Notes / Domino
Domino Download Bash Script leveraging My HCL Software Portal 
By Daniel Nashed | 11/27/23 12:58 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro
The My HCL Software Portal is still an early access offering in parallel to Domino 14 early access.
It is planned to replace the Flexnet download soon and way easier and much faster to navigate.
The website just works and has awesome performance.
Domino 14 AutoUpdate leverages a new software download API to automatically download software into autoupdate.nsf.
The download just needs a download token, which can be requested if you are log into https://my.hcltechsw.com/.
I have been looking for a way to automatically download software for a couple of years.
Now with the new portal and this new API it is possible to write a Bash script for full command-line operations including a simple to use menu.
There are two different modes. By default the script uses My HCL Software navigation.
But alternatively it can also leverage Domino 14 Auto Update software.jwt, which has more granular information and allows a more structured download package browsing experience.
nginx as ingress for Docker composeg
By Stephan Wissel | 11/16/23 1:57 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro
nginx as ingress for Docker compose - In June I wrote about how to use Docker & nginx to deliver statically rendered brotli files for your web (frontend) application. It improves delivery quite a bid, but left me wonder: isn't there too much static WebServer involved? Double hop to deliver static files.
Nginx as reverse proxy and SNI
By Martijn de Jong | 11/10/23 4:43 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro
I had some difficulty to find a good title for this article that would really cover the contents. Therefore, let me start with describing the problem I faced which led to this article.
I have a lot of sites running on my home server (this blog being one of them) using different technologies. As I have a single IPv4 address, all these sites are behind a reverse proxy, for which I use Nginx. A couple of those sites are Domino sites and last week I realised there was something wrong in that area. I have several internet site documents on Domino for different urls. However, last week I realised that all my urls that were forwarded to Domino, were being serviced based on the same internet site document. In other words, Domino did not recognise for which internet site a request was meant.
DOMI integration with IPS enabled
By Rainer Brandl | 11/7/23 2:07 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro
This week I had the issue that a customer has enabled IPS for any outgoing http/https traffic which caused a non-working DOMI integration because the token could not be approved.With a very helpful link from the HCL Support the issue could easily be solved by whitelisting the request to "integration-auth-token.hcltechsw.com" on port 443.
Configuring Entitlement Tracking in Domino 12
By Dmytro Pastovenskyi | 11/3/23 2:31 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro
In the realm of HCL Domino Server 12.0, the feature of "Entitlement Tracking" has become a vital component for organizations.
While comprehensive information regarding Entitlement Tracking is available through HCL, I needed to know some practical management aspects, such as disabling the feature and adjusting intervals etc.
HCL Nomad Web SAML Authentication with Keycloak - Part 3: Nomad Web ID Vault Configuration
By Heiko Voigt | 11/2/23 3:08 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro
In Part 2, we did the Keycloak Setup and created a realm, an identity provider (Domino LDAP), the Domino Service Provider information on Domino and exported the Service Provider XML, we did a set up for the nomad-config.yml on Domino and created the Service Provider on Keycloak by importing the Domino Service Provider XML and modifying it as needed. We then started Nomad and made sure, all switches fall into place.
Now, the only "Annoyance" in this process is the prompt of the Password of the Notes ID when we set up Nomad Web. Let's eliminate this as well as follows:
SAML SSO and Keycloak with HCL Nomad Web - Part 2: HCL Nomad Web Authentication
By Heiko Voigt | 10/31/23 8:18 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro
Wow - it's been REALLY long since I started my first post about SAML SSO with Keycloak and Domino. Today, we are going to take a look at Nomad Web on Domino (no Safelinks) and how we can make use of SAML to authenticate against the HCL Nomad Web Server and (in Part 3 of this series), the ID Vault to be able to unlock the Notes ID without a second password prompt.
NotesIn9 210: Compare Database Differences
By David Leedy | 10/31/23 2:43 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro
In version 12 of HCL Domino they added a new advanced template that can be used to show differences in design elements between two database. This might come in handy if you need to compare databases. In this show I’ll give a short demo on this so you can get started using it.
NotesIn9 209: Creating a new Domino Domain
By David Leedy | 10/23/23 8:32 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro
In this show I demo how to create a brand new HCL Domino v12 server and Domino Domain. I also show how to install the v12 Notes/Designer/Admin client. Its been a while since I did a show and I had some audio issues but I cleaned up much of it and should be better going forward.
Get your Linux environment ready for Domino V14
By Daniel Nashed | 10/20/23 3:43 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro
Domino V14 is planned to ship end of this year. For Windows the system requirements don't really change, because of the universal run-time.
But for Linux a newer compiler brings new OS dependencies. Specially the glibc version, which brings the base run-time support for C and also the C++ standard libs are important.
An application build with a newer compiler on a newer Linux version does not run on older versions with lower glibc versions.
glibc is the The GNU C Library - https://www.gnu.org/software/libc/
The new version required was released in August 2021 and is part of most current long term release Linux distributions.
Is HCL Notes/Domino using Oracle Java?
By Thomas Hampel | 10/14/23 7:42 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro
The short answer: No!
Background:
On January 23, 2023, Oracle announced (again) yet another new licensing model for Oracle Java that represents a dramatic price increase for large organizations.
This can lead to interesting discussions since e.g., a 40,000-employee organization could be asked spending USD $2.5M annually just on Oracle Java alone.
What Java version is used by Notes and Domino?
Notes and Domino are providing the Java runtime as part of the product, so customers do NOT need to download or install the Java runtime environment separately.
Since the JVM/JDK is part of the licensed product, it is covered under the product license of HCL or previously the product license of IBM.
With the acquisition of the product by HCL, dependencies to IBM Java were removed and got replaced with OpenJDK effectively in version 11.0.0 of HCL Notes/Domino.
Java updates are provided by HCL (and previously by IBM) typically as part of regular fix packs.
Domino Authentication via SAML – All Flavours
By Milan Matejic | 10/13/23 1:55 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro
For the Engage 2022 event, I prepared a "Domino Authentication via SAML - All Flavours" session, to present it with my colleague Herwig W. Schauer. Alas, the session never got accepted and I never had time to convert it to a whitepaper. As I invested quite a bit of time for preparing the slides, I thought that I should upload it here before it inevitably travels into oblivion. Maybe it will come handy for some of you.
Keep HCL Domino JVM settings during upgrade?
By Remco Angioni | 10/9/23 2:58 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro
When you have added custom settings in the Domino JVM environment, and upgrade Domino....you noticed that all your settings are gone. Even the custom JARS are removed. There is a way to keep them during the upgrade of Domino, and that's to tell Domino JVM that the files are on a different location...outside the Domino
Running Domino with SELinux on current REHL/CentOS Stream 9 & Co
By Daniel Nashed | 10/9/23 2:56 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro
Domino 12.0.2 added support for SELinux in enforced mode, which is enabled by default by newer installations.
SELinux is a lower level security feature, which can even limit processes running with root permissions.
But the application needs to have a SELinux profile.
I ran into this week on my own on a RHEL 9.2 machine and I got the same problem from a partner yesterday.
It turns out that systemd can't read from /tmp any more. But the Domino service from my Nash!Com start script writes the domino process id into the /tmp folder.
With SELinux enabled you get the following error message when looking into your service status (domino statusd).
The start and stop operations of your server will also hang, because systemctl will hang.
systemd[1]: domino.service: Can't convert PID files /tmp/domino.pid O_PATH file descriptor to proper file descriptor: Permission denied
Required Notes and Domino anti-virus file exclusions
By Daniel Nashed | 10/9/23 2:54 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro
This discussion came up in an OpenNTF Discord channel.
The question was if this might be a good idea to keep OS level anti-virus enabled for Notes/Domino files.
There is a clear statement from HCL about exclusions. But the technote doesn't explain why those exclusions are important.
The exclusion might be different for each anti-virus production in detail. It also depends on customer IT policies how to exclude data.
This can be either by path, extension or process.
There are also recommendations from some anti-virus vendors stating the same exclusions for their specific product:
Guidelines for excluding Notes and Domino directory and files when running an operating system Antivirus
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0093046
ible Ans
Lotus Evangelist: SMTP BlackListing, WhiteListing and Log and Reject/Tag
By Keith Brooks | 10/5/23 5:09 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro
If you rely on your Domino server to handle all your mail, you probably have had numerous attacks on your server over time or even lately, as I did last week.
My personal Domino server is a mix of real code, websites, and active email, with various half-coded things and weird templates or customer testing.
However, I started getting harassed by sites looking for open SMTP accounts recently and figured something was amiss in my configuration document.
SAML Login redirections problem in Domino 12 - XPageDeveloper.com
By Fredrik Norling | 10/3/23 2:07 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro
Before we dive into the problem, let’s briefly understand the SAML authentication process within HCL Domino:
User requests access: A user attempts to access a resource (e.g., a web application) protected by SAML authentication.
Identity Provider (IdP) initiation: The user is redirected to an Identity Provider (IdP) for authentication. The IdP can be an external service or a SAML-enabled component within Domino itself.
Authentication: The user logs in at the IdP. Upon successful authentication, the IdP generates a SAML assertion, a digitally signed XML document containing authentication information.
SAML assertion delivery: The SAML assertion is sent back to the Domino server.
Domino server validation: Domino verifies the SAML assertion’s authenticity and extracts user identity information.
User redirection: If the SAML authentication is successful, Domino redirects the user to the requested resource.
The Samesite Cookie Issue
The problem arises at step 6 in the SAML authentication process. Users are not being redirected as expected, and this issue is attributed to a relatively new feature in web browsers called “Samesite.”
My thoughts on how Domino registers users
By Remco Angioni | 10/2/23 2:00 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro
We all know Domino registers users. You need the certifier for the correct O or OU and the user is created with the hierarchical Full Name as the certified user. So, the hierarchical Full Name is the unique key. When you add users to a group, the hierarchical Full Name is added to the group.When you add users to the ACL, the hierarchical Full Name is added.
Don’t you all hate the DELETE/RENAME Adminp actions? It can take days before finishing, depending the amount of servers you have. And somtimes……it fails or got stuck in the flow.
HCL Domino rename via ADMINP does not check the new username in IDVault’s inactive users view.
By Remco Angioni | 10/2/23 1:59 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro
We discovered some strange behavior during a user rename. The user was renamed via ADMINP. AdminQ pushed the renameflow that evening, because we enabled AdminQ also for registered users. The next morning we checked the rename and everything looks fine. But.....the user logged in, still with his old name and received an error that he wasn’t allowed to access the Domino server.
Domino CertMgr GitHub Repository with additional material
By Daniel Nashed | 9/27/23 1:21 AM | Infrastructure - Notes / Domino | Added by Oliver Busse
Documentation is always a challenge. This is specially true when it comes to complex topics like SSL/TLS certificates.
Many admins still use their old cook books to get certificates created.
When HCL introduced CertMgr in Domino 12.0 the team asked for feedback in the early code drops.
And the team is keeping asking in public and private forums since then.
We really need your help to get it right. We need detailed feedback and questions.
My new plan is to turn questions into FAQs and Howto documents in this GitHub repository.
Who moved my Domino keyfile.kyr files?
By Daniel Nashed | 9/25/23 2:00 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro
Domino security in 2023
Domino 12.0 introduced a new, standards based and open way to work with web server certificates.
Instead of using command-line tools like OpenSSL and the Domino kyrtool you can now manage all web server certificates in a domain wide certstore.nsf.
The new functionality based on the well known text based PEM standard for certificates provides simplified flows and automation options for all type of certificates.
Domino 12 also introduces the more modern ECDSA (sometimes referred as ECC) keys/certificates which are based on elliptic crypto which has dramatically less overhead.
Moving from keyfile.kyr to certstore.nsf
The legacy kyr files can be automatically imported into certstore.nsf with a single command-line operation (load certmgr -importkyr all).
New Tiny Project: Wink Chattiness Patch
By Jesse Gallagher | 9/19/23 3:38 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro
I've been using the Domino 14 betas for development for a while now, and one of the things that has driven me a little nuts is the way Wink spews a bunch of INFO-level logs to the server console when the XPages runtime initializes. You've probably seen it - this stuff:
It goes on for a while like that.
This isn't new with 14 as such - it's just that 14 now ships with Verse by default, and Verse uses the Wink distribution that came along with the Extension Library, and so now everyone sees this.
Quick Tip: What is Notes tryin' to tell me? // Oliver Busse
By Oliver Busse | 9/18/23 4:27 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro
Quick Tip: What is Notes tryin' to tell me? // Oliver Busse
Quick Tip: What is Notes tryin' to tell me? // Oliver Busse /hp.nsf/life.png width=device-width, initial-scale=1 /xsp/.ibmxspres/.extlib/bootstrap/xsptheme/xsp.css /xsp/.ibmxspres/.extlib/bootstrap/bootstrap320/css/bootstrap.min.css /xsp/.ibmxspres/dojoroot-1.9.7/dijit/themes/tundra/tundra.css /xsp/.ibmxspres/.extlib/bootstrap/xpages300.css https://maxcdn.bootstrapcdn.com/font-awesome/4.4.0/css/font-awesome.min.css /hp.nsf/bs3_tweaks.css /hp.nsf/paper/bootstrap.css /hp.nsf/hp_tweaks.css /hp.nsf/google-code-prettify/prettify.css /hp.nsf/prettify-desert.css 12, hcl, notes, quicktip, wtf /xsp/.ibmxspres/.extlib/css/tagcloud.css Toggle navigation index.xsp Oliver Busse about.xsp About # Pages blog.xsp Blog tutorials.xsp Tutorials docu.xsp Docs http://de.slideshare.net/OliverBusse Slide Decks terms.xsp Terms domnav.xsp Domino Navigator other.xsp More # Projects http://www.openntf.org/main.nsf/project.xsp?r=proj
Upgrading Notes client to V12 on Terminal Server
By Roberto Boccadoro | 9/13/23 12:07 PM | Infrastructure - Notes / Domino | Added by Oliver Busse
I worked with my friend and lady geek, Marianna Tomasatti, at a customer to perform an upgrade of the Notes client to V12.0.2 FP1 on Terminal Server Windows 2019 Datacenter (multi-user installation) because the Notes clients had some issues.
Admin Client - custom icons for each domain?
By Thomas Hampel | 6/13/23 2:39 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro
When you have to manage multiple Domains in your Admin client, finding the right domain
This example here is just showing two Domino Domains, but there are admins out there with 100+ domains to manage.
Maybe you want some custom icons then?
Time matters with SAML - XPageDeveloper.com
By Fredrik Norling | 6/5/23 2:31 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro
Keeping you servers time synked is important for server operations to keep running smoothly. And if you are using SAML it’s crucial because if your servers time drifts away you will get BAD SAML REQUEST and your users can’t login. To find out if this is the problem add DEBUG_SAML=31 (Set it to 0 to turn it off) in your notes ini and look for this entry.
Domino V14 backup for notes.ini
By Daniel Nashed | 6/1/23 2:03 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro
Domino backup is around since 12.0 and it got improvements in every release.
There are not many current AHA ideas for Domino Backup & Restore.
One smaller feature you can see in EAP1 is the backup of the notes.ini.
How to use Domino OTS on Kubernetes to import an existing TLS Certificate
By Daniel Nashed | 5/30/23 12:05 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro
Domino One Touch Setup has been designed with flexibility in mind, with special focus on getting a server up in a secure way.
On Docker you can just mount PEM files into the container. On Kubernetes TLS Certificates and Keys are stored in secrets.
Personally I am not a big fan of storing PEM files on disk. But you could at least set a password on the PEM file you import.
Here is a basic example how to create a secret on K8s and reference it in OTS.
Even the simple environment variable setup supports the security settings for CertMgr.
Of course the same functionality is also available with the more flexible JSON based configuration.
Importing trusted MicroCA Roots for a Nomad Lab environment
By Daniel Nashed | 5/29/23 12:39 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro
Yesterday I worked on a lab configuration based on Windows Sandbox, Domino and Nomad Web.
The biggest challenge is to have a trusted certificate for Nomad Web.
Nomad Server running with the Micro CA
A Nomad Server can use Domino CertMgr Micro CA Certs. But the root is not trusted in your browser.
I took a closer look and came up with a simple solution. which makes the import dramatically easier.
No more searching for the right trust store and handling PEM files manually.
Tuning Domino Servers for TLS sessions
By Daniel Nashed | 5/24/23 2:13 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro
My previous post was mainly about HTTP traffic and I mentioned TLS/SSL don't use the maximum number of connections settings, because they have a SSL/TLS session.
Establishing a new TLS session has significant overhead! And you have to make sure in any application, that those sessions are cached and resumed.
I revisited a blog post from 2012 where I explained a fix, which went into 8.5.3. And was enabled in 8.5.4 by default (which turned into the 9.0 release when shipped as far I recall).
There was an issue with the session cache and a new cache had been implemented in 8.5.3. Today the new cache is the default and SSL_USE_ADDSESSION2=1 does not exist any more.