Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed

Domino V12 -- A security release

Daniel Nashed – 30 May 2021 09:07:08

The countdown to the official Domino and Sametime launch event on June 7, 2021 is ticking louder.
But as most of you already know, Notes & Domino V12 is already available for download, and I have already moved most of my production environment to Notes & Domino V12.

I have blogged about much of the new Domino functionality, but I would like to highlight two other interesting blog posts in addition.

Domino V12 is really a security release. There is a lot of cool and useful functionality, as outlined in the blog posts referenced above.

The Domino native Let's Encrypt (ACME) implementation is the easiest to use and most complete implementation on the market.
And you can leverage the new CertMgr and certstore.nsf for any other CA as well, and distribute TLS Credentials (the new Domino term for the bundle of private key, certificate, chain (intermediates) and trusted root).

IMHO working with web server certificates has never been easier in any other enterprise product. Domino moved from the proprietary *.kyr file format to the standard PEM file format.
Let me highlight two of my favorite security features, which are more of hidden gems.

Auto magical certificate import

Importing certificates was always difficult: you had to find the right certificates and add them in the right order inside a PEM file.
Now it magically works in any order, and even with duplicate or mismatching certificate chains in the input.

CertMgr builds the certificate chain from the private key and the matching leaf certificate up to the root certificate, and auto-completes missing levels of the chain from its own trust store.
This option came in late, in beta 3, when the trusted root functionality was added.

This is one of my favorite details, because it makes certificate management a lot easier for admins.
And it is all included in one domain-wide, easy to deploy database.
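The chain assembly described above, as an added example in Go using only the standard library. This is not CertMgr's code (Domino is closed source) but an illustration of the same rule: match the private key to its leaf, then walk issuer by issuer through the bundle and then through the trust store until a self-signed root is reached. The demo PKI (root, intermediate, a stale intermediate with the same name but a new key, leaf) and its names are constructed for the example, and `Mint`, `BuildChain` and `Demo` are the example's own functions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Mint issues a constructed test certificate for cn, signed by parent (nil yields a self-signed root).
func Mint(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique enough for a constructed demo PKI
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}

// issuedBy is the real test for one link of the chain: the issuer name must match byte for byte AND
// the signature must verify with cand's key. A name match alone would accept a stale CA with a new key.
func issuedBy(cur, cand *x509.Certificate) bool {
	return bytes.Equal(cur.RawIssuer, cand.RawSubject) && cur.CheckSignatureFrom(cand) == nil
}

// findIssuer searches the pools in order, so a bundle entry wins over the trust store copy.
func findIssuer(cur *x509.Certificate, pools ...[]*x509.Certificate) *x509.Certificate {
	for _, pool := range pools {
		for _, cand := range pool {
			if issuedBy(cur, cand) {
				return cand
			}
		}
	}
	return nil
}

// BuildChain orders an arbitrary bundle the way the post describes CertMgr doing it: pick the leaf
// whose public key matches the private key, then walk issuer by issuer, first through the bundle and
// then through the trust store, until a self-signed root is reached. Duplicates are harmless,
// mismatching certificates are never picked, and a missing link is an error rather than a broken chain.
func BuildChain(key *ecdsa.PrivateKey, bundle, trust []*x509.Certificate) ([]*x509.Certificate, error) {
	var chain []*x509.Certificate
	for _, c := range bundle {
		if pub, ok := c.PublicKey.(*ecdsa.PublicKey); ok && pub.Equal(&key.PublicKey) {
			chain = []*x509.Certificate{c}
			break
		}
	}
	if chain == nil {
		return nil, errors.New("no certificate in the bundle matches the private key")
	}
	for cur := chain[0]; !issuedBy(cur, cur); { // a self-signed root ends the walk
		next := findIssuer(cur, bundle, trust)
		if next == nil {
			return nil, errors.New("no issuer found for " + cur.Subject.CommonName)
		}
		if len(chain) >= 8 { // guard against cross-signed loops
			return nil, errors.New("issuer loop detected")
		}
		chain = append(chain, next)
		cur = next
	}
	return chain, nil
}

// Demo feeds BuildChain exactly the mess the post says CertMgr copes with: wrong order, a duplicate
// leaf, a stale intermediate with the same name but a new key, and the root present only in the
// trust store. It returns the ordered chain's common names.
func Demo() ([]string, error) {
	root, rootKey := Mint("Demo Root CA", true, nil, nil)
	inter, interKey := Mint("Demo Intermediate CA", true, root, rootKey)
	stale, _ := Mint("Demo Intermediate CA", true, root, rootKey)
	leaf, leafKey := Mint("www.example.com", false, inter, interKey)
	bundle := []*x509.Certificate{stale, leaf, inter, leaf, stale}
	chain, err := BuildChain(leafKey, bundle, []*x509.Certificate{root})
	if err != nil {
		return nil, err
	}
	names := make([]string, 0, len(chain))
	for _, c := range chain {
		names = append(names, c.Subject.CommonName)
	}
	return names, nil
}
```

Two details carry the security value: the link test compares the DER-encoded issuer and subject byte for byte and then checks the signature, so a leftover intermediate that merely has the same name cannot be picked; and a missing issuer is reported instead of silently producing a truncated chain that would only fail later in client handshakes. Before swapping the result into a live server, a real tool should additionally run the leaf through `x509.Certificate.Verify` against the trust store and reject anything already expired.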

New TLS Cache

The old and limited KYR file cache in the SSL layer has been rewritten to take full advantage of the new certstore.nsf.
As soon as you deploy the certstore.nsf database it is used automatically, and it allows TLS Credentials to be reloaded without a restart.

The new TLS Cache also works per internet process, and each cache instance has a dedicated maintenance thread
which monitors certstore.nsf and reloads and swaps the cache just in time once it has been updated.

So new and updated certificates become available without any delay or administrator action.
This feature was also added in the final beta 3 and is one of the more hidden features, without any UI representation.
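The per-process cache with a maintenance thread, as an added example in Go modelled on the behaviour described above rather than taken from Domino: a watcher polls a version of the credential source (standing in for certstore.nsf) and swaps the served certificate atomically, while `GetCertificate` is the hook a Go TLS server uses to pick credentials per handshake. `CredentialSource`, `TLSCache` and `MemorySource` are the example's own names, and the in-memory source holds placeholder certificate bytes instead of a real key pair (a real source would parse PEM with `tls.X509KeyPair`).

```go
package main

import (
	"crypto/tls"
	"errors"
	"sync"
	"sync/atomic"
	"time"
)

// CredentialSource is the store the maintenance thread watches (certstore.nsf in Domino's case).
// Version must change whenever the stored credentials change; Load returns the current ones.
type CredentialSource interface {
	Version() uint64
	Load() (*tls.Certificate, error)
}

// TLSCache hands credentials to the TLS layer and swaps them atomically when the source changes.
type TLSCache struct {
	src     CredentialSource
	cur     atomic.Value // always holds a *tls.Certificate once loaded
	version uint64       // source version currently served, accessed atomically
	reloads uint64       // number of successful swaps, accessed atomically
}

// NewTLSCache performs the initial load; a server should refuse to start without credentials.
func NewTLSCache(src CredentialSource) (*TLSCache, error) {
	c := &TLSCache{src: src}
	if err := c.Refresh(); err != nil {
		return nil, err
	}
	return c, nil
}

// Refresh reloads only when the source's version moved. A failed load keeps the last good
// credentials in place, so a half-written or corrupt update never takes the listener down.
func (c *TLSCache) Refresh() error {
	v := c.src.Version()
	if v == atomic.LoadUint64(&c.version) && c.cur.Load() != nil {
		return nil
	}
	cert, err := c.src.Load()
	if err != nil {
		return err
	}
	if cert == nil {
		return errors.New("source returned no certificate")
	}
	c.cur.Store(cert)
	atomic.StoreUint64(&c.version, v)
	atomic.AddUint64(&c.reloads, 1)
	return nil
}

// Watch is the maintenance thread: poll until stop is closed and swap just in time.
func (c *TLSCache) Watch(interval time.Duration, stop <-chan struct{}) {
	t := time.NewTicker(interval)
	defer t.Stop()
	for {
		select {
		case <-stop:
			return
		case <-t.C:
			_ = c.Refresh() // on error keep serving the last good credentials; log it in real code
		}
	}
}

// GetCertificate is the hook for tls.Config{GetCertificate: cache.GetCertificate}: every new handshake
// sees the latest credentials, connections already established keep the ones they negotiated.
func (c *TLSCache) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	if cert, _ := c.cur.Load().(*tls.Certificate); cert != nil {
		return cert, nil
	}
	return nil, errors.New("no TLS credentials loaded")
}

// Reloads reports how often credentials were swapped since start.
func (c *TLSCache) Reloads() uint64 { return atomic.LoadUint64(&c.reloads) }

// MemorySource is a constructed stand-in for certstore.nsf: Update bumps the version the way saving
// a document would. The certificate bytes are opaque placeholders for this example.
type MemorySource struct {
	mu   sync.Mutex
	ver  uint64
	cert *tls.Certificate
	err  error
}

func (m *MemorySource) Update(cert *tls.Certificate, err error) {
	m.mu.Lock()
	defer m.mu.Unlock()
	m.ver++
	m.cert, m.err = cert, err
}

func (m *MemorySource) Version() uint64 {
	m.mu.Lock()
	defer m.mu.Unlock()
	return m.ver
}

func (m *MemorySource) Load() (*tls.Certificate, error) {
	m.mu.Lock()
	defer m.mu.Unlock()
	return m.cert, m.err
}
```

The two properties worth copying are that the swap is a single pointer store, so handshakes never observe a half-updated credential, and that a failed reload leaves the previous credentials serving instead of dropping to "no certificate". Wire it up with `srv := &http.Server{TLSConfig: &tls.Config{GetCertificate: cache.GetCertificate}}` and start `cache.Watch` in a goroutine before `ListenAndServeTLS("", "")`.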

The old KYR and the new TLS Cache are designed to work in parallel for full compatibility with existing releases.
But you should really switch to the new functionality and have your existing KYR files imported automatically with "load certmgr --importkyr all".
This command checks the server document and all configured Internet Site documents for *.kyr files and imports them into certstore.nsf for your convenience.

I will go into a lot of detail in the upcoming OpenNTF seminar in June. And you can expect more blog posts about the new certificate features.

OpenNTF Certificate Manager Webinar, 17 June 2021.


