Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration

Query results for : Notes

IBM Connections Plug-ins for IBM Notes - without logging in at Greenhouse- 25 March 2016 - (0) Comments

Thomas Hampel
 25 March 2016

IBM Social Software already posted the availability of the new IBM Connections Plug-Ins for Notes.which adds support for Connections Cloud.
In order to get this plug in you would normally have to browse to the Greenhouse Solutions Catalog , log in , find the package of interest, and then click "Get Download".

Maybe you noticed that the zip file itself is not hosted on Greenhouse, so you do not need to log in at all for downloading it.
Just head over to developerWorks and grab the file directly using this link:

Enable Apple TouchID support in IBM Verse mobile App for IBM Connections Cloud Users- 22 March 2016 - (0) Comments

Thomas Hampel
 22 March 2016

In general IBM Verse mobile app on iOS supports Apple's TouchID for authentication.
And we might agree that using fingerprints for unlocking phone is not only a convenient way for busy people, its also more secure than a 4 (or 6) digit passcode that anyone can get by shoulder surfing

According to Going Mobile with IBM Verse ( see slide #44 ) this feature seems to be available only for on premises Domino servers so unfortunately IBM Connections Cloud users cant use it.
Well... lets see :)

First some basics

To enable TouchID support In an on premises environment, an admin needs to update the on prem Domino Directory using this template which contains a new tab for IBM Verse Security settings.
Image:Enable Apple TouchID support in IBM Verse mobile App for IBM Connections Cloud Users
Which can be allowed or prohibited...
Image:Enable Apple TouchID support in IBM Verse mobile App for IBM Connections Cloud Users
and of course those settings are applied to a user using Domino policies.
Applying the same policy to a Connections Cloud (hybrid configuration) user unfortunately has no effect. TouchID support will remain disabled.
So far about the simple stuff.

Peeking into Policies and Profiles:

When enabling this setting in an OnPrem environment, a field named "devPapplAppTouchID" is set to "1" in the policy settings document.
Taking a closer look into the user's mail file using NotesPeek the same field name can be found in a profile document called "travelerprofile"
Image:Enable Apple TouchID support in IBM Verse mobile App for IBM Connections Cloud Users
Comparing this traveler profile document of an OnPrem user with a user in Connections Cloud shows that the field does not exist. if this is the only reason for the TouchID not to work, lets try to set it :)

Activate TouchID support for Connections Cloud users

All we need to do is set the field "devPapplAppTouchID" to a value of "1" in the "travelerprofile".
To do that use the following code in an agent or button...

     Dim s As New NotesSession
     Dim profile As NotesDocument
     Set profile = s.CurrentDatabase.GetProfileDocument ("travelerprofile")
     If Not profile.IsNewNote And profile.IsValid Then
             If profile.getitemvalue ("devPapplAppTouchID")(0) = "" Then
                     Call profile.replaceitemvalue ("devPapplAppTouchID","1")
                     Msgbox "TouchID support has been enabled."
             End If
     End If

Once this code runs against the current mail file the missing field is set and a couple of minutes later TouchID support for the IBM Verse App will be enabled on your Phone.
Hint : In case you're working in a local replica, make sure to replicate

Please note the method described above is not officially supported, so please use at your own risk!


Root Cause for ’Type mismatch in method OP_UNARY’- 21 March 2016 - (0) Comments

Thomas Hampel
 21 March 2016

Quickly creating a mail with Buttons containing LotusScript can cause headaches.
It just takes a few lines of code for running into undocumented error messages here is a small example:
Image:Root Cause for ’Type mismatch in method OP_UNARY’
will result in:
Image:Root Cause for ’Type mismatch in method OP_UNARY’

Changing "if not ..." to "is ..." like shown here
Image:Root Cause for ’Type mismatch in method OP_UNARY’
will result in a slightly different error message "Type mismatch in method IfCoerceBool: Unknown found, Uknown expected"
Image:Root Cause for ’Type mismatch in method OP_UNARY’
Do you spot the problem???

What is the root cause?

The property "IsNewDoc" acutally is a property of NotesUIDocument but is not a valid property of the NotesDocument class.
For testing if a NotesDocument is a new document, use the property IsNewNote
When creating a new button within the body of a new mail, Option Declare is not enabled by default like it is in the Designer client, so the error was not detected when saving the source code.
with Option Declare enabled its easier to spot the problem...
Image:Root Cause for ’Type mismatch in method OP_UNARY’


Deploying a customized Discover page in IBM Notes 9.0.x- 17 March 2016 - (3) Comments

Thomas Hampel
 17 March 2016

Vlad Tatarincevs already described how to customize the Discover page in the Notes Client.
In his guide he is assuming that all Notes clients are installed in exactly in the same path. While this might be the case for small deployments, its often not the case for enterprise deployments.

What is this Discovery page based on?

When starting the Notes client for the first time, it creates a text file in the Notes Data directory called "populatedTemplate.txt"
This file is used as a reference for computing the Notes Discovery page which is stored in a file called "populatedHTML.htm" in the same directory.

Both files are nothing else than a HTML page which you can customize according to your needs, but since the file populatedHTML.html is overwritten every once in a while, you should not modify this file directly.
Instead apply your modifications to the "populatedTemplate.txt"

Example Customization

In my example the following customizations have been done:
Image:Deploying a customized Discover page in IBM Notes 9.0.x
This file unfortunately contains hardcoded file and path references to the Notes program directory which are unique to the current computer.
In order to deploy a customized discover page in an enterprise environment you'll need to replace the path with the correct path on every single workstation. .

Once you've done your customizations you'll need to replace hardcoded path references with a placeholder which can be updated with computer specific path information when rolling out your new discover page to end user workstations. To do this we will be using a small VBS script that will read the Notes program directory from the Windows registry (sorry, no Mac / Linux support in this example) and updates the placeholder used above with the correct path reference before copying the file into the Notes data directory.

So this is what you have to do:

1.) put your customized "populatedTemplate.txt" into a new directory, and rename the file to "DiscoveryTemplate.txt" - this file name is used in the VBS script
2.) search "DiscoveryTemplate.txt" for the path of your Notes program directory and replace it with the placeholder. In my case I'm using "@NOTESPROGRAMDIR@" which is used in the script later on.
3.) put the following VBS script into the same directory

Running the script will overwrite any current "populatedTemplate.txt" in the Notes data directory with the DiscoveryTemplate that contains your customizations.
To display the updated Discover page you need to close and reopen it in the Notes client, or just restart your Notes client once.

You can manually open the Discover page from within the "Open" menu
Image:Deploying a customized Discover page in IBM Notes 9.0.x
where the second item from the bottom is your customized Discover page.
Image:Deploying a customized Discover page in IBM Notes 9.0.x

  • Upgrading the Notes client to a future version will most likely overwrite the file "populatedTemplate.txt", so all your customizations will be lost.
  • Yes, it would be possible to deploy a custom discovery page from within the Notes client, but in my experience most enterprise environments have some sort of software distribution method for rolling out patches.

PS: Thanks to Bjoern Wolfgardt for providing a few hints and Marc for testing.

Checklist for Smartcloud Notes Hybrid Configuration- 12 November 2015 - (0) Comments

Thomas Hampel
 12 November 2015

Your first step towards the cloud is to build a hybrid environment e.g. to support a proof of concept in your environment.
In most cases customers would like to move a few users to the cloud to experience the onboarding process, confirm seamless coexistence of on-premises and cloud environments, and explore new features of the cloud such as IBM Verse.

Although IBM provides a full training course for setting up a hybrid environment, I still would like to (with friendly support of Hagen Bauer) provide a checklist for customers to support this process and getting started as quickly as possible.


This checklist may not be perfect, you should still read the documentation and talk to your certified IBM expert of choice.
It is supposed to be a checklist for customers, not for certified onboarding specialists that will move your IBM Notes mail to IBM Cloud.
Suggestions and ideas for further improvement are always welcome.


This is a graphical overview of a hybrid environment. On top are your (On-Premises) servers, at the bottom are cloud servers and in between (red) the internet.
Image:Checklist for Smartcloud Notes Hybrid Configuration

  • Check your inventory! Are current servers available? Are they accessible? Are they placed in the network zone they are expected to be?
    See graphic above and verify positioning of:
    #1 = Domino Administrator Client
    #2 = On-Premises Mail Server
    #3 = On-Premises Directory Mail Server
    #4 = Passthru Server in DMZ
  • Complete this table with data from your environment. Make its correct and complete.
  • Configure your Firewall for inbound and outbound traffic.
    Check twice, and verify Firewall settings once again before claiming to be done. A mistake at this point will cause headaches later on.
  • Make sure your passthru server is using the same root certificate as your HUB and MAIL server?
    Can the Admin client (see #1 in the graphic above) access the passthru server?
  • Create a new OrgUnit based on your current Domino certificate. This certificate will be used later on for all your Domino servers in the cloud.
    Example: "/SCN/Company" or "/Cloud/SRV/Company"
  • In your current environment, does your Global Domain Document meet those requirements?
  • Make sure you still have the SmartCloud activation email available. The one that contains the SmartCloud activation link.
    Oh, and make sure the link has not expired.
  • In the SmartCloud Notes account initial setup, did you choose "Hybrid Account" ?
    If not you need to request a full reset of your account by contacting
  • Define a name prefix for your cloud mail servers. Choose a short but remarkable prefix and dont pick something too fancy.
    Example: **Cloud-**/SCN/Company
  • Are you prepared to create new and modify existing DNS records for your company domain?
    Make sure you have control over your DNS records.


All of the above steps are part of the documentation, but not in a single place. I hope you can make use of this reference in your SmartCloud onboarding project.
Feedback is very welcome, so drop me a mail or send a tweet


Out of Office - Send Full Copy to deputy- 9 August 2015 - (0) Comments

Thomas Hampel
 9 August 2015

Summer time, vacation time... You have enabled Out of Office notification, so why would you want to duplicate inbound mails?
Lets say you really are offline and you want your deputy / stand-in to take care of new mails, what options do you have?
In best case we want a deputy to receive a copy of each mail while keeping the original mail in your inbox.

Delegating Access
A first option is delegating access to your mail - this will grant read access to all your data and your deputy wont get notified on new mails.
Another option is to just forward all mails to your deputy by defining a forwarding address in the person document:
Image:Out of Office - Send Full Copy to deputy
This is not a good idea for people who want to see what happened while they were out because mails will just be forwarded. You wont get any mail in your inbox this way.
It might not even be an option as some organizations do not allow users to edit the person document.

Mail Rules
Another option is to use mail rules in your Notes client to send a copy of each inbound mail to somebody else. This can be done by creating a new rule which applies to all documents...
Image:Out of Office - Send Full Copy to deputy
and defining a recipient of your choice --- in this example its ""
Image:Out of Office - Send Full Copy to deputy
Works like a charm, but what if your Administrator has disabled user rules mail forwarding in the configuration document of your server?
Image:Out of Office - Send Full Copy to deputy
...or even took more drastic measures like modifying your mail template to not even show the option "Send Fully Copy to..:" ?

You could look into writing an agent that runs on the server, but no Domino Admin should allow users to run scheduled agents on the mail server.
So trying to create an agent in your mail file will most likely end up with "You are not authorized to use agents in this database"
Image:Out of Office - Send Full Copy to deputy

Duplicate Mails (with help of your Domino Administrator)
Since you have rewarded your administrator recently for keeping your computers running you'll get friendly support for the following configuratoin:

What you need to do:
1.) Create a Mail-In Database document which points to the mail file of the user who is out of office.
Make sure the Mail-in name is unique and does not resolve name lookup conflicts
Image:Out of Office - Send Full Copy to deputy

2.) Create a Group of type "Mail only",
members of this group will be Mail-in database which has been created above as well as any person who shall receive a copy of the mail(s).
You can define one or multiple recipients using internet mail addresses or Notes user names.
Image:Out of Office - Send Full Copy to deputy

3.) Edit the person document and put the Group name created above to be the forwarding address
Image:Out of Office - Send Full Copy to deputy

4.) Testing
Wait for replication to finish within your Domain and send a test mail to the user.
This mail will be delivered to the original users mail file and also to the deputy(s) defined in the group.

Depending on how you have configured the Recent Contacts feature your Notes client might show the name of the mail-in database in future name lookups.
If this is an issue either purge your recent contacts or disable it completely


Notes Widgets disappear from Catalog- 1 June 2015 - (0) Comments

Thomas Hampel
 1 June 2015

You are wondering why your beloved Notes widget all of a sudden is no longer available in the Widget catalog?
Of course the administrator of trust did not do anything - so what happened?

Here is a small hint:
Take a quick look into the widget catalog, there is a scheduled agent...
Image:Notes Widgets disappear from Catalog

and the brief description
%REM *********************** Agent Notes **************************
This agent checks all new/modified documents to make sure that the
user created the document properly. It checks to make sure the proper
items are in place, and it also verifies that the categories that are
set are allowed by the document creator.

*************************** INTERACTIONS ***************************
There are no interactions with this agent. It is a scheduled agent
that is set to work against new/modified documents.

If anything, such as AdminP, modified the document then this agent will run. In our case it was an AdminP name change request which caused the document to be modified.

Users can create new mails despite being over quota- 29 May 2015 - (0) Comments

Thomas Hampel
 29 May 2015

You have deployed mail quotas in your environment and your Notes Clients are configured to use local replicas or managed replicas.
Still you experience mail files are growing over quota limits without user complaints. How is this possible?

It seems there is a bug in the IBM Domino mail template version 9.0.1 which allows to create and send new mails even when the mail file is over quota.

Reproducing the problem

When working on the server replica:
  • create a new mail and try to save it will correctly display this warning:
    Image:Users can create new mails despite being over quota
When working on the local replica:
  • Create a new mail will display this error message, but clicking OK allows to continue saving & sending the new mail.
    Image:Users can create new mails despite being over quota
    Notes.ini variables have been verified to be set correctly on the client

The problem is known to IBM and is documented as LO83693 "Enforcing Quotas on new mail creation in local based mail files not reliably working in Notes 9.0.1"

How to fix it

As usual there are two options:
a) Wait for IBM to provide a new version of the mail template - maybe this will be done in the next major release.
b) fix it yourself by modifying the template with your Domino Designer client as described below:

Within the QueryOpen event of the form(s)  "Memo", "Reply" and "Reply with History" , "To Do", "_Calendar Entry", etc. search for the quota checking code and remove the "Executive" statement incl. its brackets.
Image:Users can create new mails despite being over quota

Interesting to note that special forms do not contain this code so they do not need to be patched
Image:Users can create new mails despite being over quota
Please note that design elements need to be signed properly in order to avoid ECL warnings on the client side.

  • LO83693: Enforcing Quotas on new mail creation in local based mail files not reliably working in Notes 9.0.1

Special thanks to Michal Wolczyk for this analysis and Marc for finding this bug.

Opening another mail file is causing Type mismatch in method CoerStrToNum: STRING found, DOUBLE expected- 7 January 2015 - (2) Comments

Thomas Hampel
 7 January 2015

Opening the mail file of another person is causing the message "Type mismatch in method CoerStrToNum: STRING found, DOUBLE expected" to be displayed:
Image:Opening another mail file is causing Type mismatch in method CoerStrToNum: STRING found, DOUBLE expected
While IBM Technote 1303181 only provides a basic idea of what is wrong, it does not give any idea what can be done to fix it.
So I had to look into details and quickly found the problem.

Steps to reproduce

In order to reproduce the problem, this is what you have to do:
  • Make sure you have the Notes.ini variable CHECK_QUOTA_ON_MAIL_CREATE set to 1
  • Open another person's mail file, this will write the current date at the end of the Notes.ini variable DELEGATED_MAIL_FILEx
  • Close your Notes client
  • Change the date format of your operating system from DD.MM.YYYY to MM/DD/YYYY (or the other way around)
  • Open the same other persons mail file again.


Trying to find the root cause with debugging enabled shows a different error "*CE39918+421: Type mismatch"
Image:Opening another mail file is causing Type mismatch in method CoerStrToNum: STRING found, DOUBLE expected
but at least it indiicates the problem is located in the Database Open script.
Image:Opening another mail file is causing Type mismatch in method CoerStrToNum: STRING found, DOUBLE expected

What is causing this problem?

Obviously it is a String to Date conversion issue. Storing a Date in a String to convert it back to a date is never a good idea. If you really need to do it you should not rely on the CDat function to work. Write your own function which does ignore the
Regional settings - in specific the date format - of this workstation have been changed.

Resolving the problem

Change the date format of your operating system back to what it should be.
If the date format of your computer is correct and the problem still persists, then manually update your Notes.ini and remove all lines starting with DELEGATED_MAIL_FILE or by updating the date format at the end of this line yourself.

Permanent solution

A perfect solution would require to update the mail template to be updated. in specific the script Library "CheckQuotas" contains a class called "CheckQuota" with the Sub "SetCalMgrINI"
This sub contains several references where a string is being converted to a date. This is where additional verification is required to ensure the string value is a date which can be converted using the current regional settings.
Image:Opening another mail file is causing Type mismatch in method CoerStrToNum: STRING found, DOUBLE expected

RSS Feed Reader - Error: Unable to download a feed from host- 18 December 2014 - (1) Comments

Thomas Hampel
 18 December 2014

Some time ago a user started to claim his Notes Sidebar would no longer display latest RSS news feeds.
Asking for details we checked functionality by subscribing to a new feed....which did not work either. The Notes client was throwing an error:

Image:RSS Feed Reader - Error: Unable to download a feed from host


At first one might think this is caused by the RSS feed itself, but since I'm a subscriber of the same feed I knew the root cause must be something different.

Within the corporate network Notes clients must be configured to use an HTTP proxy in order to access the internet, testing revealed outside of the customers network it is working fine when HTTP Proxy settings are disabled,

Feed reader components itself are running on the latest version, so
Michael Urspringer's hint (= SPR # IFAY7CTHAR ) seems not to apply
Image:RSS Feed Reader - Error: Unable to download a feed from host

Opening a PMR was followed with the usual request for logs and a
Wireshark network trace.
After some investigation and
discussions it turned out the network team changed some settings on the HTTP proxy server to block all HTTP traffic from web browsers where the user agent string includes "Windows NT 5.1" (which is Windows XP) because WinXP being out of support.

Wireshark showed the default setting for the feed reader in Notes 9.0.1 is user agent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"

...but how can you change this default??

A small hint can be found in the release notes of a previous
Notes client (8.5.2FP1) fix list
Take a closer look to SPR# MWER88NFWT which outlines the settings required for modifying the useragent.:

"Added an option to allow customers to override the "User Agent" value for Notes Client Feedreader. By default, Feed Reader authenticates itself as "MSIE 7.0" even on Linux and Mac.  
Customers can optionally add the following 2 lines to the /framework/rcp/plugin_customization.ini: SPECIFIED VALUE (<-replace CUSTOMER SPECIFIED VALUE with the value of your choosing)"

  • Change the useragent string of the feed reader to anything else. (You can find a long list of user agents to choose from as part of a Firefox Plugin.)
    Modify the file /framework/rcp/plugin_customization.ini and add the following lines for testing (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/25.0
  • After successful testing, deploy this parameter to all users by using Desktop Policies / Managed Settings:
    Image:RSS Feed Reader - Error: Unable to download a feed from host


The HTTP proxy was configured according to
RFC 3314 but mistakenly assuming WinXP in a useragent string is evil
....and of course...
whatever is wrong, it must have been the network guy!

Deploying IBM Notes Dictionaries in XTAF format using Widgets- 17 December 2014 - (1) Comments

Thomas Hampel
 17 December 2014

Believe it or not, English is not the only language on our planet...and the Notes client of course needs to provide spell checking capabilities for the most common languages.
For Notes v8.5.1 and above IBM provides dictionaries in XTAF format shipped in a ZIP file which can be
installed via File\Applications\Install, but I dont want the average end user to do that alone.

Although the Notes Client installer package can be customized to
include additional dictionaries, you probably have deployed the Notes Client already.
So how do you deploy additional dictionaries without building a new client package, preferably in a way that end users can self decide which dictionaires they would like to install?

Main idea is to use Widgets for allowing users to self install dictionaries they need by using a Widget Catalog and thw My Widgets sidebar of the Notes client.
Ok, lets get started...

  • Download the required dictionary files Passport Advantage
    Package is titled "IBM Notes XTAF Dictionaries V9.0", part numbers are :

Build an Eclipse UpdateSite for the XTAF dictionaires
  • Extract the packages to a new temporary folder, once completed it should somewhat look like that:
    Image:Deploying IBM Notes Dictionaries in XTAF format using Widgets
  • Now you would create one subfolder for each language and extract EACH of the ZIP files into its own folder, and unzip files one by one.
    If you dont like to do this yourself, just put the following batch file into the same folder and run it.
    It will use
    7zip (which you have installed hopefully) to unzip each file to its own subfolder

    Once completed you should have 23 subdirectories by now, each one should contain the following:

    Image:Deploying IBM Notes Dictionaries in XTAF format using Widgets
  • Create a new NSF based Eclipse UpdateSite, a new one is recommended for not mixing up with other versions
    Make sure to set up a propper ACL, users should have read access only!
  • Open the newly created database and use the button Image:Deploying IBM Notes Dictionaries in XTAF format using Widgets to load each of the XTAF dictionaries into the Eclipse Update Site
    The result should look like this:

    Image:Deploying IBM Notes Dictionaries in XTAF format using Widgets

Creating Widgets
  • If not already available, create a new Widget Catalog as described here
  • In your Notes Client, start creating a Widget by clicking the icon "Getting Started with Widgets...."
    Image:Deploying IBM Notes Dictionaries in XTAF format using Widgets
  • In the first dialog choose "Features and Plugins"
    Image:Deploying IBM Notes Dictionaries in XTAF format using Widgets
  • Enter the URL for the update site.
    If you want the connection between the client and the server to use the Notes protocol, use "nrpc://" e.g.  "nrpc://your-servername/path/updatesitefilename.nsf/site.xml"
    if you want to use the HTTP protocol, use "http://" or "https://", e.g. """
    Click on "Load" to see the list of available features to install.

    Image:Deploying IBM Notes Dictionaries in XTAF format using Widgets
  • Select the language(s) you want to wrap into a widget, click Finish to create a widget.
    I do recommend one widget for each language, of course you can also wrap all at once into a single Widget or just use subset of available dictionaries.
    Note: You do not need to restart the Notes client when you are prompted.
  • Within the Widget Sidebar of your Notes Client, choose the new widget and right-click it to publish the widget to the widget catalog
    Image:Deploying IBM Notes Dictionaries in XTAF format using Widgets
    Dont forget to add meaningful details in the new document so that your end users know what the widget provides.
    e.g. All Dictionaries for IBM Notes 9.0
    and in the details section of the widget, provide a meaningful text explaining how to install a widget, e.g.:
    The result should somewhat look like this:

    Image:Deploying IBM Notes Dictionaries in XTAF format using Widgets

What end users need to do to (manually) install a new dictionary
When not using policies, end users need to...
  • Click "File\Preferences\" and select "Widgets"
  • Enable "Show Widget Toolbar..."
    Image:Deploying IBM Notes Dictionaries in XTAF format using Widgets
  • This will show the new My Widget sidebar panel on the right hand side of the Notes client.
    Image:Deploying IBM Notes Dictionaries in XTAF format using Widgets
  • Click the first icon Image:Deploying IBM Notes Dictionaries in XTAF format using Widgets "Browse the Widget catalog"
  • Open the widget catalog entry for the language(s) you want to install
  • Drag & drop the file attachment "extension.xml" from the catalog into the "My Widgets" sidebar
    The Notes Client will now automatically install the dictionary files and will prompt to restart the Notes client.

    Image:Deploying IBM Notes Dictionaries in XTAF format using Widgets
  • After restarting the Notes Client, additional dictionaries are available in "File\Preferences\Spell Check"
    Image:Deploying IBM Notes Dictionaries in XTAF format using Widgets

How to deploy dictionaries using Domino policies
  • Within the Desktop Policy Settings, verify that you have specified the widget catalog server and filename
    Image:Deploying IBM Notes Dictionaries in XTAF format using Widgets
  • In the same document, define a catagory which will be automatically deployed to end users, in this example it is "Autodeploy"
    You can of course use the category "Dictionaries" which you have defined when creating the widget itself but this will not allow to fine tune which dictionary to be pushed out.

    Image:Deploying IBM Notes Dictionaries in XTAF format using Widgets
  • Back in the Widget Catalog, modify those widgets which you want to deploy and add the (new) category "Autodeploy" to each of them.
    Image:Deploying IBM Notes Dictionaries in XTAF format using Widgets
  • Once done, the widgets/dictionaries will be deployed to your end users the next time they start the Notes client.


I know there are lots of other methods to roll out dictionaries, e.g. by using File\Application\Install , but I find this too complicated for average users.

Make sure to show the sidebar "My Widgets" to your users...
If you're using a desktop policy, check if you have set the parameter "Show the My Widgets panel in the sidebar:" set to "Yes" in the tab "Widgets" of the applicable policy settings document.


Making Internet Mail Secure with just a few clicks - S/MIME in Domino- 9 May 2014 - (0) Comments

Thomas Hampel
 9 May 2014

I'm wondering why internet mails are still sent unencrypted, at least for a large extend. You should not make it too easy for your enemy to spy on you just by sniffing your internet traffic. This blog post is a reminder for Domino admins who still force mails sent unencrypted over the internet to take action now. No, I'm not talking about transport level security for now, this post is to provide end to end encryption.

After having read the-dummies-guide-to-2048-bit-ssl-self-signed-certificates-in-domino.htm you are ready for securing your internet email with S/MIME.
So lets roll out S/MIME certificates to Notes users in a Domino domain:

Basic steps are:

1. Create a key ring file
that contains a self signed (or trusted ) certificate
For more information on how to create a self signed CA, read the-dummies-guide-to-2048-bit-ssl-self-signed-certificates-in-domino.htm

2. Set up the CA process in Domino

Nobody wants to deploy S/MIME certificates to users manually, so it is recommended to
set up the CA process in Domino,
otherwise an Admin needs to enter the password of the keystore every time a new user is being registered.

3. Migrate an (internet) Certifier into the CA

Just read and follow
instructions for migrating an existing Certifier/KeyRing , or create a new one using the use the step by step instructions starting with slide #89
Remark: You must refresh the CA process in order to see the newly migrated certifier, use the server command "tell ca refresh" and "tell ca status"

4. Rolling out Internet Certificates to Users

Follow instructions for
Issuing Internet certificates in a Person document or use the  step by step instructions starting with slide #149
Here the CA process becomes very handy when the rollout is done in waves.


Once AdminP completed, the Notes Client will pick up the new keys the next time it authenticates with the Domino server and the new S/MIME certificate will then be merged into the users ID file.
If an IDVault is in use, the Notes Client will then upload the ID file to the vault automatically.

What about Step-by-Step deployment instructions?

Those have already been provided byTom Truitt's in his Lotushpere 2011 presentation
SHOW104 - Crispy Certificates with Spicy SSL Salsa
One might also want to know
how to enable S/MIME in BlackBerry Enterprise Service 10 and should keep in mind S/MIME in IBM Notes Traveler still seems to be an issue (Reference Technote #7039769 )

How to obtain the internet certificate's public key of a user?

When receiving internet mail users of the same domain can pick up the public key of a user from the Domino Directory, but users receiving mail from the internet need to ask the sender for a signed email to add the senders internet certificate to local address book manually. The option can be found in the "Add Sender to Contacts" dialog box...

Image:Making Internet Mail Secure with just a few clicks - S/MIME in Domino

at the very bottom there's a small check box...

Image:Making Internet Mail Secure with just a few clicks - S/MIME in Domino

Now you can send & encrypted mail(s) via the internet - sniffing network traffic wont provide the mail body in clear text anymore.
Of course enabling S/MIME for external communication is just a first small step and you know its not a perfect way
to protect your privacy forever.

Overall, this is just some very basic knowledge every Domino administrator should have applied for years, but unfortunately...
Yes, there is more to say about S/MIME in Domino, a lot more - so there will be another blog post about this topic.

Further reading

Product codes for Notes 9.0.1 Multilingual User Interface (MUI) packs- 6 May 2014 - (0) Comments

Thomas Hampel
 6 May 2014

Customers were demanding for it and here they are - the Multilingual User Interface (MUI) kits for the Notes Client V9.0.1
Those kits allow switching between different languages without the need to reinstall a new client software each time.

For further reference, the table below provides the part numbers to download the packages from
Passport Advantage
Notes V9..0.1 Standard Basic Browser Plugin
IBM Notes 9.0.1 Client Windows English ( Announcement Letter ) CIQ7REN CIQ7QEN Full = CIQ90EN
Lite = CIQ96EN
IBM Notes XTAF Dictionaries V9.0 for Windows Multilingual
(Mac=CIF0DML , Linux=CIF6BML)
Multilingual User Interface for ...
Group 1 - Catalan, Chinese Simplified, Chinese Traditional, French, German, Italian, Japanese, Korean, Portuguese, Brazilian, Spanish ( Announcement Letter ) CIV5HML CIT8TML  CIT9GML
Group 2A - Danish, Dutch, Finnish, Norwegian, Swedish  ( Announcement Letter ) CIUZ6ML CIUZ7ML CIUZ8ML
Group 2B - Arabic, Czech, Greek, Hebrew, Hungarian, Polish, Portuguese, Russian, Turkish CIVY2ML CIVY5ML CIVY6ML
Group 3 -  Kazakh, Slovakian, Slovenian, Thai CIVY3ML CIVY4ML CIVY7ML


Unable to set/unset ’Record activity’ programmatically- 9 March 2014 - (0) Comments

Thomas Hampel
 9 March 2014

One little checkbox in Notes/Domino which can cause some headaches is "Record activity" which can be found in the Database Properties / User Detail window.
Audit & Compliance teams as well as work councils love it...

Image:Unable to set/unset ’Record activity’ programmatically
...and they always have the same opinion on how to set it, right?

Yes, I know you can
disable actvity logging for all databases on a server to improve performance, but what if you need the opposite compliance reasons? What if you need to enable activity logging for a few (hundred) databases at once, but not for all?

Developers of crouse will start searching the
Designer documentation for a LotusScript class of some sort, realizing quickly that it doesnt exist.
Next step of your research would be the
Notes C/C++ API Toolkits which normally provide methods to resolve the toughest problem -- bad luck this time.

Furtunately there are
clever business partners who seem to have found a way to mass-modify user activity settings by using the full version of the databaseEZ tool. (Thanks Ben for the hint)
Although this tool provides fast pain relief it is not always a perfect solution - think of situations where a large amount of servers is involved, or where admins dont have manager access to mail files, or where the setting has to be set on a regular basis etc.

So unfortunately there seems to be no (easy) programmatic way to modify this flag, at least there is no ready-made C-API, LotusScript or Java class for changing it.

The problem has already been reported to IBM within SPR # MSTS9G3AVP

Testing knowledge - IBM Certified Advanced System Administrator Notes and Domino 9.0 - 11 February 2014 - (1) Comments

Thomas Hampel
 11 February 2014

Two weeks ago at IBM Connect 2014 attendees were able to test their knowledge in the IBM Certification Lab.
Most of the IBM Certification tests were offered, so I decided to sign up and give it a try without any preparation.

For updating my existing Advanced System Administrator certificate to version 9.0 level, the following two tests were required

Both tests were simple, for Traveler you need to know how to configure Traveler in high availability mode and for the Upgrade examn most questions were about SAML & OpenSocial.

Having passed the upgrade examn and the IBM Traveler exam, this certificate was sent to me as an official statement that I have qualified as IBM Certified Advanced System Administrator for Notes & Domino 9.0

Image:Testing knowledge - IBM Certified Advanced System Administrator Notes and Domino 9.0

Next action: updating my Certified Advanced Development Certificate to version 9.0 and signing up for Connections & Sametime tests.

Converting Private to Public folders- 6 February 2014 - (0) Comments

Thomas Hampel
 6 February 2014

After a migration from Exchange to Domino a customer reported that some folders are not visible iNotes but are available for the Notes Client.
In this particular case the folders not showing up have been created as private folders...and private folders are not supported in iNotes as documented in IBM Technote 1445118

Changing the field flags of the folder design element from private to public turned out not to be working anymore. A script which I have been using to resolve this problem with earlier versions of Notes did not work and just created a folder which can not be deleted/moved/renamed.
So I wrote this small script to fix the problem by creating a new temp folder -which will not be private by default- and moving documents from the private folder into the newly created folder. Once done, deleting the private folder and renaming the new folder.

One small drawback is that the original folder design will get lost because we are creating a brand new folder from the default folder design.
However, feel free to use this script at your own risk.


Sametime Missing single sign on token- 2 September 2013 - (1) Comments

Thomas Hampel
 2 September 2013

I've just fixed an authentication issue in a customer environment and wanted to pass along the findings.

The problem:
Sametime users can log on to via username/password, but SingleSign On isnt working as expected.
On the client, the configuration pretty much looks like that:
Image:Sametime Missing single sign on token

Authentication via Domino SingleSignOn is working fine at the first Notes Client logon. Once the client disconnects, e.g. network disconnect, computer went on standby, etc. etc. the Notes client can no longer authenitcate with the server. The error message "Missing single sign on token" is displayed.
Image:Sametime Missing single sign on token
For now, clients had to restart the Notes Client to log back into Sametime.

Root cause:
After successful authentication, the server is handing out a token (LtpaToken) to the client which seems to be bound to the DNS domain specified in this token.
The Sametime community configured at the client must be in the same DNS zone, otherwise users can only log in once but not re-logon without restarting the client.

Check the following three places and make sure the DNS domain specified is the same.
  1. The LtpaToken used by the server
    see Domino Directory : Web Configurations\Web SSO Configuration\LtpaToken
    Image:Sametime Missing single sign on token
  2. The Server document
    - Basics \ Fully Qualified Internet Host name
    Image:Sametime Missing single sign on token

    - Internet Protocols \ HTTP \ Host Name
    Image:Sametime Missing single sign on token
  3. Notes Client Preferences \ Sametime Communities
    Image:Sametime Missing single sign on token<< obviously this screenshot shows a different Domain name than the one specified in the LtpaToken

  • Without an authentication server specified, Notes will obtain the token directly from the Sametime server configured. If the token is obtained from an authentication server, the secret key within the token of course will have to match the token configured in your Sametime server.
  • A complete list of settings that can be predefined within the Sametime client by using Domino policies is available here

IDVault - ID file upload fails with Error 03:11- 16 August 2013 - (0) Comments

Thomas Hampel
 16 August 2013

A Notes ID is not uploaded to an IDVault although the configuration of the Client itself as well as the IDVault incl. its trust certificates seem to be correct.


The administrator wanted to force the Notes client to upload his ID file to the server, since there already was an (old) IDfile stored in the vault, it has been deleted manually.
However, the client still doesnt upload its local userID.

Looking at the servers log file / Security Events....

Image:IDVault - ID file upload fails with Error 03:11
provided a few hints about the problem:

> Unable to find ID for 'dummy username/OU/O' in vault 'O=IDVault'.  Error: 03:11
> ID failed to authenticate in vault 'O=IDVault'.  'dummy username/OU/O' (IP address made request.  Error: 03:11

and further down other user names:

> Error: Entry not found in index

Indicating a view isnt updated...


1.) Update the view index for the hidden view $IDFile in the IDVault database by using the following command
load updall -R IBM_ID_VAULT\IDvault.nsf

2.) Remove the pending name change as described in my previous blog post id-vault-error-0311.htm

Hint: Although this has fixed the problem in my case, there's more to know.

IDVault does not honor view updates made directly in the database, maybe for performance reasons.
There is a DEBUG parameter for the IDVault which can override this behaviour so that VIEWUPDATES are being reflected/enabled.

Product codes for Notes 9.0 Multilingual User Interface (MUI) packs- 10 August 2013 - (0) Comments

Thomas Hampel
 10 August 2013

Customers were demanding for it and here they are - the Multilingual User Interface (MUI) kits for the Notes Client V9.0.
Those kits allow switching between different languages without the need to reinstall a new client software each time.

For further reference, the table below provides the part numbers to download the packages from Passport Advantage
Notes V9.0 Standard Basic Browser Plugin
IBM Notes 9.0 Client Windows English CIB8LEN CIB8JEN Full = CIF0AEN
Lite = CIF0BEN
IBM Notes XTAF Dictionaries V9.0 for Windows Multilingual CIF0EML
Multilingual User Interface for ...
Group 1 - Catalan, Chinese Simplified, Chinese Traditional, French, German, Italian, Japanese, Korean, Portuguese, Brazilian, Spanish CIJ7MML CIJ7NML CIJE2ML
Group 2A - Danish, Dutch, Finnish, Norwegian, Swedish CILI6ML CILI7ML CILI8ML
Group 2B - Arabic, Czech, Greek, Hebrew, Hungarian, Polish, Portuguese, Russian, Turkish CINL5ML CINL8ML CINL9ML
Group 3 -  Kazakh, Slovakian, Slovenian, Thai CINL6ML CINL7ML CINM0ML

  • Installation instructions essentially are the same as in earlier versions, so refer to IBM Technote 1288585 for more information.
  • Upgrading from Notes 8.5.3 with a language pack installed directly to Notes 9.0 is not possible according to IBM Technote 1620790 so you need to uninstall it first.
  • For information on how to install XTAF spell check dictionaries please see Technote # 1411732

Achieving (a working) high availability with IBM Lotus iNotes- 2 July 2013 - (0) Comments

Thomas Hampel
 2 July 2013

We all like well working products and love good documentation, even better when there is a step by step instruction on how to set up a specific configuration to work perfectly.
One of those often referenced instructions is an IBM developerWorks article "
Achieving high availability with IBM Lotus iNotes" based on a product from BigIP F5 which explains a clever reverse proxy configuration for optimizing performance.

Unfortunately the configuration outlined there DOES NOT WORK because it contains multiple errors/failures/mistakes.

Following instructions step by step will make it impossible to get the expected solution in place. Let me explain the problem in more details.

For a small environment with only two servers in one cluster, you wont notice any problem, everything seems to work perfectly.
What you dont know is that the iRule does not work, and traffic is always dispatched to both of your servers. As soon as you will have multiple clusters involved the problem becomes visible.

From time to time users receive "Error 404 - HTTP Web Server: Lotus Notes Exception - File does not exist" which indicate that traffic was routed to a server that does'nt host the file requested.

The (not working) documentation has been published in at least two other places, a DominoWiki Article and a WhitePaper

Lets get back to the roots - according to the developerworks article this is what (in theory) should happen:

BigIP F5 reverse proxy appliance will intercept inbound HTTP requests which end with ".nsf" and are not dedicated to "names.nsf"

Domino will figure out which servers are hosting the requested file and will return a list of server DNS names in form of an HTTP header.

The problems are:
  • BigIP will send traffic to any server in the server pool which is configured - so your session can end up on any randome cluster/server which may not host the database you are looking for.
  • Domino lookups are performed towards the local "cldbdir.nsf" which holds information from databases in this cluster only. What if there are multiple clusters involved?
According to the documentation: "X-Domino-ReplicaServers is returned when the service finds the relevant path within its own cluster, whereas X-Domino-ClusterServers is returned only when the mail servers are part of a different cluster."
but the iRule itself is only referring to "X-Domino-ClusterServers", the other header "X-Domino-ReplicaServers" is never used. #fail !

Lets look into details:

In Domino, a customized ServersLookup form in "iwaredir.nsf" is used to lookup the "cldbdir.nsf" to figure out what servers are hosting the file and will return this information as part of an HTTP header.
Sniffing network traffic using
Wireshark shows that the HTTP header is never returned, it also shows that the URL referenced in the iRule is never called.

According to the iRule documented in
Appendix B is calling the (modified) ServersLookup form to retreive the list of servers as an HTTP header,

HTTP::uri /iwaredir.nsf/ServersLookup?OpenForm&nsfpath=$nsf

unfortunately this iRule is never called., because it is expecting the request URL to >end< with ".nsf"

if { ([HTTP::uri]ends_with ".nsf") and not ([HTTP::uri] contains "names.nsf")}{

Ok, lets try to fix it !

Resolving the problem requires changes on both sides, multiple changes in Domino and changing slightly the F5 iRule. I'm trying to cover the modifications step by step

Part 1 - Lets start with the iRule,

here you need to change the if-clause to check for "path" rather than "uri", and also exclude any any lookups towards "iwaredir.nsf", changes are highlighed in bold.

if { ([HTTP::path]ends_with ".nsf") and not ([HTTP::path] contains "iwaredir.nsf") and not ([HTTP::path] contains "names.nsf")}{

Part 2 - Database Catalog

In order to find the correct servers at the first attempt, my idea was to look up the (in our case always perfect) database catalog to find the servers hosting the requested file.

To do that we will need to create a new (hidden) view in the catalog.nsf with two columns
View Formula SELECT @IsAvailable(ReplicaID)& @IsUnavailable(RepositoryType)
Column1 Formula Pathname
Column2 Formula ReplicaID2 := @If((@Text(ReplicaID; "*") = "00000000:00001601"); "Non-replicatable files"; ReplicaID);
@Text(ReplicaID2; "*")
Column2 Programmatic Use TextReplicaID

Part 3 - ServersLookup

Now lets make use of the view by updating the code in the "ServersLookup" form of the file iwaredir.nsf.

If no parameter is provided, its assumed the user wants to access his mail server
The code behind the $$HTMLHead field should look like this:

tmpDebug := "";

tmpNSFPath := @ReplaceSubstring(@URLDecode( "Domino"; @UrlQueryString("nsfpath") );"/";"\\");

@If (tmpNSFPath = ""; tmpNSFPath:=@Name([Canonicalize];@NameLookup( [NoUpdate];@UserName; "MailFile" ));"");

REM {Lookup home mail server };

tmpHomeServer:=@Name([Canonicalize];@NameLookup( [NoUpdate];@UserName; "MailServer" ));

tmpLookupKey := @ReplaceSubstring (tmpNSFPath
;"\\";"/") ;

REM {Get replicaID of this mail file};

tmpReplicaID := @DbLookup( "":"" ; "":"catalog.nsf" ; "($LookupServerFilename)" ;tmpLookupKey; "TextReplicaID");

REM {Find all servers who are hosting this replicaID  };

tmpServers := @DbLookup( "":"" ; "":"catalog.nsf" ; "($ReplicaID)" ;tmpReplicaID; "Server");


REM {Is Home Mail server in list of servers, then move this up to the front of the list};

tmpServers := @If(@IsMember(tmpHomeServer;tmpServers);tmpHomeServer : @Transform(tmpServers;"x";@If(x=tmpHomeServer;@Nothing;x));tmpServers);

tmpDNSNames := "";

REM {Resolve host names for each server name in list};


@For(n:=1;        n tmpHTTPHostNameALT:=@Subset(@DbLookup( "":"" ; "":"names.nsf" ;"($ServersLookup)" ; tmpServers[n] ; "HTTP_Hostname");1);

tmpServerFQDN:=@Subset(@DbLookup( "":"" ; "":"names.nsf" ; "($ServersLookup)" ; tmpServers[n] ; "SMTPFullHostDomain");1);


tmpDNSNames := @If(@Length(tmpDNSNames)>0;tmpDNSNames+",";"") + @LowerCase(@If (tmpHTTPHostNameALT!="";tmpHTTPHostNameALT;tmpServerFQDN))


REM {Return results to F5};





Session persistence is causing some headaches when F5 needs to select an address from the pool. To work around this issue you can use this iRule



No more nasty HTTP404 unless the database really can not be found anywhere.
Of course even this solution depends on a few assumtions, one is the catalog must be up to date and must be replicating within the environment.

Disclaimer: Use at your own risk, no warranty is provided. However, please let me know if you have further suggestions how to improve this solution.

Enable ’Show in-line MIME images as attachments’ via Policies- 11 February 2013 - (0) Comments

Thomas Hampel
 11 February 2013

Some Notes client preferences can not be enabled via Domino Policies because the values are not exposed as a parameter in the Domino Directory template.
One of them is "Show in-line MIME images as attachments"
Image:Enable ’Show in-line MIME images as attachments’ via Policies

In order to enable/disable this setting, you'll have to set a Notes.ini variable via policies

Instead of modifying the Domino Directory template its enough to add this variable in the custom settings section of the Desktop policy settings.
Image:Enable ’Show in-line MIME images as attachments’ via Policies
Image:Enable ’Show in-line MIME images as attachments’ via Policies

Backup Notes ID on local computer- 14 January 2013 - (0) Comments

Thomas Hampel
 14 January 2013

On special request of a customer, I'm posting a little LotusScript to back up the current NotesID locally.

        Dim s As New NotesSession
        Dim NotesID$, BackupID$, NotesData$
        NotesData = s.Getenvironmentstring("Directory", True)
        NotesID$ = s.Getenvironmentstring("KeyFileName", True)
        '# check if the 2nd character in the string NotesID is a ':'
        If Not Right(Left(NotesID$,2),1) = ":" Then
                '# NotesID is located within Data Directory
                NotesID$ = NotesData$ & "\" & NotesID$                
        End If
        Print "Current NotesID is : " & NotesID$
        BackupID$ = NotesID$ & ".bak"
        Print "Backup will be stored in : " & BackupID$
        If Dir$ (BackupID$,0)="" Then
                '# No previous backup found, so okay to continue
                '# Previous backup found, so deleting existing file and create a new backup
                Print "Previous backup found, so deleting existing file and create a new backup"
                Kill BackupID$
        End If
        Print "Creating a backup of your NotesID in : " & BackupID$
        FileCopy NotesID$, BackupID$
        MsgBox "A backup of you Notes User ID was created in " & Chr(13) & BackupID$

EMC SourceOne- 27 September 2012 - (0) Comments

Thomas Hampel
 27 September 2012

When running EMC SourceOne with Domino, it might happen that users can only see a subset of the mails they have received, even if the mail itself is stored in the EMC system.
Here are the details...

When logging in with Active Directory credentials, users can only see emails which have been sent to the internet address of that user.
Logging in with Notes/Domino user name and HTTPPassword, only the Lotus Notes mails can be found.

By opening one email in each account and looking at the header, it became clear that EMC SourceOne can not associate the AD user name with the Notes user name.
The Notes user name is stored in a custom attribute of the Active Directory user object, but there is no option to customize the EMC software to make use of this attribute.

For each mail, EMC seems to use the recipients name as a string to search ActiveDirectory. So if the mail has been sent to "" it will find a corresponding user in AD and can associate it with the user.
When the mail is sent to "Firstname Lastname/OU/O", there is no corresponding user in AD, at least not among the list of objects which EMC is searching in.

Those of you who have already migrated from Exchange to Domino already know that for perfect CoExistence between both systems, the AD user needs to have a Notes proxyAddress defined.
Based on this knowledge it was easy to resolve the problem.

adding the Notes user name to the list of email addresses ("proxyAddresses") in  the AD user object resolved the issue.
Image:EMC SourceOne

The result is another proxy address "NOTES:CN=Firstname Lastname/OU=X/O=Y" in addition to the internet address itself.

Product codes for Notes 8.5.3 Multilingual User Interface (MUI) packs- 10 August 2012 - (1) Comments

Thomas Hampel
 10 August 2012

For further reference, here the part numbers of the MUI kits

Before installing a Multilingual User Interface pack (MUI), either the Standard or Basic Notes 8.5.3 Client must be installed.
If you'd like to simply install additional spell check dictionaries please see
Technote # 1411732.
Standard Basic
Notes 8.5.3 Client Windows English CI1L4EN CI1L2EN
Group 1 - Catalan, Chinese Simplified, Chinese Traditional, French, German, Italian, Japanese, Korean, Portuguese, Brazilian, Spanish CI3SGML
Group 2A - Danish,Dutch, Finnish, Norwegian, Swedish CI58UML
Group 2B - Arabic, Czech, Greek, Hebrew, Hungarian, Polish, Portuguese, Russian, Turkish CI5PAML
Group 3 -  Kazakh, Slovakian, Slovenian, Thai CI5PBML

Profile documents and Author rights in ACL- 30 July 2012 - (0) Comments

Thomas Hampel
 30 July 2012

What if a developer is using user specific profile documents to store some settings in a Domino application.
In this example users have Author access with the ability to create new documents and the ability to write public documents, no roles and no reader or author name fields are used in any document.

Image:Profile documents and Author rights in ACL

I'm wondering why users are not able to modify their own profile document by using the simple formula @Command([EditProfile]; "profile"; @Username)

Of course developers will refer to the Designer Help or
this technote where IBM clearly states:

In order to edit profile documents, including your own profile, using @Command([EditProfile]), you must have at least Editor access or Author access in the ACL plus inclusion in an Author field.

so it sounds like the user name must be listed in an author name field in order to modify an existing userprofile.

Unfortunately in reality it seems to be working slightly different... see this example:

I've created a new form to be used as a profile document, the form contained only a single field

Image:Profile documents and Author rights in ACL
Additionally I've created a small agent with the following code:

Dim s As New NotesSession
Dim doc As NotesDocument
Dim ws As New NotesUIWorkspace
Set doc = s.currentdatabase.Getprofiledocument("profile", s.Effectiveusername)
'# allows to modify the field values in the backend
Call doc.Replaceitemvalue("Test", "test")
Call doc.Save(true, false)
'# allows to modify field values using the frontend
Call ws.Dialogbox("profile", true, true, false, false, false, false, "Test", doc, false, false, false)
Call doc.Save(True, False)
'# does NOT allow to modify the document
Call ws.Editprofile("profile", s.Effectiveusername)

It seems like its possible to modify userprofile documents (which dont have an author name field) even when you dont have author access to the document itself.
To clarify: the application was put on a server and access rights were limited to Author.

Image:Profile documents and Author rights in ACL

I'm wondering if there's any good explanation for this behavior.

Update : The problem has been filed as SPR (Software Problem Report) # RGAU8WZE2X and the Customer Report, APAR # LO71028 was created.

Signing and deploying Eclipse Plugins into Notes Clients- 26 June 2012 - (0) Comments

Thomas Hampel
 26 June 2012

Installing Eclipse plugins in a Notes client is a simple task. I'm sure users would be even more happy if admins would sign them properly before rolling them out.
Otherwise, meaning when they are not signed, or if signed with an invalid signature, users will see messages like this:
Image:Signing and deploying Eclipse Plugins into Notes Clients

For a quick and dirty solution it would be possible set some preferences in the plugin_customization.ini or in the Notes client so that it will not show these warnings at all.
Unfortunately this will lower the security of the entire environment and therefore is not recommended.

The better method is to sign the plugin properly with a self signed certificate and then create a trust relationship with a Domino root certificate.
So these are the actions that need to be performed:
1.) Extract the Eclipse update site you want to sign to a temporary location on your hard disk
2.) Detach this command file to the same folder location where the file "site.xml" is located
3.) Edit the file and customize the settings according to your needs - see remarks within the file.
4.) Run the .cmd file
5.) Save a copy of the .keystore, .cer and sign_.cer files, they can be used to sign new release plugin if required.
6.) Import the new certificate (.cer) into the Domino server
7.) Create a cross-certificate from the internet certificate
8.) Publish the certificate to clients through security policy settings
9.) Create a new NSF based Eclipse update site and import the local update site from the temporary location (see step 1)
10.) Create a widget catalog
11.) Create a new widget using the Toolbar icon "Getting started with Widgets"  Image:Signing and deploying Eclipse Plugins into Notes Clients and choose "Features and Plugins"
Image:Signing and deploying Eclipse Plugins into Notes Clients

12.) Add the widget created to the widget catalog created in step 10 and don't forget to define a meaningful title and category. (e.g. Autoinstall) if you want the widget to be applied automatically. See next step for details.
13.) In the Domino Directory update the Desktop policy settings to include the newly created Widget catalog
Image:Signing and deploying Eclipse Plugins into Notes Clients

All together it will allow automatically distributing plugins in the Notes client without error messages and without overall lowering security.
Well, one prompt remains....
Image:Signing and deploying Eclipse Plugins into Notes Clients

Passthru configuration done right- 2 June 2012 - (1) Comments

Thomas Hampel
 2 June 2012

I'm wondering why some customers are not using Passthru - a function which exists in Notes/Domino for years.

From an infrastructure point of view, a Domino passthru server is nothing else than a special reverse proxy for Notes/Domino. Compared to normal reverse proxy servers it is providing an higher level of security due to the fact that authentication/authorization is using the NotesID for authentication and not relying on username/password

I've seen customers who create multiple location documents and tell end users to switch between them to force the usage of passthru. Personally I dont think that this is what end users expect, so here is a configuration which will use the passthru server automatically when it can not find a direct connection.

To efficiently use an existing passthru server, Notes Clients should be configured the following way:

Create a server connection document in the personal address book of the Notes Client pointing to the passthru server name and its IP address(or DNS name)

2.) Create another connection document, of type "passthru" which is used for */Org , where Org is the root certifier of your organization.

Image:Passthru configuration done right

important for this one is to set the usage priority to "Low" as shown in this picture

Image:Passthru configuration done right

Once completed, its time for
testing the connection.

Advanved options:

When using multiple passthru servers, its possible to put an IP sprayer or load balancer in front of them, so all servers are addressable with the same DNS name.
Typically a Notes client will reject connecting to a server that is using a different name than the one requested.
No need to worry, because
Technote 1233210 already provides the solution.
On each of the Domino passthru servers behind the network sprayer you can add NETWORK_SPRAYER_ADDRESS=sprayer to notes.ini. Where "sprayer" is supposed to be a comma separated list of acceptable names or IP addresses of the load balancer.

Result :

If the Notes Client is within the corporate network it will directly connect to the target Domino server, but if the direct connection fails it will try to use the next available passthru server.

A really large Notes application which seems to exceed 100 TeraByte- 1 December 2011 - (0) Comments

Thomas Hampel
 1 December 2011

Another interesting observation in a Notes 8.5.3 client.

This Notes application, shows up in the Admin client with an incredible amount of disk space.

If I am calculating right 1,0*E^14 is 100 TeraByte in a single NSF file, which is located on my local computers disk.

Image:A really large Notes application which seems to exceed 100 TeraByte

Actually the physical disk size on operating system level shows a different value, of just 1.290.240 bytes

While the DB properties show 101 MByte...

Image:A really large Notes application which seems to exceed 100 TeraByte

I guess something is wrong here...

Cleanup Separators- 24 November 2011 - (0) Comments

Thomas Hampel
 24 November 2011

Does anyone know what "Cleanup Separators" are???
This menu appeard today in my Lotus Domino Administrator client version 8.5.3

alt="Image:Cleanup Separators" border="0" src="cleanup-separators.htm/content/M2?OpenElement">

error while loading shared libraries: 3 May 2011 - (1) Comments

Thomas Hampel
 3 May 2011

Installing Lotus Notes on Linux is rather simple, the UI starts right away without any problems.
However if you happen to run command level operations such as compact or fixup you may run into problems because the following error message may appear:

"error while loading shared libraries: cannot open shared object file: No such file or directory"

Notes is complaining it can’t find which normally resides in the /usr/lib folder on your machine.
All you have to do is to create some links so that the Notes/Domino code can find this file

To do so you will have to be root or have sudo rights and execute the following commands
sudo ln -s /opt/ibm/lotus/notes/ /usr/lib/
sudo ln -s /opt/ibm/lotus/notes/ /usr/lib/
sudo ln -s /opt/ibm/lotus/notes/ /usr/lib/

or if you want a more propper solution, use those commands (thanks to Brian for reminding me)

# Create the conf file and put into place
echo “/opt/ibm/lotus/notes” >/tmp/lotus-notes.conf
sudo install -m 644 /tmp/lotus-notes.conf /etc/

# Tell the linker to use it
sudo ldconfig

Note: Of course all these commands refer the the standard Notes client installation directories, which you may need to adjust to fit your installation.
Go ElsewhereSubscribe to RSSAboutStay ConnectedAnd More
Thomas Hampel, All rights reserved.