Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

    Rethink What You Know about HCL Domino

    Daniel Nashed  20 September 2020 22:32:15
    Wow! Those are statements we would never have heard from IBM.

    I really wish we had seen HCL taking over Domino and all the other collaboration products earlier ...


    For me Notes and Domino are still the best collaboration and rapid application development platform. Volt leverages Domino and it is evolving!

    Many customers are staying on older versions of Domino, even though, compared to other platforms, Domino is easy to update in place!
    Older Domino versions work too well for customers to feel the need for an upgrade. Even after an upgrade, new functionality is often not leveraged.

    https://www.hcltechsw.com/domino/rethink-domino



      HCL Domino Early Access presented at DNUG event

      Daniel Nashed  14 September 2020 22:00:44
      The slides have been posted here -> https://blog.hcltechsw.com/wp-content/uploads/2020/09/2020-09-08-DNUG-Keynote-1.pdf



      You can find the link in the official Domino Early Access post:

      https://blog.hcltechsw.com/domino/introducing-hcl-domino-early-access-program/

      The slide deck gives you background on the Early Access Program and also useful tips on how to start (including a longer appendix with installation tips).

      You can directly start with the September code drop available on FlexNet.

      -- Daniel


      HCL Domino V12 Early Access September Code Drop available

      Daniel Nashed  14 September 2020 11:19:08

      The new code drop is available ...


      Hot news: HCL Domino V12 Early Access Program

      Daniel Nashed  9 September 2020 07:49:53

      The new early access program for Domino V12 went live yesterday.

      At the same time we had a #dnug47online session about it and HCL showed the first code drop.

      HCL Ambassadors got early hands-on with a first code drop, and the program is now open to all customers and partners with no separate registration -- the software is available on FlexNet.




      This is really different from the last betas. We get early access to new functionality at design partner level.

      This beta leverages the Linux platform on Docker for easier deployment. There will be a separate full beta with all the different platforms.


      Docker will be new for many customers and partners more focused on Windows.

      But I would see this as a chance to look into modern, exciting technology.

      As you might know from my blog posts, I have a strong Domino on Docker focus, and if someone needs a jump start, I have a presentation to share with a lot of details on how to get started.


      Here is the link to the official HCL blog post:


      https://blog.hcltechsw.com/domino/introducing-hcl-domino-early-access-program/

      I hope to see many of you in the forum.


      -- Daniel


      Generate QR Codes on your local Linux machine

      Daniel Nashed  28 August 2020 22:13:51

      A while ago I had a blog post about multi-factor authentication on Linux.
      There are many other places where you can use the TOTP protocol already today.
      It's really convenient to use a QR code for setup.

      What you should avoid is pasting the shared secret into any type of website to generate the QR code, as Google suggests in their setup (with disclaimers): whoever runs that website gets to see your TOTP seed.

      Here is a simple but powerful tool running in a text-based terminal on Linux.

      The two most interesting output options are PNG and ANSI256 text (rendered directly in the terminal).

      It's simple to install and to use ..

      yum install qrencode

      qrencode "http://www.nashcom.de" -tANSI256 -o -
      qrencode "http://www.nashcom.de" -tPNG -o test.png
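      As an added example (not part of the original post), here is a small shell script that builds the otpauth:// provisioning URI for a TOTP account locally and hands it to qrencode, so the shared secret never leaves the machine. The issuer, account and secret in the demo are constructed values, and the URI layout follows the otpauth key URI format that common authenticator apps understand.

```shell
#!/bin/sh
# Added example: build the otpauth:// provisioning URI for a TOTP account on
# the local machine and render it with qrencode. Nothing is sent anywhere.
# Issuer, account and secret used in the demo are constructed values.
set -eu
LC_ALL=C; export LC_ALL

# Percent-encode a string for a URI (RFC 3986 unreserved characters pass through).
urlencode() {
  printf '%s' "$1" | awk '
    BEGIN { for (i = 1; i < 256; i++) ord[sprintf("%c", i)] = i }
    {
      out = ""
      for (i = 1; i <= length($0); i++) {
        c = substr($0, i, 1)
        if (c ~ /[A-Za-z0-9._~-]/) out = out c
        else out = out sprintf("%%%02X", ord[c])
      }
      printf "%s", out
    }'
}

# Fresh 160-bit secret as base32 (RFC 4648), which is what authenticator apps expect.
# Needs the base32 utility from coreutils.
new_secret() {
  head -c 20 /dev/urandom | base32 | tr -d '=\n'
}

# otpauth URI as understood by common authenticator apps:
#   otpauth://totp/<issuer>:<account>?secret=<base32>&issuer=<issuer>&...
# Base32 padding is stripped and anything that is not base32 is rejected,
# so a typo never ends up inside the QR code.
totp_uri() {
  issuer=$1; account=$2
  secret=$(printf '%s' "$3" | tr -d '=')
  digits=${4:-6}; period=${5:-30}
  case "$secret" in
    ''|*[!A-Z2-7]*) echo "totp_uri: secret must be base32 (A-Z, 2-7)" >&2; return 1 ;;
  esac
  enc_issuer=$(urlencode "$issuer")
  printf 'otpauth://totp/%s:%s?secret=%s&issuer=%s&algorithm=SHA1&digits=%s&period=%s\n' \
    "$enc_issuer" "$(urlencode "$account")" "$secret" "$enc_issuer" "$digits" "$period"
}

# Render the URI: ANSI256 draws it in the terminal, PNG writes a file.
render_qr() {
  if [ "$#" -ge 2 ]; then
    qrencode -t PNG -o "$2" "$1"
  else
    qrencode -t ANSI256 -o - "$1"
  fi
}

# Demo with constructed values; only runs where qrencode is installed.
if command -v qrencode >/dev/null 2>&1; then
  render_qr "$(totp_uri 'Example Corp' 'alice@example.com' 'JBSWY3DPEHPK3PXP')"
fi
```

      Scan the terminal output with the authenticator app, then clear the terminal: the rendered code is the secret.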




      What do you use for Internet Certs inside the company?

      Daniel Nashed  28 August 2020 11:45:54

      For external servers Let's Encrypt is a great option to automate certificate management.
      But as long as you are not using officially registered DNS names in combination with "split DNS" etc., you can't use Let's Encrypt to manage your certs internally, because the CA has to validate each name over the public internet.
      Also Let's Encrypt has rate limits on the number of certificates you can request per domain.

      What type of CAs? Manual or automated?

      So I am curious what type of CAs you use out in the field.
      And how do you integrate certificate request flows?
      Do you have automation today?

      Microsoft CA.

      I guess that's one of the most commonly used CAs today, in combination with AD?

      I just looked again into the Microsoft CA yesterday, because at one of my customers we need to renew around 40 certs.
      The only way they offer for non-Windows machines to request them automatically is via the Microsoft CA website.
      Depending on the configuration and your user permissions you can get certificates on the fly.
      Or you just kick off the process by pasting a CSR and get a request number, which can be used later to retrieve the certificate.

      For what I needed I wrote a shell script leveraging curl to submit the request and to later download the certificate.

      The interface doesn't offer any type of REST request with a defined interface and I am not aware of any official interface. Maybe someone has an idea?
      I am just simulating the behavior of the website using curl for now. The only alternative is the command line, which has to be executed on the CA or on an authorized machine.
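      As an added example (not the script mentioned in the post), here is how such a curl-based flow against the Microsoft CA web enrollment pages can look. The page names certfnsh.asp and certnew.cer and the form fields are the ones the certsrv HTML forms post, but they are not a documented API, so treat them as an assumption to verify against your own CA; the hostname and account are placeholders, and the HTML snippets in the comments are constructed.

```shell
#!/bin/sh
# Added example (not the post's script): drive the Microsoft CA web enrollment
# pages (/certsrv) with curl to submit a CSR and pick up the issued certificate.
# Page names and form fields are taken from the certsrv HTML forms; they are
# not an official API, so verify them against your CA. Hostname and account
# below are placeholders.
set -eu

CA_URL=${CA_URL:-https://ca.example.internal/certsrv}   # assumed hostname
CA_USER=${CA_USER:-'EXAMPLE\svc-certreq'}               # assumed account; curl prompts for the password (or use ~/.netrc)

# Pull the request ID out of the certsrv response HTML. certfnsh.asp either
# links straight to certnew.cer?ReqID=<n> (issued immediately) or says
# "Your Request Id is <n>." when the request waits for an administrator.
extract_reqid() {
  body=$(cat | tr -d '\r')
  id=$(printf '%s\n' "$body" | sed -n 's/.*ReqID=\([0-9][0-9]*\).*/\1/p' | head -n 1)
  [ -n "$id" ] || id=$(printf '%s\n' "$body" | sed -n 's/.*Request Id is \([0-9][0-9]*\).*/\1/p' | head -n 1)
  [ -n "$id" ] || { echo "extract_reqid: no request id in response" >&2; return 1; }
  printf '%s\n' "$id"
}

# Submit a PEM CSR for a certificate template; prints the request ID.
ca_submit() {
  csr_file=$1; template=${2:-WebServer}
  curl -sS --ntlm -u "$CA_USER" \
    --data-urlencode 'Mode=newreq' \
    --data-urlencode "CertRequest@$csr_file" \
    --data-urlencode "CertAttrib=CertificateTemplate:$template" \
    --data-urlencode 'TargetStoreFlags=0' \
    --data-urlencode 'SaveCert=yes' \
    "$CA_URL/certfnsh.asp" | extract_reqid
}

# True if the file starts with a PEM certificate. certsrv answers with an HTML
# page while a request is pending or denied, and that must never be installed.
is_pem_cert() {
  [ "$(head -n 1 "$1" | tr -d '\r')" = '-----BEGIN CERTIFICATE-----' ]
}

# Download an issued certificate by request ID; returns 1 while still pending.
ca_fetch() {
  id=$1; out=$2
  curl -sS --ntlm -u "$CA_USER" -o "$out" "$CA_URL/certnew.cer?ReqID=$id&Enc=b64"
  is_pem_cert "$out" || { echo "request $id not issued yet (or denied)" >&2; return 1; }
}

# Typical flow: submit, then poll until the CA (or an admin) has issued it.
# Usage: ca_enroll server.csr server.crt [template]
ca_enroll() {
  id=$(ca_submit "$1" "${3:-WebServer}")
  echo "request id: $id" >&2
  tries=0
  until ca_fetch "$id" "$2"; do
    tries=$((tries + 1))
    [ "$tries" -lt 30 ] || { echo "giving up on request $id" >&2; return 1; }
    sleep 60
  done
  openssl x509 -in "$2" -noout -subject -enddate
}
```

      The two checks that matter in practice are parsing the request ID robustly (the issued and pending pages look different) and refusing to treat anything that is not PEM as a certificate, so a "taken under submission" page never ends up in a keystore.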

      So I am interested to hear what type of CAs you use and how the process is to get a certificate issued.
      And what automation you have implemented today.


      -- Daniel




      Very old memories: Lotus Connector Classes in C-API

      Daniel Nashed  27 August 2020 20:16:49
      I just realized that I have been a freak most of my professional life -- LOL. Talking with another developer we ran into old LEI stories.
      "LEI", "IEI" and now "HEI" have been around for a very long time and are still really powerful.

      The back-end is part of Domino and you can use the LC classes in Lotus Script.
      Not sure if the documentation database is still around. I still have it on my help tab.


      It was always cross-platform like all "Lotus" products and connected to all databases in the early days.
      The software came from Edge Research and was way ahead of its time.
      It also included powerful conversion for all types of character sets like EBCDIC.


      Around 1999 I needed a very fast sync solution for our in-house applications and wrote a native C-API application leveraging the underlying LC API.
      That API wasn't really documented for application development, but I somehow figured it out from the LC connectors guide -- intended to develop your own connectors.

      It has been a while! The product is still around and as powerful as it always was, even though we have other standards like JDBC.


      -- Daniel



      ST 11.5 Meetings Preview on Docker

      Daniel Nashed  24 August 2020 20:36:25

      ST Meetings is finally available as a preview. I looked into the installation and with some minor tweaks and tips you should get it working.

      Once you know how it works a Docker setup has really some advantages.

      The documentation will hopefully evolve over time: https://help.hcltechsw.com/sametime/11.0.2/admin/t_deployment_docker.html

      Let me give you some feedback from what I just did. It's not a complete installation instruction.
      Just my side notes to complement the documentation and it could help when troubleshooting.

      Once you know how it works it just needs a couple of minutes to be up and running.
      (It's a test environment with a default cert for now)


      Environment

      I used a SLES 15 SP server as a Docker host and also installed Domino 11.0.1 FP1 along with Sametime 11.0.2.
      So I have ST Community server, ST Proxy native on Linux and the ST Meetings server on Docker.


      Docker CE 19 Version

      First of all you should note that you have to use a recent Docker version. I would personally never install anything earlier than Docker CE 18.
      SLES 15 SP2 comes with Docker CE 19 out of the box. But CentOS 7.x comes with a very old Docker version in its own repositories, which will not work!

      Depending on how you set up CentOS 8.x you will end up with an up-to-date Podman instance, which is sort of Docker compatible, but will not work for what we need.

      So you really have to install Docker using their official repo --> https://docs.docker.com/engine/install/centos/
      I would stay with CentOS 7, because the containerd version in CentOS 8 does not allow you to install Docker CE 19.x. But Docker CE 18.x should also work if you want CentOS 8.x
      While testing I did SLES and CentOS installations in parallel. Both finally worked.

      The important part is to get all the host names and ports configured in the right way.
      I have not looked into replacing the certs -- I have not seen if ST Meetings supports Let's Encrypt like the underlying Jitsi server does.


      Install Docker Compose

      Docker Compose does not come with Docker CE. You have to install it separately.
      It will be used to bring up all the containers using the docker-compose.yml file, which holds a description of all the containers and the network.

      Here is how you can install it --> https://docs.docker.com/compose/install/


      ST Meeting Server

      The installation comes with the Docker images and installation scripts.

      Before you start you really have to look into the custom.env file which is all you need to customize!
      There is a .env file which is used by docker-compose. And the docker compose file leverages variables defined in both files.

      Along with that, the configuration is written into the jitsi-config directory.
      This is important information, because if your setup was wrong, you will need to remove the directory to get the configuration reset.

      The first installation will also create the JWT_APP_SECRET which you have to copy to your ST proxy and ST community server as outlined in the documentation.
      If you have made that configuration, you should pass the base64 encoded value when the install.sh script asks for it.

      In my case I had to redo the configuration a couple of times and look into the logs (so pasting the existing secret was helpful).

      Also looking into the logs of the container might be helpful.

      This command for example gets you the logs from the nginx container which you might need for troubleshooting (helped in my case).

      docker-compose logs -f nginx


      But if things go right you just run the install.sh script which will

      - load all the Docker images into your Docker host
      - write the configuration
      - use docker-compose up to create all the containers needed

      The configuration is local on your Docker host and mounted into the container as a volume.

      If you have to stop and remove all the containers you can just use

      docker-compose down

      This makes it easy if you need to review/update the config and start again.
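      The following helpers are an added example, not code from the post or from HCL's install scripts: a preflight check covering the Docker version, docker-compose, the env files and the secret, plus a reset that takes the containers down and moves jitsi-config aside instead of deleting it. The file names (custom.env, .env, docker-compose.yml, jitsi-config, install.sh) and the JWT_APP_SECRET variable are taken from the post; that the secret is kept as a KEY=value line in custom.env is an assumption.

```shell
#!/bin/sh
# Added example (not from the post or the ST Meetings install scripts): small
# preflight and reset helpers for the docker-compose based setup described
# above. File names and the JWT_APP_SECRET variable come from the post; that
# the secret is stored as a KEY=value line in custom.env is an assumption.
set -eu

# Major version of a Docker version string such as "19.03.12" or "18.09.1-ce".
docker_major() { printf '%s\n' "$1" | sed 's/^\([0-9]*\).*/\1/'; }

# Refuse very old engines: the post says nothing earlier than Docker CE 18.
docker_ok() {
  major=$(docker_major "$1")
  [ -n "$major" ] && [ "$major" -ge 18 ]
}

# Read KEY=value from an env file; first match wins, quotes are not stripped.
env_get() { sed -n "s/^$2=//p" "$1" | head -n 1; }

# JWT_APP_SECRET must be the base64 string install.sh asks for: base64
# alphabet only, length a multiple of 4, at most two '=' and only at the end.
is_base64() {
  s=$1
  case "$s" in ''|*[!A-Za-z0-9+/=]*) return 1 ;; esac
  [ $(( ${#s} % 4 )) -eq 0 ] || return 1
  s=${s%=}; s=${s%=}
  case "$s" in *=*) return 1 ;; esac
  return 0
}

# Reset: stop and remove the containers, then move the generated jitsi-config
# directory aside (kept for comparison) so install.sh regenerates it.
st_reset() {
  dir=${1:-.}
  ( cd "$dir" && docker-compose down )
  if [ -d "$dir/jitsi-config" ]; then
    mv "$dir/jitsi-config" "$dir/jitsi-config.$(date +%Y%m%d%H%M%S).bak"
  fi
}

# Preflight: run before install.sh; fails on the problems discussed above.
st_preflight() {
  dir=${1:-.}
  ver=$(docker version --format '{{.Server.Version}}')
  docker_ok "$ver" || { echo "Docker $ver is too old; use Docker CE 18 or newer" >&2; return 1; }
  command -v docker-compose >/dev/null 2>&1 || { echo "docker-compose is not installed" >&2; return 1; }
  for f in custom.env .env docker-compose.yml; do
    [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
  done
  secret=$(env_get "$dir/custom.env" JWT_APP_SECRET)
  if [ -n "$secret" ] && ! is_base64 "$secret"; then
    echo "JWT_APP_SECRET in custom.env is not valid base64" >&2; return 1
  fi
  # Renders the merged compose file with both env files applied; a bad
  # variable reference fails here instead of halfway through install.sh.
  ( cd "$dir" && docker-compose config >/dev/null )
}
```

      `docker-compose config` is the quickest way to see what the variables from .env and custom.env actually expand to before any container is started.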

      I hope this helps as a jump-start... The DNUG communications group will look into it for our own server. In that context we might come up with more details.

      -- Daniel





      HCL Notes 11.0.1 Fix Pack 1 (FP1) MAC Notarized

      Daniel Nashed  24 August 2020 18:52:53

      For all my Mac friends. You should update to the "notarized version" of the Notes client.

      This is an important step and required by Apple for Catalina to be fully compliant.

      And a new technote with additional links inside has been just published.

      https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0081088

      -- Daniel

      Changed default Notes Client mailto: with attachment behavior in 11.0.1 FP1

      Daniel Nashed  19 August 2020 17:34:28

      There is a changed behavior with mailto: links for Notes Clients.


      Mailto Links:


      Before this change, a Notes client would attach the file referenced by a mailto: link to the mail message it creates. With this change, attachments are blocked by default.

      Here is an example:  
      mailto:badboy@umbrella.corp?attach=c:\noclist.txt

      Changed behavior:

      There is a new notes.ini parameter available in 11.0.1 FP1 which re-enables the previous behavior if you still need it: MailToURL_Attach=1.

      The SPR #ARUIBM4MYE is not listed in the fixlist, because some genius reported it as a security issue for many different mail applications ->
      https://www.nds.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2020/08/15/mailto-paper.pdf

      RFC Compliance

      The mailto: URL scheme is defined in RFC 6068 (https://tools.ietf.org/html/rfc6068), which the report itself references, and mail clients have supported attachment parameters in mailto: links for many years.

      The resulting mail is a draft, which the user still needs to send. The URL scheme does not allow sending the message, only creating it.

      Windows specific considerations

      There is one detail which isn't nice behavior on Windows, as discussed in the paper.
      If the link references a file on a remote file server, Windows will automatically try to authenticate to that server with NTLM when it connects.
      That alone should not cause a security issue with current NTLM configurations. But this could still lead to some exposure in certain types of environments today.
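      As an added example (not from the post or from HCL), here is a shell function that classifies a mailto: link the way you would when reviewing web content or proxy logs: it flags attach= parameters and in particular UNC, file: and smb: targets that would make a Windows client reach out to a remote server, and a second function reports whether a notes.ini re-enables attachments via the MailToURL_Attach setting named above. The sample URLs are constructed; the first one in the test is the post's own example.

```shell
#!/bin/sh
# Added example (not from the post): classify a mailto: link for review,
# flagging attach= parameters and especially remote (UNC / file: / smb:)
# targets that trigger an outbound connection from a Windows client, plus a
# check of the MailToURL_Attach notes.ini setting. Sample data is constructed.
set -eu
LC_ALL=C; export LC_ALL

# Prints one of: clean, attach-local, attach-unc
mailto_attach_check() {
  url=$1
  case "$url" in mailto:*) ;; *) echo "not a mailto: URL: $url" >&2; return 1 ;; esac
  verdict=clean
  case "$url" in *\?*) rest=${url#*\?} ;; *) rest= ;; esac
  while [ -n "$rest" ]; do
    # Split the query on '&' one parameter at a time.
    case "$rest" in
      *\&*) pair=${rest%%\&*}; rest=${rest#*\&} ;;
      *)    pair=$rest; rest= ;;
    esac
    key=$(printf '%s' "${pair%%=*}" | tr 'A-Z' 'a-z')
    val=$(printf '%s' "${pair#*=}" | tr 'A-Z' 'a-z')
    case "$key" in attach|attachment) ;; *) continue ;; esac
    # Remote targets: \\server\share, //server/share, their percent-encoded
    # forms, and file:/smb: URLs. Anything else is treated as a local path.
    p2=$(printf '%s' "$val" | cut -c1-2)
    p6=$(printf '%s' "$val" | cut -c1-6)
    if [ "$p2" = '\\' ] || [ "$p2" = '//' ] || [ "$p6" = '%5c%5c' ] || [ "$p6" = '%2f%2f' ] \
       || [ "${val#file:}" != "$val" ] || [ "${val#smb:}" != "$val" ]; then
      verdict=attach-unc
    elif [ "$verdict" = clean ]; then
      verdict=attach-local
    fi
  done
  printf '%s\n' "$verdict"
}

# MailToURL_Attach=1 re-enables the old behaviour; report what a notes.ini does.
# Prints "enabled" or "disabled" (the 11.0.1 FP1 default when the line is absent).
notes_ini_attach_setting() {
  v=$(tr -d '\r' < "$1" | grep -i '^MailToURL_Attach=' | head -n 1 | cut -d= -f2)
  case "$v" in 1) echo enabled ;; *) echo disabled ;; esac
}
```

      Run the checker over extracted links (for example from a mail body or an HTML page) and treat "attach-unc" as the case worth investigating, since that is the variant that can make a Windows client authenticate to a server the attacker controls.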


      Side note: Notes private key/cert protection

      As outlined in the paper, many clients keep keys and certificates as files on disk.

      The Notes client keeps all certificates and private keys, including S/MIME keys, inside the Notes ID file, which is protected by a password and supports modern encryption standards like AES-256.
      So replacing the Notes ID with something else, or getting access to the protected information, is far more complex than what is described in the "security paper".


      Conclusion

      So in general, if you are not using mailto: with attachments, it is good that the feature is now disabled by default.

      It will also be disabled by default with the next scheduled 10.0.1 FP and also 9.0.1 FP10 IF.

      Most customers are not leveraging mailto: with attachments. And it helps to protect against requests that could compromise your Windows security as outlined above.


      Reference to CVE Report and Technote

      Here is the official report for the security concern -->
      https://nvd.nist.gov/vuln/detail/CVE-2020-4089
      And it references the current HCL technote, which is in the process of being updated right now -->
      https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0080343
       
