How to use Domino OTS on Kubernetes to import an existing TLS Certificate  

By Daniel Nashed | 5/30/23 12:05 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Domino One Touch Setup has been designed with flexibility in mind, with special focus on getting a server up in a secure way. On Docker you can just mount PEM files into the container. On Kubernetes TLS Certificates and Keys are stored in secrets. Personally I am not a big fan of storing PEM files on disk. But you could at least set a password on the PEM file you import. Here is a basic example of how to create a secret on K8s and reference it in OTS. Even the simple environment variable setup supports the security settings for CertMgr. Of course the same functionality is also available with the more flexible JSON based configuration.

Importing trusted MicroCA Roots for a Nomad Lab environment  

By Daniel Nashed | 5/29/23 12:39 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Yesterday I worked on a lab configuration based on Windows Sandbox, Domino and Nomad Web. The biggest challenge is to have a trusted certificate for Nomad Web. Nomad Server running with the Micro CA: A Nomad Server can use Domino CertMgr Micro CA Certs. But the root is not trusted in your browser. I took a closer look and came up with a simple solution, which makes the import dramatically easier. No more searching for the right trust store and handling PEM files manually.

Tuning Domino Servers for TLS sessions  

By Daniel Nashed | 5/24/23 2:13 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

My previous post was mainly about HTTP traffic and I mentioned TLS/SSL don't use the maximum number of connections settings, because they have an SSL/TLS session. Establishing a new TLS session has significant overhead! And you have to make sure in any application, that those sessions are cached and resumed. I revisited a blog post from 2012 where I explained a fix, which went into 8.5.3 and was enabled in 8.5.4 by default (which turned into the 9.0 release when shipped, as far as I recall). There was an issue with the session cache and a new cache had been implemented in 8.5.3. Today the new cache is the default and SSL_USE_ADDSESSION2=1 does not exist any more.

Domino on CentOS/RHEL compatible Linux - Timezone issues  

By Oliver Busse | 5/19/23 1:34 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

With a new customer server we stumbled upon a strange behaviour using our low-code platform Aveedo we never saw before. We created the server at Hetzner using the Rocky 9 base installation. Rocky is binary compatible with RHEL and should be used in favour of CentOS in general as it is newer and still maintained.

Workspace all grey - no icons - workaround  

By Jesper Kiær | 5/17/23 6:30 AM | Infrastructure - Notes / Domino | Added by Oliver Busse

If you are running Notes 12.0.2 or higher you will for sure at some point run into an error where the workspace tabs fill out the entire workspace and you cannot access your workspace database icons any more. There is nothing you can do in the UI to fix it. The problem is due to a new setting in the notes.ini and is easily fixable, if you know what to fix.

Attachment is missing from meeting invitation  

By Rainer Brandl | 5/11/23 1:53 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Today I received information from a friend at HCL (a.k.a. "Wickerl") that attachments get lost when sending a meeting invitation to another Domino Domain. In the HCL Software Forum a user complained that this issue also occurs when sending a meeting invitation to external users. This issue is described in SPR # SJOICG3K9F.

HCL Domino 12.0.2: removed user-maildatabase in a cluster symmetry configuration is repaired after removed on 1 server.  

By Remco Angioni | 5/8/23 1:01 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

In HCL Domino 12.0.2 we discovered that when we delete users, some maildatabases are repaired back to the home/mail Domino server……running on Windows servers. As you all know, when removing a user from a clustered Domino environment, the cldbdir entry for that database is altered to REPAIR:DISABLED. Repair is not allowed for that database. We raised a ticket because we noticed, of course, that this was not the case for some users we removed. The database was repaired from another cluster member. This left us with 2 maildatabases and NO persondocument.

Domino Server: Let adminp handle renames in maildatabases, but don’t delete users in name fields.  

By Remco Angioni | 5/5/23 1:26 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Ever wondered why adminp treats a deletion the same as a rename when you have set the Administration Server Action to Modify all Names fields? Well, I did. I can imagine why a rename should be performed on all mail and calendar items, but a user deletion?????? Why would you want that to happen at all? Why remove the evidence that someone has sent me an email or has sent me a meeting request? It doesn’t make sense at all to me. That’s why I was searching for a way to tell Domino not to delete users in names fields, just renames when using adminp in maildatabases. And there it is, the solution.

New Defect Article – Verse on Android can’t sync any emails  

By Andreas Ponte | 4/12/23 11:45 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Various users reported that sync of email/calendar was not working anymore with Android devices. The log shows this error: “Error: Sync session XXXXXXX is outdated and no longer valid.” I found the following “brand new” defect article from HCL, explaining the problem. https://support.hcltechsw.com/csm?id=kb_article&sys_id=ac3decf21b066590574121f7ec4bcb8a

Dipping My Feet Into DKIM and DMARC  

By Jesse Gallagher | 4/11/23 3:19 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

For a very long time now, I've had my mail set up in a grandfathered-in free Google Whatever-It's-Called-Now account, which, despite its creepiness, serves me well. It's readily supported by everything and it takes almost all of the mail-hosting hassle out of my hands. Not all of the hassle, though, and over the past couple weeks I decided that I should look into configuring DKIM and DMARC, first for my personal mail and (if it doesn't blow up) for my company mail. I had set up SPF a couple years back, and I figured it was high time to finish the rest. As with any admin-related post, keep in mind that I'm just tinkering with this stuff. I Am Not A Lawyer, and so forth.

TLS/SSL Cipher Troubleshooting  

By Daniel Nashed | 4/10/23 9:35 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Every Domino release adds more TLS ciphers to the weak list to ensure proper security. We can expect the next versions also to have fewer ciphers available. Domino ensures for clients and servers, that the list of ciphers provided is safe. In addition the default behavior is that the server decides the order of ciphers to pick. And only allows secure renegotiation to prevent the client from picking a less secure cipher. Usually this doesn't cause a lot of trouble for inbound connections. Modern browsers support modern ciphers. But outgoing connections for LDAP and ICAP could be a challenge. I had to look into an ICAP connection problem this week. To demonstrate how the TLS handshake works, I wrote a small OpenSSL demo program in C. This turned into a quite flexible troubleshooting tool over the weekend.

Spam score testing tool and tip how to increase your rating  

By Vladislav Tatarincev | 4/5/23 10:44 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

I was working in one environment which had an average spam rating, and many emails that this eligible company sent did not reach their intended destination. A colleague of mine suggested a site to me, Mail-tester.com. The idea is simple: you send a mail and it gives you a score and how to improve. Long story short, after some time we improved from 6 to 10 out of a maximum of 10 possible. The free version allows 4 mails per day, which might be sufficient if you don't make too many changes per day.

Picking the right Linux Distribution  

By Daniel Nashed | 4/5/23 10:42 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

There isn't one best or right distribution in general. There are many variations. For example Redhat/CentOS based platforms have flavors like Rocky and Alma Linux. The HCL Domino community project looks into many possible combinations as the base image --> https://opensource.hcltechsw.com/domino-container/concept_environments/

There are basically three different main flavors with different toppings:

- Redhat/CentOS based (with yum and dnf in later versions to manage packages)
- Ubuntu/Debian (with apt to manage packages)
- SUSE Enterprise/Leap etc. (with zypper to manage packages)

The right distribution is really depending on your needs.

Certificate Store: Submit vs Save  

By Martijn de Jong | 3/30/23 2:39 AM | Infrastructure - Notes / Domino | Added by Oliver Busse

I regularly receive questions about the Certificate Store and CertMgr, which made me realise that there’s a lot of confusion around the Submit Request and the Save & Close buttons in the store and when to use what. Time for an article to hopefully solve some of that confusion.

HCL Notes – Swiftfile Not Working as Expected   

By Milan Matejic | 3/29/23 3:53 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

When using the "preview pane" in HCL Notes, and clicking on a folder, suggested by SwiftFile, the "move to folder" dialogue would sometimes come up. This was happening to my client, in about 1 of 20 cases

HCL Verse on Premises and HTTP error 404   

By Rainer Brandl | 3/23/23 3:00 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Today I implemented VoP on a Domino Server running on an iSeries like the "implementation" always is done. But afterwards I received an HTTP error 404 when trying to open the URL https://mailserver.company.com/verse. After some rechecks ( did I put the JAR files to the correct location and did I modify the owner ) I recreated the redirect database, rechecked the server configuration but could not get rid of this issue.

New C3UG video: Low-Code with Tooljet using the HCL Domino REST APIs  

By C3UG | 3/15/23 4:26 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

This is a video about the new HCL Domino REST APIs in conjunction with the open source low code development environment "Tooljet". I do an intro to both systems and a (lengthy) demo, showing how to set up access to HCL Domino using the new REST APIs on Domino 12 and to get the data into data tables in a ToolJet project.

On Domino thread IDs and Linux/Windows process IDs  

By Martijn de Jong | 3/1/23 9:53 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

A short tip on something which many people are probably not aware of, but which can be a huge time saver when you’re troubleshooting a Domino problem. As an example, see this error message from a Domino log:

[062372:000014-00007F8001776700] 28/02/2023 13:16:20 CertStore: Error opening CertStore database [CN=PROD02/OU=SRV/O=ACME!!certstore.nsf] : The server is not responding. The server may be down or you may be experiencing network or VPN problems. Contact your system administrator if this problem persists.
[062372:000014-00007F8001776700] 28/02/2023 13:16:20 CertStore: Error opening CertStore on [CN=PROD02/OU=SRV/O=ACME] : The server is not responding. The server may be down or you may be experiencing network or VPN problems. Contact your system administrator if this problem persists.

Your first hunch might be that this is an error that’s caused by the CertMgr process. It’s related to the Certificate Store after all. But is this really the case?

HCL Nomad Web – User moved to another Domino Server  

By Rainer Brandl | 2/23/23 3:44 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Today I had the issue that a user could not successfully complete the initial setup of HCL Nomad Web. The user always received the following error message: Afterwards I checked the result of the LDAP request for the home server which looked fine and the Domino Server also was available. So what could cause this error message ? CAUSE: the user was moved to another mail server some days ago !!

Domino 12.0.2 SAML Not Sending User to Originating URL  

By Ted Hardenburgh | 2/23/23 3:43 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Fresh off the press is a new Knowledge Base article at HCL that describes an event where a user authenticating via SAML is not being sent to the originally requested URL after authentication, but is sent to the home URL for the site. This affects new or upgraded Domino 12.0.2 servers. The cause for this is the new default setting for samesite=strict that is added to the relay state cookie. The notes.ini setting DOMINO_RELAY_COOKIE_SAMESITE=0 will resolve this issue after restarting Domino.

SVG Images not working in older Domino releases  

By Fredrik Norling | 2/17/23 4:26 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

By default SVG images don’t work in older versions of Domino like version 9.01, 10, perhaps even 11. I have verified in version 12, and there it works fine without problems. Luckily there is an easy fix: in the Domino data directory there is a file httpd.cnf. Open up this file and add this line below, i.e. the Images section; placement isn’t important.

AddType .svg image/svg+xml # SVG format

Notes Tip #54: From Microsoft Outlook to HCL Notes  

By Hogne B. Pettersen | 2/14/23 3:44 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

After some false stops and starts, Brainworker and I can finally publish my full user guide for Notes Mail, Calendar, Contacts and To do. Perfect for new employees used to Outlook, but also as a user guide for any Notes user. While Notes is so much more than just an email, calendar, and contacts application, these features are nevertheless some of the most important features of the client.

Setting up HCL Domino Time-based one-time password (TOTP) authentication  

By Remco Angioni | 2/14/23 3:43 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Here is the easy guide on how to set up HCL Domino TOTP on a Domino V12.0.2 server with internet site document.

TOTP and vert.x  

By Stephan Wissel | 2/7/23 9:13 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

TOTP and vert.x - Time-based one-time passwords (TOTP) are a common security feature in Identity Providers (IdP). There are use cases beyond IdP (mine was 'Understanding what it takes').

TOTP interaction

You have two phases: enrollment and use. During enrollment a secret is generated and (typically) presented as QR Code. A user points one of the many Authenticator apps to it and gets a numeric code that changes once a minute. When you use it, you pick the current number and paste it into the provided field. The backend validates the correctness with some time leeway.

What it is not

Typically when enrolling you also get recovery codes, sometimes called scratch codes. They are NOT part of TOTP and implementation is site specific and not standardized. An implementer might choose to check your recovery codes when your TOTP fails or provide a separate interaction using those. The initial confirmation is actually the first instance of "use" and one could have a successful enrollment without it. This is depending on the implementation. It isn't foolproof. An attacker could trick you into typing your TOTP code into a spoofed form or just hijack your session (cookie). That's why responsible web apps run a tight security with CSP and TLS (and once browser support is better Permission Policy).

Calendar entry not displaying notes in HCL Verse 3.x   

By Rainer Brandl | 2/3/23 4:20 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Today I had the issue that a customer complained that notices on the calendar form keep on loading and loading and you're not able to create a calendar entry or even display the content of the notes of an existing calendar entry. After some conversation with HCL Support ( which again was working extremely fast in person of Suraj Joshi ) I received the information that the upgrade to HCL Domino 12.0.2 could cause this issue. As mentioned in the official Defect Article this only occurs when the display language of the browser is set to another language than English.

Overdue PSA: Reverse-Proxy Headers in Domino 12.0.1FP1 and Newer  

By Jesse Gallagher | 1/25/23 11:19 AM | Infrastructure - Notes / Domino | Added by Oliver Busse

Just over a year ago now, I wrote a blog post describing the sudden removal of my beloved HTTPEnableConnectorHeaders notes.ini parameter in the 12.0.1 release. However, during the administration-focused OpenNTF Repair Café today, I was reminded that I never modified that post or made a followup to detail the changes since then. I plan to remedy that here!

Nomad Web server connection options  

By Daniel Nashed | 1/25/23 7:30 AM | Infrastructure - Notes / Domino | Added by Oliver Busse

Nomad Web is a modern HCL client offering in form of a Progressive Web Application (PWA) running in your web browser. In addition to Windows or Mac, it also works on Ubuntu and other Linux distributions! So there is finally a client offering for Linux clients again! The Nomad Web application is installed on a server providing the required files for download. Those files can be stored on a SafeLinx or Domino/Nomad Web server.

Windows Sandbox - A feature you should know  

By Daniel Nashed | 1/23/23 2:20 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

The sandbox can be a very useful tool for many different situations. I am often using it for Domino server or client install tests. But there are many other use cases including training environments etc. It's a full throw away sandbox environment recreated every time you start it. The only limitation is that you can't reboot the Windows for example after a software update. But even installing the Windows re-distributable run-time package does not require a boot. Most applications like Notes/Domino install it on their own. I needed it to test my own applications. But there is an easy way to download and silent install it:

NGINX TCP Stream with SNI support. More than helpful for lab environments  

By Daniel Nashed | 1/23/23 2:15 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

In production you usually want centralized certificate handling and off-loading TLS termination to a load-balancer. I posted scripts to have NGINX reload certs automatically from Domino CertMgr via HTTPS to leverage Domino's Let's Encrypt implementation. But sometimes you really want all your servers directly exposed over TLS. For example in a lab environment with limited resources and only one IP, you might want to still have each of the hosts expose their services on their own.

Quest for SAML to everybody continues  

By Fredrik Norling | 1/23/23 2:10 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

My article regarding debugging SAML on HCL Domino is updated today with 2 points:

- What is the SP certificate used for
- What can be wrong when you get a login loop

Check it out in the article https://www.xpagedeveloper.com/2022/debugging-saml-setups-in-hcl-domino