Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

DNUG Domino 9 Presentation - Notes/Domino SAML

Daniel Nashed  10 June 2013 14:41:35

Last Friday in Berlin I gave a presentation on Domino 9.
The focus was on the new DBMT, the new compact options and other backend changes in that area on the one hand, and on SAML on the other.
I had a couple of VMs running to demonstrate Federated Login for the web and for Notes with ID-Vault, and I also showed what is possible in combination with the browser login and iNotes.

The documentation about the functionality is a bit limited. But once you get it working it works quite well.
There are some limitations, but for a first version it already works great!

SAML is leveraged for Federated Login with web clients and also with Notes Standard clients in combination with ID-Vault.
Federated Login also works in combination with NSL to take your Notes ID offline. And for web login you can use the Kerberos credentials of the user already authenticated in AD.

If you are interested in the presentation drop me a mail ...

-- Daniel

IBM Notes accepts Java applet and JavaScript tags inside HTML

Daniel Nashed  3 May 2013 16:16:42


There is an issue in the Notes client that you should be aware of.
heise Security posted about this issue yesterday --> http://www.h-online.com/security/news/item/Huge-Java-hole-in-Lotus-Notes-1855406.html

Notes has allowed Java/JavaScript and applets in emails for a long time. I tested this with an old Notes 7 client today.
There have been issues with the underlying JVM, which makes this more critical.

As described in the article and also in the IBM technote released yesterday -> http://www.ibm.com/support/docview.wss?uid=swg21633819 you can disable Java/JavaScript and applets in the Notes client.
This can be done via notes.ini or Preferences, and you can also distribute the setting via desktop policies and lock it down.
A paranoid administrator would already have disabled it when the first Java security issues were reported a while ago (not just for the IBM JVM but also for the Oracle JVM).

And you can also change the ECL settings for Java and JavaScript locally on your workstation or deploy them centrally to prevent unsigned code from being executed. This even works with an older Notes 7 client.

The issue reported is that the Notes client generally executes Java/JavaScript and Java applets in HTML mail by default.

There is an Interim Fix available since yesterday which no longer allows this functionality in HTML email. The just released 8.5.3 FP4 and also 9.0 are affected.

You don't need to install the fix asap. But you should disable the functionality using policy settings as a short term solution at least.

I agree that this can be a potential risk and I would also rate it quite high. At the time it was implemented, customers wanted to have this new flexibility.
It would have been good to be able to control it in mail with a separate setting and to have it disabled by default.

-- Daniel

Domino Designer Help has been moved completely to Eclipse help in Notes 9.0

Daniel Nashed  17 April 2013 16:23:38



The last available Designer Help in the "classical" NSF-based format is 8.5.1. Since then IBM has started moving to the Eclipse-based help system.
This can have advantages, but many developers still like to have an NSF-based version as well, because searching etc. in the Eclipse help is not that flexible.

With Notes 9 most information -- including the @Formula, LotusScript and Java class documentation -- has been completely removed from the NSF help.

And if you have lost your old 8.5.1 documentation due to the update, you need to get a copy of the older (IBM says "legacy") NSF help database.
At least they uploaded the older version to developerWorks.

http://www.ibm.com/developerworks/lotus/documentation/dominodesigner/

I am not happy at all with this move and I wish IBM would continue using NSF for documentation.
This is true for the Designer help and also for the Admin help. Right now a lot of information is already only available in the Wiki, which is much harder to keep track of and to find.

-- Daniel

Upgrading ODS for databases with old DB class in Domino 9

Daniel Nashed  9 April 2013 15:36:39


When you create a database with, for example, the extension .ns7, the ODS will be ODS43 instead of ODS51.
This kind of trick was used in earlier days to ensure that an older ODS was used when really needed.
What this causes is that the DB class of the database instance is set to that version.
And you cannot use a copy-style compact to change this database to the new ODS -- even if you rename the extension back to ".nsf".

The only way to change the database class and ODS was to create a new replica.

In Domino 9 there is a new compact switch "-upgrade".


"-upgrade Upgrade databases created with older DB classes to the most recent class."

This switch upgrades the DB class to a general DB (DBCLASS_NOTEFILE):

#define DBCLASS_NOTEFILE      0xff01
...
#define DBCLASS_V6NOTEFILE    0xff10
#define DBCLASS_V8NOTEFILE    0xff11
#define DBCLASS_V85NOTEFILE   0xff12

Some C-API based applications have created databases with specific DB classes and run into the same issue.

With this new compact switch you can change the ODS for those databases quite easily.
This even works when you don't change the file extension. But as a best practice you should rename the file anyway.


So a "compact -C -upgrade help/" will upgrade all your help databases to the new ODS.
Some of the help databases have an old DB class, and a normal compact will not bring them to the new ODS.

You can verify this via the "show dir" command:

sh dir help

DbName                                Version Log  DAOS  PIRC  ---Modified Time----
/local/notesdata/help/lsxlc.nsf        V5     Yes   No    Off  05.04.2013 22:38:45
/local/notesdata/help/lccon.nsf        V5     Yes   No    Off  05.04.2013 22:38:54
/local/notesdata/help/help9_designer.nsf V8     Yes   No    Off  05.04.2013 22:39:10
/local/notesdata/help/help9_client.nsf V8     Yes   No    Off  05.04.2013 22:39:11
/local/notesdata/help/help9_admin.nsf  V8     Yes   No    Off  05.04.2013 22:39:11
/local/notesdata/help/decsdoc.nsf      V5     Yes   No    Off  05.04.2013 22:38:43

This can be quite helpful. I know that an anti-virus vendor also had issues with databases created with the wrong DB class.
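As an added example (not part of Domino or of this post), the following shell script reads "sh dir" output, picks the databases whose Version column is older than the target ODS generation, and builds the matching "compact -C -upgrade" console command. The sample listing is constructed to match the layout above; the data directory path is a parameter.

```shell
#!/bin/sh
# Added example, not part of Domino or the original post: pull the databases
# that a normal compact leaves on an old ODS out of "sh dir" output so they
# can be handed to "compact -C -upgrade". Column 2 ("Version", e.g. V5) is
# the ODS/DB-class generation the server shows for each database.

# Constructed sample of "sh dir help" output (same layout as the console
# listing above; entries are illustrative, not taken from a live server).
SAMPLE_SHDIR='DbName                                Version Log  DAOS  PIRC  ---Modified Time----
/local/notesdata/help/lsxlc.nsf        V5     Yes   No    Off  05.04.2013 22:38:45
/local/notesdata/help/help9_designer.nsf V8     Yes   No    Off  05.04.2013 22:39:10
/local/notesdata/help/decsdoc.nsf      V5     Yes   No    Off  05.04.2013 22:38:43'

# find_old_ods TARGET  (reads "sh dir" output on stdin)
# Prints the path of every database whose Version is older than TARGET.
# Paths containing spaces are not handled (awk splits on whitespace).
find_old_ods() {
    awk -v target="$1" '
        NR == 1 || $2 !~ /^V[0-9]+$/ { next }                 # header or noise
        substr($2, 2) + 0 < substr(target, 2) + 0 { print $1 } # compare numerically
    '
}

# compact_cmd DATADIR TARGET  (reads "sh dir" output on stdin)
# Builds the console command with paths relative to the data directory.
compact_cmd() {
    datadir="$1"
    dbs=$(find_old_ods "$2" | sed "s#^$datadir/##" | tr '\n' ' ' | sed 's/ $//')
    if [ -n "$dbs" ]; then
        printf 'compact -C -upgrade %s\n' "$dbs"
    fi
}

# Stand-alone run against the constructed sample
printf '%s\n' "$SAMPLE_SHDIR" | compact_cmd /local/notesdata V8
```

On a live server, pipe the saved console output of "sh dir" into compact_cmd with your own data directory and the ODS generation you expect.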

Customizing Domino Out of Office Service

Daniel Nashed  29 March 2013 17:44:08


I got this question from two customers in the same week and had never looked into this before.
Thanks to Julie for pointing me in the right direction. With that information (the field names) I found an interesting old The View article.
It looks like this is the only documented source for this information.

In my customer's case the requirement was that the OOS (Out of Office Service) should not reply to potential SPAM messages, even though OOO replies to Internet email should be enabled in general.

If you want to change which messages an OOS should reply to, you first need to understand which messages are already skipped by the OOS:

- Mail generated by an Out of Office service or agent (field: "$OOS")

- Generated by the Mail file owner

- Auto-generated mail. OOS follows Domino or Internet conventions for auto-generated mail.

The following fields are checked:

$AssistMail=1
(indicates the message was sent programmatically by server or client code e.g via agent)

$AutoForward=1
(indicates the message was forwarded programmatically).

OOS also checks fields added by mail applications in accord with Internet Engineering Task Force (IETF) standards to specify whether the message was generated by a human or automatically.

Field Names:
Auto-Submitted=auto-generated or Auto-Submitted=auto-replied

- Also messages generated by the router as a non-delivery report, and messages generated by list servers according to IETF standards for automated responders, including Mailer-daemon, listserv, and so on

So if you want the OOS to ignore potential SPAM messages, you can just set one of those fields in a pre-delivery agent or in the server-side anti-spam solution.


In my case I am running a pre-delivery agent already and just added the fields to the mail to skip an OOO response.


-- Daniel


' Pre-delivery agent: mark messages flagged as spam so that the Out of Office
' Service treats them as auto-generated mail and does not reply to them.
Sub Initialize
        Dim s As New NotesSession
        Dim doc As NotesDocument
        ' Keep the MIME content untouched; the agent only adds items
        s.ConvertMime = False

        ' In a pre-delivery agent DocumentContext is the message being delivered
        Set doc = s.DocumentContext

        ' nshsmtp_TotalScore is the spam score written by the server-side check
        If doc.HasItem( "nshsmtp_TotalScore" ) Then
                If (doc.nshsmtp_TotalScore(0) > 0) Then
                        ' Both items are on the OOS skip list described above
                        Call doc.ReplaceItemValue( "$AssistMail", "1" )
                        Call doc.ReplaceItemValue( "Auto-submitted", "auto-generated" )

                        ' File the message as junk instead of leaving it in the inbox
                        Call doc.PutInFolder( "($JunkMail)" )
                        Call doc.RemoveFromFolder( "($Inbox)" )
                End If
        End If

End Sub


Syncing Confidential Contacts with Traveler & Co

Daniel Nashed  18 March 2013 08:55:41

In Notes 8.5 you can mark a contact as confidential to prevent another person with access to your mail file from seeing the contact.
Contact sync marks contacts in the mail file as public documents, so reader access to the calendar already provides access to contacts...

The Confidential flag sets a reader names field "Readers" which prevents someone with access to the mail file from seeing those contacts.
This functionality also hard-codes "LocalDomainServers" into the "Readers" field to allow replication among servers and access by other servers such as a Traveler server.

But in some cases your Traveler server is not in LocalDomainServers for security reasons. Then the server will not see those contacts and cannot sync them.

So we have multiple implications here:

- Administrators need Full Access Administration to see those contacts when troubleshooting
- If your servers are not in LocalDomainServers, confidential contacts are not replicated
- Traveler servers which are not in LocalDomainServers cannot sync confidential contacts

We ran into this a couple of times, and IMHO we really need a more granular way to manage access for contacts, calendar and mail in the future.
This new functionality should at least have added an optional role to the Readers field.

-- Daniel


BES10 and Traveler 9

Daniel Nashed  27 February 2013 21:33:55

There has been some confusion about how BES10 will access Domino-based mail files.
A couple of customers asked me to explain how this is going to work.
The following describes briefly, at a high level, how both will work together.

The current BES server uses a C-API based solution which accesses the Domino mail databases via the Notes protocol (NRPC).

With BES10 there is no native access any more, and BES10 only supports devices with the new BB OS.
All communication between BES10 and Domino will be over ActiveSync to an IBM Notes Traveler server, which will use native NRPC to access the users' mail files.

So the communication is BES10 -> Traveler via ActiveSync
Traveler -> Domino via NRPC.

BB10 devices will normally connect to the BES10 server using the infrastructure that you already know.
So the same security and encryption applies to BB10 devices. You can use policies in a similar way as in previous BES releases.
The BES10 server will control the "business" part of the device.

For other device types like iOS and Android, connectivity will be directly from the device to the Traveler server using ActiveSync.
But the mobile device management functionality of the BES10 server can be leveraged. So for iOS devices you can install a profile with a payload containing the ActiveSync account needed for Traveler and all sorts of other settings.

BB10 and PlayBook devices can also be connected directly to a Traveler server using ActiveSync.

When using BB10 and PlayBook devices or the BES10 server leveraging ActiveSync access, you need Traveler 9 running on a Domino 9 server.
Both are planned to ship at the end of March 2013.

I hope this clarifies a bit how this new offering from BlackBerry will work together with IBM Notes Traveler.

-- Daniel

SpamGeek V1.3 with Linux64 Support and new Feature to allow to change SMTP Replies / Workaround for TLS over SMTP

Daniel Nashed  22 February 2013 17:05:57

Just finished SpamGeek V1.3, which now also works on Domino 9.0 Beta Linux 64-bit.
I added one new feature that allows changing the reply the server sends in response to SMTP commands...

This helps a customer solve an issue with TLS over SMTP that he has been running into for over a year. Domino doesn't support full TLS for SMTP, and it isn't on the list for Domino 9 either. Only full support for TLS in HTTP is implemented, by replacing the HTTP stack with the IBM one.

So native TLS (it's called TLS but uses only SSL 3.0) in Domino for SMTP still has the issue that the handshake does not work for all connecting systems that request encryption via "STARTTLS" ...

Depending on the requested ciphers the handshake will fail and the connection is closed instead of falling back to another cipher. We needed a couple of debug hotfixes to figure out what is going wrong.

So if you are running native Domino you cannot use TLS, because you will not be able to communicate with some hosts requesting TLS.
The feature request to get this addressed is SPR #YDEN8RNH22...

SpamGeek now allows you to configure reply codes depending on the connecting host and will remove TLS from the commands advertised to that host -- even if TLS is enabled on the server.

That's a workaround to allow using TLS at least for some hosts/domains.

I wish IBM would address this, because encrypted SMTP traffic is becoming more and more important. And without SpamGeek there is no chance of having it enabled.
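As an added example (not SpamGeek code and not from the original post), this shell script checks how an SMTP listener completes the STARTTLS handshake with openssl s_client and reports the negotiated protocol and cipher, so the failure described above can be reproduced with a given cipher list before deciding on a per-host workaround. It assumes openssl(1) is installed; host, port and cipher list are parameters, and the s_client output used to exercise the parser is constructed.

```shell
#!/bin/sh
# Added example (not SpamGeek or Domino code): probe a Domino SMTP listener's
# STARTTLS handshake with openssl s_client and report what was negotiated.
# Offering different cipher lists reproduces the symptom described above:
# the handshake fails for some clients instead of falling back to a cipher.
# Assumes openssl(1) is installed; host, port and cipher list are parameters.

# parse_s_client  (reads "openssl s_client" output on stdin)
# Prints "<protocol> <cipher>" from the SSL-Session summary, or
# HANDSHAKE-FAILED when no cipher was negotiated.
parse_s_client() {
    awk '
        /^ *Protocol *:/ { proto  = $NF }
        /^ *Cipher *:/   { cipher = $NF }
        END {
            if (cipher == "" || cipher == "0000" || cipher == "(NONE)")
                print "HANDSHAKE-FAILED"
            else
                print proto, cipher
        }
    '
}

# probe_starttls HOST [PORT] [CIPHERLIST]
# Offers only CIPHERLIST (openssl cipher syntax) like a restricted client
# would; returns 0 when a session was negotiated, 1 otherwise.
probe_starttls() {
    host="$1"; port="${2:-25}"; ciphers="${3:-DEFAULT}"
    result=$(openssl s_client -starttls smtp -connect "$host:$port" \
                 -cipher "$ciphers" </dev/null 2>&1 | parse_s_client)
    printf '%s:%s ciphers=%s -> %s\n' "$host" "$port" "$ciphers" "$result"
    [ "$result" != "HANDSHAKE-FAILED" ]
}

# Constructed s_client output (not captured from a real server) so the
# parser can be exercised offline: an SSL 3.0 session and a failed handshake.
SAMPLE_OK='SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-SHA
    Session-ID: 0A1B'
SAMPLE_FAIL='CONNECTED(00000003)
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'

# Offline run; a live check would be: probe_starttls mail.example.com 25 RC4-SHA
printf '%s\n' "$SAMPLE_OK" | parse_s_client
printf '%s\n' "$SAMPLE_FAIL" | parse_s_client
```

Run probe_starttls once per cipher list a partner system is known to offer; a HANDSHAKE-FAILED result for a list the server is supposed to support is the case the post describes.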

C API call out results in server crash or returns corrupt data on 64-bit Domino 8.5.3 Fix Pack 3

Daniel Nashed  12 February 2013 11:41:28

We ran into this regression at a customer, and it turned out that there had been some issues with calling the C-API from LotusScript on native 64-bit Domino before.
The fixes introduced some new issues that caused servers to crash. In our case it was an abnormal process termination which did not result in an NSD containing a meaningful call stack.

So if you are running 64-bit Domino on Windows and you are calling the C-API from LotusScript, you should take care about the fixes mentioned in this new technote.
The problem occurs when you pass structures to a C-API call. On the other hand, there are fixes in 8.5.3 FP3 which correct parameter processing when passing pointers.
You should be aware that pointers that you pass and that are returned are 64-bit. Therefore you need a "Double" instead of a "Long" variable.
This does not affect parameters that you pass by reference. You need it for passing a pointer itself.

We got a hotfix for FP3, and DEV is trying to get the fix into the next fix pack and also into 8.5.4 + 9.0.

-- Daniel

Technote reference -> http://www.ibm.com/support/docview.wss?uid=swg21624936

Lotusphere / IBM Connect 2013 -- meet me there

Daniel Nashed  22 January 2013 16:40:03

Last days before Lotusphere / IBM Connect 2013 in Orlando ... This year I got two sessions in different tracks ...

If you plan to look into Domino on Linux, the Show and Tell session might be for you.
I am showing a complete server install and also how to tune and troubleshoot it.

The session comes with a complete set of screen prints for SLES and RHEL, and I will use SLES 11 SP2 in the live session.
You will also see up-to-date tuning and configuration information in the second part of the session.

Show 105 - IBM Lotus Notes and IBM Lotus Domino on Linux 101
Sunday 10:30 - 12:30

The second session is about performance tuning and will show best practices and experiences from the field in the admin and also the developer area.

BP106 IBM Lotus Domino RunFaster=1
Wednesday 15:00 - 16:00

There is also a "Linuxfest" event which is not listed on the official agenda that you might want to attend if you are interested in Linux.

-- Linuxfest Returns! --

Back for another informative all-inclusive Linux session in 2013
Join Bill Malchisky, Wes Morgan, and guest Daniel Nashed

When: Thursday, 31 January
Where: Dolphin Hotel - Sum Chow's (Next to Picabu, Level 1)
Time: 12:15 - 1:30 pm
Other: Bring your box lunch!

I have added some new stuff to my Domino on Unix/Linux start script which I have not blogged about because I have been quite busy the last two months.

If there is any feedback on the script or if you want to know something specific, find me after the sessions or at the "Linuxfest" ...

Have a great conference and a safe trip to Orlando if you are attending Connect 2013 ...

-- Daniel