Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

IBM Notes Traveler 9.0.1.6 released with some important fixes

Daniel Nashed  2 July 2015 00:33:26
IBM Traveler 9.0.1.6 ships a couple of important APAR fixes for IBM Traveler.

Some of the fixes solve problems in MIME and attachment handling that were introduced in the last releases together with the new MIME handling.

Fixlist:

APAR #    Component   Abstract
LO84879   Server      Calendar notice may be sent multiple times or be sent by the server ID.
LO85144   Server      E-mail containing invalid zero character in WBXML encoding may not sync correctly to mobile device.
LO85222   Server      Attachment with an unknown content type may not download to device.
LO85237   Server      Proxy credentials may not be removed from notes.ini during startup.
LO85260   Server      When Trash sync is first enabled, sync only today and later trash items to improve performance.
LO85283   Server      Mime format e-mail may sync to device without the body.
LO85357   Server      Attachment with forward slash in file name may not sync to mobile device.
LO85444   Server      Web Admin may not show data for a user and will receive "Could not generated devicetype" error message.
LO85445   Server      Attachment with multiple dot characters in file name may not sync to mobile device.
LO85477   Server      On a standalone server, auto cleanup could impact security records, then requiring re-approval if approval is enabled.

Here is the download link --> http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Lotus&product=ibm/Lotus/Lotus+Notes+Traveler&release=All&platform=All&function=all

You should really consider updating your server if you are on 9.0.1.4 or 9.0.1.5.

-- Daniel

IBM Verse Client for iOS shipped

Daniel Nashed  30 April 2015 09:24:40
Finally the IBM Verse App for iOS is released

https://itunes.apple.com/de/app/ibm-verse/id949952976

Image:IBM Verse for iOS app - Available in AppStore


You can use it to access either IBM Connections Cloud or an on-premises Traveler environment.
Currently you can only configure one account, against either on-premises or the cloud.

Note that the first Traveler release supporting the client is 9.0.1.3, but you should install the latest version, 9.0.1.4.

The Verse client is a container app. You can still continue to use ActiveSync with the integrated apps.
It is not a replacement. Both ways to access the Traveler server are fully supported.

If you want a container app, IBM Verse is a good option for you, but you should be aware that contacts and calendar cannot be accessed outside the IBM Verse app.
What I really like are the notifications that you get via Apple push notifications.

For testing I am currently using both in parallel and get the best of both worlds.
But in normal environments you should decide on one way to access your Traveler data.


IBM published an FAQ (part of the Traveler Documentation):
http://www.ibm.com/support/knowledgecenter/?lang=en#!/SSYRPW_9.0.1/iOSVerseIntro.html

Traveler 9.0.1.4 shipped

Daniel Nashed  29 April 2015 10:42:56


IBM has released Traveler 9.0.1.4, which fixes the reported crash issue with MIME conversion mentioned earlier --> http://www.ibm.com/support/docview.wss?uid=swg1LO84505
If you are on 9.0.1.3 you should update asap.

There are a couple of other important fixes included -- see below.

Already installed, thanks Sebastian for the heads up!

-- Daniel
Release Date: April 29, 2015

Component        Version   Build Level
Server           9.0.1.4   201504201605_20
Android Client   9.0.1.3   201504141229

Documentation: IBM Traveler 9.0.1.4 Release Notes, IBM Traveler Product Documentation

APAR #    Component   Abstract
LO84142   Android     Delay in displaying name lookup results from compose dialog.
LO84220   Server      Change default for number of corporate lookup results from 30 to 120 results.
LO84239   Android     Search e-mail on Android Tablet may display results from wrong e-mail.
LO84410   Server      Incorrect language used when processing multiple calendar notices.
LO84334   Server      Decline notice from device is not compatible with Exchange Server.
LO84316   Android     Android client crash on old 2.x OS devices.
LO84411   Server      Mime format calendar entries may not display special characters correctly.
LO84490   Android     Send mail gets stuck in Outbox if the user is over quota.
LO84505   Server      Server may crash processing a Mime document with invalid format.
LO84520   Android     Imported calendars on Android device may not update unless there is a Traveler Calendar update.
LO84555   Server      Server busy message sent to the device may be misleading as to cause.
LO84568   Server      Pre-approval and delete API may fail if orphan records encountered.
LO84569   Server      Server performance issue related to HTTP getStatus request.
LO84597   Server      E-mail using Delivery failure form may not sync full body to mobile device.
LO84660   Server      Plain text conversion is adding extra space for div html tag.
LO84662   Server      Mime format document with both plain and html text may not sync the plain text to the mobile device.
LO84663   Server      Android may stop syncing mail after encountering a malformed Mime format document.
LO84665   Server      Embedded images with name mime.jpg will not sync to mobile device.
LO84684   Server      Change to device security settings may not sync immediately to BB and Windows devices.
LO84686   Server      User stops receiving mail for a couple of hours if all mail replicas restarted in close proximity.
LO84723   Server      No invitee status displayed for meetings created from Android client.


Traveler 9.0.1.3 server crashes when attempting to sync a MIME-formatted document missing an RFC822 header

Daniel Nashed  13 April 2015 09:05:51
You might want to hold off updating your Traveler server to 9.0.1.3 because of a MIME-related bug that can cause crashes.
IBM has now released a technote with official information about the issue --> Technote 21701590
If you have already updated and see abnormal process terminations of the Traveler server task, do not try to downgrade; request a fix from IBM instead (going back to an earlier version would cause a complete resync of all devices).


IBM is working on a 9.0.1.4 version which will -- according to the technote -- be released in April.


I have been running 9.0.1.3 since it was released and have not yet run into a crash.
But if you have not updated yet you should wait for 9.0.1.4.


-- Daniel

New Start Script Version 3.0 with systemd support released

Daniel Nashed  7 April 2015 10:12:21
There is a new version of the start script for Domino on Linux (also AIX and Solaris) that supports RHEL 7 and SLES 12, which both now use systemd instead of the older init scripts.
When you are migrating to one of those platforms you have to switch to the new start script and also use systemd to start/stop your Domino server.

Also on the new Linux versions the start script remains the main entry point for all your operations with the server.
But for start and stop you will need root permissions, or your Linux admin can allow you to run the start script with root permissions via "sudo".
The start script can invoke all the needed systemd commands to start and stop the Domino server. But you can also use the systemd commands directly instead.

I have updated and rewritten part of the documentation. If you are already familiar with the start script you should be aware that there are some changes.
There is a new "domino.service" file which represents the systemd service. You need one of those files for each partition, along with the rc_domino file.
The domino.service file contains references to the rc_domino_script which need to match the path where you have installed the script.
And rc_domino also needs to know which service file should be used. By default the service name is commented out, to keep working with previous versions.
If you are running with systemd you have to set the "DOMINO_SYSTEMD_NAME" variable to the name of your domino.service.
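An added example, not part of the start script package: a small check of the wiring just described, to run before the first "systemctl start". It verifies that the unit's ExecStart/ExecStop lines point at an rc_domino_script that really exists and is executable, and that DOMINO_SYSTEMD_NAME in rc_domino is uncommented and matches the unit name. The unit file layout, the install path under /opt/nashcom and the "notes" user in the demo tree are constructed stand-ins, not copies of the files the package ships.

```shell
#!/bin/sh
# Added example for the systemd wiring between domino.service and rc_domino.
# Not part of the start script package; file contents below are constructed.

# check_domino_systemd_wiring UNIT_FILE RC_DOMINO_FILE
# Prints every problem found; returns 0 only when the pair is consistent.
check_domino_systemd_wiring() {
  unit="$1"; rc_domino="$2"; status=0
  unit_name=$(basename "$unit")

  # 1. Each ExecStart/ExecStop must point at an existing executable
  #    (systemd prefixes such as "-" or "+" are stripped first).
  for exec_path in $(grep -E '^Exec(Start|Stop)=' "$unit" \
                     | sed 's/^Exec[A-Za-z]*=[-+@!:]*//' | awk '{print $1}'); do
    if [ ! -x "$exec_path" ]; then
      echo "FAIL: $unit_name references $exec_path, which is missing or not executable"
      status=1
    fi
  done

  # 2. DOMINO_SYSTEMD_NAME must be uncommented and equal to the unit name.
  configured=$(sed -n 's/^DOMINO_SYSTEMD_NAME=//p' "$rc_domino" | tr -d '"' | tail -n 1)
  if [ -z "$configured" ]; then
    echo "FAIL: DOMINO_SYSTEMD_NAME is not set in $rc_domino (still commented out?)"
    status=1
  elif [ "$configured" != "$unit_name" ]; then
    echo "FAIL: DOMINO_SYSTEMD_NAME=$configured does not match $unit_name"
    status=1
  fi

  [ "$status" -eq 0 ] && echo "OK: $unit_name and $rc_domino are consistent"
  return "$status"
}

# set_systemd_name RC_DOMINO_FILE UNIT_NAME: the one edit the post asks for,
# uncommenting (or replacing) the DOMINO_SYSTEMD_NAME line.
set_systemd_name() {
  tmp="$1.tmp.$$"
  sed "s/^#* *DOMINO_SYSTEMD_NAME=.*/DOMINO_SYSTEMD_NAME=$2/" "$1" > "$tmp" && mv "$tmp" "$1"
}

# make_demo_tree: throwaway directory with a fake rc_domino_script, a
# constructed unit file and an rc_domino whose service name is still
# commented out (as shipped). Prints the directory name.
make_demo_tree() {
  dir=$(mktemp -d)
  script="$dir/opt/nashcom/startscript/rc_domino_script"   # assumed install path
  mkdir -p "$(dirname "$script")"
  printf '#!/bin/sh\necho "rc_domino_script $*"\n' > "$script"
  chmod 755 "$script"
  cat > "$dir/domino.service" <<EOF
[Unit]
Description=IBM Domino Server (constructed demo unit)
After=network.target

[Service]
Type=forking
User=notes
ExecStart=$script start
ExecStop=$script stop

[Install]
WantedBy=multi-user.target
EOF
  printf '#!/bin/sh\n# DOMINO_SYSTEMD_NAME=domino.service\nDOMINO_USER=notes\n' > "$dir/rc_domino"
  echo "$dir"
}

# Stand-alone run: the first check fails (name commented out), the second passes.
demo() {
  d=$(make_demo_tree)
  check_domino_systemd_wiring "$d/domino.service" "$d/rc_domino" || true
  set_systemd_name "$d/rc_domino" domino.service
  check_domino_systemd_wiring "$d/domino.service" "$d/rc_domino"
  rm -rf "$d"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with "demo" as the first argument to see both outcomes. If your admin grants the notes user sudo for the script, a sudoers rule limited to the exact rc_domino path keeps that privilege narrow; the check above tells you the path to put in it.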

The documentation contains information about all changes and there is a "systemd" section in the readme as well.

I also added a new status command: "statusd" gives you the systemd status for your service.

And I have added another, unrelated command which I wanted for my own environments.

The "resources" command shows you all resources the server currently uses (processes, shared memory, semaphores, MQs ...).

Here is a link to the script page --> http://www.nashcom.de/nshweb/pages/startscript.htm
You can request the new version with the form on that page.

There are also some other minor changes all documented in the version history.

If you have any questions let me know by mail.

Enjoy the new version

Daniel


DHE with more than 1024 bit key size and Java still works

Daniel Nashed  6 April 2015 22:58:19
As posted before, Java 6 and 7 cannot handle DHE key sizes above 1024 bit.
The work-around was to limit the DHE key size via the notes.ini parameter SSL_DH_KEYSIZE=1024.
But this reduced the key size for all other clients that used DHE as well.

There is another way to work around this limitation.
Java 6 and 7 only use one of the DHE ciphers that Domino offers:

33 = DHE_RSA_WITH_AES_128_CBC_SHA

This is the weakest DHE cipher supported by Domino. If we disable this cipher, Java 6 and 7 will not use DHE any more, and the other clients are no longer limited to the 1024 bit DHE key size that is the maximum Java 6 and 7 support.

Disabling this cipher results in the following ciphers being negotiated by the different Java versions. Java 8 implements a different DHE cipher and is not limited to 1024 bit, so the restriction does not apply to Java 8.

Client      Protocol   Cipher                                       Forward secrecy   Key bits
Java 6u45   TLS 1.0    TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)          no                128
Java 7u25   TLS 1.0    TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)          no                128
Java 8u31   TLS 1.2    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   yes               128


This sounds like a good work-around for the Java DHE key-size limitation: Java 6 and 7 fall back to a plain RSA cipher, while all other clients that support DHE keep forward secrecy with the full key size.

The resulting cipher spec, with all other recommended ciphers enabled and only 0x33 removed from the DHE group, is the following:

SSLCIPHERSPEC=9D9C3D3C352F0A39676B9E9F

For more details check my previous blog posts.

-- Daniel


New Version of KyrTool released

Daniel Nashed  3 April 2015 08:38:12
There is a newer version of the key ring tool (kyrtool) that has been released on Fix Central.

Here is the list of fixes for the newer version.
You should also update your client and server to the latest available IF, because there are also fixes in the back end for some issues parsing certificates.

By the way ... I really like the command line kyrtool. A couple of days ago a customer asked me for some maintenance of their existing key ring files.
Their CA expired and we had to remove the root CA from over 150 key-ring files.
Using a shell script in combination with the kyrtool allowed me to export the private key and certificates, use "sed" to modify the file, create a new key-ring file, re-import and verify the key-ring file.
We even dumped information about the keys, certs etc. and the validation of the key-ring files into a CSV file to have an overview :-)

-- Daniel
DKEN9U5UEX Fix crash if pem file provided as input file has embedded nulls
KLYH9UBNGW Add Sha 256 Pinning to the kyrtool - displaying the digest on show commands
MKIN9QHT5W Fix kyrtool crashing when attempting the create command and giving an existing directory for the keyfile name
DKEN9RVQGD Fix kyrtool sometimes erroring on import all command



http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Lotus&product=ibm/Lotus/Lotus+Domino&release=9.0.1.2&platform=All&function=fixId&fixids=KYRTool_9x_ClientServer&includeSupersedes=0
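The middle step of the key-ring maintenance described in this post, as an added example that is neither the author's script nor part of kyrtool: instead of editing the exported PEM file with a line-oriented "sed" expression, the filter below drops the one certificate block that is byte-for-byte identical to the expired root CA and refuses to write the result unless exactly one block disappeared, so a typo cannot silently strip the private key or an intermediate from 150 files. It sits between the kyrtool export and the create/import/verify steps from the post. The key and certificate bodies in the demo bundle are constructed base64 filler, not real keys or certificates, and the file names are assumptions.

```shell
#!/bin/sh
# Added example for cleaning an exported PEM bundle before re-importing it
# with kyrtool. Not the author's script; demo data below is constructed.

# count_pem_blocks FILE: number of "-----BEGIN ...-----" blocks in FILE.
count_pem_blocks() { grep -c '^-----BEGIN ' "$1" || true; }

# drop_pem_block BUNDLE TARGET: print BUNDLE without every block that is
# byte-for-byte identical to the single block in TARGET. Only the lines from
# BEGIN to END in TARGET count, so openssl's text output around a cert is
# ignored. Line endings and trailing whitespace matter; normalise both files
# the same way (e.g. dos2unix) before comparing.
drop_pem_block() {
  awk -v targetfile="$2" '
    BEGIN {
      while ((getline line < targetfile) > 0) {
        if (line ~ /^-----BEGIN / || inside) {
          target = target line "\n"
          inside = (line !~ /^-----END /)
        }
      }
      close(targetfile)
    }
    /^-----BEGIN / { inblk = 1; buf = "" }
    inblk          { buf = buf $0 "\n" }
    /^-----END /   { if (inblk && buf != target) { printf "%s", buf }; inblk = 0; next }
    !inblk         { print }
  ' "$1"
}

# remove_root_from_bundle BUNDLE TARGET OUT: filter plus the sanity check that
# exactly one block was removed; returns 1 (and keeps the broken OUT for
# inspection) otherwise.
remove_root_from_bundle() {
  before=$(count_pem_blocks "$1")
  drop_pem_block "$1" "$2" > "$3"
  after=$(count_pem_blocks "$3")
  if [ "$((before - after))" -ne 1 ]; then
    echo "FAIL: expected to remove exactly 1 block from $1, removed $((before - after))" >&2
    return 1
  fi
  echo "OK: $1 -> $3 ($before blocks -> $after)"
}

# make_demo_bundle: throwaway directory with a constructed export (key,
# server cert, expired root) and the root on its own. Prints the directory.
make_demo_bundle() {
  dir=$(mktemp -d)
  cat > "$dir/expired-root.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
Um9vdENBLWV4cGlyZWQtY29uc3RydWN0ZWQtZGVtby1ibG9jay1ub3QtYS1yZWFsLWNlcnQ=
-----END CERTIFICATE-----
EOF
  cat > "$dir/server.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
S2V5LWNvbnN0cnVjdGVkLWRlbW8tbm90LWEtcmVhbC1rZXk=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
U2VydmVyLWNlcnQtY29uc3RydWN0ZWQtZGVtby1ub3QtYS1yZWFsLWNlcnQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Um9vdENBLWV4cGlyZWQtY29uc3RydWN0ZWQtZGVtby1ibG9jay1ub3QtYS1yZWFsLWNlcnQ=
-----END CERTIFICATE-----
EOF
  echo "$dir"
}

# Stand-alone run: strips the root once, then shows the refusal on a second pass.
demo() {
  d=$(make_demo_bundle)
  remove_root_from_bundle "$d/server.pem" "$d/expired-root.pem" "$d/server-new.pem"
  remove_root_from_bundle "$d/server-new.pem" "$d/expired-root.pem" "$d/server-again.pem" || true
  rm -rf "$d"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Loop remove_root_from_bundle over the exported files and let the "OK"/"FAIL" lines feed the CSV overview the post mentions; a FAIL means the bundle did not contain the root in exactly that form and wants a manual look rather than a re-import.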

    Solution for jconsole SSLv3 vs TLS interoperability issue in Domino 9.0.1 FP3

    Daniel Nashed  3 April 2015 08:15:05
    As posted before there is a compatibility issue with the jconsole / Java server controller introduced in 9.0.1 FP3.
    IBM shipped a newer JVM in 9.0.1 FP3 with SSLv3 disabled. Previous versions used SSLv3 only, even though the JVM would have supported TLS 1.0.

    So once you update your server but not your client you cannot access your server over the server controller.
    If you update your client but not your server you run into the same issue the other way round.

    The only solution so far was to have two separate clients for patched and unpatched servers.

    Ben Rose got a solution for this issue from IBM after escalating the problem.

    According to Ben there is a way to re-enable SSLv3 on your Notes client.

    You can set the following system environment variable on your workstation to pass the parameter to the embedded JVM used for the jconsole.

    Variable: JAVA_TOOL_OPTIONS
    Value: -Dcom.ibm.jsse2.disableSSLv3=false

    This should allow you to connect again from a 9.0.1 FP3 jconsole to 8.5.x, 9.0.1 and 9.0.1 FP3 servers.

    Keep in mind that JAVA_TOOL_OPTIONS is read by every JVM started on that workstation, not only the jconsole, and that it re-enables SSLv3 for all of them. Don't forget to remove the parameter once all your servers have been updated!

    Thanks Ben for insisting getting a solution and posting how to work-around the issue!

    -- Daniel



      Traveler 9.0.1.3 Available - Verse iOS - Trash folder sync - Invitee status - Android push notifications

      Daniel Nashed  2 April 2015 10:22:10
      Traveler 9.0.1.3 has shipped with a couple of interesting new features. And the what's new section gives some other interesting hints.
      I have copied the what's new information into this document but want to give you some additional hints.

      We had many customers asking for Trash folder sync support. It was already included in a previous version but disabled by default -- apparently because they needed to do some more testing. Now it is enabled by default.


      The Google Cloud Messaging (GCM) support for Traveler Android clients can be very helpful to improve battery life, because no active HTTP session is needed for push notifications.

      GCM has the following requirement:

      The IBM Traveler server will attempt to communicate with the Google Cloud Messaging service using host android.googleapis.com on port 443. Make sure that your firewall allows this outbound connection!

      For more details see --> https://developer.android.com/google/gcm/http.html

      The IBM Traveler server will not attempt to contact GCM until it has a reason to do so.
      To verify that this connection is working, you should first connect an IBM Traveler for Android client from a device that is also logged in with a Google account.

      On the Traveler server, run the command: tell traveler push cmstatus
      See details here --> http://www.ibm.com/support/knowledgecenter/SSYRPW_9.0.1/google_messaging.dita


      Traveler 9.0.1.3 also supports the new iOS Verse app, which is currently in beta.

      The what's new section officially mentions it, so I can officially speak about it.

      IBM Verse is already available, but the iOS mobile client is not yet.
      There will be a native iOS app that connects to IBM Verse and also to your Traveler servers.
      This Traveler version has official support for the Verse app.

      There is a side note that this is only supported when your Traveler server is running on top of Domino 9.0 or 9.0.1, not on 8.5.3.
      I would always recommend installing the latest Traveler version along with the newest Domino release.
      Especially if you need TLS encryption you want to install the latest IF, which introduced TLS 1.2 support for Domino.

      There are also a couple of additional fixes, listed in the fixlist (see link at the end of the post).

      You can download the latest updates using Fixcentral as usual.

      -- Daniel



      What's new in IBM Traveler 9.0.1.3

      IBM Traveler 9.0.1.3 delivers the following new features for its supported devices.


      IBM Verse for iOS client support

      If you are part of the IBM Verse for Apple iOS program, you can connect the IBM Verse app to this version of the IBM Traveler server.
      There are some differences in functionality when the IBM Verse app connects to this on premises version of IBM Traveler versus when it connects to Connections Cloud.

      Trash folder syncing

      Support for the syncing of the Trash folder is now available in the client. However, it is dependent on the IBM Traveler server also providing this support. When the client is running against a server that supports Trash, a Trash folder will appear in IBM Traveler Mail. Deleted items will appear in the Trash folder and may be restored or permanently deleted from the Trash folder.

      Invitee status

      As the meeting organizer or chairperson, you now can see the response status for the attendees of your meeting on your mobile device.

      Google Cloud Messaging support for IBM Traveler for Android clients

      This version of the IBM Traveler server can now use Google Cloud Messaging (GCM) for real time push notifications to keep your Mail, Calendar, Contact and To Do data on your IBM Traveler for Android clients up to date. Using GCM can greatly improve the battery life of Android devices using IBM Traveler, as IBM Traveler no longer needs to stay constantly connected via HTTP to the IBM Traveler server for push notifications.

      For more information, refer to Google Cloud Messaging for IBM Traveler for Android clients and How do I configure automatic syncing on an Android device?.

      Expanded Domino server support

      This version of the IBM Traveler server can now be installed on 3 different base Domino servers:

          IBM Domino 8.5.3 with Upgrade Pack 1 installed (excluding IBM Traveler for iSeries)
          IBM Domino 9.0
          IBM Domino 9.0.1

      In the past, the IBM Traveler server could only have been installed on the latest Domino release. But now the IBM Traveler installer is able to detect which of the above Domino versions the IBM Traveler server is being installed onto, and install the appropriate binary files for that version. There are some limitations when running on a Domino 8.5.3 server versus a Domino 9.0.1, and the recommendation is to install the Traveler server on a Domino 9.0.1 server to gain access to the largest set of Traveler server features.

      IBM Traveler for iSeries must be installed on a Domino 9.0 or Domino 9.0.1 server.

      The IBM Verse client is only supported when Traveler is installed on a Domino 9.0 or Domino 9.0.1 server.
      Note: If you change the version of Domino server after installing the Traveler server, you must re-install Traveler again. All data will be preserved, but the re-install is required so that Traveler installs updated binary files that match the updated Domino server.


      Links:

      What's new in IBM Traveler 9.0.1.3

      https://www.ibm.com/support/knowledgecenter/SSYRPW_9.0.1/Whats_new_in_Lotus_Notes_Traveler_9.dita

      Fixlist:

      http://www.ibm.com/support/docview.wss?uid=swg21700212

      engage conference security presentation

      Daniel Nashed  1 April 2015 12:24:03
      Yesterday at the engage conference in Ghent (http://www.engage.ug/) I gave an updated presentation based on the ConnectED 2015 presentation.
      I added most of the new notes.ini parameters and also information on how to enable the new ciphers, rewrote/reordered a bunch of slides and added more information after the latest IF shipped.


      During the conference I was asked what I would recommend.
      Here is what I would recommend for the latest fix -- which is sort of a short summary of the presentation.


      By default some of the new ciphers are already enabled, and all other security functionality introduced is enabled by default. I would recommend not disabling them unless you really need to.

      There are a couple of options that you might still want to consider based on your environment.


      Note: The current IF completely ignores all SSL settings in the server/internet site document.
      With previous fixes you could still specify the ciphers in the server/internet site document, but it was already recommended to make changes using the SSLCipherSpec notes.ini setting described in the presentation.



      -- Disable SSLv3 --


      I think it is time to completely disable SSLv3 on Domino because almost all applications and browsers support at least TLS 1.0.


      notes.ini DISABLE_SSLV3=1



      -- Re-Enable SSL V2 HELLO if you really have to --


      If you are running a public SMTP server you don't control what your customers, partners and others do with their SMTP servers.

      In some cases they are still using an older version which still tries an old SSL V2 HELLO.

      By default Domino has this old version of the handshake disabled.
      As blogged before, since the previous IF you can re-enable it with the following notes.ini variable.


      notes.ini SSL_ENABLE_INSECURE_SSLV2_HELLO=1



      -- Enable DHE Ciphers if you need "PFS" --


      If you are interested in using the new PFS ciphers I mentioned in my last blog post (DHE ciphers, which provide PFS for most clients) you really have to weigh the higher CPU overhead and possibly slower response times against the security gain.

      You could enable them and measure the additional CPU overhead afterwards.


      A good cipher spec to configure in that case would be:


      notes.ini SSLCipherSpec=9D9C3D3C352F0A3339676B9E9F

      This gives you the currently enabled default ciphers plus the new DHE ciphers, which are not enabled by default for performance reasons.


      Default ciphers:

      9D = RSA_WITH_AES_256_GCM_SHA384
      9C = RSA_WITH_AES_128_GCM_SHA256
      3D = RSA_WITH_AES_256_CBC_SHA256
      3C = RSA_WITH_AES_128_CBC_SHA256
      35 = RSA_WITH_AES_256_CBC_SHA
      2F = RSA_WITH_AES_128_CBC_SHA
      0A = RSA_WITH_3DES_EDE_CBC_SHA


      New DHE ciphers (for PFS support), not enabled by default:

      33 = DHE_RSA_WITH_AES_128_CBC_SHA
      39 = DHE_RSA_WITH_AES_256_CBC_SHA
      67 = DHE_RSA_WITH_AES_128_CBC_SHA256
      6B = DHE_RSA_WITH_AES_256_CBC_SHA256
      9E = DHE_RSA_WITH_AES_128_GCM_SHA256
      9F = DHE_RSA_WITH_AES_256_GCM_SHA384



      -- In case of Java Apps reduce the DHE Key Size used --


      In addition, if you have Java applications accessing your server they will use the DHE ciphers.

      But Java 1.6 and 1.7 only support DHE key lengths up to 1024 bit.

      So in that case you have to reduce the key length for the DHE ciphers (which will get the DHE ciphers rated as sort of "weak" by some SSL testing sites). An alternative that keeps the full key size for everybody else, dropping only cipher 33 from the spec, is described in the later post about DHE and Java on this page.


      notes.ini SSL_DH_KEYSIZE=1024



      -- Get a proper SHA-256 based Certificate --


      In addition you have to ensure that you are using a proper SHA-256 based certificate.


      That's a very short summary of recommendations from my presentation, depending on your needs.


      You should be careful when you disable some of the default ciphers.

      All of them are currently rated as secure. And if you disable a cipher you could end up having no cipher in common with one of your SSL clients, which means that client cannot connect at all.


      I hope this short summary is helpful.


      -- Daniel