Quantcast
Channel: Daniel Nashed’s Blog
Viewing all 852 articles
Browse latest View live

Domino on Linux Start Script 3.1.3 with changed way to request it

October 29, 2017, 8:43 pm
$
0
0
Just updated the start script to a new version with some minor changes.
There was one issue with systemd on shutdown and I made a change in the way config files are used.

Most of the new features are coming in either thru projects or when I want something for my own environment.
I don't get much feedback or feature requests beside that.

One change triggered by a project was how config files apply. We wanted to use the same configuration for all servers.
But we wanted special settings for the Traveler servers. So I changed the way the config files apply.
Now you can use a general config and additional or changed parameters for individual servers.
That way you can have a general config that you deploy automatically and you keep a server specific file with changes.

So in that case the general config would be /etc/sysconfig/rc_domino_config.
And the specific config would be for example: /etc/sysconfig/rc_domino_config_notes.

This would also work in partitioned environments where each server has a basic configuration and you want additional parameters for a partition.
On the other side even on partitioned servers you could use variables which depend on variables like the DOMINO_USER.


Changed way to request the start script

I am also changing the way you can request the new version. Until now I had a request form.
Now you just send a mail to dominostartscript  at nashcom.de with the subject "script".

The old implementation was a servertask which read the data posted in database.
I switched to a pre-delivery agent with some additional logic to check the message.
So for example I am not triggering an automatic reply if the message is a reply or is an autosubmitted message.

I am not yet updating the start script page and want to see first how this works with requests coming in thru the blog.
And I hope you like the new way to request the start script? Any feedback is welcome.

-- Daniel



--------------
Change History
--------------

V3.1.3 30.10.2017

Problems Solved
---------------

Fixed an issue with systemd in combination with server controller.
Now the server controller correctly shutsdown when the service is stopped


New Features
------------

listini -- displays server's notes.ini

Changes
-------

Changed sample rc_domino_config_notes setting DOMINO_PRE_SHUTDOWN_COMMAND to "tell traveler shutdown"


V3.1.2 01.09.2017

New Features
------------

New check if Domino ".res" files exist and readable to generate warnings

New short cut command "res" for "resources"

Changes
-------

In previous version either the server specific config file was used or the default config file.

The config files are now used in the following order to allow more flexible configurations:

- First the default config-file is loaded if exists (by default: /etc/sysconfig/rc_domino_config)
- In the next step the server specifc config-file (by default: /etc/sysconfig/rc_domino_config_notes) is included.
- The server specific config file can add or overwrite configuration parameters.

This allows very flexible configurations. You can specify global parameters in the default config file and have specific config files  per Domino partition.
So you can now use both config files in combination or just one of them.
Search

Erster DNUG "Domino Next" Event 23.11.2017

November 9, 2017, 3:44 am
$
0
0
Nach den Ankündigungen zu Domino 10, der IBM & HCL Kooperation und Domino 2025 haben wir die Agenda für den DNUG Domino Day am 23.11.2017 in Düsseldorf umgestellt.

Teil des Domino Days wird ein Domino Next Feedback Richtung Domino 10 und beyond.
Neben Uffe Sorensen wir auch ein Kollege von HCL mit dabei sein.

Es wird  im Vortrag von Uffe u.A. um die aktuellen Informationen zur Kooperation gehen.
Ihr könnt alle eure Fragen mitbringen und im "Feedback" Teil geht es dann um Feedback für Wünsche für Domino 10 und beyond.
Dieser Teil ist bewußt ans Ende gelegt, damit genügend Zeit für Fragen ist ...

Ich bin sehr gespannt.

PS: Der Event ist für DNUG Mitglieder kostenlos! Gegen eine Gebühr können auch nicht Mitglieder teilnehmen...
 

https://www.eventbrite.de/e/dnug-fachgruppentag-domino-day-fachgruppe-verse-und-notesdomino-tickets-35785282744



09:00 - 09:10
Begrüßung
Daniel Nashed - CEO (Nash!Com)
Manfred Lenz - Technical Sales Professional, IBM Collaboration and Talent Solutions (IBM Software Sales)

09:10-10:05
UPDATE: IBM Notes/Domino Feature Packs
Daniel Nashed - CEO (Nash!Com)
 
10.05-11:05
ApplicationInsights & IBM Domino Doublecheck - Der Weg um richtige Entscheidungen treffen zu können
Christoph Adler - Senior Consultant (panagenda)

11:05-12:00
SSL Zertifikate unter Domino - Allgemeine Einführung und Vorstellung der kostenfreien CA Let's Encrypt
Detlev Poettgen - Geschäftsführer (midpoints)

12:00-13:00
Mittagspause

13:00-13:45
Domino Application Cloud (DAC) & Domino on Docker
Michael Finkenbrink - Certified Senior Architect, IBM Collaboration Solutions (IBM Software Services)

13:45-14:15
Kaffeepause

14:15-15:15
Keynote: IBM Notes/Domino and Verse On-Premises - News/Strategy/Roadmaps incl. Notes Domino 10
Uffe Sorensen - Messaging & Collaboration Director (IBM Software Sales)
n.n. - HCL Industries

15:15 - 17:00
Notes/Domino Next Feedback" - Workshop in Form eines Knowledge Cafes zum Thema "Anforderungen an Verse Notes Domino 10 und danach
Uffe Sorensen - Messaging & Collaboration Director (IBM Software Sales)
Peter Schütt - Leader IBM Collaboration Solutions Strategy D-A-CH (IBM Software Sales)
Manfred Lenz - Technical Sales Professional, IBM Collaboration and Talent Solutions (IBM Software Sales)

VIEW_REBUILD_DIR changed to /dev/shm/view_rebuild

November 14, 2017, 4:35 am
$
0
0
We just discovered an interesting configuration issue, which generates quite some logging and is a bit annoying.
When you specify the view_rebuild_dir without the trailing slash / back-slash, the server will internally append the slash.

But if you configured the view_rebuild_dir in the config document without the (back) slash the server will tell you every couple of minutes that the server changed the setting.

This happens why the internal path is always stored with the trailing (back) slash and the notes.ini check to update the parameter compares against the config doc entry without the (back) slash.

VIEW_REBUILD_DIR changed to /dev/shm/view_rebuild

So you have a constant changing parameter -- even it looks the same in the notes.ini

The correct notes.ini entry would be

VIEW_REBUILD_DIR changed to /dev/shm/view_rebuild/

including the trailing slash.

This avoids the log messages.

-- Daniel

Traveler 9.0.1.20 Released

November 18, 2017, 4:44 am
$
0
0
Traveler 9.0.1.20 has been released and I installed it already.
As usual, if you are not waiting for an urgent open issue that is listed in the fix list, it might make sense to wait before installing a new version in production asap.
I have installed it already befor the weekend and it looks good for my small environment.

Beside the fixes listed below there is a new feature:
  • Support for invitee availability search from Calendar on Exchange ActiveSync clients.

Still trying to test it. Not sure the iOS native calendar does support it.

I did not have this on the radar and also never tested with the Verse app. Don't see it working here.
Maybe someone has an idea?

I did not testing but without luck on any of my clients.

APAR # Abstract
LO93044 Slow sync due to prime sync thread looping over large number of child documents.
LO93067 Better handling of encrypted mail when syncing to mobile device.
LO93070 Traveler cleanup bind command may fail when using MS SQL Server.
LO93084 Better handling of Notes Doc Links when syncing to mobile devices.
LO93196 Traveler "did not respond in time" messages on the console log.
LO93217 Additional HTML to plain text conversion options to improve generated plain text content.
LO93221 Do not include previous attachments on reply mails from MaaS Secure Mail client.
LO93236 Improve crash prevention on Traveler server when processing documents.
LO93238 Phone messages with HTML content may not display correctly on mobile device.
LO93258 Traveler server may be unresponsive due to logging thread deadlock.
LO93319 Support for Domino 9.0.1 FP10.

End of Service for JVM 1.6

November 25, 2017, 3:34 am
$
0
0

IBM uses the Oracle JVM as their base for their IBM JVM platform which is used in IBM products like Notes, Domin and Traveler.

JVM 6.0 has been around for almost 10 years and is now discontinued since Sep 2017.
Oracle discontinued their support for JVM 1.6 so IBM cannot support JVM 1.6 on their side.

That also means for IBM platforms that there is no patch support for JVM 1.6!

For Notes and Domino means you have to update to 9.0.1 FP8/FP10 for JVM 1.8 and hopefully FP10 will bring compile time for JVM 1.8 as well (current planning).

If you are running on Notes/Domino 8.5.3 or an earlier 9.0.1 FP don't panic. Most Java applications on Domino are not directly accessible over the network. There is at least the Domino HTTP stack between the client and the Java application.
On the client side you might have direct connection from the client to the internet. And for encrypted connections there have been limitations before in the SSL/TLS area as posted before.
For example there is just very limited TLS 1.2 support in JVM 1.6 with just one chiper.

I personally would still wait for Feature Pack 10 and have the full JVM 1.8 support also at compile time. But you should be aware that it is time to move to a current release.

If you are on 9.0.1 you are just a "FP" install away. If you are on 8.5.3 there are another good reasons to move to a current 9.0.1 release from security point of view. For example missing SHA-256 support and no TLS 1.2 support - not just for JVM.


Here is a link to the support cycle for the IBM JVM
https://developer.ibm.com/javasdk/support/lifecycle/


Daniel

Domino 9.0.1 FT Index Hang and potential crash

December 9, 2017, 8:08 pm
$
0
0
We ran into a hang situation multiple times during FT indexing. It turned out that this is a regression introduced in FP9 due to changes in the FT index area.

In certain situations the FTIndex update does hang getting document data and will cause one CPU core to be maxed out for this thread.
The description of the SPR says it is a "spike" but it more looks like the thread permanently uses CPU.

This can happen with updall, DBMT and also other tasks updating the FT index.
The process cannot be stopped and this will also cause that the server cannot be shutdown cleanly.

We got a hotfix which will will be included in IF3. After applying the hotfix we had no new server hangs.

I am including the call-stack for the hang to this blog post to have it searchable for others who might run into the same issue.
If you have not installed FP9 you should wait for IF3. If you are on FP9 and run into this issue, take a full NSD, open a PMR and reference the mentioned SPR numbers to get the fix.

-- Daniel


-- Fixed SPRs --

SPR #SVEM9SLCL7
J3 server crashed on DBMT task, while full text indexing the database

SPR #TDOOAT6LK9
CPU spike when running dbmt (or updall/update task) and creating full text index.

-- Call Stack --

Thread 3 (Thread 0x7f2c5da71700 (LWP 17594)):
#0  ODSToOrFromHost (toHost=32769, type=0, vbuffer=0x7f2c5da6e8e0, iterations=1) at ods.c:824
#1  0x00007f2cba7ef8fe in ODSReadItem (src=0x7f2c54466d96, type=, dest=0x7f2c5da6e8e0) at ods.c:1420
#2  0x00007f2cbab635e2 in GetChar(STREAM_CTX*, STREAM_DATA*) () from /opt/ibm/domino/notes/latest/linux/libnotes.so
#3  0x00007f2cbab64932 in FTGetDocStream () from /opt/ibm/domino/notes/latest/linux/libnotes.so
#4  0x00007f2c5d390919 in NotesStreamReadChar (arg=) at ftg_dstr.cpp:1412
#5  0x00007f2cbab5ca7c in FTLexMatch () from /opt/ibm/domino/notes/latest/linux/libnotes.so
#6  0x00007f2c5d39296c in FTGCreateIndex (pFTGCtx=0x7f2c4c00abf8) at ftg_dstr.cpp:1839
#7  0x00007f2c5d38bac0 in CFTNoteIndexer::ProcessDoc(FTG_CTX *, struct {...} &) (this=, pFTGCtx=0x7f2c4c00abf8, docIndexerInfo=...) at ftgindex.cpp:2074
#8  0x00007f2c5d38c5d1 in FTGIndexIDProc (Parameter=, NoteID=207326) at ftgindex.cpp:1685
#9  0x00007f2cb999285d in IDEnumerate (hTable=536872571, Routine=0x7f2c5d38c343 , Parameter=0x7f2c4c00abf8) at idtable.c:2216
#10 0x00007f2c5d38e252 in FTGIndex(FT_THREAD *, struct {...} *, WORD, char *) (pftt=0x7f2cb41004d0, pFTStreamCtx=0x7f2c4c00abf8, Options=392, StopFile=) at ftgindex.cpp:1146
#11 0x00007f2cbab5adce in FTCallIndex () from /opt/ibm/domino/notes/latest/linux/libnotes.so
#12 0x00007f2cbab5c3a3 in FTIndexExt2 () from /opt/ibm/domino/notes/latest/linux/libnotes.so
#13 0x00007f2cb93e8485 in UpdateFullTextIndex (hDB=1154, Pathname=0x7f2cb4101648 "mail/c1/xn06451.nsf", Flags=201342976, fullTextStatus=8) at update.c:1239
#14 0x00007f2cb93ea78f in UpdateCollectionsExt (_hModule=, Pathname=0x7f2cb4101648 "mail/c1/xn06451.nsf", Type=2, Flags=201342976, Flags2=0, mSecs=0, ViewNoteID=0, ContainerObjectID=0, ViewTitle=0x40a360 "", retDbTitle=0x0, fSrchSite=0, QueuedRequest=0, retbLater=0x0, fullTextStatus=8, wantsFulltext=0x0) at update.c:660
#15 0x00007f2cb93ea957 in UpdateCollections (_hModule=32769, Pathname=0x0, Flags=, ViewNoteID=, ContainerObjectID=, ViewTitle=, retDbTitle=0x0, fSrchSite=0, QueuedRequest=0, retbLater=0x0, fullTextStatus=8, wantsFulltext=0x0) at update.c:106
#16 0x0000000000405238 in UpdallThread (threadparam=) at dbmt.c:2108
#17 0x00007f2cb98e7be3 in ThreadWrapper (Parameter=) at thread.c:1183
#18 0x0000003aae007aa1 in start_thread () from /lib64/libpthread.so.0
#19 0x0000003aadce8bcd in clone () from /lib64/libc.so.6

DOMINO NETWORK PERFORMANCE OPTIMIZATION WINDOWS 2008 R2 VERSUS 2012

December 31, 2017, 12:19 am
$
0
0
There is a new APAR which describes a performance issue on Windows 2008 and earlier.
The APAR is based on a PMR which I had open with IBM. So I want give you the full detail about what we found out instead of the summary described in  
LO93355: DOMINO NETWORK PERFORMANCE OPTIMIZATION WINDOWS 2008 R2 VERSUS 2012 --> https://www.ibm.com/support/entdocview.wss?uid=swg1LO93355  
We had a situation where we needed to replicate databases from an existing Domino 8.5.3 FP6 Windows 2008 environment to a new Domino 9.0.1 FP9 Linux 64 environment.  
The replication was quite slow and we tried all kind of optimization on Domino, Windows and Linux.
Beside increasing the sending/receiving buffer and memory we have been looking into ways to optimize the the Domino configuration.

It turned out that Domino NRPC network compression was not always helpful depending on the configuration. So we ended up to disable network compression in our particular case. But this might not help in your configuration. It's something that needs testing.
Between the Domino application sending the data and the IP-Stack sending the actual data there is a layer called the "NTI" layer which is responsible for actually coordinating sending the data.  
The buffer size can not be modified and depending on the transaction higher latency networks take some time for the round-trip between sending and receiving side.
But the main issue we have seen was that sending attachments which have a bigger chunk size that is send over the network was also slow.  

Windows 2008 TCP/IP Issue  
The issue we found on the Windows IP stack only had impact in network environments which have higher latency than a local network where the latency is around 1 ms.  
Our environment had 1 GBit and around 6 ms latency which is already great for a wide area connection . If you are having higher latency the performance might be even lower!
We also reproduced the slow performance also with a faster connection with similar latency (10 GBit network with 5-6 ms latency). So it is the latency that has impact!  
For transferring attachments with my own written C-API test application we have seen 2,5 MB/sec transferring data from Win2008.
In contrast Windows 2012 did not have the same issue and that was very strange for us.  
After discussion with the network team and a lot of tests we found the following tuning parameters.
Both parameter do not exist by default on Win2008 R2 but the DefaultSendWindow exists for example on Win7 (which hare  comparable network stack) with a smaller value.  
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AFD\Parameters]  
"DefaultSendWindow"=dword:00080000  
"DefaultReceiveWindow"=dword:00080000  
Those settings ensures that the much more chunk sizes are send over the network before the IP-stack waits for the ACK from the other side. By default it was around 12 KB of data which was quite small!
The first tests on our internal environment after the change showed 35 MB/sec!
But that does not mean that normal replication will have the same performance because it is a mix of different transactions! We only tested object write transactions which had the biggest impact in our case.

Object Write Chunk-Size is 256 KB  
In discussions with IBM we also found out that the documentation for changing the chunk size for sending attachment data was wrong.  
The WIKI documentation say that the chunk size ist 64 KB and can be increased with a Notes.ini parameter up to 1 MB.  
But it turns out that the parameter was only implemented as a test for a customer and the fix had never been added to the code.  
Here is the technote describing Notes.ini SERVER_SEND_OBJECT_CHUNK_SIZE.  
This is the only documentation for the parameter that should be corrected. The parameter does currently not exist and the default is 256 KBinstead of 64 KB.  
https://www-10.lotus.com/ldd/dominowiki.nsf/dx/Optimising_NRPC_Bandwidth_Consumption_for_attachment
I have been testing different chunk sizes between 64KB and 1 MB with a low level C-API application which writes attachments.
And I found out that 256KB is a good balanced value. So there would be no need to change this parameter.

Conclusion and some additional tips for AdminP
When you are running on Win20012 or higher you don't need to change anything.  
For Windows 2008 you should really set the registry parameter, because this will be a big boost for your replication performance.  
On the other side the nature of replication is that document level replication will always take some time even in a local network.
That's why Domino provides accelerated replica which uses a different transaction type.
It's a kind of backup restore over the network. But that does only work if the database is not DAOS enabled.
For DAOS enabled databases the replicator is used and it takes benefit of storage optimization.
It will only send the attachment if it isn't yet on the remote side. But this might be still slower compared to an accelerated replica.
To better utilize the bandwidth of your 1 GBit line we ended up having multiple AdminP threads leveraging the replicator code to push databases in parallel.
There is ab enhancement in the 9.0.1 codestream (we got it backported to 8.5.3 FP6) which allows one process with multiple threads to replicate in parallel.
And if you want AdminP to create the replica immediately instead of just creating a replica stub you need the following notes.ini parameter: ADMINP_EXCHANGE_ALL_UNREAD_MARKS=1.
When you set this parameter Adminp actually pushes the database instead of creating a replica stub and also syncs all unread marks for the database.
Note:  The admin4.nsf the request type will look like accelerated replica copy even DAOS is enabled on the database and the status of the request also looks a bit different.
You should not be worried about that. It will use the normal replicator code including unread mark sync.
 

Meltdown and Spectre Exploid

January 4, 2018, 2:44 pm
$
0
0

There is a new security issue for most modern CPUs. Intel and AMD is affected in different ways.
It's not something that is application specific. It's a CPU and OS level issue. Which affects also virtualization hosts.

Here is the best website to get details --> https://meltdownattack.com

And there are already some patches for some platforms.

I have just installed the current kernel patches for CentOS (kernel 2.6.32-696.18.7).

Here is the info from RHEL about the first patches https://access.redhat.com/errata/RHSA-2018:0008.

We will probably see patches for other platforms including virtualization platforms like ESX.

Those are the first fixes. And we will probably see more followup fixes.

-- Daniel

Search

Meltdown and Spectre Exploit

January 4, 2018, 2:44 pm
$
0
0

There is a new security issue for most modern CPUs. Intel and AMD is affected in different ways.
It's not something that is application specific. It's a CPU and OS level issue. Which affects also virtualization hosts.

Here is the best website to get details --> https://meltdownattack.com

And there are already some patches for some platforms.

I have just installed the current kernel patches for CentOS (kernel 2.6.32-696.18.7).

Here is the info from RHEL about the first patches https://access.redhat.com/errata/RHSA-2018:0008.

We will probably see patches for other platforms including virtualization platforms like ESX.

Those are the first fixes. And we will probably see more followup fixes.

Update 06.01.2018:

There is an interresting article describing some of the background and what hardware and software vendors are doing against it with different approaches.

https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/

From what I see the applications with the biggest exposure to those bugs are web-browsers because they execute active code from remote (e.g. JavaScript).

Here is also a current statement from Mozilla:

https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

And there is the status page for Chrome and other Google technologis:


https://support.google.com/faqs/answer/7622138#chrome


-- Daniel

ROBOT SSL/TLS Attack

January 16, 2018, 6:41 pm
$
0
0
This has not been widely discussed yet. But since SSL Labs will start reporting it with a rating of F beginning of February let me explain some background and what you could do.

The issue has been there in a similar way before and is back. You can read the details here --> https://robotattack.org/

Affected are the older ciphers that are not widely used by current browsers/client. You could disable those ciphers until the issue is fixed.
But on the other side most browsers/clients do support higher secure ciphers. And because by default the server cipher order is used, a client should not choose a weaker cipher.
In addition because of Secure Renegotiation which is supported by Domino and most browsers/clients support it, no weaker cipher will be used than the best common cipher between client and server.

That means that only a very small fraction of connections might use those affected ciphers and if you disable those the client cannot connect at all.

A fix for the ROBOT Attack is planned for FP10.

So IMHO there is no need right now to disable those affected older RSA ciphers unless you have very high security requirements or if you are concerned about your SSL labs rating ..

If you disable those affected ciphers the warning on the SSL Labs test side goes away.

Here is a more paranoid configuration of TLS ciphers that you could use:

set config SSLCipherSpecÀ30009FC02F009EC028006BC0140039C02700670033C013
restart task http

If you look into the compatibility report, there is no current client that could not connect any more (even older IE versions would connect).
The other positive effect would be that you would only support DHE and ECDHE ciphers which is a good idea in general..

UPDATE 17.01.2018

Andy Brunner had an interesting comment. In my cipher list I am still having 0033 which is rated as a weak cipher which is not enabled by default.
I have a cipher configuration database where I still had that cipher listed.

TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)

If you still have this cipher listed and did not allow weak ciphers the server will give you a hint:

SSLDisableExportCiphers> Disabling weak cipher DHE_RSA_WITH_AES_128_CBC_SHA. Set notes.ini "USE_WEAK_SSL_CIPHERS=1" to re-enable.

So the better fitting cipher liste in this case would be

set config SSLCipherSpecÀ30009FC02F009EC028006BC0140039C0270067C013
restart task http


The mentioned cipher is rated as weak by Domino because it is a cipher that internally uses "SHA"

Update: I almost forgot and got reminded about this Java 1.6 issue.
The cipher is rated as weak for another reason. Older Java can only support this DHE cipher with 1024 bit.

That's a longer story which you can find details here --> http://blog.nashcom.de/nashcomblog.nsf/dx/dha-with-more-than-1024-key-size-and-java-still-works.htm
and another blog post here with some more details and ideas --> http://blog.nashcom.de/nashcomblog.nsf/dx/higher-crypt-standards-with-notesdomino-and-jvm-1.6.htm


-- Daniel



Image:ROBOT SSL/TLS Attack

Notes/Domino 9.0.1 Feature Pack 10 shipped

January 31, 2018, 1:20 pm
$
0
0

Notes/Domino 9.0.1 Feature Pack 10 shipped.
I updated my client and one of my production servers this morning. My upgrade went well. But as always I am interested in your feedback.

When you install the admin/design client the result will be a single 1.8 JVM.
Before we had a mix of JVM 1.8 for run-time and JVM 1.6 which made development more complicated.

As you can read in the release notes beside the JVM version also the Eclipse version has been updated to work with JVM 1.8 and also to introduce new functionality.

The compile time JVM is the biggest change in FP 10.

The fixlist database is not updated yet but the readme already contains fixes.

I have reverted my cipher list to the default and tested if the ROBOT SSL/TLS Attack is fixed.
SSL Labs does not show any issues any more and the fix just comes in time before SSL Labs will give server not fixed against the  OBOT SSL/TLS Attack and using those vulnerable ciphers get a  "F" rating beginning of February.

The browser stays removed. And there are still discussions among business partners who used embedded browser functionality in their solutions.


http://www.lotus.com/ldd/fixlist.nsf/WhatsNew/86a6c4ba892f0218852581fc0067b4f4?OpenDocument

Header/Subject Encoding issues after upgrading to 9.0.1 FP10

February 1, 2018, 3:09 am
$
0
0
As Christian Henseler reported in the comments there is an issue with SMTP header encoding.
Subjects that are UTF8 encoded are not converted.

I can reproduce that on my server with different external mail accounts and also when using putty against a FP10 server. With FP9 it works well.

They look like this:   =?utf-8?Q?Ã=84ü_Test_?=

Until this problem is fixed you should not uprade to FP10!

I have opened a PMR and also posted in the DP forum. L2 confirmed it looks like a regression.

Stay tuned for updates.

-- Daniel

Notes/Domino 9.0.1 FP10 Issues -- IBM is working on IF1 and is listening for more feedback

February 2, 2018, 1:05 pm
$
0
0
As posted before there is an issue with header encoding with umlauts which causes for example the subject to look scapbled.
This issue is already SPRed and I got a mail that a hotfix is on the way (I have a PMR open).

There are a couple of other issues development is working on. One is an issue I reported today about the Notes and Domino release version.
The major Domino version is reported like this:

9.0.1 FP10

Release 900.0 QMR:11 QMU:0 Hotfix: 0 Fixpack: 0 (0)

In contrast to

9.0.1.FP9

Release 9.0 QMR:1 QMU:9 Hotfix: 0 Fixpack: 0 (0)

This is causing issues with some add-on applications where licenses are issued based on the major Domino version like iQSuite and others.

Beside those issues that are already posted, there are some others which are investigated.

Stay tuned and check the following post

https://www.ibm.com/developerworks/community/blogs/LotusSupport/entry/Listening_to_your_feedback_on_Notes_Domino_9_0_1_FP10


Update 03.02.2018 12:00

I got a hotfix  9.0.1FP10HF47 for the subject conversion issue which I already installed.
The first tests look good. The HF also contains a fix for the version number issue.

Those fixes will be part of IF1. Stay tuned for more information.

Release Information before the fix:
Release 900.0 QMR:11 QMU:0 Hotfix: 0 Fixpack: 0 (0)

After the fix:
Release 9.0 QMR:1 QMU:9 Hotfix: 0 Fixpack: 0 (0)


Update 05.02.2018 16:30

The fix I got was just intended to fix the subject line issue. Not yet the build version issue.

The build version should look like this with IF1 which is intended to be shipped this week.


Local Notes/Domino Release 9.0 QMR:1 QMU:10 Hotfix: 0 Fixpack: 0 (0)

Remote Notes/Domino Release 9.0 QMR:1 QMU:10 Hotfix: 0 Fixpack: 0 (0)

Looks good for me now.




Notes and Domino 9.0.1 IF1 has been released

February 8, 2018, 10:39 pm
$
0
0
Notes and Domino 9.0.1 FP10 IF1 has been released.
I already posted that the subject line encoding was already fixed with a HF I got thru support.
And also that the version numbering issue has been fixed.

The subject line issue also affects the Notes client when you run POP3/IMAP in the client because the same code is used.
A fix for the client is planned. So in case you are using POP3/IMAP you should wait for the next IF.

There is also a security vulnerability which has been pushed out to customers via FLASH: Security Bulletin.
So in case you are running on Windows you are affected when any of the services like NSD or smart-upgrade! All releases are affected according to the technote.

The LDAP authentication issue which was a regression in FP9 causing some type of authentications to fail.
That regression is still pending to be fixed. So if you use your Domino as an authentication source via LDAP (for example for Sametime) you should still wait for the fix before upgrading that server.

-- Daniel


Domino Server 9.0.1 IF1

PPUEASMHAW        Fixed a potential security vulnerability with the IBM Domino Diagnostics service Security Bulletin: IBM Notes NSD Privilege Escalation (technote 2010777)        
PPUEASUDSF        Fixed a potential security vulnerability with the IBM Domino Diagnostics service Security Bulletin: IBM Notes Privilege Escalation in IBM Notes Diagnostics service (technote 2010767)        
MKINAUWTG4        Fixed a potential Server memory leak        
DVDI9UNH38                 Fixed a potential Server crash        
JBAMAVKUPX        Fixed an issue where the subject line encoded (UTF-8) after upgrading to Domino 9.0.1FP10        
KBRNAVLMA3        Fixed an issue where the version string returned was incorrect with the API NSFDbGetMajMinVersion after upgrading to Domino 9.0.1FP10        

Notes Client 9.0.1 IF1

PPUEASMHAW        Fixed a potential security vulnerability with the IBM Domino Diagnostics service Security Bulletin: IBM Notes NSD Privilege Escalation (technote 2010777)        
PPUEASUDSF        Fixed a potential security vulnerability with the IBM Domino Diagnostics service Security Bulletin: IBM Notes Privilege Escalation in IBM Notes Diagnostics service (technote 2010767)        
PPUEASNC5D        Fixed a potential security vulnerability with the IBM Notes Smart Update Service Security Bulletin: IBM Notes Privilege escalation in IBM Notes Smart Update Service  (technote 2010775)        
KBRNAVLMA3        Fixed an issue where the version string returned was incorrect with the API NSFDbGetMajMinVersion after upgrading to Domino 9.0.1FP10

Traveler 9.0.1.21 Released

March 7, 2018, 12:57 pm
$
0
0
There is a new Traveler Release posted today. I don't see many critical issues but some might affect you.
I have just updated my server right now.Looks good so far.

There is a change in the database schema, when you run Traveler HA with a state database on SQL server:

"Note for customers that manage their database schema: IBM Traveler 9.0.1.21 includes a database schema update for MS SQL Server deployments. It is only necessary to run verifyIndexes.sql to update the schema to latest level.
Otherwise no action is required unless upgrading from a version prior to 9.0.1.16. If you use auto schema updates (default behavior) there is no action required."

-- Daniel

APAR # Abstract
LO93281 Modify an encrypted event from mobile device may corrupt event body.
LO93380 Support 32 bit Domino 9.0.1 Server.
LO93412 One index may cause performance problems on MS SQL Server.
LO93440 Incorrect default ACL for R6MemoMap.nsf
LO93455 Incorrect error code used for network error.
LO93466 Set $RFSaveInfo field on Reply/Forward from mobile device.
LO93491 Name used for time zone on mobile device does not match value used by Notes Client.
LO93522 Improve handling of very small in-line mime images.
LO93529 Web Administrator interface may show Verse for iOS device as not supporting data wipe.
LO93547 Not authorized message logged during network outage.
LO93596 Device may be missing e-mail if user has another device with a smaller filter window.
LO93599 Handle unexpected list format in notes.ini file.
LO93645 Event may not show on user's device when user was removed then re-invited to the event.
LO93660 Yellow status message displayed for Replicas table missing a Primary Key.
LO93663 Mail in sent folder may be missing content when configured to save with no attachments.
LO93706 Add NTS_JAVA_PARMS_EXT notes.ini parameter to allow for values larger than 256 characters.
LO93709 Attachment with DBCS characters in the file name may not display on mobile device.
LO93720 Update APNS Certificates, new expiration data March 30,2019.


Search

Notes Client FP Installs fail starting 20.4.2018

April 24, 2018, 12:38 am
$
0
0
Since 20.4.2018 Notes Client Feature Pack Installations are failing.
I got the first report on Friday and another customer pinged me on Monday.
And we are discussing among partners about this issue.

One partner reported that updates from FP9 to FP10 still work for him. But all other updates are failing.
IBM state that this isn't an issue with FP7 or FP8. But I have not verified that.

The root cause is that signatures for some plug-ins cannot be verified any more because the certificate validation expired.
It's not just one plug-in that fails and you might have a different plug-in that is reported to cause the error.

Here is the error message that you see n the Eclipse logs:

java.security.cert.CertificateExpiredException: NotAfter: Fri Apr 20 01:59:59 CEST 2018

If you turn back the time to an earlier date it's still works. But this isn't a work-around I would suggest.

There is another work-around to temporary allow expired certificates of signatures during install and enable it afterwards.

You would need to add the following setting to plugin_customization.ini and revert the setting back after installation.

"com.ibm.rcp.security.update/EXPIRED_SIGNATURE_POLICY=ALLOW"

But again this is also just a work-around.

IBM is aware of the issue and posted a technote -> http://www.ibm.com/support/docview.wss?uid=swg22015805

They are working on a solution. The technote says that they don't know exactly what is causing the issue. We have to wait for their update.
And I would recommend to wait before updating your clients until a fix is available instead using the work-arounds.


Update April 26, 2018:

IBM/HCL posted an update today in the TN. They found the issue, fixed it and hopefully if QE testing is successful we will have a fix soon.

@Marc, see they are posting an update for 9.0.1 FP9, FP10, Current MAC 64bit Client and also 8.5.3 FP6!
So the update for FP9 will be first and the other versions follow soon!


Here are the details from the update:
We have found a solution for the certificate issue for all products and versions. Please see the eGA for each product and version in the table below. Please note this is subject to change depending on the outcome of our QE Testing.
Product Version                                  Projected eGA
Notes Client 853FP6IF16                    Tuesday May 1, 2018
Notes Client 901FP9IF2                 Friday April 27, 2018
Notes Client 901FP10IF3                 Beginning of May 2018
MAC 64-bit IF15                         Tuesday May 1, 2018
Sametime Standalone 9.0.1 FP1         Beginning of May 2018



-- Daniel

Destination Domino / Notes/Domino 10

May 19, 2018, 2:26 am
$
0
0

Destination Domino / Notes/Domino 10

I haven't blogged much in the last weeks and I haven't been at IBM Think in Las Vegas for personal reasons.
The feedback I got from partners and customers after IBM Think and at the Swiss user Group (SNoUG) event in Zürich was very positive.
I would have wished we would have got that energy back some years before.

Personally I wasn't a big fan of feature packs. It has been a great idea to ship incremental feature releases in an agile style as soon they are ready.
But renaming "FP" form Fixpack to Feature Pack also introduced some technical deployment challenges and the market did not really understand it.

There are improvements in every fixpack and feature packs. For example some long planned features like NIFNSF and large summary data.

I have spoken at many conferences about best practices and features introduced in the recent feature packs.
Those new backend database features and other new functionality showed long term commitment even there was some not completely clear communication about support extension for the 9.0.1 release.

Having a Domino 10 release and already speaking about future plans like "Domino 11" is great news!
Now with HCL taking over the development including all the developers a Domino 10 release makes a lot of sense.

Development moved to a HCL location near to the IBM offices in Littleton, MA.Now they can finish implementation of ideas they started to work on years ago.
What I hear there is a lot of new energy and they are looking for 70 new developers.

IBM was reducing investment and staff not only for Collaboration software but also in other areas.
Having HCL as a company who believes in the product and sees the potential behind it as a platform is great news!
HCL is a large international company with locations world-wide and they wouldn't invest in it, if they would not see future in it!

The Notes client on iOS is a good example. The first versions of it existed already for a while. It's an own port which will be also available on Android!
And by the way the Notes 10 client will be available in 64bit on Windows and share the code base with the Mac client.

Looking into the presentations from IBM Think in Las Vegas I did not see all features and new development capabilities planned for Domino 10 that I did hear from partners and customers after the conference and from other sources.
But IBM and HCL are very clear about the long term support for Notes/Domino!

At SNoUG the picture was more clear and I am looking forward to the Engage conference in Rotterdam to see more details  --> https://engage.ug/
We also finalized the agenda for the German DNUG event in Darmstadt mid of June  --> http://dnug.de/en/dnug45-agenda/

I will be presenting at both conferences and I am looking forward to meet many of you at those two events!

You should also keep an eye on the Destination Domino website --> https://www.ibm.com/collaboration/ibm-domino

And I will be more active on my blog after the Engage conference.

-- Daniel


Domino 9.0.1 FP10 IF2 - one important fix is missing

May 21, 2018, 12:06 am
$
0
0
Domino 9.0.1 FP10 IF2 has been released with some important fixes.

If you are on FP10 you should apply IF2. If you did not install FP10 you should wait for IF3.

There is one missing fix for a Domino server hang that you should be aware of.  I personally know at least about 3 customers who ran into this issue.
It can happen if two processes are updating the same database. For example update, replica, router and server!

It wasn't clear when IF2 was released and I had to double check with IBM before posting. That took some time.

So if you are not on FP10 you should wait for IF3 which should have those two fixes.

SWAS96ZP5B: Server hang due to semaphore deadlock between a doc update & nsf search (cc# 323200)
JMANAS8HZP - Crash on router after upgrade to 901FP9 on nIMAP with PANIC: OSBBlockAddr: Bad BBlock handle (FFFFFFFB) (cc# 322553)

-- Daniel


Interim Fix 2
                       
RMASAT7KEX         Fixed an issue where LDAP does not properly escape # character in results        
YYYYAQK8QM         Fixed an HTTP PANIC on LookupHandle        
VNEN8J2MUZ         Fixed a router PANIC on LookupHandle        
RDUK5E6U8Z         Fixed an issue where sending a message from iNotes a second instance of "MIME-Version: 1.0" occurs in MIME header        
SWASAVKR2A         Fixed a hang w/ extension mgr search calls        
ARUIAXQW38         Fixed a panic at Domino startup if statically enable inline view indexes for Domino 9.0.1 Feature Pack 10        
MKINAXNM6V         Fixed an issue where check markers crash in WriteJavaScriptMethods()        

First impressions from Engage Conference in Rotterdam this week

May 23, 2018, 1:39 pm
$
0
0
Jut back from #engageug. The conference was the best conference I have been for a long time!
Beside the great venue on the cruise ship the HCL sessions technical session and specially the round tables have been a big positive surprise for me.

As a already posted this week my impression is that the move from IBM to HCL gave a big positive push to the development team!
The feedback they took and there reactions to our ideas what the details we got about Notes/Domino/Verse/Sametime 10 was more than positive.
I am really looking forward to get my hands on the first beta arriving for a closed group in June and a beta 2 is planned in July for a larger audience.

HCL is not only investing in the Domino server and all the new stuff like https://nodejs.org support the client on iPad and on Android tables that is coming but they also invest in the Notes client!
Beside the new client functionality we have seen in the sessions there way more in the round table discussions that HCL and IBM did tell us. And they have been very open for additional feedback!
Not all of it will make it into Notes/Domino 10 but they are already planning for a Notes/Domino 11 release (planned for 2019).

Beside of of the features there is great news for AIX, iSeries/System i, SLES customers.
Heard yesterday at our Linux round table Domino 10 is planned to be supported on all of those platforms!!
The only platform that will be dropped is Win32. The plan is introduce Win64 support for Sametime 10 and remove the remaining road blocker for dropping Win32.

In addition to that there is great news for customers who want to run Domino on CentOS.
CentOS is a long term release/free community edition which is source code compatible with REHL.

So with the feedback we gave at the conference and in our roundtable IBM/HCL is planning to introduce "best effort" support for CentOS 7 in Domino 10!
That means that you will be able to submit PMRs. You will not longer have to reproduce it on one of the other supported platforms!
One of the other reasons is that the base image for Docker in Domino 10 will be very likely CentOS as well.

There are already many smaller customers using CentOS for their Domino environment. And I am also supporting CentOS for my Domino start script.

So I am very happy about this move! This will be specially interested for smaller customers and maybe new developers who want start to look into the new stack that is planned for Domino 10 with Node JS.

HCL showed live code in their sessions and had iPads with the current build of the HCL Nomad to play with!
I am really looking forward to get my hands on the betas!

Thanks again to Theo and the team this marvelous conference!

Daniel




Font Rendering Changes in 9.0.1 FP9/FP10

May 28, 2018, 2:13 pm
$
0
0

There is a font encoding change introduced in 9.0.1 FP9  to better display fonts when send in MIME messages.

-- snip --
Full fidelity for fonts in Notes emails
When Notes users send email over the internet, the font size in the MIME body is rendered correctly in the recipient email. No notes.ini setting is needed.
-- snip --

But sending MIME messages to older Notes Client versions the fonts might look different. For example "serif" font might be displayed as "san serif".
Here is an example:

-- Feature Pack 9  --



-- Feature Pack 8 --




There have been improvements in the font rendering in FP10 to display sent messages and incoming messages in FP10 correctly.
But if you have many older Notes Clients you send MIME mails to and want to avoid that the client shows the wrong font, you might want to revert back to the previous font encoding.

9.0.1 FP10 introduces a new Notes.ini setting to revert back to the previous font encoding.
Because I am communicating with many Notes recipients over the internet, I have decided to revert my font encoding back to the previous fomat for now.

-- snip --
"SPR# SSIRAS99AG - Added an ini "DisableFontSizeMimeImprovement" to disable the fix for SPR #SSIRAAGJX8 that went into 901FP9"
-- snip --


But the notes,ini setting in the SPR description is missing the underscores. The correct setting is:

notes.ini DISABLE_FONT_SIZE_MIME_IMPROVEMENT=1


-- Daniel
Image:Font Rendering Changes in 9.0.1 FP9/FP10
Viewing all 852 articles
Browse latest View live
Search