How to add a trusted root to Linux  

By Daniel Nashed | 2/3/25 2:57 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

I am still adding custom trusted root support to the Domino container project. You will be able to just specify a trusted root to add to the local Linux trust store. Like other low level functionality this works differently on different Linux flavors. Here is what I am adding for SUSE, for Debian/Ubuntu and basically all the other Redhat/RPM based systems (I tested Rocky, Alma & Co so far).

Data Access With XPages JEE  

By Jesse Gallagher | 1/17/25 6:25 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Though one day I'd really like to sit down and work on expanding and categorizing the documentation for the XPages JEE project, in the meantime I can at least put together some scattered info in the form of blog posts, webinars, and example apps. Add this post to the pile! Some of it will be a rehash of previous posts, but it doesn't hurt to see it rephrased.

DBMT tool enhancements in Domino 14.5 EA2   

By Daniel Nashed | 1/7/25 2:39 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Sometimes small changes open many new possibilities. The following DBMT tool command line options are added to DBMT in Domino 14.5 EA2:

-systemDbs (-sd for short) Allows compact to process system dbs (which are usually ignored), as well as databases listed in the dbmt_compact_filter.ind file.

-regex (-re for short) Now a database name can be specified using regular expressions. If an .ind file is specified, the database names listed in the .ind file can be regular expressions.

-validateDbs (-vd for short) Does not execute the updall or compacts, but outputs the list of databases that could be affected by the DBMT command (mainly to validate -regex inputs). Can be used in combination with -sd.

Notes Timedate explained  

By Daniel Nashed | 1/7/25 2:38 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

There have been a couple of partner blog posts speculating about the background of the recent Domino 13.12.2024 problem, which might be a bit misleading. For the background of what happened in detail and how HCL addressed the problem please wait for the official technote update. But what I can tell is that HCL fixed it on a lower level function addressing all functionality in Domino and business partner applications using the affected functionality. This means the only safe way is to apply the Interim fix provided by HCL for all supported releases including the extended support versions! What I also can state is that all Notes TIMEDATE functionality is working as intended and is designed to handle date times from 1.1.1 to the end of all times.

Domino Router bug - seems to also affect server availability index  

By Darren Duke | 1/7/25 2:36 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

I was waiting for the other shoe to drop for this bug. Surely the errant code wasn't only in the router task. Well, it seems that it's NOT only the router. After working with a customer on fail-over issues in a cluster we came across this interesting availability index "issue". On a server patched for the router bug (or an un-patched server that has not been rebooted) the "show ai" command behaves as expected, the XF, Hits and AI min and max are populated. However, on a rebooted, un-patched server AI is completely and utterly blank.

A little Domino container story  

By Martijn de Jong | 1/3/25 7:05 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

If you’re active in the Domino world, it’s unlikely that you missed that we had a little problem 2½ weeks ago.... This blog post is not about this problem itself, but this problem caused many servers with outdated Domino versions to urgently need an update, and this is a little story about one of those servers.

New project Domino Download Server  

By Daniel Nashed | 12/30/24 7:11 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Over the x-mas I had a bit of time to work on an idea I had already a while ago. Some customers can't directly connect to the internet. Not even with a proxy. Domino AutoUpdate and also the Domino Download script both support proxy environments including authenticated proxies. The Domino Download script leverages the curl command-line which is very flexible. But also Domino AutoUpdate has full proxy support. Still some environments can't download anything from the internet. Some are even air gapped. The idea was to come up with an NGINX based service which could be the source for all your Notes/Domino downloads. I wanted it to work in different environments.

Thomas Hampel  

By Thomas Hampel | 12/13/24 5:35 PM | Infrastructure - Notes / Domino | Added by Oliver Busse

*** ALERT *** Development team just identified a new issue which will affect ALL Domino server versions as of TODAY (13th of December 2024). Starting as of today, if you restart your Domino server, a router error will result in delivery failures due to a routing loop. Mail rules will also start failing. It is a date/time issue in our code. We will of course provide a fix as soon as possible for all Domino versions that are in support. Furthermore for older versions in extended support, customers with an extended support agreement will be provided with a fix as well.

HCL Domino Leap – Fixing Embedded Forms Issues After Updating to 1.1.5   

By Milan Matejic | 11/26/24 5:02 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

If you are embedding HCL Domino Leap Applications or Forms into portals and sites not hosted on the same Domino Server as Domino Leap, you might encounter issues due to the Content-Security-Policy (CSP) HTTP Response Header. Starting with HCL Domino Leap 1.1.5, a Strict CSP policy has been introduced.

Modern email protocols: DANE, MTA-STS and TLS-RPT  

By Martijn de Jong | 11/8/24 3:47 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

In my recent OpenNTF webinar on modern E-mail Server operations, I covered several SMTP-related protocols like DKIM, SPF, and DMARC. However, with ongoing efforts to enhance the security of SMTP, new protocols have emerged, and these are the focus of this article. Two weeks after my OpenNTF presentation, my former colleague Erwin Stamer contacted me regarding the DANE status of my domain as it was yellow instead of green. He was looking at the status of my domain as they were implementing it at his employer (a large Dutch bank) and was looking for an example. I must admit that I initially had no idea what DANE was, but as it was in line with my presentation, I dived into it. DANE, MTA-STS and TLS-RPT all work together, but let’s look at them separately.

Notes intermittently hangs or opens mail or other database slowly after 30 minutes of inactivity  

By Daniel Nashed | 10/28/24 2:20 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

This might help you in some network situations and it came up today in the OpenNTF Discord chat. TCP/IP keep alive is a functionality in the network stack to tell the server's TCP/IP stack and also the active components like firewalls, VPNs etc, that your session is still alive -- even if the application is not sending any data. The Windows default keep interval is 2 hours. This Windows sends a keep alive for a TCP/IP session only. Linux and MacOS have a default keep alive interval of 75 seconds, which is a much more reasonable default. On Windows you can change the value by adding a new registry value, specifying a shorter keep alive interval in milliseconds. A good default value would be 75 seconds like on Linux and MacOS.

Key Rollover vs Certifier rollover  

By Daniel Nashed | 10/28/24 2:18 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

This is probably a topic many admins never really looked into and you might still run with your very old 630 key size. Key size and certificate key size play an important role in your security and you should be aware of it.

Key Rollover

Rolling over keys is a quite normal operation. It's a best practice to rotate keys at least when the recommended key strength changed. Rolling over a key is client side initiated but requires an admin action.

Certifier Rollover

When rolling over certifiers you are creating a new key for your certifier and sign it with the right signing ID. For your organization certifier this will be the organization certifier itself which signs itself. Once that operation completes you have to re-sign all OU certifiers, server IDs and Notes.IDs step by step in this order. You also have to take care of all cross certificates, Vault trust certificates. The process is quite complex and needs planning:

Upgrading OnTime in a container | Roberto Boccadoro  

By Roberto Boccadoro | 10/25/24 5:32 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Running Domino in a container is becoming more and more popular these days. I assume the reader is familiar with the topic, I am not going to explain how to create and run a Domino container. If you want to know more about Domino containers watch the replay of the webinar that Martijn did for OpenNTF and read his presentation. OnTime is included in Domino, starting with Release 14, is a great tool and I encourage my readers to use it, the version included in Domino is free and very powerful. The issue is that Intravision creates new releases of OnTime faster than HCL creates new releases of Domino, which is obviously understandable. For example the OnTime version included in Domino is 11.1, but the most recent is 11.5. Hence if you want to keep your environment updated, you need to upgrade OnTime. That is easy if you run Domino on Windows or Linux native, but what if you run Domino in a container?

Check the minimum client version for your Notes application  

By Daniel Nashed | 10/25/24 3:12 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Notes provides new functionality in Lotus Script and there are also Java classes added to the client. Lotus Script Named documents have been introduced in Notes/Domino 12.0.1. I have just written an application which needs a Java class which is introduced in Notes 12.0.2 as it turned out. So I came up with a simple check I am going to add to all my applications which use more current functionality. You can drop this code into the PostOpen script of any database and switch to the right constant.

Using Custom DNS Configurations With CertMgr  

By Jesse Gallagher | 10/25/24 3:10 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

The most common way that I expect people use Domino's CertMgr/certstore.nsf is to use Let's Encrypt with the default HTTP-based validation. This is very common in other products too and usually works great, but there are cases when it's not what you want. I hit two recently. Domino's CertMgr can handle those DNS challenges just fine, though, and the HCL-TECH-SOFTWARE/domino-cert-manager project on GitHub contains configuration documents for several common providers/protocols. For historical reasons (namely: I didn't like Network Solutions in 2000), I use joker.com as my registrar, and they're not in the default list. Indeed, it seems like their support for this process is very much an "oh geez, everyone's asking us for this, so let's hack something together" sort of thing. Fortunately, the configuration docs are adaptable with formula (and other methods) - I'll spare you the troubleshooting details and get to the specifics.

Domino Container image custom add-on support enhancements  

By Daniel Nashed | 10/14/24 3:19 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

There is a custom add-on functionality Martijn and Roberto just blogged about this week.

https://blog.martdj.nl/2024/10/10/building-custom-add-ons-for-your-domino-container-image/
https://www.robertoboccadoro.com/2024/10/10/upgrading-ontime-in-a-container/

This was the missing trigger for me to look into it again. It's a quite new functionality which wasn't fully documented yet.

Documentation

I have added a new documentation markdown page: https://opensource.hcltechsw.com/domino-container/concept_custom_addons/

Building custom add-ons for your Domino container image – Martijn's Blog  

By Martijn de Jong | 10/14/24 3:18 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

This is a post that I thought I had already written, but I realised today that I hadn’t. It’s about a feature that Daniel Nashed added to the Domino container community project in the past year and that I showed in my presentations on the Domino container project at Engage and OpenNTF. But apparently, apart from that, Daniel and I never documented it. So here it is. The documentation on how to create your own custom add-on packages for your Domino container image.

Installing Domino REST API in an existing Domino container server – Martijn's Blog  

By Martijn de Jong | 10/3/24 1:18 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

The Domino REST API, a.k.a. DRAPI, is a requirement for running HCL Volt MX Go. On a native Domino server, it’s an add-on that you can install. The installation will install files in both a special install directory, the Domino program directory and the Domino data directory. On a Domino server using Domino container images, you need a Domino image with the REST API included. After all, the Domino program directory is not persistent, which means that any addition to this directory that was added in the container and not in the image, is lost when the Domino container is stopped and restarted. Something that happens whenever you reboot the host machine. Luckily, the Domino container community image build tool includes the Domino REST API in the build menu, so it’s easy to add.

Linux LSOF is causing 100% CPU load inside a container in some configurations  

By Daniel Nashed | 10/2/24 4:34 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro


Disabling XPages if not needed reduces open files and HTTP start/stop time  

By Daniel Nashed | 9/30/24 4:30 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

While working on setup automation I often ran into HTTP startup challenges. It can take up to 40-50 seconds until the HTTP task is started. If you look at open files, you notice that each thread has more than 70 files open. This sums up to quite some files and the HTTP server start/stop time is much slower. In case you don't use XPages there is a simple switch to disable the XPages run-time and only load the standard Java components.

notes.ini
INotesDisableXPageCMD=1

I first had the impression Java in general would cause overhead on start. But my tests drilled down to XPages/OSGI.

Domino 14.0 FP2 IF1 installer might fail on new machines -- VCRUNTIME140 32bit is missing  

By Daniel Nashed | 9/24/24 1:06 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

I ran into this today when testing and got a customer reporting this one hour later. So it was easy to reply with a root cause and solution. Domino is a 64bit application. Therefore the Windows run-time installed with the Domino release installer is 64bit only. The Fixpack installer has no VC runtime requirements. But it turns out the hotfix installer, which is also used for interim fixes is also a 32bit installer and has VC dependencies.

Domino does not shutdown cleanly when Windows is rebooted or shutdown  

By Daniel Nashed | 9/11/24 6:23 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

When stopping the Domino service manually, the Windows service control manager (SCM) waits sufficient time to shutdown Domino cleanly. But it turns out a Windows shutdown or reboot does not wait sufficient time for service termination. This is critical because it would kill running Domino processes without notice. Even with transaction log enabled, this isn't a desirable situation.

How to find out what is eating my disk space on Linux?  

By Daniel Nashed | 9/11/24 6:22 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

If you don't know the Linux tool ncdu, this will make your day. The tool by default scans from where you are or any directory you specify. Especially when running on WSL you might want to use excludes. On top there is a delete option, which can be quite helpful when you find large files you don't need. I have been using it for years and it did save my IT life more than once. And it is very fast...

You don't have to overwrite your Command when pasting into the Domino Console  

By Cormac McCarthy | 8/31/24 3:35 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

While having a look at the HCL Domino Portal ideas portal the other week I came across something I was going to vote for, namely Paste (using CTRL+V) in the Server Console “Domino Command” input field should not remove existing content in that input field. Just as I was about to hit the vote button, I read the comments. Someone had helpfully put in the solution

Silent HCL Notes 32 bit to 64 bit upgrade changes - Domino People  

By Cormac McCarthy | 8/27/24 9:59 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

HCL have recently published one of the “gotchas” around upgrading from 32 bit to 64 bit Notes. I came across this again and thought it worth sharing. When upgrading Notes 32 bit to 64 bit via command line/scripting/third party install tool (basically anywhere you’re running silently) the syntax for PROGDIR and DATADIR changes to PROGDIRW64 and DATADIRW64.

Problem when uploading ID file to Vault with Admin Client 14.x to Domino 12.0.1.x   

By Rainer Brandl | 8/27/24 9:57 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Today I had the problem that a customer complained about the problem of uploading the ID of a new registered user to an existing vault. I could see the following entries in the local log.nsf:

27.08.2024 11:03:00 ID 'C:\HCL\Notes\Data\user\testuser1.id' failed to upload to vault 'O=customer_vault' on server 'CN=SERVER01/O=SRV'. 'Test User1' made request. Error: Remote system no longer responding

After opening a case I received the link to a TechNote where a problem with Admin Client V14.x and HCL Domino 12.0.1.x is documented. I afterwards modified the setting in the NOTES.INI of the client and now the upload of the ID for the newly registered user is working fine !!! Be aware to put the setting “TCPIP=TCP,0,15,16000” only in the NOTES.INI of a V14 client !!! If you set this value in a NOTES.INI of V12, the client will not start up and will cause serious troubles !!!

Does TOTP Work for users in a Secondary Directory via DA  

By Keith Brooks | 8/21/24 6:43 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Like many of our customers, a customer has a large external user community relying on their applications. We have about 7,000 external customers. Some are undoubtedly old customers, but 7,000 is a lot of people. Previously, I wrote about how to bulk add these people into your ID Vault, and that was all fine and good where we have only one names.nsf for everyone and everything. We may have had 2-3 servers in that org. Now, the 7,000 are in a secondary external names.nsf via DA (Directory Assistance).

The Problem

1) How do you register and maintain the people in a secondary Directory?
2) Does the DA even work with TOTP?

HCL Domino TOTP & Passkey authentication   

By Rainer Brandl | 8/19/24 7:45 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

In a customer environment I have enabled the great working TOTP authentication. After migrating the environment to Domino V14 I also enabled the Passkey authentication in the same Internet Site document. Afterwards neither TOTP authentication nor Passkey Authentication worked. A clarification of the HCL Support delivered the following information: You cannot enable both authentication types for the same internet site document !!

Route HCL Traveler mail to your internal scanner  

By Remco Angioni | 8/8/24 7:28 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Companies normally scan mail only on the first Domino SMTP server, not on all servers. For HCL Traveler server, this could be a problem because your external and mobile device can be infected with ransom-ware or a virus. This way it can harm your organization. How to check all mails coming from HCL Traveler servers using your already running and active scanner?

Domino One Touch Setup (OTS) advanced examples and helpers  

By Daniel Nashed | 7/29/24 3:22 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

OTS is a very powerful and flexible feature of Domino 12+ which has been extended in each dot release since then. I am using OTS a lot in the container world. But it also works on Windows. It perfectly fits into the container world. And we added a couple of integration points into the container image. Because I got a couple of questions I wrote up some examples, related information and also a Lotus Script agent to extend the functionality. The agent is intended to be an example how to write own integrations and also to leverage and extend the existing agent for own needs.