Daniel Nashed's Blog | Comments

Engage 2026 Presentation Slides Leveraging CertMgr and Resources

Daniel Nashed — Wed, 29 Apr 2026 19:52:57 +0200

Comments to this thread are now closed.

I also changed the settings in my blog to disable comments for all future posts.

Engage 2026 Presentation Slides Leveraging CertMgr and Resources

Mark Holloway — Mon, 27 Apr 2026 13:04:28 +0000

Hi @Daniel & @Kris,

thanks for sharing your perspective — and yes, I was there, in previous years. This year I wasn't, and that itself tells you something: nobody is paying for my attendance anymore. Not because Engage isn't a great community event — it is — but because for most of my clients, HCL is simply no longer on the radar. That's not a personal opinion. That's the market talking.

**On the products**

After 7 years under HCL, we still don't have a Notes client that can compete visually or functionally with modern productivity tools. The UI remains stuck in a design language that feels like 2005. HCL Verse was supposed to be the future of mail — it was never finished, never reached feature parity, and was quietly sidelined. These are not minor gaps. They are fundamental promises that were never delivered.

Nomad Web is a step in the right direction, but it's still not a full replacement for the desktop client, and the roadmap credibility has been eroded by years of under-delivery.

**On the financials**

Let's look at the numbers. HCLSoftware's Annual Recurring Revenue for FY25 came in at just over $1 billion — essentially flat compared to the previous year, with growth of 1.8% in constant currency. The software division grew 3.5% for the full year — modest, at best, for a company claiming to be transforming the enterprise software market. Compare that to what Microsoft, Salesforce, or ServiceNow are doing in the same space.

More telling: HCLSoftware's revenue is around $1.4 billion out of HCLTech's total $14+ billion. Notes/Domino is a fraction of that. The strategic weight of this product line within the parent company is marginal — and investment decisions reflect that.

**My personal take — why HCL will not grow in this market**

HCL bought the IBM legacy portfolio in 2019 for one reason: to extract value from an installed base, not to build a new one. That's a legitimate business strategy, but it's not a growth strategy. You don't invest heavily in acquiring new customers for a platform that the broader market has already written off as legacy.

The European enterprise market has largely made its decisions. Microsoft 365 is the default. Google Workspace is the alternative. Everything else needs to fight for relevance — and to fight, you need aggressive sales, a modern go-to-market, and products that genuinely impress prospects. HCL has none of those three things in this segment.

The fact that Engage — a European flagship event for an enterprise software portfolio — is entirely run by a volunteer community is not something to celebrate. It's a symptom. It means HCL doesn't believe enough in this market to invest directly in it. The community does extraordinary work, but it is filling a gap that HCL itself should be filling. When a vendor outsources its own evangelism to unpaid volunteers, it has already decided the market isn't worth the investment.

I genuinely respect the people in this ecosystem — the consultants, the developers, the community members who keep showing up year after year. But respect for the community is not the same as confidence in the vendor.

Hope isn't a strategy. And for most of us working in the field, the business reality is already pointing in a different direction.

See you — maybe — at next year's Engage.

Engage 2026 Presentation Slides Leveraging CertMgr and Resources

Kris De Bisschop — Mon, 27 Apr 2026 08:28:15 +0000

Hi Mark

thanks a lot for your comments but I think it's difficult to give an opinion on an event if you were not present.

This year we had more attendees and there were even students present. Those students are the people that need to get introduced in the products to know more about them and see for themselves that, with the knowledge they have, they can work with the products that last already more then 30 years.

It's true that some of the stuff shown during the opening session is not a fit for all sorts of companies amongst us but allowing to use AI, at no additional license cost, and being able to create decent solutions out of it, is something that has been shown during lots of other sessions during the two days of Engage.

This community is year on year growing, every year we see new people coming to Engage and we have new people getting introduced to the HCL Digital Solutions portfolio.

I never saw so much new stuff getting introduced in the products then since HCL took over. They listen to what is needed, they evaluate how it can be delivered and they deliver, year after year and this for the last 7 years since they took over from IBM.

I suggest you attend next year's Engage and follow the sessions given by people in the field, working with the products and sharing their knowledge how they leverage what HCL offers.

Domino Transaction log on ZFS

Daniel Nashed — Fri, 24 Apr 2026 17:59:50 +0200

@Jeroen this is a known issue since I worked with my first Proxmox customer ages ago.

The translog code tries to caclulate the block size but fails for some reason above 32K.

I looked at the callstack and did see which area this happened.

Then I escalated it to support/DEV at that time.

The block size of 32K was something I found out on my own testing the sizes. But I would use 16K for translog.

Domino Transaction log on ZFS

Jeroen Jacobs — Fri, 24 Apr 2026 15:43:38 +0000

Thanks, I hit this error as well when deploying Domino on ZFS. Can I ask: how did you discover the block size was the issue? There is nothing in the error message that indicates this.

Engage 2026 Presentation Slides Leveraging CertMgr and Resources

Daniel Nashed — Fri, 24 Apr 2026 16:50:42 +0200

@Mark,

Why are you posting a reply like this on my post for a technical session for Engage instead of sharing it with HCL?

Let me forward your reply to HCL to have them aware of your feedback.

Daniel

Domino/Traveler 14.5.1 shipped today - the container image is updated - ClamAV is added to Domino

Daniel Nashed — Fri, 24 Apr 2026 16:47:33 +0200

Hi Norbert,

ClamAV uses clamd which can be on the same or a different machine.

Clamd is also available on Windows if you really want it to be on Windows.

But it could be also a Linux machine running Clamd native or in a container.

I would personally prefer a loopback connection. But CScan supports TLS.

Clamd itself does not support TLS but you can add any kind of secure proxy or load-balancer in front of it. Like NGINX.

I wrote up NGINX configurations and blogged about it earlier.

-- Daniel

CertMgr and .kyr files

Daniel Nashed — Fri, 24 Apr 2026 16:45:24 +0200

@Richard, there should not be any reason to use kyr files in 2026.

Starting with Domino 12 CertMgr is the recommended way to use TLS/SSL certificates.

Already in 12.0 you see a message that you should switch to CertMgr.

I would be personally interested in what reasons a customer should have to use kyr files.

Thanks

Daniel

CertMgr and .kyr files

Richard Pajerski — Fri, 24 Apr 2026 13:22:08 +0000

Thanks for the presentation on the CertMgr! IBM had definitely neglected this area of the product and it's great to see that HCL took the time to roll this out and help stabilize Domino's security posture.

One point -- for folks still needing to deal with those legacy .kyr files for whatever reason, I offer an easy-to-use and very inexpensive Windows Desktop utility (Aperture) for managing them.

Best,

Richard

Domino/Traveler 14.5.1 shipped today - the container image is updated - ClamAV is added to Domino

Norbert Gase — Fri, 24 Apr 2026 10:02:53 +0000

Hi,

so how is ClamAV implemented/to implement in Domino 14.5.1 on Windows on-prem (no container).

Do I have to install separate ClamAV (MSI installer) locally on each windows server I'm running Domino on? Or is ist completely integrated? Did not find anything in detail for this topic.

Thanks.

Engage 2026 Presentation Slides Leveraging CertMgr and Resources

Mark Holloway — Fri, 24 Apr 2026 08:57:37 +0000

Let's be honest here. Engage is still a great community event — the people, the sessions, the social evenings — but at some point we have to stop avoiding the elephant in the room.

Attendance is shrinking year after year. Zero major surprises from HCL. A keynote full of AI buzzwords that feel exciting on stage but leave SMBs wondering: "where exactly do I fit in this roadmap?"

Agentic AI and Vibe Coding are cool. But 80% of the Domino installed base is mid-market companies running business-critical apps on lean IT budgets. When was the last time HCL announced something that made *that* audience feel genuinely valued?

The community keeps showing up — loyal, passionate, willing to evangelize. HCL keeps talking strategy. But strategy without traction is just a PowerPoint.

How many more years of declining attendance before someone at HCL asks the hard question: are we growing this ecosystem, or just managing its decline?

Ollama keep models loaded for longer than 5 minutes idle time

AnotherVisitor — Fri, 24 Apr 2026 08:49:19 +0000

Example shows that they are loaded into GPU not CPU ;)

My HCLSoftware download portal (MHS) requires to accept license terms

Christian Carrasco G — Tue, 21 Apr 2026 21:54:10 +0000

HCL Domino 12.0.2 FP7 on UBUNTU

Thanks

Regards

Notes / Domino 14.5.1 – Testing TLS 1.3 and Post-Quantum Cryptography with HttpGetRequest

Daniel Nashed — Wed, 8 Apr 2026 20:36:19 +0200

What you are looking for in the TLS cipher settings is not expected to show up there, because ML-DSA, ML-KEM, SHAKE-128, and SHAKE-256 are not TLS ciphers.

The TLS cipher list in Domino contains cipher suites, for example:

TLS_AES_256_GCM_SHA384

Ciphers support multiple ways for:

- key exchange

- encryption algorithm

- integrity algorithm

What is used depends on both ends of the communication channel and are negotiated during the handshake.

The handshake also differs between TLS versions. For example TLS 1.3 has an advanced handshake used when both sides support TLS 1.3.

First part of the handshake is to find out the highest TLS version both sides have in common.

Then the handshake finds out about the best cipher supported on both ends (the order is usually defined by the server).

Then details like the following are negotiated, based on available on both sides.

There isn't anything configurable on Domino side. The Domino Internet tasks TLS stack isn't OpenSSL based and does not support those modern standards yet.

But OpenSSL backend code is used in other parts of Notes/Domino. For example for Lotus Script HTTP request class.

---

ML-KEM (Key Encapsulation Mechanism)

Used for key exchange, not encryption itself

How both sides agree on a shared secret

ML-DSA (Digital Signature Algorithm)

Used for signing / authentication

Not used for encrypting data

SHAKE-128 / SHAKE-256

Hash / extendable-output functions

Used in derivation, hashing, signatures, not as TLS ciphers

---

I hope this clarifies it a bit?

Certificate Lifetimes Are Shrinking — Is Your Domino Infrastructure Ready?

Anders Johansson — Tue, 7 Apr 2026 14:21:56 +0000

Very interesting, everyone have this problem now, but we have multiple customer environments where the central point of creating certificates cannot be Domino. we need to import certificates into Domino from where the customer creates the certificate. Is this also taken into consideration.

Some of my colleagues will be at Engage.

Notes / Domino 14.5.1 – Testing TLS 1.3 and Post-Quantum Cryptography with HttpGetRequest

haiyan — Tue, 7 Apr 2026 04:43:46 +0000

Refer the "what is new in domino 14.5.1."

Cryptography

The OpenSSL library has been updated to version 3.5.4. This is a Long Term Support (LTS) version of the library that has been submitted the CVMP for FIPS 140-3 verification. See Encryption standards for details.

The cryptographic layer underlying Notes and Domino now leverages OpenSSL 3.5 to support multiple algorithms relevant to protect against attacks based on quantum computing, such as ML-DSA, ML-KEM, SHAKE-128, and SHAKE-256. As this field is rapidly evolving and the IETF standards are still being written, there is no end-user PQC functionality currently available for use in 14.5.1.

Open the Domino14.5.1 server document ->Ports ->Internet Ports, click the Modify button under TLS ciphers, can not find more TLS Cipher Settings about the ML-DSA, ML-KEM, SHAKE-128, and SHAKE-256, could you guide us how to enable these cipher? Thank you very much!

Domino 14.5 Design task comes with some pretty useful new functionality

Daniel Nashed — Tue, 31 Mar 2026 17:06:33 +0200

Hi Denis,

I would be interested why you don't want the new behavior but there is a documented switch.

-nologfile --> it's not undocumented. It's part of the design task help.

----

lo design -?

Purpose: Refreshes database designs from their template.

Usage: Load DESIGN [source] [target] [options]...

[source]: Server name containing the templates. Default is LOCAL.

[target]: Server name of databases to refresh. Default is LOCAL.

[options]:

-d name Directory name (relative to data directory) to refresh.

-f name File name of database to refresh.

-i name Database, folder or a file name containing a list of pathnames,

each of which may be a database or a folder to refresh design(s).

-t name Only refresh design of databases with this design template name.

-sd Refresh design of System Databases in dominosystemdbs.ind.

-adm Refresh design only if current server is Administration Server of database.

-mt name Mail design update log to the Internet Address name.

-log Explicitly enable logging of design changes to file.

-nologfile Logging will be redirected to the console.

-regex Run on databases matching the regular expression in pattern

Domino 14.5 Design task comes with some pretty useful new functionality

Denis Kopprasch — Tue, 31 Mar 2026 06:09:59 +0000

Hi Daniel,

do you know how to restore the normal behaviour of the design task, so that it continues to log it's output to the log.nsf, maybe there is an undocumented switch or ini setting? I'm used to search the log nsf for design errors...

Revisiting Domino ClamAV for databases on rest

Daniel Nashed — Wed, 25 Mar 2026 17:28:26 +0200

Hi Christian,

the HCL build-in functionality in CScan is for mail-flow scan and offers multiple options what to do with a message.

This includes cleaning the message and delivering it.

My use case is scanning messages in mailfiles and applications.

The main question here is if we want to delete messages or at least quarantine messages before that.

But those documents would not be always messages and in a problem situation eventually false positive mails get quarantine or cleaned.

My first step is to move messages to a Virus folder and report the message. I am not saying in a future iteration I would want to allow deleting messages or cleaning them.

Cleaning message isn't simple. Domino CScan replaces the attachment inline to not break the message structure. I will need to check if there is public API that can do that.

The expressions HCL is using for DBMT and design task are actually not regex but Domino pattern maching. Which is the matches function in Notes.

There is no C-API for it .But I could use the same approach Domino backup uses (which was built using the public C-API initially).

Still I would not call that -regex. It would be matches syntax and I would add that option.

The industry is using regex for something different. I compared the two syntax options and there is quite some differences.

Only because Domino is doing something in a certain way, that does not mean it is the only right way. I can offer both.

And yes for admins probably the matches synctax is easier. But not as flexible as regex.

-- Daniel

Revisiting Domino ClamAV for databases on rest

Christian Henseler — Wed, 25 Mar 2026 07:48:34 +0000

Hello Daniel,

I think in a productive environment, potentially infected attachment should not be delivered to end users.

In my experience, users are ignoring any warnings and will open attachments.

But you've already written "the mail was never delivered to a user".

Other AV products would replace an infected attachment with a warning attachment and would deliver the desinfected mail to the user.

It might be a good idea to use the same pattern matching/regex as DBMT does use in/since 14.5.1

Best Regards

Christian