TOTP and vert.x  

By Stephan Wissel | 2/7/23 9:13 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Time-based one-time passwords (TOTP) are a common security feature in Identity Providers (IdP). There are use cases beyond IdP; mine was 'Understanding what it takes'. TOTP interaction: You have two phases: enrollment and use. During enrollment a secret is generated and (typically) presented as a QR code. A user points one of the many Authenticator apps to it and gets a numeric code that changes once a minute. When you use it, you pick the current number and paste it into the provided field. The backend validates the correctness with some time leeway. What it is not: Typically when enrolling you also get recovery codes, sometimes called scratch codes. They are NOT part of TOTP, and their implementation is site-specific and not standardized. An implementer might choose to check your recovery codes when your TOTP fails or provide a separate interaction using those. The initial confirmation is actually the first instance of "use", and one could have a successful enrollment without it. This depends on the implementation. It isn't foolproof. An attacker could trick you into typing your TOTP code into a spoofed form or just hijack your session (cookie). That's why responsible web apps run tight security with CSP and TLS (and, once browser support is better, Permission Policy).

Calendar entry not displaying notes in HCL Verse 3.x   

By Rainer Brandl | 2/3/23 4:20 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Today I had the issue that a customer complained that notices on the calendar form keep on loading and loading and you're not able to create a calendar entry or even display the content of the notes of an existing calendar entry. After some conversation with HCL Support (which again was working extremely fast in person of Suraj Joshi) I received the information that the upgrade to HCL Domino 12.0.2 could cause this issue. As mentioned in the official Defect Article, this only occurs when the display language of the browser is set to another language than English.

Overdue PSA: Reverse-Proxy Headers in Domino 12.0.1FP1 and Newer  

By Jesse Gallagher | 1/25/23 11:19 AM | Infrastructure - Notes / Domino | Added by Oliver Busse

Just over a year ago now, I wrote a blog post describing the sudden removal of my beloved HTTPEnableConnectorHeaders notes.ini parameter in the 12.0.1 release. However, during the administration-focused OpenNTF Repair Café today, I was reminded that I never modified that post or made a followup to detail the changes since then. I plan to remedy that here!

Nomad Web server connection options  

By Daniel Nashed | 1/25/23 7:30 AM | Infrastructure - Notes / Domino | Added by Oliver Busse

Nomad Web is a modern HCL client offering in form of a Progressive Web Application (PWA) running in your web browser. In addition to Windows or Mac, it also works on Ubuntu and other Linux distributions! So there is finally a client offering for Linux clients again! The Nomad Web application is installed on a server providing the required files for download. Those files can be stored on a SafeLinx or Domino/Nomad Web server.

Windows Sandbox - A feature you should know  

By Daniel Nashed | 1/23/23 2:20 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

The sandbox can be a very useful tool for many different situations. I am often using it for Domino server or client install tests. But there are many other use cases including training environments etc. It's a full throw away sandbox environment recreated every time you start it. The only limitation is that you can't reboot the Windows for example after a software update. But even installing the Windows re-distributable run-time package does not require a boot. Most applications like Notes/Domino install it on their own. I needed it to test my own applications. But there is an easy way to download and silent install it:

NGINX TCP Stream with SNI support. More than helpful for lab environments  

By Daniel Nashed | 1/23/23 2:15 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

In production you usually want centralized certificate handling and off-loading TLS termination to a load-balancer. I posted scripts to have NGINX reload certs automatically from Domino CertMgr via HTTPS to leverage Domino's Let's Encrypt implementation. But sometimes you really want all your servers directly exposed over TLS. For example in a lab environment with limited resources and only one IP, you might want to still have each of the hosts expose their services on their own.

Quest for SAML to everybody continues  

By Fredrik Norling | 1/23/23 2:10 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

My article regarding debugging SAML on HCL Domino is updated today with 2 points: What is the SP certificate used for? What can be wrong when you get a login loop? Check it out in the article: https://www.xpagedeveloper.com/2022/debugging-saml-setups-in-hcl-domino

Certificate Information tool   

By Fredrik Norling | 1/17/23 2:40 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

SSL certificates, SAML certificates, signing certificates: the number of different kinds of certificates is long, and you might need to check the name of a certificate, the start or end date or perhaps the thumbprint. I use the tool mainly to get end dates of certificates sent to me from customers because I hate when they expire and need to be changed without any preparation. And the worst kind that most administrators often miss is the certificates that are auto-created, i.e. in ADFS servers, Azure Enterprise apps, Okta

Email Encryption  

By Prominic.NET | 1/12/23 9:20 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Emails are now not only an important part of our daily lives but also one of the most used gateways for cybercriminals into our lives. Let’s explore how we can keep the door shut.

Please wait until that HTTP service is ready  

By Stephan Wissel | 1/3/23 10:17 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Our brave new world of containers and microservices runs on a combination of YAML and shell scripts. Getting them to run in the desired sequence can be a challenge. When ready isn't ready: All container environments have a 'depends' clause, so the container runtime can determine the correct startup sequence for the zoo of containers comprising the application to be launched. Each container will usually signal when it is ready. However, ready can mean different things to different applications. In the container world it should be: the service is available. However, it could be: service was successfully started, but might be busy with housekeeping. In the latter case the start scripts of the dependent services need to do their own waiting

HCL Domino, view indexer stuck with very high CPU usage  

By Jesper Kiær | 1/2/23 6:16 AM | Infrastructure - Notes / Domino | Added by Oliver Busse

I have a customer who has a Domino server running with very high CPU usage, and it should not, since it is not a very busy server. It is the indexer which gets stuck with very high CPU usage

Solution for broken TrendMicro ScanMail for Domino 12.0.2 on Windows  

By Remco Angioni | 12/23/22 4:16 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

After upgrading the Domino to 12.0.2, TrendMicro scanmail stops working. The cause is C API OSLoadLibrary changes in Domino 12.0.2. TrendMicro had identified the problem and created a temp workaround for it. See article: https://success.trendmicro.com/dcx/s/solution/000291870?language=en_US

Posted presentation on CompareDBs  

By Andre Guirard | 12/14/22 2:16 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

I gave a presentation about CompareDBs, the new template in 12.0.1 Domino server, for a recent OpenNTF webinar. The slides for that — with their attached notes — are a reasonably good summary of what the tool is good for, so I decided to post them here.

How to configure SAML SSO for HCL Nomad Web for Domino using Keycloak - Part 2  

By Heiko Voigt | 12/13/22 12:38 PM | Infrastructure - Notes / Domino | Added by Oliver Busse

So it took a little bit longer to get this 2nd part of the series - I ran into some issues during the configuration, also, we decided to upgrade our Keycloak implementation to the latest version 20.x and experienced some setbacks when re-importing the configuration from version 18.x - we lost a couple of settings and it took a while to find the differences and patch them up.

How to get the error message for a Notes error code  

By Daniel Nashed | 12/13/22 1:34 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Sometimes scripts or Domino server commands only return an error code and you would like to know the error message. There is an easy way to get the error message back from a server command. "show message [module] In most cases you don't need server tasks specific error messages and just use the decimal error code.

Setup DKIM for HCL Domino 12.0.2  

By Remco Angioni | 12/9/22 1:58 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Finally we can set up and use DKIM email authentication in HCL Domino. Here are the steps for adding DKIM in Domino and DNS. The actions are my actual commands for adding DKIM to my angioni.nl domain.

HCL Notes Client – “Invalid RTF Data On The Clipboard”  

By Ulrich Krause | 12/3/22 11:30 AM | Infrastructure - Notes / Domino | Added by Oliver Busse

The issue applies to HCL Notes 12.0.1 standard and basic as well as HCL Notes 12.0.2 32/64Bit standard and basic. When you try to change your signature in the Calendar Profile, you get the error message

OpenNTF Quickie: Install Domino + Nomad + Leap on Docker - YouTube  

By OpenNTF | 11/30/22 3:40 PM | Infrastructure - Notes / Domino | Added by Oliver Busse

This video demonstrates the installation process for Domino 12.0.2 including HCL Nomad Web and HCL Domino Leap on Docker using the Domino Container build script.

ID Vault “Invalid or nonexistent document” error caused by Cluster Symmetry Repair  

By Kim Greene | 11/29/22 12:34 PM | Infrastructure - Notes / Domino | Added by Oliver Busse

In helping a customer who was having an issue with getting TOTP working, I came upon an interesting situation with their ID Vault. When issuing ‘show idvault’, the following error was displayed: "Invalid or nonexistent document: Vault replica list inconsistency for vault /ID_Vault". The really strange thing about this situation was the replica of the ID Vault was on both the primary and secondary server, however only the primary server was listed as a Vault Server in the ID Vault itself.

How to configure SAML SSO for HCL Nomad Web for Domino using Keycloak - Part 1  

By Heiko Voigt | 11/29/22 10:57 AM | Infrastructure - Notes / Domino | Added by Oliver Busse

This is part one of my series on how to utilize Keycloak as the SAML IDP for HCL Nomad Web for Domino. While HCL describes the use of ADFS in the online documentation, Keycloak can serve for this purpose with ease as well. Within this series I want to describe the components and configurations that are necessary to make the two work together.

The lsconst expedient  

By Andre Guirard | 11/28/22 10:12 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

There are a lot of handy constants included in the LotusScript file lsconst.lss, which you can include in your scripts via the statement:
%Include "lsconst.lss"
It contains many “Const” definitions for symbolic names needed for calling built-in functions, such as this constant useful when calling Messagebox function:
Public Const MB_OK = 0
None of these constants is necessary since you can also hardcode the constant value when you make your call. But it makes your code easier to read and maintain if you use the symbolic names, so this is a best practice.

Domino 12.0.2 on Docker - some changes with One Touch setup  

By Oliver Busse | 11/28/22 4:03 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Today I learned the hard way what it means to "reset" the Docker Desktop installation using a tool like "Clean My Mac X", a tool that I strongly recommend to get rid of all crap that slows down your system - and does much more. However, resetting a Docker Desktop installation means that everything is wiped - except from the program itself. Docker started to be unstable, so my plan was to re-install it. After I did this task, I found out that all my containers were gone - including the images and volumes. The latter is the worst, so be careful.

Restic – Command Line Tool supporting Windows VSS  

By Daniel Nashed | 11/24/22 2:03 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Now that Domino 12.0.2 has a native VSS Writer, we can look into new interesting integrations. In my session at SUTOL conference this week, I showed a first version of a Restic integration for Domino 12.0.2 via VSS. Restic is a very interesting application (https://restic.net). It's a single binary written in Go and uses an approach like Borg Backup uses. But in contrast to Borg Backup it has full Windows support. This includes VSS Writer + AutoRecovery support! It is Open Source, efficient, flexible & secure. And very simple to set up & use!

Domino Oddness on Azure - 38 second delay in sending mail from web UI  

By Sean Cull | 11/22/22 10:43 AM | Infrastructure - Notes / Domino | Added by Oliver Busse

We have had an odd issue on Domino that we have not been able to resolve despite lots of input from HCL. I just wanted to post it in case any other person comes across it. The symptom is a Domlog entry for 38 seconds when you trigger an email via XPages. This happened @4 years ago on an Azure Linux Domino 9 server ( which we scrapped ) and then started again with an Azure Windows Domino 11 server about a year ago.

HCL Notes 12.0.2 - New Signature feature seems broken   

By Jesper Kiær | 11/21/22 2:07 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

To test the new HCL Notes 12.0.2 "Signature" feature I created a simple form with a Rich Text Lite field for testing out the feature. I have removed all options but the signature feature for the field. Only a part of the image seems to be saved in the field.

Tinkering with Mastodon, Keycloak, and Domino  

By Jesse Gallagher | 11/11/22 4:00 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Because of what I'll euphemistically call the current historical moment on Twitter, I (like a lot of people) decided to give another look at Mastodon. The normal way one would use it would be to sign up at mastodon.social and be on one's merry way, treating it just like a slightly-different Twitter. However, Mastodon is intentionally designed to be federated in a way similar to email, and the software is available on GitHub complete with scripts for Docker Compose, Vagrant, and so forth. So I went and did that, setting up my currently-barely-used account at @jesse@pub.frostillic.us. That on its own isn't particularly notable, nor are the specifics of how I set it up (it was a hodgepodge of a couple posts you can find by looking for "mastodon docker compose"). What I found neat for our purposes here was the way I could piggyback authentication onto stuff I had recently done with Keycloak. Keycloak, incidentally, was the topic of today's OpenNTF webinar, so, if you didn't see it, check back there for the replay when it's posted.

November OpenNTF Webinar: Integrate Keycloak with Domino for Identity Management  

By OpenNTF | 11/9/22 4:09 PM | Infrastructure - Notes / Domino | Added by Oliver Busse

In the days of micro-services, Identity Management, Identity Brokering and Single-Sign-On Capabilities are getting more and more important. HCL has put some serious investment into modernizing the various Domino authentication capabilities but still a lot of services require external system integration to be a nice citizen in a service orchestra. In this session, Heiko wants to demonstrate the use cases and technical ways to integrate one major Open Source Identity Management system with HCL Domino - Keycloak.

Protecting your Domino container with fail2ban  

By Martijn de Jong | 11/7/22 4:25 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

If your Domino server is connected to the Internet, you’ll find that bots (hacked systems running a script) will throw a brute force attack on your Domino server. For me, especially, my SMTP server was under heavy attack. The reason why it’s interesting for hackers to find a valid login on an SMTP server, is that this will probably allow them to send spam through your mail server. Most mail servers allow sending mail through their servers for other domains for authenticated users only. The chances of them guessing any of the users in my Domino directory right and then also guessing the password correctly are basically zero, but the pollution of my log file is reason enough to stop them. Fail2ban is a very elegant program for Linux to do just that. You can configure it to scan log files for certain patterns (it uses RegEx to recognise them) and add hosts that match those patterns too often within a defined period of time, to the block list of iptables.

First look at the Genesis Catalog - the App Store for Domino software  

By Prominic.NET | 11/3/22 1:26 PM | Infrastructure - Notes / Domino | Added by Oliver Busse

During Collabsphere 2022, Prominic’s CTO Justin Hill presented a new tool we’ve made at Prominic that is not only very useful but also has a great potential: Genesis.

SnTT - Which Database has an FTI?  

By Keith Brooks | 11/3/22 6:43 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Earlier this year, Martin Vogel and I gave a session at Engage titled "Teaching Young and Old Dogs New Tricks: Notes & Domino Shortcuts You Wish You Knew." It was a great session with a filled capacity of the room. But I was neglectful; I had planned to post some essential tips in my blog at the time but did not get to it. I will try to make up for it over the next few weeks. The first one that not everyone may know about is how to find out which databases have an FTI, Full Text Index. Here is the scenario: You are asked to build new servers for your customer or organization and while looking at the old server, notice some indexing on some databases. This causes you to think, how do I find out which databases have an FTI so they can be rebuilt on the new server?