Q&A from April Webinar: Domino Administration Best Practices

Graham Acres | 2 weeks ago | Comments

We ran out of time during our April webinar for the Q&A session, so this blog presents all of the questions and answers for you. Again we thank Heather, Roberto, Serdar and John for providing more detail on this interesting topic, and a big thanks to Daniel Nashed for helping with some of these answers too.

Before the Q&A however, we have some additional goodies for you. Heather and Roberto have put together a blog on some details they didn't get to in the slides.

Also, Serdar has a correction on the slide about the java.pol file. Apparently, after V11, HCL Domino is no longer using the “java.pol” file, also noted by Per Henrik Lausten previously. After V11, you need to use “$user.home/.java.policy” file. Please refer to the relevant technote https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0085173.

And now, onto the Q&A from our audience:

Q Is it easy to scrap then rebuild an ID vault in Domino?
A The best practices approach is to build an ID Vault as soon as you create a server and make a replica of the resulting ID Vault database. Having said that, Yes, you can scrap an ID Vault and then go through the process of creating a new one.
Q I can’t find the password to my ID Vault. How much trouble am I in?
A Definitely you are in trouble. The only option is to create a new Vault.
Q Personally I think it's good practice to use OU's to separate servers and signer IDs from the User IDs. /SRV/ACME, /QA/ACME, /USR/ACME.

Context: The purpose of the comment during the webinar was with regards to keeping the architecture simple.
A O and OU organization is definitely subjective. The purpose of the comment during the webinar with regards to keeping the architecture simple, which would be ideal for a small deployment. However, for a large deployment in a company that is federated, OUs may indeed lend themselves for allowing secure distributed administration and end user categorization. Overall, just like server platforms, there really is not a best practice here.

Also a best practice is to make a backup of all cert IDs along with the passwords. Your future self will thank you.
Q Is the notes client able to connect to a domino server created on an openshift container that has the port 1352 exposed in a reverse proxy way ? I know it is complicated, but I'm just asking if it is possible.
A We went straight to Daniel for the answer on this one. Today there is no supported solution available. HCL is aware of the need however, hearing this request from Business Partners already.
Q We want to move all on premise servers into the cloud, on openshift, containers, using the Daniel Nashed script. We somehow don't want to recreate the environment from scratch is there a best practice to this kind of migration?
A Another question that we went to Daniel to ask. His response: This is really difficult to answer. It is less about a Domino migration and more about learning the best way to implement and use OpenShift. Once you have OpenShift configured correctly, this is a normal Domino migration. But the key challenge is to get the right OpenShift configuration.
Q What tool do you use to analyze NSDs and crashes?
A Generally Admins will use their eyes and experience. The key things in an NSD are to find the PID and TID that crashed and the call stack of the PID and TID. John mentioned encouraging people to use the Fault Analyzer Task and setting up your environment for fault data collection as Heather had mentioned, so that you can identify patterns that lead to crashes if you are experiencing a high number of outages.
Q Do you recommend different a Notes network port for cluster traffic?
A Yes :) It will depend on your environment and available resources of course, but ideally, Yes.
Q How about HCL SafeLInx as front end for Traveler Server?
A Absolutely. HCL SafeLinx can manage and redirect incoming requests from Traveler clients to Traveler servers.
Q Is LE4D going to be part of Domino v12?
A No, but the new CertMgr application will have the same features and much more. LE4D works only with the LetsEncrypt Ca, while the new app will work with any CA.
Q For 443, how do we let Java agents know, where are the certificate files? .kyr, .sth files
A If the question is about connecting to HTTPS targets when the remote certificate is untrusted, this is documented here: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0035853
Q Serdar, your thoughts on using Basic Authentication for REST services (naturally on HTTPS)?
A Basic Authentication has inherent security flaws in various scenarios. For example, it’s easily decoded once intercepted, it has a large attack window as it’s transmitted for every request, etc. HTTPS will definitely help but still there are reasons to be uncomfortable with it. In some cases, it would be acceptable with reasonable precautions. Such as a securely containerized consumer in a closed network would provide a more secure architecture. In less controlled environments it’s still possible to implement cookie-based session-authentication for RESTful consumers. The only problem is, it has some non-standard behaviours. Eventually, OAuth2 support would be ideal for the future.
Q The value of 'redirectTo' in the post could be validated or rewriten?
A I have seen pen test issues related to RedirectTo parameter. In certain cases this parameter might be considered as a security vulnerability. I created an idea (https://domino-ideas.hcltechsw.com/ideas/DOMINO-I-273) about this a while ago. There is also another notes.ini param “DominoValidateRedirectTo=1”. Refer to this technote: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0037962
Q If a java agent on the web gets "Out of Backend Memory" error - which size needs to be increased? It occurs when JVM Heap Space indicates ample memory still available.
A When a java agent is called through Web, it’s run by the HTTP task. So HTTPJVMMaxHeapSize is the setting to adjust.
Q java.pol should be used for Domno Volt, I suppose. Rather than modify java.policy
A After v11, HCL Domino does not use the java.pol file anymore. Instead, you need to use “$user.home/.java.policy” file. Please refer to the relevant technote: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0085173.
Q We have never implemented ID Vault, what is a good document that helps explain everything and has detailed steps of the process to implement? I am the only admin so want to make sure I don't mess it up.
A The documentation explains in details how an ID Vault works and all the steps needed to set it up, start from here https://help.hcltechsw.com/domino/11.0.1/admin/conf_notesidvault_c.html
Q There used to be a notes.ini analyser at http://www.lntoolbox.com/en/online-tools/notes-ini-analyzer.html did anyone use this and is it still alive ?
A That website seems to be not active anymore
Q What is the best current resource for notes.ini settings? I recently ran into a setting that caused a problem on the server and I eventually found out that the setting had been deprecated and replaced by a new setting in the NSF.
A The HCL Notes and Domino documentation available on the HCL website should be considered reliable. For example, the following page is for notes.ini parameters related to Traveler 11. https://help.hcltechsw.com/traveler/11.0.0/List_of_Notes_ini_settings.html. And this one is for notes.ini parameters that may be set in the Domino Configuration document https://help.hcltechsw.com/domino/11.0.0/conf_notesinisettings_c.html

Remembering Nathan T. Freeman - Friday, April 16 at 1:00 PM EDT

Graham Acres | 1 month ago | Comments

Please join OpenNTF at an open online gathering to remember our co-founder and friend, Nathan T. Freeman.

We will host an open GoToMeeting for everyone in the Community to join and share their memories of Nathan, this coming Friday, from 1:00 - 2:00 PM EDT. You may use this link to join the meeting: https://www.gotomeet.me/howardtlcc/nathan

Nathan's vision led to the forming on OpenNTF as a free, open source service to the Notes and Domino community. His leadership made it happen, and also he backed it up by contributing code, sharing ideas, and pushing IBM, all while giving his time freely on the old XPages Skype chat that he was a regular participant in. User Groups were another way to share, and he has numerous presentation to his credit, sharing his knowledge with the community.

We have already seen some wonderful memories of Nathan shared by various members of the community, all with the theme of his generosity, and his unique grin. Please join us to share more of these stories.

R.I.P. Nathan

Christian Guedemann | 1 month ago | Comments
Dear Friends

Today, we have lost our Co-Founder Nathan T. Freeman. Nathan was a fighter, an inspiration and a visionary. As one of the Founders of OpenNTF, he had a huge influence of how and what OpenNTF has become. Beside his contribution as a leader, he has also done the hard work of contributing code. Code that will be a part of his legacy to us. He had always a strong opinion and therefore also strong arguments. Disussions with him where always fun and intense at the same time. Nathan

I remember, when I was speaking together with Nathan at a Notes User Group Event in Denmark. We had a nice chat about our families and what we are doing beside the crazy programming stuff. At that moment, I figured out that Nathan cares more about who I am then what I do. So let us do the same. Let us keep in our memory who he was and who he was to us. We will miss you!

Today, we as OpenNTF ask you to give something back and support Nathan's family. So please support: https://www.gofundme.com/f/ntf-needs-your-help