SAML Login redirections problem in Domino 12 - XPageDeveloper.com  

By Fredrik Norling | 10/3/23 2:07 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Before we dive into the problem, let’s briefly understand the SAML authentication process within HCL Domino:

1. User requests access: A user attempts to access a resource (e.g., a web application) protected by SAML authentication.
2. Identity Provider (IdP) initiation: The user is redirected to an Identity Provider (IdP) for authentication. The IdP can be an external service or a SAML-enabled component within Domino itself.
3. Authentication: The user logs in at the IdP. Upon successful authentication, the IdP generates a SAML assertion, a digitally signed XML document containing authentication information.
4. SAML assertion delivery: The SAML assertion is sent back to the Domino server.
5. Domino server validation: Domino verifies the SAML assertion’s authenticity and extracts user identity information.
6. User redirection: If the SAML authentication is successful, Domino redirects the user to the requested resource.

The Samesite Cookie Issue

The problem arises at step 6 in the SAML authentication process. Users are not being redirected as expected, and this issue is attributed to a relatively new feature in web browsers called “Samesite.”

My thoughts on how Domino registers users  

By Remco Angioni | 10/2/23 2:00 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

We all know Domino registers users. You need the certifier for the correct O or OU and the user is created with the hierarchical Full Name as the certified user. So, the hierarchical Full Name is the unique key. When you add users to a group, the hierarchical Full Name is added to the group. When you add users to the ACL, the hierarchical Full Name is added. Don’t you all hate the DELETE/RENAME Adminp actions? It can take days before finishing, depending on the number of servers you have. And sometimes……it fails or gets stuck in the flow.

HCL Domino rename via ADMINP does not check the new username in IDVault’s inactive users view.   

By Remco Angioni | 10/2/23 1:59 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

We discovered some strange behavior during a user rename. The user was renamed via ADMINP. AdminQ pushed the renameflow that evening, because we enabled AdminQ also for registered users. The next morning we checked the rename and everything looks fine. But.....the user logged in, still with his old name and received an error that he wasn’t allowed to access the Domino server.

Domino CertMgr GitHub Repository with additional material  

By Daniel Nashed | 9/27/23 1:21 AM | Infrastructure - Notes / Domino | Added by Oliver Busse

Documentation is always a challenge. This is especially true when it comes to complex topics like SSL/TLS certificates. Many admins still use their old cook books to get certificates created. When HCL introduced CertMgr in Domino 12.0 the team asked for feedback in the early code drops. And the team has kept asking in public and private forums since then. We really need your help to get it right. We need detailed feedback and questions. My new plan is to turn questions into FAQs and Howto documents in this GitHub repository.

Who moved my Domino keyfile.kyr files?  

By Daniel Nashed | 9/25/23 2:00 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Domino security in 2023

Domino 12.0 introduced a new, standards based and open way to work with web server certificates. Instead of using command-line tools like OpenSSL and the Domino kyrtool you can now manage all web server certificates in a domain wide certstore.nsf. The new functionality based on the well known text based PEM standard for certificates provides simplified flows and automation options for all types of certificates. Domino 12 also introduces the more modern ECDSA (sometimes referred to as ECC) keys/certificates which are based on elliptic crypto which has dramatically less overhead.

Moving from keyfile.kyr to certstore.nsf

The legacy kyr files can be automatically imported into certstore.nsf with a single command-line operation (load certmgr -importkyr all).

New Tiny Project: Wink Chattiness Patch  

By Jesse Gallagher | 9/19/23 3:38 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

I've been using the Domino 14 betas for development for a while now, and one of the things that has driven me a little nuts is the way Wink spews a bunch of INFO-level logs to the server console when the XPages runtime initializes. You've probably seen it - this stuff: It goes on for a while like that. This isn't new with 14 as such - it's just that 14 now ships with Verse by default, and Verse uses the Wink distribution that came along with the Extension Library, and so now everyone sees this.

Quick Tip: What is Notes tryin' to tell me? // Oliver Busse  

By Oliver Busse | 9/18/23 4:27 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro


Upgrading Notes client to V12 on Terminal Server  

By Roberto Boccadoro | 9/13/23 12:07 PM | Infrastructure - Notes / Domino | Added by Oliver Busse

I worked with my friend and lady geek, Marianna Tomasatti, at a customer to perform an upgrade of the Notes client to V12.0.2 FP1 on Terminal Server Windows 2019 Datacenter (multi-user installation) because the Notes clients had some issues.

Admin Client - custom icons for each domain?  

By Thomas Hampel | 6/13/23 2:39 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

When you have to manage multiple Domains in your Admin client, finding the right domain This example here is just showing two Domino Domains, but there are admins out there with 100+ domains to manage. Maybe you want some custom icons then?

Time matters with SAML - XPageDeveloper.com  

By Fredrik Norling | 6/5/23 2:31 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Keeping your servers' time synced is important for server operations to keep running smoothly. And if you are using SAML it’s crucial, because if your server's time drifts away you will get BAD SAML REQUEST and your users can’t log in. To find out if this is the problem add DEBUG_SAML=31 (Set it to 0 to turn it off) in your notes.ini and look for this entry.

Domino V14 backup for notes.ini  

By Daniel Nashed | 6/1/23 2:03 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Domino backup has been around since 12.0 and it got improvements in every release. There are not many current AHA ideas for Domino Backup & Restore. One smaller feature you can see in EAP1 is the backup of the notes.ini.

How to use Domino OTS on Kubernetes to import an existing TLS Certificate  

By Daniel Nashed | 5/30/23 12:05 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Domino One Touch Setup has been designed with flexibility in mind, with special focus on getting a server up in a secure way. On Docker you can just mount PEM files into the container. On Kubernetes TLS Certificates and Keys are stored in secrets. Personally I am not a big fan of storing PEM files on disk. But you could at least set a password on the PEM file you import. Here is a basic example of how to create a secret on K8s and reference it in OTS. Even the simple environment variable setup supports the security settings for CertMgr. Of course the same functionality is also available with the more flexible JSON based configuration.

Importing trusted MicroCA Roots for a Nomad Lab environment  

By Daniel Nashed | 5/29/23 12:39 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Yesterday I worked on a lab configuration based on Windows Sandbox, Domino and Nomad Web. The biggest challenge is to have a trusted certificate for Nomad Web.

Nomad Server running with the Micro CA

A Nomad Server can use Domino CertMgr Micro CA Certs. But the root is not trusted in your browser. I took a closer look and came up with a simple solution, which makes the import dramatically easier. No more searching for the right trust store and handling PEM files manually.

Tuning Domino Servers for TLS sessions  

By Daniel Nashed | 5/24/23 2:13 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

My previous post was mainly about HTTP traffic and I mentioned TLS/SSL don't use the maximum number of connections settings, because they have an SSL/TLS session. Establishing a new TLS session has significant overhead! And you have to make sure in any application, that those sessions are cached and resumed. I revisited a blog post from 2012 where I explained a fix, which went into 8.5.3 and was enabled in 8.5.4 by default (which turned into the 9.0 release when shipped, as far as I recall). There was an issue with the session cache and a new cache had been implemented in 8.5.3. Today the new cache is the default and SSL_USE_ADDSESSION2=1 does not exist any more.

Domino on CentOS/RHEL compatible Linux - Timezone issues  

By Oliver Busse | 5/19/23 1:34 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

With a new customer server we stumbled upon a strange behaviour using our low-code platform Aveedo we never saw before. We created the server at Hetzner using the Rocky 9 base installation. Rocky is binary compatible with RHEL and should be used in favour of CentOS in general as it is newer and still maintained.

Workspace all grey - no icons - workaround  

By Jesper Kiær | 5/17/23 6:30 AM | Infrastructure - Notes / Domino | Added by Oliver Busse

If you are running Notes 12.0.2 or higher you will for sure at some point run into an error where the workspace tabs fill out the entire workspace and you can no longer access your workspace database icons. There is nothing you can do in the UI to fix it. The problem is due to a new setting in the notes.ini and is easily fixable, if you know what to fix.

Attachment is missing from meeting invitation  

By Rainer Brandl | 5/11/23 1:53 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Today I received information from a friend at HCL (a.k.a. "Wickerl") that attachments get lost when sending a meeting invitation to another Domino Domain. In the HCL Software Forum a user complained that this issue also occurs when sending a meeting invitation to external users. This issue is described in SPR # SJOICG3K9F.

HCL Domino 12.0.2: removed user-maildatabase in a cluster symmetry configuration is repaired after removed on 1 server.  

By Remco Angioni | 5/8/23 1:01 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

In HCL Domino 12.0.2 we discovered that when we delete users, some maildatabases are repaired back to the home/mail Domino server……running on Windows servers. As all of you know, when removing a user from a clustered Domino environment, the cldbdir entry for that database is altered to REPAIR:DISABLED. Repair is not allowed for that database. We raised a ticket because we noticed, of course, that this was not the case for some users we removed. The database was repaired from another clustermember. This left us with 2 maildatabases and NO persondocument.

Domino Server: Let adminp handle renames in maildatabases, but don’t delete users in name fields.  

By Remco Angioni | 5/5/23 1:26 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Ever wondered why adminp treats a deletion the same as a rename when you have set the Administration Server Action to Modify all Names fields? Well, I did. I can imagine why a rename should be performed on all mail and calendar items, but a user deletion?????? Why would you want that to happen at all? Why remove the evidence that someone has sent me an email or has sent me a meeting request? It doesn’t make sense at all to me. That’s why I was searching for a way to tell Domino not to delete users in names fields, just renames when using adminp in maildatabases. And there it is, the solution.

New Defect Article – Verse on Android can’t sync any emails  

By Andreas Ponte | 4/12/23 11:45 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Various users reported that sync of email/calendar was not working anymore with Android devices. The log shows this error: “Error: Sync session XXXXXXX is outdated and no longer valid.” I found the following “brand new” defect article from HCL, explaining the problem. https://support.hcltechsw.com/csm?id=kb_article&sys_id=ac3decf21b066590574121f7ec4bcb8a

Dipping My Feet Into DKIM and DMARC  

By Jesse Gallagher | 4/11/23 3:19 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

For a very long time now, I've had my mail set up in a grandfathered-in free Google Whatever-It's-Called-Now account, which, despite its creepiness, serves me well. It's readily supported by everything and it takes almost all of the mail-hosting hassle out of my hands. Not all of the hassle, though, and over the past couple weeks I decided that I should look into configuring DKIM and DMARC, first for my personal mail and (if it doesn't blow up) for my company mail. I had set up SPF a couple years back, and I figured it was high time to finish the rest. As with any admin-related post, keep in mind that I'm just tinkering with this stuff. I Am Not A Lawyer, and so forth.

TLS/SSL Cipher Troubleshooting  

By Daniel Nashed | 4/10/23 9:35 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Every Domino release adds more TLS ciphers to the weak list to ensure proper security. We can expect the next versions also to have fewer ciphers available. Domino ensures for clients and servers, that the list of ciphers provided is safe. In addition the default behavior is that the server decides the order of ciphers to pick. And only allows secure renegotiation to prevent the client from picking a less secure cipher. Usually this doesn't cause a lot of trouble for inbound connections. Modern browsers support modern ciphers. But outgoing connections for LDAP and ICAP could be a challenge. I had to look into an ICAP connection problem this week. To demonstrate how the TLS handshake works, I wrote a small OpenSSL demo program in C. This turned into a quite flexible troubleshooting tool over the weekend.

Spam score testing tool and tip how to increase your rating  

By Vladislav Tatarincev | 4/5/23 10:44 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

I was working in one environment which had an average spam rating, and many emails that this eligible company sent did not reach their intended destination. A colleague of mine suggested a site, Mail-tester.com. The idea is simple: you send a mail and it gives you a score and how to improve. Long story short, after some time we improved from 6 to 10 out of a maximum of 10 possible. The free version allows 4 mails per day, which might be sufficient if you don't do too many changes per day.

Picking the right Linux Distribution  

By Daniel Nashed | 4/5/23 10:42 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

There isn't one best or right distribution in general. There are many variations. For example Redhat/CentOS based platforms have flavors like Rocky and Alma Linux. The HCL Domino community project looks into many possible combinations as the base image --> https://opensource.hcltechsw.com/domino-container/concept_environments/

There are basically three different main flavors with different toppings:

- Redhat/CentOS based (with yum and dnf in later versions to manage packages)
- Ubuntu/Debian (with apt to manage packages)
- SUSE Enterprise/Leap etc. (with zypper to manage packages)

The right distribution really depends on your needs.

Certificate Store: Submit vs Save  

By Martijn de Jong | 3/30/23 2:39 AM | Infrastructure - Notes / Domino | Added by Oliver Busse

I regularly receive questions about the Certificate Store and CertMgr, which made me realise that there’s a lot of confusion around the Submit Request and the Save & Close buttons in the store and when to use what. Time for an article to hopefully solve some of that confusion.

HCL Notes – Swiftfile Not Working as Expected   

By Milan Matejic | 3/29/23 3:53 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

When using the "preview pane" in HCL Notes, and clicking on a folder, suggested by SwiftFile, the "move to folder" dialogue would sometimes come up. This was happening to my client, in about 1 of 20 cases

HCL Verse on Premises and HTTP error 404   

By Rainer Brandl | 3/23/23 3:00 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Today I implemented VoP on a Domino Server running on an iSeries like the "implementation" always is done. But afterwards I received an HTTP error 404 when trying to open the URL https://mailserver.company.com/verse. After some rechecks (did I put the JAR files to the correct location and did I modify the owner) I recreated the redirect database, rechecked the server configuration but could not get rid of this issue.

New C3UG video: Low-Code with Tooljet using the HCL Domino REST APIs  

By C3UG | 3/15/23 4:26 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

This is a video about the new HCL Domino REST APIs in conjunction with the open source low code development environment "Tooljet". I do an intro to both systems and a (lengthy) demo, showing how to set up access to HCL Domino using the new REST APIs on Domino 12 and to get the data into data tables in a ToolJet project.

On Domino thread IDs and Linux/Windows process IDs  

By Martijn de Jong | 3/1/23 9:53 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

A short tip on something which many people are probably not aware of, but which can be a huge time saver when you’re troubleshooting a Domino problem. As an example, see this error message from a Domino log:

[062372:000014-00007F8001776700] 28/02/2023 13:16:20 CertStore: Error opening CertStore database [CN=PROD02/OU=SRV/O=ACME!!certstore.nsf] : The server is not responding. The server may be down or you may be experiencing network or VPN problems. Contact your system administrator if this problem persists.
[062372:000014-00007F8001776700] 28/02/2023 13:16:20 CertStore: Error opening CertStore on [CN=PROD02/OU=SRV/O=ACME] : The server is not responding. The server may be down or you may be experiencing network or VPN problems. Contact your system administrator if this problem persists.

Your first hunch might be that this is an error that’s caused by the CertMgr process. It’s related to the Certificate Store after all. But is this really the case?

HCL Nomad Web – User moved to another Domino Server  

By Rainer Brandl | 2/23/23 3:44 AM | Infrastructure - Notes / Domino | Added by Roberto Boccadoro

Today I had the issue that a user could not successfully complete the initial setup of HCL Nomad Web. The user always received the following error message: Afterwards I checked the result of the LDAP request for the home server which looked fine and the Domino Server also was available. So what could cause this error message ? CAUSE: the user was moved to another mail server some days ago !!