Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration

Who am I?


Query results for : Tools

Import & Export Internet Certificates Programatically- 18 June 2015 - (0) Comments

Thomas Hampel
 18 June 2015

We all know that Admins are lazy. Being lazy can be helpful when having development skills, especially to reduce the amount of helpdesk calls by automating boring work.
How to import X509 certificates into a Notes ID when the certificate itself is stored in the Windows certificate store?

S/MIME Import / Export Automation

If needed, users can then export or import Internet Certificates directly from the Notes Client, but who wants to do that manually?
Even exporting the certificate from the Notes ID is too complicated for most users...
Image:Import & Export Internet Certificates Programatically

Looking for an automated way to export Internet Certificates, the pubnames.ntf provides there are some undocumented @Formulas that can be found for working with X509 certificates
  • @X509Certificates([Subject];UserCertificate;"");
    Returns the list of subjects of the internet certificates stored in the person document field named "UserCertificate"
  • @Command([PKCS12ExportCertsFromNAB];UserCertificate;Certificate;Number;"0")
    Where "Number" is the element in the list returned by @X509Certificates

In my opinion those @Functions still show too many dialog boxes, so lets try to make it more simple.
The C-API documentation provides the functions required namely PKCS12_ExportIDFileToFile and PKCS12_ImportFileToIDFile.

Wrapping both into a small script is easy...

Function PKCS12_ExportIDFileToFile Lib "nnotes" Alias "PKCS12_ExportIDFileToFile" (_
           ByVal pIdFilename As String,_
           ByVal pIdFilepassword As String,_
           ByVal pPKCS12Filename As String,_
           ByVal pPKCS12Filepassword As String,_
           ByVal ExportFlags As Long,_
           ByVal ReservedFlags As Long,_                
           Preserved As Any) As Integer

Function PKCS12_ImportFileToIDFile Lib "nnotes" Alias "PKCS12_ImportFileToIDFile" (_
           ByVal pPKCS12Filename As String,_
           ByVal pPKCS12Filepassword As String,_
           ByVal pIdFilename As String,_
           ByVal pIdFilepassword As String,_
           ByVal ImportFlags As Long,_
           ByVal ReservedFlags As Long,_                
           Preserved As Any) As Integer


Calling those API's would be able to import a certificate from a file, but often the certificate has already been deployed to (e.g.) the Windows certificate store.
It would have been easy to use a Windows API call to export a certificate into a file and then import it again back into the Notes ID using the Notes API calls above.
Unfortunately M$ discontinued support for CAPICOM after Windows XP... so we have to use old school methods like using command line tools like Certutil

still with the resulting functions you can Import and Export X509 certificates from the Windows certificate store to the NotesID and back.



As usual mind YMMV and feel free to further optimize the code to fit your needs-
Please use at your own risk and report back any suggestions or improvements!

Special Thanks to Marcus Floeser for providing the screenshot.

Mail Rules Analyzer has been published- 29 September 2014 - (1) Comments

Thomas Hampel
 29 September 2014

Today OpenNTF published one of my contributions Mail Rules Analyzer
It is a small tool for Domino Administrators to scan mail files on one many servers to find out if any mail rule has been set up for external forwarding of mails.

Main use case is to analyze an environment to notify users who have such mail rules configured before preventing users from forwarding mails to external recipients
Results can be grouped/sorted/analyzed later on. At present the tool will only scan for rules that will forward a mail to external recipients but certainly there is room for further improvement...
Here are a few screenshot of the user interface:

Image:Mail Rules Analyzer has been published

Image:Mail Rules Analyzer has been published
Please post your comments and ideas in the feature requests section of the project
This is just the first publication out of a number of tools which our team has developed over time, we expect to publish them one by one in the near future.

Special thanks to Julian Robichaux for allowing the design reuse of the OpenLog template.


Making Internet Mail Secure with just a few clicks - S/MIME in Domino- 9 May 2014 - (0) Comments

Thomas Hampel
 9 May 2014

I'm wondering why internet mails are still sent unencrypted, at least for a large extend. You should not make it too easy for your enemy to spy on you just by sniffing your internet traffic. This blog post is a reminder for Domino admins who still force mails sent unencrypted over the internet to take action now. No, I'm not talking about transport level security for now, this post is to provide end to end encryption.

After having read the-dummies-guide-to-2048-bit-ssl-self-signed-certificates-in-domino.htm you are ready for securing your internet email with S/MIME.
So lets roll out S/MIME certificates to Notes users in a Domino domain:

Basic steps are:

1. Create a key ring file
that contains a self signed (or trusted ) certificate
For more information on how to create a self signed CA, read the-dummies-guide-to-2048-bit-ssl-self-signed-certificates-in-domino.htm

2. Set up the CA process in Domino

Nobody wants to deploy S/MIME certificates to users manually, so it is recommended to
set up the CA process in Domino,
otherwise an Admin needs to enter the password of the keystore every time a new user is being registered.

3. Migrate an (internet) Certifier into the CA

Just read and follow
instructions for migrating an existing Certifier/KeyRing , or create a new one using the use the step by step instructions starting with slide #89
Remark: You must refresh the CA process in order to see the newly migrated certifier, use the server command "tell ca refresh" and "tell ca status"

4. Rolling out Internet Certificates to Users

Follow instructions for
Issuing Internet certificates in a Person document or use the  step by step instructions starting with slide #149
Here the CA process becomes very handy when the rollout is done in waves.


Once AdminP completed, the Notes Client will pick up the new keys the next time it authenticates with the Domino server and the new S/MIME certificate will then be merged into the users ID file.
If an IDVault is in use, the Notes Client will then upload the ID file to the vault automatically.

What about Step-by-Step deployment instructions?

Those have already been provided byTom Truitt's in his Lotushpere 2011 presentation
SHOW104 - Crispy Certificates with Spicy SSL Salsa
One might also want to know
how to enable S/MIME in BlackBerry Enterprise Service 10 and should keep in mind S/MIME in IBM Notes Traveler still seems to be an issue (Reference Technote #7039769 )

How to obtain the internet certificate's public key of a user?

When receiving internet mail users of the same domain can pick up the public key of a user from the Domino Directory, but users receiving mail from the internet need to ask the sender for a signed email to add the senders internet certificate to local address book manually. The option can be found in the "Add Sender to Contacts" dialog box...

Image:Making Internet Mail Secure with just a few clicks - S/MIME in Domino

at the very bottom there's a small check box...

Image:Making Internet Mail Secure with just a few clicks - S/MIME in Domino

Now you can send & encrypted mail(s) via the internet - sniffing network traffic wont provide the mail body in clear text anymore.
Of course enabling S/MIME for external communication is just a first small step and you know its not a perfect way
to protect your privacy forever.

Overall, this is just some very basic knowledge every Domino administrator should have applied for years, but unfortunately...
Yes, there is more to say about S/MIME in Domino, a lot more - so there will be another blog post about this topic.

Further reading

Unable to set/unset ’Record activity’ programmatically- 9 March 2014 - (0) Comments

Thomas Hampel
 9 March 2014

One little checkbox in Notes/Domino which can cause some headaches is "Record activity" which can be found in the Database Properties / User Detail window.
Audit & Compliance teams as well as work councils love it...

Image:Unable to set/unset ’Record activity’ programmatically
...and they always have the same opinion on how to set it, right?

Yes, I know you can
disable actvity logging for all databases on a server to improve performance, but what if you need the opposite compliance reasons? What if you need to enable activity logging for a few (hundred) databases at once, but not for all?

Developers of crouse will start searching the
Designer documentation for a LotusScript class of some sort, realizing quickly that it doesnt exist.
Next step of your research would be the
Notes C/C++ API Toolkits which normally provide methods to resolve the toughest problem -- bad luck this time.

Furtunately there are
clever business partners who seem to have found a way to mass-modify user activity settings by using the full version of the databaseEZ tool. (Thanks Ben for the hint)
Although this tool provides fast pain relief it is not always a perfect solution - think of situations where a large amount of servers is involved, or where admins dont have manager access to mail files, or where the setting has to be set on a regular basis etc.

So unfortunately there seems to be no (easy) programmatic way to modify this flag, at least there is no ready-made C-API, LotusScript or Java class for changing it.

The problem has already been reported to IBM within SPR # MSTS9G3AVP

Download Connect 2014 presentation files- 13 February 2014 - (1) Comments

Thomas Hampel
 13 February 2014

If you have not already managed to download the IBM Connect presentations with Stephan's instructions using CURL, here is a dummies guide for Firefox users.
Please note, those presentations are not publically available - to download them you need to authenticate with your IBM Connect credentials which can be found here:

Image:Download Connect 2014 presentation files

Step-by-step instructions:

1.        If not already installed, get
2.        Install the Plugin
DownThemAll!  ( for more information see )
3.        Open
page1 of the IBM Connect public files feed
4.        Authenticate using the credentials (see your IBM Connect badge)

5.        Right click on the page and choose "DownThemAll!..." to start the plugin

Image:Download Connect 2014 presentation files
6.        Set download options as shown below...
- Define where to store the downloaded files
- Set the filter to include only "Archives" & "Documents"

Image:Download Connect 2014 presentation files
7.        Start the download

Image:Download Connect 2014 presentation files
8.        Repeat step 5 to 7 with
page 2 of the feed

If everything worked out, you should have approx. 500 PDF files showing up in the folder specified above.

You might want to take a look at
Chris Miller's IBM Connect and Lotusphere slides database which currently hosts ~55 slide decks from IBM Connect 2014 and is publically accessible.
Furthermore Niklas Heidloff pulled together a
list of app dev sessions from IBM Connect 2014 , some more presentations can be found by searching Slideshare.

Unfortunately not all presentations are available for download - some speakers did not grant permission to publish the slides, so there's some content that is only available to people in the room.

If you did not make it to Orlando there's a chance to attend local events such as the
Rheinland Nachlese 2014 organized by TIMETOACT

Backup Notes ID on local computer- 14 January 2013 - (0) Comments

Thomas Hampel
 14 January 2013

On special request of a customer, I'm posting a little LotusScript to back up the current NotesID locally.

        Dim s As New NotesSession
        Dim NotesID$, BackupID$, NotesData$
        NotesData = s.Getenvironmentstring("Directory", True)
        NotesID$ = s.Getenvironmentstring("KeyFileName", True)
        '# check if the 2nd character in the string NotesID is a ':'
        If Not Right(Left(NotesID$,2),1) = ":" Then
                '# NotesID is located within Data Directory
                NotesID$ = NotesData$ & "\" & NotesID$                
        End If
        Print "Current NotesID is : " & NotesID$
        BackupID$ = NotesID$ & ".bak"
        Print "Backup will be stored in : " & BackupID$
        If Dir$ (BackupID$,0)="" Then
                '# No previous backup found, so okay to continue
                '# Previous backup found, so deleting existing file and create a new backup
                Print "Previous backup found, so deleting existing file and create a new backup"
                Kill BackupID$
        End If
        Print "Creating a backup of your NotesID in : " & BackupID$
        FileCopy NotesID$, BackupID$
        MsgBox "A backup of you Notes User ID was created in " & Chr(13) & BackupID$

Creating PDF documents from within Notes/Domino- 3 December 2011 - (0) Comments

Thomas Hampel
 3 December 2011

How can PDF documents be rendered from within a Notes application?
Converting Notes documents into Adobe's PDF format can be a challanging task.
Many different software addon products for Lotus Notes/Domino are being sold to make this happen,
e.g. DominoPDF which is being used by some of my customers - but in fact you dont need anything else than a Java component inside of your application.

Simply by using the iText Library and a small piece of source code, you can add PDF conversion functions to your Domino application. Look at this video to see an example. The solution outlined here makes sense for embedding this functionality inside an application. For single computers instead, its most likely enough to look at FreePDF (english) a freeware PDF converter which installs itself as a printer device.

Firefox Plugins you should have- 14 March 2011 - (0) Comments

Thomas Hampel
 14 March 2011

Web Developer
which is very useful to uncover attempts for clickjacking.

HTTPS everywhere
Prevents from identify theft via firesheep

Collaborate with an IBM employee via Sametime- 25 January 2011 - (0) Comments

Thomas Hampel
 25 January 2011

I have been asked several times how customers can talk or chat with IBM'ers directly. It still seems that people dont know that they can get access to IBM's internal Sametime environment by using the ST web client.

Collaborate with an IBM employee via Sametime...
here is an explanation how to do that:
You can also take a
Video Tour

If you want to find the email addresses of the people you know inside IBM, see here

Eclipse Update Sites- 9 November 2010 - (0) Comments

Thomas Hampel
 9 November 2010

Customers and colleagues quite often are asking where to find some special tools to extend their Lotus Notes client.
Using Eclipse Updates is a great method to extend the functionality of the client itself and to keep up to date in case of updates.

Here a list of interesting Eclipse Update sites:
  • SNAPPS - SidebarChart, ReCon Remote Console Sidebar, and more
  • Jeff Geifelt, SecretAgent, Formul8, and more
  • LotusLive Meetings
  • Epilio
  • Lemkinworld
  • OpenNTF

Lotus Learning Plugin

PS: Please let me know about other update site's on the internet which provide cool / clever enhancements for Lotus Notes or Sametime.

Productivity- 9 November 2010 - (0) Comments

Thomas Hampel
 9 November 2010

Working in the IT business for several years brings a lot of experience of using different tools to increase our own productivity.
Within this article I'm goping to share some tools which I believe are essential for a Domino Administrator.

  • IBM Support Assistant
  • GIMP, a freeware image editor for complex graphics
  • Picasa, useful for managing a large amount of pictures
  • SnagIT
  • Camtasia Studio
  • Total Commander , file manager for people who grew up without a mouse.
  • FreePDF XP , create PDF documents by printing them
  • VideoLAN
  • Google Earth
  • Notepad++
  • Wireshark - an excellent network traffic analyzer
  • FaJo TimeTool, a gread freeware application to track time spent for different projects
  • Dia or YEd as a replacement for Visio. Visio viewer will help

Lotus Notes Tools
  • Teamstudio
  • Ytria
  • NotesPeek , allows to analyze Notes applications

Browser plugins
, (of course for Firefox)
  • AI Roboform - store and manage your (Web-) passwords in a secure way.
  • IBM Support Bar - direct access to support material of IBM
  • Firefox Sync - sync bookmarks across different computers/operating systems, incl. sync to iPhone
  • BetterPrivacy - delete supercookies on the fly
  • FireBug - even if you're not a web developer, this tool is a musthave to analyze HTTP related problems
  • NoScript - musthave to keep a browser secure.

Other Interesting tools

Create an Impressum- 7 August 2010 - (0) Comments

Thomas Hampel
 7 August 2010

Publishing on the web isnt easy these days, often it just takes a few days until someone complaints that your web site doesnt meet the legal requirements.
A first start is to use a little helper like the one on this web page to create a basic impressumg which might already fit your needs.
Unfortunately you almost have to study law in order to build an impressum that will fulfil all legal requirements of your country, so its worth spending a few bucks and consult a lawyer.
Thomas Hampel, All rights reserved.