Daniel Nashed
Blog Title Daniel Nashed’s Blog
Blog Description Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...
Blog URL http://blog.nashcom.de
RSS Feed http://blog.nashcom.de/nashcomblog.nsf/feed.rss
Feed Last Checked Feb 25, 2015 3:00:13 PM EST.
Location Germany


Recent Blog Posts
64
SSL V2 HELO can be re-enabled with 9.0.1 FP3 IF1
Wed, Feb 25th 2015 3:45p   Daniel Nashed
As discussed before, the security fixes introduced with the addition of TLS 1.0 removed V2 SSL HELO support. This caused issues with applications that still use the V2 SSL HELO for compatibility issues. Especially older OpenSSL versions did use V2 SSL HELO unless explicitly specifying TLS 1.0. For most applications you can work around it by updating the OpenSSL version to a current level. But especially when using the SMTP STARTTLS extension we don't control what the connecting server uses
22
SLES 12 support added in 9.0.1 FP3 IF1
Tue, Feb 24th 2015 1:19p   Daniel Nashed
There is a new section that you should note and regularly check: http://www.lotus.com/ldd/fixlist.nsf/WhatsNew/ This section will provide important updates to the fixlist. In this case the support for SLES 12 with 9.0.1 FP3 IF1! WOW! That was a fast response! Normally new major OS versions have to wait at least for a dot release! THANKS!!! As posted before there was a technical issue with restricted ports because bindsock did not work any more because of kernel changes in SLES 12. IBM a
20
Notes/Domino 9.0.1 FP3 - Java Console/Controller Incompatibility
Wed, Feb 18th 2015 5:35a   Daniel Nashed
As discussed before, it's not a good idea to completely disable SSLv3 too soon. Notes/Domino 9.0.1 FP3 ships with a newer JVM version that completely disables SSLv3. The Oracle team disabled SSLV3 by default but the IBM JVM team completely removed SSLv3. The Domino server controller and Server Console are based on Java and use the SSL/TLS stack for communication. Domino before FP3 uses SSLv3 only -- I don't want to start any theories about why ... The newer version with FP3 and highe
12
Planned Domino 9 SLES 12 Support
Thu, Jan 29th 2015 6:25p   Daniel Nashed
The question for SLES 12 has been raised during IBM ConnectED. There is an issue with Domino on SLES 12 and SLES 12 is not currently supported (in contrast with RHEL 7). There is a SPR # YXYX9RA56Z "Error - Unable to Bind port 443 or 80" on SUSE12. I have checked in the Lab and got similar info to what has been posted before on the web: "There is a known issue with SLES 12 where bindsock has issues. Before we can support SLES 12 and any other newer kernel with this issue, we will
11
ConnectED Session Slides posted BP102: Practical IBM Notes and Domino Internet Security
Tue, Jan 27th 2015 10:45p   Daniel Nashed
Today I had the pleasure to present with Dave Kern about Domino internet security. Now that the presentation is public, I can speak about all the details that we presented. See the slides for all details. We covered what is already available in 9.0.1 FP3 and what is coming after FP3 quite soon. In the session demo we had the SSL Test website showing an A- up to A+ rating depending on the configuration. There is a lot of good stuff coming up in a scheduled interims fix. This includes TLS
18
Notes/Domino 9.0.1 FP3 has shipped
Wed, Jan 21st 2015 11:09a   Daniel Nashed
Today Notes/Domino 9.0.1 FP3 has been shipped. Already installed it on my production server. There are new new "SSL/TLS" related fixes in FP3. But there are updates planned after FP3. So updating to FP3 is the base and you should consider an update soon. It's always better to install a FP than an IF which is technically a combo hotfix. There are also a couple of other important fixes in FP3. When you look into the Fixlist you see a couple of database/DAOS related fixes. The FP al
18
Domino TLS POODLE Fix released
Sun, Dec 21st 2014 5:12a   Daniel Nashed
As reported before, the IF that introduced TLS 1.0 is vulnerable to the new POODLE issue. IBM released a new IF for all supported versions that fixes this issue. After installing the IF you can re-enable the CBC ciphers which are now reported as not vulnerable by the SSL Labs Test site. In addition to this fix IBM officially introduces a new notes.ini variable to disable SSL V3. DISABLE_SSLV3=1 will disable SSL V3 completely. But as mentioned before you should be completely sure if you wa
10
New Domino POODLE Issue now with TLS
Tue, Dec 9th 2014 11:16p   Daniel Nashed
There is a new exploit that affects TLS! Not all implementations of TLS are affected. But Domino and also some other solutions like the F5 load-balancer are on the list. For more details read --> https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls The problem affects all CBC ciphers. IBM is working on a solution. Meanwhile you can disable the CBC ciphers. Currently there are only two ciphers left. Not really completely what we want but it sounds like IBM
12
iNotes Redirect without Anonymous Access
Fri, Dec 5th 2014 9:15a   Daniel Nashed
When running iNotes you might only want to allow authenticated connections to your Domino Server over HTTP. But on the other side you want to use the iNotes Redirect database which contains some images and other design that should load even if the user is not yet authenticated. There is a Wiki article that describes in detail what to do. Thanks to IBM pointing out that parameter! http://www.lotus.com/ldd/dominowiki.nsf/dx/Allowing_Anonymous_Access_to_iNotes_Redirect_images__while_preventing_An
13
Short Description Creating a Domino Keyring File with the new Keyring Tool and a Windows CA using Binary Formats
Tue, Dec 2nd 2014 5:11a   Daniel Nashed
Now that more and more customers are using the new keyring tool we run into interesting constellations. Microsoft uses binary formats instead of the ASCII based PEM format that the keyring tool requires. OpenSSL does not only help you to create the key and the certificates. You can also use it to convert the certificate formats. I have written a short step by step documentation for my customer including some troubleshooting steps and tricks. To keep it short I have left out the re
9
Traveler 9.0.1 IF7
Fri, Nov 7th 2014 5:15a   Daniel Nashed
Finally Traveler 9.0.1 IF7 is available. I don't see a fixlist yet but I got a fixlist from a customer from the latest hotfix he got. The IF should fix all attachment issues which came up with IF6, includes the latest Android client and should also have an updated certificate for APNS. So now you can install 9.0.1 IF7 in combination with Domino 9.0.1 FP2 IF1 which introduces TLS 1.0 in one go with just one downtime. FixCentral Download Link: http://www.ibm.com/support/fixcentr
20
Some Additional TLS 1.0 Information
Thu, Nov 6th 2014 11:12a   Daniel Nashed
TLS 1.0 and the removal of SSL 3.0 from browsers that triggered the whole discussion is not just something that needs to be addressed on a Domino server. IBM has done a lot of work in quite a short time and now that customers are implementing the fix it shows that also other software is affected. Introducing TLS 1.0 for Domino was the first step from IBM to ensure that clients that only support TLS 1.0 and higher can still connect to the Domino server. For now IBM still has SSL 3.0 enabled
11
Domino TLS 1.0 SHA-2 Support to prevent POODLE has been shipped today
Mon, Nov 3rd 2014 6:16p   Daniel Nashed
As blogged before, IBM was already working on addressing the POODLE attack by finally implementing TLS 1.0 for all internet protocols. Today IBM shipped an Interims Fix to introduce TLS 1.0 which is very important because many browsers and other software vendors are about to drop SSL 3.0 support. So you need those fixes to continue to use secure protocols like HTTPS, secure SMTP, LDAP, IMAP, POP3, DIIOP. There are a couple of changes which are described in the following Wiki documents. And
6
TLS and SHA-2 Support and the POODLE Attack
Tue, Oct 21st 2014 12:11p   Daniel Nashed
IBM has officially responded to the POODLE attack and also officially responded to newer crypto standards. Very good news for Domino! IBM will introduce TLS 1.0/1.2 and SHA-2 support for all protocols soon! The current technotes mention a very short timeframe and it looks like we are going to get fixes at least for the current Domino 9.0.1 code stream. Some fixes will be also in the 8.5.x code-stream but some of the improvements like SHA-2 support cannot be back ported. So you should be pr
5
Traveler Issues with Attachments containing special chars after updating to 9.0.1 IF6
Sat, Sep 27th 2014 6:12a   Daniel Nashed
Before leaving for holidays last week the first customer contacted me about issues with attachments that have blanks, umlauts or other characters in the attachment name. I could not reproduce it on iOS but on Android but without the error message in the log that he got. Meanwhile it is clear that this issue affects all device types and there is a fix that should hopefully address this problem. IBM is working on a new IF to address the issue and also possible other related issues but mean
5
My Top 3 Formula Commands for working in the Notes Client
Thu, Sep 18th 2014 11:16p   Daniel Nashed
All of those commands are not new at all. They are all around for a very long time. But they make my day easier. I am surprised that many still don't know at least the first two. The last one is more a convenience when working with replicas. @Command([AdminRemoteConsole]) Before Release 5 there wasn't an admin client and the admin/designer was integrated into the normal client. The old live console is still in the client and you don't need an admin client -- just the right per
7
Important Update on Traveler iOS 8 Support -- You have to install an IF!
Mon, Sep 15th 2014 3:13p   Daniel Nashed
There are some last minute changes in iOS which are only in the final version. Apple changed the EAS Sync ID which used to match the Device ID. There has been planning for that change for a while but Apple should have introduced that change already in the Beta releases. However this change causes issues in device mapping for the companion/todo app. IBM released an IF for 9.0.1/9.0.0.1/8.5.3 UP2 today to address this issue and added some background logic to map the device ID. There is a A
8
Traveler iOS 8 Support
Wed, Sep 10th 2014 10:12a   Daniel Nashed
iOS is released soon (hopefully 17.9 for existing devices) and I already got some customer questions about it. There is a technote describing the Traveler support for iOS 8. The good news: everything should work fine and new app versions for iOS are on their way. Traveler supports iOS 8 with 8.5.3 Upgrade Pack 2 and higher but I would highly recommend that you update to the latest and greatest release 9.0.1 IF5 anyway. Only the latest IFs will recognize iOS 8 correctly because they have
7
Important Platform Support Additions in Notes/Domino 9.0.1 FP2
Thu, Aug 21st 2014 10:12a   Daniel Nashed
The new fixpack adds the following platform support: 9.0.1 FP2 adds support for the following: Citrix XenApp 7.5 for Client Internet Explorer 11 for xPages RHEL7 for Server I got the question for RHEL7 already a couple of weeks ago and I think it is great news to have RHEL7 support introduced with a fixpack! That does not always happen! The release notes have been updated today and tests are completed. http://www.lotus.com/ldd/fixlist.nsf/0/7ff6a78cb16153d085257d2b00
6
Traveler 9.0.1 IF5 shipped
Wed, Jul 30th 2014 12:12a   Daniel Nashed
Traveler 9.0.1 IF5 shipped just in time for updating a customer yesterday -- after we planned the downtime for more than a month -- funny. First updated my Linux box before updating the customer server on Windows. The Linux silent install on Linux was a lot quicker than the one on Windows. There are a couple of important fixes for all device types and a new version of the Android client. http://www.lotus.com/ldd/dominowiki.nsf/dx/Lotus_Notes_Traveler_APAR_listing#901IF5 IBM Note
5
Force Traveler to use IPv4 instead of IPv6
Mon, Jul 28th 2014 8:11a   Daniel Nashed
We ran into this in a customer situation. The code used in Traveler is Java based. For the Servlet and also for the Traveler servertask. Even if you specify notes.ini NTS_HOST_IP_ADDR with an IPv4 address Traveler might use IPv6. If you are in stand-alone mode this should not cause any issues. But if you are in HA mode connecting to a remote machine might cause trouble in some situations. My recommendation would be to completely disable IPv6 on the machine unless you really need it. At s
7
DAOS NLO Encryption and Decryption
Wed, May 28th 2014 6:10a   Daniel Nashed
We have been asking for this functionality since DAOS was released and now there is finally a solution. In some cases customers have to either switch off DAOS NLO encryption for a server or enable it later on. Or even want to move from one server.id to another server.id. There are two SPRs (#PMAO9C6R9G / #GFAL9AKKJZ) described in the following technote --> http://www.ibm.com/support/docview.wss?uid=swg21673931. The TN also describes how to use this new functionality. There are a cou
3
Details About ODS 52 shipped with Notes/Domino 9.0.1
Tue, Apr 29th 2014 6:12a   Daniel Nashed
I got a couple of questions from multiple customers about ODS 52 which has been introduced in 9.0.1. There is a bit of confusion about the new ODS and there is not much publicly available information. First of all the new ODS 52 is optional and you only need it in some special cases. It is not enabled by default and in the same way that you needed to set the new ODS it will also be implemented in 9.0.1 How to migrate to the new ODS? You will need to set notes.ini CREATE_R9_DATABASES=1.
6
IBM Notes & Domino are not vulnerable to OpenSSL "Heartbleed" bug (CVE-2014-0160)
Wed, Apr 9th 2014 2:11p   Daniel Nashed
In case you are wondering. IBM Domino is not affected by the OpenSSL "Heartbleed" issues. Also Traveler (leveraging the Domino HTTP stack) nor the IBM HTTP Stack in Domino 9 on Windows does not use OpenSSL and is not affected. You still have to update your machines to a current OpenSSL package if you are running a 1.0.1 OpenSSL package. Here is the technote from IBM --> http://www.ibm.com/support/docview.wss?uid=swg21669782 And here is some additional information I got from my ISP
9
Passing a document to an agent without saving it first
Sun, Apr 6th 2014 6:12a   Daniel Nashed
How cool is that new functionality introduced in 8.5.2. Simple but important addition. Looks like this has been implemented for XPages but you can also use it in normal Java and LotusScript. Before you had to save a document before passing the document context to an agent. Now you can just pass a new in-memory document and you don't need to save it at all. This is really useful when passing parameters to and from agents that you invoke. For example if you want output for a Java agent th
6
Traveler 9.0. IF4 has shipped
Mon, Mar 31st 2014 6:14a   Daniel Nashed
Traveler 9.0.1 IF 4 has shipped end of last week. There are some important fixes on the server side and also some fixes in the Android client. After doing the update over the weekend I thought about building a small script to automate Traveler updates on Linux. First I thought it would make sense to have it in my start script but I am not sure about it. Silent install works like a charm. What do you think? Should I add a customizable script to shutdown, install, startup? It could be even
11
Taking full benefit of RAM for File-System Cache with Domino on W64
Thu, Mar 13th 2014 6:10a   Daniel Nashed
A long time ago I already blogged about the changes IBM introduced for the file-system cache. And I ran into this in customer situations many times. I have described it in my IBM Connect session but because I got questions about it again, I think it makes sense to mention it again. The default settings they implemented might impact you when you add a lot of RAM to your Domino server. We have seen dramatic reduction of read I/O when adding a lot of RAM to the Windows machine because Wind