Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed

HCL Traveler HA with MSSQL and custom CA in a container end to end

Daniel Nashed – 28 January 2026 18:10:48

The Domino container image supports Microsoft SQL Server, MySQL and also PostgreSQL - which is available since Domino 14.5.1 EA.
The Traveler team also changed the travelerUtil script to work without root permissions, and you run it with the "notes" user now.
This aligns the security model with other parts of Domino and helps especially in container environments where root shells are not available, because the container itself (e.g., on K8s) runs as the notes user (uid:gid -> 1000:1000).


Yesterday I added symbolic link support for the JDBC drivers so that a container update with a later JDBC driver does not need a change for the Traveler configuration.

I have tested the new configuration in two ways. First of all with the Microsoft JDBC driver.
But also with the new PostgreSQL database support. For PostgreSQL I used a simple Docker container on the same local Docker host:


./travelerUtil db set url=jdbc:postgresql://127.0.0.1:5432/traveler_ha path=/opt/hcl/domino/notes/latest/linux/Traveler/lib/postgresql-jdbc.jar user=traveler pw=traveler-ha-password



PostgreSQL would not offload TLS and would need a certificate, and rotating it would need a database restart.
But you might get away with a 1 year certificate lifetime and start to rotate it after 6 months, picking up the update on each maintenance window.


It's similar with Microsoft SQL Server, as a customer's DBA explained to me when configuring it today with TLS.



./travelerUtil db set "url=jdbc:sqlserver://mssql.example.com:1433;encrypt=true;databaseName=TRAVELER" user=traveler_ha 'pw=traveler-admin-secure-password' path="/opt/hcl/domino/notes/latest/linux/Traveler/lib/mssql-jdbc.jar"
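Before handing a URL to travelerUtil it is worth checking what the driver will actually do with it, since both URL formats above carry the TLS settings inline and a missing property silently means cleartext. The following is an added example (not from this post and not part of Traveler or the Domino container project): it parses the two JDBC URL shapes used here (jdbc:postgresql://host:port/db?k=v and jdbc:sqlserver://host:port;k=v) and reports whether the connection is encrypted and whether the server certificate is validated. The property names are the documented ones of the two drivers (encrypt, trustServerCertificate for mssql-jdbc; ssl, sslmode, sslrootcert for postgresql-jdbc); the sample URLs in the block are constructed for this example.

```python
"""Audit the TLS settings of JDBC URLs as they would be passed to travelerUtil.

Added example, not part of the original post or of HCL Traveler. It handles
the two URL shapes shown in the post: PostgreSQL (URL-style, '?k=v&k=v') and
Microsoft SQL Server (';k=v;k=v'). The sample URLs at the bottom are constructed.
"""
from urllib.parse import urlsplit, parse_qs


def parse_jdbc_url(url):
    """Split a JDBC URL into driver, host, port, database and a dict of properties."""
    if not url.startswith("jdbc:"):
        raise ValueError("not a JDBC URL: %r" % url)
    driver, rest = url[len("jdbc:"):].split(":", 1)
    if driver == "sqlserver":
        # jdbc:sqlserver://host[:port];key=value;key=value
        parts = rest.split(";")
        netloc = parts[0][2:] if parts[0].startswith("//") else parts[0]
        host, _, port = netloc.partition(":")
        props = {}
        for part in parts[1:]:
            if "=" in part:
                key, value = part.split("=", 1)
                props[key.strip()] = value.strip()
        return {"driver": driver, "host": host, "port": int(port) if port else 1433,
                "database": props.get("databaseName", ""), "props": props}
    if driver == "postgresql":
        # jdbc:postgresql://host[:port]/db?key=value&key=value
        parsed = urlsplit("postgresql:" + rest)
        query = parse_qs(parsed.query, keep_blank_values=True)
        props = {key: values[-1] for key, values in query.items()}
        return {"driver": driver, "host": parsed.hostname or "", "port": parsed.port or 5432,
                "database": parsed.path.lstrip("/"), "props": props}
    raise ValueError("unsupported JDBC driver: %r" % driver)


def audit_tls(url):
    """Return the parsed URL plus 'encrypted', 'verified' and a list of 'warnings'.

    'encrypted' means the driver will not fall back to cleartext; 'verified' means
    the server certificate chain is validated against a trust store. An absent
    property is treated as unset rather than relying on a driver default.
    """
    info = parse_jdbc_url(url)
    props = {key.lower(): value.lower() for key, value in info["props"].items()}
    warnings = []
    if info["driver"] == "sqlserver":
        encrypted = props.get("encrypt") in ("true", "strict", "mandatory")
        # trustServerCertificate=true accepts any certificate, so the chain is not checked
        verified = encrypted and props.get("trustservercertificate", "false") != "true"
        if not encrypted:
            warnings.append("encrypt is not set to true: traffic to SQL Server may be cleartext")
        elif not verified:
            warnings.append("trustServerCertificate=true disables certificate chain validation")
    else:
        sslmode = props.get("sslmode")
        if sslmode:
            # disable/allow/prefer can negotiate a cleartext connection
            encrypted = sslmode in ("require", "verify-ca", "verify-full")
            verified = sslmode in ("verify-ca", "verify-full")
        else:
            encrypted = "ssl" in props and props["ssl"] != "false"
            verified = False  # validation not made explicit in the URL
        if not encrypted:
            warnings.append("no ssl=true/sslmode in URL: traffic to PostgreSQL may be cleartext")
        elif not verified:
            warnings.append("set sslmode=verify-full (and sslrootcert) to validate the server certificate")
    info.update({"encrypted": encrypted, "verified": verified, "warnings": warnings})
    return info


if __name__ == "__main__":
    # Constructed sample URLs in the two shapes used in the post.
    for sample in (
        "jdbc:postgresql://127.0.0.1:5432/traveler_ha",
        "jdbc:postgresql://db.example.com/traveler_ha?sslmode=verify-full&sslrootcert=/etc/ssl/corp-root.pem",
        "jdbc:sqlserver://mssql.example.com:1433;encrypt=true;databaseName=TRAVELER",
        "jdbc:sqlserver://mssql.example.com:1433;encrypt=true;trustServerCertificate=true",
    ):
        result = audit_tls(sample)
        print(sample)
        print("  encrypted=%s verified=%s %s" % (result["encrypted"], result["verified"], result["warnings"]))
```

The first PostgreSQL URL (the shape used for the local Docker test above) is reported as cleartext, which is fine for a loopback test container and not for the HA setup. For the SQL Server URL, encrypt=true alone gives a validated chain as long as trustServerCertificate is not set to true, which is why the corporate root has to be in the Java keystore the driver uses. For PostgreSQL with verify-full, note that the pgjdbc driver's default SSL factory reads the root from sslrootcert (or ~/.postgresql/root.crt) rather than from the JVM keystore, so that path needs to be readable by the notes user in the container.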



Importing trusted roots at container build time



In our case the certificate was issued by a corporate CA. This means the root certificate was neither in the Linux trust store nor in the Domino Java keystore (where Traveler would expect it).

But there is a build option for the container image to add your own CA to the Linux and/or Domino Java key store.
For Domino itself you can just add the trusted root to certstore.nsf and get it deployed domain wide.


But for Traveler it really needs to be in the Java keystore.


See this documentation for details -->
https://opensource.hcltechsw.com/domino-container/reference_custom_roots/

In our case we just dropped the PEM with the right name into the custom directory at build time.
The build process knows how to add the root to the JVM keystore and the Linux trust store (which can differ between distributions).

