Query results for : May 2014
AMgr: Console command ’LOG.NSF’ is unknown- 13 May 2014 - (0) Comments
Thomas Hampel
13 May 2014After upgrading to Domino 9.0.1 the following messages show up at the console.
It seems the agent manager is trying to send file names as commands to the server's console...
AMgr: Console command 'ddm.nsf' is unknown
AMgr: Console command 'admin4.nsf' is unknown
AMgr: Console command 'LOG.NSF' is unknown
AMgr: Console command 'LOG.NSF' is unknown
AMgr: Console command 'ddm.nsf' is unknown
AMgr: Console command 'ddm.nsf' is unknown
AMgr: Console command 'admin4.nsf' is unknown
AMgr: Console command 'admin4.nsf' is unknown
AMgr: Console command 'LOG.NSF' is unknown
AMgr: Console command 'LOG.NSF' is unknown
....
It turned out that its a small bug that was introduced in Domino 9.0.1 - the problem is already known and has been documented in SPR# CSAO9FR9ZS
A local workaround is documented here => LO78790: AMGR: CONSOLE COMMAND 'XXX.NSF' IS UNKNOWN SHOWS REPEATEDLY
Making Internet Mail Secure with just a few clicks - S/MIME in Domino- 9 May 2014 - (0) Comments
Thomas Hampel
9 May 2014I'm wondering why internet mails are still sent unencrypted, at least for a large extend. You should not make it too easy for your enemy to spy on you just by sniffing your internet traffic. This blog post is a reminder for Domino admins who still force mails sent unencrypted over the internet to take action now. No, I'm not talking about transport level security for now, this post is to provide end to end encryption.
After having read the-dummies-guide-to-2048-bit-ssl-self-signed-certificates-in-domino.htm you are ready for securing your internet email with S/MIME.
So lets roll out S/MIME certificates to Notes users in a Domino domain:
Basic steps are:
1. Create a key ring file that contains a self signed (or trusted ) certificate
For more information on how to create a self signed CA, read the-dummies-guide-to-2048-bit-ssl-self-signed-certificates-in-domino.htm
2. Set up the CA process in Domino
Nobody wants to deploy S/MIME certificates to users manually, so it is recommended to set up the CA process in Domino,
otherwise an Admin needs to enter the password of the keystore every time a new user is being registered.
3. Migrate an (internet) Certifier into the CA
Just read and follow instructions for migrating an existing Certifier/KeyRing , or create a new one using the use the step by step instructions starting with slide #89
Remark: You must refresh the CA process in order to see the newly migrated certifier, use the server command "tell ca refresh" and "tell ca status"
4. Rolling out Internet Certificates to Users
Follow instructions for Issuing Internet certificates in a Person document or use the step by step instructions starting with slide #149
Here the CA process becomes very handy when the rollout is done in waves.
Done!
Once AdminP completed, the Notes Client will pick up the new keys the next time it authenticates with the Domino server and the new S/MIME certificate will then be merged into the users ID file.
If an IDVault is in use, the Notes Client will then upload the ID file to the vault automatically.
What about Step-by-Step deployment instructions?
Those have already been provided byTom Truitt's in his Lotushpere 2011 presentation SHOW104 - Crispy Certificates with Spicy SSL Salsa
One might also want to know how to enable S/MIME in BlackBerry Enterprise Service 10 and should keep in mind S/MIME in IBM Notes Traveler still seems to be an issue (Reference Technote #7039769 )
How to obtain the internet certificate's public key of a user?
When receiving internet mail users of the same domain can pick up the public key of a user from the Domino Directory, but users receiving mail from the internet need to ask the sender for a signed email to add the senders internet certificate to local address book manually. The option can be found in the "Add Sender to Contacts" dialog box...
at the very bottom there's a small check box...
Now you can send & encrypted mail(s) via the internet - sniffing network traffic wont provide the mail body in clear text anymore.
Of course enabling S/MIME for external communication is just a first small step and you know its not a perfect way to protect your privacy forever.
Overall, this is just some very basic knowledge every Domino administrator should have applied for years, but unfortunately...
Yes, there is more to say about S/MIME in Domino, a lot more - so there will be another blog post about this topic.
Further reading:
- Quick guide to securing a Domino server with SSL using the CA process
- IBM Developerworks article "Enhancing e-mail security with S/MIME" by Chuck Connell
http://chc-3.com/pub/Notes-Internet-Encrypted-Email.pdf - Lotus Domino Certification Authority Tutorial
- Lotus Security Handbook,
- Technote #1308138 Export the private key from a Domino keyfile by using IKEYMAN
- Import & Export an Internet certificate from a Person document
The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino- 7 May 2014 - (3) Comments
Thomas Hampel
7 May 2014Setting up SSL in Domino using Self Signed Certificates is easy, one can choose between SSL using Domino as Certificate Authority or setting up SSL in Domino using the CA Process or even using an IBM HTTP Server in front of Domino
Since I'm still getting questions on how to quickly create a self signed certificate for Domino, here is a guide for dummies....
When working with self signed certificates in Domino, the product documentation wont tell you there's one small problem:
In the standard Domino Server Certificate Administration template (csrv50.ntf) there is no option to specify the key length for self signed certificates, so by default any new keys will be created with a key length of just 512byte, which is not enough for modern browsers nor for Internet Explorer 9 (or above), see http://technet.microsoft.com/en-us/security/advisory/2661254
So lets get this fixed by applying some small modifications to the template so the key size can be adjusted when needed. At the same time we can also change the default validation time to be configurable.
Continue Reading "The Dummies Guide to 2048 Bit SSL Self Signed Certificates in Domino" »
Product codes for Notes 9.0.1 Multilingual User Interface (MUI) packs- 6 May 2014 - (0) Comments
Thomas Hampel
6 May 2014Customers were demanding for it and here they are - the Multilingual User Interface (MUI) kits for the Notes Client V9.0.1
Those kits allow switching between different languages without the need to reinstall a new client software each time.
For further reference, the table below provides the part numbers to download the packages from Passport Advantage
Notes V9..0.1 | Standard | Basic | Browser Plugin |
IBM Notes 9.0.1 Client Windows English ( Announcement Letter ) | CIQ7REN | CIQ7QEN | Full = CIQ90EN Lite = CIQ96EN |
IBM Notes XTAF Dictionaries V9.0 for Windows Multilingual (Mac=CIF0DML , Linux=CIF6BML) | CIF0EML | ||
Multilingual User Interface for ... | |||
Group 1 - Catalan, Chinese Simplified, Chinese Traditional, French, German, Italian, Japanese, Korean, Portuguese, Brazilian, Spanish ( Announcement Letter ) | CIV5HML | CIT8TML | CIT9GML |
Group 2A - Danish, Dutch, Finnish, Norwegian, Swedish ( Announcement Letter ) | CIUZ6ML | CIUZ7ML | CIUZ8ML |
Group 2B - Arabic, Czech, Greek, Hebrew, Hungarian, Polish, Portuguese, Russian, Turkish | CIVY2ML | CIVY5ML | CIVY6ML |
Group 3 - Kazakh, Slovakian, Slovenian, Thai | CIVY3ML | CIVY4ML | CIVY7ML |
Remarks:
- Installation instructions essentially are the same as in earlier versions, so refer to IBM Technote 1288585 for more information.
- Upgrading from Notes 8.5.3 with a language pack installed directly to Notes 9.0 is not possible according to IBM Technote 1620790 so you need to uninstall it first.
- For information on how to install XTAF spell check dictionaries please see Technote # 1411732
- You can combine IBM Notes 9.0.1 and IBM Sametime 9.0 in a single install kit (Thanks Jeff Mitchell)