Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed

 Domino 

Domino 14.5 is not supported on Windows Core Server

Daniel Nashed – 19 February 2026 14:54:24

Microsoft offers two installation modes for Windows Server, available for both editions (Standard and Datacenter).


  • "Windows Server Core", an installation mode without a full graphical UI
  • The full server installation with a full administration GUI

Windows Server Core (Standard Edition) is meanwhile the default selection when you run the installer.
But even though the Domino system requirements do not explicitly exclude Windows Server Core, it is not a supported configuration yet.

There is an AHA idea to vote for, which only has 7 votes today.

https://domino-ideas.hcltechsw.com/ideas/DOMINO-I-2524


I am not sure if nobody has the requirement or nobody knows it is not supported yet.


Windows Server Core needs fewer resources and is also the installation mode recommended by the German BSI, not least from a security point of view.
Especially for smaller servers it is important to reduce the footprint of the Windows server since Windows Server 2025, because it tends to use more memory out of the box.

It comes with a simple configuration menu for the most important tasks and works well with Domino.
The installer, the classical configuration wizard and also the Jconsole GUI just work unchanged.

Only service.exe doesn't launch. But to start and stop services you can either use the sc command line or the services part of taskmgr.
RDP works as well. But Windows Server 2025 also comes with OpenSSH installed, and you can just enable it for administration via an SSH session -- but that's maybe something for another post.


This post is to raise awareness and to see if someone is currently using it or plans to use it.

If you have a requirement to install it, please vote for my AHA idea.



Domino IQ Mail Request Requirements and Troubleshooting

Daniel Nashed – 19 February 2026 14:14:54
Domino IQ offers two simple-to-use actions which are integrated into the 14.5 and 14.5.1 mail template.

  • Summarize
  • Reply with Domino IQ

They are a bit hidden and might not show up if not all requirements are met.
The question of what is required came up a couple of times.

Therefore I added a diagnostic form to the Domino IQ lab database a while ago.

It checks all the requirements I found in the hide-when formula around the actions in the mail template.


Here is an example which also shows the requirements:


  • Notes 14.5 or higher Standard client
  • Use the Notes client theme Notes 11 or higher
  • Use the 14.5 mail template or higher
  • Have a Domino IQ server available in your domain (the actions use the default server in your Domino domain, because the commands don't pass in a Domino IQ server)
  • Have the two actions configured and available (the code gets the list of available actions)


You find the details on the Detail tab shown in the last screenshot below.



 Linux  sudo 

Getting sudo permissions right

Daniel Nashed – 19 February 2026 11:10:19

sudo can be used in multiple ways. In general it is a way to delegate root access for certain operations or to switch to root.
On Ubuntu traditionally no user can log in directly as root remotely, and you have to switch from your account to root using "sudo su -".
But it can also be used to delegate individual commands or even just certain parameters of a command.


Narrowed whitelist


What is really important is that the list is as narrow as possible.

You should only whitelist commands.
Allowing all commands and just having a blacklist does not work well!


If you only excluded some operations, an admin could for example copy the "bash" binary and just run it to gain root access.


When using sudo to get a root bash session, you should make sure the session can at least only be opened after asking for a password.
If you read one of my previous posts, there could even be a time-limited authorization to use root based on signed SSH keys. But this would need some planning and an application to securely issue those SSH certs after validating the user and approving the access.


Running distinct commands is usually OK without specifying a password.


Here is a simple example of how it can look for a "notes" application user.
Starting and stopping all services on a Domino server should be perfectly OK for a Domino admin.

Eventually you also want the Domino user to reboot a machine or run similar commands which can only be performed by root.


Also applying updates could be an operation potentially delegated to an application admin.



visudo


notes  ALL= NOPASSWD: /usr/bin/systemctl start *, /usr/bin/systemctl stop *, /usr/bin/systemctl restart *, /usr/bin/systemctl status *, /usr/sbin/reboot


Even allowing all systemctl operations could be used to gain higher access than intended. You could install your own services for example, which would then run with root permissions.
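As an added example (not from the original post), a small shell audit that flags sudoers rules wider than the narrowed whitelist described above: ALL as command spec, NOPASSWD on a shell, and systemctl wildcards. The sudoers fragment it checks is constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a sudoers-style file for
# rules broader than a narrowed command whitelist. It flags
#   (1) ALL as command spec ("!" exclusions cannot make that safe),
#   (2) NOPASSWD on a rule that opens a shell or su,
#   (3) wildcards in systemctl rules (any unit, including self-installed ones).

# Print one line per finding for the given file.
audit_sudoers() {
    grep -v -E '^[[:space:]]*(#|$)' "$1" \
    | grep -v -E '^[[:space:]]*(Defaults|User_Alias|Cmnd_Alias|Host_Alias|Runas_Alias)' \
    | while IFS= read -r line; do
        user=$(printf '%s\n' "$line" | awk '{print $1}')
        # command spec: everything after the first '=', minus a (runas) group
        cmds=$(printf '%s\n' "${line#*=}" | sed 's/^[[:space:]]*([^)]*)//')
        if printf '%s\n' "$cmds" | grep -q -E '(^|[[:space:],])ALL([[:space:],]|$)'; then
            echo "CRITICAL $user: ALL commands allowed; '!' exclusions do not help"
        fi
        if printf '%s\n' "$cmds" | grep -q 'NOPASSWD' \
           && printf '%s\n' "$cmds" | grep -q -E '/(bash|sh|dash|zsh|su)([[:space:],]|$)'; then
            echo "CRITICAL $user: root shell without password prompt"
        fi
        if printf '%s\n' "$cmds" | grep -q -E 'systemctl[[:space:]]+[a-z-]+[[:space:]]+\*'; then
            echo "WARNING  $user: systemctl wildcard allows any unit"
        fi
    done
}

# Number of findings; 0 means the file passed the audit.
count_findings() {
    audit_sudoers "$1" | wc -l | tr -d ' '
}

# Constructed sample: one narrow rule and three over-broad ones.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample sudoers fragment
Defaults    env_reset
notes   ALL= NOPASSWD: /usr/bin/systemctl start domino.service, /usr/bin/systemctl stop domino.service, /usr/sbin/reboot
notes   ALL= NOPASSWD: /usr/bin/systemctl start *, /usr/bin/systemctl stop *
admin   ALL=(ALL) NOPASSWD: /bin/bash
ops     ALL=(ALL:ALL) ALL, !/usr/bin/passwd
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); write_sample "$tmp"; audit_sudoers "$tmp"; rm -f "$tmp"
fi
```

Run it with `--demo` to see the three findings on the sample, or point `audit_sudoers` at a fragment from /etc/sudoers.d after `visudo -c -f` has confirmed its syntax.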



Check other ways to allow permissions -- Example Docker


Think about every operation you allow and check whether there are other ways to grant it.

For example, for Docker you can just add the "notes" user to the "docker" group to allow a Domino admin to run all Docker commands.


usermod -aG docker notes


A good way to operate is to give the application user (in our case notes) everything an application admin has to do, and let the admins perform restricted operations on a need-to-do basis.

Normal application administration does usually not require root.


You would need root permissions for example when updating Domino servers.


But there is also a way around that.


For a natively installed Domino server there is AutoUpdate since Domino 14.5, which is authorized by an autoinstall binary that uses SUID to gain root access to shut down Domino and install an update.

Those operations are also narrowed down to this exact use case, and the software to install is verified end to end using a software.jwt against a public key baked into the binary.


With Docker you can build an image with "notes" permissions, and if you git clone the repositories with the "notes" user there is no need for "root" to build or operate Domino on Docker.




 Domino  Backup 

Domino 14.5+ Backup supports .ind files

Daniel Nashed – 18 February 2026 22:25:17

Domino 14.5+ Backup uses the same back-end that DBMT and the design task switched to in 14.5.
This offers out-of-the-box support for more than 20000 databases without a notes.ini parameter.
The number of entries is now dynamic.

Switching to the new way of processing databases also introduces support for .ind files.

This should still stay a special-purpose configuration.
Configuring a full backup with an exclude list is still the preferred way to ensure you are not missing newly added databases in another directory.

But it can be a helpful configuration for some special use cases.



Here is a simple example using the new system database list.

Note that the exclude configuration is still in place.


lo backup dominosystemdbs.ind

Backup: Starting backup for 29 database(s)





Domino 14.5 automatically maintains a dominosystemdbs.ind file

Daniel Nashed – 18 February 2026 22:11:53

Did you know Domino 14.5 maintains a new dominosystemdbs.ind file?

It contains all system databases ordered by name.


plus
  • the directory assistance database (which can have a different name)
  • the mail.boxes (there can be more than one)
  • the ID Vault database, if configured on the server

The standard database list can contain databases that are not actually present on the server.
The list is mainly intended to serve as an exclude and include list.

DBMT and other tasks ignore databases not present and don't cause an error message.


The list is also used for the new design refresh functionality, which refreshes templates after a release update.


The list can be pretty useful also for off-line compacts and other maintenance tasks.



activity.nsf
admin4.nsf
admincentral.nsf
adminq.nsf
autoupdate.nsf
busytime.nsf
catalog.nsf
certlog.nsf
certstore.nsf
cldbdir.nsf
clubusy.nsf
cscancfg.nsf
cscanlog.nsf
cscanquarantine.nsf
daoscat.nsf
dbdirman.nsf
ddm.nsf
dircat.nsf
domcfg.nsf
dominobackup.nsf
dominodla.nsf
dominoiq.nsf
domlog.nsf
entitlements.nsf
entitlementtrack.ncf
events4.nsf
idpcat.nsf
inetlockout.nsf
lndfr.nsf
log.nsf
mtdata/mtstore.nsf
names.nsf
passkey.nsf
statrep.nsf
toolbox.nsf
updatesite.nsf
userlicences.nsf
da.nsf
mail1.box
mail2.box
IBM_ID_VAULT/NotesLab-Vault.nsf


 NGINX 

Configure NGINX to support ECDSA and RSA certs/keys at the same time

Daniel Nashed – 18 February 2026 21:38:57

NGINX is still my favorite secure reverse proxy. There are easier-to-use solutions.

But NGINX is very flexible, performs well and can be configured in great detail.


Here is an example of a configuration we are running in the DNUG lab.
This is only the TLS/SSL part of the configuration. The server has many different names, dispatched via SNI to different local and remote hosts on the same IP.


Here is a TLS 1.2/1.3-only configuration with very selective ciphers and the 3 main ECDSA NIST P curves.

NGINX supports dual certs. You can add an ECDSA and an RSA key in parallel.

When your client only supports RSA ciphers or only RSA signatures, you get a session using the RSA key and RSA ciphers.


Here is an example request:


openssl s_client -connect linus.lab.dnug.eu:443 -servername linus.lab.dnug.eu -tls1_2 -cipher 'ECDHE-RSA-AES128-GCM-SHA256'


This might not be 1:1 what you want to use. You would probably want more ciphers. But this is something good to test with.


events {}

http {
    ssl_session_cache         shared:SSL:10m;
    ssl_session_timeout       10m;
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_ciphers               'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_ecdh_curve            secp256r1:secp384r1:secp521r1;
    ssl_prefer_server_ciphers on;

    ssl_certificate           /local/nginx/star-dnug-lab-ecdsa.pem;
    ssl_certificate_key       /local/nginx/star-dnug-lab-ecdsa.key;
    ssl_certificate           /local/nginx/star-dnug-lab-rsa.pem;
    ssl_certificate_key       /local/nginx/star-dnug-lab-rsa.key;

    proxy_read_timeout        60;
    proxy_ssl_name            $server_name;
    proxy_ssl_server_name     on;
    proxy_ssl_session_reuse   on;

...
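As an added example, not from the original post: a shell check that runs the s_client test above twice, once restricted to an ECDSA cipher and once to an RSA cipher, and confirms the dual-cert setup hands out the matching key type each time. The s_client excerpts embedded for offline checks are constructed; probe_host assumes network access to a host you name.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that a dual-cert NGINX
# endpoint serves its ECDSA chain to ECDSA-capable clients and its RSA chain
# to RSA-only clients. negotiated_key_type only parses s_client output, so it
# can be checked offline; probe_host performs the live connections.

# Read s_client output on stdin and print ECDSA, RSA or UNKNOWN.
negotiated_key_type() {
    out=$(cat)
    # OpenSSL 1.1.1+ prints the signature algorithm the server used
    sig=$(printf '%s\n' "$out" | sed -n 's/^Peer signature type: *//p' | head -n 1)
    case "$sig" in
        ECDSA*) echo ECDSA; return 0 ;;
        RSA*)   echo RSA;   return 0 ;;
    esac
    # fallback for older output: a TLS 1.2 cipher name carries the key type
    cipher=$(printf '%s\n' "$out" | sed -n 's/^New, TLSv[0-9.]*, Cipher is *//p' | head -n 1)
    case "$cipher" in
        ECDHE-ECDSA-*) echo ECDSA ;;
        ECDHE-RSA-*)   echo RSA ;;
        *)             echo UNKNOWN ;;
    esac
}

# Probe a host twice with a single TLS 1.2 cipher each, so only one key type
# can be chosen. Prints one line per probe; returns non-zero on any mismatch.
probe_host() {
    host="$1"; port="${2:-443}"; rc=0
    for pair in 'ECDSA:ECDHE-ECDSA-AES128-GCM-SHA256' 'RSA:ECDHE-RSA-AES128-GCM-SHA256'; do
        want=${pair%%:*}; cipher=${pair#*:}
        got=$(openssl s_client -connect "$host:$port" -servername "$host" \
                -tls1_2 -cipher "$cipher" </dev/null 2>/dev/null | negotiated_key_type)
        if [ "$got" = "$want" ]; then
            echo "ok       $cipher -> $got"
        else
            echo "MISMATCH $cipher -> $got (expected $want)"; rc=1
        fi
    done
    return $rc
}

# Constructed excerpts of s_client output used for offline checks.
SAMPLE_RSA='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Peer signature type: RSA-PSS'
SAMPLE_ECDSA_TLS13='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Peer signature type: ECDSA'
SAMPLE_OLD='New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit'

if [ "${1:-}" = "--probe" ]; then probe_host "$2" "${3:-443}"; fi
```

A MISMATCH on the RSA probe usually means the RSA pair is missing or the cipher list excludes ECDHE-RSA, so RSA-only clients would fail the handshake.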

 Domino  Backup 

Use Domino Backup to take a snapshot of a database to use it on another machine

Daniel Nashed – 18 February 2026 14:10:22

Sometimes you need a physical copy of a database to use it somewhere else.
For example to replace a database at a low level or to provide a set of templates to someone.

If you have Domino Backup configured to store backups on disk, you can safely copy those NSF/NTF files while the server is running.

You can even create a fresh backup of a single database just for that purpose (e.g. load backup log.nsf).
There is also a way to take a snapshot of a database. But this command is mainly for troubleshooting and limited in size by default.

Domino Backup brings the database into backup mode, takes a copy and applies deltas.
That's a convenient way to "grab" a database while a server is running.


 SSH 

Update to a current OpenSSH client & server to be post quantum crypto safe

Daniel Nashed – 18 February 2026 00:37:55

Today I got an interesting warning. This was on Windows -- not on Linux.
The log message took me to this OpenSSH info page:
-> https://www.openssh.org/pq.html
This isn't OpenSSL. This is about OpenSSH.


OpenSSH decided to add a security warning in the latest versions for sessions connecting to older OpenSSH server versions. The warning looks like this:


** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See
https://openssh.com/pq.html

If you are running for example Ubuntu 24.04 LTS, you are on the safe side.

The version in use there is currently 9.6:


ssh -V
OpenSSH_9.6p1 Ubuntu-3ubuntu13.14, OpenSSL 3.0.13 30 Jan 2024


The next LTS version 26.04 -- which is planned for April 2026 -- will bring at least the following (I am running it already for testing):


ssh -V
OpenSSH_10.2p1 Ubuntu-2ubuntu1, OpenSSL 3.5.3 16 Sep 2025


The interesting part is these two key exchange algorithms:


  1. sntrup761x25519-sha512@openssh.com
  2. mlkem768x25519-sha256 (in OpenSSH 10.x and higher)


The first key exchange algorithm is already in OpenSSH 9.6.
It's a hybrid algorithm which is regarded as quantum-computing safe.

But OpenSSH switched to a newer algorithm in 10.x.


Even if you are not getting this warning, because you don't have any client with an OpenSSH version that prints it, it makes sense to look at your version and make sure you are running the latest version supported by your OS.

This also includes OpenSSH servers for Windows!


The link above has more details about why this is important today. It would be a major concern if you are a normal customer.
But it makes sense to update OpenSSH versions anyhow.

This is a client and server requirement! And it also affects clients like MobaXterm which might use embedded libs.

There are ways to use external SSH versions. I would not be too concerned. But looking into the latest versions of your SSH client/server software and installing the latest OpenSSL version is always a good idea.


ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
sntrup761x25519-sha512
sntrup761x25519-sha512@openssh.com
mlkem768x25519-sha256
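As an added example, not from the original post: a shell check that classifies the two hybrid kex names discussed above, reads the negotiated kex out of "ssh -vv" output, and uses that to probe a server from the client side. The debug excerpts embedded here are constructed; probe_server assumes network access and a host name you supply.

```shell
#!/bin/sh
# Added example, not part of the original post: check whether an SSH session
# would use one of the post-quantum hybrid key exchanges the post names.
# Classification and parsing work offline; probe_server needs network access.

# Return 0 if the kex name is a post-quantum hybrid, 1 otherwise.
kex_is_pq() {
    case "$1" in
        sntrup761x25519-sha512|sntrup761x25519-sha512@openssh.com|mlkem768x25519-sha256) return 0 ;;
        *) return 1 ;;
    esac
}

# Map a kex name to a status word, for probe_server and for log review.
classify_kex() {
    if [ -z "$1" ]; then echo "UNKNOWN"
    elif kex_is_pq "$1"; then echo "PQ $1"
    else echo "CLASSICAL $1"
    fi
}

# Does the local client offer any PQ kex?  Uses "ssh -Q kex" as in the post.
client_has_pq() {
    ssh -Q kex 2>/dev/null | while read -r k; do kex_is_pq "$k" && echo "$k"; done | grep -q .
}

# Extract the negotiated kex from "ssh -vv" output read on stdin.
# The client logs its choice as "debug1: kex: algorithm: <name>" during KEXINIT,
# before host key verification and authentication.
negotiated_kex() {
    sed -n 's/^debug1: kex: algorithm: *//p' | head -n 1
}

# Attempt a non-interactive connection with -vv and report the kex class.
# Authentication is expected to fail; the kex line is logged before that.
probe_server() {
    kex=$(ssh -vv -o BatchMode=yes -o ConnectTimeout=5 "$1" true 2>&1 </dev/null | negotiated_kex)
    classify_kex "$kex"
}

# Constructed excerpts of "ssh -vv" output (current server vs. old server).
SAMPLE_NEW='debug1: kex: algorithm: mlkem768x25519-sha256
debug1: kex: host key algorithm: ssh-ed25519'
SAMPLE_OLD='debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519'

if [ "${1:-}" = "--probe" ]; then probe_server "$2"; fi
```

Feed a list of hosts to probe_server to find the servers that still negotiate a classical kex and therefore still need an OpenSSH update.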

 Domino  Backup 

Domino Backup notifications and central logging

Daniel Nashed – 17 February 2026 00:09:58

Domino Backup can be configured in 5 minutes if you have deduplicating storage locally or available over a file share.

Some of my customers use it especially for smaller servers which don't need a larger backup infrastructure.
These could be hosted servers or smaller admin or gateway servers.

But it would also work for larger servers if the storage is performing well.
There can be a second backup tier in the back-end.

Domino Backup isn't only a great backup solution.
It also provides functionality which other backup implementations don't provide out of the box.

Besides restoring documents and folders back into the original database, there are a couple of other flexible options like changing the replica ID, disabling replication, DAOS restore integration and a lot more.

One interesting detail is logging, which is implemented in the "Notes way".
You can fully configure in which cases a backup log should be sent and to which recipient.

Here is a production example from a customer who ran into a backup error where one database could not be backed up because it was corrupted.

Logging can be configured in great detail, even though the standard log configuration only offers the options to send backup logs always, when warnings came up, or only in the error case.


  • Log document always or just in the error case
  • A formula to define the target recipient
  • There is even a way to customize the log form
  • In addition the mail contains additional fields beside subject and body with status information, so you can e-mail those log documents into a central database.

 OIDC  JWT 

Notes 14.5.1: request an OIDC token for Bearer authentication

Daniel Nashed – 17 February 2026 23:22:52

This is my favorite Notes 14.5.1 client/development feature.
Requesting resources via NotesHTTPRequest usually needs a user/password for authentication.
The more modern approach is to request a JWT to authenticate.

A JWT is issued for a limited time and allows access to servers which trust the configured OIDC provider.

This could be a Domino server or any other application using a Domino OIDC provider.

In one of my last posts I configured HashiCorp to trust a Domino OIDC provider.
With this new functionality you can request a JWT and use it with NotesHTTPRequest as shown below.

1. Your Notes client uses its Notes ID to request a JWT -- very similar to how it already can request LTPA tokens.
2. The JWT is used for REST-type requests to an API.



An LTPA token is more intended for web browsers. But applications like Sametime also use this type of authentication.
In future I can see more functionality in Domino, Sametime and other applications using JWTs.

Notes 14.5.1 EA1 introduced this function in Java. Notes 14.5.1 EA2 added a LotusScript version of the function based on EAP forum feedback.

I can imagine many integrations where this new JWT token request will be a game changer.


Reference to 14.5.1 documentation


https://help.hcl-software.com/dom_designer/14.5.1/basic/H_GETOIDCACCESSTOKEN_METHOD.html


Example script


Sub Initialize
    On Error GoTo error_handler

    Dim session As New NotesSession
    Dim http As NotesHTTPRequest

    Dim Server As String
    Dim ClientID As String
    Dim Issuer As String
    Dim Resource As String
    Dim Scopes As String
    Dim Token As String
    Dim Url As String
    Dim Response As String

    ' --- OIDC configuration ---
    Server   = "oidc.nashcom.lab"
    ClientID = "oidc-nashcom-org"
    Issuer   = "https://oidc.nashcom.lab/auth/protocol/oidc"
    Resource = ""
    Scopes   = ""

    MessageBox "User Name: " & session.UserName

    ' --- Get OIDC access token ---
    Token = session.GetOIDCAccessToken(Server, ClientID, Issuer, Resource, Scopes)

    If Token = "" Then
        Error 1000, "No OIDC access token returned"
    End If

    Url = "https://pluto.nashcom.lab/access.nsf"

    Set http = session.CreateHTTPRequest()
    http.SetHeaderField "Authorization", "Bearer " & Token
    http.SetHeaderField "User-Agent", "HCL Notes 14.5.1 OIDC Test"

    Response = http.Get(Url)

    MessageBox "HTTP Status: " & http.ResponseCode & Chr(10) & Chr(10) & "Response:" & Chr(10) & Response

    Exit Sub

error_handler:
    MessageBox "Error " & Err & ": " & Error$
    Exit Sub

End Sub


