Domino 14.5 EA2 Community Image patch for fixing December 2024 issue

HCL published a new Notes & Domino Windows DLL and Linux Lib for the problem occurred December 13 in the Early Access Program forum (EAP) --> https://hclsw.co/domino-14-5-eap-forum
This isn't a IF. Just a replacement of the main Notes/Domino DLL/Lib to address the problem also for the early access release.

The fix was on hold because the focus was on production and customer environments first.
Daily builds don't have support for IF/HF. Therefore there is a simple "sidepack" with just the affected files to replace.

You just stop your server or client and replace the files.
For a container image patching a container image isn't the right way.

But the container project supports custom add-ons. Usually this is intended to add software from 3rd parties, like a server task or extension manager.
The same process can also be used to patch Domino in the container at container build time.

Here is the official documentation --> https://opensource.hcltechsw.com/domino-container/concept_custom_addons/.

Let me share the steps I just took to patch my server.
I can't make the tar file available for download to just include it in our build options referenced via a HTTPS link.
But this process should be pretty straightforward and you can share this tar file for all internal servers you are building an image for.

Building the add-on to patch Domino 14.5 EA2

The first steps it to create a new directory to hold your file structure for the software you and to distribute
In the next step you create  sub directory for the Domino binary directory.

The -p options allows you to create the whole directory path a once:

mkdir -p /tmp/patch/domino-bin
cd /tmp/patch/domino-bin

Then you add the two files into that directory and package them up into a tar file.

tar -cvf /local/software/domino145ea2patchx.tar *

The directory structure look like this:

tree
.
└── domino-bin
 ├── libnotes.so
 └── libnotes.so.sym

Because the data needs to be verified to be added to the container, you have to provide the SHA256 of the tar file when getting it installed.
Linux provides the a command-line tool to generate the SHA256 checksum like this:

sha256sum /local/software/domino145ea2patch.tar
d088983544651940f71b8b7d9d942aaad84ecbe9fdbd24464178c858b9daff3b  /mnt/storagebox/software/domino145ea2patch.tar


Once you have the file in place and the checksum, you just add the custom add-on to your container build command-line.
The build script will take care for patching the binaries for your during the build process.

Custom add-ons are installed at the end of the build processes and therefore allow to patch also Domino binaries if needed.
The same process works for all kind of business partner applications.


-custom-addon=domino145ea2patch.tar#d088983544651940f71b8b7d9d942aaad84ecbe9fdbd24464178c858b9daff3b

• Comments [0]

Microsoft critical CVEs are daily business? Be aware of this critical Outlook CVE

Interesting how different the acceptance of issues is in software can be.
The following CVE is something I would rate as a quite critical issue -> https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21298

I have not found much reference about it. For heise it is just one of the bugs fixed at patch day.

The critical problem is just worth a side note. It's listed as other risks also patched.
The wording "verschlucken" is also interesting. Sounds like not a big deal the way it is worded in German.

If you are using Outlook be aware of this issue and get patches in place!

https://www.heise.de/news/Microsoft-Patchday-Angreifer-nutzen-drei-Luecken-in-Hyper-V-aus-10242955.html

• Comments [0]

Two Domino 14.5 EA events next week

Domino 14.5 EA2 is around for a while. Some of you have joined the EAP forum https://hclsw.co/domino-14-5-eap-forum.
There are two Domino 14.5 events next week to present the latest information about Domino 14.5, which also give the opportunity to provide feedback.

The OpenNTF Webinar on Thursday focuses on Domino AutoUpdate & AutoInstall, which is a highlight feature in Domino 14.5.
Joing the HCL Domino AutoUpdate development team for an introduction, deep dive and questions on Thursday.

If you can understand German, there is another event on Tuesday afternoon CET.
Sadly Thomas Hampel (HCL) and Marc Thomas (Panagenda) can't join us on short notice.
That gives me a busy week and weekend preparing multiple slides decks to cover the full 4 hours.

The Domino 14.5 AutoUpdate slides for both events will be mainly the same just in 60 instead of 90 minutes.
The 4 hour DNUG even covers Domino IQ and many other Domino 14.5 features and current best practices and lessons learned from the critical fix end of last year.

I am looking forward to see many of you at those two events.

-- Daniel


DNUG Domino Day

- Lessons learned from last years critical fix and best practices
- Domino 14.5 EA2 Auto Update&Install
- Domino 14.5 EA2 IQ
- More Domino 14.5 features

Tuesday, January 14,2025  1 - 5pm CET

https://dnug.de/event/dnug-online-domino-4/

Registration: https://www.eventbrite.de/e/dnug-online-domino-day-tickets-1079209036279


OpenNTF Webinar: Domino 14.5 AutoInstall Feature Overview and Deep Dive Domino


14.5 brings a new AutoInstall feature to extend update notifications from previous versions.
Join us in this webinar to see it in action on Windows and Linux. Learn from the development team,
get all your questions answered, and provide feedback about the latest feature details in Domino 14.5 EA2

This session will be presented by team members Gary Rheaume, Daniel Nashed, and Dick Annichiarico.

Thursday January 16th from 11:00 AM (New York time) to 12:30 PM

https://www.openntf.org/main.nsf/page.xsp?name=Interact_With_Us&subName=Webinars

Registation: https://attendee.gotowebinar.com/register/4884186125784079453

• Comments [0]

DBMT tool enhancements in Domino 14.5 EA2

Sometimes small changes open many new possibilities.
The following DBMT tool command line options are added to DBMT in Domino 14.5 EA2:

-systemDbs (-sd for short)
Allows compact to process system dbs, which are usually ignored), as well as databases listed in the dbmt_compact_filter.ind file.

-regex (-re for short)
Now a database name can be specified using regular expressions. If an .ind file is specified, the database names listed in the .ind file can be regular expressions.

-validateDbs (-vd for short)
Does not execute the updall or compacts, but outputs the list of databases that could be affected by the DBMT command (mainly to validate -regex inputs). Can be used in combination with -sd

---

There was an issue with system databases which have not been compacted any more.
Even if they have been specified via an .IND file they have been skipped.

This has been addressed with a new switch to explicitly allow system databases to be processed.
It was actually a regression and is now formalized a an explicit option.
The option works in combination with other selection options.

Selecting databases wasn't fully flexible. Now you can specify a regular expression.
It allows full flexibility but can be a bit tricky to get right.

Therefore there is a new option to dry run your selection.

lo dbmt -sd -vd -re *names*

Again a small step to develop. But it might completely change the way you schedule your DBMT operations in future.


Documentation

https://help.hcl-software.com/domino/14.5.0/admin/wn_145ea2_administration_features.html

Regular expressions for the DBMT tool

https://help.hcl-software.com/domino/14.5.0/admin/admn_general_expressions_dbmt_tool.html#admn_general_expressions_dbmt_tool__table_ws2_chn_zcc

• Comments [0]

Checking leap year rules in Notes -- With historic view

This is a follow-on post to my previous Notes TIMEDATE post.
To sum it up. Notes is handing it right.

Checking if the calendar rules work for dates long time ago, made me look into history behind our modern time system.
I wrote a program to check Notes leap rules leveraging the Gregorian calendar.
The only year in question I found 1700. But it turned out this really depends when the Gergorian calendar became effective.

In the Julian calendar the dividable by 400 rule was not in place. It's arguable if this is an issue. That depends on the county ..
The US changed to the Gregorian calendar in 1752. For all future dates the Gregorian rules apply and future century leap days look right in my testing.

Here is what ChatGPT found out.. But you have to read it right and it is interesting to read.
I can't recall hearing about those history details in school ... I did know the rules. But not when they had been introduced in different countries.

-- Daniel

Leap year exceptions are related to the rules of the Gregorian calendar and its predecessor, the Julian calendar. These exceptions address the need to keep the calendar year aligned with Earth's orbit around the Sun. Here is a breakdown:

Leap Year Rules

1. Julian Calendar (Introduced in 45 BCE):
   - A year is a leap year if it is divisible by 4.
   - This rule overestimated the length of the solar year, causing an error of about 11 minutes annually. Over centuries, this accumulated, leading to calendar drift.

2.Gregorian Calendar (Introduced in 1582):
   - To correct the Julian calendar's drift, the Gregorian calendar added two additional rules:
     - A year is a leap year if it is divisible by 4.
     - **Exception:** If the year is divisible by 100, it is not a leap year, unless:
     - **Exception to the exception:** If the year is divisible by 400, it is a leap year.
   - This refinement corrected the annual discrepancy and aligned the calendar more closely with the solar year.

Historical Exceptions

1. Switch from Julian to Gregorian Calendar:
   - In 1582, Pope Gregory XIII introduced the Gregorian calendar. Ten days were skipped to realign the calendar with the seasons. Different countries adopted the Gregorian calendar at different times, causing discrepancies.
   - Example: In England and its colonies, the switch occurred in 1752, skipping 11 days (September 2 was followed by September 14).

2. Non-implementation of Leap Years:
   - Leap years that would occur under the Julian rules but not under the Gregorian rules (e.g., 1700, 1800, 1900) are exceptions. These were not leap years in Gregorian calendar countries but remained so in Julian calendar countries.

3. Adoption Delays:
   - Some countries, like Russia and Greece, retained the Julian calendar for centuries after 1582. Russia adopted the Gregorian calendar in 1918, and Greece in 1923.

Rare Leap Year Events

- Year 2000:
   - While divisible by 100 (not a leap year under the basic rule), it was also divisible by 400, making it a leap year under the Gregorian rules.

Summary of Leap Year Exceptions

- 1700, 1800, 1900: Not leap years in the Gregorian calendar, but leap years in the Julian calendar.
- Year 2000: A leap year in both systems due to the "divisible by 400" rule.

These rules and exceptions ensure the calendar remains synchronized with Earth's orbit, minimizing long-term drift.

• Comments [0]

Notes Timedate explained

There have been a couple of partner blog posts speculating about the background of the recent Domino 13.12.2024 problem, which might be a bit misleading.
For the background of what happened in detail and how HCL addressed the problem please wait for the official technote update.
But what I can tell is that HCL fixed it on a lower level function addressing all functionality in Domino and business partner applications using the effected functionality.

This means the only safe way is to apply the Interim fix provided by HCL for all supported releases including the extended support versions!
What I also can state is that all Notes TIMEDATE functionality is working as intended and are designed to handle date times from 1.1.1 to the end of all times.

Sorry for a long blog post like this. But I hope this helps to understand the Notes TIMEDATE a bit better.
The takeaway is that the Notes TIMEDATE works as intended for now and the far future.


I am briefly comparing the approach Notes took compared to the Linux/UNIX date, but will not go into all details about the Linux EPOCH date -- which would be maybe something for a future blog post.
But comparing two implementations makes it easier to understand.

To understand how time date functionality works it makes sense to look into the lowest level of presentation, which you can find in the C-API toolkit.
Notes/Domino uses the TIMEDATE structure to internally represent time.

The time is stored always in GMT/UTC and contains timezone and summer/winter (DST) information of how the data was stored.
The internal representation is always in UTC to ensure all operations are compatible for all timezones in summer and winter time and that no conversion is needed to compare them.
That also means everything displayed is only a conversion based on UTC with the choosen timezone at run-time.

typedef struct tagTIMEDATE
{
DWORD Innards[2];
} TIMEDATE;


The structure is a binary representation which should not be manipulated low level. It contains the date and time + zone + DST flag.

Linux time

In contrast the Linux timedate is a single number of seconds since 1.1.1970 midnight UTC, which will wrap around in 2038 in it's 32bit implementation.
The good news here is that Linux glibc has switched to a 64bit integer when 64bit Linux was introduced.
So today you will hopefully all run Linux environments with a time_t with 64bit which will work far beyond year 2028.
But there might be many older legacy environments without a 64bit time_t format which are limited to the 32bit integer design of the Linux time which can only hold around 68 years in seconds.

Notes TIMEDATE functions

The TIMEDATE can be converted to a TIME structure very similar to how Linux converts it's internal format to a human readable structure.
This structure is mainly intended for input/output.
There are also conversion functions to format a date based on time settings to format and read from/string buffers.


Structure

typedef struct {
int year;       /* 1-32767 */
int month;      /* 1-12 */
int day;        /* 1-31 */
int weekday;    /* 1-7, Sunday is 1 */
int hour;       /* 0-23 */
int minute;     /* 0-59 */
int second;     /* 0-59 */
int hundredth;  /* 0-99 */
int dst;        /* FALSE or TRUE */
int zone;       /* -11 to +11 */
TIMEDATE GM;
} TIME;


Most relevant functions to handle conversions to help understanding the TIMEDATE.


BOOL LNPUBLIC TimeLocalToGM(TIME far *Time);
BOOL LNPUBLIC TimeGMToLocal(TIME far *Time);
BOOL LNPUBLIC TimeGMToLocalZone(TIME far *Time);

Conversions take either the GM TIMEDATE format to convert it to individual values or the other way round.
The internally structure of a TIMEDATE contains two main components:

1.The elapsed in days since a certain EPOCH time which is different then the Linux EPOC and much lower.
2. Number of 1/100 seconds since midnight UTC/GMT


Both values are DWORD values which can hold the hundred seconds since midnight and sufficient number of days until the end of all times.
The Notes EPOC value is also way below 1.1.1 so it can handle dates earlier than 1900.

So both assumptions that Domino's EPOCH date is 1.1.1970 or 1.1.1900 are wrong.


TIMEDATE implementation benefits and facts

The design of the TIMEDATE brings a couple of benefits which makes it more flexible then other time formats.

1. Works since 1.1.1 until very far into the future
2. Supports timezone and summer/winter time
3. Compatible between timezones (this is specially important for replication)
4. Resolution is 1/100 second in contrast to for example Linux where the resolution is 1 second

How to make sure you are not running into issues in your applications

All the functionality described here is part of the original design of Notes and work unchanged since then.
This includes a function to calculate the difference between two TIMEDATES in seconds.

The resulting number if a LONG, which is a 32bit signed integer. This integer value can represent the delta in seconds for a round 68 years.

Usually this isn't a problem in applications and in the time when Notes was designed there was no 64bit Integer value.
68 years in seconds was sufficient and you could not calculate with larger numbers.

When calculating larger numbers you had always to switch to a float value else the resulting value would have wrapped.
Notes also provides a function returning the difference in seconds in a float value returning a NUMBER.
This result will allow longer time intervals but might loose precision in detail.


Compare without calculating the difference

In many cases you don't need to know the difference. You just want to check which date is younger.
The TimeDateCompare() works independently of the time difference and is the safer bet when comparing.

In future Notes should introduce a TIMEDATE difference routine returning LONG64.
This would help to calculate longer time spans without switching to floating point operations, which work well for larger numbers but might loose precision.

Today Notes and Domino is only available for 64bit and all platforms support 64bit integer data types. So it would be possible to implement a LONG64 version of the time difference function.
But until then you just need to take care of the LONG (32bit signed integer limits of 68 years -- more exact 2147483647 seconds).

-----

Side Note:

Usually you would not use time functionality for earlier dates than 1900.
I have tested with 1.1.1 but I would assume this isn't officially intended to work since that time.
There is a special leap year rule that might not have been taken into account those special rules omitting certain leap years (see reference below).
I have not spent any time validating that for earlier times or later times. But maybe I will look into this in another blog post.

"The Gregorian calendar therefore omits 3 leap days every 400 years, which is the length of its leap cycle.
This is done by omitting 29 February in the 3 century years (multiples of 100) that are not multiples of 400.
The years 2000 and 2400 are leap years, but not 1700, 1800, 1900, 2100, 2200, and 2300."
--- Ref: https://en.wikipedia.org/wiki/Leap_year


References:

I would also have a small C-API program to play around with the Notes TIMEDATE and to see how the functionality works.
But I am leaving that out here. If anyone is interested, I could share it including a Linux makefile.


LONG LNPUBLIC TimeDateDifference(const TIMEDATE far *t1, const TIMEDATE far *t2);
void LNPUBLIC TimeDateDifferenceFloat(const TIMEDATE far *t1, const TIMEDATE far *t2, NUMBER far *difference);
int  LNPUBLIC TimeDateCompare(const TIMEDATE far *t1, const TIMEDATE far *t2);


Extract from global.h

BYTE    = unsigned  8 bit integer
WORD    = unsigned 16 bit integer
DWORD   = unsigned 32 bit integer
LONG    = signed   32 bit integer

DWORD64 = unsigned 64 bit integer (on 32 and 64 bit operating systems)
LONG64  = signed 64 bit integer (on 32 and 64 bit operating systems)
NUMBER  = A platform-independent IEEE-64 floating point number


Number 2147483647

The number 2147483647 (or hexadecimal 7FFFFFFF) is the maximum positive value for a 32-bit signed binary integer
More information -->  https://en.wikipedia.org/wiki/2,147,483,647

----

Update 6. January 2025

There is an interesting technote Julian came up with. I wasn't aware of those details about the historic dates.
But this really matches what the C-API provides.

KB0039502  -- Error "Unable to interpret time or date" when entering specific dates from the year 1752

https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0039502

Now you know the base year for the Notes TIMEDATE: year 4713 B.C.

If you take the number of days from today's date and divide them by 365,25 + take into account that there was no year zero, this matches the start date 4713 B.C.

So in contrast to most implementations taking 1970 or 1900 as the base, Notes uses the Julian date EPOCH.  

Now looking into it closer, there is a call to extract the Julian date:

DWORD LNPUBLIC TimeExtractJulianDate(const TIMEDATE far *Time);

Which turns out to be the TIMEDATE Innards value for the days.

See details about the Julian date here --> https://en.wikipedia.org/wiki/Julian_day

• Comments [8]

Useful Notes SmartIcons: Reformat text is my favorite

Notes formula are one of the lost arts. I am a big fan and have started to work with Notes at a time where we had no Lotus Script nor Java.
Today formula language is still very powerful. I am using it in many ways including C-API and Lotus script.

There are many @Commands for UI automation available. But there are also Lotus Script UI classes.
The really cool part of formula language is that you can use the commands in SmartIcons.

The following command selects the body text and sets the text to Default Sans Serif with 10pt.
It works for the whole mail including mail replies.

---
@Command([EditGotoField];"Body");
@Command([EditSelectAll]);
@Command([TextSetFontFace];@GetMachineInfo ([EnvVariable];"NAMEDSTYLE1_FACE"));
@Command([TextSetFontSize]; "10");
@Command([EditDeselectAll]);
---

It works for the whole mail including mail replies.


But there are more SmartIcons I use every day...

Remote server console

Notes 5.0 was the first client splitting client, admin and designer.
The old remote console is still available and works also without an admin client installed.
And also works on Mac and Nomad Web by the way.

---
@Command([AdminRemoteConsole])
---

Opening the notes.ini in notepad

This formula combines two commands. @ConfigFile is also useful in any text field with Shift + F9.

---
@Command([Execute];"notepad"; @ConfigFile)
---

Edit a field in a document

Another useful formula allows to update fields. This is one is for text field.

---
FieldName := @Prompt([OkCancelEdit]; "FieldName"; "Type the Field to change"; "") ; FieldValue := @Prompt([OkCancelEdit]; "FieldValue"; "Type the new Value"; "") ; FieldName + " --> " + FieldValue; @SetField (FieldName; FieldValue)
---

• Comments [2]

Ubuntu updates from a local repository including containers

In larger companies a local repository cache could be a more efficient way to update and install packages.
Providers often have their own repositories as well.

My favorite provider Hetzner runs an own repository:

https://docs.hetzner.com/robot/dedicated-server/operating-systems/hetzner-package-mirror/#for-x86-based-servers

Servers at Hetzner have the repository pre-setup (it is only available for Hetzner servers).

Container images

But when you use a container image the standard Ubuntu repository is used.
I never looked into it. But now I am working on a project where we require local repositories.
Using a local repository is the more efficient way in this case.
I have added functionality to the container image build use an alternate repository.
But this is limited to Ubuntu LTS 24.04 (Noble) for now.
domino-container/dockerfiles/install_dir_domino/custom/ubuntu_noble.sources


Building your own local repository

Debmirror is a tool to build repositories. If you only select the main components for x64 the size is 47 GB.

https://help.ubuntu.com/community/Debmirror

The script syncs the packages and you can use for example NGINX to host the repository.
I have tested the setup with Hetzner and also with the local repository.

Does anyone have a similar requirement? What are you doing to build with a local repository?

• Comments [0]

Updating NGINX certificates automatically from Domino CertMgr

Not sure you are aware this has been around for while.
I never added a readme to the directory.  The script is in the HCL GitHub CertMgr repository, which is mainly intended for CertMgr integrations, but provides other resources.
This script can find out if your certificate for an existing key got updated and just pulls the new cert.

https://github.com/HCL-TECH-SOFTWARE/domino-cert-manager/blob/main/examples/nginx/cert_upd_nginx.sh


The results from this script looks like this.
If nothing needs to be updated no details are printed.

The script could be scheduled automatically and it can also update NGINX or other services which use the certificate.
In my case I am using Domino Certificate URL Health check. I get a mail 30 days before expiration and just run the command.

But there is more automation possible (like running this script in a cron job).
I just keep it that way because I want exercise all the different functionality like the health check and once in a while get a mail to look at.

CertMgr is based on standards like PEM for certificates, public keys, certificate chains, exportable keys, trusted roots.
It is designed for integration and automation flows. I am using it in many different ways.

-- Daniel

/cert-update-dnug-lab.sh

---------------------------------
Sat Dec 28 10:42:53 AM UTC 2024
---------------------------------


Certificate Update
------------------

SAN         : DNS:*.dnug.eu, DNS:*.lab.dnug.eu, DNS:dnug.eu
Subject     : CN=*.dnug.eu
Issuer      : C=US, O=Let's Encrypt, CNæ
Expiration  : Mar  9 15:25:17 2025 GMT
Fingerprint : B7:1E:79:32:87:65:4B:8F:AC:97:76:06:29:D1:B5:48:03:9B:0C:41
Serial      : 049DE8710E8C129D59263ACB6B6A5489D614


Reloading NGINX configuration due to certificate update

• Comments [0]

New project Domino Download Server

Over the x-mas I had a bit of time to work on an idea I had already a while ago.
Some customers can't directly connect to the internet. Not even with a proxy.
Domino AutoUpdate and also the Domino Download script both support proxy environments including authenticated proxies.

The Domino Download script leverages the curl command-line which is very flexible.
But also Domino AutoUpdate has full proxy support.
Still some environments can' download anything from the internet. Some are even air gapped.

The idea was to come up with a NGINX based service which could be the source for all your Notes/Domino downloads.
I wanted it to work in different environments.

Download source for AutoUpdate

This requires emulation of the MHS API end-point and also a download of product.jwt and software.jwt.
This informatio is required by Domino AutoUpdate.

Domino Download script support

The script provides multiple ways to configure downloads.
By default it uses MHS as a download target.
But it can work against any other server which provides download functionality based on file name.

Simple web GUI to search and download files

If you can't access MHS directly, there is no nice looking download interface.
The project also implements a simple web front end based on filtered catalog.json data.

Implementation

The heart of the solution is NGINX with a LUA module leveraging the Domino Download script to download software automatically, if not yet available on disk.
The solution is kind of a corporate cache for Domino related web-kits.

I had a NGINX server providing the files earlier. The new solution is based on it but it is extended with automatic download options and a catalog UI.

Link to the current develop branch where I added basic documentation already (it's not yet in the main branch).
https://github.com/nashcom/domino-startscript/tree/develop/domdownload-server

Here is an example screen shot. This isn't intended to replace anything.
It's complementary for customers who can't directly access the internet or let their admins download from an internal, local repository which reaches out to MHS to get the software once.

Feedback?

Do you have use cases for this complementary way to download?
I mainly built it for own servers. But also will use this as a base to help customers with special requirements in this area.

The script itself also has it's own menu to run and maintain it. See the README link - -which might move to the Start Script GitHub documentation page later.

• Comments [1]