile> Password is ABCDEFGH
ReadKeyfile> Reading keyfile /opt/IBM/notesdata/keyfile.kyr
ReadKeyfile> Looking for trusted roots
ReadKeyfile> Found trusted roots
ReadKeyfile> Exit status = 0
ReadKeyfile> Recovering password from stash file
ReadKeyfile> Password is ABCDEFGH
ReadKeyfile> Reading keyfile /opt/IBM/notesdata/keyfile.kyr
ReadKeyfile> Looking for cert chain
ReadKeyfile> Got cert chain
ReadKeyfile> Exit status = 0
ReadKeyfile> Recovering password from stash file
ReadKeyfile> Password is ABCDEFGH
ReadKeyfile> Reading keyfile /opt/IBM/notesdata/keyfile.kyr
ReadKeyfile> Looking for private key
ReadKeyfile> Decoding keys
ReadKeyfile> Keys decoded
ReadKeyfile> Exit status = 0
HTTP Server: Using Internet Site Configuration View
Now you can use the Domino Server Certificate Authority application to take a closer look into the *.kyr file.
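Because this trace writes the key ring password into console output, and the HTTP/SSL post above names two further Notes.ini variables to remove after the upgrade to Domino 9.0, an audit of both files is a useful follow-up. The Python check below is an added example, not part of the original posts: the Notes.ini content is constructed, the console lines are the sample output shown above, and case-insensitive matching of variable names is an assumption.

```python
import re

# Notes.ini variables named on this page, with the reason each one is flagged.
FLAGGED_INI_VARS = {
    "SSL_TRACE_KEYFILEREAD": "debug trace writes the key ring password to the console",
    "SSL_SESSION_SIZE": "no longer required after the upgrade to Domino 9.0",
    "SSL_USE_ADDSESSION2": "no longer required after the upgrade to Domino 9.0",
}

# The leading .* tolerates a timestamp in front of the trace line (assumption).
PASSWORD_LINE = re.compile(r"^(?P<prefix>.*ReadKeyfile>\s*Password is\s+)(?P<secret>\S.*?)\s*$")
KEYFILE_LINE = re.compile(r"ReadKeyfile>\s*Reading keyfile\s+(?P<path>\S+)")

# Constructed sample Notes.ini.
SAMPLE_NOTES_INI = """\
[Notes]
Directory=/opt/IBM/notesdata
ServerTasks=Replica,Router,Update,AMgr,HTTP
SSL_SESSION_SIZE=5000
ssl_use_addsession2=1
SSL_TRACE_KEYFILEREAD=1
"""

# Console output as shown in the post (ABCDEFGH is the post's placeholder password).
SAMPLE_CONSOLE = """\
ReadKeyfile> Recovering password from stash file
ReadKeyfile> Password is ABCDEFGH
ReadKeyfile> Reading keyfile /opt/IBM/notesdata/keyfile.kyr
ReadKeyfile> Looking for trusted roots
ReadKeyfile> Found trusted roots
ReadKeyfile> Exit status = 0
ReadKeyfile> Recovering password from stash file
ReadKeyfile> Password is ABCDEFGH
ReadKeyfile> Reading keyfile /opt/IBM/notesdata/keyfile.kyr
ReadKeyfile> Looking for private key
ReadKeyfile> Decoding keys
ReadKeyfile> Keys decoded
ReadKeyfile> Exit status = 0
HTTP Server: Using Internet Site Configuration View
"""


def audit_notes_ini(text):
    """Return (line_no, variable, value, reason) for every flagged variable that is set."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if "=" not in raw:
            continue  # section headers and stray text carry no setting
        name, value = (part.strip() for part in raw.split("=", 1))
        key = name.upper()  # assumption: names are matched case-insensitively
        if key not in FLAGGED_INI_VARS:
            continue
        if key == "SSL_TRACE_KEYFILEREAD" and value in ("", "0"):
            continue  # trace is switched off
        findings.append((line_no, key, value, FLAGGED_INI_VARS[key]))
    return findings


def scan_console_log(text):
    """Find password trace lines; return (exposures, log text with the secrets redacted)."""
    exposures, cleaned = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = PASSWORD_LINE.match(line)
        if match:
            exposures.append({"line": line_no, "keyfile": None})
            cleaned.append(match.group("prefix") + "[REDACTED]")
            continue
        keyfile = KEYFILE_LINE.search(line)
        if keyfile and exposures and exposures[-1]["keyfile"] is None:
            # The trace names the key ring right after printing its password
            exposures[-1]["keyfile"] = keyfile.group("path")
        cleaned.append(line)
    return exposures, "\n".join(cleaned)


def disclosed_keyfiles(exposures):
    """Key ring files whose password appeared in the log and should be treated as disclosed."""
    return sorted({e["keyfile"] for e in exposures if e["keyfile"]})


if __name__ == "__main__":
    for finding in audit_notes_ini(SAMPLE_NOTES_INI):
        print("notes.ini line %d: %s=%s (%s)" % finding)
    found, redacted = scan_console_log(SAMPLE_CONSOLE)
    print("password lines:", [e["line"] for e in found])
    print("key rings affected:", disclosed_keyfiles(found))
```
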
Change ReplicaID of existing DBs without creating a Notes Copy- 23 February 2013 - (0) Comments
Enable ’Show in-line MIME images as attachments’ via Policies- 11 February 2013 - (0) Comments
Thomas Hampel
11 February 2013
Some Notes client preferences cannot be enabled via Domino Policies because the values are not exposed as a parameter in the Domino Directory template.
One of them is "Show in-line MIME images as attachments"
In order to enable/disable this setting, you'll have to set a Notes.ini variable via policies
ShowIMIMEImagesAsAttachments=1
Instead of modifying the Domino Directory template, it's enough to add this variable in the custom settings section of the Desktop policy settings.
IBM Lotus Connector for SAP Solutions with IBM Lotus Enterprise Integrator for Domino 8.5.3 64-bit- 23 January 2013 - (2) Comments
Thomas Hampel
23 January 2013
For running IBM Lotus Connector for SAP Solutions with the 64bit version of IBM Lotus Enterprise Integrator for Domino 8.5.3, you will need the following packages:
Part nr. Software name
CRG0LEN IBM Lotus Enterprise Integrator for Domino V8.5.3 Multi O/S English 64-bit
CZN8CEN IBM Lotus Connector for SAP Solutions 2.0.1 64-bit
Unfortunately this is not enough - according to the LEI documentation there should be one more file "librfc32.dll" which is missing
librfc32.dll <- not present in the package, missing !
librfc32u.dll
Icudt*.dll
Icuin*.dll
Icuuc*.dll
libsapucum.dll
The file can be found in the 64-bit version of SAP RFC SDK 6.40 kit which is not part of the IBM packages
This software is only available from SAP via the SAP Marketplace, so download and unpack the SAP RFC SDK to find the DLL you are looking for.
Copy the DLL files from the SDK into the same place as the other libraries above (e.g. C:\WINDOWS\SYSTEM32\ ) to make the SAP Connector work.
How to supply your admin with a precise copy of a mail for further analysis- 13 December 2012 - (0) Comments
Thomas Hampel
13 December 2012
Have you ever been in the situation when a user had to supply an admin with an example of the message incl. header information?
Forwarding copies or replied mails are unusable regardless of how they are saved.
In order to supply admins with what they need for further analysis, please follow these instructions...
Lotus Notes 6.x-8.x
- From the Lotus Notes mail database window, select the message you want to submit.
- Open the message full view (not preview mode).
- From the "View" menu, select "Show" then "Page Source".
- From the "File" menu, select "Export."
- In the "Export" pop-up window, enter a filename and choose a location to save the file.
From the "Save as type" drop-down list select "ASCII Text." After entering the filename, press "Export."
- In the next dialog box, select "Default Character Set" and then click OK.
Lotus Notes 5.x and below
- From the Lotus Notes mail database window, select the message you want to submit.
- From the "File" menu, select "Export."
- In the "Export" pop-up window, enter a filename and choose a location to save the file.
From the "Save as type" drop-down list select "Structured Text." After entering the filename, press "Export."
- Select "Selected documents" in "How Much to Export" of the "Structured Text Export" dialog box, and press OK.
Now, save the text file in the location you designated in Step 3.
And in case anyone is still using less functional mail clients....
Note: Some versions of Outlook offer two options to save an .msg file - one is "Outlook Message Format", the other is "Outlook Message Format - Unicode". You should NOT select the Unicode format, this could cause problems when you save and submit the file.
Microsoft Office Outlook 2003/2010
- Open Microsoft Office Outlook 2003.
- Double click to open the email message that you want to save.
- From the "File" menu, select "Save As."
- The "Save As" pop-up window displays. Select "Outlook Message Format" from the "Save as type" drop-down list.
- Select the folder in which you want to save the message. Note, the "File name" is provided by default. You can change this if you want.
- Click "Save." The message is saved with an ".msg" file extension.
Microsoft Office Outlook XP
- Open Microsoft Office Outlook XP.
- Double click to open the email message that you want to save.
- From the "File" menu, select "Save As."
- The "Save As" window displays. Select "Message Format (*.msg)" in the "Save as type" drop-down list.
- Select the folder in which you want to save the message. Note that the "File name" is provided by default. You may change this if you want.
- Click "Save." The message is saved with an ".msg" file extension.
Microsoft Outlook Express
- Open Microsoft Outlook Express.
- Double click to open the email message that you want to save.
- From the "File" menu, select "Save As."
- The "Save Message As" pop-up window displays. Select "Mail (*.eml)" from the "Save as type" drop-down list.
- Select the folder in which you want to save the message. Note, the "File name" is provided by default. You can change this if you want.
- Click "Save." The message is saved with an ".eml" file extension.
Apple (Mac) Mail
- Select the message you want to save.
- From the "File" menu, select "Save as ..."
- In the pop-up window, select the format "Raw Message Source"
- Save with a filename including a .txt or .eml extension
Other Mail User Agents
Save the email that you want to report as a text file. Make sure that the message is as close to its original form as possible. Your mail client might allow you to save rendered text as well as the original source -- it is the original "raw source" that is needed. Make sure the original email headers are intact and included in RFC-822 format. Typical file name extensions are .eml and .txt
Please attach .txt/.msg/.eml file to a new email which you can send to your administrator.
TechLesson of the day - Language Pack installer does not find Domino server- 7 November 2012 - (2) Comments
Thomas Hampel
7 November 2012
A small lesson learned today:
When applying a language pack to a Domino server, the following error message will appear
Could not find any indications of a Domino server in your selected paths, either path(s) are incorrect, or you do not have a Domino server at the location. please confirm selected path(s) are correct. [OK]
Root cause: The Domino data directory did not contain the file "pubnames.ntf"; some admin thought it would be a good idea to delete all *.ntf files from the server.
So of course a Language Pack could not be installed.
In case of further problems, check this technote for troubleshooting language pack installation issues.
http://www-01.ibm.com/support/docview.wss?uid=swg21229337
Exporting Notes Documents- 2 October 2012 - (1) Comments
Thomas Hampel
2 October 2012
A customer wanted to have all attachments of some selected Notes documents exported to the file system and also wanted to keep an option for developers to access the metadata of the original Notes document.
Nothing easier than that, so I wrote this small script to get the job done.
First the entire document is exported into DXL, then all attachments are detached to the file system. Neither part is rocket science, but some people might want to reuse the code.
To avoid name conflicts while detaching files, a folder is created for each Notes document, so all attachments of this Notes document are stored in this subfolder.
Option Public
Option Declare

Dim gCounter&

Sub Initialize
    Dim s As New NotesSession
    Dim coll As NotesDocumentCollection
    Dim BasePath$
    BasePath$ = InputBox ("Export data to path...: ", "Export", "C:\")
    '# nothing entered or dialog cancelled
    If BasePath$ = "" Then Exit Sub
    '# add backslash at the end
    If Right (BasePath$,1) <> "\" Then BasePath$ = BasePath$ & "\"
    Print "Using BasePath : " & BasePath$
    Set coll = s.CurrentDatabase.UnprocessedDocuments
    If coll Is Nothing Then
        MessageBox "No documents selected"
    ElseIf coll.Count = 0 Then
        '# UnprocessedDocuments can also return an empty collection
        MessageBox "No documents selected"
    Else
        Print "Processing " & coll.Count & " documents..."
        Call ExportToDXL (coll, BasePath$)
        Call ExportToFile (coll, BasePath$)
        MessageBox "Export completed."
    End If
End Sub

Function ExportToDXL (Coll As NotesDocumentCollection, BasePath As String)
    Dim session As New NotesSession
    Dim stream As NotesStream
    Dim DXLfilename$
    Dim doc As NotesDocument
    Dim tdoc As NotesDocument
    Dim exporter As NotesDXLExporter
    If coll Is Nothing Then Exit Function
    Set doc = coll.GetFirstDocument
    While Not doc Is Nothing
        Set tdoc = coll.GetNextDocument (doc)
        '# Open xml file named after the UniversalID of the current document
        Set stream = session.CreateStream
        DXLfilename$ = BasePath$ & doc.UniversalID & ".dxl"
        If Not stream.Open(DXLfilename$) Then
            MessageBox "Cannot open " & DXLfilename$,, "Error"
            Exit Function
        End If
        '# discard the content of a file left over from an earlier export
        Call stream.Truncate
        '# kick off the exporter process
        Set exporter = session.CreateDXLExporter
        Call exporter.SetInput(doc)
        Call exporter.SetOutput(stream)
        Call exporter.Process
        '# flush and release the file before moving on to the next document
        Call stream.Close
        Set doc = tdoc
    Wend
End Function

Function ExportToFile (coll As NotesDocumentCollection, BasePath As String)
    On Error GoTo ErrH
    Dim doc As NotesDocument
    Dim tdoc As NotesDocument
    Dim rtitem As Variant
    Dim targetpath$, fname$
    Dim FieldList(0) As String
    '# define which fields to scan for attachments
    FieldList (0) = "Body"
    If coll Is Nothing Then Exit Function
    Set doc = coll.GetFirstDocument
    While Not doc Is Nothing
        Set tdoc = coll.GetNextDocument (doc)
        If doc.HasEmbedded Then
            '# one subfolder per document, named after its UniversalID
            targetpath$ = BasePath$ & doc.UniversalID & "\"
            If Dir$ (BasePath$ & doc.UniversalID, 16) = "" Then MkDir BasePath$ & doc.UniversalID
            '# loop list of fields
            ForAll f In FieldList
                Set rtitem = doc.GetFirstItem(f)
                If Not rtitem Is Nothing Then
                    If (rtitem.Type = RICHTEXT ) Then
                        '# make sure the field contains some objects and detach
                        If IsArray(rtitem.EmbeddedObjects) Then
                            ForAll o In rtitem.EmbeddedObjects
                                If ( o.Type = EMBED_ATTACHMENT ) Then
                                    fname$ = o.Name
                                    '# a file of this name is already in the target folder: prefix the counter
                                    If Dir$ (targetpath$ & fname$) <> "" Then fname$ = CStr(gCounter&) & fname$
                                    Call o.ExtractFile(targetpath$ & fname$)
                                    gCounter& = gCounter& + 1
                                End If
                            End ForAll
                        End If
                    End If
                End If
            End ForAll
        End If
        Set doc = tdoc
    Wend
continue:
    Exit Function
errH:
    '# Stop only has an effect when the LotusScript debugger is active
    Stop
    Print "Error " & Err() & " in line " & Erl() & " - " & Error
    Resume continue
End Function
EMC SourceOne- 27 September 2012 - (0) Comments
Thomas Hampel
27 September 2012
When running EMC SourceOne with Domino, it might happen that users can only see a subset of the mails they have received, even if the mail itself is stored in the EMC system.
Here are the details...
Problem
When logging in with Active Directory credentials, users can only see emails which have been sent to the internet address of that user.
Logging in with Notes/Domino user name and HTTPPassword, only the Lotus Notes mails can be found.
Analysis
By opening one email in each account and looking at the header, it became clear that EMC SourceOne cannot associate the AD user name with the Notes user name.
The Notes user name is stored in a custom attribute of the Active Directory user object, but there is no option to customize the EMC software to make use of this attribute.
For each mail, EMC seems to use the recipient's name as a string to search Active Directory. So if the mail has been sent to "firstname.lastname@company.com", it will find a corresponding user in AD and can associate the mail with that user.
When the mail is sent to "Firstname Lastname/OU/O", there is no corresponding user in AD, at least not among the list of objects which EMC is searching in.
Those of you who have migrated from Exchange to Domino already know that for perfect coexistence between both systems, the AD user needs to have a Notes proxyAddress defined.
Based on this knowledge it was easy to resolve the problem.
Solution
Adding the Notes user name to the list of email addresses ("proxyAddresses") in the AD user object resolved the issue.
The result is another proxy address "NOTES:CN=Firstname Lastname/OU=X/O=Y" in addition to the internet address itself.
Domino Program documents and schedule- 6 September 2012 - (1) Comments
Thomas Hampel
6 September 2012
Problem: A customer reported that Domino would stop responding at a specific point in time. The servers don't crash - they are unresponsive.
Analysis: The Domino server logs showed that some scheduled tasks were running at about the time the problem was reported.
While scrolling down the logs it became clear that the compact task was blocking access to the server's system databases - in this case log.nsf - which caused the server to ignore incoming requests.
From the end user's point of view the server came to a halt, while from the server's point of view all was okay.
Action: Getting Domino program documents scheduled perfectly can be a long journey. Here is my recommendation on how to do it right.
Program | Command Line | Schedule | Comments |
convert | -l mailprimary.ind | 18:50 each day; Repeat interval of: 0 minutes; Days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat | Generates a list of mail files by reading people's mail files from the Domino Directory and writes the list into an IND file. |
compact | -A mailprimary.ind | 19:00 each day; Repeat interval of: 0 minutes; Days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat | Archive data but don't reduce the mail file size, because compacting will be done through another program document. |
compact | -B -S 20 -w | 23:00 each day; Repeat interval of: 0 minutes; Days of week: Fri | Once per week, reduce the file size if there is at least 20% white space in the file. Exclude system DBs with option -w; for servers before 8.5.4 this requires the variable DEBUG_ENABLE_COMPACT_8_5=1. Note: Reducing the file size for every file every day will just increase the level of fragmentation and will reduce performance. |
compact | -b -w | 23:00 each day; Repeat interval of: 0 minutes; Days of week: Sun, Sat | Make sure the white space is located at the end of the NSF file for better performance when creating new documents. Note: Do not run on Friday, due to backup. |
compact | -b log.nsf | 04:30 each day; Repeat interval of: 0 minutes; Days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat | Special schedule for log.nsf after 04:00 when purge has been completed, to make sure the white space is located at the end of the NSF file for better performance when creating new documents. |
catalog | | 01:00 each day; Repeat interval of: 0 minutes; Days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat | Updates information in catalog.nsf |
updall | | 02:00 each day; Repeat interval of: 0 minutes; Days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat | Updates existing views |
statlog | | 05:00 each day; Repeat interval of: 0 minutes; Days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat | Record statistics |
daosmgr | resync | 23:30 each day; Repeat interval of: 0 minutes; Days of week: Mon, Wed, Fri | Every second day resync the DAOS repository |
collect | | At server startup only | Remark: Make sure the task is not loaded in the Notes.ini via "ServerTasks=" |
http | | At server startup only | Remark: Make sure the task is not loaded in the Notes.ini via "ServerTasks=" |
rnrmgr | | At server startup only | Remark: Make sure the task is not loaded in the Notes.ini via "ServerTasks=" |
(n)server | -c "tell sched validate" | 02:00 each day; Repeat interval of: 0 minutes; Days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat | Rebuilds the clubusy/busytime |
(n)server | -c "tell mtc purge 7" | 00:00 each day; Repeat interval of: 0 minutes; Days of week: Sun, Mon, Tue, Wed, Thu, Fri, Sat | Purge data older than 7 days from the message tracking store |
Optional Program Documents for Specific Server Types
Program | Command Line | Schedule | Comments |
(n)server | -c "tell router compact" | 18:00 each day; Repeat interval of: 0 minutes; Days of week: Sun | This will reduce the file size of the mail.box files, but will increase fragmentation on disk. Not recommended for servers with high mail volume. |
Of course no one is perfect, so any comments and suggestions for improvements are very welcome!
ID Vault - Error 03:11- 8 June 2012 - (0) Comments
Thomas Hampel
8 June 2012
When deploying the ID Vault, administrators may see the following error in the log.nsf of the server hosting the ID Vault.
06/08/2012 04:54:18 PM ID failed to upload to vault 'O=XYZ-IDVault'. 'Firstname Lastname/OU/O' (IP Address a.b.c.d:port) made request. Error: 03:11
06/08/2012 04:59:16 PM Unable to find ID for 'Firstname Lastname/OU/O' in vault 'O=XYZ-IDVault'. Error: 03:11
The root cause is a pending name change request which was not applied to the user. Take a look at the person document of this user, especially the tab "Administration":
the Client Information section shows whether any name change requests are still outstanding.
Technically the name change request is stored in a field called "ChangeRequest", supported by "ChangeRequestDate", which stores the date/time when this request was initiated.
In my particular case, the name change request was almost 3 years old and it was not possible to find out what had caused this request to still appear in the system.
Workaround:
Remove both fields (or set them to an empty value), e.g. by using the Change Any Field method.
Can’t contact LDAP server- 1 June 2012 - (0) Comments
Thomas Hampel
1 June 2012
Authenticating Domino users against a remote LDAP is nothing new. Some people have blogged about it or created a presentation already.
Furthermore there are some good articles out there explaining the implementation of AD Authentication, Directory Integration and SPNEGO.
When you're done with the configuration, things may run smoothly at first, but after a few days authentication may stop working.
Restarting the server might help, but only for a short time - the reason is a bug in the Domino server, referenced as SPR# AJMO8NVM8F, where Domino seems to be unable to find the remote LDAP server any longer.
Steps to reproduce:
1. Enable the following debug parameters:
Debug_DirectoryAssistence=1
WebAuth_Verbose_Trace=1
LDAPDEBUG=512
2. After some time, Domino may become unable to contact the remote LDAP server
The error message displayed at the console is the following:
LDAP> connect_to_host: EndPoint connect failed: The remote server is not a known TCP/IP host.
LDAP> Unable to chase references (Can't contact LDAP server)
This issue has been documented in LO66491 http://www-304.ibm.com/support/docview.wss?uid=swg1LO66491
It seems the problem still exists in Domino 8.5.3 with FixPack1, so if you run into this problem, open a PMR to get a hotfix.
A temporary workaround is to issue the command "show xdir reload" at the server, which can also run as a scheduled program document every 30 minutes.
It won't fix the issue itself, but it will reload the directory assistance tables, which resets the error state back to normal.
Winmail.dat- 29 December 2011 - (1) Comments
Thomas Hampel
29 December 2011
Every couple of years the same story...
Lotus Notes/Domino users receive emails containing an attachment "winmail.dat" or "att00001.dat" which the Lotus Notes® client is unable to open.
Examination of the document properties reveals that the message was sent with Content-Type: application/ms-tnef; name="winmail.dat", which is a format only used by Microsoft® Exchange/Outlook.
The problem itself is described in IBM Technote 1093342
http://www-01.ibm.com/support/docview.wss?rs=475&uid=swg21093342
but let me point out that this clearly is not a problem caused by Lotus Domino. It is the sender's fault, because the sender has configured its messaging system to send the email in the Microsoft-specific TNEF format rather than using a common standard.
The Microsoft TNEF format is not at all a public standard like those documented in RFCs. Even Microsoft pointed out that the TNEF format isn't RFC compliant (see Microsoft KBA #323483).
According to IBM Technote 1093342, Domino administrators can enable the Notes.ini variable TNEFEnableConversion=1 on the server to improve the situation, but this can only be a short-term workaround, because every time Microsoft decides to change the format of its TNEF file type, Domino won't be able to convert the data stored within. Furthermore this file may contain specific content which Domino will never be able to convert properly, such as voting buttons or custom forms.
A real solution is to fix the problem at the source, which is to remind the sender to turn off the sending of mails in TNEF format.
Microsoft published a knowledge base article http://support.microsoft.com/kb/241538 a few years ago which suggests turning off the TNEF format either globally or per recipient.
Once again, this can only be done by the sender, or actually the sender's administrator, not by the recipient.
Please note:
If the sender is using Microsoft Exchange 2007, the format of "winmail.dat" has changed compared to earlier versions, so conversion will NOT work in some cases!!!
Since Microsoft is changing the format of the file winmail.dat whenever they want, the variable TNEFEnableConversion is not guaranteed to work all the time - Domino server crashes will be the result.
This is also true for any upcoming changes in the file format.
To avoid misunderstandings:
- The TNEF format is not based on common standards.
- Email clients other than MS Outlook cannot handle TNEF, because TNEF may contain elements such as forms or voting buttons.
- TNEF is sent as encoded raw binary, independent of what is advertised by the receiving SMTP server. As documented in Microsoft KBA #323483, this technique is not RFC compliant.
- Most Exchange admins configure their servers correctly to NOT send TNEF encoded mails to recipients on the internet.
- S/MIME signed emails will not be converted unless the Domino administrator forces the digital signature to be broken by using the Notes.ini variable TNEFBreakSMIME=1.
How to handle the problem:
- Catch all mails with Content-Type: application/ms-tnef before they arrive at the Domino server.
Return a message to the sender telling them that they should disable sending mails in TNEF format. Refer them to http://support.microsoft.com/KB/138053 for further instructions.
- Enable TNEFEnableConversion=1
Why take this risk?? Simply because your users will be frustrated getting mails with "winmail.dat" attachments.
- Do not use TNEFBreakSMIME=1
Because security warnings which the client gets used to ignoring are even worse.
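To illustrate the first and last points of the list above, here is an added example (not code from this blog or from any gateway product) of how a mail filter in front of Domino could recognise TNEF parts and tell whether the mail is S/MIME signed. The function names, the action strings and the sample addresses are assumptions; the check on the TNEF signature bytes goes beyond the Content-Type test in the text so that mislabelled attachments are caught as well.

```python
import email
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

TNEF_TYPES = {"application/ms-tnef", "application/vnd.ms-tnef"}
TNEF_NAMES = {"winmail.dat", "att00001.dat"}   # attachment names quoted in the post
TNEF_MAGIC = bytes.fromhex("789f3e22")         # TNEF signature 0x223E9F78, little-endian
SIG_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}


def inspect_message(raw: bytes) -> dict:
    """Report TNEF parts in a raw RFC 822 message and whether it is S/MIME signed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    signed, parts = False, []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "multipart/signed" or ctype in SIG_TYPES:
            signed = True
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        body = part.get_payload(decode=True) or b""
        reasons = [why for why, hit in (
            ("content-type", ctype in TNEF_TYPES),
            ("filename", name in TNEF_NAMES),
            ("magic", body[:4] == TNEF_MAGIC),  # catches mislabelled payloads
        ) if hit]
        if reasons:
            parts.append({"type": ctype, "name": name, "reasons": reasons})
    return {"tnef": bool(parts), "smime_signed": signed, "parts": parts}


def gateway_action(result: dict) -> str:
    """Hypothetical gateway policy: return TNEF mail to the sender, deliver the rest."""
    if not result["tnef"]:
        return "deliver"
    # Signed TNEF mail is only converted with TNEFBreakSMIME=1, which the post advises against.
    return "bounce-signed" if result["smime_signed"] else "bounce"


def build_sample(subtype: str, name: str, data: bytes, signed: bool = False) -> bytes:
    """Constructed test message; addresses and content are made up."""
    inner = MIMEMultipart("mixed")
    inner.attach(MIMEText("hello"))
    inner.attach(MIMEApplication(data, subtype, name=name))
    outer = inner
    if signed:
        outer = MIMEMultipart("signed", protocol="application/pkcs7-signature")
        outer.attach(inner)
        outer.attach(MIMEApplication(b"\x00", "pkcs7-signature", name="smime.p7s"))
    outer["From"], outer["To"] = "sender@example.com", "user@example.org"
    return outer.as_bytes()
```

The "reasons" list shows which of the three indicators matched, so a gateway log can distinguish a properly labelled winmail.dat from a TNEF payload sent under a generic type.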
How many users a single Domino server can handle???- 5 December 2011 - (0) Comments
Thomas Hampel
5 December 2011
In the past a lot of server.load tests have been done to "prove" that Domino can handle a certain number of users.
As you can imagine, a simulation does not really reflect what a real user can do, especially not the wide range of different actions.
So let's take a look into a production environment.... this environment is based on Domino 8.5.2 - 64Bit running on AIX.
Showing a peak of 10040 users, within just one Domino partition. This statistic doesn't say if users were happy with the response time of the server at peak workload times, which of course is something that can be figured out. However the statistic shows that Domino can handle the workload when enough I/O capacity is available.
I'm not able to share more technical details, but what I can say is that CPU and memory utilization were high, but were not reaching limits.