Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration

Who am I?

Feeds

Query results for : January 2015

Look what I’ve found- 18 January 2015 - (1) Comments

Thomas Hampel
 18 January 2015

Packing for IBM ConnectEd 2015 I stumbled into last years IBM Connect 2014 backpack...
The little surprise surprise I've found inside was the ***drumroll*** original Lotusphere Pretzel Cookie !!
Image:Look what I’ve found
No, I'm not planning to eat it althgouh its calories would last a month or two  Who knows what will happen if anyone would take a bite.
Given the fact that 2014 was the last year where the word Lotusphere appeared at the show, this cookie is probably turning into a collectors item.

I'm wondering if there are people who would try making big money by selling it on ebay?
Image:Look what I’ve found
Hint: Stop searching ebay, you can't really buy that cookie there.

AdminP Move User - Access Rights seem not to work in Domino 9.0.1FP1 and how to work around- 12 January 2015 - (0) Comments

Thomas Hampel
 12 January 2015

Moving mail files from server to server is a simple task, AdminP handles this job properly. It does even work across domains... and it worked perfectly in numerous projects in the past.
Until today when I ran into a problem where the same process 'all of a sudden' (**what else**) caused an error in AdminP - but only for a specific group of destination servers.

After creating the AdminP Move User request (using our internal tools), the AdminP request "Check Mail Server's Access" failed with this error:
Image:AdminP Move User - Access Rights seem not to work in Domino 9.0.1FP1 and how to work around
Errors:

Title: Domain's Directory Path: Domain's Directory; Name: Admin Lastname/OU/Org;
Error: Both the signer and the author of this request must have Editor access or Author access with the UserModifier role to the Domino Director

Analysis

We checked access rights on both sides... several times....but everything was set up correctly. Even restarting the server (to refresh the name lookup cache) did not change the situation.
Finally after a few chats with my colleagues they indicated it could be related to a problem they had seen before, referencing an old bug ( LO81200 ) and also pointing to a new SPR

SPR # JPAI9FEKCP, fixes a Notes Client issue where if a local NAMELookup cache has been created it is inappropriately being used as opposed to doing the NAMELookup on the remote server. This may result in Notes Client errors indicating insufficient access to perform any number of Notes Client operations such as Admin Client move user or simply signing of databases.

Although the SPR reads like it would apply to Notes Clients only, I can confirm it does apply to Domino Servers as well, at least for that specific AdminP request type "Move User"
We did a few tests and quickly found a workaround, so here is what you can do about it:

Temporary Solution:

Don't use groups to grant the specific access rights.
In our case putting the name of the person who signed the AdminP request >directly< into the ACL of the Names.nsf of the destination server fixed the issue.

This is what the AdminP Move User reuqest should look like before the user authenticates
Image:AdminP Move User - Access Rights seem not to work in Domino 9.0.1FP1 and how to work around

Permanent Solution

Apply Domino 9.0.1 FixPack2 now or wait for Domino 9.0.2 to be released.

Lessons learned:

1.        Always install the latest version of Domino
Note: The destination server in question is not maintained by our team.
2.        What an awsome team we have :)

References

Opening another mail file is causing Type mismatch in method CoerStrToNum: STRING found, DOUBLE expected- 7 January 2015 - (2) Comments

Thomas Hampel
 7 January 2015

Problem:
Opening the mail file of another person is causing the message "Type mismatch in method CoerStrToNum: STRING found, DOUBLE expected" to be displayed:
Image:Opening another mail file is causing Type mismatch in method CoerStrToNum: STRING found, DOUBLE expected
While IBM Technote 1303181 only provides a basic idea of what is wrong, it does not give any idea what can be done to fix it.
So I had to look into details and quickly found the problem.

Steps to reproduce

In order to reproduce the problem, this is what you have to do:
  • Make sure you have the Notes.ini variable CHECK_QUOTA_ON_MAIL_CREATE set to 1
  • Open another person's mail file, this will write the current date at the end of the Notes.ini variable DELEGATED_MAIL_FILEx
  • Close your Notes client
  • Change the date format of your operating system from DD.MM.YYYY to MM/DD/YYYY (or the other way around)
  • Open the same other persons mail file again.

Analysis

Trying to find the root cause with debugging enabled shows a different error "*CE39918+421: Type mismatch"
Image:Opening another mail file is causing Type mismatch in method CoerStrToNum: STRING found, DOUBLE expected
but at least it indiicates the problem is located in the Database Open script.
Image:Opening another mail file is causing Type mismatch in method CoerStrToNum: STRING found, DOUBLE expected

What is causing this problem?

Obviously it is a String to Date conversion issue. Storing a Date in a String to convert it back to a date is never a good idea. If you really need to do it you should not rely on the CDat function to work. Write your own function which does ignore the
Regional settings - in specific the date format - of this workstation have been changed.

Resolving the problem

Change the date format of your operating system back to what it should be.
If the date format of your computer is correct and the problem still persists, then manually update your Notes.ini and remove all lines starting with DELEGATED_MAIL_FILE or by updating the date format at the end of this line yourself.

Permanent solution

A perfect solution would require to update the mail template to be updated. in specific the script Library "CheckQuotas" contains a class called "CheckQuota" with the Sub "SetCalMgrINI"
This sub contains several references where a string is being converted to a date. This is where additional verification is required to ensure the string value is a date which can be converted using the current regional settings.
Image:Opening another mail file is causing Type mismatch in method CoerStrToNum: STRING found, DOUBLE expected

Monitoring IBM Domino Server on Linux via SNMPv3- 5 January 2015 - (0) Comments

Thomas Hampel
 5 January 2015

Monitoring Domino servers via SNMP should be a simple task, if it would be documented properly.
There are quite a few blog posts out there on the internet such as
this nice article by Detev Schuemann which unfortunately is in German.. So I'd like to provide an english translation with a few updates which in my opinion are valuable.

Background

Simple Network Management Protocol (SNMP) is a protocol for monitoring network devices such as routers, switches, servers, printers and much much more.
Vendors of a device are providing a definition of values which can be read or modified in form of a
MIB (Management Information Base). Those values are called OIDs (object identifiers) and are ordered in a hierarchical structure.

MIB definitions for Domino can be found online
http://www.oidview.com/mibs/334/NOTES-MIB.html
A MIB file for IBM Domino can be found in the Domino program directory and is called "domino.mib"

On a Linux server the file can be found here /opt/ibm/domino/notes/latest/linux/domino.mib


Step-by-step Instructions

For each Domino server which you want to monitor, you need to enable SNMP support, the following is a step by step description of what you need to do for a Domino server on Linux.
Instructions for Windows are available here
Examples below are based on
CentOS which is using yum as package manager. For other Linux distributions commands are slightly different, also path references shown in the example below might not be the same for you.

Step 1 - SNMP Master Agent

Although Domino its own snmp master agent, I recommend not to use it because the version supplied with Domino is the rather dated version 5.0.7
.
Currently version 5.7.3 is the latest version available. Check the
net-snmp change log to see what has changed between versions.
Obviously you should prefer using the operating system snmp master agent which comes preinstalled for a number of Linux distributions.
If not already installed, you can install the package net-snmp with the following command.

# yum install net-snmp

The library net-snmp-utils provides some additional tools like snmpwalk, which we will need later on for testing functionality
# yum install net-snmp-utils

To check the version you are running...

$ snmpwalk --version

Image:Monitoring IBM Domino Server on Linux via SNMPv3
Note: Current releases of CentOS and Redhat provide net-snmp version 5.7.2 by default.


Option B - NET-SNMPD v5.0.7 provided by Domino

Domino provides net-snmpd in version 5.0.7  - again, I do not recommend using this version.

However, if really want to use it enter these commands to copy the required files to the /etc directory and make sure the service is started after a reboot.

# cp /opt/ibm/domino/notes/latest/linux/net-snmpd* /etc
# ln –f –s /etc/net-snmpd.sh /etc/init.d/net-snmpd

# chkconfig --add net-snmpd

# chkconfig net-snmpd on

Note that in this type of configuration your settings are stoed in the file  /etc/net-snmpd.conf

Step 2 - Update Configuration

Back up the original config file to a location of your choice

cp /etc/snmp/snmpd.conf /root

Edit the file /etc/snmp/snmpd.conf . Modifying this file is only required if you are using the master agent provided by your OS.

# nano /etc/snmp/snmpd.conf

1.) Search for sysLocation and update it according to your needs as shown here:
sysLocation    YourDataCenterLocation
sysContact     email@yourdomain.com


2.) define a username/password combination for SNMP v3 authentication
Of course the user name and password used in this example are to be changed to fit your needs

createUser SNMPv3UserName MD5 SNMPUserSecretPassword AES


3.) At the end of the same file, add this line:
smuxpeer 1.3.6.1.4.1.334.72 NotesPasswd

Dont forget to save the file


Step 3 - SNMP Startup Script

Although you could add /usr/sbin/snmpd as a service directly, its probably more useful to use a startup script.

Domino already provides such a script - you just need to modify the configuration so that it can be used.


# cp /data/ibm/domino/notes/latest/linux/net-snmpd.sh /etc/init.d/net-snmpd

# nano /etc/init.d/net-snmpd


Update the configuration (starting in line 31) as follows:

INSTDIR=/usr/sbin
PROGNAME=snmpd

PROGPATH=$INSTDIR/$PROGNAME

CONFNAME=snmpd.conf

CONFPATH=/etc/snmp/$CONFNAME

LOGPATH=/var/log/snmpd.log

PROGARGS="-C -c $CONFPATH -l $LOGPATH"

Make sure the startup script runs at next boot

# chkconfig --add net-snmpd
# chkconfig net-snmpd on


Step 4 - Update Firewall Rules

SNMP requires UDP port 161 to be accessible, so you need to open this port on the local firewall.
Do not forget to open this port on any other firewall on your network which is between the monitoring server and your Domino server
# iptables -I INPUT -p udp --dport 161 -j ACCEPT


Step 3 - Testing basic functions

Test basic SNMP functionality
from the local host and also from a remote server.
# snmpwalk -v3 -u SNMPv3UserName -A SNMPUserSecretPassword -a MD5 -l authnoPriv dominoserver.domain.com .1.3.6.1.4.1.2021.100.2.0

As a result you should get the version number of the SMTP master agent

Image:Monitoring IBM Domino Server on Linux via SNMPv3

Step 5 - Enable Domino SNMP Agent

Make sure LNSNMP will be started after a reboot. (Note: change the path to match your configuration!
)
# ln -f -s /opt/ibm/domino/notes/latest/linux/lnsnmp.sh /etc/rc.d/init.d/lnsnmp
# chkconfig --add lnsnmp

# chkconfig lnsnmp on
# service lnsnmp start

In case you get the error  "LOTUSDIR must be set in the environment or in this script." you need to update script so that it can find the path to your Domino server, e.g. LOTUSDIR=/opt/ibm/domino


if everything has worked out, starting the lnsnmp should provide the following output

New sub-agent on server is registering a sub-tree with branch ID:
1.3.6.1.4.1.334.72.3

Sending SNMP "Server Up" trap for server .

service lnsnmp startNew sub-agent on server is registering a sub-tree with branch ID:

1.3.6.1.4.1.334.72.1


Step 6 - Domino Tasks

Start the following tasks from the Domino server console

load quryset
load intrcpt
load collect

"quryset" is required to support SNMP queries

"intrcpt" is required to support SNMP traps for Domino events

"Collect" is required to support statistic threasold traps

Create a program document or add the tasks to the Notes.ini variable "ServerTasks=" so ensure they are started automatically after a server restart.

Step 7 - Testing Domino SNMP agent response

Now its time to test if we can access Domino objects via SNMP, e.g. by reading a single value.

$ snmpget -v3 -u SNMPv3UserName -A SNMPUserSecretPassword -a MD5 -l authnoPriv dominoserver.domain.com .1.3.6.1.4.1.334.72.1.1.6.2.1.0

Should return the fully qualified Domino Server name as a string

Image:Monitoring IBM Domino Server on Linux via SNMPv3

Ok, you're done... the Domino SNMP Agent is configured and can be used.

However, there still is some work to be done on your SNMP management console e.g.
Nagios ,FAN , Cacti (or whatever you are using) in order to monitor Domino via SNMP (for example, server down).

Next Actions:

If you like this post, please let me know via Twitter
@ThomasHampel or by leaving a comment below. Please note that comments are moderated and wont show up before being approved.
Hint... configuring Nagios for Domino monitoring and configuring Cacti for trend analysis is subject of another blog post which I'm already working on.


Troublshooting
  • Check snmpd.log for errors
    # cat /var/log/snmpd.log
  • Error : refused smux peer: oid SNMPv2-SMI::enterprises.334.72, descr Lotus Notes Agent
    see
    IBM Technote 1313318
  • Error - Unknown User
    Either a typo in the user name or you forgot to add the user to the snmpd.conf file in step 1, search the config file for something like this:
    createUser SNMPv3UserName MD5 SNMPUserSecretPassword AES
  • Error in packet. Reason: authorizationError (access denied to that object)
    The user exists and the password worked, but does not have access rights required. Check snmpd.conf to see if you have granted at least read only rights, search the file for a string like this:
    rouser SNMPv3UserName

Tools:

Take a look at
Paessler SMTP Tester (Freeware / Windows)
Image:Monitoring IBM Domino Server on Linux via SNMPv3

Further reading:
Thomas Hampel, All rights reserved.